WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
It was found that the search function provided within WordPress fails to
sanitize input correctly for certain character sets. If WordPress queries
the MySQL database using one of these character sets, the WordPress
search function is exploitable through charset-based SQL injection.
Currently known exploitable character sets include Big5 and GBK.
All of them may use the backslash ('\') as part of a multibyte character.
- escapeshellcmd()
- escapeshellarg()
Unfortunately it was discovered that both functions fail to
protect against shell command injection when the shell uses
a locale with a variable-width character set like GBK,
EUC-KR, SJIS, ..
This can lead to arbitrary shell command injection vulnerabilities
in PHP applications believed to be safe. In addition to that
exploiting this problem in PHP functions that use this shell
$this->clean_globals( $_GET );
$this->clean_globals( $_POST );
$this->clean_globals( $_COOKIE );
$this->clean_globals( $_REQUEST );
This function replaces special characters such as the null byte
and "../" (this replacement can be easily bypassed, as we'll see
later) with their entities. Good idea, but bad implementation:
function clean_globals( &$data, $iteration = 0 )
Various URLs within the deployed OpenCms application version 7.5.0 are
open to attacks, including Cross-Site Scripting, Phishing Through Frames
and Application Error. Some of these attacks allow injection of scripts
through a parameter in the request. The application should filter such
hazardous characters out of user input.
Example follows:
Vulnerable URL (from the OpenCms VFS):
/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/
help_head.jsp?&homelink=>"'><script>alert("This%20site%20has%20been%20co
Sanitizing an argument of an Ex command in a generic way is not going to be
that easy.
3.3.1. Three Character Classes
Ex commands don't accept strings for arguments, only bare-words. In other
words, there is just one level of quoting. It is possible to quote individual
characters by prepending a backslash. As we can learn in the Vim Reference
Manual (``cmdline.txt'') we can divide the characters in three classes --
Vendor: http://www.php.net
--- 0. Description ---
strfmon -- convert monetary value to string
The strfmon() function places characters into the array pointed to by s as controlled by the string pointed to by format. No more than maxsize bytes are placed into the array.
The format string is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments. Each conversion specification is introduced by the % character.
SYNOPSIS:
re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"
For the Apache 403 error page, the only opportunity to "trick" the victim is within the URL itself. It would be quite a feat of social engineering to do this within a URL, between the phrases "You don't have permission to access" and "on this server".
There are many possible malicious strings in UTF-7, and any sequence of character values less than 0x80 starting with a "+" is potentially a UTF-7 string. This is why it is not appropriate for browsers to automatically interpret text as UTF-7. Preventing a user from manually overriding the specified charset and interpreting strings as UTF-7 is not something a web server can do. If you feel this manual function should be disabled in browsers, it may be better to let the browser developers know.
re: percent-encoding the "+" character in URLs
The "+" character is a reserved character in URIs per RFC2396 (see section 2.2 Reserved Characters). RFC3986 goes further and explains why reserved characters like "+" should not be percent-encoded:
Enhanced Encryption is only slightly better since it takes the
Standard Encryption rotational keyed password and then sends it to the
database to be stored in a binary field instead of a text/varchar
field. Even using this "encryption" once the password is over four
characters the first returned hash (16 HEX characters after a standard
lead in) is the same no matter what follows. Making a rainbow table
of the first four characters would be annoying but takes less than a
day done by hand. Once you had the first four characters making the
next four would take another day for any given first four, again by
hand. So cracking any one account's 1-8 character password would take
5.1 - PHP File Inclusion (RFI/LFI: Remote/Local File Inclusion) -
CVE-2010-4281 - CVE-2010-4282 - CVSS 8.5/10
The 'page' parameter of ajax.php does not properly sanitize user-supplied
input. The function safe_url_extraclean filters the ':' character, so
the string "http://" cannot be used to build URLs, but it allows the
'/' character, and an attacker could reference remote resources via
Windows UNC paths, using //servername//resource/file
Note that the first check in safe_url_extraclean filters '://', so
less-trusted sources. Unfortunately, an implementation error in the whitelist
allows it to be evaded.
URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters; the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
How is that _not_ a Windows problem?
RAG> Don't get me wrong, I want to protect end-users as much as the
RAG> next person (as does MS), but if it is the application not
RAG> validating correctly, could there not be hundreds of potential
RAG> characters and strings that cause input validation problems in
RAG> particular circumstances, which will vary according to the application?
We are speaking of the mailto: handler here that _seems_ to be broken
post-IE7 installation. (Again IMHO)
Could you explain to me why, post-IE7:
manipulate account databases on the target resources. In the case of
*NIX-based systems the management server remotely logs in to a target
server and issues a series of shell commands, using a send-expect technique.
