OpenBase 10.0.5 (All Platforms)

Netragard’s SNOsoft Research Team discovered two critical vulnerabilities in the OpenBase SQL Relational Database that can lead to full system compromise.

The first vulnerability discovered is a command injection vulnerability that affects several of the default Stored Procedures. Specifically, it is possible to execute system commands as the root user by inserting a series of backticks into the pre-defined Stored Procedures.

The second vulnerability discovered in Buffer Overflow that causes heap corruption. This also has the potential to lead to the execution of arbitrary code or a Denial of Service condition.

Click here for the full advisory.

Netragard Protects Voters

Hackers Welcome – We’re in forbes again.

When legitimate security researchers notify technology vendors about security flaws in their technology, the best thing that the vendor can do is to welcome the information with open arms. When a vendor reacts with hostility it appears as if the vendor is attempting quash the security research instead of resolving the vulnerabilities identified by the research. While the hostile reaction is usually an attempt to “save face” it usually does the opposite and sends a dangerous false message to the vendors customers. That message is “We care more about saving face than we do about your security.” On the other hand… Vendors that work with security researchers in a positive and friendly manner send the message that they “care about the security of their customers”. This Forbes article contains key examples of “Software Bug Blowups“, in fact, it even covers the SNOsoft + HP + DMCA fiasco that happened back in early 2000.

Hackers Nasdaq – Our founder comments in forbes.

Our founder, Adriel Desautels, comments about purchasing exploits in this Forbes article. The article also outlines a new business called WabiSabiLabi that is attempting to gain traction in the exploit market by using an e-bay like bidding structure. While this seems like a good idea at first glance the idea will face significant trust problems as it appears that anyone can bid on an exploit. The question that we have for WabiSabiLabi is how do they assure that the winning bidder is an ethical legitimate buyer?

Maia Mailguard Security Risk Advisory

SNOsoft has discovered a high risk vulnerability in Maia Mailguard version 1.0.2 that makes it possible for an attacker to execute arbitrary commands on the affected system. The advisory will be published on Netragard’s website shortly. Until then users of the Maia Mailguard web application should suspend use or add .htaccess capabilities to the web server to mitigate the risk of compromise.

http://www.netragard.com/pdfs/research/NETRAGARD-20070628-MAILGUARD.txt

Netragard, LLC. — The Specialist in Anti Hacking.

@Mail Webmail Security Research

The SNOsoft Research Team recently performed a light weight security assessment of the @Mail Webmail product. @Mail is very much like OWA with respect to look, feel and functionality. The result of this research project was the discovery of two bugs in the product. These bugs were released as formal advisories by Netragard and can be viewed below:

https://netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt
https://netragard.com/pdfs/research/ATMAIL-XSS-NETRAGARD-20061206.txt