port 80
the LCD-like screen containing info about the status of the connection.
To exploit this vulnerability it is only necessary that a user follows
an rtsp:// link: if port 554 of the server is closed, QuickTime will
automatically change the transport and try the HTTP protocol on
port 80, and the server's 404 error message (other error numbers are
valid too) will be displayed in the LCD-like screen.
During my tests I have been able to fully overwrite the return address.
Anyway, note that the visible effects of the vulnerability could change
during the usage of the debugger (in attaching mode it's everything
if (isset($_POST['Submit']) && $host != '' && $path != '')
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('<font
color=white>Error... check the path!</font>');}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
Exploitation of these vulnerabilities results in the execution of
arbitrary code with the privileges of the affected service. On RedHat
Enterprise 4, the application is started as the user 'bin'. All that is
required for exploitation is the ability to create a TCP connection to
port 80 on the targeted host.
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in Network
Node Manager version 7.53 for Linux. Previous versions, as well as
$host=$argv[1];
$shell=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP MSA 2000 G3. Authentication is not
required to exploit this vulnerability.
The specific flaw exists within the web interface listening on TCP port
80. There exists a directory traversal flaw that can allow a remote
attacker to view any file on the system by simply specifying it in the
default URI. Additionally, the password file contains a default login
that can be used to authenticate to the device. This can be leveraged by
a remote attacker to perform any tasks an administrator is able to.
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Sybase MBusiness Anywhere. Authentication is
not required to exploit this vulnerability.
The flaw exists within the agd.exe component which listens by default on
TCP ports 80 and 443. When calling agd!encodeUsername the process creates
a 100 byte buffer on the heap. The process then blindly copies user
supplied data into that fixed-length buffer without verifying that the
size of the destination buffer is adequately sized. A remote attacker
can exploit this vulnerability to execute arbitrary code under the
context of the SYSTEM user.
Crysis has a small internal HTTP/XML-RPC server which must be activated
with the http_startserver command (manually or through server.cfg) and
allows it to receive rcon commands.
This service works on port 80 if no port is specified, but usually the
admins choose a custom port or just the same as the game (64087; the
service is easily distinguishable due to the "Bad Request" title
visible with a web browser).
If an attacker uses an HTTP request with a total length greater than 4096
print " "
print " Usage: "
print " %s [Target] [VictimNick] [Path] [YourEmail] [AdditionalFlags] " % (sys.argv[0])
print " "
print " Additional Flags: "
print " -id34 -passMypassword -port80 "
print " "
print " Example: "
print " python %s 127.0.0.1 admin /DeluxeBB/ me@it.com -port81 " % (sys.argv[0])
print " "
print "########################################################################################\n"
Citrix web frontend which is exposed to the Internet in many cases.
Description:
The Citrix XML Service (ctxxmls.exe) is installed on every server used for
sharing applications. This Windows service listens by default on port 80 and
can receive HTTP requests. Using HTTP POST requests with a URL starting with
the path /scripts/ it is possible to send messages to so called "HTTP
Extension DLLs" which consist of XML markup.
The stack-based buffer overflow was identified in the wpnbr.dll extension
XP redirects just fine.
/str0ke
none@void.gov.com wrote:
> Yea, I second that. I tested on Vista and it doesn't attempt to redirect to port 80; there must be another condition that you have specified that allows for redirection.
>
>
}
$host=$argv[1];
$path=$argv[2];
$cmd=$argv[3];
$port=80;
$cmd=urlencode($cmd);
$p='http://'.$host.':'.$port.$path;
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard OpenView Network Node
Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the nnmRptConfig.exe CGI executable
accessible via the IIS web server listening by default on TCP port 80.
While parsing POST variables this process copies the contents of the
Template parameter into a fixed length stack buffer using a strcat call.
By supplying a large enough value this buffer can be overflowed leading
to arbitrary code execution.
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
Port 80 gives access through an HTML interface to the configuration menu, as would be expected, but although you can control access to that interface using a password, there is no control over the telnet port. So, by telnetting to port 23 (on its default IP 192.168.0.1) users automatically get access to the filesystem without providing any credentials at all. The file system of the device may then be used for malicious communication and temporary data storage. A user may also download the firmware upgrade page's HTML code from the www directory and modify it locally to allow files other than IMGs to be uploaded and replace the existing firmware, making the device useless.
Also, one can view the contents of the /etc/htpasswd file, where everything is in plaintext, and retrieve the web-based administrator's (admin) password. Some of the possible implications, which can be triggered from the web interface but are not limited to the following, are:
1. Intruders are now able to open the configuration page and go through the submenus, where they can get the wireless key in use (the wireless key is displayed in plaintext as well).
2. They can perform a trivial DoS attack (a factory restart of the modem and everything stops working); similarly, from the telnet session, by issuing the command "reboot" the device will obey and restart itself.
the system running the XML service.
By sending a POST request to a really long non-existent extension DLL some
TN> Discovered: 18 November, 2006
TN> Disclosed: 15 June, 2009
TN> I. DESCRIPTION
TN> The Netgear DG632 router has a web interface which runs on port 80. This
TN> allows an admin to login and administer the device's settings. However,
TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
TN> to crash and stop responding to further requests.
TN> II. DETAILS
my ISP blocks ports below < 1024... so I figured 8800 would be the next best thing ...
@everybody : *always* be careful - port 80 will not make things safer than port 8800 ;)
moreover the visualization of more than 1024 chars, but other better
ways could exist.
The internal web server built into the Unreal engine is a service useful
for managing one's own game server remotely through a web browser.
This server is NOT enabled by default and works on port 80 if the admin
doesn't change it.
The files served are those contained in the Web folder
inside the game directory; /images is the only one which doesn't
require authorization, and is also the one needed to exploit this bug.
http://docs.codehaus.org/display/JETTY/Running+Jetty-7.0.x
- From an unpacked release directory of jetty-7,
the server can be started with the command: java -jar start.jar
- This will start a HTTP server on port 8080 and
deploy the test web application at: http://localhost:8080/test
II. DESCRIPTION
Multiple Vulnerabilities exist in Jetty software.
vulnerable device configured with Cisco IOS SSL VPN:
Router#show running | section webvpn
webvpn gateway Gateway
ip address 10.1.1.1 port 443
http-redirect port 80
ssl trustpoint Gateway-TP
inservice
!
Router#
Discovered: 18 November, 2006
Disclosed: 15 June, 2009
I. DESCRIPTION
The Netgear DG632 router has a web interface which runs on port 80. This
allows an admin to login and administer the device's settings.
Authentication of this web interface is handled by a script called "webcm"
residing in "/cgi-bin/", which redirects to the relevant pages depending on successful user
vulnerable installations of HP Managed Printing Administration.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the MPAUploader.dll file. An extended
length string can be passed into scripts within the management website
on port 80 (the 'uploadfile' multipart form data 'filename' parameter in
Default.asp) and ultimately to MPAUploader.dll. As a static stack
allocation is used to store the buffer and the string length is not
handled properly, a remote attacker may overwrite the stack and
ultimately execute remote code.
The PartyGaming PartyPoker client program can be forced into downloading a
malicious update. This is a result of the PartyPoker client not properly
confirming the authenticity of the network update server or the
executable update files themselves. When downloading an update, first
the client program resolves the DNS address of the update host. Next, it
establishes a TCP connection on port 80 of the previously resolved IP
address. Then, it sends an HTTP request for an EXE file under the web
server's Downloads directory. Upon receiving the HTTP response, the
requested portable executable is written to disk and executed.
ANALYSIS
http://goo.gl/m99l6
There are numerous Puppet Dashboards exposed directly to the Internet
and indexed by Google. By default Dashboard runs on port 3000, so
these are only the sites that have been reconfigured to run on port 80. A
machine search for port 3000 would probably reveal orders of magnitude more
sites.
This problem affects all versions of Puppet Dashboard.
communicate using a series of xml packets and absolutely zero
authentication or encryption :-(
Oh, and just in case you thought about maybe putting something secure
like an ssl webserver proxying the thing, these java applets are hard
coded to connect back to port 80 on the originating host using HTTP :-(
Still, you should get an idea of how the box is *supposed* to be used by
the fact that its ip address is set with dip switches where the
192.168.1 bit is hard coded!
#include <stdio.h>   /* fprintf */
#include <stdlib.h>  /* exit */
#include <sys/stat.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <fcntl.h>
#define PORT 80
/* print an error message and abort */
#define sys_err(x) \
do { \
fprintf(stderr,"%s",x); \
exit(-1); \
} while(0)
Depending on the operating system and setup this may be used to
compromise computers attached to the KVM switch.
Severity: Medium
CVE-2009-1474: Session ID Cookie not secure-only
When the user connects to the device via http on port 80, the device
redirects the user to the same device on port 443 (https). There the
user logs in and gets a session id cookie. However, this cookie does
not contain the secure option as specified in RFC 2109. When the user
goes back to http for any reason, an attacker can sniff the session
id. Using this session ID it is possible to download the Windows/Java