
Web sites

Multiple vulnerabilities in SiT! Support Incident Tracker

The following PoC code is available:

http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+

3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E


CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of users' machines running vulnerable versions of IE.

Exploitation of the vulnerability relies solely on the ability of a
would-be attacker to serve malicious HTML content from a website and
to predict the full pathname of the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using a URI specified in UNC form and force the local content to
be rendered as an HTML document, which will permit to run scripting

Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities

transferring data across domains, allowing them to interact with each other.

The Anti-XSS filter has been found to have some security holes in the
current implementation. Microsoft decided to filter "Type 1 XSS", which is
free text sent to the server and reflected back to the user, thereby
injecting HTML code into the website's page. They chose not to handle
certain situations such as injection into a JavaScript tag space, which
would be extremely difficult to filter. The software giant also chose not
to filter injection into HTTP headers, which will drive hackers to focus on
discovering CRLF vulnerabilities.


Re: Latest round of web hacking incidents for 2007 & Project news

>     * Country: USA
>     * Outcome: Identity Theft
>     * Vertical: Government
>
> The Secret Service has arrested at least 6 people in an investigation that
> involves information theft at an Ohio court web site, which is actively used
> for identity theft. At least one known identity theft case resulted in
> $40,000 loss to the victim.
>
>
> WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection

Latest round of web hacking incidents for 2007 & Project news

    * Country: USA
    * Outcome: Identity Theft
    * Vertical: Government

The Secret Service has arrested at least 6 people in an investigation that
involves information theft at an Ohio court web site, which is actively used
for identity theft. At least one known identity theft case resulted in
$40,000 loss to the victim.


WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection

Hijacking Safari 4 Top Sites with Phish Bombs

released on 11 June 2007 and currently supports both Windows XP and Windows
Vista. The current stable release of the browser is 4.0.3 for Mac OS X and
Windows. (Source - Wikipedia).

Safari 4 introduced the Top Sites feature to provide an at-a-glance view of
a user's favorite websites. It is the most hyped feature of Safari 4 and
widely used by users to quickly jump to their frequently used sites which
can include their banks, email accounts, shopping sites, etc.

IV. DESCRIPTION
-------------------------

MS OWA 2003 Redirection Vulnerability

Introduction:
-------------
The vulnerability found targets the Outlook Web Access application
for Microsoft Exchange 2003. A valid user can be redirected to a
malicious website when clicking on a specially crafted URL, which can
be sent to the user by email. If the user is logged in,
he is redirected instantly; if he is not logged in yet, the login page
will be displayed and he will be redirected after successful login.
This vulnerability can be used to redirect the user to a phishing
website which shows the (faked) login screen and getting the users

Cisco Security Advisory: XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page

===========

There are no workarounds for these vulnerabilities.

Cross-site scripting, also known as XSS, is a flaw within web
applications that enables malicious users, vulnerable websites, or
owners of malicious websites to send malicious code to the browsers
of unsuspecting users. The malicious code is usually in the form of a
script embedded in the URL of a link or the code may be stored on the
vulnerable server or malicious website. The browser will execute the
malicious script because the web content is assumed to be from a trusted

[USN-667-1] Firefox and xulrunner vulnerabilities

downloading a crafted .url file and a crafted HTML file, an attacker
could steal information from the user's cache. (CVE-2008-4582)

Georgi Guninski, Michal Zalewski and Chris Evans discovered that the
same-origin check in Firefox could be bypassed. If a user were tricked
into opening a malicious website, an attacker could obtain private
information from data stored in images, or discover information
about software on the user's computer. This issue only affects Firefox 2.
(CVE-2008-5012)

It was discovered that Firefox did not properly check if the Flash

After 6 months - fix available for Microsoft DNS cache poisoning attack

implementations of DNS (with Microsoft's implementation being
more easily predictable than those of BIND).

Using this attack an attacker can remotely poison the cache of
any Windows DNS server (when run in caching mode) and force users
who use this DNS server to reach fraudulent websites each time
they try to access real websites.

Windows DNS Server (part of Windows 2003 Server and Windows 2000
Server) is a popular DNS server (especially in Microsoft-based
sites).

Vtiger CRM 5.0.4 Multiple Vulnerabilities

Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco
"ascii" Ongaro are credited with the discovery of this vulnerability.

Giovanni "evilaliv3" Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

Antonio "s4tan" Parata
web site: http://www.ush.it/
mail: s4tan AT ush DOT it

Calcium web calendar: Reflected XSS

Proof of concept, version 4.0.4:
https://[yourserver]/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=XSS_%3Cbody%20onload=alert(document.cookie)%3E_here

Impact:
Attacker could impersonate victim to do any activity the victim is authorized to do through a compromised web site, for example, initiate funds transfers or access private data. Under some circumstances the existence of this vulnerability in one web site could be used to attack other web sites in the same DNS domain. For example, if host "a.example.com" shares cookies with host "b.example.com" and "b" is vulnerable, "b" can be used to attack "a".

