nUbuntu 8.10 stable coming soon: new features list available.

Emanuele Gentili | Development, Gerix IT Security Solutions, Security, nUbuntu | Monday, November 10th, 2008

Heya folks, we are working on the nUbuntu 8.10 stable release.

The news and the list of features that will be included in this version are on the wiki (work in progress). :-)

We are also pleased to announce that Giulio Rizzo is now a member of the Developers Team; please give him a warm welcome. :-)

We’ve also partnered with “Gerix IT Security Solutions”.

The company is now the official technical partner of the nUbuntu project, and Gerix IT Security Solutions will organize live sessions and video tutorials for the nUbuntu certifications. ;-)

The live/video sessions will be available in Italian and English.

Stay tuned ;-)

If you’re interested in the project, just check out the Launchpad page, or drop by #nubuntu on freenode to say “hello”. :-)

nUbuntu 8.10 Alpha Release is out

Emanuele Gentili | Security, nUbuntu | Thursday, November 6th, 2008

nUbuntu, the best security distro (Ubuntu-based), is out!

Remember this is an alpha release. Please check out the forums and post your thoughts and ideas on how to make nUbuntu better.

Also, don’t forget to report any bugs to us. ;-)

Well, what are you waiting for? Check out the downloads page and get a copy.

We are looking for mirrors for this ISO. If you can host one, grab the ISO, upload it and post the link here.

MD5: 4733f984b380eee4c1e5d454a77e8521
SHA1: 48f8994dd18bbfae9b50d70f9783220cc1b286fc

If you’re interested in the project, just check out the Launchpad page, or drop by #nubuntu on freenode to say “hello”. :-)

I’m part of the Joomla Security Strike Team.

Emanuele Gentili | Security | Saturday, August 23rd, 2008

Now it’s official: Anthony Ferrara shared the news in this post. :-)

The staff team page is available here; I’m working mainly on auditing and bug fixes.

About The Name:

In wildland firefighting, the term “Strike Team” describes a collection of similar resources which are used for a specific purpose (http://en.wikipedia.org/wiki/Strike_Team). The JSST is called a strike team because it’s a collection of developers and security experts tasked with improving and managing security for Joomla.

Goals

  1. Investigate and respond to reported core vulnerabilities.
  2. Execute code reviews prior to release to identify new vulnerabilities.
  3. Provide public presence regarding security issues.
  4. Help the community understand Joomla security.

Security Announcement Policy

  • Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
  • All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.

Public Responses Policy

Articles are written about Joomla all the time. In many circumstances, these articles (even from reputable sources) contain a significant amount of misinformation.

  • The JSST will assess and address articles written about security issues.
    • If the article contains valid information about a vulnerability not yet fixed, we will ask the publisher to suspend the article until we can fix the issue.
    • If the article contains invalid information, we will note what is invalid, and ask the publisher to either fix or remove the article.
  • The JSST will be available to answer questions/validate any Joomla security-related articles on the publisher’s request.

Security Release Policy

  • Critical and high-level vulnerabilities trigger an immediate release cycle.
  • Moderate vulnerabilities may trigger a release cycle depending on the specific issue.
  • Low and very low vulnerabilities (and moderates which do not trigger a release cycle) will be included with the next scheduled maintenance release.
  • All security releases will be accompanied by one (or more) appropriate security announcements.

Vulnerability Threat Levels

There are two main details that contribute to a vulnerability’s priority or “threat level”:

Impact
  • Critical - “0-day” attacks, and attacks where site control is compromised (allows attacker to take control over site).
  • High - SQL injection attacks, remote file include attacks, and other attack vectors where site data is compromised.
  • Moderate - XSS attacks, write ACL violations (editing or creating of content where not allowed).
  • Low - read ACL violations (reading of content where not allowed).
Severity
  • Critical - VERY easy to perform. Relies on no outside information (TRUE 0-day attack).
  • High - Moderately easy to perform. May rely on readily available outside information.
  • Moderate - Not easy to perform. May rely on sensitive information.
  • Low - Difficult to perform. Relies on sensitive information or requires special circumstances to perform.

* NOTE: The descriptions are just generic guidelines. Each vulnerability will be assessed for damage potential and will be ranked accordingly.

Supported Versions

  • All currently developed and supported versions of Joomla will be actively monitored by the JSST.
  • Currently active versions include:
    • Joomla 1.0.x
    • Joomla 1.5.x

How to Help

  • If you find a possible vulnerability, report it to the JSST FIRST. You can contact the team via the contact form in the Security Center.
  • If you find a reported vulnerability (reported elsewhere), contact the JSST ASAP (include where you saw the report).
  • You can provide patches for any issues that you find (e-mail the team for more information on how to submit a patch).
  • Join the team! Due to the sensitive nature of the team, we restrict who joins. But if you think you’d be a good fit, contact the team via the contact form in the Security Center.

Ubuntu Server Safe.

Emanuele Gentili | Security | Sunday, August 17th, 2008

For several years I have rejected the option of external hosting, mainly for security reasons.

Why pay for external hosting that we cannot fully manage?
Where are the guarantees on the server configuration and the security arrangements?

It is true that there are virtual servers and dedicated servers, but why spend money on a pseudo-machine that we cannot always manage the way we want?

So I decided to use an old Pentium 3 running Ubuntu Server (with encrypted disks), with serious hardening of the kernel and daemons, and with the logs shipped to an external device.

The device shown in the picture copies a set of log files (which I choose) every few minutes, analyzes them independently, and sends them both to a paper printer and to me by email if they match the warning rules I have set.

A true server-safe!

Tools:

* Apache2 and Mod_Security
* GRSEC
* Chroots
* OpenSSH server (key-based login only)
* Snort
* Knockd
* dm-crypt
and other stuff written by me. :)
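The log device described above matches copied log lines against warning rules and only raises an alert when they fire. The following is an added example of that idea written for this page, not the author's own scripts: the log lines are constructed (they imitate OpenSSH, knockd and ModSecurity syslog output loosely, real formats vary by version), and the rule names, regexes and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample log lines, not taken from any real server. They imitate the
# syslog formats of OpenSSH, knockd and ModSecurity closely enough to exercise
# the rules; real formats vary by version.
SAMPLE_LOG = """\
Aug 17 03:12:01 safe sshd[2210]: Accepted publickey for emgent from 192.0.2.10 port 51234 ssh2
Aug 17 03:12:44 safe sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug 17 03:12:46 safe sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug 17 03:12:49 safe sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug 17 03:12:52 safe sshd[2240]: Failed password for admin from 203.0.113.5 port 40310 ssh2
Aug 17 03:13:02 safe knockd: 198.51.100.7: openSSH: Stage 1
Aug 17 03:14:10 safe apache2: [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:id. [id "950001"]
Aug 17 03:15:00 safe cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# A rule is a regex plus the number of matching lines (counted per captured
# source address, when the regex has a group) needed before it fires.
Rule = namedtuple("Rule", "pattern threshold")

RULES = {
    "ssh_password_bruteforce": Rule(re.compile(r"sshd\[\d+\]: Failed password for \S+ from (\S+)"), 3),
    "modsecurity_block": Rule(re.compile(r"\[client ([\d.]+)\] ModSecurity: Access denied"), 1),
    "knockd_stage": Rule(re.compile(r"knockd: ([\d.]+): \S+: Stage \d+"), 1),
}


def evaluate(log_text, rules=RULES):
    """Return {rule_name: {source: [matching lines]}} for the sources that reach the threshold."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        for name, rule in rules.items():
            m = rule.pattern.search(line)
            if m:
                source = m.group(1) if m.groups() else "*"
                hits[name][source].append(line)
    alerts = {}
    for name, rule in rules.items():
        firing = {src: lines for src, lines in hits[name].items() if len(lines) >= rule.threshold}
        if firing:
            alerts[name] = firing
    return alerts


def report(alerts):
    """Plain-text body for the printer or an e-mail; empty string when nothing fired."""
    out = []
    for name, sources in sorted(alerts.items()):
        for src, lines in sorted(sources.items()):
            out.append("%s from %s (%d lines)" % (name, src, len(lines)))
            out.extend("    " + line for line in lines)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(evaluate(SAMPLE_LOG)) or "nothing to report")
```

The per-source threshold is what keeps a single mistyped password from paging you while three failures from one address within a copy interval still do; the cron line shows that unmatched lines are simply dropped rather than printed.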

Joomla 1.5.x com_user core component Security Fix.

Emanuele Gentili | Security | Wednesday, August 13th, 2008

Nice news: the Joomla people have put out the official fix; go apply it if you are vulnerable.

--- components/com_user/models/reset.php        2008-08-13 01:19:01.000000000 +0200
+++ new/components/com_user/models/reset.php    2008-08-13 01:20:16.000000000 +0200
@@ -112,6 +112,11 @@
        {
                global $mainframe;

+       if(strlen($token) != 32) {
+       $this->setError(JText::_('INVALID_TOKEN'));
+       return false;
+       }
+
                $db     = &JFactory::getDBO();
                $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));
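Review bot: the five added lines are indented with spaces while the surrounding method body (`global $mainframe;`, `$db = &JFactory::getDBO();`) uses tabs; reindent them to the same level so the block reads as part of the method. On substance, gating on exactly 32 characters is the right place for the check: the controller fetches the token with the `alnum` filter, so a non-alphanumeric input such as a lone quote arrives here as the empty string, and the query on the next lines would then run with `activation = ''`, which the original code never guarded against. Consider adding a one-line comment saying that this is the case being rejected, so the next reader does not mistake the check for a cosmetic length validation.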

If you want to download it, click here.

Happy defending! :-)

UPDATE:
The Joomla advisory is available here.

New Vulnerability in Joomla 1.5.x com_user core component.

Emanuele Gentili | Security | Tuesday, August 12th, 2008

Hello folks,

A new high-severity security issue has been found in Joomla 1.5.x that allows a remote admin password change.

This vulnerability affects many important websites (NASA, university and institution websites); the fix isn’t out yet (I’m writing it), but we can apply a provisional fix to keep out stupid crackers.

How to check if my website is vulnerable:

The proof of concept is very simple; follow these steps:

0x01) Open your browser and go to the URL:

http://www.target.com/index.php?option=com_user&view=reset&layout=confirm

(replace www.target.com with your website, and remember to add the path if you have one, e.g. /joomla/)

0x02) Write the character ' into the text input box and click OK.
(if you see this text input box, you are vulnerable)

0x03) Now you can enter a new password for the admin in the new text input.

0x04) Go to http://www.target.com/administrator/ and try to log in.

How to apply provisional fix:

This isn’t a real fix, but with it you can keep out stupid crackers; follow these steps if you turn out to be vulnerable.

0x01) Log in to the admin panel and go to the user management panel.

0x02) Create a new Super Administrator user and log out of the admin panel.

0x03) Log in to the admin panel with the new user and go to the user management panel.

0x04) Remove all privileges from the old admin (switch it to Registered user) and disable that user.

Vulnerable code:

/components/com_user/controller.php
Lines 379-399

	function confirmreset()
	{
		// Check for request forgeries
		JRequest::checkToken() or die( 'Invalid Token' );

		// Get the input
		$token = JRequest::getVar('token', null, 'post', 'alnum');

		// Get the model
		$model = &$this->getModel('Reset');

		// Verify the token
		if ($model->confirmReset($token) === false)
		{
			$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
			$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
			return false;
		}

		$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
	}
/components/com_user/models/reset.php

Lines 111-130

	function confirmReset($token)
	{
		global $mainframe;

		$db	= &JFactory::getDBO();
		$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); 

		// Verify the token
		if (!($id = $db->loadResult()))
		{
			$this->setError(JText::_('INVALID_TOKEN'));
			return false;
		}

		// Push the token and user id into the session
		$mainframe->setUserState($this->_namespace.'token',	$token);
		$mainframe->setUserState($this->_namespace.'id',	$id);

		return true;
	}
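The two snippets above show the lookup but not why a single quote is enough to match the admin account. The following is an added example written for this page, not Joomla's code: a Python model of confirmReset() with a constructed user table (ids, names and tokens are made up). It relies on one fact about the real code that is not spelled out on the page, namely that the 'alnum' filter used by JRequest::getVar strips every non-alphanumeric character, so a lone quote arrives at the model as an empty token, and it contrasts the original lookup with the 32-character length check that the official fix (the reset.php diff in the post above) adds before the query.

```python
import re

# Constructed user table, not a dump of any real site. It models the three
# columns the query in confirmReset() touches. Activated accounts keep an
# empty activation string; an account with a pending password reset holds a
# 32-character token.
USERS = [
    {"id": 62, "username": "admin", "block": 0, "activation": ""},
    {"id": 63, "username": "alice", "block": 0, "activation": "3f2a9c0b7e1d4a6f8b5c0d9e2f1a3b4c"},
    {"id": 64, "username": "bob",   "block": 1, "activation": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"},
]


def alnum_filter(raw):
    """Stand-in for JRequest::getVar(..., 'alnum'): keep only [A-Za-z0-9]."""
    return re.sub(r"[^A-Za-z0-9]", "", raw)


def lookup_user(token, users=USERS):
    """Stand-in for SELECT id FROM #__users WHERE block = 0 AND activation = '<token>' (first row wins)."""
    for user in users:
        if user["block"] == 0 and user["activation"] == token:
            return user["id"]
    return None


def confirm_reset_original(raw_token):
    """Unpatched behaviour: whatever survives the filter goes straight to the query.

    An empty token matches every activated, unblocked account, and the first
    row returned is the administrator.
    """
    return lookup_user(alnum_filter(raw_token))


def confirm_reset_fixed(raw_token):
    """Behaviour with the official fix: refuse any token that is not exactly 32 characters."""
    token = alnum_filter(raw_token)
    if len(token) != 32:
        return None  # model's equivalent of setError('INVALID_TOKEN'); return false
    return lookup_user(token)


if __name__ == "__main__":
    print("original, input \"'\":", confirm_reset_original("'"))
    print("fixed,    input \"'\":", confirm_reset_fixed("'"))
    print("fixed,    alice's token:", confirm_reset_fixed("3f2a9c0b7e1d4a6f8b5c0d9e2f1a3b4c"))
```

The length check works because a genuine token is always 32 characters long, so the empty string produced by the filter can never reach the query; a blocked account (bob) stays unreachable in both versions because the query also requires block = 0.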

Security Fix:
I’m working on it and will release it shortly.

Security: BIND9 exploit is out. Please check your DNS!

Emanuele Gentili | Security | Thursday, July 24th, 2008

I am pleased (?) to announce that a BIND9 exploit is out (CVE-2008-1447).

This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. It caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.

This issue was fixed in Ubuntu via USN-622-1, but many ISPs are still vulnerable.

What to do?
First of all, check your DNS on www.doxpara.com (right menu).
If your DNS is vulnerable, I suggest switching to OpenDNS to fix this security issue.

emgent@amnistia:~$ sudo su root
[sudo] password for emgent:
root@amnistia:/home/emgent# echo "nameserver 208.67.222.222" > /etc/resolv.conf
root@amnistia:/home/emgent# echo "nameserver 208.67.220.220" >> /etc/resolv.conf
root@amnistia:/home/emgent# exit
exit
emgent@amnistia:~$
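The online check mentioned above works by looking at the transaction ids and UDP source ports a resolver uses on its outbound queries: with a 16-bit transaction id alone an off-path attacker has a small space to guess, and randomised source ports are what multiply it. The following is an added example written for this page, not the doxpara test or any Ubuntu tool, that applies the same kind of check to two constructed sample sets (neither captured from a real server); the thresholds for "enough distinct ports" and "enough spread" are assumptions chosen for the illustration.

```python
import random

SAMPLES = 64

# Constructed (transaction id, UDP source port) pairs as an external test
# service would observe them on a resolver's outbound queries. Neither list
# was captured from a real resolver.
# An unpatched resolver: transaction ids count up and port 53 is reused.
FIXED_PORT_RESOLVER = [((0x1A2B + i) & 0xFFFF, 53) for i in range(SAMPLES)]
# A patched resolver: both fields drawn at random (seeded so the run is repeatable).
_rng = random.Random(1447)
RANDOMISED_RESOLVER = list(zip(_rng.sample(range(65536), SAMPLES),
                               _rng.sample(range(1024, 65536), SAMPLES)))


def txids_sequential(samples):
    """True when every transaction id is exactly one more than the previous (mod 2^16)."""
    txids = [t for t, _ in samples]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(txids, txids[1:]))


def port_randomisation(samples, min_distinct_ratio=0.9, min_spread=10000):
    """Crude randomness test on source ports: mostly distinct and spread over a wide range."""
    ports = [p for _, p in samples]
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    return {
        "distinct_ports": distinct,
        "port_spread": spread,
        "randomised": distinct >= min_distinct_ratio * len(ports) and spread >= min_spread,
    }


def assess(samples):
    """Combine both checks into a verdict the way the online test reports one."""
    result = port_randomisation(samples)
    result["txid_sequential"] = txids_sequential(samples)
    # A resolver needs random ports AND unpredictable ids; either weakness alone
    # leaves the forged-response guessing space small.
    result["verdict"] = "OK" if result["randomised"] and not result["txid_sequential"] else "VULNERABLE"
    return result


if __name__ == "__main__":
    for label, samples in (("fixed port", FIXED_PORT_RESOLVER), ("randomised", RANDOMISED_RESOLVER)):
        print(label, assess(samples))
```

Sixty-four samples are far too few to measure entropy properly, which is why the check only asks whether the ports are mostly distinct and widely spread; a resolver that reuses one port, or walks through ids in order, fails either way.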

Background on #ubuntu-quality:
[SNIP]
(04:36) ( emgent) hello
(04:37) ( LaserJock) hi emgent
(04:37) ( emgent) I’m plased to annunce that BIND9 exploit is now pubblic.
(04:37) ( emgent) s/plased/pleased/
(04:38) ( persia) It the solution also public, and distributed?
(04:38) ( emgent) sure. fixed some week ago in ubuntu.
(04:38)  * LaserJock wonders if he should clap or not
(04:39) ( emgent) but more ISP are vulnerale now..
(04:40) ( emgent) persia: you can check your dns on http://www.doxpara.com/ (right menu)
(04:42) ( emgent) s/vulnerale/vulnerable/
(04:44) ( Hobbsee) oh good!  telstra isn’t.
(04:45) ( emgent) nice, Telecom Italia now is vuln.
(04:45) ( persia) NTT is vulnerable, but that is bot unsurprising and unlikely to cause issues.
(04:45) ( emgent) I use Open DNS
(04:47) ( LaserJock) mine is vulnerable it says
(04:47) ( emgent) switch to open dns
(04:49) ( emgent) exploit was pubblished some hours ago.. and there is a big problem.. now all people can hack vuln DNS and redirect google.com to sarcazzo.com for example.
(04:50) ( emgent) i go to write a post in planet.
(04:50) ( LaserJock) interesting
[SNIP]

happy defending! :-)

Moin people.

Emanuele Gentili | Security | Wednesday, July 16th, 2008

In these hot days, while waiting for the rules of the Ubuntu Whitehat team to be defined, I started auditing and penetration testing MoinMoin.

MoinMoin is a WikiWikiWeb collaborative hypertext environment, with an emphasis on easy access to and modification of information. MoinMoin is a Python WikiClone that allows you to easily set up your own wiki, only requiring a Web server and a Python installation.

A “nice” security issue came out of my work: a cross-site scripting bug in the Advanced Search macro.

I immediately notified Thomas Waldmann, and we worked together on a fix that adds escaping.

The vulnerable versions were found to be 1.6, 1.7 and 1.8 (development).

Needless to say, the upstream site (www.moinmo.in) appeared vulnerable, and so did our help.ubuntu.com, which was promptly patched by Andrew Glen-Young.

The only vulnerable version in the Ubuntu repository was in Intrepid (Bug 248167), now fixed.

Big thanks to Scott Kitterman for the timely sponsorship of my debdiff in Intrepid (main).

Security Fix Announcements

MoinMoin 1.6 http://hg.moinmo.in/moin/1.6/rev/8686a10f1f58

MoinMoin 1.7 http://hg.moinmo.in/moin/1.7/rev/383196922b03

See also: http://moinmo.in/SecurityFixes
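The fix above "adds escaping", which is the whole story of a reflected XSS in a search page: the user's search term is written back into the results markup. The following is an added example written for this page, not MoinMoin's code (the template string, the probe term and the helper names are constructed for the illustration; the real fix uses Moin's own escaping helper). It shows the unescaped rendering beside the escaped one and a small check, based on the standard-library HTML parser, that reports any tag or event-handler attribute in the output that the template did not put there.

```python
import html
from html.parser import HTMLParser

# Constructed results header; not MoinMoin's real template.
TEMPLATE = '<p>Search results for: <b>%s</b></p>'


def render_unescaped(term):
    """The pattern behind the bug: the user-supplied term is placed into the markup as-is."""
    return TEMPLATE % term


def render_escaped(term):
    """The fix: encode <, >, &, and quotes so the term can only ever be text."""
    return TEMPLATE % html.escape(term, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes seen in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def unexpected_markup(rendered, allowed=("p", "b")):
    """Names of tags in the output that the template did not put there.

    A tag counts as unexpected when it is outside the allowed set or carries an
    on* attribute (the template's own tags have no attributes at all).
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [tag for tag, attrs in parser.tags
            if tag not in allowed or any(name.startswith("on") for name in attrs)]


# Constructed probe terms for the check.
PROBE_TAG = "<script>alert(1)</script>"
PROBE_ATTR = '<b onmouseover="alert(1)">x</b>'

if __name__ == "__main__":
    for term in (PROBE_TAG, PROBE_ATTR):
        print("unescaped:", unexpected_markup(render_unescaped(term)))
        print("escaped:  ", unexpected_markup(render_escaped(term)))
```

The second probe matters because an allow-list of tag names alone would pass it: the injected <b> is a "permitted" tag, so the check also has to refuse event-handler attributes, whereas escaping at output time makes the question moot.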

Off Topic

Now I’m a MOTU; big thanks for the feedback and votes.

lighttpd security patch preview

Emanuele Gentili | Security | Tuesday, March 11th, 2008

Affected by a quite significant security bug, lighttpd is still vulnerable in the Ubuntu repositories.

mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
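To see why an unset userdir.path is dangerous, it helps to model the ~user mapping that mod_userdir performs. The following is an added example written for this page, not lighttpd's code: the home-directory table is constructed (a stand-in for passwd lookups, with nobody's home at "/" as on many systems), and the two configuration dictionaries use lighttpd's real option names userdir.path and userdir.exclude-user, with the "default" one standing in for the 1.4.18 behaviour the CVE text describes and the "hardened" one for the usual public_html setup.

```python
import os.path

# Constructed home-directory table, a stand-in for /etc/passwd lookups.
# The entry that matters is "nobody", whose home directory is "/" on many systems.
HOMES = {"alice": "/home/alice", "root": "/root", "nobody": "/"}

# The settings the CVE text talks about, with lighttpd's real option names.
CONFIG_DEFAULT = {"userdir.path": "", "userdir.exclude-user": ()}  # 1.4.18 and earlier with userdir.path unset
CONFIG_HARDENED = {"userdir.path": "public_html", "userdir.exclude-user": ("root", "nobody")}


def resolve_userdir(url_path, config, homes=HOMES):
    """Model of the ~user mapping: /~user/rest -> HOME/userdir.path/rest, or None if refused."""
    if not url_path.startswith("/~"):
        return None
    user, _, rest = url_path[2:].partition("/")
    if user not in homes or user in config["userdir.exclude-user"]:
        return None
    base = os.path.normpath(os.path.join(homes[user], config["userdir.path"]))
    target = os.path.normpath(os.path.join(base, rest))
    # Refuse anything that escapes the user's document root via "..".
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for label, config in (("default", CONFIG_DEFAULT), ("hardened", CONFIG_HARDENED)):
        for url in ("/~nobody/etc/passwd", "/~alice/.ssh/id_rsa", "/~alice/index.html"):
            print(label, url, "->", resolve_userdir(url, config))
```

With the default settings the document root for ~nobody is "/" itself, so any file the server process can read is served, and even a normal user's whole home directory is exposed; setting userdir.path confines requests to a subdirectory, and excluding system accounts removes the ~nobody case entirely.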

Here is a preview of the bug and my related debdiff, which will be put into circulation on the mirrors:

lighttpd

Vulnerable Version:

  • Hardy
  • Gutsy
  • Feisty
  • Edgy
  • Dapper

CVE

Related debdiffs:

VLC security patch preview

Emanuele Gentili | Security | Tuesday, March 11th, 2008

Affected by a quite significant security bug, VLC is still vulnerable in the Ubuntu repositories.

Here is a preview of the bug and my related debdiff, which will be put into circulation on the mirrors:

VLC

Vulnerable Version:

  • Hardy
  • Gutsy
  • Feisty
  • Edgy
  • Dapper

CVE

Related debdiffs:

Why does this site use free software? | contact: emgent @ ubuntu.com
