lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 31 Dec 2003 00:52:31 +0000
From: "Peter Winter-Smith" <peter4020@...mail.com>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com, news@...uriteam.com, vuln@...unia.com, vuln@...urity.nnov.ru, vulndb@...urityfocus.com, vulnwatch@...nwatch.org
Subject: Re: NetObserve Security Bypass Vulnerability


Re: NetObserve Security Bypass Vulnerability

############################################

Credit:
Author     : Peter Winter-Smith

Software:
Packages   : NetObserve
Version    : 2.0 and prior
Vendor     : ExploreAnywhere Software
Vendor Url : http://www.exploreanywhere.com/no-intro.php

Vulnerability:
Bug Type   : Security Bypass
Severity   : Highly Critical
              + Remote System Command Via NetObserve

UPDATE:

I may have been a little unclear in my description of the
exploitability of this flaw. It seems that I interchanged the words
'administrator' and 'remote user' giving the impression that only a
current'user' of the administration panel can compromise the system
through these flaws. In actual fact it is possible to compromise a system
running NetObserve without being any kind of authenticated user or
administrator!

I thought I should mention this because it has been labelled as only
exploitable by current users of the NetObserve system, which is
technically incorrect - anyone can exploit it  :-)

The complete document on this flaw can be found at:
http://www.elitehaven.net/netobserve.txt

Thanks to you all for the tireless effort and research work which you
put into the security community!

-Peter Winter-Smith

_________________________________________________________________
Tired of 56k? Get a FREE BT Broadband connection 
http://www.msn.co.uk/specials/btbroadband

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