filter
================
Description:
================
Multiple XSS vulnerabilities exist within HP NNMi. In the case of GET
request XSS, this is due to a poorly implemented filter that does not
fully protect against XSS. In the case of POST request XSS, this
appears to be due to a lack of any filter.
Of particular note is the fact that if the user is not logged in they
are presented with the login page and the XSS is activated upon login.
not a bug - that is the entire point of string expansion.

However, it is often the case due to expediency or design misunderstanding that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan. With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to continue
xlssr.dll version 8.0.0.7214, distributed with IBM Lotus Notes 8.0
xlssr.dll version 8.5.0.8339, distributed with IBM Lotus Notes 8.5
xlssr.dll version 10.5.0.0, distributed with Symantec Mail Security
for Microsoft Exchange
All versions of the KeyView SDK that include the "xlssr.dll" filter
module are suspected to be vulnerable.
V. WORKAROUND
For all products using the KeyView SDK, you can disable the "xlssr.dll"
Remote exploitation of an integer overflow vulnerability in multiple
versions of Adobe Systems Inc's Reader and Acrobat PDF reader and
processor could allow an attacker to execute arbitrary code with the
privileges of the current user.
The vulnerability occurs when parsing a FlateDecode filter inside a PDF
file. FlateDecode is a filter for data compressed with zlib deflate
compression method. Several parameters can be specified for the
FlateDecode filter. Those values are used in an arithmetic operation
that calculates the number of bytes to allocate for a heap buffer. This
calculation can overflow, which results in an undersized heap buffer
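The size arithmetic the advisory describes, as an added illustration in Python (not Adobe's code and not taken from the advisory): a FlateDecode stream's predictor parameters (Columns, Colors and BitsPerComponent, from the PDF predictor dictionary) feed a row-length computation. `row_bytes_unchecked` reproduces what a 32-bit unsigned multiply does, `row_bytes_checked` range-checks the inputs and the product before anything is allocated. The exact expression Reader evaluates is not shown in the advisory; the ceil(bits/8)+1 form here is the standard PNG-predictor row size and is an assumption of this example.

```python
MASK32 = 0xFFFFFFFF

# Ranges taken from the PDF spec's predictor dictionary; treating them as
# hard limits is this example's choice, not something the advisory states.
ALLOWED_COLORS = range(1, 5)
ALLOWED_BPC = (1, 2, 4, 8, 16)


def row_bytes_unchecked(columns, colors, bpc):
    """Row size as 32-bit unsigned C arithmetic would compute it.

    bits = Columns * Colors * BitsPerComponent wraps silently, so
    attacker-chosen values can make a gigabyte-sized row look tiny.
    The extra byte holds the PNG predictor tag that precedes each row.
    """
    bits = (columns * colors * bpc) & MASK32
    return (((bits + 7) // 8) + 1) & MASK32


def row_bytes_checked(columns, colors, bpc):
    """Same formula, but reject inputs before the product can wrap.

    Returns None instead of a size when the parameters are unusable.
    """
    if columns < 1 or colors not in ALLOWED_COLORS or bpc not in ALLOWED_BPC:
        return None
    bits = columns * colors * bpc          # Python ints do not overflow
    if bits > MASK32 - 8:                  # (bits + 7) must still fit in 32 bits
        return None
    return (bits + 7) // 8 + 1


def allocation_shortfall(columns, colors, bpc):
    """Bytes one decoded row really needs minus what the wrapped computation
    allocates; a positive result is the undersized heap buffer."""
    needed = (columns * colors * bpc + 7) // 8 + 1
    return needed - row_bytes_unchecked(columns, colors, bpc)


if __name__ == "__main__":
    # Constructed parameters: 0x20000001 * 2 * 8 = 0x2_0000_0010 bits,
    # which wraps to 0x10 bits, i.e. a 3-byte allocation for a ~1 GiB row.
    cols, colors, bpc = 0x20000001, 2, 8
    print("unchecked:", row_bytes_unchecked(cols, colors, bpc))
    print("checked:  ", row_bytes_checked(cols, colors, bpc))
    print("shortfall:", allocation_shortfall(cols, colors, bpc))
```

The check that matters is the one on the product, not on any single parameter: each of Columns, Colors and BitsPerComponent can be individually plausible while their product still exceeds 32 bits.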
<values>
<evntitle> </evntitle>
<evnnote> </evnnote>
[..]
</values>
<filter>
<offset>0</offset>
<limit>60</limit>
<order_by>EVNTYPE asc</order_by>
<sql>(EVNTITLE LIKE '%SQL INJECTION TEST%' OR
EVNNOTE LIKE '%SQL INJECTION TEST%')
ZDI-08-067: Apple CUPS 1.3.7 (HP-GL/2 filter) Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-067
October 9, 2008
-- CVE ID:
CVE-2008-3641
-- Affected Vendors:
Apple
Summary:
--------
Lenovo Rescue and Recovery monitors system changes and enables users to
quickly restore their systems in the event of failure. One component
of the Rescue and Recovery system is a file system filter driver which
monitors new file writes/reads.
There is a heap overflow in the file system filter kernel driver which
could allow an attacker to overwrite kernel memory leading to elevation
of privilege.
_______________________________________________________________________
Problem Description:
A buffer overflow in the SGI image format decoding routines used by the
CUPS image converting filter imagetops was discovered. An attacker
could create malicious SGI image files that could possibly execute
arbitrary code if the file was printed (CVE-2008-3639).
An integer overflow flaw leading to a heap buffer overflow was found
in the Text-to-PostScript texttops filter. An attacker could create
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that the SGI image filter in CUPS did not perform
proper bounds checking. If a user or automated system were tricked
into opening a crafted SGI image, an attacker could cause a denial
of service. (CVE-2008-3639)
It was discovered that the texttops filter in CUPS did not properly
Printing System (CUPS). The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2008-0053
Buffer overflows in the HP-GL input filter allowed to possibly run
arbitrary code through crafted HP-GL files.
CVE-2008-1373
Buffer overflow in the GIF filter allowed to possibly run arbitrary
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 12, 2008
I. BACKGROUND
Microsoft Office contains a number of input filters. These input filters
allow transparent conversion from external types into a form that the
Office applications can use. More information on import filters in
Microsoft Office 2002 is available at the following URL.
http://support.microsoft.com/?scid=kb;en-us;290362
... $this->ipsclass->input['name'], 0 ) );
$name = str_replace("+", "+", $name );
As you can see, this function uses the "rawurldecode()"
function, which can be used to bypass (eg: %2527) all
filters we saw before (eg: the parse_clean_value()
function).
Default charsets are "iso-8859-1" or "utf-8", so the
"parse_clean_value()" function is not applied to our
variable, and we can use all characters:
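The filter-then-decode ordering problem behind the %2527 bypass, as an added Python example rather than IPB's code. `parse_clean_value` here is a stand-in that only HTML-encodes quotes and angle brackets (the real IPB function is not reproduced); `vulnerable_name` follows the order seen in the snippet, `fixed_name` decodes to a fixed point before filtering.

```python
from urllib.parse import unquote


def parse_clean_value(value):
    """Stand-in for the IPB filter named in the advisory (assumed, not the
    real code): HTML-encode the characters an XSS/SQL payload needs."""
    return (value.replace("&", "&amp;")
                 .replace("'", "&#039;")
                 .replace('"', "&quot;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;"))


def vulnerable_name(raw_query_value):
    """Filter first, then rawurldecode(): the bug pattern in the snippet.

    PHP has already decoded the query string once, so a %25-prefixed
    sequence such as %2527 reaches the filter as the harmless text "%27"
    and only becomes a quote in the later rawurldecode() call.
    """
    once = unquote(raw_query_value)      # what the input array holds
    filtered = parse_clean_value(once)   # the filter sees "%27", not "'"
    return unquote(filtered)             # the rawurldecode() in the snippet


def fixed_name(raw_query_value, max_rounds=3):
    """Decode until the value stops changing, then filter the final form.

    Bounding the rounds keeps a pathological input from looping; a value
    that is still changing after max_rounds is rejected (None), not trusted.
    """
    value = raw_query_value
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return parse_clean_value(value)
        value = decoded
    return None
```

The simplest fix is to not decode again after filtering at all; where a second decode is genuinely needed, canonicalise first and filter the form that will actually be used.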
Vulnerabilities in kses-based HTML filters
==========================================
During internal code review performed by Allegro.pl, some weaknesses
were discovered in kses - PHP HTML/XHTML filter. HTML filters using or
based on kses are part of many popular projects, including WordPress,
Moodle, Drupal, eGroupWare, Dokeos, PHP-Nuke, Geeklog and others. Issues
found range from cross-site scripting to code execution, depending on
implementation.
8e6 Technologies R3000 Internet Filter Bypass by Request Split
Product:
8e6 Technologies R3000 Internet Filter
http://www.8e6.com/network-security/internet-filtering/internet-filtering.html
The HTTP URL filtering function provided by the 8e6 Technologies R3000 Internet Filter can be bypassed by simply splitting the HTTP request line (which contains the URI) into multiple packets.
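Why splitting the request line defeats a per-packet inspector, as an added Python model (not 8e6's code; the blocked host, regex and segment sizes are constructed for the example). `per_packet_filter` looks at each TCP segment on its own, `stream_filter` reassembles and decides on the complete request line.

```python
import re

# Constructed policy: block one host by inspecting the HTTP request line.
BLOCKED_REQUEST = re.compile(
    rb"^(?:GET|POST)\s+(?:https?://)?(?:www\.)?blocked\.example(?:[/:\s])",
    re.IGNORECASE,
)
MAX_LINE = 8192   # refuse to buffer forever while waiting for CRLF


def per_packet_filter(segments):
    """Models a filter that inspects each TCP segment independently.

    The request line only matches if it arrives intact in one segment,
    which is exactly the assumption request splitting violates.
    """
    return any(BLOCKED_REQUEST.search(seg) for seg in segments)


def stream_filter(segments):
    """Reassemble the byte stream and decide on the complete request line.

    Returns None while the line is still incomplete (keep buffering),
    True to block, False to allow. An over-long line with no CRLF is
    blocked rather than allowed through unread.
    """
    buffered = b"".join(segments)
    if b"\r\n" not in buffered:
        return True if len(buffered) > MAX_LINE else None
    request_line = buffered.split(b"\r\n", 1)[0]
    return BLOCKED_REQUEST.search(request_line) is not None


def split_request(request, size):
    """Chop a request into fixed-size segments, as a client does when it
    deliberately sends the request line a few bytes at a time."""
    return [request[i:i + size] for i in range(0, len(request), size)]


# Constructed request to the blocked host (proxy-style absolute URI).
REQUEST = (b"GET http://blocked.example/index.html HTTP/1.0\r\n"
           b"Host: blocked.example\r\n\r\n")
```

Note that reassembly is only a fix if the filter also refuses to forward bytes it has not yet classified; a device that inspects and forwards segment by segment has no safe place to make the decision.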
SMF is a very hardened PHP application. If anyone wants an example of some interesting PHP security, SMF is a good place to look. Even after being able to inject SQL I had to take another step and bypass some difficult filters found in the db_query() function. Ultimately I was able to do so.
This exploit uses blind SQL injection, although you might not believe it given how fast it is. It can take less than 20 seconds to obtain a 40-byte hash on a remote server!
Be safe,
Michael Brooks
#!/usr/bin/perl
Versions Affected:
Apache Shiro 1.0.0-incubating
The unsupported JSecurity 0.9.x versions are also affected
Description:
Shiro's path-based filter chain mechanism did not normalize request paths
before performing path-matching logic. The result is that Shiro filter
chain matching logic was susceptible to potential path traversal attacks.
Mitigation:
All users should upgrade to 1.1.0
Secunia Research has discovered two vulnerabilities in Microsoft
Office, which can be exploited by malicious people to compromise a
user's system.
1) An input validation error in the TIFF Import/Export Graphic Filter
when copying certain data can be exploited to cause a heap-based
buffer overflow via a specially crafted TIFF image.
2) Another input validation error in the TIFF Import/Export Graphic
Filter when copying certain data after having encountered a specific
A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate
configuration file using the -C option or by using the macro override
facility (-D option). Unfortunately, fixing this vulnerability is not
possible without some changes in exim4's behaviour. If you use the -C
or -D options or use the system filter facility, you should evaluate
the changes carefully and adjust your configuration accordingly. The
Debian default configuration is not affected by the changes.
The detailed list of changes is described in the NEWS.Debian file in
the packages. The relevant sections are also reproduced below.
The Compression Parameter Index indicates which compression algorithm was used
to compress the ipcomp payload, which is expanded and then routed as requested.
Although the CPI field is 16 bits wide, in reality only 1 algorithm is widely
implemented, RFC1951 DEFLATE (cpi=2).
It's well documented that ipcomp can be used to traverse perimeter filtering,
however this document discusses potential implementation flaws observed in
popular stacks.
The IPComp implementation originating from NetBSD/KAME implements injection of
unpacked payloads like so:
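The NetBSD/KAME code the advisory refers to is not reproduced on this page. The following added Python example (written for this page, not taken from any IP stack) shows the receive side as it should look: parse the four-byte IPComp header (Next Header, Flags, CPI per RFC 3173), accept only CPI 2 (DEFLATE), and inflate the body under a hard output cap so a small packet cannot expand into an arbitrarily large buffer. The cap values are this example's choice.

```python
import struct
import zlib

IPCOMP_HEADER = struct.Struct("!BBH")   # Next Header, Flags, CPI (RFC 3173)
CPI_DEFLATE = 2                          # the one widely implemented algorithm


def build_ipcomp(next_header, payload, level=6):
    """Wrap a payload in an IPComp header with a raw DEFLATE body
    (wbits=-15: no zlib wrapper, as on the wire)."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)
    body = comp.compress(payload) + comp.flush()
    return IPCOMP_HEADER.pack(next_header, 0, CPI_DEFLATE) + body


def unpack_ipcomp(packet, max_payload):
    """Parse the header, check the CPI, and inflate under a hard cap.

    Returns (next_header, payload). Raises ValueError for a short header,
    reserved flags, an unsupported CPI, a corrupt body, or a body that
    would expand past max_payload bytes. DEFLATE expands up to ~1000:1,
    so the cap, not the packet length, bounds the decoder's memory use.
    """
    if len(packet) < IPCOMP_HEADER.size:
        raise ValueError("short IPComp header")
    next_header, flags, cpi = IPCOMP_HEADER.unpack_from(packet)
    if flags != 0:
        raise ValueError("reserved flags set")
    if cpi != CPI_DEFLATE:
        raise ValueError("unsupported CPI %d" % cpi)
    inflater = zlib.decompressobj(-15)
    try:
        payload = inflater.decompress(packet[IPCOMP_HEADER.size:], max_payload)
    except zlib.error as exc:
        raise ValueError("corrupt DEFLATE body: %s" % exc)
    # Input left over means the cap stopped us; no end-of-stream means the
    # body was truncated. Either way the packet is not trusted.
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("payload exceeds %d bytes or is truncated" % max_payload)
    return next_header, payload
```

In a real stack the cap is the link or reassembly MTU for the inner datagram; anything larger than that could never have been a legitimate packet before compression.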
6. *Solutions and Workarounds*
On the server side, you can upgrade to a non-vulnerable version. On the
client you can use a browser that obeys the Content-Type header
specified by the server, such as Mozilla Firefox, Google Chrome, Apple
Safari or Opera. Internet Explorer 8 with the XSS Filter won't execute
the malicious scripts.
7. *Credits*
2) Varnish is the only program that doesn't need a "cat" program as logs
are stored in memory and displayed using the "varnishlog" utility.
2) Apache fixed a similar bug (CVE-2003-0020), "Low: Error log escape
filtering", in 2004 (six years ago). The bug was affecting Apache up
to 1.3.29 [8] or 2.0.48 [9] depending on the branch.
Take your conclusion, criticize if you want. In the meantime things are a
little safer.
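What the "escape filtering" that Apache added in CVE-2003-0020 amounts to, as an added Python example (not Apache's or Varnish's code): every attacker-controlled field is rewritten so that control characters, including ESC and the newline that would forge a second record, appear as visible `\xNN` text before the line is written. The log format and the sample entries are constructed for the example.

```python
import re

# Everything that can drive a terminal: C0 controls (ESC is 0x1b), DEL,
# and the C1 range where the 8-bit CSI (0x9b) lives.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_control_chars(field):
    """Rewrite each control character as a visible \\xNN escape.

    Backslashes are doubled first so a literal "\\x1b" typed by the
    client cannot be confused with an escaped ESC in the log.
    """
    field = field.replace("\\", "\\\\")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), field)


def format_access_line(client, request, status, user_agent):
    """Common-log-style record with every client-supplied field escaped
    before it is joined into the line (constructed format)."""
    return '%s - - "%s" %d "%s"' % (
        client,
        escape_control_chars(request),
        status,
        escape_control_chars(user_agent),
    )


# Constructed sample entries: one benign, one carrying an xterm title-set
# sequence (ESC ] 0 ; ... BEL) and a newline that would forge a second record.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "GET /index.html HTTP/1.1", 200, "curl/7.68.0"),
    ("203.0.113.9", "GET /\x1b]0;owned\x07 HTTP/1.1", 404,
     "evil\n203.0.113.1 - - \"GET /admin HTTP/1.1\" 200 \"x\""),
]


def render_samples():
    """Format the constructed entries; the result contains no raw controls."""
    return [format_access_line(*entry) for entry in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line in render_samples():
        print(line)
```

Escaping at write time protects every later reader of the file, which is the point of the advisory: the danger is not the web server but the `cat` or `tail` run by an administrator afterwards.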
The unlink function is used by a web page to delete a file on the web server.
The unlink function was found to be used with user input:
unlink($oldsmile_path);
Although filter functions like str_replace are used:
$oldsmile_path = str_replace("\\", "/", realpath(XOOPS_UPLOAD_PATH.'/'.trim($_POST['old_smile'])));
they are not strong enough for CodeScan Developer to count as a filter.
It is potentially dangerous for a user to have direct input into what is deleted,
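Both the Shiro filter-chain issue above (path matching on the un-normalised request path) and this unlink() finding (realpath() applied, but its result never compared against the allowed directory) come down to the same rule: canonicalise, then decide. The following added Python example (not Shiro's or XOOPS's code) shows both checks; the protected prefix, the upload root and the sample inputs are constructed, and the containment check uses pure path arithmetic so it runs without touching the filesystem.

```python
import posixpath


def normalize_request_path(raw_path):
    """Canonicalise an HTTP path before any matching: collapse '/./',
    resolve '/../' and squash duplicate slashes. posixpath.normpath keeps
    a leading '//' on POSIX, so that case is handled explicitly."""
    return posixpath.normpath("/" + raw_path.lstrip("/"))


def raw_prefix_match(raw_path, protected="/admin"):
    """The weak form: match the path exactly as the client sent it."""
    return raw_path == protected or raw_path.startswith(protected + "/")


def normalized_prefix_match(raw_path, protected="/admin"):
    """Match only after canonicalisation, so '/./admin/users' and
    '/x/../admin/users' cannot slip past a rule written for '/admin'."""
    path = normalize_request_path(raw_path)
    return path == protected or path.startswith(protected + "/")


def resolve_inside(root, user_supplied):
    """Join a user-supplied path onto root and return the result only if
    it is strictly inside root; otherwise return None.

    An absolute user path replaces root in posixpath.join, and '..' walks
    out of it; normalising and then comparing against root catches both.
    In a real handler resolve symlinks with os.path.realpath on both sides
    before comparing: realpath alone, as in the unlink() snippet, is not
    a check, the comparison is.
    """
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, user_supplied))
    if not target.startswith(root + "/"):
        return None
    return target
```

The two decisions differ in direction (one asks "is this path protected?", the other "is this path allowed?") but fail the same way when made on raw input: the attacker chooses the spelling, so the spelling must be removed before the comparison.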
# The Risk:
# By exploiting this vulnerability, an attacker can inject malicious code into the script and steal cookies.
#
# Fix the vulnerability:
# * Encode output based on input parameters.
# * Filter input parameters for special characters.
# * Filter output based on input parameters for special characters...
#
#################################################################
#
# [2]-SQL injection
to the beginning of every configuration file "; <?php exit; ...".
Because of this it is not possible to just write PHP code into a
file and execute it.
There is however a lesser known and nearly never used feature of PHP5
that allows exploiting this situation. By using the PHP5 filter
stream wrapper through the php://filter URI scheme it is possible to
write arbitrary files to the server. By crafting a configuration
filename like
php://filter/write=convert.base64-decode/resource=/var/www/x.php it
is possible to channel all writes to the file through a base64
Quote from http://www.php-ids.org
"PHPIDS (PHP-Intrusion Detection System) is a simple to use, well
structured, fast and state-of-the-art security layer for your PHP
based web application. The IDS neither strips, sanitizes nor
filters any malicious input, it simply recognizes when an attacker
tries to break your site and reacts in exactly the way you want it
to. Based on a set of approved and heavily tested filter rules any
attack is given a numerical impact rating which makes it easy to
decide what kind of action should follow the hacking attempt. This
could range from simple logging to sending out an emergency mail
web-based attacks.
The processing method for the search function fails to perform proper
input validation on the data that is being submitted via HTTP GET. The
parameter "searchtext" lacks validation and is therefore vulnerable to
script injection. While there is a basic input filtering method in
place, it fails to detect more advanced (e.g. encoded) payloads.
Other parts of the application might be affected too.
This vulnerability has been tested on version 6.1, other versions might
be affected as well.
Vulnerability details:
By default, EFSWS allows a user to download a file directly via a URL if the file name is known. For example, if the file name posted is MyFileName1234.exe, then one could go directly to:
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin downloading the file.
In itself, this is not a big issue as one would have to guess any given filename. However, EFSWS always uses the common file name "FILES.SDB" to store all the files being published. This file is stored in the root program directory. While the EFSWS product engine filters out many file types, it does NOT filter out FILES.SDB. If you know someone is running EFSWS, one simply has to access the following URL to anonymously download the FILES.SDB file without authentication:
https://www.SiteRunningEFSWS.com/files.sdb
This will download the FILES.SDB file and will allow an attacker to see every published file via the free viewer record by record. (You can of course view the db as a text file). Entries look like this:
"V:\rootDirForFiles\applications\Acronis Disk Director Suite 10.2160\ioware-w32-x86-30.exe"
VUPEN Vulnerability Research - Adobe Acrobat and Reader U3D Filter Code
Execution Vulnerabilities
I. BACKGROUND ---------------------
Adobe Acrobat is a family of computer programs developed by Adobe
Systems, designed to view, create, manipulate and manage files in
Adobe's Portable Document Format (PDF).
fix the escape injection problem"
20091024 Advisory release
IX. REFERENCES
[1] Apache does not filter terminal escape sequences from error logs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020
[2] Apache does not filter terminal escape sequences from access logs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083
[3] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability
http://www.milw0rm.com/exploits/7681