Real Estate CRM Pro from IT Ways version 5.7 appears to suffer from a remote SQL injection vulnerability that can allow for authentication bypass.
Red Hat Security Advisory 2012-1151-01 - OpenLDAP is an open source suite of LDAP applications and development tools. It was found that the OpenLDAP server daemon ignored olcTLSCipherSuite settings. This resulted in the default cipher suite always being used, which could lead to weaker than expected ciphers being accepted during Transport Layer Security negotiation with OpenLDAP clients.
This Metasploit module exploits a stack-based buffer overflow vulnerability in versions 4.3.2.0 and below of Irfanview's JPEG2000.dll plugin. This exploit has been tested on a specific version of Irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways: the user can double click the file, use the file dialog, open it via the icon, or drag/drop the file into Irfanview's window. An egg hunter is used for stability.
Mandriva Linux Security Advisory 2012-096 - Multiple vulnerabilities have been discovered and corrected in python. The _ssl module would always disable the CBC IV attack countermeasure. A flaw was found in the way the Python SimpleHTTPServer module generated directory listings. An attacker able to upload a file with a specially-crafted name to a server could possibly perform a cross-site scripting attack against victims visiting a listing page generated by SimpleHTTPServer for a directory containing the crafted file. A race condition was found in the way the Python distutils module set file permissions during the creation of the .pypirc file. Various other issues were also addressed.
It is an important and little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition: attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file. Proof of concept code included.
This Metasploit module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection, this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). Please note that in order to use the injection, you must manually pick a page first that allows you to add a comment, and then set it as 'PAGE'.
Whitepaper called The Source Is A Lie. Backdoors have always been a concern of the security community. In recent years the idea of not trusting the developer has gained momentum and manifested itself in various forms of source code review. For Java, being one of the most popular programming languages, numerous tools and papers have been written to help during reviews. While these tools and techniques are being developed further, they usually focus on traditional programming paradigms. Modern concepts like Aspect Oriented Programming or the Java Reflection API are left out. Especially the use of Java’s Reflection API in conjunction with the lesser known “string pool” can lead to a new kind of backdoor. This backdoor hides itself from the unwary reviewer by disguising its access to critical resources like credentials through indirection. To raise awareness about this particular kind of backdoor, this paper will provide a short introduction to the string pool, show how reflection can be used to manipulate it, demonstrate how a backdoor can abuse this, and discuss how it can be uncovered.
Mathematica on Linux uses the /tmp/MathLink directory in insecure ways that can allow for account takeover. The problem was made worse by later versions as the addendum states. As of 02/08/2013, the author has noted that this problem is still present in version 9.0.1. As of 08/27/2014, the author has noted that this problem is still present in version 10.0.0 for the GUI interface.
Many people use telecommunications-provided SMTP to SMS/MMS gateways to send out sensitive data. This paper looks into the encryption (or lack thereof) offered by these types of public access SMTP to SMS/MMS gateways and services.
Mu Dynamics has discovered vulnerabilities in GnuTLS and Libtasn1. The block cipher decryption logic in GnuTLS assumed that a record containing any data which was a multiple of the block size was valid for further decryption processing, leading to a heap corruption vulnerability. Various functions using the ASN.1 length decoding logic in Libtasn1 were incorrectly assuming that the return value from asn1_get_length_der is always less than the length of the enclosing ASN.1 structure, which is only true for valid structures and not for intentionally corrupt or otherwise buggy structures.
RelativeLink.sh in Tor browser bundle has a small typo causing debug mode to be always turned on. This, in turn, may log sensitive information like domain names.
Onapsis Security Advisory - Several ways to gather information exist in the JDENET service. By sending specific types of messages, it is possible to access technical information about the system's configuration.
Red Hat Security Advisory 2012-0322-01 - These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions. It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Red Hat Security Advisory 2012-0135-01 - These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions. It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Red Hat Security Advisory 2012-0095-01 - Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures and an interpreter for Portable Document Format files. An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used. If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code.
This Metasploit module exploits a SIP username enumeration vulnerability in Asterisk. It performs a REGISTER scan for numeric peer usernames having a nat setting different from the global sip nat setting. It works even when alwaysauthreject=yes. For this exploit to work, the source port cannot be 5060.
Ubuntu Security Notice 1254-1 - It was discovered that CVE-2011-3004, which addressed possible privilege escalation in addons, also affected Thunderbird 3.1. An attacker could potentially exploit a user who had installed an add-on that used loadSubscript in vulnerable ways. Yosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. It may be possible to trigger this crash without the use of debugging APIs, which might allow malicious websites to exploit this vulnerability. An attacker could possibly use this flaw to steal data or inject malicious scripts into web content. Various other issues were also addressed.
Ubuntu Security Notice 1251-1 - It was discovered that CVE-2011-3004, which addressed possible privilege escalation in addons, also affected Firefox 3.6. An attacker could potentially exploit Firefox when an add-on was installed that used loadSubscript in vulnerable ways. Yosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. A malicious website could possibly use this flaw to steal data or inject malicious scripts into web content. Various other issues were also addressed.
Packet Storm Widget is a Mac OS X widget that allows users to see all the latest news from packetstormsecurity.org. A user can choose between different kinds of news to see: All of the Latest Content, Latest News, Latest Files, Latest 0 Days, Latest Vulnerabilities and Latest Exploits. This allows a user to always keep up to date on their favorite security topics. Please note that this was *not* created by Packet Storm Security and questions should be directed to the author. This should run on Leopard, Snow Leopard, Lion and Tiger.
FreeBSD Security Advisory - When a UNIX-domain socket is attached to a location using the bind(2) system call, the length of the provided path is not validated. Later, when this address is returned via other system calls, it is copied into a fixed-length buffer. A local user can cause the FreeBSD kernel to panic. It may also be possible to execute code with elevated privileges ("gain root"), escape from a jail, or to bypass security mechanisms in other ways.
Import address table (IAT) hooking is a well-documented technique for intercepting calls to imported functions. However, most methods rely on suspicious API functions and leave several easy-to-identify artifacts. This paper explores different ways IAT hooking can be employed while circumventing common detection mechanisms.
Mandriva Linux Security Advisory 2011-116 - The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Whitepaper called Web Application Finger Printing - Methods/Techniques and Prevention. This paper discusses how automated web application fingerprinting is performed, the visible shortcomings in the approach, and then discusses ways to avoid it.
Debian Linux Security Advisory 2254-2 - Jamie Strandboge noticed that the patch proposed to fix CVE-2011-1760 in OProfile was incomplete. OProfile is a performance profiling tool which is configurable by opcontrol, its control utility. Stephane Chauveau reported several ways to inject arbitrary commands in the arguments of this utility. If a local unprivileged user is authorized by the sudoers file to run opcontrol as root, this user could use the flaw to escalate his privileges.
Red Hat Security Advisory 2011-0918-01 - cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that cURL always performed credential delegation when authenticating with GSSAPI. A rogue server could use this flaw to obtain the client's credentials and impersonate that client to other servers that are using GSSAPI. Users of curl should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libcurl must be restarted for the update to take effect. Various other issues were also addressed.
Asterisk Project Security Advisory - Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system.