<object id="GetActiveX"
classid="clsid:CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7"
codebase="http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab#Version=1,5,2,35"
type="application/x-oleobject" width="1" height="1">
<param name="Service-URL"
value="http://get.adobe.com/reader/webservices/dlm/" />
<param name="itemid" value="860;941" />
<param name="language" value="" />
<param name="os" value="" />
</object>
#############################################################
#
# Product: Outlook Web Access for Exchange 2003
# Vendor: Microsoft (www.microsoft.com)
# CVE ID: CVE-2008-1547
# Subject: URL Redirection Vulnerability
# Risk: Medium
# Effect: Remotely exploitable
# Author: Martin Suess <martin.suess@csnc.ch>
# Date: October 15th 2008
#
- Presentation name
- A one-sentence synopsis of your topic
- A longer one to three paragraph synopsis or short outline of what
you plan on covering
- Names, email addresses and URLs of the presenter(s)
- A short (single-paragraph) biography of the presenter(s)
Once everything is ready to go, please email your submission to cfp
[at] layerone [dot] info no later than March 15, 2008. You will
receive notice no later than April 1, 2008 to let you know if your
2) Browser Internals
---------------------
The Android browser's main activity, as defined in its manifest file, is
BrowserActivity. This is defined with the singleTask launch mode. The input
Intent for the activity may hold a URL, which is opened and then rendered by
the browser.
* The activity's onCreate member function tries to restore the
browser's previous state. If it fails to do so, it creates a new tab with the
input Intent's URL (if there is one), or else with the defined homepage.
* The activity's onNewIntent member function has the following characteristic:
Flaw Discovered By TsukasaGenesis && Ajax
Sploit Coded By Ajax Site: http://www.r57shell.in
*/
if($argc<9){
print "---KwsPHP All Version / Remote Code Execution---\n\n";
print "usage: kwsphpsploit.php -url <url> -login <login> -pass <pass> -email <email> -file <file> [-id <id>]\n\n";
print "Url url of KwsPHP script : Ex : www.example.com/kwsphp/\n";
print "Login your account's login ( need to be allow to upload )\n";
print "Pass account's password\n";
print "Email account's email\n";
print "File PHP script upload and execute\n";
CrySyS Lab Security Advisory - secureURL.php design flaws
Affected Software: secureURL 2.0 by Nguyen Quoc Bao
URL e.g.
http://www.phpclasses.org/package/2556-PHP-Encrypt-the-parameters-passed-in-link-URLs.html
Product description:
secureURL encrypts URL parameters and additionally protects them with a
checksum, so that an attacker
cannot see the 'real' GET parameters of the website and disables
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
----------------------------------------------------------------------------
Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp";
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
Using hcp:// URLs is intended to be safe, as when invoked via the registered
protocol handler the command line parameter /fromhcp is passed to the help
directly execute any SQL statement.
3. VULNERABILITY DESCRIPTION
Some URLs in phpMyAdmin do not properly escape user input, which leads
to a cross-site scripting vulnerability.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').
topic "glFusion"
*/
$err[0]="[!] This script is intended to be launched from the cli!";
$err[1]="[!] You need the curl extension loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
findings, although I gave up the investigation after discovering so many
flaws in the application's architecture with respect to security.
Version Information Leakage:
By calling the URL http://target.tld/ppim/Readme.txt you can view the
version information of the installed version of pPIM.
Password Hash Disclosure:
By requesting the URL http://target.tld/ppim/password.dat the password
The Opera browser is vulnerable to stored Cross Site Scripting. A malicious attacker is able to inject arbitrary browser content through the websites visited with the Opera browser. The injected code is rendered into the Opera History Search page, which displays the URL and a short description of the visited pages.
== Bug Analysis ==
Opera.exe imports Opera.dll which handles most of the
http://www.vsecurity.com/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: WebLogic Plugin HTTP Injection via Encoded URLs
Release Date: 2010-07-13
Application: WebLogic Plugin
Versions: All known versions
Severity: High
Discovered by: Timothy D. Morgan < tmorgan (at) vsecurity {dot} com >
Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability
1. OVERVIEW
The Plesk versions from 7.0 to 8.2 are vulnerable to Open URL
Redirection when "Enable webuser@domain.com" access format, a new
feature introduced in Plesk 7.0, is enabled in user preferences.
clear text passwords inside the registry, so an attacker
can abuse this to gain certain credentials from the victim
browser. If you ask me, this is not acceptable.
This sample code extracts BIOS information and
redirects to a specified URL with this information
passed as parameters.
