VARIoT IoT vulnerabilities database

Hitachi uCosminexus products have cross-site scripting vulnerabilities. A remote attacker can use this vulnerability to execute a malicious script. The attacker can construct a malicious link to induce users to resolve, obtain sensitive information, or hijack a user's session. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The following products are affected: uCosminexus Stream Data Platform - Application Framework uCosminexus EUR Print Manager - Report Server HiRDB RealTime Monitor. * Hitachi HiRDB RealTime Monitor versions 09-00 and 09-01. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Hitachi uCosminexus EUR Print Manager Unspecified Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA47773 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47773/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47773 RELEASE DATE: 2012-01-31 DISCUSS ADVISORY: http://secunia.com/advisories/47773/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47773/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47773 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Hitachi uCosminexus EUR Print Manager, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. Please see the vendor's advisory for the list of affected products. SOLUTION: Update to version 08-70-/B. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Hitachi (English): http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-006/index.html Hitachi (Japanese): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-006/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Control Manager. Authentication is not required to exploit this vulnerability.The specific flaw exists within En_Utility.dll. A module called from CASProcessor.exe running on TCP port 20801. A specially crafted packet with malformed BLOB encrypted data, is handled by HandleMcpRequest(), and contains instructions that will allow for an integer wrap, leading to a heap overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of the SYSTEM. Trend Micro Control Manager En_Utility.dll is defective. When handled by HandleMcpRequest(), the included structure allows triggering of integer overflows. Failed attacks will cause denial-of-service conditions. More details can be found at: http://esupport.trendmicro.com/solution/en-us/1058292.aspx -- Disclosure Timeline: 2011-04-07 - Vulnerability reported to vendor 2011-07-12 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Luigi Auriemma -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi . ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Trend Micro Control Manager "HandleMcpRequest()" Integer Overflow Vulnerability SECUNIA ADVISORY ID: SA45200 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45200/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45200 RELEASE DATE: 2011-07-14 DISCUSS ADVISORY: http://secunia.com/advisories/45200/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45200/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45200 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Trend Micro Control Manager, which can be exploited by malicious people to compromise a vulnerable system. This can be exploited to cause a heap-based buffer overflow via specially crafted packets sent to TCP port 20801. The vulnerability is reported in version 5.0 and 5.5. SOLUTION: Apply hotfix or Critical Patch. Please contact the vendor for details. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma via ZDI. ORIGINAL ADVISORY: Trend Micro: http://esupport.trendmicro.com/solution/en-us/1058292.aspx ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-235/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695. The problem is Bug ID CSCtr26695 It is a problem.By a third party IPv4 Service disruption via packets (line-card reload) It may be in a state. The Cisco ASR 9000 is an aggregation router from Cisco that is the carrier Ethernet base router family. The consequence of a network processor deadlock is that the line card automatically reloads the message when it processes the message, causing a denial of service attack. Devices using Ipv6 are not affected by this vulnerability. When the vulnerability is triggered, one or two of the following messages may appear in the system log: PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILEDPLATFORM-DIAGS-0-LC_NP_LOOPBACK_FAILED. Cisco ASR 9000 Series is prone to a denial-of-service vulnerability. Successful exploits will cause an affected device to reload or hang, denying service to legitimate users. NOTE: This issue is not vulnerable when IP version 6 (IPv6) is in use. This issue is being tracked by Cisco Bug ID CSCtr26695. ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco ASR 9000 Series Line Card Denial of Service Vulnerability SECUNIA ADVISORY ID: SA45333 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45333/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45333 RELEASE DATE: 2011-07-22 DISCUSS ADVISORY: http://secunia.com/advisories/45333/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45333/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45333 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco 9000 Series Aggregation Services Routers (ASR), which can be exploited by malicious people to cause a DoS (Denial of Service). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110720-asr9k.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Cisco has released a free software maintenance upgrade (SMU) to address this vulnerability. There are no workarounds for this vulnerability. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to Cisco IOS XR Software. The software version is displayed after the text Cisco IOS XR Software. ROM: System Bootstrap, Version 1.05(20101118:025914) [ASR9K ROMMON], Router uptime is 9 weeks, 1 day, 5 hours, 53 minutes System image file is "bootflash:disk0/asr9k-os-mbi-4.1.0/mbiasr9k-rp.vm" cisco ASR9K Series (MPC8641D) processor with 4194304K bytes of memory. MPC8641D processor at 1333MHz, Revision 2.2 ASR-9010-CHASSIS 4 Management Ethernet 8 WANPHY controller(s) 8 TenGigE 8 DWDM controller(s) 40 GigabitEthernet 4 SONET/SDH 2 Packet over SONET/SDH 1 MgmtMultilink 219k bytes of non-volatile configuration memory. 975M bytes of compact flash card. 33994M bytes of hard disk. 1605616k bytes of disk0: (Sector size 512 bytes). 1605616k bytes of disk1: (Sector size 512 bytes). To determine which SMUs are active on the device, issue the show install active summary command. This command will return a list of all SMUs installed, as shown in the following example: RP/0/0/CPU0:Router#show install active summary Fri Jul 8 19:02:15.887 CEST Active Packages: disk0:asr9k-doc-p-4.1.0 disk0:asr9k-mini-p-4.1.0 disk0:asr9k-k9sec-p-4.1.0 disk0:asr9k-video-p-4.1.0 Note: The preceding output shows a device without the SMU asr9k-p-4.1.0.CSCtr26695.tar installed. Also note that Cisco IOS XR Software can include multiple SMUs and the output may differ from the preceding example. This will return a list of all SMUs installed: RP/0/0/CPU0:Router#show install active summary Fri Jul 8 19:02:15.887 CEST Active Packages: disk0:asr9k-p-4.1.0.CSCtr26695-1.0.0 disk0:asr9k-p-4.1.0.CSCto96804-1.0.0 disk0:asr9k-p-4.1.0.CSCto95435-1.0.0 disk0:asr9k-doc-p-4.1.0 disk0:asr9k-mini-p-4.1.0 disk0:asr9k-k9sec-p-4.1.0 disk0:asr9k-video-p-4.1.0 Note: The preceding output shows a device with the SMU asr9k-p-4.1.0.CSCtr26695.tar installed (in bold). Also note that Cisco IOS XR Software can include multiple SMUs and the output may differ from the preceding example. Cisco IOS XR Software is a distributed operating system designed for continuous system operation combined with service flexibility and high performance. Both transit IPv4 packets and IPv4 packets directed to the device itself may trigger this vulnerability. The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtr26695 - ASR9k:Line Card Issue with NP lockup CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability described in this advisory may cause the