|
|
Colapse all |
Post message
[Full-Disclosure] [SECURITY] [DSA-403-1] userland can access Linux kernel memory 2003-12-01 debian-security-announce lists debian org [ANNOUNCE] glibc heap protection patch 2003-12-01 William Robertson (wkr cs ucsb edu) Hi all, I'd just like to announce that we have a heap protection system for glibc available for download. The system detects and prevents all heap overflow exploits that modify inline control information from succeeding against a protected application, can be installed system-wide or on a per-p [ more ] [ reply ] where to discuss common criteria issues? 2003-12-01 Magosányi Árpád (mag bunuel tii matav hu) Hi! Sorry for beeing offtopic, but I cannot find better place to ask: Is there a public mailing list to discuss Common Criteria related issues? I would like to talk about methodology issues (using CC in system integration), actual security targets, and interpretation issues. cc-cmt (at) nist (dot) gov [email concealed] does [ more ] [ reply ] Jason Maloney's CGI Guestbook Remote Command Execution Vulnerability. 2003-12-01 Shaun Colley (shaunige yahoo co uk) ANNOUNCE: New mailing list for secure application development, SC-L 2003-11-30 Kenneth R. van Wyk (ken vanwyk org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, I would like to announce the availability of a new and free resource to the software security community, the SC-L email discussion forum. The moderated forum is open to the public. The group's purpose is, "to further the state of the pr [ more ] [ reply ] Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities 2003-12-01 S-Quadra Security Research (research s-quadra com) S-Quadra Advisory #2003-11-28 Topic: Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities Severity: Average Vendor URL: http://www.vpasp.com Advisory URL: http://www.s-quadra.com/advisories/Adv-20031128.txt Release date: 28 Nov 2003 1. DESCRIPTION Virtual [ more ] [ reply ] Cutenews 1.3 information disclosure 2003-11-30 scrap (webmaster securiteinfo com) .oO Overview Oo. Cutenews 1.3 information disclosure Discovered on 2003, July, 12th Vendor: CutePHP Cutenews is a powerful and easy for using news management system that use flat files to store its database. It supports comments and archives, search function, image uploading, backup function, IP [ more ] [ reply ] Re: phpBB 2.06 search.php SQL injection 2003-11-30 Jay Gates (zarath knightsofchaos com) In-Reply-To: <20031129073514.18236.qmail (at) sf-www2-symnsj.securityfocus (dot) com [email concealed]> This proof of concept code isn't very reliable. The string that is returned from the char functions returns this -> a:7:{s:14:"search_results";s:1:"1";s:17:"total_match_count";i:5;s:12:"sp lit_search";a:1:{i:0;s:32:"[md5 has [ more ] [ reply ] Re: phpBB 2.06 search.php SQL injection 2003-11-29 Hat-Squad Security Team (service hat-squad com) In-Reply-To: <3FC7D97E.22063.167ABDD@localhost> A explanation about the released exploit code: phpBB stores the search records in serialized format in php_search_result table.in our case when search_id is not one of these values ('newposts' || 'egosearch' || 'unanswered' |)) then this routine w [ more ] [ reply ] Pieterpost - access to "vitual" account 2003-11-29 datasink op pl Hello bugtraq readers and writers ! name: PieterPost 0.10.6 homepage: http://todsah.nihilist.nl/index.php?p=Development/Projects/Pieterpost about: "PieterPost is a webbased interface to a pop3 mailbox. It is designed to be both small and easy to use" what: entering url http://server.com [ more ] [ reply ] FreeBSD Security Advisory FreeBSD-SA-03:19.bind 2003-11-28 FreeBSD Security Advisories (security-advisories freebsd org) Re: phpBB 2.06 search.php SQL injection 2003-11-28 n teusink planet nl An exploit has been released by bugtraq by some other group, the issue is unfortunately not minor... As the exploit shows, the trick is to mimic a search_array. I was planning on releasing more technical details later, when everybody had a chance to patch his/her forum. About my test URL, you are [ more ] [ reply ] Re: phpBB 2.06 search.php SQL injection 2003-11-28 Jay Gates (zarath knightsofchaos com) In-Reply-To: <3FC680E1.20563.5632F88@localhost> Greetings BugTraq, I have tested this vulnerability fairly extensively since it was announced on phpBB.com. Even though the version I'm using clearly has the vulnerable code it in, it does not seem to work as easily as this is being made out. My se [ more ] [ reply ] [Hat-Squad] phpBB search_id injection exploit 2003-11-28 Hat-Squad Security Team (service hat-squad com) Hello list, Here is the exploit code for phpbb 2.06 sql injection described in http://www.securityfocus.com/archive/1/345872 . It will return MD5 password hash of specified user as [highlight] variable for viewtopic.php in search results page. http://site.com/search.php?search_id=1%20union [ more ] [ reply ] Applied Watch Response to Bugtraq.org post - Was: Multiple Remote Issues in Applied Watch IDS Suite (advisory attached) 2003-11-28 Eric Hines (eric hines appliedwatch com) Applied Watch Technologies Official Vendor Response Date: November 28, 2003 Lists: Applied Watch Technologies embraces and fully supports the open-disclosure community. Further to that, we embrace responsible disclosure where vendors are given ample time to develop and release a patch in coordin [ more ] [ reply ] Re: Multiple Remote Issues in Applied Watch IDS Suite(advisory attached) 2003-11-28 Chris Mann (christopher stonebridgebank com) >>> Bugtraq Security Systems <research (at) bugtraq (dot) org [email concealed]> 11/28/2003 >>>2:10:24 PM >>> >>> >>>There is currently no patch available from the vendor, so consider the >>>Threatcon[1] to be higher than normal. I just spoke the the gang at Applied Watch, and there is indeed a patch available at https://my.ap [ more ] [ reply ] Multiple Remote Issues in Applied Watch IDS Suite (advisory attached) 2003-11-28 Bugtraq Security Systems (research bugtraq org) Hello Lists, We have recently concluded a comprehensive audit of the Applied Watch Command Center, which resulted with the discovering of hundreds of vulnerabilities. This is the first of many future advisories on the IDS suite, which discusses two remote issues in the authentication mechanisms us [ more ] [ reply ] MDKSA-2003:109 - Updated gnupg packages fix vulnerability with ElGamal signing keys 2003-11-28 Mandrake Linux Security Team (security linux-mandrake com) [OpenPKG-SA-2003.050] OpenPKG Security Advisory (screen) 2003-11-28 OpenPKG (openpkg openpkg org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org openpkg-security (at) openpkg (dot) org [email concealed] [ more ] [ reply ] [OpenCA Advisory] Vulnerabilities in signature verification 2003-11-28 Michael Bell (michael bell cms hu-berlin de) OpenCA Security Advisory [28 November 2003] Vulnerabilities in signature validation ======================================= Multiple flaws in OpenCA before version 0.9.1.4 could cause OpenCA to use an incorrect certificate in the chain to determine the serial being checked which could lead to cert [ more ] [ reply ] |
|
Privacy Statement |
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-403-1 security (at) debian (dot) org [email concealed]
http://www.debian.org/security/ Wichert Akkerman
December 1, 2003
- ------------
[ more ] [ reply ]