ID 1337DAY-ID-22246 Type zdt Reporter Scott Arciszewski Modified 2014-05-14T00:00:00
Description
CodeIgniter versions 2.1.4 and below and Kohana versions 3.2.3 and below and 3.3.2 and below suffer from PHP object injection, a timing attack, and a remote code execution vulnerability.
Background info and boring history shit:
https://scott.arciszewski.me/research/view/php-framework-timing-attacks-object-injection
Vulnerability:
1. Remote timing attack
2. PHP Object Injection
3. Possibly, as a result of 2, remote code execution
Affects:
- CodeIgniter (<= 2.1.4)
- Kohana (<= 3.2.3, 3.3.2)
Some PHP frameworks (CodeIgniter and Kohana, for sure), give you the option
of storing $_SESSION data in a cookie, then appending a hash of the session
data and an unknown key.
For example:
a:2:{s:1:"a";s:10:"douchelord";s:8:"is_admin";b:0;}5c2d88368e2c154398e77269c3af3edd
Vulnerability 1 - Remote Timing Attack
https://github.com/EllisLab/CodeIgniter/blob/master/system/libraries/Session.php#L159
https://github.com/kohana/core/blob/3.3/master/classes/Kohana/Cookie.php#L74
If you wanted to alter the above serialized blob to read:
a:2:{s:1:"a";s:5:"admin";s:8:"is_admin";b:1;}
... in theory, you would need to either know the encryption key stored in
the framework's configuration. And remotely brute-forcing an md5/sha1 hash
isn't really attractive.
Luckily, the behavior of standard string comparison operators (== and ===)
is to return false as soon as two bytes do not match. Thus we could
discover that...
a:2:{s:1:"a";s:5:"admin";s:8:"is_admin";b:1;}ef000000000000000000000000000000
...takes a little longer than...
a:2:{s:1:"a";s:5:"admin";s:8:"is_admin";b:1;}00000000000000000000000000000000
... and then ...
a:2:{s:1:"a";s:5:"admin";s:8:"is_admin";b:1;}ef870000000000000000000000000000
... will take slightly longer.
Theoretically, if we need 100 samples per possible hexit to guess the
correct value through this strategy, and there are 32 hexits in a hash, at
10 request per second it will take 51200 samples to crack an md5 hash. If
you can guess 50 per second without bringing the target server to its
knees, that's about 18 minutes (worst case) to get the end result:
a:2:{s:1:"a";s:5:"admin";s:8:"is_admin";b:1;}ef87978c40e2c2871ba58ab55b50854e
Vulnerability 2 - PHP Object Injection
If you can convince PHP to pass arbitrary data to unserialize(), which is
the automatic next step when the timing attack succeeds, then you can
inject objects into the code. From what I understand, this can also lead to
remote code execution.
CodeIgniter already patched this in its 3.0/develop branch.
Kohana accepted my pull request for its 3.3/develop branch:
https://github.com/kohana/core/pull/492
Note: Kohana uses SHA1, not MD5, so add another 20% to my estimate.
# 0day.today [2018-04-06] #
{"published": "2014-05-14T00:00:00", "id": "1337DAY-ID-22246", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T02:40:07", "bulletin": {"published": "2014-05-14T00:00:00", "id": "1337DAY-ID-22246", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.0, "modified": "2016-04-19T02:40:07", "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N/"}}, "hash": "cf02ffdcdcaedcf60212d9df1edc43e245f5ce903eecf5c5b9cbd15151a410dc", "description": "CodeIgniter versions 2.1.4 and below and Kohana versions 3.2.3 and below and 3.3.2 and below suffer from PHP object injection, a timing attack, and a remote code execution vulnerability.", "type": "zdt", "lastseen": "2016-04-19T02:40:07", "edition": 1, "title": "CodeIgniter / Kohana PHP Object Injection / Timing Attack", "href": "http://0day.today/exploit/description/22246", "modified": "2014-05-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 9, "cvelist": [], "sourceHref": "http://0day.today/exploit/22246", "references": [], "reporter": "Scott Arciszewski", "sourceData": "Background info and boring history shit:\r\nhttps://scott.arciszewski.me/research/view/php-framework-timing-attacks-object-injection\r\n\r\nVulnerability:\r\n1. Remote timing attack\r\n2. PHP Object Injection\r\n3. Possibly, as a result of 2, remote code execution\r\n\r\nAffects:\r\n- CodeIgniter (<= 2.1.4)\r\n- Kohana (<= 3.2.3, 3.3.2)\r\n\r\nSome PHP frameworks (CodeIgniter and Kohana, for sure), give you the option\r\nof storing $_SESSION data in a cookie, then appending a hash of the session\r\ndata and an unknown key.