affected line card to reload. Repeated exploitation could result in a sustained denial of service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS XR Software table (below) names a Cisco IOS XR Software release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix, if available at the time of Advisory, are listed in the "First Fixed Release" column of the table. +--------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |-------------+------------------------------------------------------| | | SMU ID | SMU Name | First Fixed | | | | | Release | |-------------+------------------------------------------------------| | 3.2.X | | | through | Not affected | | 4.0.X | | |-------------+------------------------------------------------------| | 4.1.0 | AA05118 | asr9k-p-4.1.0.CSCtr26695.tar | 4.1.1 | +--------------------------------------------------------------------+ Note: At the time of this advisory, Release 4.1.1 is expected to be available on July 29, 2011. Workarounds =========== There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html For additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during the resolution of multiple customer service requests. We would like to thank the Internet Measurement Group from the University of Washington for their help and support on troubleshooting this issue. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110720-asr9k.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +--------------------------------------------------------------------+ | Revision 1.0 | 2011-July-20 | Initial public release | +--------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iF4EAREIAAYFAk4m/30ACgkQQXnnBKKRMND3gAD/QU7mozUjiGpbzBoEtIYGi8uj Bhe/TfxZjzFA4tNYZAYA/RUP7WMFrhK9q8jWUrniWTwcbp1PAc90pyPZ2QwTkwFK =vnj1 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Stack-based buffer overflow in the Data Archiver service in GE Intelligent Platforms Proficy Historian before 3.5 SIM 17 and 4.x before 4.0 SIM 12 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted TCP message traffic. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE Proficy Historian. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ihDataArchiver.exe process which listens by default on TCP port 14000. The code within this module trusts a value supplied over the network and uses it as a length when copying user-supplied data to a stack buffer. By providing a large enough value, this buffer can be overflowed leading to arbitrary code execution under the context of the user running the service. GE Proficy Historian is a factory system that collects, archives and distributes very large amounts of real-time data at high speeds, significantly improving operational visibility and profit and loss settlement lines. There is a stack-based buffer overflow that can be exploited by remote attackers to crash ihDataArchiver.exe or ihDataArchiver_x64.exe. Failed exploit attempts will likely result in denial-of-service conditions. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Proficy Historian Cross-Site Scripting and Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA46699 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46699/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46699 RELEASE DATE: 2011-11-02 DISCUSS ADVISORY: http://secunia.com/advisories/46699/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46699/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46699 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Proficy Historian, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system. 1) Certain unspecified input is not properly sanitised within the Web Administrator component before being returned to the user. Please see the vendor's advisories for a list of affected versions. SOLUTION: Apply updates. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Billy Rios and Terry McCorkle via ICS-CERT. 2) Luigi Auriemma via ZDI. ORIGINAL ADVISORY: GE (GEIP11-01, GEIP11-03): http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14493/en_US/GEIP11-03%20Security%20Advisory%20-%20Proficy%20Historian%20Web%20Administrator.pdf http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14493/en_US/GEIP11-01%20Security%20Advisory%20-%20Proficy%20Historian%20ihDataArchiver.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-11-320 : GE Proficy iFix HMI/SCADA ihDataArchiver.exe Trusted Header Size Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-320 November 7, 2011 -- CVE ID: -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C -- Affected Vendors: GE -- Affected Products: GE Proficy Historian ihDataArchiver -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11646. -- Vendor Response: GE has issued an update to correct this vulnerability. More details can be found at: http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14493 -- Disclosure Timeline: 2011-06-02 - Vulnerability reported to vendor 2011-11-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Luigi Auriemma -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Buffer overflow in the WRF parsing functionality in the Cisco WebEx Recording Format (WRF) player T26 before SP49 EP40 and T27 before SP28 allows remote attackers to execute arbitrary code via a crafted WRF file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within atdl2006.dll. The vulnerability is caused by lack of validation when parsing WRF files. A specially crafted WRF file will cause the application to incorrectly push a size value to a memcpy, allowing for corruption of heap memory. An attacker can leverage this vulnerability to execute arbitrary code on the target system under the context of the current user. Cisco WebEx is a web conferencing solution. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. The specific flaw exists within atdl2006.dll. More details can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex - -- Disclosure Timeline: 2011-05-25 - Vulnerability reported to vendor 2011-12-07 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Aniway (Aniway.Anyway@gmail.com) - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Cisco WebEx Player WRF File Processing Vulnerabilities SECUNIA ADVISORY ID: SA46607 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46607/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46607 RELEASE DATE: 2011-10-28 DISCUSS ADVISORY: http://secunia.com/advisories/46607/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46607/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46607 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Cisco WebEx Player, which can be exploited by malicious people to compromise a user's system. SOLUTION: Update to a fixed version (Please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits TippingPoint. 2) Aniway and Anonymous via ZDI. ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-308/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The players can also be manually installed for offline playback after downloading the application from www.webex.com If the WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex Note: Effective October 18, 2011, Cisco moved the current list of Cisco Security Advisories and Responses published by Cisco PSIRT. The new location is http://tools.cisco.com/security/center/publicationListing You can also navigate to this page from the Cisco Products and Services menu of the Cisco Security Intelligence Operations (SIO) Portal. Following this transition, new Cisco Security Advisories and Responses will be published to the new location. Although the URL has changed, the content of security documents and the vulnerability policy are not impacted. Cisco will continue to disclose security vulnerabilities in accordance with the published Security Vulnerability Policy. Affected Products ================= The vulnerabilities disclosed in this advisory affect the Cisco WRF players. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Review the following table for the list of releases that contain the nonvulnerable code. Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. These build numbers are available only to WebEx site administrators. End users will see a version such as "Client build: 27.25.4.11889." This indicates the server is running software version T27 SP25 EP4. To determine whether a Cisco WebEx meeting site is running an affected version of the WebEx client build, users can log in to their Cisco WebEx meeting site and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/ downloadplayer.html. If the player is no longer needed, it can be removed using the "Mac Cisco-WebEx Uninstaller" or "Meeting Services Removal tool" available at support.webex.com/support/ downloads.html. Users can manually verify the installed version of the WRF player to determine whether it is affected by these vulnerabilities. To do so, an administrator must examine the version numbers of the installed files and determine whether the version of the file contains the fixed code. Detailed instructions on how to verify the version numbers are provided in the following sections. The following tables provide the first nonvulnerable version of each object. Microsoft Windows +---------------- Two dynamically linked libraries (DLLs) were updated on the Microsoft Windows platform to address the vulnerabilities that are described in this advisory. These files are in the folder C:\ Program Files\WebEx\Record Playback or C:\Program Files (x86)\ Webex\Record Player. The version number of a DLL can be obtained by browsing the Record Playback directory in Windows Explorer, right-clicking on the file name, and choosing Properties. The Version or Details tab of the Properties page provides details on the library version. The following table gives the first fixed version number for each DLL. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable. +----------------------------------------------------------------------------+ | Library | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 | | | EP40 | EP26 | EP9 | EP3 | | |--------------+-------------+------------+----------+----------+------------| | atas32.dll | Not | 2.6.11.0 | 2.6.21.5 | 2.6.25.0 | 2.6.28.0 | | | vulnerable | | | | | |--------------+-------------+------------+----------+----------+------------| | atdl2006.dll | 2.5.49.4000 | 2.6.1123.1 | 2.6.21.1 | 2.6.20.0 | Not | | | | | | | vulnerable | +----------------------------------------------------------------------------+ Mac +-- A package bundle was updated on the Macintosh platform to address the vulnerabilities that are described in this advisory. This file is in each user's home directory, which can be accessed in ~/Library/Application Support/WebEx Folder/824 for systems connected to servers running T26 and ~/Library/Application Support/WebEx Folder/924 for systems connected to servers running T27. The version can be obtained by browsing to the appropriate folder in Finder and control-clicking the filename. When the menu is displayed, select show package contents and then double-click the Info.plist file. The version number is shown at the bottom of the displayed table. +-------------------------------------------------------------------------------+ | Bundle | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 | | | EP40 | EP26 | EP9 | EP3 | | |-------------------+-----------+------------+-----------+----------+------------| | asplayback.bundle | 6.0.49.40 | 6.10.11.25 | 6.10.21.9 | 6.0.25.3 | 5.25.27.28 | +-------------------------------------------------------------------------------+ Linux A shared object was updated on the Linux platform to address the vulnerabilities that are described in this advisory. This file is in the ~/.webex directory. The version number of the shared object can be obtained by performing a directory listing with the ls command. The version number is provided after the .so extension. +---------------------------------------------------------------------------+ | Shared | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 | | Object | EP40 | EP26 | EP9 | EP3 | | |------------+-----------+------------+-----------+------------+------------| | atascli.so | 1.0.26.41 | 1.11.27.15 | 1.0.27.17 | 1.25.27.17 | 1.28.27.17 | +---------------------------------------------------------------------------+ Vulnerable Products +------------------ No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF file format is used to store WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players are applications that are used to play back and edit recording files (files with a .wrf extension). The WRF players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site (for stream playback mode). The WRF players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). The vulnerabilities cannot be triggered by users who are attending a WebEx meeting. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could cause the Cisco WRF player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the WRF player application. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in the following versions: * T26 SP49 EP40 * T27 FR20 * T27 SP11 EP23 * T27 SP21 EP9 * T27 SP23 * T27 SP25 EP3 * T27 SP28 The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release T27 SP22 EP9 is fixed, release T27 SP22 EP23 will also have the software fix. End users will see a version such as "Client build: 27.25.4.11889." This indicates the server is running software version T27 SP25 EP4. If a WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If a WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html. If the player is no longer needed, it can be removed using the "Mac Cisco-WebEx Uninstaller" or "Meeting Services Removal tool" available at support.webex.com/support/downloads.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- This section does not apply for vulnerabilities in Cisco WebEx products. Customers using Third Party Support Organizations +------------------------------------------------ This section does not apply for vulnerabilities in Cisco WebEx products. Customers without Service Contracts +---------------------------------- This section does not apply for vulnerabilities in Cisco WebEx products. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were reported to Cisco by TippingPoint. Cisco would like to thank TippingPoint for reporting these vulnerabilities to us. Status of this Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2011-October-26 | Initial public release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOqCUXQXnnBKKRMNARCO+aAP9IbHs1VnWKq0GY3UPgGavVWYYrypo9uR2g S1eif/eNEQD7BRMCZrBRVyqMy2c0STwOH9IN35fyqGyLtlO/Nxv4geA= =eg2S -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Control Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.The specific flaw exists within the Cas_LogDirectInsert.aspx http handler, which listens by default on TCP port 443. A specially crafted POST request allows remote attackers to supply XML and schema information which is used within queries to the backend database. By supplying malicious values, an attacker can inject themselves a user account which can be used to execute code via the management console on the service. By default, the Cas_LogDirectInsert.aspx http processor on the TCP 443 port is flawed. -- Vendor Response: Trend Micro states: http://esupport.trendmicro.com/solution/en-us/1058280.aspx Fix is posted at download center: tmcm-55-win-en-criticalpatch1422.exe http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1763&lang_loc=1 This critical patch resolves the following issue(s): Issue: A vulnerability allows an attacker to create and insert a user account which can be used to execute codes through the management console. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This critical patch imposes stricter rules for the insertion of system account relative tables to prevent attackers from inserting user accounts. Reference: http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1422.txt -- Disclosure Timeline: 2011-04-01 - Vulnerability reported to vendor 2011-07-11 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Trend Micro Control Manager "Cas_LogDirectInsert.aspx" XML Processing Vulnerability SECUNIA ADVISORY ID: SA45176 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45176/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45176 RELEASE DATE: 2011-07-13 DISCUSS ADVISORY: http://secunia.com/advisories/45176/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45176/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45176 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Trend Micro Control Manager, which can be exploited by malicious people to manipulate certain data. The vulnerability is caused due to an error in Cas_LogDirectInsert.aspx when processing certain XML and schema information. The vulnerability is reported in versions 5.0 and 5.5. SOLUTION: Apply Critical Patch 1422. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Andrea Micalizzi (rgod) via ZDI. ORIGINAL ADVISORY: Trend Micro: http://esupport.trendmicro.com/solution/en-us/1058280.aspx ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-234/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in nettransdll.dll in HistorySvr.exe (aka HistoryServer.exe) in WellinTech KingView 6.53 and 65.30.2010.18018 allows remote attackers to execute arbitrary code via a crafted op-code 3 packet. Authentication is not required to exploit this vulnerability. The specific flaw exists within the protocol parsing code inside nettransdll.dll. The parent service is called HistoryServer.exe and listens on port 777. When a packet with op-code 3 is received, the service allocates memory from the heap based on the 10th and 11th bytes of the packet (element count). Packet data is then copied into the allocated buffer based on the first two bytes of the packet (packet size). KingView is a product for building data information service platforms for industrial automation. This vulnerability can be triggered by sending a data message of more than a certain length to the TCP 777 port. KingView is prone to a heap-based buffer-overflow vulnerability because it fails to properly validate user-supplied input. Failed exploit attempts will likely result in denial-of-service conditions. KingView 65.30.2010.18018 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: KingView HistorySvr Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA47339 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47339/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47339 RELEASE DATE: 2011-12-22 DISCUSS ADVISORY: http://secunia.com/advisories/47339/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47339/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47339 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in KingView, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an unspecified error in the nettransdll.dll module of the HistorySvr component. The vulnerability is reported in version 6.53 (65.30.2010.18018). SOLUTION: Apply patch. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Luigi Auriemma via ZDI. ORIGINAL ADVISORY: KingView: http://en.wellintech.com/news/detail.aspx?contentid=166 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-355-02.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - -- Vendor Response: WellinTech has issued an update to correct this vulnerability. More details can be found at: http://www.kingview.com/news/detail.aspx?contentid=587 - -- Disclosure Timeline: 2011-11-09 - Vulnerability reported to vendor 2011-12-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) iQEcBAEBAgAGBQJO81sqAAoJEFVtgMGTo1scImgIAKikq6VqLK8P6zI5vIfUX3/I hJ2Ee4eAEB1P3qsehw3G4ZelP6uJUbxrVAl0UoyFctPQL+Jh+XkKmiJskzzTlvtz 3TfL0RZBgSnHHUnusjxdpDO7kmzIlFIMbWJgQLGaRRVTVXLukSgFws7cdAH1lo4V c64jAXagVvv9gJUHGUMemqR+tpHxSa7YRdribO/P192cc31z7wh/ybjIP7dCev9O zpH5sQ1PFgaVb8CMLxMbHiVVzCgbzJ59q/ydoG5TUo2XnDkinthQ3VNoGaeGIKWZ aLMrG+gREbfsdKBvlgzcAgAjIQHVeK8SiIZBICrVcHYFED5BQtmyKhzUJG+md/E= =BHoc -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Multiple stack-based buffer overflows in RobNetScanHost.exe in ABB Robot Communications Runtime before 5.14.02, as used in ABB Interlink Module, IRC5 OPC Server, PC SDK, PickMaster 3 and 5, RobView 5, RobotStudio, WebWare SDK, and WebWare Server, allow remote attackers to execute arbitrary code via a crafted (1) 0xA or (2) 0xE Netscan packet. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ABB WebWare. Authentication is not required to exploit this vulnerability. The specific flaw exists within RobNetScanHost.exe and its parsing of network packets accepted on port 5512. The parsing of 'Netscan' packets with opcodes 0xE and 0xA are vulnerable to a stack-based buffer overflow with a fixed allocation of 20 bytes. This vulnerability can be exploited to execute arbitrary code in the context of the service process (LocalSystem). ABB WebWare Server is a software product used primarily for production data control. RobNetScanHost.exe provided by ABB WebWare Server has security flaws. ABB WebWare Server is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will likely result in denial-of-service conditions. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: ABB Multiple Products RobNetScanHost.exe Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA48090 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48090/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48090 RELEASE DATE: 2012-02-23 DISCUSS ADVISORY: http://secunia.com/advisories/48090/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48090/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48090 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in multiple ABB products, which can be exploited by malicious people to compromise a vulnerable system. * PickMaster 3 version 3.3 and prior. * PickMaster 5 version 5.13 and prior. * WebWare SDK and ABB Interlink Module versions 4.6 through 4.9. * WebWare Server versions 4.6 through 4.91. SOLUTION: Update to a fixed version or apply patch (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma via ZDI. ORIGINAL ADVISORY: ABB: http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf ZDI: http://www.zerodayinitiative.com/advisories/ZDI-12-033/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-033 : ABB WebWare RobNetScanHost.exe Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-033 February 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: ABB - -- Affected Products: ABB WebWare - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11594. - -- Vendor Response: ABB has issued an update to correct this vulnerability. More details can be found at: http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf - -- Disclosure Timeline: 2011-10-10 - Vulnerability reported to vendor 2012-02-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) iQEcBAEBAgAGBQJPRUiZAAoJEFVtgMGTo1sc9REIAKdxGGjQNRsQBQh7OZ3Bbfz2 vbul36hrqRdCxEmV++F5LcoFSpXmRx7Wjc6FHcUKkGGbRQ7+I9zjAi4CzwubSjCY zk+G0v324lSwQ7be6bxp5kGl5UTjVDczlfyjG2K2QSPBitz/RpkhpaTDXJcBALLR lx8KOxgAT9TGEodE5pjG2R2eCeDgrV34q5+xu3hdMQYWgvdYqoL39OHw/7QMjIOT NO1hYzGpadTcRuXwDzkpsJi+Gx03DinnlJ1VjUaXPfdbnN7IpGoON7yaYkjXDBVf NHA2pvKBl0mRjevIy/uQqJpsG8KC4eR5pHdl/lTKV61vb45zAyewDo5EM9xl6J0= =DeOF -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Integer overflow in Cogent DataHub 7.1.1.63 and earlier allows remote attackers to cause a denial of service (crash) via a negative or large Content-Length value. The software incorrectly handles the Content-Length field (-1 or 4294967295) plus one, which can cause integer overflow. Cogent DataHub is software for SCADA and automation. Cogent DataHub has server/service listening ports 4052 and 4053, except that the second port uses SSL, the first one uses plaintext. The \"DH_OneSecondTick\" function has a stack-based unicode buffer overflow that can be triggered by \"domain\", \"report_domain\", \"register_datahub\", \"slave\" and other commands. Cogent DataHub is prone to multiple buffer-overflow and integer-overflow vulnerabilities. Successfully exploiting these issues may allow attackers to execute arbitrary code within the context of the privileged domain (Dom0). Failed attempts will likely cause denial-of-service conditions. Cogent DataHub 7.1.1.63 is vulnerable; other versions may also be affected

Unspecified vulnerability in HP Business Service Automation (BSA) Essentials 2.01 allows remote attackers to execute arbitrary code via unknown vectors. Very few technical details are currently available. We will update this BID as more information emerges. ---------------------------------------------------------------------- SC World Congress, New York, USA, 16 November 2011 Visit the Secunia booth (#203) and discover how you can improve your handling of third party programs: http://secunia.com/resources/events/sc_2011/ ---------------------------------------------------------------------- TITLE: HP Business Service Automation Essentials Unspecified Vulnerability SECUNIA ADVISORY ID: SA46080 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46080/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46080 RELEASE DATE: 2011-09-20 DISCUSS ADVISORY: http://secunia.com/advisories/46080/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46080/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46080 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in HP Business Service Automation Essentials, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an unspecified error. The vulnerability is reported in version 2.01. SOLUTION: Apply hotfix QCCR1D134337. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HPSBMU02705 SSRT100622: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03014398 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . References: CVE-2011-2412 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. To obtain the hotfix contact the normal HP Services support channel and request hotfix QCCR1D134337. HISTORY Version:1 (rev.1) - 19 September 2011 Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk53SIAACgkQ4B86/C0qfVn61QCgl92CaAagub2Y/QT1D9RB+5KZ q0gAoKxgSJKxSKf+z33IXS5ghqxEkrtM =4J/I -----END PGP SIGNATURE-----

Multiple directory traversal vulnerabilities in SAP NetWeaver 7.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the logfilename parameter to (1) b2b/admin/log.jsp or (2) b2b/admin/log_view.jsp in the Internet Sales (crm.b2b) component, or (3) ipc/admin/log.jsp or (4) ipc/admin/log_view.jsp in the Application Administration (com.sap.ipc.webapp.ipc) component. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a vulnerability in SAP NetWeaver. Because the input passed to the b2b/admin/log_view.jsp or b2b/admin/log.jsp script in the Internet Sales module via the \"logfilename\" parameter is missing validation before being used to display the file, it can result in arbitrary files being obtained through the directory traversal sequence. information. The SAP NetWeaver com.sap.aii.mdt.amt.web.AMTPageProcessor servlet error can be exploited to leak certain Adapter monitoring information. SAP NetWeaver is prone to multiple input-validation vulnerabilities, including: 1. A cross-site scripting vulnerability 2. Multiple information-disclosure vulnerabilities Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SAP NetWeaver Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47861 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47861/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 RELEASE DATE: 2012-02-21 DISCUSS ADVISORY: http://secunia.com/advisories/47861/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47861/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has reported some vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users and malicious people to disclose sensitive information. Successful exploitation of vulnerabilities #1 and #2 may require permission to view logs. The vulnerabilities are reported in version 7.0. Other versions may also be affected. SOLUTION: Apply SAP Security Notes 1585527 and 1583300. PROVIDED AND/OR DISCOVERED BY: Dmitriy Chastukhin, Digital Security Research Group. ORIGINAL ADVISORY: Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=412 http://dsecrg.com/pages/vul/show.php?id=413 http://dsecrg.com/pages/vul/show.php?id=414 http://dsecrg.com/pages/vul/show.php?id=415 http://dsecrg.com/pages/vul/show.php?id=416 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in Cisco Unified Communications Manager (CUCM) 5.x and 6.x before 6.1(5)SU2, 7.x before 7.1(5b)SU2, and 8.x before 8.0(3), and Cisco Unified Contact Center Express (aka Unified CCX or UCCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) before 6.0(1)SR1ES8, 7.0(x) before 7.0(2)ES1, 8.0(x) through 8.0(2)SU3, and 8.5(x) before 8.5(1)SU2, allows remote attackers to read arbitrary files via a crafted URL, aka Bug IDs CSCth09343 and CSCts44049. The problem is Bug ID CSCth09343 and CSCts44049 Problem.Expertly crafted by a third party URL Via, arbitrary files may be read. Multiple Cisco products are prone to a directory-traversal vulnerability. Exploiting this issue will allow an attacker to read arbitrary files from locations outside of the application's current directory. This could help the attacker launch further attacks. This issue is tracked by Cisco BugID CSCts44049 and CSCth09343. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2011-October-26 | Initial public release. It is possible for an attacker to use this vector to gain console access to the vulnerable node as the 'ccxcluster' user, and subsequently escalate privileges. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Cisco Multiple Products Directory Traversal Vulnerability SECUNIA ADVISORY ID: SA46600 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46600/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46600 RELEASE DATE: 2011-10-28 DISCUSS ADVISORY: http://secunia.com/advisories/46600/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46600/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46600 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in multiple Cisco products, which can be exploited by malicious people to disclose sensitive information. Certain input passed via the URL is not properly verified before being used. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: r@b13$, Digital Defense. ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm Digital Defense (DDIVRT-2011-35): http://archives.neohapsis.com/archives/fulldisclosure/2011-10/0894.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Cisco has released free software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability. The new location is: http://tools.cisco.com/security/center/publicationListing You can also navigate to this page from the Cisco Products and Services menu of the Cisco Security Intelligence Operations (SIO) Portal. Following this transition, new Cisco Security Advisories and Responses will be published to the new location. Although the URL has changed, the content of security documents and the vulnerability policy are not impacted. Cisco will continue to disclose security vulnerabilities in accordance with the published Security Vulnerability Policy. Affected Products ================= Vulnerable Products +------------------ The following Cisco UCCX versions are vulnerable: * Cisco UCCX version 6.0(x) * Cisco UCCX version 7.0(x) * Cisco UCCX version 8.0(x) * Cisco UCCX version 8.5(x) Note: Cisco UCCX versions prior to 6.0(x) reached end of software maintenance. Customers running versions prior to 6.0(x) should contact their Cisco support team for assistance in upgrading to a supported version of Cisco UCCX. Details ======= The Cisco Unified Contact Center Express is a single/two node server, integrated "contact center in a box" for use in deployments with up to 300 agents until software version 8.0(x) and 400 agents starting at version 8.5(x). An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCts44049 - UCCX vulnerable to directory traversal CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the Cisco Unified Contact Center Express or Cisco Unified IP Interactive Voice Response filesystem. Software Versions and Fixes =========================== Cisco has released free software updates that address this vulnerability. Customers should contact Cisco Technical Assistance Center (TAC) for assistance. When considering software upgrades, also consult: http://www.cisco.com/go/psirt As well as any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== There are no workarounds for this vulnerability. Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20111026-cucm-uccx. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at: http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html For additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by the Vulnerability Research Team of Digital Defense, Inc. Status of this Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2011-October-26 | Initial public release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk6oHqAACgkQQXnnBKKRMNBbTQD+N1Zs2nsqqvVjvIvMqD6wvwT2 9AtLDwrIbbHbocikIrkA/1ZWGc4wv6Z3izCnhNBwyusC+9+BUt8nN5w847FvAdm2 =UDZr -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

