Re: Vulnerabilities in Sebo - webstore

Yes, still the same. Same holes in a different web application. As it is clearly
stated in my advisory.

With these vulnerabilities in one script which is used (the script itself or
its code) in multiple webapps, which makes them vulnerable, I used the same
approach as with the vulnerabilities in WP-Cumulus. And I already reported to
security mailing lists about the vulnerabilities in WP-Cumulus and in other web
applications which are using tagcloud.swf at the end of 2009 and in 2010.

So why are neither you nor other readers of the list asking the question (aka
moaning) about the same vulnerabilities in these webapps - which all are

DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and
SeaMonkey 2.0.4, but not in Firefox 3.0.x.

After I recently read this advisory, I decided to check different browsers.
And as I checked on 16.05.2010, the web browsers Firefox 3.0.19 and Opera 9.52
are vulnerable to this vulnerability. And I created an exploit for conducting
a DoS attack on Firefox.

Also I found a possibility to open the email client via an iframe with a mailto:
URL, which works in the browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I
created an exploit for conducting an attack on all browsers, which I called DoS via

Re: Vulnerabilities in Dunia Soccer

script. It's the only way to draw their attention to these issues.

If you look at my advisory about vulnerabilities in CaptchaSecurityImages
(http://www.securityfocus.com/archive/1/510276/30/30/threaded), you see that
I found these holes a long time ago. I found them at one site and thought that
it was a single-site issue in a custom-made captcha. And I gave enough time to
the admin of that site to fix those holes (but he ignored my warnings about the
holes). And only on 17.09.2009, when I found the same captcha script at
another site, I understood that it's a popular captcha script and so these
holes are widespread. And after 16.03.2010, when I disclosed a new hole at that
site, then on the next day I disclosed the hole in CaptchaSecurityImages itself

Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

> "Refresh" or "Location" redirection in Firefox will not bestow a
...
> updates - do inherit that context.

I know it. And I mentioned this in my paragraph "Via data: it's
possible to bypass in Firefox ...". In this paragraph I wrote "But in
Firefox 3.0.11 and Google Chrome you can't get to cookies this way", which
is the same as what you wrote, but in a more laconic way. And in the same
paragraph I wrote "but it's possible in old Mozilla (and in those versions
of Firefox where there is relation between data: page and original page)".

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

> These vendors do not ignore security issues and do respond

As I already said, in 99% of cases they do ignore and don't respond (and sometimes
there were such cases as responded but not fixed, and such a case as not responded
and not thanked me, but fixed). So taking into account my personal
experience with finding vulnerabilities in browsers and informing vendors,
I'm not informing them about DoS vulnerabilities in their browsers from this
year (except this one case).

From more than 5 years of my work, here is the TOP of different groups of people,
based on answering and fixing of vulnerabilities which I informed them about

Standing Up Against German Laws - Project HayNeedle

This is madness for various apparent reasons. In times like these it is
necessary to stand up against it. Of course not by committing crimes but
by attacking the flawed logic behind those laws themselves.

There are many approaches to this. And I am sure (and I really hope)
that there will be many more taken. This is just one approach that came
to my mind today.

Introducing Project HayNeedle.
A tiny spider-like program written in C# that will create connection

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

>
> As I already said, in 99% of cases they do ignore and don't respond (and sometimes
> there were such cases as responded but not fixed, and such a case as not responded
> and not thanked me, but fixed). So taking into account my personal
> experience with finding vulnerabilities in browsers and informing vendors,
> I'm not informing them about DoS vulnerabilities in their browsers from this
> year (except this one case).
>

Re: Vulnerabilities in Dunia Soccer

I have a captcha on a blog site I run. I get folks able to bypass the
filter and post spam comments that get filtered and then a week later or
so get deleted off, and the CPU use on the site sucks.  But that could
also be the software I'm running.

Maybe I'm jaded, but if my understanding of the risk is right, if all
they can do is bypass my spam filters and run up my CPU cycles I'm not
sure I'd call this a vulnerability.  Bug, yes.  I guess I define
vulnerability more strictly in terms of actual damage, remote access,
harsh impact to the users of the site, loss of sensitive account
information, etc., more damage than just forcing me to buy beefier

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

> SeaMonkey 2.0.4, but not in Firefox 3.0.x.
>
> After I recently read this advisory, I decided to check different browsers.
> And as I checked on 16.05.2010, the web browsers Firefox 3.0.19 and Opera 9.52
> are vulnerable to this vulnerability. And I created an exploit for conducting
> a DoS attack on Firefox.
>
> Also I found a possibility to open the email client via an iframe with a mailto:
> URL.