Versions tested:
Calcium 4.0.4  Vulnerable
Calcium 3.10   Vulnerable


Mambo 4.6.2 CMS - Session fixation Issue in backend Administration interface

Insecure web application programming or configuration


Technical Description
=====================
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity. 

In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts. 

Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies. 


Joomla 1.0.12 CMS - Session fixation Issue in backend Administration interface

Insecure web application programming or configuration


Technical Description
=====================
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity. 

In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts. 

Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies. 


Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

Overview:

  Quote from http://www.piwik.org
  "Piwik is a downloadable, open source (GPL licensed) web analytics
   software program. It provides you with detailed real time reports
   on your website visitors: the search engines and keywords they
   used, the language they speak, your popular pages… and so much more.

   Piwik aims to be an open source alternative to Google Analytics."

  Piwik recently became sourceforge project of the month and won the

HTTPBruteForcer released

Due to the high number of requests, I have decided to release a fully
usable version of HTTPBruteForcer, the free and easy to use web-based
login forms' bruteforcer for Windows.
HTTP BruteForcer is a tool designed for webmasters, programmers and
website administrators, or pentesters, to perform a password strength
check against a simple web login form.

The old demo version was limited to a limited built-in wordlist.
The new public version lets you use a custom wordlist. (
https://www.securinfos.info/wordlists-dictionnaires.php or default

BIND 8 EOL and BIND 8 DNS Cache Poisoning (Amit Klein, Trusteer)

Note: this is a different attack from BIND 9 DNS cache poisoning.

I discovered a new weakness in the BIND 8 DNS server which enables "DNS
Forgery Pharming". An attacker can remotely poison the cache of any
BIND 8 caching DNS server and force users who use this DNS server to
reach fraudulent websites each time they try to access real websites.
BIND 8 is still a very popular DNS server nowadays, so this attack
applies to a big part of Internet users.

The concept of DNS cache poisoning was discussed many times before.
However, this attack was considered impractical for the leading

HTB23005: Multiple XSS in N-13 News

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in N-13 News, which can be exploited to perform cross-site scripting attacks.

1) Input passed via the "id" GET parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/index.php?id=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E


Multiple vulnerabilities in Open-Realty

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Open-Realty, which can be exploited to perform cross-site scripting and SQL Injection attacks.

1) Input passed via the "name", "email", "friend_email", "subject" and "message" POST parameters to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:


<form action="http://[host]/index.php?action=contact_friend&popup=yes&listing_id=1" method="post">

CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

* Local Intranet Zone: for content located on an organization's
intranet. Because the servers and information are within an
organization's firewall, it is reasonable to assign a higher level of
trust to content on the intranet.

* Trusted Sites Zone: for content located on Web sites that are
considered more reputable or trustworthy than other sites on the
Internet. Assigning a higher level of trust to these sites minimizes the
number of related authentication requests. The user adds the URLs of
trusted Web sites to this zone.


CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability

*Vulnerability Description*

Wonderware is a supplier of industrial automation and information software
solutions. According to the company's website [1]: "one third of the
world's plants run Wonderware software solutions. Having sold more than
500,000 software licenses in over 100,000 plants worldwide, Wonderware
has customers in virtually every global industry - including Oil & Gas,
Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals,
Automotive and more".

Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

enough arguments why it's a dangerous vulnerability and why Mozilla and
Michal are not right and so it's better to fix it. Read my message at
Bugtraq, maybe it'll change your mind on this issue ;-).

> The best way to defend against any Cross Site Scripting attacks is to
> sanitize all inputs and outputs properly on your website

XSS vulnerabilities must be fixed, and when they are made at web sites, then
they must be fixed at web sites. But in this case browser developers made
XSS holes (JavaScript execution) in redirectors, so they just from
Redirector vulnerability (which can be used for redirection to malicious

Cisco Security Advisory: Cisco Wireless Control System Conversion Utility Adds Default Password

workaround is available, a software upgrade is not required to address this
vulnerability. However, if you have a service contract, and would like to
upgrade to unaffected code, you may obtain upgraded software through your
regular update channels when that software is available. For most customers,
this means that upgrades should be obtained through the Software Center on
Cisco's worldwide web site at http://www.cisco.com.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular

Yoono Firefox Extension - Privileged Code Injection

|Description|
+-----------+

The Yoono Firefox extension provides an interface for 
users to share objects with their friends on social 
networks from any website. It allows users to select 
images from a website to be shared, which publishes 
that image to their friends.

Security-Assessment.com discovered that Yoono's share 
function is vulnerable to DOM event handler injection.

[USN-853-1] Firefox and Xulrunner vulnerabilities

Details follow:

Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)

Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite

[USN-853-2] Firefox and Xulrunner regression

Original advisory details:

 Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
 converted strings to floating point numbers. If a user were tricked into
 viewing a malicious website, a remote attacker could cause a denial of service
 or possibly execute arbitrary code with the privileges of the user invoking the
 program. (CVE-2009-1563)
 
 Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
 symlink attacks. A local attacker could exploit this to create or overwrite


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