Through some more programming efforts, you could dump a bigger
portion of the registry.
break;
case 'savepreferences':
savepreferences ($_POST);
$display .= COM_refresh ($_CONF['site_url']
. '/usersettings.php?mode=preferences&msg=6');
break;
...
all the $_POST[] variables are passed to the savepreferences() function
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0016
Justin Schuh, Tom Cross and Peter Williams discovered a buffer
overflow in the parser for UTF-8 URLs, which may lead to the
execution of arbitrary code. (MFSA 2008-37)
CVE-2008-0304
It was discovered that a buffer overflow in MIME decoding can lead
D-Link DIR-100 long url filter evasion
scip AG Vulnerability ID 3808 (09/08/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808
I. INTRODUCTION
D-Link DIR-100 is a small and cost-effective router and firewall device
for small offices and home users. More details are available at the
official product web site (German link):
connectivity to wired networks.
Supports the 802.11b and 802.11g protocols. WEP, WPA and WPA2 are supported.
Summary:
A buffer overflow condition can be triggered by setting URL filtering
for an overly long URL, leading to possible arbitrary code execution or
denial of service. Successful authentication is required in order to
exploit the vulnerability, but attackers can leverage other
vulnerabilities for achieving unauthenticated remote exploitation.
Possibly other ZLD-based products
Affected Versions: Firmware Releases before April 25, 2011
Fixed Versions: Firmware Releases from or after April 25, 2011
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: http://www.zyxel.com/
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.
The application insufficiently verifies the incoming subscriberdata parameter in the /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open a URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
The application insufficiently verifies the incoming subject parameter in the /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To exploit the vulnerability, an attacker should trick a user with "staff" privileges into opening a URL like:
http://example.com/support/staff/index.php?_m=news&_a=managenews
__________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-100216.1
___________________________________________________________________
Name: Windows URL Handling Vulnerability
Released: 16 February 2010
Vendor Link:
http://www.microsoft.com/
RESOLUTION
HP has provided the following patches to resolve this vulnerability.
The patches are available from the following location
URL http://itrc.hp.com
HP-UX Release
Component from bundle
Patch ID
I was thinking about the problem of Cross Site Request Forgery and the current mitigation strategies used in the industry. In many of the real-world applications I have tested so far, I see the use of random tokens appended as part of the URL. If the request fails to provide a token, or provides a token with an incorrect value, the request is rejected. This prevents CSRF or any cross-domain unauthorized function execution.
Until now, it was considered infeasible for an attacker to discover your CSRF token using brute-force attacks on the server.
The reasons being:
1. It generates a lot of noise on the network and is slow, so most probably an IDS or web application firewall will pick up the malicious behavior and block your IP. For example, a Base16 CSRF token of length 5 characters (starting with a character) will generate approximately 393,216 requests.
2. Many applications are programmed to invalidate your session after they detect more than a certain number of requests with invalid token values, e.g. 30.
I am going to change this belief by showing you a technique to quickly find CSRF tokens without generating alerts. This technique is a client-side attack, so there is almost no network traffic generated and hence your server and IDS/web application firewalls won't notice it at all. This attack is based on the popular CSS History Hack found by Jeremiah Grossman 3 years ago.
(BENCHMARK() cannot be used because commas are filtered by COM_applyFilter() function)
*/
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
credit goes to rgod, bug found more than a year ago
working against PHP >= 5.0
google dorks: "By Geeklog" "Created this page in" +seconds +powered
"By Geeklog" "Created this page in" +seconds +powered inurl:public_html
vulnerability, see /public_html/webservices/atom/index.php near lines 34-53:
...
require_once '../../lib-common.php';
---------------
|Multiple XSS |
---------------
a. Vulnerable URL: http://localhost/phpmychat/chat/deluser.php3
Parameter = LIMIT
POC =http://localhost/phpmychat/chat/config/start_page.css.php3?Charset=iso-8859-1&medium=10&FontName= >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Successfull%26%23x20;XSS%26%23x20;Test%26%23x20;Here%26quot;)>
b. Vulnerable URL: http://www.localhost/mychat/chat/deluser.php3
TZ> Sorry, Untrusted code from the internet ?
TZ> The user clicks on a mailto link, is that untrusted code?
TZ> Or the mailto link is clicked for him.
What a URL is is defined by RFC 1738; what mailto: is is defined by RFC
2368. The string in question is definitely _not_ a URL because of %xx and ".
A double quote is a URL delimiter and is not part of a URL; in this case the
application incorrectly parses and highlights the URL (it should stop before
"). %xx is invalid character encoding. And altogether it is, for sure,
not a mailto: URL. Passing unchecked user input to a function called