allows it to be evaded.
URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters. The relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
. Foxit Reader 3.0 build 1506
6. *Vendor Information, Solutions and Workarounds*
The latest version 3.0 build 1506 of Foxit Reader has been released.
Please download the latest version from
http://www.foxitsoftware.com/downloads/ and visit the Foxit security
page for details at http://www.foxitsoftware.com/pdf/reader/security.htm.
Debasis Mohanty wrote:
> No offence intended, but if you take a little more effort in validating your
> work before posting publicly then you can save yourself from embarrassment.
>
> I don't see anything in the script that can bypass zone security and run
> successfully from the internet zone. I am sure you have tested it locally and
> drawn the conclusion that the script can execute from the internet zone. To test the
> script from the internet zone, you need to upload it to a webserver and try
> accessing it via a browser.
>
> Any VB/Java script will run from local security with a charm but if you can
Fixed Versions: Firmware Releases from or after April 25, 2011
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: http://www.zyxel.com/
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
...
> $ time ~/john/john-1.7.9-jumbo-5/run/unique -v -mem=25 1gu < 1g
> Total lines read 1000000000 Unique lines written 697066573
Here's some further analysis of the 1 billion sample used as a training
set along with a separate 1 million sample used as a test set:
Applying the 697 million unique passwords (from the 1 billion sample
above) as a wordlist (6 GB file size) to crack another 1 million of
pwgen'ed passwords cracks 418168 of them (41.8%). For a uniform
distribution (which is not the case), this would correspond to total
As we can see, the previously constructed file path is used as the argument for
the PHP function "require_once()". Sanitization against "../" works well in
most cases, but when the underlying operating system is Windows, an attacker
can use backslashes and bypass such filtering with "..\".
Test (on Windows platform):
http://localhost/opencart1521/index.php?route=..\..\admin\index
Result:
to bypass this checkpoint and provides the "location.search" as in the previous
vulnerable versions.
The version 2.1.11 is patched against this vulnerability.
The server-side validation introduced in the second generation appears to be a black-list
based filter. All HTML tags tested were blocked by the filter. However, the '<BGSOUND>' tag
has not been included in the black-list and it bypasses the server-side validation.
As reported by RSnake in his XSS Cheat Sheet, the '<BGSOUND>' tag is a valid attack vector in
certain versions of Opera.
The latest version (2.1.12) has not yet been tested for this vector. Since only Opera
wp-admin/includes/file.php:
---[cut]---
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
---[cut]---
// All tests are on by default. Most can be turned off by $override[{test_name}] = false;
$test_form = true;
$test_size = true;
// If you override this, you must provide $ext and $type!!!!
$test_type = true;
Hey Jon,
I am sorry about the space after the "~", That was a typo.
It's been tested on all the versions prior to MR4MP1 since the
RTM (11.0.776).
But what's interesting is that the process isn't crashing; rather, there's a possible
arbitrary execution of code.
Core Security Technologies - CoreLabs
Advisory
http://www.coresecurity.com/corelabs/
Multiple XSS and Injection Vulnerabilities in TestLink Test Management
and Execution System
1. *Advisory Information*
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Date 20090725
I) Introduction
II) PHP arbitrary Local File Inclusion testing
III) PHP arbitrary Local File Inclusion results
IV) PHP arbitrary File Open testing
V) PHP arbitrary File Open results
VI) PHP arbitrary Remote File Upload testing
VII) PHP arbitrary Remote File Upload results
Remote attackers could exploit this issue without having valid credentials on the target machine. In order to achieve a successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as endpoint. Those interfaces that allow NULL Sessions vary between Windows versions, in Vista the reliability of a preauth attack through the “\LSARPC” has been successfully demonstrated.
Affected versions
Theoretically verified on: Windows 2000, XP, Server 2003, Vista, Server 2008.
Successfully exploited on: Microsoft Windows Vista SP1 with latest security updates.
Analysis
A condition exists in srv.sys and npfs.sys wherein a specially crafted WRITE_ANDX SMB (http://msdn.microsoft.com/en-us/library/aa302278.aspx) packet may cause a kernel Denial of Service.
.text:1000E330
.text:1000E330 push esi
.text:1000E331 mov esi, [esp+4+arg_0]
.text:1000E335 mov ecx, [esi+84h]
.text:1000E33B xor eax, eax
.text:1000E33D test ecx, ecx
.text:1000E33F jz short loc_1000E393
.text:1000E341 mov eax, [esp+4+arg_8]
.text:1000E345 mov edx, [esp+4+arg_4]
.text:1000E349 push eax
.text:1000E34A push edx
1. Summary
Product : Vim -- Vi IMproved, Netrw
Version : Tested with Vim 7.2b, Netrw 127
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v5.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Lack of sanitization throughout Netrw can lead to arbitrary code execution upon
*Vulnerable Packages*
. Systems using WonderWare SuiteLink prior to version 2.0 Patch 01.
. The vulnerability was discovered and tested on a system running
WonderWare InTouch 8.0.
*Non-vulnerable Packages*
most web browsers today, or if the end user agrees to activate an
ActiveX or Java Applet from the webpage hosting the exploit.
