plain text

CORE-2008-0415: Borland Interbase 2007 Integer Overflow

*Report Timeline*

. 2008-05-02: Initial notification sent to the vendor, offering the
CORE-2008-0415 advisory draft in plain-text or encrypted.
. 2008-05-05: Vendor acknowledges and requests the draft in plain text.
. 2008-05-05: Core sends the draft.
. 2008-05-09: Vendor requests a more detailed description of the steps
to reproduce the bug.
. 2008-05-09: Core sends a more detailed description of the steps to

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

   1. The IE user's browsing history is made up of several files and
folders. One of these files is named 'index.dat' and is usually located
at 'C:\Documents and settings\USERNAME\Local
settings\History\History.IE5\index.dat'. Although the file is not an
entirely textual format, IE stores every visited URL in it in plain
text, including any parameters in the query string.
   2. Although the aforementioned folder cannot be browsed directly with
Windows Explorer or Internet Explorer, it can be browsed and viewed by
referring to the same folder through UNC notation:
'\\[COMPUTERNAME|127.0.0.1]\C$\Documents and settings\USERNAME\Local
settings\History\History.IE5'.

Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

The Postfix SMTP server creates a SASL handle for each SMTP session,
when SASL authentication is enabled. The Postfix SMTP server will
use this SASL handle until it closes the SMTP connection (the Postfix
SMTP server may create a new server SASL handle when the client and
server agree to switch from a plaintext session to a TLS-encrypted
session, but this does not eliminate the memory corruption problem).

According to a comment in a Cyrus SASL include source file, a server
must not reuse a Cyrus SASL server handle after client authentication
failure. Instead, a server must create a new Cyrus SASL server

Re: Formshield Captcha - Older Version vulnerable to replay attacks

Formshield1. The value of the properties parameter changed each time
new text was populated in the CAPTCHA image. Changing content of this
parameter results in no new text being generated at all. The encrypted
properties value though is obtained by a dynamic key in the
__VIEWSTATE variable. If the contents of the __VIEWSTATE variable can
be obtained, then we have a plaintext/ciphertext match which can be
replayed every time for every new request.

Details of the Attack

To carry out this attack we need to intercept and modify HTTP(S)

RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001

application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
uncommon to store sensitive data in them.

Exploiting this vulnerability requires modification of the
serialized view object, which is not stored in a plaintext
format. The Deface tool[12] can be used to provide
proof-of-concept attacks.


Remediation Steps:

CORE-2009-1013: Multiple XSS and Injection Vulnerabilities in TestLink Test Management and Execution System

9. *Report Timeline*

. 2009-10-29:
Core Security Technologies notifies Toshiyuki Kawanishi (at his
@users.sourceforge.jp address) from the Teamst team of the
vulnerabilities, offering a draft for this advisory in plaintext or
encrypted form (if proper keys are sent). November 9th, 2009, is
proposed as a release date.

. 2009-11-02:
Because no response was obtained from Toshiyuki at his


CVE-2011-0527: VMware vFabric tc Server password obfuscation bypass

Versions Affected:
  2.0.0.RELEASE to 2.0.5.SR01
  2.1.0.RELEASE to 2.1.1.SR01

Description:
tc Server allows users to store the passwords used for JMX authentication in an obfuscated form, for organizations where storing passwords in plain text is not permitted. The JMX authentication implementation incorrectly allowed users to authenticate with the password in either its plain-text form or its obfuscated form, defeating the purpose of the obfuscation: the obfuscated string in the configuration file became a valid credential in its own right.

Mitigation:
If you are not using password obfuscation, then you are not affected by this issue.
  Users of 2.0.x may mitigate this issue by upgrading to 2.0.6.RELEASE.
  Users of 2.1.x may mitigate this issue by upgrading to 2.1.2.RELEASE.
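As an added illustration (example code written for this page, not VMware's or tc Server's), the check below models the bug and its fix. The "OBF:" hex/XOR scheme and OBF_KEY are stand-ins for whatever reversible obfuscation the product uses, which the advisory does not describe; the function names are likewise assumptions. The vulnerable authenticator accepts the stored obfuscated string itself as a credential, so the obfuscated form is password-equivalent to anyone who can read the configuration; the fixed one accepts only the de-obfuscated password and compares it in constant time.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not VMware's or tc Server's code. The "OBF:" hex/XOR scheme
 * and OBF_KEY are stand-ins (assumptions) for whatever reversible
 * obfuscation the product uses; the advisory does not describe it. */
static const unsigned char OBF_KEY[] = "tcserver";
#define OBF_KEY_LEN (sizeof OBF_KEY - 1)

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Produces the form an operator would paste into the config file. */
static int obfuscate(const char *plain, char *out, size_t out_sz)
{
    size_t n = strlen(plain);
    if (out_sz < 4 + 2 * n + 1)
        return -1;
    memcpy(out, "OBF:", 4);
    for (size_t i = 0; i < n; i++)
        sprintf(out + 4 + 2 * i, "%02x",
                (unsigned char)(plain[i] ^ OBF_KEY[i % OBF_KEY_LEN]));
    return 0;
}

/* Recovers the plaintext from the stored form; -1 if it is not "OBF:" hex. */
static int deobfuscate(const char *stored, char *out, size_t out_sz)
{
    if (strncmp(stored, "OBF:", 4) != 0)
        return -1;
    const char *hex = stored + 4;
    size_t n = strlen(hex);
    if (n % 2 != 0 || out_sz < n / 2 + 1)
        return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (char)(((hi << 4) | lo) ^ OBF_KEY[i % OBF_KEY_LEN]);
    }
    out[n / 2] = '\0';
    return 0;
}

/* Length-independent comparison so the check does not leak where the
 * first mismatching byte is. Returns 1 on match, 0 otherwise. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Vulnerable shape of CVE-2011-0527: the literal stored (obfuscated) string
 * is accepted as a credential alongside the real password, so anyone who can
 * read the config file can log in without de-obfuscating anything. */
static int authenticate_vulnerable(const char *stored, const char *supplied)
{
    char plain[128];
    if (deobfuscate(stored, plain, sizeof plain) != 0)
        return 0;
    int ok = strcmp(supplied, plain) == 0 || strcmp(supplied, stored) == 0;
    memset(plain, 0, sizeof plain);
    return ok;
}

/* Fixed shape: only the de-obfuscated value is a valid credential, and the
 * recovered plaintext is scrubbed after the comparison. */
static int authenticate_fixed(const char *stored, const char *supplied)
{
    char plain[128];
    if (deobfuscate(stored, plain, sizeof plain) != 0)
        return 0;
    int ok = ct_equal(supplied, plain);
    memset(plain, 0, sizeof plain);
    return ok;
}

int main(void)
{
    char stored[64];                       /* constructed sample credential */
    if (obfuscate("s3cret", stored, sizeof stored) != 0)
        return 1;
    printf("stored form: %s\n", stored);
    printf("vulnerable: plaintext=%d obfuscated-string=%d\n",
           authenticate_vulnerable(stored, "s3cret"),
           authenticate_vulnerable(stored, stored));
    printf("fixed:      plaintext=%d obfuscated-string=%d\n",
           authenticate_fixed(stored, "s3cret"),
           authenticate_fixed(stored, stored));
    return 0;
}
```

Obfuscation is reversible by design, so it only keeps literal secrets out of configuration files; it is not a substitute for hashing or for restricting who can read the file. Accepting the obfuscated string as a credential removes even that narrow benefit.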

Infopop UBB.Threads Admin Credentials via SQL Injection

SQL injection has previously been discovered (http://www.securityfocus.com/bid/14052/)


New Details:
------------
UBBThreads is nice enough to encrypt/mask the regular users' passwords in the database, but stores the admin users' passwords in plaintext!


Vulnerable Versions:
--------------------
Tested on version 5.5.1, others may be vulnerable


[oCERT-2008-009] libxslt heap overflow

arbitrary-length string, passed as an argument in the XSL input, is
incorrectly copied over a padding variable which is previously allocated with
a fixed size of 128 bits (RC4_KEY_LENGTH).

Aside from the heap overflow, other bugs affect the code: the length of the
plaintext string argument is used for computing the key length rather than
the length of the actual key, and the zero-padding of the key is incorrectly
computed.

A simple XML file with excessively long input can be crafted for triggering
the heap overflow.
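Added example (not libxslt's code) reproducing the three defects in isolation. RC4_KEY_LENGTH is the name the advisory uses for the 128-bit buffer; the function names, the canary region and the constructed 64-byte key / 40-byte plaintext are assumptions chosen so the over-long copy stays inside a single heap allocation and can be observed without crashing the process. The hardened variant takes the length from the key, rejects an oversized key instead of truncating it, and zeroes the slot before a bounded copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libxslt's code. RC4_KEY_LENGTH is the 128-bit buffer the
 * advisory names; the function shapes below are assumptions made to isolate
 * the three defects it lists. */
#define RC4_KEY_LENGTH 16          /* 128 bits */
#define CANARY_LEN     64

/* Vulnerable shape: the copy length is taken from the plaintext argument
 * instead of the key, the copy is not bounded by the 16-byte slot, and the
 * zero padding is derived from that same wrong length. Returns the length
 * it used for the copy. */
static size_t pad_key_vulnerable(unsigned char *padkey,
                                 const char *key, const char *plaintext)
{
    size_t key_len = strlen(plaintext);             /* wrong operand */
    memcpy(padkey, key, key_len);                   /* no bound against 16 */
    if (key_len < RC4_KEY_LENGTH)                   /* padding from wrong len */
        memset(padkey + key_len, 0, RC4_KEY_LENGTH - key_len);
    return key_len;
}

/* Hardened shape: the length comes from the key, an oversized key is
 * rejected rather than silently truncated, and padding is done by zeroing
 * the whole slot before the bounded copy. Returns 0 on success, -1 on a
 * bad key. */
static int pad_key_safe(unsigned char padkey[RC4_KEY_LENGTH], const char *key)
{
    size_t key_len = strlen(key);
    if (key_len == 0 || key_len > RC4_KEY_LENGTH)
        return -1;
    memset(padkey, 0, RC4_KEY_LENGTH);
    memcpy(padkey, key, key_len);
    return 0;
}

/* Drives the vulnerable routine into a heap block that has CANARY_LEN known
 * bytes right after the 16-byte key slot (so the write stays inside one
 * allocation and the demo is repeatable) and reports how many canary bytes
 * were overwritten. Inputs are constructed: a 64-byte key so the over-long
 * memcpy never reads past its source, and a 40-byte plaintext. */
static size_t demo_vulnerable_overflow_bytes(void)
{
    char key[65], plaintext[41];
    memset(key, 'K', 64);       key[64] = '\0';
    memset(plaintext, 'A', 40); plaintext[40] = '\0';

    unsigned char *block = malloc(RC4_KEY_LENGTH + CANARY_LEN);
    if (block == NULL)
        return 0;
    memset(block + RC4_KEY_LENGTH, 0xCC, CANARY_LEN);

    pad_key_vulnerable(block, key, plaintext);      /* copies 40, not 16 */

    size_t clobbered = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (block[RC4_KEY_LENGTH + i] != 0xCC)
            clobbered++;
    free(block);
    return clobbered;                               /* 40 - 16 = 24 */
}

int main(void)
{
    unsigned char k[RC4_KEY_LENGTH];
    printf("vulnerable copy clobbered %zu bytes past the key slot\n",
           demo_vulnerable_overflow_bytes());
    printf("safe pad of \"secret\": rc=%d\n", pad_key_safe(k, "secret"));
    printf("safe pad of a 40-byte key: rc=%d\n",
           pad_key_safe(k, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

In the real library the destination was a stack or heap buffer with whatever happened to follow it, not a canary, which is why an over-long argument in the XSL input was enough to corrupt memory rather than just produce a wrong key.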


RE: Pidgin IM Client Password Disclosure Vulnerability.

a) the accounts.xml file's location can be overridden (so that I can re-direct to a network shared TrueCrypt drive over an IPSEC protected pipe in a VLAN'd network :p)
b) to be able to disable the "Save Password" option and ensure it cannot be overridden by the user by default
 
In an institution where the authentication piece is tied into the universal PIM LDAP, as-is, the usage of your application puts us in awkward position, as it has been deemed against the policies to "store" such authentication information in the open in an easily accessible location. 
 
Per your post on http://developer.pidgin.im/wiki/PlainTextPasswords here, AFAIK there still isn't any plugin that decrypts/encrypts the saved password file either :/
 
Such position your team is taking, pretty much ties our hands and cripples us on spreading the good word about Pidgin: IMO one of the best chat applications out there!
 
Anyways, please keep up the good work and I look forward to the development of Pidgin!
 

Airscanner Mobile Security Advisory #07101401: Mobile-spy Victim/User Phone/SMS/URL Log Spoofing and Persistent XSS Injection

bug that allows anyone to inject spoofed incoming/outgoing phone 
records, SMS messages, and URLs into the backend database for ANY user 
of the software. In addition, since the incoming records are not 
filtered, it is trivial to inject malicious JavaScript/HTML into the 
webpage viewed by the user of the software. Finally, the username and 
password are stored locally on the victim's phone as plaintext.

*Details:*
Details on this program and the vulnerabilities are located at:

http://www.informit.com/articles/article.aspx?p=1077909

[CORE-2010-0415] SQL Injection in CubeCart PHP Free & Commercial Shopping Cart Application

injection vulnerability has been found, and that an advisory draft is
ready.

. 2010-06-02:
The CubeCart team asks Core for a technical description of the
vulnerability, in the form of an advisory draft, over plaintext e-mail.

. 2010-06-02:
Technical details are sent by Core in the form of a draft of this
advisory.


smbfs and apache+php source code disclosure

When using this share to serve PHP scripts with Apache (from a Linux
box), you can use it to display the PHP script's source directly in
your browser.
In Apache, scripts are mapped to engines using the AddType directive
with a file extension specified. Files with extensions not handled by
any AddType are served as plain text.

When visiting http://linuxbox/winshare/info.php, your script is executed.
When visiting http://linuxbox/winshare/info.php\ or
http://linuxbox/winshare/info.php%5C, no AddType matches the altered
extension, yet the share still resolves the name to the same file, so
the script's source is displayed, revealing details such as database
passwords.

Loginwindow.app and Mac OS X

Bill Paul and I have discovered that LoginWindow.app doesn't clear
credentials after a user is authenticated. We discovered this while
testing our EFI-based memory recovery utilities discussed recently[0].

We've found that depending on the state of capture, the passwords for
currently active accounts are stored in memory in plain text form, at
least once if not more times.

We've observed many copies of the password when the screensaver was
unlocked (but not the keychain per se). We consistently find one copy of
the password when the screen is locked. This memory is active for a

CORE-2009-0814: HP Openview NNM 7.53 Invalid DB Error Code vulnerability

Core Security Technologies notifies the HP Software Security Response
Team (SSRT) of the vulnerability and preliminary schedule to publish the
corresponding security advisory on September 8th 2009. Core asks for
acknowledgement of the email within 2 working days and whether HP SSRT
prefers to receive the technical description of the bug encrypted or in
plaintext.

. 2009-08-12:
HP SSRT asks Core to send the technical description of the vulnerability
encrypted using the PGP key with id 0x08B83D45.


Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

 Here are some changes I had to make to my blind sql injection class:
 "select substring('abc',1,1)"=>"select substring('abc' from 1 for 1)"
 if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)" =>"case ".sprintf($question,"0+".$cur).">".$pos." when true  then sleep(".$this->timeout.") end"

 CWE Violations leveraged by this exploit: 
 CWE-256: Plaintext Storage of a Password
 CWE-804: Guessable CAPTCHA  (I asked that they create this CWE when I ran into a guy that works for Mitre.)
 CWE-89: SQL Injection x2
 CWE-79: Cross-site Scripting (Persistent)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerable captcha:

ImageAlbum Remote SQL Injection Vulnerabilities

- Proof of Concept

The following example exploits the image viewer page by placing the password
of a user into the src attribute of the img tag instead of the correct path
to the image.  User passwords are stored in plain-text.

http://[site]/index.php/[domain]/?action=collection.imageview&id=643635 union all select iaimage.id, iaimage.name, description, iaimage.collection_id, iaimage.domain_id, password As path, access, visits, checked FROM iaimage, iauser WHERE iaimage.id=411 /*

iDefense Security Advisory 12.09.08: Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability

other attack vectors.

Impact of Workaround: components relying on metafile processing might
not work properly, such as printing.

Viewing e-mail in plain text format mitigates the e-mail-based attack vector.

VI. VENDOR RESPONSE

"The vulnerability could allow remote code execution if a user opens a
specially crafted WMF image file. An attacker who successfully

Re: Standing Up Against German Laws - Project HayNeedle

> So it wouldn't make much sense to create connection noise on a TCP or
> HTTP basis, as this stuff isn't logged. I think one should rather
> concentrate on generating email noise in this regard.

Instead of creating noise, one should fix the problem of sending out
plaintext email, and encourage people to use email encryption such as
Enigma for Thunderbird. Encrypt IM conversations with OTR, and via
other ways pro-actively protect one's own privacy. That is a real
structural solution. Don't blame others for not using an envelope around
your own communication.


CORE-2009-0727: Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability

. 2009-07-28:
Core Security Technologies notifies the Pidgin team of the vulnerability
and schedules a preliminary publication date to August 18th.

. 2009-07-28:
Pidgin team requests technical details (in plaintext or encrypted).

. 2009-07-30:
Core sends the advisory draft, encrypted, including technical details.

. 2009-07-30:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This feature allows the security appliance to decrypt, inspect and
modify (as needed, for example, performing NAT fixup), and re-encrypt
voice signaling traffic while all of the existing VoIP inspection
functions for Skinny and Session Initiation Protocol (SIP) protocols are
preserved. Once voice signaling is decrypted, the plain-text signaling
message is passed to the existing inspection engines. The security
appliance accomplishes this by acting as a TLS proxy between the IP
phone and Cisco Unified CallManager, which implies that TLS sessions are
terminating on the security appliance.


RE: Microsoft DID DISCLOSE potential Backdoor

>
> A backdoor in a computer system (or cryptosystem or algorithm) is a
> method of
> bypassing normal authentication, securing remote access to a computer,
> obtaining access
> to plaintext, and so on, while attempting to remain undetected. The
> backdoor may take
> the form of an installed program (e.g., Back Orifice), or could be a
> modification to an
> existing program or hardware device.
>

[ECHO_ADV_102$2009] BusinessSpace <= 1.2 (id) Remote SQL Injection Vulnerability

~~~~~~~~~~~~

Input passed to the "id" parameter in the classified.php page is not properly verified before being used 
in SQL queries. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows an attacker to retrieve users' e-mail addresses and passwords in plain text.


Poc/Exploit:
~~~~~~~~


'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298)

Mark Stanislav - mark.stanislav@gmail.com


I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Free Simple Software' download module which allows for a 'UNION SELECT' to easily expose the application administrator's plaintext password.

 
II. TESTED VERSION
---------------------------------------
1.0 [Manual Install Version]

Final Penultimate last Call for Papers for CanSecWest 2011 (deadline Jan. 17th, conf March 9-11)

    8. Will you have full text available or only slides?
    9. Language of preference for submission.
   10. Please list any other publications or conferences where this
       material has been or will be published/submitted.

   Please include the plain text version of this information in your
   email as well as any file, pdf, sxw, ppt, or html attachments.

   Please forward the above information to secwest11@cansecwest.com
   to be considered for placement on the speaker roster, or have your
   lightning talk scheduled. If you contact anyone else at our

[ECHO_ADV_101$2008] Attachmax Dolphin <= 2.1.0 Multiple Vulnerabilities

3. Blind SQL Injection Vulnerability.

Input passed to the "category" parameter in the search.php page is not properly verified before being used 
in an SQL query.
This can be exploited through the browser to manipulate SQL queries and pull users' usernames and passwords
in plain text.

Poc/Exploit:
~~~~~~~~~~~
http://www.example.com/[path]/index.php?page=Search&category=[BlindSQL]


VMSA-2010-0004 ESX Service Console and vMA third party updates

 a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1

    Newt is a programming library for color text mode, widget based
    user interfaces. Newt can be used to add stacked windows, entry
    widgets, checkboxes, radio buttons, labels, plain text fields,
    scrollbars, etc., to text mode user interfaces.

    A heap-based buffer overflow flaw was found in the way newt
    processes content that is to be displayed in a text dialog box.
    A local attacker could issue a specially-crafted text dialog box

[USN-957-1] Firefox and Xulrunner vulnerabilities

Michal Zalewski discovered flaws in how Firefox processed the HTTP 204 (no
content) code. An attacker could exploit this to spoof the location bar,
such as in a phishing attack. (CVE-2010-1206)

Jordi Chancel discovered that Firefox did not properly handle when a server
responds to an HTTPS request with plaintext and then processes JavaScript
history events. An attacker could exploit this to spoof the location bar,
such as in a phishing attack. (CVE-2010-2751)

Chris Evans discovered that Firefox did not properly process improper CSS
selectors. If a user were tricked into viewing a malicious website, an

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