WifiZoo v1.1

again, I think :).
-gathers 'useful' information from unencrypted wifi traffic (a la
Ferret, dsniff, etc.); like pop3 credentials, smtp traffic, http
cookies/authinfo, msn messages, ftp credentials, telnet network
traffic, nbt, etc.
-and I think that's it.

Requirements:
-Linux
-scapy
-wifi card :)

Dovecot mail_extra_groups setting is often used insecurely

A longer explanation:

The main problem is that if users have filesystem access to the mail
server, they can create symlinks. Dovecot doesn't try to prevent
following symlinks (and I don't think it should) and normally it isn't a
problem. But when mail_extra_groups=mail is set:

1a) Maildir: Any files readable by the mail group can be read by the user by
symlinking the file into their ~/Maildir/cur/.

Re: The security tools list, new version with more than 200 new tools!

have a proprietary tool and want to share it with everyone. For all that, I
think it is a good idea to have a site that combines the largest ones and ranks
them as best as possible so that it can help in all these cases.
        The reason for not having added the tools available in backtrack, FIRE,
Phlax, Helix, etc. is that, despite the contributions all of you are
doing (and I appreciate them greatly), almost all the tools I introduced
myself by hand. That takes time and that's why I'm going slowly,
because I do it in my spare time. But of course I will introduce
all of these tools.

Regards

Re: [Full-disclosure] pidgin OTR information leakage

>> user-level access on a host, to listen in on private conversations 
>> associated with the victim account.
> 
> Basically, you're saying that if I have the rights of a user on a 
> machine, I can access the private conversations of that user? Ooooh 
> no. Well, I can also copy his keyfiles, no? And I can alter his 
> settings. And spawn fake "Update didn't work, please enter root 
> password to proceed" windows. I could alter his ~/.bashrc so that 
> whenever he launches "sudo" or "su", a script is launched instead
> that grabs his password. So, please, what's the point?
Re: Vulnerability in CB Captcha for Joomla and Mambo

Hello Nick aka Nant and Bugtraq!

This letter of Nant's I found some time ago (and now found time to write an answer
to it), and I found it accidentally, because I'm not subscribed to the Bugtraq
mailing list. So Nant and every reader of the list must take it into
account (and send letters to my email, if they want to contact me).

And this is that example of a letter from a developer which I mentioned last
week at the list. Which clearly shows that web developers ignore the advisory
about holes in CaptchaSecurityImages.php itself, and only draw attention on

Re: Saved XSS vulnerability in Internet Explorer

Hello Hans!

First, it's not a site-specific hole, it's browser-specific. So the issue is in
the browser and it'll be working at any site. And I used a universal PoC (suitable
for most cases). For online testing and especially for attacking purposes
you can use any working web site (e.g. google.com).

http://www.google.com/webhp?--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

The idea of putting the XSS code in the parameter (i.e. after '?') is to avoid

Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

soon I'll post it to security mailing lists.

> as site's that is allowing the rogue scripts

Don't worry about how bad guys will be placing JS code or a page with
iframes at a web site for this attack - it'll be their own problem. And if
they want, they will do it. And after they have placed the attacking code (JS or
HTML) on the target site, then it'll already be a problem of the users of this
site (who will not be able to work with it) and of the admin of the site (who, in
addition to problems with working with the site, also will be left without
visitors on his site). There are always vulnerabilities on different sites which can be used

Failed assertion in the Unreal engine

  with a hex editor is available here:

    http://aluigi.org/patches/unrealoadfix.txt

- there is a "strange" way that has avoided the termination of the
  server (and I report it here only for thoroughness) through the
  enabling of the map voting (like [xVoting.xVotingHandler] and
  bMapVote=True in the INI of UT2003 and UT2004)


Re: /proc filesystem allows bypassing directory permissions on Linux

I think this discussion would never have existed if they had used another name for
the 'fd' placeholder in /proc... Because then you wouldn't have linked the
/proc fd to the fd being used within the actual process space.

And I think you would agree about your mis-interpretation earlier if not so
many people had the same mis-interpretation of the virtual /proc mechanism
(I hope you don't get me wrong; I'm not taking this personally or being
rude to you,

Re: Sony: The Return Of The Rootkit

There are many other options outside of the Sony key without the rootkit
problem. One of the best devices that I have read about is from stealth.
While I have yet to personally evaluate this product, as I understand it
there is no software outside of the standard USB driver needed to recognize
and use a standard USB key, outside of the initial device programming or a
lockout state.

http://www.gcn.com/print/26_14/44484-1.html

Re: /proc filesystem allows bypassing directory permissions on Linux

Well, that does not mean /proc does not need fixing.

