Thursday, February 28, 2013

What is open source?


Introduction

In production and development, open source is a philosophy, or pragmatic methodology that promotes free redistribution and access to an end product's design and implementation details. Before the phrase open source became widely adopted, developers and producers used a variety of terms for the concept; open source gained hold with the rise of the Internet, and the attendant need for massive retooling of the computing source code. Opening the source code enabled a self-enhancing diversity of production models, communication paths, and interactive communities. The open-source software movement arose to clarify the environment that the new copyright, licensing, domain, and consumer issues created.

Generally, open source refers to a program in which the source code is available to the general public for use and/or modification from its original design. Open source code is typically created as a collaborative effort in which programmers improve upon the code and share the changes within the community. Open source sprouted in the technological community as a response to proprietary software owned by corporations.

The open-source model includes the concept of concurrent yet different agendas and differing approaches in production, in contrast with more centralized models of development such as those typically used in commercial software companies. A main principle and practice of open-source software development is peer production by bartering and collaboration, with the end-product, source-material, "blueprints", and documentation available at no cost to the public. This model is also used for the development of open-source-appropriate technologies, solar photovoltaic technology and open-source drug discovery.

The concept of free sharing of technological information existed long before computers. For example, cooking recipes have been shared since the beginning of human culture.

In the early years of automobile development, a group of capital monopolists owned the rights to a 2-cycle gasoline engine patent originally filed by George B. Selden. By controlling this patent, they were able to monopolize the industry and force car manufacturers to adhere to their demands, or risk a lawsuit. In 1911, independent automaker Henry Ford won a challenge to the Selden patent. The result was that the Selden patent became virtually worthless and a new association (which would eventually become the Motor Vehicle Manufacturers Association) was formed. The new association instituted a cross-licensing agreement among all US auto manufacturers: although each company would develop technology and file patents, these patents were shared openly and without the exchange of money between all the manufacturers. By the time the US entered World War II, 92 Ford patents and 515 patents from other companies were being shared between these manufacturers, without any exchange of money (or lawsuits).

In a process very similar to open standards, researchers with access to the Advanced Research Projects Agency Network (ARPANET) used a procedure called Request for Comments to develop telecommunication network protocols. This collaborative process of the 1960s led to the birth of the Internet in 1969.

Early instances of the free sharing of source code include IBM's source releases of its operating systems and other programs in the 1950s and 1960s, and the SHARE user group that formed to facilitate the exchange of software.

In a foreshadowing of the Internet, software with source code included became available on BBS networks in the 1980s. This was sometimes a necessity: software written in BASIC and other interpreted languages can only be distributed as source code, as there is no separate portable executable binary to distribute.

Examples of BBS systems and networks that gathered source code, and set up boards specifically to discuss its modification, include WWIV, developed initially in BASIC by Wayne Bell. A culture of "modding" his software and distributing the mods grew up so extensively that when the software was ported first to Pascal, then to C++, its source code continued to be distributed to registered users, who would share mods and compile their own versions of the software. This may have contributed to its being a dominant system and network, despite being outside the Fidonet umbrella that was shared by so many other BBS makers.

The sharing of source code on the Internet began when the Internet was relatively primitive, with software distributed via UUCP, Usenet, IRC, and Gopher. BSD, for example, was first widely distributed by posts to comp.os.linux on Usenet, which is also where its development was discussed. Linux followed this model.

The label "open source" was adopted by a group of people in the free software movement at a strategy session held in Palo Alto, California, in reaction to Netscape's January 1998 announcement of a source code release for Navigator. The group of individuals at the session included Christine Peterson, who suggested "open source", Todd Anderson, Larry Augustin, Jon Hall, Sam Ockman, Michael Tiemann and Eric S. Raymond. Over the next week, Raymond and others worked on spreading the word. Linus Torvalds gave an all-important sanction the following day. Phil Hughes offered a pulpit in Linux Journal. Richard Stallman, pioneer of the free software movement, initially seemed to adopt the term, but later changed his mind. Those people who adopted the term used the opportunity before the release of Navigator's source code to free themselves from the ideology of the term "free software". Netscape released its source code under the Netscape Public License and later under the Mozilla Public License.

In February 1998, Raymond made the first public call to the free software community to adopt the new term. The Open Source Initiative was formed shortly thereafter by Eric Raymond and Bruce Perens.

The term was given a big boost at an event organized in April 1998 by technology publisher Tim O'Reilly. Originally titled the "Freeware Summit" and later known as the "Open Source Summit", the event brought together the leaders of many of the most important free and open-source projects, including Linus Torvalds, Larry Wall, Brian Behlendorf, Eric Allman, Guido van Rossum, Michael Tiemann, Paul Vixie, Jamie Zawinski of Netscape, and Eric Raymond. At that meeting, the confusion caused by the name "free software" was brought up. Tiemann argued for "sourceware" as a new term, while Raymond argued for "open source." The assembled developers took a vote, and the winner was announced at a press conference that evening.

Starting in the early 2000s, a number of companies began to publish a portion of their source code to claim they were open source, while keeping key parts closed. This led to the development of the now widely used terms free open-source software and commercial open-source software to distinguish between truly open and hybrid forms of open source.

Open source doesn't just mean access to the source code. The distribution terms of open-source software must comply with the following criteria:

1. Free Redistribution

The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.

2. Source Code

The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost, preferably downloading via the Internet without charge. The source code must be the preferred form in which a programmer would modify the program. Deliberately obfuscated source code is not allowed. Intermediate forms such as the output of a preprocessor or translator are not allowed.

3. Derived Works

The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.

4. Integrity of The Author's Source Code

The license may restrict source-code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software.

5. No Discrimination Against Persons or Groups

The license must not discriminate against any person or group of persons.

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

7. Distribution of License

The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.

8. License Must Not Be Specific to a Product

The rights attached to the program must not depend on the program's being part of a particular software distribution. If the program is extracted from that distribution and used or distributed within the terms of the program's license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the original software distribution.

9. License Must Not Restrict Other Software

The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.

10. License Must Be Technology-Neutral

No provision of the license may be predicated on any individual technology or style of interface.

The Open Source Initiative

The Open Source Initiative (OSI) is a non-profit corporation with global scope formed to educate about, and advocate for, the benefits of open source, and to build bridges among different constituencies in the open source community.

About Open Source Licenses

Open source licenses are licenses that comply with the Open Source Definition; in brief, they allow software to be freely used, modified, and shared. To be approved by the Open Source Initiative (also known as the OSI), a license must go through the Open Source Initiative's license review process.

Popular Licenses

The following OSI-approved licenses are popular, widely used, or have strong communities (as defined in the 2006 Proliferation Report):

  1. Apache License 2.0
  2. BSD 3-Clause "New" or "Revised" license
  3. BSD 2-Clause "Simplified" or "FreeBSD" license
  4. GNU General Public License (GPL)
  5. GNU Library or "Lesser" General Public License (LGPL)
  6. MIT license
  7. Mozilla Public License 2.0
  8. Common Development and Distribution License
  9. Eclipse Public License

 

 

 

Courtesy : Wikipedia , open source 

Saturday, February 23, 2013

Expired SSL Certificate knocks-out Microsoft's Azure

Microsoft's Azure cloud platform faced a worldwide outage in its storage services from Friday afternoon because of an expired SSL (secure sockets layer) certificate.
The company also reported problems with its Xbox Music and Video Store services.
The service problems come on a day the company said it was recently a victim of a cyberattack similar to ones that targeted Apple and Facebook.
"Beginning Friday, February 22 at 12:44 PM PST, Storage experienced a worldwide outage impacting HTTPS operations (SSL traffic) due to an expired certificate," Microsoft said on its Windows Azure service dashboard. HTTP traffic was not impacted, the company said. It said it executed steps to update the SSL certificate and expected HTTPS traffic to notice gradual recovery in many sub-regions.
Hypertext Transfer Protocol Secure, a combination of the HTTP and SSL/TLS protocols, is an Internet communications protocol for secure network communications.
"Further updates will be published to keep you apprised of the situation. We apologize for any inconvenience this causes our customers," the company said.
Microsoft also reported problems in its Xbox Music and Video services. It said users may be unable to browse, stream, download, or buy things at the Xbox Music and Video Store, also known as "Zune Marketplace." The company did not trace a connection between the Azure storage outage and the Xbox service problems.
The company said early morning on Saturday on the Xbox support site that it is working with its team of engineers "to get those jams back online and streaming properly." The company earlier reported that users were experiencing issues accessing content in Xbox Music and Video, and said, "know that we are aware of the issue and actively engaged working toward a fix to bring you back those sweet tunes!"
Microsoft also had a serious problem in its Azure service last February.
By Saturday, the company reported that Xbox Music and Video Store were "up and running." It also said on its Windows Azure service dashboard that it had "executed repair steps to update SSL certificate on the impacted clusters," and had recovered to over 99 percent availability across all sub-regions, but warned customers of intermittent failures for the next 24 hours. "We will continue monitoring the health of the Storage service and SSL traffic for the next 24 hrs," it said.
The company has not disclosed what led to the expired SSL certificate or the service problems on Xbox Music and Video Stores. Microsoft could not be immediately reached for comment.
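An outage of this kind is detectable well in advance by monitoring the notAfter date of every certificate a service presents. The following is an added example of such a check, not Microsoft's tooling: the three certificate dictionaries are constructed, with hostnames under the reserved example.test domain, and use the exact notAfter string format that Python's ssl.SSLSocket.getpeercert() returns. The fetch_cert function is included for live use but is not called by the offline demonstration.

```python
"""Certificate-expiry audit of the kind that would have flagged the
expired Azure storage certificate before the cutover.  Added example,
not Microsoft's code; all certificate data below is constructed."""
import socket
import ssl
from datetime import datetime, timezone

# The moment the dashboard gave for the outage: 12:44 PM PST = 20:44 UTC.
OUTAGE_TIME = datetime(2013, 2, 22, 20, 44, tzinfo=timezone.utc)

# Constructed samples in the shape ssl.getpeercert() returns (only the
# fields this check needs are filled in).
SAMPLE_CERTS = {
    "expired.example.test": {
        "subject": ((("commonName", "*.storage.example.test"),),),
        "notAfter": "Feb 22 20:44:00 2013 GMT",
    },
    "soon.example.test": {
        "subject": ((("commonName", "soon.example.test"),),),
        "notAfter": "Mar 10 00:00:00 2013 GMT",
    },
    "ok.example.test": {
        "subject": ((("commonName", "ok.example.test"),),),
        "notAfter": "Feb 22 00:00:00 2014 GMT",
    },
}


def seconds_until_expiry(cert, now):
    """Seconds from `now` (an aware datetime) until notAfter; zero or negative once expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the GMT string to epoch seconds
    return expires - now.timestamp()


def classify(cert, now, warn_days=30):
    """EXPIRED, WARN (inside the renewal window) or OK."""
    remaining = seconds_until_expiry(cert, now)
    if remaining <= 0:
        return "EXPIRED"
    if remaining < warn_days * 86400:
        return "WARN"
    return "OK"


def audit(certs, now, warn_days=30):
    """Map every hostname to its status so the result can feed an alerting pipeline."""
    return {host: classify(cert, now, warn_days) for host, cert in certs.items()}


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live endpoint's leaf certificate (needs network; unused by the offline demo).

    Note that an already-expired certificate makes the handshake itself fail
    verification, which is the loud failure the outage produced; the point of
    this check is to catch the WARN state before that happens.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host, status in audit(SAMPLE_CERTS, OUTAGE_TIME).items():
        print(f"{status:8s} {host}")
```

Run against the constructed data at the outage time, the expired sample reports EXPIRED, the one due in about fifteen days reports WARN, and the one a year out reports OK; raising warn_days is how a team buys itself the lead time a renewal process actually needs.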






Courtesy: computerworld.com

nagios metacharacter filtering omission (OSEC-2013-01)

Summary:
---------------
CVE-ID: CVE-2013-1362
CVSS: Base Score 7.5
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L
Vendor: Nagios
Affected Products: NRPE
Affected Platforms: All
Affected versions: < 2.14
Remote Exploitable: Yes
Local Exploitable: No
Patch Status Vendor released a patch (See Solution)
URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability

Description
----------------
nrpe 2.13 has, in src/nrpc.c, line 52:

#define NASTY_METACHARS         "|`&><'\"\\[]{};"

This allows the passing of $() to plugins/scripts which, if run under
bash, will execute that shell command under a subprocess and pass the
output as a parameter to the called script. Using this, it is possible
to get called scripts, such as check_http, to execute arbitrary
commands under the uid that NRPE/nagios is running as (typically,
'nagios').

Solution
------------
Upgrade to NRPE 2.14 or later, available at
http://sourceforge.net/projects/nagios/files/nrpe-2.x/
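The advisory's point is that a character denylist which omits "$", "(" and ")" lets the $(...) substitution syntax through to any plugin that hands its arguments to a shell. The following added example (not NRPE's code) reproduces the 2.13 character set quoted above, compares it with a hardened set that also refuses those three characters, and shows the more robust defence of exec'ing the plugin through an argv list rather than a shell. The hardened set, the function names and the sample arguments are this example's own assumptions, not the contents of the upstream 2.14 patch.

```python
"""Argument sanitising in the style of NRPE's NASTY_METACHARS check.
Added example, not NRPE's code: the first character set is the one the
advisory quotes from nrpe 2.13; the hardened set and the argv-based
runner are this example's own additions, not the upstream 2.14 patch."""
import subprocess

# Exactly the set quoted in the advisory for nrpe 2.13.
NASTY_METACHARS_2_13 = "|`&><'\"\\[]{};"

# Assumed hardening for this example: also refuse '$', '(' and ')' so the
# $(...) command-substitution syntax the advisory describes is rejected.
NASTY_METACHARS_HARDENED = NASTY_METACHARS_2_13 + "$()"


def contains_nasty_metachars(arg, nasty=NASTY_METACHARS_HARDENED):
    """True if any character of `arg` belongs to the forbidden set."""
    return any(ch in nasty for ch in arg)


def validate_args(args, nasty=NASTY_METACHARS_HARDENED):
    """Check every argument; return (True, None) or (False, first_offender)."""
    for arg in args:
        if contains_nasty_metachars(arg, nasty):
            return False, arg
    return True, None


def build_argv(plugin_path, args):
    """Build an argv list so the plugin is exec'd directly, never via a shell.

    With shell=False the process receives each argument verbatim, so a literal
    '$(...)' is just text to the plugin; the metachar filter then only matters
    for plugins that themselves hand their arguments to a shell.
    """
    ok, offender = validate_args(args)
    if not ok:
        raise ValueError(f"refused argument containing shell metacharacter: {offender!r}")
    return [plugin_path] + list(args)


def run_plugin(plugin_path, args):
    """Run the plugin without a shell and return its exit status (for live use; not called by the demo)."""
    return subprocess.run(build_argv(plugin_path, args), shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: a normal check_http-style argument list and one carrying $(...).
    benign = ["-H", "www.example.test", "-p", "80"]
    probe = ["-H", "$(hostname)"]
    for name, nasty in (("nrpe 2.13 set", NASTY_METACHARS_2_13),
                        ("hardened set", NASTY_METACHARS_HARDENED)):
        print(f"{name:14s} benign -> {validate_args(benign, nasty)[0]}, "
              f"probe -> {validate_args(probe, nasty)[0]}")
```

The demo shows the 2.13 set accepting "$(hostname)" while the hardened set rejects it. A denylist is still the weaker control: an allowlist of the characters a hostname or port can legitimately contain, combined with never routing arguments through a shell, leaves far less to enumerate.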








Courtesy: securityfocus.com

Cross-site scripting in Oracle EM (advReplicationAdmin) (CVE-2013-0355)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cross-site scripting in Oracle Enterprise Manager (advReplicationAdmin)

TeamSHATTER Security Advisory

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a
legitimate web application into sending malicious code, generally in the form
of a script, to an unsuspecting end user. The attack usually involves crafting
a hyperlink with malicious script code embedded within it. A valid user is
likely to click this link since it points to a resource on a trusted domain.
The link can be posted on a web page, or sent in an instant message, or email.
Clicking on the link executes the attacker-injected code in the context of the
trusted web application. Typically, the code steals session cookies, which can
then be used to impersonate a valid user.
There are instances of XSS vulnerabilities in the Distributed/Cross DB
Features of Oracle Enterprise Manager.  For example web page
/em/console/database/dist/advRepl/advReplicationAdmin is vulnerable to this
kind of attacks.
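The bug class described above is a page that copies a request parameter into its HTML response without encoding it. The following added example, which is not Oracle's code, shows the vulnerable pattern next to the fixed one and the cookie attribute that blunts the session-theft impact; the parameter name "target", the HTML fragment, the cookie name and its path are assumptions, and the request URL is constructed from the vulnerable path named in the advisory.

```python
"""Reflected-XSS demonstration and fix for a page that echoes a query
parameter, modelled on the advisory's description.  Added example: the
parameter name 'target', the HTML fragment, the cookie name and path are
assumptions, not Oracle Enterprise Manager's real code."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the advisory's vulnerable path with an assumed
# parameter carrying a harmless script tag.
CONSTRUCTED_REQUEST = (
    "/em/console/database/dist/advRepl/advReplicationAdmin"
    "?target=<script>alert(1)</script>"
)


def query_param(url, name):
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(target):
    """Interpolates untrusted input into HTML unescaped: the advisory's class of bug."""
    return (f"<h1>Advanced replication for {target}</h1>"
            f'<input name="target" value="{target}">')


def render_safe(target):
    """Same page with escaping; quote=True also covers the attribute-value context."""
    safe = html.escape(target, quote=True)
    return (f"<h1>Advanced replication for {safe}</h1>"
            f'<input name="target" value="{safe}">')


def session_cookie(session_id, cookie_name="SESSION"):
    """Set-Cookie value: HttpOnly keeps the id out of script reach, Secure keeps it off plain HTTP."""
    return f"{cookie_name}={session_id}; Path=/em; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    value = query_param(CONSTRUCTED_REQUEST, "target")
    print("vulnerable:", render_vulnerable(value))
    print("safe:      ", render_safe(value))
    print("Set-Cookie:", session_cookie("constructed-session-id"))
```

Escaping at the point of output is the fix for the vulnerability itself; HttpOnly on the session cookie does not remove the XSS but takes the stated impact, cookie theft, off the table for script running in the page.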

Impact:
Attackers might steal administrator's session cookies, thereby allowing the
attacker to impersonate the valid user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0355

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html


https://www.teamshatter.com/?p=4162

Timeline:
Vendor Notification - 6/25/2012
Vendor Response - 6/29/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmcToACgkQRx91imnNIgHHPgCdEowSWrZMUIZqCt9l4rZ9jXr3
8bgAnjXHt2HN6LjZ0Ye/bPRwNJAxI5xj
=yJVw
-----END PGP SIGNATURE-----








Courtesy: securityfocus.com

Samsung Galaxy S3 partial screen-lock bypass

MTI Technology – Vulnerability Research Team
www.mti.com
ukpentestinfo"at"mti.com

Samsung Galaxy S3 – partial screen-lock bypass


Date found:
17th Feb 2012

Vendor Notified:
20th Feb 2012

Vendor Affected:
Samsung

Device:
Galaxy S3

Model:
GT-19300

OS:
Android 4.1.2

Kernel Version:
3.0.31-742798


Affects:

Only tested on a Samsung Galaxy SIII with kernel version 3.0.31-742798, but it is possible that any Samsung device that allows emergency contacts to be used and has S-Voice present could be vulnerable.

It is a Samsung-specific bug, not an Android one.


I. Background
MTI Technology recently conducted a 45-day internal research program aimed at locating new attacks and vulnerabilities in Android devices. Specifically, the Samsung S3 and LG Nexus 4 were tested. Several new issues were located and most of them have been or will be reported to the relevant vendors.

MTI will be releasing new advisories in cooperation with the relevant vendors.


II. Overview

Partial device functionality is available to a user from a locked S3, which permits certain activities to be carried out.


III. Problem Description

It is possible to access any functionality available from the S-Voice utility on a Samsung S3 when the phone is locked and a PIN (or other locking method) is set. Any command that can be issued via S-Voice can be issued when the phone is locked; however, only the actual phone / keypad becomes visible to the user. Any other applications launched will still open and execute commands, but they are not visible to the user and the device reverts to the lock screen.

To access S-Voice the following steps are followed (assuming the phone is locked with a PIN number):

Press the power / home button to turn phone on,
Swipe the screen to access the PIN entry screen,
Select Emergency Call
Select Emergency Contacts (bottom left icon)
On the Emergency Contact screen, press the Home button twice in quick succession (to activate S-Voice)
As soon as the Home button is pressed twice, tap the bottom centre of the screen (the S-Voice Microphone button)
Issue any S-Voice Command.

Commands such as the following can be issued:

Call 12345 - will activate the phone, dial the number and display it to the user. The command can be used to call any number or contact (if the name is known), or even Voicemail if Voicemail has been saved as a contact.
What is number / address – will cause S-Voice to say the number or address associated with a contact
Message
Turn Wi-Fi On / off
Turn Bluetooth on / off
What is on my calendar
Go to Google.com

The S-Voice help screen can be used to obtain a listing of supported / documented commands. MTI were not able to locate any commands not listed in this help page.

A crude method to enumerate contact names is to press the Home button from the Emergency Contacts screen and quickly press the message / SMS icon (if stored on the main page). This will briefly display the user's SMS inbox, which reveals contact names.

IV. Impact
Low to Medium depending on the information stored on a phone. A malicious user who has access to a locked S3 would be able to obtain information from the schedule / calendar, make phone calls to any phone number (such as a premium rate number), message contacts, update a user's Facebook / Twitter status (if S-Voice is configured to do so), enumerate contact addresses and phone numbers, and activate Bluetooth and Wi-Fi.


V. Workaround
In S-Voice settings, disable the ‘Open S-Voice by double pressing the Home Key’ setting.

VI. Solution

Awaiting vendor response. Vendor seems to require Vulnerability Disclosures to be posted in their public developers forum:

http://developer.samsung.com/forum/thread/samsung-s3---partial-screen-lock-bypass/77/222426?boardName=GeneralB&startId=zzzzz~








Courtesy: securityfocus.com

SQL Injection in Oracle EM (Resource Manager) (CVE-2013-0358)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (Resource Manager)

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.3, 10.2.0.4, 10.2.0.5,
11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database. SQL
injection can be used to insert additional SQL statements to be executed.
Some parameters of /em/console/database/instance/rsrcpln are vulnerable to SQL
Injection attacks. This web page is part of the Oracle Enterprise Manager web
application. This vulnerability allows an attacker to execute SQL statements in
the backend database by making a web request as an authenticated user. The
vulnerability can be exploited by means of cross-site request forgery
attacks when an Administrator with an open OEM session visits a malicious web
site.
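Two controls address what is described above: binding parameters so request data can never become part of the statement, and a per-session CSRF token so a page on another origin cannot trigger the request on the administrator's behalf. The following is an added example, not Oracle's code, using an in-memory SQLite table; the table, its column names, the parameter name and the sample rows are assumptions standing in for the Resource Manager data the real page queries.

```python
"""SQL injection via string concatenation versus a parameterised query,
plus the CSRF token check that blocks the cross-site trigger the advisory
describes.  Added example using an in-memory SQLite table; the table,
column names and sample rows are assumptions, not Oracle EM's schema."""
import hmac
import sqlite3

# Constructed input: closes the quoted literal and appends an always-true clause.
CONSTRUCTED_INJECTION = "X' OR '1'='1"


def make_db():
    """Create a throwaway resource-plan table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resource_plans (plan_name TEXT, owner_name TEXT)")
    conn.executemany(
        "INSERT INTO resource_plans VALUES (?, ?)",
        [("DAYTIME", "DBA1"), ("NIGHT", "DBA2"), ("ETL", "SYS")],
    )
    return conn


def find_plan_vulnerable(conn, plan_name):
    """The bug class in the advisory: untrusted text becomes part of the SQL statement."""
    sql = ("SELECT plan_name, owner_name FROM resource_plans WHERE plan_name = '"
           + plan_name + "'")
    return conn.execute(sql).fetchall()


def find_plan_safe(conn, plan_name):
    """Bound parameter: the driver sends the value separately, so it cannot alter the statement."""
    return conn.execute(
        "SELECT plan_name, owner_name FROM resource_plans WHERE plan_name = ?",
        (plan_name,),
    ).fetchall()


def csrf_token_ok(session_token, submitted_token):
    """Constant-time comparison of the per-session CSRF token with the one in the request.

    A page on another origin cannot read the victim's token, so a forged
    request fails here even while the administrator's session is open.
    """
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_plan_vulnerable(db, CONSTRUCTED_INJECTION))
    print("safe:      ", find_plan_safe(db, CONSTRUCTED_INJECTION))
    print("csrf ok / forged:", csrf_token_ok("tok", "tok"), csrf_token_ok("tok", "other"))
```

With the constructed input the concatenated query returns every row of the table, while the bound-parameter version returns none because the value is matched literally. The token check belongs on every state-changing request the page serves, since the advisory's trigger is a forged request rather than a broken login.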

Impact:
An attacker hosting a malicious web site can execute SQL statements in the
backend database when an administrator with an open session in Oracle
Enterprise Manager web application visits the malicious web site.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0358

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html


https://www.teamshatter.com/?p=4149

Timeline:
Vendor Notification - 8/22/2012
Vendor Response - 8/28/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmdCYACgkQRx91imnNIgExpACfTypwOkrsaIsXlStKyF6p/Jrn
5g8AoMuWwLaNQyTKeD8gbNPcKk/BnEjB
=1/1M
-----END PGP SIGNATURE-----







Courtesy: securityfocus.com