Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 1 December 2010
Source:
SecurityVulns ID: 11274
Type: remote
Severity level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: PHPMYADMIN : phpMyAdmin 3.3
 BTNET : BugTracker.NET 3.4
 ELXIS : Elxis CMS 2009.2
 DIGITALUS : Digitalus 1.10
 PANDORA : PandoraFMS 3.1
 WERNHART : Wernhart Guestbook 2001.03
 ORBISCMS : Orbis CMS 1.0
 FABRICAENGINE : Fabrica Engine 2.1
 BRAVENEWCODE : BraveNewCode 1.9
 DYNPG : DynPG 4.2
 ECLIME : Eclime 1.1
 LINKPROTECT : Link Protect 1.2
 APACHE : Archiva 1.3
 ALGUEST : Alguest 1.1
CVE: CVE-2010-4329 (Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request.)
 CVE-2010-4283 (PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter.)
 CVE-2010-4282 (Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.)
 CVE-2010-4281 (Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.)
 CVE-2010-4280 (Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php.)
 CVE-2010-4279 (The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.)
 CVE-2010-4278 (operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php.)
 CVE-2010-3449 (Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the authentication of administrators for requests that modify credentials.)
 CVE-2010-3267 (Multiple SQL injection vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the qu_id parameter to bugs.aspx, (2) the row_id parameter to delete_query.aspx, the (3) new_project or (4) us_id parameter to edit_bug.aspx, or (5) the bug_list parameter to massedit.aspx. NOTE: some of these details are obtained from third party information.)
 CVE-2010-3266 (Multiple cross-site scripting (XSS) vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via (1) the pcd parameter to edit_bug.aspx, (2) the bug_id parameter to edit_comment.aspx, (3) the id parameter to edit_user_permissions2.aspx, or (4) the default_name parameter to edit_customfield.aspx. NOTE: some of these details are obtained from third party information.)
Original texts:
 Aliaksandr Hartsuyeu, [eVuln.com] Multiple XSS in Alguest (01.12.2010)
 MANDRIVA, [ MDVSA-2010:244 ] phpmyadmin (01.12.2010)
 APACHE, [CVE-2010-3449] Apache Archiva CSRF Vulnerability (01.12.2010)
 Alen Pagnien, Link Protect 1.2 XSS Vulnerabilities (01.12.2010)
 High-Tech Bridge Security Research, XSS in WPTouch wordpress plugin (01.12.2010)
 High-Tech Bridge Security Research, SQL Injection in Elxis CMS (01.12.2010)
 High-Tech Bridge Security Research, SQL Injection in Elxis CMS (01.12.2010)
 High-Tech Bridge Security Research, SQL Injection in DynPG (01.12.2010)
 High-Tech Bridge Security Research, Path disclosure in DynPG (01.12.2010)
 High-Tech Bridge Security Research, LFI in DynPG (01.12.2010)
 High-Tech Bridge Security Research, SQL Injection in Eclime (01.12.2010)
 High-Tech Bridge Security Research, SQL Injection in Enano CMS (01.12.2010)
 High-Tech Bridge Security Research, Path disclosure in Enano CMS (01.12.2010)
 High-Tech Bridge Security Research, SQL Injection in Eclime (01.12.2010)
 High-Tech Bridge Security Research, XSS in Eclime (01.12.2010)
 High-Tech Bridge Security Research, SQL Injection in Eclime (01.12.2010)
 MustLive, Vulnerabilities in Fabrica Engine (01.12.2010)
 Alen Pagnien, OsCSS Remote File Upload Exploit (01.12.2010)
 Alen Pagnien, OsCSS 1.2.2a Authentication Bypass (01.12.2010)
 Alen Pagnien, DibaCommerce Authentication Bypass (01.12.2010)
 Mark Stanislav, 'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313) (01.12.2010)
 Aliaksandr Hartsuyeu, [eVuln.com] Multiple XSS inj in Wernhart Guestbook (01.12.2010)
 Aliaksandr Hartsuyeu, [eVuln.com] Multiple SQL injections in Wernhart Guestbook (01.12.2010)
 Juan Galiana Lara, Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities (01.12.2010)
 CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2010-1109 - Multiple vulnerabilities in BugTracker.Net (01.12.2010)
 eidelweiss_(at)_windowslive.com, Digitalus 1.10.0 Alpha2 Arbitrary File Upload vulnerability.txt (01.12.2010)

Multiple checksum handling problems in MIT Kerberos 5
Published: 1 December 2010
Source:
SecurityVulns ID: 11276
Type: library
Severity level: 6/10
Description: Various checksum handling problems in GSS-API, in the KDC (PAC checksum verification), SAM-2, KRB-SAFE and others.
Affected products: MIT : krb5 1.7
 MIT : krb5 1.8
CVE: CVE-2010-4021 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue.")
 CVE-2010-4020 (MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.)
 CVE-2010-1324 (MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key.)
 CVE-2010-1323 (MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.)
Original text: MIT, MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021] (01.12.2010)

