attacks
the Web Hacking Incidents Database Project we have collected numerous new
incidents, listed below. It is very evident that both the rate of incidents
as well as the amount of information about each one is on the rise.
We have also started adding more classifications to each incident. In
addition to the attack method we now track for each incident its geography,
the outcome of the attack and the industry sector it occurred in. We are
going to use this information in our first annual Web Incidents summary
report to be issued in early January.
So if you know of a web hacking incident that you feel should be in the
Not to step in to the middle of this, but I once worked for an employer with what I considered the best way of stopping attacks cold: a proxy server that prompted you for your credentials when you went to an external web site and GP settings that disabled the ability to save your username/password locally, as well as tight settings on the systems to prevent pretty much anything from being installed or modified. So every time you opened up a brand new session of IE and tried to access an external site you were prompted for your username/password. Somehow I doubt there's any malware around that is designed to survive in that type of an environment.
Geoff
Sent from my BlackBerry wireless handheld.
-----Original Message-----
From: "pdp (architect)" <pdp.gnucitizen@googlemail.com>
Date: Thu, 11 Oct 2007 01:17:16
Mambo CMS is a popular Content Management System.
Security Risk
=============
It is possible to manipulate administrator interface cookies, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.
The cookie variable can be set to a malicious, arbitrary value, which can lead to session hijacking and privilege escalation attacks.
Possible Causes
===============
Insecure web application programming or configuration
Joomla CMS is a popular Content Management System.
Security Risk
=============
It is possible to manipulate administrator interface cookies, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.
The cookie variable can be set to a malicious, arbitrary value, which can lead to session hijacking and privilege escalation attacks.
Possible Causes
===============
Insecure web application programming or configuration
Over the last several years, VSR analysts have observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL encoded and appended to URLs. In late April 2010, VSR began
researching this in more depth and found that the issue could allow for
HTTP header injection and HTTP request smuggling attacks.
Product Background
------------------
WebLogic application server is commonly deployed in a three-tier
Original advisory details:
It was discovered that the Linux kernel did not correctly handle memory
protection of the Virtual Dynamic Shared Object page when running
a 32-bit application on a 64-bit kernel. A local attacker could
exploit this to cause a denial of service. (Only affected Ubuntu 6.06
LTS.) (CVE-2009-4271)
It was discovered that the r8169 network driver did not correctly check
the size of Ethernet frames. A remote attacker could send specially
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.
The application insufficiently verifies the incoming subscriberdata parameter in the /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker would need to convince a user with "staff" privileges to open a URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
The application insufficiently verifies the incoming subject parameter in the /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker would need to trick a user with "staff" privileges into opening a URL like:
vMA 4.0 RHEL5 Patch 2 *
* vMA JRE is updated to version JRE 1.5.0_21
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
realize the automatic process of password cracking.
As you comment, when using this feature there is a lock (for 2 hours) on
authentication attempts, and beyond this limit (100 requests) the
message returned by the application does not allow one to know if the
analyzed password is correct or not. However, every 2 hours an attacker
could make 100 authentication attempts.
To overcome this limit (100 authentication attempts), it is sufficient
that the attacker has other Gmail accounts. Each account allows the
malicious user to make 100 new authentication attempts within 2 hours of
can be injected directly into JavaScript without breaking out of a string.
* Injections facilitated by some HTTP headers are not currently blocked.
Ex: "Referer" based injection.
* If a page contains multiple nearby injection points, attacks can be
constructed that thwart the XSS Filter."
>>>
For more information about the Anti-XSS filter:
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-
principles you mentioned. Security in depth works only in a perfect
world. The truth is that you cannot implement true security, mainly
because you will hit on the accessibility side. It is all about
achieving the balance between security and accessibility. Moreover,
you cannot implement security in depth, mainly because you cannot
predict the future. Therefore, you don't know what kinds of attacks
will surface next.
Security is not a destination, it is a process. Security in depth
sounds like a destination to me.