\r\n\r\nFor example:\r\n\r\na:2:{s:1:\"a\";s:10:\"douchelord\";s:8:\"is_admin\";b:0;}5c2d88368e2c154398e77269c3af3edd\r\n\r\nVulnerability 1 - Remote Timing Attack\r\n\r\nhttps://github.com/EllisLab/CodeIgniter/blob/master/system/libraries/Session.php#L159\r\nhttps://github.com/kohana/core/blob/3.3/master/classes/Kohana/Cookie.php#L74\r\n\r\nIf you wanted to alter the above serialized blob to read:\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}\r\n\r\n... in theory, you would need to either know the encryption key stored in\r\nthe framework's configuration. And remotely brute-forcing an md5/sha1 hash\r\nisn't really attractive.\r\n\r\nLuckily, the behavior of standard string comparison operators (== and ===)\r\nis to return false as soon as two bytes do not match. Thus we could\r\ndiscover that...\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}ef000000000000000000000000000000\r\n\r\n...takes a little longer than...\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}00000000000000000000000000000000\r\n\r\n... and then ...\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}ef870000000000000000000000000000\r\n\r\n... will take slightly longer.\r\n\r\nTheoretically, if we need 100 samples per possible hexit to guess the\r\ncorrect value through this strategy, and there are 32 hexits in a hash, at\r\n10 request per second it will take 51200 samples to crack an md5 hash. If\r\nyou can guess 50 per second without bringing the target server to its\r\nknees, that's about 18 minutes (worst case) to get the end result:\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}ef87978c40e2c2871ba58ab55b50854e\r\n\r\nVulnerability 2 - PHP Object Injection\r\n\r\nIf you can convince PHP to pass arbitrary data to unserialize(), which is\r\nthe automatic next step when the timing attack succeeds, then you can\r\ninject objects into the code. From what I understand, this can also lead to\r\nremote code execution.\r\n\r\nCodeIgniter already patched this in its 3.0/develop branch.\r\nKohana accepted my pull request for its 3.3/develop branch:\r\nhttps://github.com/kohana/core/pull/492\r\n\r\nNote: Kohana uses SHA1, not MD5, so add another 20% to my estimate.\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "322f290525cebb6784d4705b0d92725d", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "72bf8cd190ec4ff924f46cc1ea8e2c2d", "key": "published"}, {"hash": "7062fb649cbe75a87cbac66cfe7ed191", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "6173c4a211ce7b822641afd352e8d2e4", "key": "href"}, {"hash": "72bf8cd190ec4ff924f46cc1ea8e2c2d", "key": "modified"}, {"hash": "074798b5f185a7dd611a1bdfa5a83da6", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "db57c4ce55454e51a48819daaa18436b", "key": "sourceHref"}, {"hash": "3ebaa46293f5ac8e1b12449fdb8376fd", "key": "description"}], "objectVersion": "1.0"}}], "description": "CodeIgniter versions 2.1.4 and below and Kohana versions 3.2.3 and below and 3.3.2 and below suffer from PHP object injection, a timing attack, and a remote code execution vulnerability.", "hash": "971ab38c66b0a7863136c08d3f4e51688ca207c67254214bfe7019040555102c", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-04-06T01:49:10"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-04-06T01:49:10", "edition": 2, "title": "CodeIgniter / Kohana PHP Object Injection / Timing Attack", "href": "https://0day.today/exploit/description/22246", "modified": "2014-05-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 16, "cvelist": [], "sourceHref": "https://0day.today/exploit/22246", "references": [], "reporter": "Scott Arciszewski", "sourceData": "Background info and boring history shit:\r\nhttps://scott.arciszewski.me/research/view/php-framework-timing-attacks-object-injection\r\n\r\nVulnerability:\r\n1. Remote timing attack\r\n2. PHP Object Injection\r\n3. Possibly, as a result of 2, remote code execution\r\n\r\nAffects:\r\n- CodeIgniter (<= 2.1.4)\r\n- Kohana (<= 3.2.3, 3.3.2)\r\n\r\nSome PHP frameworks (CodeIgniter and Kohana, for sure), give you the option\r\nof storing $_SESSION data in a cookie, then appending a hash of the session\r\ndata and an unknown key.\r\n\r\nFor example:\r\n\r\na:2:{s:1:\"a\";s:10:\"douchelord\";s:8:\"is_admin\";b:0;}5c2d88368e2c154398e77269c3af3edd\r\n\r\nVulnerability 1 - Remote Timing Attack\r\n\r\nhttps://github.com/EllisLab/CodeIgniter/blob/master/system/libraries/Session.php#L159\r\nhttps://github.com/kohana/core/blob/3.3/master/classes/Kohana/Cookie.php#L74\r\n\r\nIf you wanted to alter the above serialized blob to read:\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}\r\n\r\n... in theory, you would need to either know the encryption key stored in\r\nthe framework's configuration. And remotely brute-forcing an md5/sha1 hash\r\nisn't really attractive.