HTTPS
Summary
=======
Two crafted packet vulnerabilities exist in the Cisco Firewall
Services Module (FWSM) that may result in a reload of the FWSM. These
vulnerabilities can be triggered during the processing of HTTPS
requests, or during the processing of Media Gateway Control Protocol
(MGCP) packets.
A third vulnerability may cause access control list (ACL) entries to not
be evaluated after the access list has been manipulated.
vulnerability may allow a Man-in-the-Middle (MITM) attacker to inject
arbitrary data into the beginning of the application protocol stream
protected by TLS.
The only ArubaOS component that seems affected by this issue is the
HTTPS WebUI administration interface. If a client browser (victim) is
configured to authenticate to the WebUI over HTTPS using a client
certificate, an attacker can potentially use the victim's credentials
temporarily to execute arbitrary HTTP requests for each initiation of an
HTTPS session from the victim to the WebUI. This would happen without
any HTTPS/TLS warnings to the victim. This condition can essentially be
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
* Secure Socket Layer Virtual Private Network (SSL VPN)
* When the affected device is configured to accept Cisco Adaptive
Security Device Manager (ASDM) connections
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access when using HTTPS
SSL VPN (or WebVPN) is enabled with the "enable <interface name>"
command in "webvpn" configuration mode. SSL VPN is disabled by default.
The following configuration snippet provides an example of an SSL VPN
configuration.
The PIX and ASA security appliances are also affected by a crafted TLS
packet vulnerability that affects devices running certain 7.x software
versions if the software has one or more features configured that cause
TLS sessions to terminate on the PIX or ASA security appliance. These
functions include, but are not limited to, clientless WebVPN, HTTPS
management, cut-through proxy for network access, and TLS proxy for
encrypted voice inspection. Version 6.3.x is not affected. Features that
cause TLS sessions to terminate on the PIX and ASA security appliances
are not enabled by default. For specific affected versions, please refer
to the "Software Versions and Fixes" section.
RESOLUTION
The vulnerability can be resolved by the following procedure:
Disable the array's HTTP and HTTPS network management services (Note: This will also disable all management access from a Web browser. Array management access may be maintained via Command Line Interface [CLI].) Use the instructions outlined in the Workaround section below to disable the HTTP and HTTPS network management services.
Install TS230P008 firmware as soon as possible. If the HTTP and HTTPS network management services have been previously disabled, the services may be re-enabled as the issue is fully resolved in TS230P008 firmware.
TS230P008 firmware installation and workaround instructions:
Crafted TLS Packet Vulnerability
+-------------------------------
Cisco ASA and Cisco PIX devices are affected by a crafted TLS request
vulnerability if the HTTPS server on the Cisco ASA or Cisco PIX
device is enabled and is running software versions prior to 8.0(3)9
on the 8.0.x release or prior to version 8.1(1)1 on the 8.1.x
release. Cisco ASA and Cisco PIX appliances running software versions
7.x are not vulnerable.
authenticity_token=c8b5abaf53f223e827d9258ddfef4285a816db5f&
oauth_token=I4FK956n1foaHjayLKXJT2IaBpsmoo0amKyPhebc&
session%5Busername_or_email%5D=USERNAME&session%5Bpassword%5D=PASSWORD
This authentication exchange should be protected by HTTPS, forcing the credentials to be sent over an encrypted channel.
The second vulnerability resides in the way HTC Peep works. Once the Twitter session has been established, all the HTTP requests from the mobile device to the Twitter service include an HTTP Basic authentication header that contains the Twitter username and password (although the app is supposed to be using OAuth). Examples of standard Twitter resources retrieved through HTTP GET requests: "/direct_messages.json?count=50&page=1", "/favorites.json?page=2", "/statuses/friends_timeline.json?count=50&page=1", or "/statuses/mentions.json?count=50&page=1".
GET /statuses/friends_timeline.json?count=50&page=1 HTTP/1.1
Accept: text/xml, application/xml;q=0.9, */*;q=0
services-config.xml file, located within the
Flex/WEB-INF folder of the application.
By default, the HTTPChannel classes are mapped to
the following endpoints:
1. http://{server.name}:{server.port}/{context.root}/messagebroker/http
2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure
Note that the HTTPChannel may be mapped to different
endpoints.
This depends on the deployed application and the
leveraging the vulnerability in other ways that certainly increase
the effectiveness and impact of this vulnerability.
A brief warning to those who think they are safe because they
don't accept client-side renegotiations (server + openssl). I
came across major websites where the SSL loadbalancer in front of the HTTPS
servers was vulnerable. Although the servers were patched it still was
possible to perform the attacks (the loadbalancer merged both
sessions and handed them as one to the webserver).
Updates:
WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely
exploited without authentication to cause a denial of service
condition. Both vulnerabilities affect both Cisco IOS WebVPN and
Cisco IOS SSLVPN features:
1. Crafted HTTPS packet will crash device.
2. SSLVPN sessions cause a memory leak in the device.
Cisco has released free software updates that address these
vulnerabilities.
> Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The
> script is run when the package is installed, and anytime su executes the
> script.
>
> reseed(8) performs an unsecured HTTP request to random.org for its
> bits, despite random.org offering HTTPS services.
This resulted in a couple of discussions elsewhere, but as weird as the
idea of retrieving a seed from the Internet is (over HTTPS or not),
this particular use is probably (unintentionally) harmless.
for the untrusted content, so that "same origin" policies
act as a sort of firewall. You propose different hostnames;
back in 2001, the acmemail webmail project did something
similar, but rather than hostnames, we chose to offer the
option of using different port numbers. Many of us ran
acmemail on https URLs, and that meant either using wildcard
certs for https (which would expose other hosts to any
flaws in acmemail) or different ports. You can see the source here:
http://acmemail.cvs.sourceforge.net/viewvc/acmemail/acmemail/AcmemailConf.pm?view=log
contains temporary authentication data so that it can connect to the
kvm switch without asking the user for username/password again.