Unauthorized access in D-Link DIR-300/320/600/615
updated since 10 November 2010
Published: 1 December 2010
Source:
SecurityVulns ID: 11252
Type: remote
Severity level: 5/10
Description: The administrator password can be changed without knowing the old password.
Affected products: DLINK : D-Link DIR-300
 DLINK : D-Link DIR-320
 DLINK : D-Link DIR-600
 DLINK : D-Link DIR-615
Original texts:
 Karol Celinski, Re: D-Link DIR-300 authentication bypass (01.12.2010)
 Karol Celinski, Re: D-Link DIR-300 authentication bypass (20.11.2010)
 asmo, Re: D-Link DIR-300 authentication bypass (16.11.2010)
 Karol Celinski, D-Link DIR-300 authentication bypass (10.11.2010)

Multiple security vulnerabilities in the Linux kernel
updated since 1 December 2010
Published: 9 December 2010
Source:
SecurityVulns ID: 11275
Type: remote
Description: Privilege escalation, information leakage from kernel memory, DoS via the SCTP protocol, multiple DoS conditions, DoS via X.25.
Affected products: LINUX : kernel 2.6
CVE: CVE-2010-4258 (The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.)
 CVE-2010-4164 (Multiple integer underflows in the x25_parse_facilities function in net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote attackers to cause a denial of service (system crash) via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data, a different vulnerability than CVE-2010-3873.)
 CVE-2010-4083 (The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.)
 CVE-2010-4081 (The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.)
 CVE-2010-4080 (The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.)
 CVE-2010-4079 (The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.)
 CVE-2010-4078 (The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.)
 CVE-2010-4074 (The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.)
 CVE-2010-4073 (The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.)
 CVE-2010-4072 (The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface.")
 CVE-2010-3880 (net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions.)
 CVE-2010-3877 (The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.)
 CVE-2010-3876 (net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.)
 CVE-2010-3875 (The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.)
 CVE-2010-3874 (Heap-based buffer overflow in the bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.36.2 on 64-bit platforms might allow local users to cause a denial of service (memory corruption) via a connect operation.)
 CVE-2010-3873 (The X.25 implementation in the Linux kernel before 2.6.36.2 does not properly parse facilities, which allows remote attackers to cause a denial of service (heap memory corruption and panic) or possibly have unspecified other impact via malformed (1) X25_FAC_CALLING_AE or (2) X25_FAC_CALLED_AE data, related to net/x25/x25_facilities.c and net/x25/x25_in.c, a different vulnerability than CVE-2010-4164.)
 CVE-2010-3859 (Multiple integer signedness errors in the TIPC implementation in the Linux kernel before 2.6.36.2 allow local users to gain privileges via a crafted sendmsg call that triggers a heap-based buffer overflow, related to the tipc_msg_build function in net/tipc/msg.c and the verify_iovec function in net/core/iovec.c.)
 CVE-2010-3858 (The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.)
 CVE-2010-3850 (The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which allows local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.)
 CVE-2010-3849 (The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field.)
 CVE-2010-3848 (Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to gain privileges by providing a large number of iovec structures.)
 CVE-2010-3705 (The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.)
 CVE-2010-3477 (The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.)
 CVE-2010-3448 (drivers/platform/x86/thinkpad_acpi.c in the Linux kernel before 2.6.34 on ThinkPad devices, when the X.Org X server is used, does not properly restrict access to the video output control state, which allows local users to cause a denial of service (system hang) via a (1) read or (2) write operation.)
 CVE-2010-3442 (Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.)
 CVE-2010-3437 (Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.)
 CVE-2010-3432 (The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.)
 CVE-2010-3310 (Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel before 2.6.36-rc5-next-20100923 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions.)
 CVE-2010-3297 (The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.)
 CVE-2010-3296 (The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call.)
 CVE-2010-3067 (Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.)
 CVE-2010-2963 (drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.)
Original texts:
 Dan Rosenberg, Linux kernel exploit (09.12.2010)
 DEBIAN, [SECURITY] [DSA 2126-1] New Linux 2.6.26 packages fix several issues (01.12.2010)
Files: Exploits Linux Kernel <= 2.6.37 local privilege escalation

Integer overflow in WinAmp
updated since 1 December 2010
Published: 22 December 2010
Source:
SecurityVulns ID: 11277
Type: client
Severity level: 5/10
Description: Integer overflow when parsing NSV streams and MIDI files.
Affected products: WINAMP : Winamp 5.581
 WINAMP : Winamp 5.6
CVE: CVE-2010-4370 (Multiple integer overflows in the in_midi plugin in Winamp before 5.6 allow remote attackers to execute arbitrary code via a crafted MIDI file that triggers a buffer overflow.)
 CVE-2010-2586 (Multiple integer overflows in in_nsv.dll in the in_nsv plugin in Winamp before 5.6 allow remote attackers to execute arbitrary code via a crafted Table of Contents (TOC) in a (1) NSV stream or (2) NSV file that triggers a heap-based buffer overflow.)
Original texts:
 Henri Lindberg, nSense-2010-005: Winamp (22.12.2010)
 Kryptos Logic Secure, Kryptos Logic Advisory: Winamp 5.6 Arbitrary Code Execution in MIDI Parser (09.12.2010)
 SECUNIA, Secunia Research: Winamp NSV Table of Contents Parsing Integer Overflow (01.12.2010)
Files: Exploits Winamp 5.6 Arbitrary Code Execution in MIDI Parser

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod