[TZO-27-2009] Firefox Denial of Service (Keygen)

Posted in Uncategorized on May 30, 2009 by he3x

________________________________________________________________________

From the very-low-hanging-fruit-department
Firefox Denial of Service (KEYGEN)
________________________________________________________________________

Release mode: Forced release.
Ref        : [TZO-27-2009] – Firefox Denial of Service (KEYGEN)
WWW        : http://blog.zoller.lu/2009/04/advisory-firefox-denial-of-service.html
Vendor      : http://www.firefox.com
Status      : No patch
CVE        : none provided
Credit      : none
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=469565

Security notification reaction rating : There wasn’t any appropriate reaction.
Notification to patch window : x+n

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- Firefox 3.0.10 (Windows)
- Likely : All Firefox versions supporting the KEYGEN tag.

Survey: “MIME/Content-Type-Sniffing” Issues in Image Uploads in Forum Scripts

Posted in Uncategorized on May 30, 2009 by he3x

Survey: “MIME/Content-Type-Sniffing” Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau

Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked into treating images
as HTML, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.

I Introduction
====================================================
MIME or content-type sniffing[1] is a standard browser feature for finding
an appropriate way to render data when the HTTP headers sent by the server are
either inconclusive or missing. Internet Explorer in particular is known to use
this technique even in cases where the server sends a specific Content-Type
header[2].
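The server-side check the surveyed forum scripts evidently lack, added here as an example (it is not code from the survey or from any of the named forum packages). It accepts an upload only if the bytes begin with a known image signature, the client-declared type agrees with those bytes, and no HTML tag appears in the leading window a sniffing browser would inspect. The window size, the signature list, the tag list and the sample blobs are choices made for this example; note that a valid image header alone is not enough, since IE6/7 still rendered a GIF header followed by markup as HTML, and that X-Content-Type-Options: nosniff is only honoured from IE8 onward, so for the older versions the byte checks are the whole defence.

```python
import re
import struct
import zlib
from typing import Dict, Optional, Tuple

# Magic bytes for the image types a forum typically allows. A match here is
# necessary but not sufficient: IE6/7 still sniffed for HTML in a response
# whose bytes begin with a valid image header.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",          # GIF87a and GIF89a
    "image/jpeg": b"\xff\xd8\xff",
}

# Leading bytes to scan. Assumption for this example: a generous window that
# comfortably covers the few hundred bytes historical sniffers looked at.
SNIFF_WINDOW = 1445

# Tag names whose presence (opening or closing) near the start of the file is
# treated as HTML. The list is a choice for this example.
HTML_MARKERS = re.compile(
    rb"<\s*/?(?:!doctype|html|head|body|script|iframe|frameset|object|embed|"
    rb"svg|img|meta|link|style|title|table|div|p|br|a|font|form)\b",
    re.IGNORECASE,
)


def signature_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, sig in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return mime
    return None


def contains_html_marker(data: bytes) -> bool:
    """True if a tag-like HTML marker occurs inside the sniffing window."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def validate_image_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Decide whether an uploaded blob may be stored and served as an image.

    declared_type is the Content-Type the client sent with the multipart part;
    it is checked for consistency with the bytes but never trusted on its own.
    Returns (accepted, detected_mime_or_rejection_reason).
    """
    actual = signature_type(data)
    if actual is None:
        return False, "no recognised image signature"
    if declared_type.lower() != actual:
        return False, f"declared {declared_type} but bytes look like {actual}"
    if contains_html_marker(data):
        return False, "html markup inside the sniffing window"
    return True, actual


EXTENSION_FOR = {"image/png": "png", "image/gif": "gif", "image/jpeg": "jpg"}


def stored_filename(token: str, mime: str) -> str:
    """Name the stored file from a server-generated token and the *detected*
    type, so the user-supplied name and extension never reach the filesystem."""
    return f"{token}.{EXTENSION_FOR[mime]}"


def serve_headers(mime: str, filename: str) -> Dict[str, str]:
    """Headers for serving a stored upload. nosniff is honoured by IE8+ and
    other modern browsers; it does nothing for IE6/7."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{filename}"',
    }


# Constructed sample inputs (not real uploads): a minimal 1x1 PNG header and
# a GIF signature followed by markup, the shape that passes extension and
# magic-byte checks yet is rendered as HTML by a sniffing browser.
_ihdr = b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
SAMPLE_PNG = (IMAGE_SIGNATURES["image/png"] + struct.pack(">I", 13) + _ihdr
              + struct.pack(">I", zlib.crc32(_ihdr)))
POLYGLOT_GIF = b"GIF89a" + b"<html><body><script>alert(1)</script></body></html>"

if __name__ == "__main__":
    for label, blob, declared in [("png", SAMPLE_PNG, "image/png"),
                                  ("polyglot", POLYGLOT_GIF, "image/gif"),
                                  ("mismatch", SAMPLE_PNG, "image/gif")]:
        print(label, validate_image_upload(blob, declared))
```

The marker scan can reject a legitimate image whose compressed data happens to contain a tag-like byte sequence; re-encoding every accepted upload through an image library removes that false positive and any embedded markup at the same time, at the cost of a dependency this stdlib-only example avoids.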

Call For Papers – ACM CCS 2009 Workshops

Posted in Uncategorized on May 30, 2009 by he3x

========================================================================
Please excuse multiple copies of this message.
========================================================================
Call for Papers: ACM CCS WORKSHOPS

co-located with the
16th ACM Conference on Computer and Communications Security (CCS) 2009

Nov. 9, 2009 – Nov. 13, 2009 — Chicago, IL, USA
http://www.sigsac.org/ccs/CCS2009/

================================================================================
*** Workshop submissions due: June 12, 2009 ***
[ please check individual workshop pages for possible deadline extensions ]

================================================================================
Workshop on Assurable & Usable Security Configuration (SafeConfig)
http://www.arc.cs.depaul.edu/~ehab/ccs/safeconfig09/

Novell Groupwise fails to properly sanitize emails.

Posted in Uncategorized on May 30, 2009 by he3x

Affected product
—————-

Novell Groupwise webaccess
Affected software: 7.x and 8.0

Vulnerability details
———————

Groupwise WebAccess implements a security parser designed to prevent embedded scripts in HTML emails from executing in the user's browser.
Unfortunately this parser fails to recognize some unusual but valid syntaxes, such as the one used in the example shown below, allowing a maliciously crafted email to run its payload in the context of the user's session.
All the configuration options of a user's mailbox, including proxy and rule lists, are therefore exposed to illegitimate modification and will easily grant an attacker read/write access to the victim's mailbox.
Malicious code could well be designed as a worm and spread itself using its victims' address books, taking over all of a company's mailboxes one after another.
Even though the account's password can't be extracted or changed through a direct call to the configuration tools,
other indirect attacks remain available, such as a fake re-login page prompting victims to give up their password.

The following harmless code uses an onload() event handler to bootstrap its payload as soon as the email is opened.
The first stage of this script extracts the session token (User.Context) from the current document's URI and uses it
to build the second stage.
The second stage injects an iframe into the current page which in turn calls the signature configuration interface and changes the user's signature on the fly.
This example uses a fake target, 'gwwa.victim.com', which must be replaced with a real server address/name.
Here, the security parser won't recognize "onload = 'javascript:..." as potentially unsafe simply because of the space characters.
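The bypass described above is the signature of a filter that matches the literal text of a handler name rather than its tokenised meaning. Added here as an example (it is neither Novell's parser nor the advisory author's code): a substring blocklist of the kind that misses "onload = '...'", beside an auditor built on Python's html.parser, which lowercases attribute names, tolerates whitespace around "=" and decodes character references in attribute values, so the spaced handler, an upper-cased one and a "java&#09;script:" URL all surface as the same finding. The tag and attribute lists and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List

# What a substring blocklist typically looks like: it only fires when the
# handler name is immediately followed by "=".
NAIVE_BLOCKLIST = re.compile(r"on(?:load|error|click|mouseover|focus)=", re.IGNORECASE)


def naive_filter_flags(markup: str) -> bool:
    """Return True if the naive substring filter would reject the markup."""
    return NAIVE_BLOCKLIST.search(markup) is not None


# Elements that run script regardless of attributes, and attributes that take
# a URL and therefore accept a javascript: scheme. Lists chosen for this example.
SCRIPT_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "data", "formaction"}


@dataclass
class Finding:
    tag: str
    attr: str
    value: str
    reason: str


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside the scheme, so
    # "java\tscript:" is live; normalise before comparing.
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.startswith("javascript:") or compact.startswith("vbscript:")


class ScriptVectorAuditor(HTMLParser):
    """Tokenises markup and records every element or attribute that could
    execute script. Because HTMLParser normalises attribute names, accepts
    whitespace around "=" and unescapes character references, the variants a
    substring filter misses all collapse to the same shape here."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_TAGS:
            self.findings.append(Finding(tag, "", "", "script-tag"))
        for name, value in attrs:
            value = value or ""          # valueless attributes arrive as None
            if name.startswith("on"):
                self.findings.append(Finding(tag, name, value, "event-handler"))
            elif name in URL_ATTRS and _is_script_url(value):
                self.findings.append(Finding(tag, name, value, "script-url"))


def find_script_vectors(markup: str) -> List[Finding]:
    """Parse the markup and return every script vector found, in document order."""
    auditor = ScriptVectorAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample messages (not taken from the advisory).
SAMPLES = {
    "spaced handler": "<body onload = 'javascript:alert(1)'>",
    "plain handler": "<img src=x onerror=alert(1)>",
    "encoded scheme": '<a href="java&#09;script:alert(1)">x</a>',
    "benign": "<p class='sig'>Regards, Alice</p>",
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(f"{label:15} naive={naive_filter_flags(markup)!s:5} "
              f"parser={[f.reason for f in find_script_vectors(markup)]}")
```

A mail gateway that only needs a yes/no decision can reject any message for which find_script_vectors returns a non-empty list; a sanitiser that rewrites the message would drop exactly those attributes and elements at the same point in the token stream, rather than pattern-matching the raw text.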

Pinnacle Studio 12 “Hollywood FX Compressed Archive” (.hfz) directory traversal vulnerability poc

Posted in Uncategorized on May 30, 2009 by he3x

<?php
/*
Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory
traversal vulnerability poc
by Nine:Situations:Group::pyrokinesis

Our site: http://retrogod.altervista.org/
Software site: http://www.pinnaclesys.com/

Some keys exported from the registry:

[HKEY_CLASSES_ROOT\.hfz]
@="hfzfile"

[HKEY_CLASSES_ROOT\.hfz\hfzfile]

[HKEY_CLASSES_ROOT\.hfz\hfzfile\ShellNew]

[HKEY_CLASSES_ROOT\hfzfile]
@="Hollywood FX Compressed Archive"

(GET var 'id') BLIND SQL INJECTION EXPLOIT --Dog Pedigree Online Database v1.0.1-Beta -->

Posted in Uncategorized on May 30, 2009 by he3x

#!/usr/bin/perl
#
#
#------------------------------------------------------------------------------------------
#(GET var 'id') BLIND SQL INJECTION EXPLOIT --Dog Pedigree Online Database v1.0.1-Beta -->
#------------------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://thewhippetarchives.net/twa_is_offline.php
#-->DOWNLOAD: http://sourceforge.net/projects/dogarchive
#-->DEMO: N/A
#-->CATEGORY: Genealogy
#-->DESCRIPTION: This project allows you to set up and maintain a database for
#        collecting (dog) pedigrees. The data will actually be collected...
#-->RELEASED: 2009-01-25
#
#CMS VULNERABILITY:
#
#-->TESTED ON: firefox 3
#-->DORK: inurl:"printable_pedigree.php"
#-->CATEGORY: BLIND SQL INJECTION EXPLOIT
#-->AFFECT VERSION: <= 1.0.1 Beta
#-->Discovered Bug date: 2009-05-08
#-->Reported Bug date: 2009-05-08
#-->Fixed bug date: 2009-05-12
#-->Info patch (v1.0.2): http://sourceforge.net/projects/dogarchive/
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
#-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, little one!)

[USN-777-1] Ntp vulnerabilities

Posted in USN on May 30, 2009 by he3x

===========================================================
Ubuntu Security Notice USN-777-1              May 19, 2009
ntp vulnerabilities
CVE-2009-0159, CVE-2009-1252
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

(GET vars 'x' & 'y') ADMIN FUNCTION EXECUTION --Jorp v-1.3.05.09 -->

Posted in Uncategorized on May 30, 2009 by he3x

--------------------------------------------------------------------
(GET vars 'x' & 'y') ADMIN FUNCTION EXECUTION --Jorp v-1.3.05.09 -->
--------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://jorp.sourceforge.net/
-->DOWNLOAD: http://jorp.sourceforge.net/
-->DEMO: http://jorp.short-stack.net/demo/
-->CATEGORY: Project Management
-->DESCRIPTION: Jorp is a simple, web-based project management system.
It allows you to keep track of projects, tasks, clients,...
-->RELEASED: 2009-05-07

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: "2009 Jorp"
-->CATEGORY: ADMIN FUNCTION EXECUTION
-->AFFECT VERSION: 1.3.05.09 (maybe <= ?)
-->Discovered Bug date: 2009-05-09
-->Reported Bug date: 2009-05-09
-->Fixed bug date: 2009-05-12
-->Info patch: http://jorp.sourceforge.net/
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, little one!)