SQL injection vulnerability in forget.php in the management GUI in Symantec Web Gateway 4.5.x allows remote attackers to execute arbitrary SQL commands via the username parameter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the username parameter of POST requests to the forget.php script. Symantec Web Gateway is a Web security gateway hardware appliance. Attackers can obtain sensitive information or manipulate the database through SQL injection attacks. Exploiting this issue could allow an attacker to compromise the device, access or modify data, or exploit latent vulnerabilities in the underlying database. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Symantec Web Gateway Management Interface "username" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA45146 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45146/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45146 RELEASE DATE: 2011-07-09 DISCUSS ADVISORY: http://secunia.com/advisories/45146/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45146/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45146 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Symantec Web Gateway, which can be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is reported in version 4.5.x. Other versions may also be affected SOLUTION: Upgrade to version 5.0.1. PROVIDED AND/OR DISCOVERED BY: An anonymous person via ZDI. ORIGINAL ADVISORY: Symantec: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20110707_00 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-233/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -- Vendor Response: Symantec has issued an update to correct this vulnerability. More details can be found at: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110707_00 -- Disclosure Timeline: 2011-04-01 - Vulnerability reported to vendor 2011-07-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The libobby server in inc/server.hpp in libnet6 (aka net6) before 1.3.14 does not perform authentication before checking the user name, which allows remote attackers to obtain sensitive information such as server-usage patterns by a particular user and color preferences. Net6 is a simple network library. The net6 library performs certain operations before verifying the connection of user authentication information, which may result in the disclosure of part of the information of the connected user. net6 is prone to a session-hijacking vulnerability and an information-disclosure vulnerability. An attacker can exploit these vulnerabilities to obtain sensitive information, or possibly perform actions with elevated privileges. net6 1.3.13 is vulnerable; other versions may also be affected. For more information: SA46605 SOLUTION: Apply updated packages via the yum utility ("yum update net6"). ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: net6 Two Weaknesses SECUNIA ADVISORY ID: SA46605 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46605/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46605 RELEASE DATE: 2011-10-31 DISCUSS ADVISORY: http://secunia.com/advisories/46605/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46605/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46605 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Vasiliy Kulikov has reported two weaknesses in net6, which can be exploited by malicious people to disclose certain information and conduct session hijacking attacks. 2) It's possible to cause an internal ID counter to overflow, which can be exploited to e.g. hijack another user's session. The weaknesses are reported in version 1.3.13. SOLUTION: Fixed in the GIT repository. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Vasiliy Kulikov ORIGINAL ADVISORY: http://www.openwall.com/lists/oss-security/2011/10/30/3 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 1) An error in the net6 library can be exploited to e.g. For more information see weakness #1 in: SA46605 2) An error in the net6 library can be exploited to hijack another user's session. For more information see weakness #2 in: SA46605 SOLUTION: Restrict access to trusted hosts only

The Internet Streamer application in Cisco Content Delivery System (CDS) with software 2.5.7, 2.5.8, and 2.5.9 before build 126 allows remote attackers to cause a denial of service (Web Engine crash) via a crafted URL, aka Bug IDs CSCtg67333 and CSCth25341. An attacker can exploit this issue to crash the webserver, causing denial-of-service conditions. This issue is fixed in Cisco Content Delivery 2.5.9 build 126. Versions prior to 2.5.7 are not affected. This issue being tracked by Cisco bug IDs CSCtg67333 and CSCth25341. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. Vulnerable Products +------------------ To determine the software version that is running on a Cisco Content Delivery Engine, log in to the device and issue the show version command-line interface (CLI) command to display the system banner. On the same line of output, the version number will also be provided. Content Delivery System Software Release 2.5.9 (build b5 Jun 16 2010) Version: cde200-2.5.9.5 Compiled 22:10:04 Jun 16 2010 by ipvbuild Compile Time Options: KQ SS System was restarted on Wed Sep 15 06:50:22 2010. The system has been up for 1 hour, 25 minutes, 6 seconds. cdn-cde# Alternatively, the Content Delivery System Manager home page gives a brief summary of the software versions in use on all the devices in the content delivery system network. To view the software version running on a particular device, choose Devices > Devices. The Devices Table page displays the software version for each device listed. No other Cisco products are currently known to be affected by this vulnerability. The device will remain operational, and the Web Engine will restart if the attack stops. Both bugs fixes are required for a full solution. Vulnerability Scoring Details ============================= Cisco has provided a score for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtg67333/CSCth25341 ("Crafted URL may crash webengine in CDS Internet Streamer") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may cause the Web Engine of the Cisco Internet Streamer application to crash. The device will remain operational, and the Web Engine will restart if the attack stops. A sustained attack will prevent the distribution of HTML content to end users. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The recommended release contains other software fixes that are recommended by Cisco. For further information please consult the Release Notes for Cisco Internet Streamer CDS 2.5.9 at the following link: http://www.cisco.com/en/US/docs/video/cds/cda/is/2_5/release_notes/CDS_RelNotes2_5_9.html#wp100128 +------------------------------------------------------------+ | Cisco Content | | Recommended | | Delivery System | First Fixed Release | Release | | Software Release | | | |------------------+---------------------------+-------------| | 2.2.x | Not Vulnerable | | |------------------+---------------------------+-------------| | 2.3.x | Not Vulnerable | | |------------------+---------------------------+-------------| | 2.4.x | Not Vulnerable | | |------------------+---------------------------+-------------| | | Releases prior to 2.5.7 | 2.5.9 build | | 2.5.x | are not affected, first | 126 | | | fixed in 2.5.9 build 126 | | +------------------------------------------------------------+ Workarounds =========== There are no workarounds for the vulnerability documented in this security advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered when handling customer support calls. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110525-spcdn.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-May-25 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 25, 2011 Document ID: 112138 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk3dDvAACgkQQXnnBKKRMNDhVQD8CAFWUFBeDwTP/Cx9FZLIZtla UnpJ3ZyjDOZy25FNYNsA/3J4ic+L+7s6R+Dh8nGs/xIHVOuFJPZklPMRNcuUwfLs =0iXv -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Alerts when vulnerabilities pose a threat to your infrastructure The enhanced reporting module of the Secunia Vulnerability Intelligence Manager (VIM) enables you to combine advisory and ticket information, and generate policy compliance statistics. Using your asset list preferences, customised notifications are issued as soon as a new vulnerability is discovered - a valuable tool for documenting mitigation strategies. Watch our quick solution overview: http://www.youtube.com/user/Secunia#p/a/u/0/M1Y9sJqR2SY ---------------------------------------------------------------------- TITLE: Cisco Content Delivery System Internet Streamer URL Processing Denial of Service Vulnerability SECUNIA ADVISORY ID: SA44727 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44727/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44727 RELEASE DATE: 2011-05-27 DISCUSS ADVISORY: http://secunia.com/advisories/44727/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44727/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44727 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco Content Delivery System, which can be exploited by malicious people to cause a DoS (Denial of Service). SOLUTION: Update to version 2.5.9 build 126. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110525-spcdn.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow. Cisco Unified Operations Manager and CiscoWorks LAN Management Solution Used in Cisco Unified Service Monitor Contains a vulnerability that allows arbitrary code execution. The problem is Bug ID CSCtn42961 and CSCtn64922 It is a problem.Skillfully crafted by a third party TCP port 9002 Arbitrary code could be executed via packets. Authentication is not required to exploit this vulnerability.The flaw exists within the brstart.exe service which listens by default on TCP port 9002. When handling an add_dm request the process uses a user provided value to allocate a buffer then blindly copies user supplied data into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the casuser user. Multiple EMC Ionix applications are prone to a buffer-overflow vulnerability. Successful exploits will result in the complete compromise of affected applications. Failed exploit attempts will result in a denial-of-service condition. The following applications are affected. Ionix Application Connectivity Monitor (Ionix ACM) version 2.3 and prior Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) version 3.2.0.2 and prior Ionix IP Management Suite (Ionix IP) version 8.1.1.1 and prior Ionix IPv6 Management Suite (Ionix IPv6) version 2.0.2 and prior Ionix MPLS Management Suite (Ionix MPLS) version 4.0.0 and prior Ionix Multicast Manager (Ionix MCAST) version 2.1 and prior Ionix Network Protocol Management Suite version (Ionix NPM) 3.1 and prior Ionix Optical Transport Management Suite version (Ionix OTM) 5.1 and prior Ionix Server Manager (EISM) version 3.0 and prior Ionix Service Assurance Management Suite (Ionix SAM) version 8.1.0.6 and prior Ionix Storage Insight for Availability Suite (Ionix SIA) version 2.3.1 and prior Ionix VoIP Availability Management Suite (Ionix VoIP AM) version 4.0.0.3 and prior. Details ======= CiscoWorks LAN Management Solution is an integrated suite of management functions that simplifies the configuration, administration, monitoring, and troubleshooting of a network. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2011-029: Buffer overflow vulnerability in multiple EMC Ionix products. EMC will communicate the fixes for all other affected products as they become available. Regularly check EMC Knowledgebase solution emc274245 for the status of these fixes. Link to remedies: Registered EMC Powerlink customers can download software from Powerlink. For EMC Ionix Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads E-I Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045. Credits: EMC would like to thank Abdul Aziz Hariri working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue. For explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Cisco has released free software updates that address these vulnerabilities. There are no workarounds available to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml Note: CiscoWorks LAN Management Solution is also affected by these vulnerabilities. The Software Update page displays the licensing and software version. They provides a way to continuously monitor active calls supported by the Cisco Unified Communications System. Both of these vulnerabilities are documented in Cisco bug ID CSCtn42961 ( registered customers only) and have been assigned CVE ID CVE-2011-2738. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-201100914-cusm-lms.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were reported to Cisco by ZDI and discovered by AbdulAziz Hariri. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2011-September-14 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOb9w/QXnnBKKRMNARCBomAP9pCiRwCB8z3oe3IWB2XXNzeaQxAwoq0gQ4 6znwu3lLSAD/Y6o+u8AofSMxkj3THWIdpbjVXKQXMal/BhxDhN5fsI8= =Ybok -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Multiple cross-site request forgery (CSRF) vulnerabilities on the eAccess Pocket WiFi (aka GP02) router before 2.00 with firmware 11.203.11.05.168 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) initialize settings or (2) reboot the device. Pocket WiFi (GP02) contains a cross-site request forgery vulnerability. Pocket WiFi (GP02) provided by eAccess Ltd. is a mobile wireless LAN router. Pocket WiFi (GP02) contains a cross-site request forgery vulnerability. Naoto Katsumi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, settings of Pocket WiFi (GP02) may be initialized, or Pocket WiFi (GP02) may be rebooted. Successful exploits can result in privileged commands running on the affected devices, including changing settings and rebooting the device. This may lead to further network-based attacks. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Emobile Pocket WiFi GP02 Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA47795 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47795/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47795 RELEASE DATE: 2012-02-01 DISCUSS ADVISORY: http://secunia.com/advisories/47795/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47795/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47795 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Emobile Pocket Wifi GP02, which can be exploited by malicious people to conduct cross-site request forgery attacks. The device's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change settings and reboot the device by tricking a logged in user into visiting a malicious web site. SOLUTION: Install update. Please see the vendor's link for details. PROVIDED AND/OR DISCOVERED BY: JVN credits Naoto Katsumi, LAC Co. ORIGINAL ADVISORY: JVN (English): http://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000010.html http://jvn.jp/en/jp/JVN33021167/index.html JVN (Japanese): http://jvn.jp/jp/JVN33021167/index.html Emobile: http://emobile.jp/topics/info20120201_01.