Workarounds to avoid this vulnerability include:
a. Using the default security settings or higher on the latest version
of your chosen web browser. In line with general security best practice
we would also encourage end users not to download ActiveX or Java
Applets unless confident about their content.
b. Turning off the Runtime Behavioural Analysis functionality within
ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.
URL: http://www.binaryplanting.com/test.htm
Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out there you certainly are
63AF5CBE |. 03F8 |ADD EDI,EAX
63AF5CC0 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5CC3 |. 66:0FB607 |MOVZX AX,BYTE PTR DS:[EDI]
63AF5CC7 |. 0FB7C8 |MOVZX ECX,AX
63AF5CCA |. 83C4 0C |ADD ESP,0C
63AF5CCD |. 84C9 |TEST CL,CL
63AF5CCF |. 79 0D |JNS SHORT rvrender.63AF5CDE
63AF5CD1 |. 83E1 7F |AND ECX,7F
63AF5CD4 |. 894D F4 |MOV DWORD PTR SS:[EBP-C],ECX
63AF5CD7 |. B8 01000000 |MOV EAX,1
63AF5CDC |. EB 1E |JMP SHORT rvrender.63AF5CFC
function argument
0x80bacb9: mov esi,DWORD PTR [ebp+0xc] ; same for esi
0x80bacbc: mov edi,DWORD PTR [ebp+0x10]
0x80bacbf: mov ecx,DWORD PTR [edx+0x8]
0x80bacc2: test ecx,ecx
0x80bacc4: je 0x80bad00
0x80bacc6: cmp DWORD PTR [edx+0x1c],edi
0x80bacc9: jle 0x80bad00
0x80baccb: mov ecx,DWORD PTR [edx+0x18]
0x80bacce: mov eax,DWORD PTR [edx+0x10]
Apache Struts 2 and OpenSymphony WebWork frameworks are vulnerable to similar attacks.
1. Using <s:submit> tag with Dynamic Method Invocation (DMI) enabled.
a. Test case for Struts 2.2.1 with XWork 2.2.1
http://test.app.net/home.action?user=&password=&action!login:cantLogin_1=some_value
XWork generated error:
We can see that the user-submitted parameter 'folder' is used in the argument
for the PHP function "move_uploaded_file()". There is no input data validation,
therefore an attacker can use directory traversal to upload files with any
extension to an arbitrary directory on the remote system.
Test:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/uploadify-v2.1.4/uploadify.php"
method="post" enctype="multipart/form-data">
<input type="file" name="Filedata">
Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCAs/WebApps Scanners (every body uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).
Hope many will contribute to this project!
Jetty is used in a wide variety of projects and products: embedded in
phones, in tools like the Eclipse IDE, in frameworks like GWT, in
application servers like Apache Geronimo and in huge clusters like
Yahoo's Hadoop cluster.
The latest version at the time of writing can be obtained from:
http://dist.codehaus.org/jetty/jetty-7.0.0/jetty-hightide-7.0.0.v20091005.tar.gz
Running Jetty 7.0.x is very easy, from the documentation page at:
http://docs.codehaus.org/display/JETTY/Running+Jetty-7.0.x
Hi Sandeep,
Are you saying this is supposed to affect 11.0.4000.x? If so, what
sub-sub-minor versions did you test it on?
I just tested this on 11.0.4000.2295 (on a managed client) and all it
did was crash the smc.exe process started by the command you supplied,
not smcgui.exe process. I tested as an administrator and an unprivileged
user and got the same results - smc.exe crashes, but not the smcgui.exe
process.
. Google SketchUp 7.6859 (MAC OS X)
6. *Vendor Information, Solutions and Workarounds*
Users can download the latest version of Google SketchUp from
http://sketchup.google.com
7. *Credits*
Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr
(recType 0xF003) containers that allows an attacker to cause a class
pointer to be interpreted incorrectly, leading to code execution in the
context of the currently logged on user.
The precise affected executable version we tested is 'Excel.exe
v10.0.6854' and the DLL is 'mso.dll v10.0.6845'.
Likely attack vectors include:
. Targeted attacks involving e-mailed malicious files combined with
Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View
During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to Cross Site Scripting attacks in its email view.
This enables attackers to send emails with embedded JavaScript code,
for example, to steal users' session IDs.
Details
=======
On Wed, Oct 28, 2009 at 10:30:37PM +0100, Pavel Machek wrote:
> On Tue 2009-10-27 11:49:32, CaT wrote:
> > On Tue, Oct 27, 2009 at 12:29:09AM +0300, Dan Yefimov wrote:
> > > and testing them. Remember the scenario from the original mail and try
> > > finding a window, during which creating a hardlink would still work thus
> > > evading directory permissions check.
> >
> > The main thing this does is allow a hardlink-like attack to work across
> > mountpoints afaics.
>
Advisory: Geo++(R) GNCASTER: Faulty implementation of HTTP Digest
Authentication
During a penetration test, RedTeam Pentesting discovered that the
GNCaster software has multiple bugs in its implementation of HTTP Digest
Authentication.
Details
=======