CVE-2009-1477: Same SSL Key for all devices
All tested devices (KH1516i, KN9116 and PN9108) use the same SSL key
for the https web interface. If an attacker manages to extract the
private key from one single device, (s)he can decrypt the https
traffic of all other affected devices. This includes the username and
password used to authenticate to the kvm switch. If the attacker is
able to carry out a man in the middle attack, (s)he can also
compromise client systems by exchanging the windows or java client
Cisco Security Response: Cisco IOS Cross-Site Scripting
Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
CVE-2011-1406
It has been pointed out to us that if Mahara is configured (through its
wwwroot variable) to use HTTPS, it will happily let users log in via the HTTP
version of the site if the web server is configured to serve content over
both protocols. The new version of Mahara will, when the wwwroot points to an
HTTPS URL, automatically redirect to HTTPS if it detects that it is being
run over HTTP.
Devices running Cisco IOS and using SSL-based services are
susceptible to this vulnerability. Some of the services that utilize
SSL are:
* HTTP server supporting SSL encryption (HTTPS)
The following example shows a device that has the standard Cisco
IOS HTTP server disabled, but the SSL-enabled Cisco IOS HTTP
server enabled:
Router#show running-config | include ip http
Vulnerabilities in this category enable unauthorized users to read
and modify device configuration. A malicious user must authenticate
as an existing user but does not need to have administrator
privileges or know administrator credentials to modify device
configuration. Both vulnerabilities can be exploited over either
transport protocol (HTTP or HTTPS).
Additionally, the vulnerability described by Cisco Bug ID CSCtb83618
(registered customers only) can be used to reload the vulnerable
device. Repeated exploitation of this vulnerability can lead to a
prolonged denial of service (DoS) condition.
I have noticed several media articles recommending that users use
https to protect their gmail sessions from Robert Graham's
"Sidejacking" attackers.
It turns out that independent of Mr. Graham's work, I have also been
investigating these types of attacks as they pertained to users'
safety while they use the Tor network.
As I presented in my Black Hat and DefCon talks on Securing the Tor
Network, it turns out that using https for accessing mail.google.com
attacker to execute arbitrary code on the server. Any code would
execute with system administrative privileges.
The vulnerability could be exploited over TCP port 443 or 1741.
Note: The default HTTP and HTTPS ports can be reconfigured on the
server.
The vulnerability affects both CiscoWorks Common Services for Oracle
Solaris and Microsoft Windows.
FWSM(config)#show mode
Security context mode: multiple
The flash mode is the SAME as the running mode.
The following commands are used to enable the HTTPS server and allow
only hosts on the inside interface with an address in the 192.168.1.0
/24 network to create ASDM, SSH or Telnet connections:
asa(config)# http server enable
asa(config)# http 192.168.1.0 255.255.255.0 inside
An unauthenticated attacker may be able to exploit this issue to access
sensitive information that could be leveraged to launch subsequent
attacks.
This vulnerability can be exploited over all open HTTP ports; TCP ports
80 (Default HTTP port), 443 (Default HTTPS port) and 8090 (Alternate
HTTP and HTTPS port), as well as those that are configured as part of
the HTTP proxy.
In Cisco content delivery system software 2.5.3 and earlier, it is
possible to configure "Enable Incoming Proxy", which when enabled,
1. Local File Include vulnerability found in script /module.php
Vulnerable GET parameter "link".
First discovered by Zero_X [http://secunia.com/advisories/10604/].
The vendor fixed the vulnerability in version 2.0.3 by adding verification for this parameter.
However, an attacker can still include local files.
Code [line 32-42, 141-145]
--------------------------
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Chris Clark discovered that Ruby's HTTPS module did not check for
commonName mismatches early enough during SSL negotiation. If a remote
attacker were able to perform man-in-the-middle attacks, this flaw could
be exploited to view sensitive information in HTTPS requests coming from
Ruby applications. (CVE-2007-5162)
AAA server group that is configured to use the NTLMv1 authentication
protocol is affected. Affected services include:
* Telnet access to the security appliance
* SSH access to the security appliance
* HTTPS access to the security appliance (including Cisco ASDM
access)
* Serial console access
* Privileged (enable) mode access
* Cut-through proxy for network access
* VPN access
[0] Vulnerability Tracing ( Tracing [BREAK 0] ~ [BREAK 6] )
~/xoops-1.3.10/html/class/snoopy.class.php
--------------------------------------------------------------------------------------------------------------------
function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
{
..
/* [BREAK 5]: $URI (sourceURL in the vulnerable module) is our injected parameter from the fetch() call below */
$URI_PARTS = parse_url($URI);
... someone thought this was a good idea.
[an entropy pool remotely biased by MitM attacker, maybe?]
> reseed(8) performs an unsecured HTTP request to random.org for its
> bits, despite random.org offering HTTPS services.
https doesn't help if your host entropy pool is poorly seeded.
[SSL/TLS needs entropy for authenticity/privacy.]
CVE: CVE-2007-4850
SecurityRisk: Medium
Affected Software: PHP 5.2.4 and 5.2.5
Advisory URL:
http://securityreason.com/achievement_securityalert/51
Vendor: http://www.php.net
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
hi
is a very curious vulnerability...
I think I found a variant of this vulnerability, if using another protocol (e.g. https://).
I am sure that it is a variant because providing other protocols (e.g. http://) does not work, nor are the exceptions that are generated equal on failure.
------------------ POC ---------------------