brackets
The 'Host:' header
The URL
The HTTP method
If we probe for XSS using the 'Host:' header, Apache correctly filters the angle brackets and replaces them with HTML entities:
REQUEST:
GET / HTTP/1.1
Host: <BADCHARS>
Yesterday I wrote an English version of my article The future of XSS attacks
(http://websecurity.com.ua/3878/), which you can read if you are interested in
this topic.
In the article I talked about Cross-Site Scripting attacks where it is not
possible to use any tags or angle brackets. I listed the attack vectors which
can be used in this case (automated and non-automated), and wrote about the
current situation with modern browsers: in 2008, in Firefox 3, the possibility
of attack via -moz-binding was (partly) removed, and in IE 8, released at the
beginning of 2009, support for expression() was removed.
Security issues were identified and fixed in firefox:
Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that
the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are
vulnerable to XSS attacks due to some characters being converted to
angle brackets when displayed by the rendering engine. Sites using
these character encodings would thus be potentially vulnerable to
script injection attacks if their script filtering code fails to
strip out these specific characters (CVE-2010-3770).
Google security researcher Michal Zalewski reported that when a
displaying pages from network or certificate errors. An attacker could
exploit this to spoof the location bar, such as in a phishing attack.
(CVE-2010-3774)
Yosuke Hasegawa and Masatoshi Kimura discovered that several character
encodings would have some characters converted to angle brackets. An
attacker could utilize this to perform cross-site scripting attacks.
(CVE-2010-3770)
Updated packages for Ubuntu 8.04 LTS:
of bounds.
CVE-2007-1662
A number of routines can be fooled into reading past the end of an
string looking for unmatched parentheses or brackets, resulting in a
denial of service.
CVE-2007-4766
Multiple integer overflows in the processing of escape sequences could
$ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);
could be modified into an update query by posting the following value for id:
id=union update members set password=[value] where id=1
Of course the value here should be an MD5 hash, and no brackets, so the query will be OK :)
lines[138-142]
elseif (@$_GET['show']=='thread' && $_GET['id'])
Hi kuza55,
Are you trying the payload that includes the tilde or the one without?
The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).
Please see: http://www.procheckup.com/Vulnerability_PR08-20.php
And yes, it also works on IE7. Just tried it on a live environment last
week.
<Files ~ "^\w+\.(gif|jpe?g|png|avi)$">
order deny,allow
allow from all
</Files>
Adjust allowed file extensions in the brackets if necessary.
This will prevent Apache from serving files with double extensions inside the uploads directory.
Alternatively you can try to patch the source code yourself by editing the
wp-admin/includes/file.php file and the wp_handle_upload() function it contains. An example patch
could be to add the following three lines of code at the line 260:
done
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
At a certain length (2019 on our test system) it should start printing
numbers inside square brackets; that means that /etc/passwd has been
successfully included.
- Windows path truncation POC
On Windows the universal path truncation token is "./" and not "/.".
XSS on login page fix:
Ensure all input is filtered sufficiently before being echoed back to
the client. In particular, characters such as left and right angle
brackets, quotation marks, apostrophes and ampersands should be
filtered. It is highly recommended to follow a white-listing input
validation approach whenever possible.
Username enumeration fix:
These examples illustrate how to execute code on the page without triggering the security mechanisms (there could be many more):
[inserting a newline between the tags]
postdata=aaa%22%3E%0A%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E
[inserting a space between the quotation marks and the closing bracket.]
postdata=aaa%22%20%3E%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E
[using the DIV tag to avoid using the keyword "javascript:" (IE only)]
postdata=aaa%22%3E<DIV%20STYLE="width:expression(alert(document.cookie));">
Can you be more specific? I tested this vulnerability on Oblog v4.5 with the following XSS string:
<script>alert("xss")</script>
Both the angle brackets and quotes were filtered, so I don't believe that this version is vulnerable to the problem you describe.
Can you tell us what version you tested?
5. Detailed analysis
When Apache HTTP Server is configured with proxy support
("ProxyRequests On" in the configuration file), and when mod_proxy_ftp
is enabled to support FTP-over-HTTP, requests containing wildcard
characters (asterisk, tilde, opening square bracket, etc) such as:
GET ftp://host/*<foo> HTTP/1.0
lead to cross-site scripting in the response returned by mod_proxy_ftp:
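Both probes on this page, the 'Host:' header request and the mod_proxy_ftp wildcard request, come down to the same check: a marker containing angle brackets is sent to the server, and the response is inspected to see whether the marker comes back raw (reflected, vulnerable) or entity-encoded (filtered correctly). The following is an added example, not ProCheckUp's own script and not Apache code; the hostnames, the marker constant and the two sample response bodies are constructed for illustration.

```python
import socket
from html import escape

# Marker in the style of the probe quoted on this page; any unique string
# containing angle brackets works. (Constant chosen for this example.)
MARKER = "<PROCHECKUP>"


def build_ftp_probe_request(ftp_host, proxy_host_header, marker=MARKER):
    """Raw HTTP/1.0 request sent through a forward proxy.

    The path carries a wildcard so mod_proxy_ftp treats it as a glob and
    echoes it back in the listing page it generates. Assumption: the proxy
    accepts absolute ftp:// URLs (ProxyRequests On with mod_proxy_ftp).
    """
    return (
        f"GET ftp://{ftp_host}/*{marker} HTTP/1.0\r\n"
        f"Host: {proxy_host_header}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def build_host_header_probe_request(marker=MARKER):
    """Raw HTTP/1.1 request placing the marker in the Host header."""
    return f"GET / HTTP/1.1\r\nHost: {marker}\r\nConnection: close\r\n\r\n"


def classify_reflection(body, marker=MARKER):
    """Classify how a response body reflects the marker.

    'raw'     - marker appears verbatim, angle brackets intact (vulnerable)
    'encoded' - only the entity-encoded form appears (filtered correctly)
    'absent'  - marker is not reflected at all
    """
    if marker in body:
        return "raw"
    if escape(marker, quote=False) in body:  # "&lt;PROCHECKUP&gt;"
        return "encoded"
    return "absent"


def send_raw(host, port, request, timeout=5.0):
    """Send a raw request and return the decoded response body (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    # Split headers from body; tolerate a headerless reply.
    return raw.split(b"\r\n\r\n", 1)[-1].decode("latin-1", "replace")


# Constructed sample responses (not captured from a real server): the first
# mimics an unpatched listing page, the second a patched one.
VULNERABLE_BODY = "<title>FTP listing of /*<PROCHECKUP></title>"
FIXED_BODY = "<title>FTP listing of /*&lt;PROCHECKUP&gt;</title>"


def verdict(body):
    """Mirror the 'VULNERABLE' verdict described on the page."""
    return "VULNERABLE" if classify_reflection(body) == "raw" else "not vulnerable"


if __name__ == "__main__":
    print(build_ftp_probe_request("ftp.example.com", "proxy.example.com:8080"))
    print(build_host_header_probe_request())
    for label, body in (("before fix", VULNERABLE_BODY), ("after fix", FIXED_BODY)):
        print(f"{label}: {classify_reflection(body)} -> {verdict(body)}")
```

To run against a live proxy, pass the output of either builder to send_raw() and feed the returned body to classify_reflection(); after changing the Apache configuration, reload it before re-testing, since the old configuration stays in effect until then.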
information about emoticons and their graphic equivalents. This is what an example
line of the configuration file looks like:
("emoticon","emoticon",...),"graphic_file.gif","graphic_file.gif"
If there is only one string associated with a gif file, the brackets can be omitted.
The third part of the line is also not essential; it is just the name of an optional graphic
file in NETSCAPE GIF format.
While copying data from the currently opened file (the 2nd and 3rd parts of the
configuration line) into local buffers, the program does not check the strings'
lengths, which can lead to overwriting the 500-byte buffers placed on the stack.
corrupted (CVE-2007-1659). PCRE does not properly calculate sizes for
unspecified "multiple forms of character class", which triggers a
buffer overflow (CVE-2007-1660). Further improper calculations of
memory boundaries were reported when matching certain input bytes
against regex patterns in non UTF-8 mode (CVE-2007-1661) and when
searching for unmatched brackets or parentheses (CVE-2007-1662).
Multiple integer overflows when processing escape sequences may lead to
invalid memory read operations or potentially cause heap-based buffer
overflows (CVE-2007-4766). PCRE does not properly handle "\P" and
"\P{x}" sequences which can lead to heap-based buffer overflows or
trigger the execution of infinite loops (CVE-2007-4767), PCRE is also
If the string with angle brackets ('<PROCHECKUP>') is NOT returned
anymore after making the Apache config changes, then the script
shouldn't print 'VULNERABLE'.
Did you reload the Apache configuration? i.e.:
sudo /etc/init.d/apache2 reload
> usort($array, $cmp);
> }
>
> if ($sort == 'config') sort($rows); else multisort($rows, $sort);
Taking care to match properly the quotes and angle brackets, it is
possible to insert PHP expressions into the code for the function. For
example, to run the phpinfo() function, one might set sort to this
value:
"].phpinfo().$a["
# Cross Site Scripting (Code):
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0
In this way we can inject the alert() code without brackets in the
function resetCredFields().
-------------------------------
function resetCredFields()
|