>    You are expecting transactional behavior in /proc, where /proc only
>    registers object information.
...
>    And I think you would agree about your mis-interpretation earlier
>    if not so many people had the same mis-interpretation of the virtual /proc
>    mechanism

I think you understand the issue by now. But you think it should be

Vulnerabilities in CCMS

In this advisory I continue to inform readers of mailing lists about
vulnerable web applications which are using CaptchaSecurityImages.php. If
you read Bugtraq you could see the letter, from which it's clearly seen that
web developers ignore the advisory about holes in CaptchaSecurityImages.php
itself, and only draw attention on advisories about their specific web
applications. And I answered this letter
(http://www.securityfocus.com/archive/1/511023). So, as I already wrote to
the list, it's the only way to draw the attention of web developers to these issues.

-----------------------------
Advisory: Vulnerabilities in CCMS

Vulnerabilities in Cimy Counter for WordPress

20.04.2010 - found vulnerabilities.
28.04.2010 - announced at my site.
29.04.2010 - informed developer.
06.05.2010 - developer released Cimy Counter 0.9.5. In version 0.9.5 the
author fixed all mentioned vulnerabilities except the Redirector (aka URL
Redirector Abuse in WASC TC v2). And I gave him additional argumentation to
fix the Redirector hole also.
24.06.2010 - disclosed at my site.
-----------------------------
Details:

Re: Sony: The Return Of The Rootkit

> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding

Pizco vulnerable to buffer overflow in activex

http://www.securityfocus.com/bid/27539

The version of ImageUploader4 is 4.1.36.0

And I say that it's possible because I found a site where I downloaded it, but I didn't see where the ActiveX control is used.

Web site with the vulnerable control:
http://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab

Re: Has anyone implemented "double forward DNS"?

                disadvantages of the additional burden.  This may be of
                particular significance for "mass virtual hosting"
                systems, where many hostnames are associated with a
                single IP.

Oh, and just as you (and I) until recently thought that there should be
only one PTR for any given address, there is undoubtedly still software
out there that expects <= 1 PTR, so there's no telling what will break (though that
should not be an overriding concern if the security benefits of proper
reverse checking were large enough).

Re: Insufficient Authentication vulnerability in Acer notebooks

(during the installation process). Because if the default admin account is
enabled later (with an empty password) and one forgets to set a new password,
then it'll be much worse.

I'm not using Vista, so I can't check this issue on any of my computers. And
I want to check it by myself - is there such an issue on Vista or not. For this
I'm planning to check one notebook of my friend (with Vista). But for more
than two weeks I couldn't meet with him and take his notebook. I quickly
checked two Asus notebooks of my friends (as I wrote already to bugtraq), but
there is some delay with this Acer notebook with Vista. If in the near time I'm
not able to meet with my friend to take his notebook (because he is

[SECURITY] [DSA 2004-1] New Linux 2.6.24 packages fix several vulnerabilities

    for Intel gigabit network adapters which allow remote users to
    bypass packet filters using specially crafted Ethernet frames.
    
CVE-2010-0003

    Andi Kleen reported a defect which allows local users to gain read
    access to memory reachable by the kernel when the
    print-fatal-signals option is enabled. This option is disabled by
    default.

CVE-2010-0007

Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

To bypass protection from JavaScript code execution via the refresh header it's
needed to use a data: URI, which will contain the requisite JS code. This
method of conducting XSS attacks via the meta-refresh tag is already known -
it was in the XSS Cheat Sheet (http://ha.ckers.org/xss.html) already in 2006.
And I used it to bypass protection in Firefox and to conduct attacks
via refresh-header redirectors.

XSS:

Meta-refresh tag and refresh header attack vectors:

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

>
> As I already wrote to you and Adam earlier, every type of disclosure (including
> full disclosure and responsible full disclosure) can be good in an appropriate
> situation. And I use that type of disclosure which is suitable for every
> particular case.
>
> Taking into account that 3 of 4 vendors answered me (except Microsoft) and
> Google already had a non-affected Chrome 4, and Mozilla and Opera promised

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

Hello Susan!

As I already wrote to you and Adam earlier, every type of disclosure (including
full disclosure and responsible full disclosure) can be good in an appropriate
situation. And I use that type of disclosure which is suitable for every
particular case.

Taking into account that 3 of 4 vendors answered me (except Microsoft) and
Google already had a non-affected Chrome 4, and Mozilla and Opera promised to
fix it (we'll see when and how they do it), then you can see that my

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.