Details:
Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for
PHP 5.3.5 allows local users to delete arbitrary files via a symlink
attack on a directory under /var/lib/php5/. (CVE-2011-0441)
Raphael Geisert and Dan Rosenberg discovered that the PEAR installer
allows local users to overwrite arbitrary files via a symlink attack on
the package.xml file, related to the (1) download_dir, (2) cache_dir,
(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072,
Summary
=======
Cisco Unified Communications Manager, formerly CallManager, contains
a privilege escalation vulnerability in the IP Phone Personal Address
Book (PAB) Synchronizer feature that may allow an attacker to gain
complete administrative access to a vulnerable Cisco Unified
Communications Manager system. If Cisco Unified Communications
Manager is integrated with an external directory service, it may be
possible for an attacker to leverage the privilege escalation
vulnerability to gain access to additional systems configured to use
Details follow:
It was discovered that xine-lib did not correctly handle certain malformed
Ogg and Windows Media files. If a user or automated system were tricked into
opening a specially crafted Ogg or Windows Media file, an attacker could cause
xine-lib to crash, creating a denial of service. This issue only applied to
Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)
It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not
correctly handle memory allocation failures. If a user or automated system were
####################
- Discussion:
####################
1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, which is executed under administrative privilege, so the attacker can execute his commands with administrative privilege. E.g. an attacker can gain a remote desktop session on the server using this bug and uploading an ASP file!
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via SQL injection.
6- [User] can change his credit amount or increase his discount.
> Mail: nso-research at sotiriu.de
> URL: http://sotiriu.de/adv/NSOADV-2010-004.txt
> Vendor: McAfee (http://www.mcafee.com/)
> Affected Products: McAfee LinuxShield <= 1.5.1
> Not Affected Products: McAfee LinuxShield 1.5.1 with HF550192
> Remote Exploitable: Yes (attacker must be authenticated)
> Local Exploitable: Yes
> Patch Status: Vendor released a patch (See Solution)
> Discovered by: Nikolas Sotiriu
> Thanks to: Thierry Zoller: For the permission to use his
> Policy
SUMMARY
This advisory addresses the renegotiation related vulnerability
disclosed recently in Transport Layer Security protocol [1][2]. This
vulnerability may allow a Man-in-the-Middle (MITM) attacker to inject
arbitrary data into the beginning of the application protocol stream
protected by TLS.
The only ArubaOS component that seems affected by this issue is the
HTTPS WebUI administration interface. If a client browser (victim) is
can include their banks, email accounts, shopping sites, etc.
IV. DESCRIPTION
-------------------------
It is possible for a malicious website to place arbitrary sites into your
Top Sites view through automated actions. The attack technique makes use of
JavaScript windows, wherein a small window is used to repeatedly browse to
different sites that the attacker wants to add to your Top Sites list. This
window is completely hidden using the window.blur function and the user won't
know what is happening in the background. Please note that this attack is
not possible using invisible iframes, as Safari does not use iframe URLs to
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of users' machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability of a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname of the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using a URI specified in UNC form and force the local content to
be rendered as an HTML document, which will permit running scripting
Details follow:
USN-957-1 fixed vulnerabilities in Firefox and Xulrunner. Daniel Holbert
discovered that the fix for CVE-2010-1214 introduced a regression which did
not properly initialize a plugin pointer. If a user were tricked into
viewing a malicious site, a remote attacker could use this to crash the
browser or run arbitrary code as the user invoking the program.
(CVE-2010-2755)
This update fixes the problem.
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be a registered user
2. attacker must have blog editing privileges
Registered users with blog editing privileges can access the personal gallery
functionality, example URL:
upload script.
PHP does include 2 configuration settings that are related to this
situation: upload_max_filesize and post_max_size.
However, these are not enough to protect us against this denial of
service attack.
Workarounds
------------
Currently, I'm aware of three workarounds for this problem:
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------