\r\n\r\nLuckily, the behavior of standard string comparison operators (== and ===)\r\nis to return false as soon as two bytes do not match. Thus we could\r\ndiscover that...\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}ef000000000000000000000000000000\r\n\r\n...takes a little longer than...\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}00000000000000000000000000000000\r\n\r\n... and then ...\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}ef870000000000000000000000000000\r\n\r\n... will take slightly longer.\r\n\r\nTheoretically, if we need 100 samples per possible hexit to guess the\r\ncorrect value through this strategy, and there are 32 hexits in a hash, at\r\n10 request per second it will take 51200 samples to crack an md5 hash. If\r\nyou can guess 50 per second without bringing the target server to its\r\nknees, that's about 18 minutes (worst case) to get the end result:\r\n\r\na:2:{s:1:\"a\";s:5:\"admin\";s:8:\"is_admin\";b:1;}ef87978c40e2c2871ba58ab55b50854e\r\n\r\nVulnerability 2 - PHP Object Injection\r\n\r\nIf you can convince PHP to pass arbitrary data to unserialize(), which is\r\nthe automatic next step when the timing attack succeeds, then you can\r\ninject objects into the code. From what I understand, this can also lead to\r\nremote code execution.\r\n\r\nCodeIgniter already patched this in its 3.0/develop branch.\r\nKohana accepted my pull request for its 3.3/develop branch:\r\nhttps://github.com/kohana/core/pull/492\r\n\r\nNote: Kohana uses SHA1, not MD5, so add another 20% to my estimate.\n\n# 0day.today [2018-04-06] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3ebaa46293f5ac8e1b12449fdb8376fd", "key": "description"}, {"hash": "67fda6e0f9a87c33cb45c86609b57185", "key": "href"}, {"hash": "72bf8cd190ec4ff924f46cc1ea8e2c2d", "key": "modified"}, {"hash": "72bf8cd190ec4ff924f46cc1ea8e2c2d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7062fb649cbe75a87cbac66cfe7ed191", "key": "reporter"}, {"hash": "665868015c6f209818be6508292ca8d9", "key": "sourceData"}, {"hash": "a3dbd357946a3aa665243acf96681a80", "key": "sourceHref"}, {"hash": "074798b5f185a7dd611a1bdfa5a83da6", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1848-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nAugust 02, 2009 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : znc\r\nVulnerability : directory traversal\r\nProblem type : remote\r\nDebian-specific: no\r\nDebian Bug : 537977\r\n\r\nIt was discovered that znc, an IRC proxy, did not properly process\r\ncertain DCC requests, allowing attackers to upload arbitrary files.\r\n\r\nFor the old stable distribution (etch), this problem has been fixed in\r\nversion 0.045-3+etch3.\r\n\r\nFor the stable distribution (lenny), this problem has been fixed in\r\nversion 0.058-2+lenny3.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 0.074-1.\r\n\r\nWe recommend that you upgrade your znc package.\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3.dsc\r\n Size/MD5 checksum: 667 933a585b14d230df9dd1a8b6ee5ad4b6\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3.diff.gz\r\n Size/MD5 checksum: 14501 330d9e4ac7894dbfec53bf9cf1e52660\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045.orig.tar.gz\r\n Size/MD5 checksum: 204863 9a514b125b7514811fd03befa73cce77\r\n\r\nalpha architecture (DEC Alpha)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_alpha.deb\r\n Size/MD5 checksum: 863536 a49fb4cba67de68d20b9da2cd8867362\r\n\r\namd64 architecture (AMD x86_64 (AMD64))\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_amd64.deb\r\n Size/MD5 checksum: 794176 ed5f4fe35ce0a2550aa16a423e100065\r\n\r\narm architecture (ARM)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_arm.deb\r\n Size/MD5 checksum: 906432 f49d4961b57febdbc184146bbc0aca2f\r\n\r\nhppa architecture (HP PA RISC)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_hppa.deb\r\n Size/MD5 checksum: 860972 659a6b3b95f80220b8c55fc54c7c1657\r\n\r\ni386 architecture (Intel ia32)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_i386.deb\r\n Size/MD5 checksum: 811820 e2ed63396c2813e5e8a064ab5b4ac646\r\n\r\nia64 architecture (Intel ia64)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_ia64.deb\r\n