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 allows remote attackers to execute arbitrary code via a crafted 0x15 (aka Remove File) operation for a file with a long name. Authentication is not required to exploit this vulnerability.The flaw exists within the CEServer component which is used as a runtime dependency for applications deployed using Indusoft WebStudio. When handling the Remove File operation (0x15) the process blindly copies user supplied data to a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser. InduSoft Web Studio is a powerful and complete graphics control software that includes tools for developing Human Machine Interface (HMI), Management Control, Data Acquisition System (SCADA) and embedded control. This vulnerability exists in the CEServer component. Successful exploitation of the vulnerability can be applied. Failed attacks will likely cause denial-of-service conditions. InduSoft Web Studio 6.1 and 7.0 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-11-329 : InduSoft WebStudio CEServer Operation 0x15 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-329 November 16, 2011 - -- CVE ID: CVE-2011-4052 - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: Indusoft - -- Affected Products: Indusoft WebStudio - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11473. - -- Vendor Response: Indusoft has issued an update to correct this vulnerability. More details can be found at: http://www.indusoft.com/hotfixes/hotfixes.php - -- Disclosure Timeline: 2011-04-27 - Vulnerability reported to vendor 2011-11-16 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) iQEcBAEBAgAGBQJOw/OyAAoJEFVtgMGTo1sc2YUH+gP/cuGw73puMBaLm0tVCIYX 5/oLkfc95efUB/iDPiz6lwGpuXV7DhS38nDzjwI2StJYMFqqbox1PtBot1eLvXHO 0td+uYQu5IxqJON0GM5IzwUFofsC2NO/go8riPCjNkBlHdJrUoTejKmVqZMRNmB4 ytGkVuASAL6/yA19JXGlTvrf3npIOsWStuhRaOCyAXlQV2M4J8+3CXixTwmuPjeN bn2IUmW5aXYDpcUpHb7m4FTyH16TGHTt0DmqWgyW5q0pCRp23NKNPdEzBQtA+y2K Jj3ndSNFLENTWMgwGE5V+r5Lkn83YJ928dFSrSjYUHOH5sgxxgPZxgiPBFkj7os= =m2zu -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: InduSoft Web Studio CEServer Security Bypass and Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA46871 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46871/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46871 RELEASE DATE: 2011-11-16 DISCUSS ADVISORY: http://secunia.com/advisories/46871/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46871/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46871 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue and a vulnerability have been reported in InduSoft Web Studio, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system. 1) An error within the remote agent component (CEServer.exe) when processing incoming requests can be exploited to bypass the authentication mechanism. The security issue and the vulnerability are reported in versions prior to 7.0 Service Pack 1 Patch 1. SOLUTION: Apply Service Pack 1 Patch 1. PROVIDED AND/OR DISCOVERED BY: The vendor credits Luigi Auriemma via ZDI. ORIGINAL ADVISORY: InduSoft: http://www.indusoft.com/hotfixes/hotfixes.php ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-319-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101. Authentication is not required to exploit this vulnerability.The specific flaw exists within CmdProcessor.exe service running on TCP port 20101. The vulnerable function is the CGenericScheduler::AddTask function of cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet, controlled data is copied into a 256-byte stack buffer. This can be exploited to execute remote code under the context of the user. Trend Micro Control Manager (TMCM) is a centralized security management console from Trend Micro that enables unified coordination of Trend Micro products and services. Failed attacks will cause denial-of-service conditions. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Trend Micro Control Manager "CGenericScheduler::AddTask()" Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA47114 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47114/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47114 RELEASE DATE: 2011-12-08 DISCUSS ADVISORY: http://secunia.com/advisories/47114/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47114/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47114 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Trend Micro Control Manager, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "CGenericScheduler::AddTask()" function in cmdHandlerRedAlertController.dll when handling certain IPC packets. The vulnerability is reported in version 5.5. SOLUTION: Update to version 5.5.0.1613. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma via ZDI. ORIGINAL ADVISORY: Trend Micro: http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1613.txt ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-345/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-11-345 : TrendMicro Control Manager CmdProcessor.exe AddTask Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-345 December 7, 2011 - -- CVE ID: - -- CVSS: 9.7, AV:N/AC:L/Au:N/C:C/I:P/A:C - -- Affected Vendors: Trend Micro - -- Affected Products: Trend Micro Control Manager - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11469. More details can be found at: http://downloadcenter.trendmicro.com/index.php?prodid=7 - -- Disclosure Timeline: 2011-04-04 - Vulnerability reported to vendor 2011-12-07 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) iQEcBAEBAgAGBQJO3+GTAAoJEFVtgMGTo1sc5ccIAJ3q7sFo1wZYonvkXdF9DoQL VasDMEdu+0W3wy+NllFJAMXGTnxnLlnZ/rpV4be90eEE2m8iQ23SDJLrXR4JsyRN rN5LEHGJL0Ijyphq4gy7FRNMu6/eoaJSP5TEhnNcGXAvBb4MblyKcIDfmTgn2fhO QSfM022Xce6Q9pVnfymQLHLnsSt48b7uGJY4G2cGe9Ao0gi3uPyB5qvK6osOTtof 7f9rZ8mNXRGutfNUYWiB0xlOSqJBiufj1ukVHQ4eScBsGHhHeOJNT+kepiUVASum /m7LC8i6JqA9wpVgDV/Od1fFYzsyTwhYdamlW8ULI/Caj1MYQopEl2Zy3bcbRX8= =VzVD -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Vtiger CRM is a web-based open source customer relationship management system. There are multiple cross-site scripting vulnerabilities in vtiger CRM. Because the program fails to properly filter user-supplied input, an attacker could exploit this vulnerability to execute arbitrary script code in a trusted user's browser in the affected site context, stealing cookie-based authentication and initiating other attacks. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected. vtiger CRM is a free, full-featured, 100% Open Source CRM softwareideal for small and medium businesses, with low-cost product support availableto production users that need reliable support.vtiger CRM suffers from a XSS vulnerability when parsing user input tothe '_operation' and 'search' parameters via GET method in '/modules/mobile/index.php'script. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: vtiger CRM "default_user_name" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA42304 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42304/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42304 RELEASE DATE: 2010-11-18 DISCUSS ADVISORY: http://secunia.com/advisories/42304/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42304/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42304 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been discovered in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the "default_user_name" parameter to index.php (when "module" is set to "Users" and "action" is set to "Login") is not properly sanitised in modules/Users/Login.php before being returned to the user. The vulnerability is confirmed in version 5.2.1. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi ORIGINAL ADVISORY: Giovanni Pellerano and Alessandro Tanasi: http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------