Size/MD5 checksum: 963774 37187a7fb2cc43d51e8112330311334a\r\n\r\nmips architecture (MIPS (Big Endian))\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_mips.deb\r\n Size/MD5 checksum: 716040 9f206ba9ef54ff3658bbf62c5ec448b5\r\n\r\nmipsel architecture (MIPS (Little Endian))\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_mipsel.deb\r\n Size/MD5 checksum: 714202 272cbc77e814fb6ef155e0cd33a1fcbe\r\n\r\npowerpc architecture (PowerPC)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_powerpc.deb\r\n Size/MD5 checksum: 793154 84bb601bf6ebf409fbca63545b37c123\r\n\r\ns390 architecture (IBM S/390)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_s390.deb\r\n Size/MD5 checksum: 735198 67f86f69500e96461d1cea10fead09a9\r\n\r\nsparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.045-3+etch3_sparc.deb\r\n Size/MD5 checksum: 751090 1a0088824517b4f542e9589febc25536\r\n\r\nDebian GNU/Linux 5.0 alias lenny\r\n- --------------------------------\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3.dsc\r\n Size/MD5 checksum: 1037 93fe1b9b7bd7aeebd7b3e0c3854a477f\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3.diff.gz\r\n Size/MD5 checksum: 9628 6fd05e2dbb8e6796dcc647bd79e9d1a0\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058.orig.tar.gz\r\n Size/MD5 checksum: 340741 c02fd740c55d5b3a7912f7584344103e\r\n\r\nalpha architecture (DEC Alpha)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_alpha.deb\r\n Size/MD5 checksum: 1096456 18a4159f41d3b931b31f98b84d2fb269\r\n\r\namd64 architecture (AMD x86_64 (AMD64))\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_amd64.deb\r\n Size/MD5 checksum: 1031744 bc265fa88c9bb707b67e757b63ed5853\r\n\r\narm architecture (ARM)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_arm.deb\r\n Size/MD5 checksum: 1152106 dbf436ac4085fa58d3d51c6f9b642c16\r\n\r\narmel architecture (ARM EABI)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_armel.deb\r\n Size/MD5 checksum: 964084 fe6c30329c2deb11d40875b8642d3127\r\n\r\nhppa architecture (HP PA RISC)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_hppa.deb\r\n Size/MD5 checksum: 1164842 cf1a064e2ece7df88b9d4b9370811d8b\r\n\r\ni386 architecture (Intel ia32)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_i386.deb\r\n Size/MD5 checksum: 1010412 654653749e84562db775a6dfd1ca3ebd\r\n\r\nia64 architecture (Intel ia64)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_ia64.deb\r\n Size/MD5 checksum: 1183120 31579bc427d4cf4f941b3aea648740d2\r\n\r\nmips architecture (MIPS (Big Endian))\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_mips.deb\r\n Size/MD5 checksum: 915526 a94198400fd7832802260953d8f10acb\r\n\r\nmipsel architecture (MIPS (Little Endian))\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_mipsel.deb\r\n Size/MD5 checksum: 907738 b794ceddef5b50eb6ecad8b16aaff23b\r\n\r\npowerpc architecture (PowerPC)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_powerpc.deb\r\n Size/MD5 checksum: 1035914 3176e289856565c20528b779b5dd5b65\r\n\r\ns390 architecture (IBM S/390)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_s390.deb\r\n Size/MD5 checksum: 971812 b51b7e7bb2d2b26ac7619a2db5274def\r\n\r\nsparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.debian.org/pool/updates/main/z/znc/znc_0.058-2+lenny3_sparc.deb\r\n Size/MD5 checksum: 1003518 681f3ddd6b61aaae7329b3835d926978\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJKdZKTAAoJEL97/wQC1SS+81MH/04oT9CB1bDrljLTxBZ1CKLp\r\nWiTLaa1U1lbmCMdSFpAl3U5Bpc9vW0AKGXAXPRYPPfYy+zaAvHoiiWgrvblkvnMk\r\niDh8qA38PyQShCkd7cyegCPgvTHNwzUoK5Q8d05jnEw6rjuMsaNwbuvbAsbIU3m7\r\na0jIz6atW+J/i3UxuEQjtO4N3QYzrzaSXlvWKyNpx2udgXKbHHlw7sjjLqrdKE55\r\n6CVuOWBfFurikvn0IPA5U9qxyI5KwhJlZlZyLafag43+V5afdK1srO+avUXlfJvy\r\nVR+rerLV/ZOAcgFxvvzYioYT2yBrptpl0/e/92gnJE54oqBXnRlnj9AtvbPU63E=\r\n=vHUu\r\n-----END PGP SIGNATURE-----", "modified": "2009-08-03T00:00:00", "published": "2009-08-03T00:00:00", "id": "SECURITYVULNS:DOC:22246", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22246", "title": "[SECURITY] [DSA 1848-1] New znc packages fix remote code execution", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "description": "Directory traversal on DCC request.", "modified": "2009-08-03T00:00:00", "published": "2009-08-03T00:00:00", "id": "SECURITYVULNS:VULN:10117", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10117", "title": "znc IRC proxy directory traversal", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}