The system allows users to submit passwords containing control
characters including new line (ASCII 0x0A). The implementation of the
send-expect mechanism fails to handle such passwords correctly. This
flaw allows an unprivileged Sun IDM user to execute an arbitrary UNIX
shell command by requesting a password change to a specially
crafted value. The injected command will be executed with root
privileges on all UNIX systems the user is provisioned on.
A specially crafted .ftpaccess file can produce the result below
-proftpd---
# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3f Server (ProFTPD Default Installation) [127.0.0.1]
user dude
331 Password required for dude
pass dude
The applications in question are accepting arbitrary input and not validating it correctly.
How is that a Microsoft or Windows problem?
Don't get me wrong, I want to protect end-users as much as the next person (as does MS), but if it is the application not validating correctly, could there not be hundreds of potential characters and strings that cause input validation problems in particular circumstances, which will vary according to the application?
If Microsoft scrubs out every potential malicious character, it's bound to break lots of legitimate applications. That would make plenty of users and developers mad.
At what point should Microsoft scrub URIs so that it hands off only "legitimate" characters "most of the time"? How could Microsoft determine ahead of time which characters are and aren't legitimate to pass to applications they don't own? If they block characters that affect certain applications, might it cause problems in other applications that have no problem with the character(s) in question?
        self::cleanGlobals( $data[ $k ], ++$iteration );
    }
    else
    {
        # Null byte characters
        $v = str_replace( chr('0') , '', $v );
        $v = str_replace( "\0" , '', $v );
        $v = str_replace( "\x00" , '', $v );
        $v = str_replace( '%00' , '', $v );

References: "Null Prefix Attacks Against SSL/TLS Certificates",
Moxie Marlinspike, 2009-07-29, Defcon 17, Blackhat 09.
CVE-2009-2408, Mozilla Firefox <3.5 and NSS <3.12.3
improper handling of '\0' characters in domain names in
the Subject CN field of X.509 certificates.
0. Release history
==================
URL and are used to supply additional information about the product that
has to be downloaded. The language and os parameters are automatically
set by the ActiveX control if they are not provided. The parameter
itemid is used to specify which product is to be downloaded. Multiple
products (multiple downloads) can be supplied using semicolon
characters between identifiers.
getPlus creates a URL based on the previously supplied parameters and it
will use this URL to download additional configuration parameters. For
example
http://get.adobe.com/reader/webservices/dlm/?itemid=941&os=XPSP2&langid=en:
The user supplied passphrase is crypt(3)'ed with the MD5 salt
of $1$YCCaQNAP$ and used as the initial key to access the LUKS
master key for the drive.
Additionally, the system creates a second key, which is 32
characters long and consists only of lowercase letters and the
digits 0-9, and adds it to the LUKS keyring:
/sbin/cryptsetup luksAddKey /dev/md0 /tmp/temp.wLbZNp \
--key-file=/tmp/temp.rUBxFo
Before writing the second key to the flash, the key is then
Internet Explorer (6,7 or 8) or Chrome.
The exploit originates from a failure to sanitise raw binary content correctly
and the ability of ShellExecute() to permit URIs which contain raw binary values.
Security-Assessment.com found that the Skype: URI handler permits the double quote
and forward slash (" and /) characters within a Skype URI, but does not permit
any whitespace characters (such as space, %20, +) to be included. This essentially
protects Skype from a user inserting additional command line arguments directly
within a Skype: link, as the command line argument separator character (whitespace)
cannot be included.
Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939
unused. If a string has length divisible by 4096, it fits exactly in the
memory reserved, no bytes are left unused.
When the vulnerable function is called, it calls the method
'WebCore::nextBreakablePosition' in charge of searching for "breakable"
characters, for example a space, character "-", etcetera, and returns
the position where the first "breakable" character was found. This
method takes as parameter the same string passed to the 'alert' on
JavaScript.
In the case that no "breakable" characters are found, it returns the
including anti-virus and is mainly a firewall but also includes an anti-spam and content control.
------------------------------------------------------
Vulnerability
The vulnerability is that when certain special characters are used in a file name,
the system can be left without protection.
In the first flaw, a special character is used in a file name;
this can evade antivirus protection and cause a file that is already detected
by the antivirus not to be detected.
Recommendations for Web Server Vendors
--------------------------------------
Web server vendors should provide options for requiring strict HTTP
compliance in HTTP headers. That is, instances of bare CR or bare LF
characters should not be accepted as delimiters of HTTP headers. These
should either be ignored (and considered a part of the HTTP header
content) or requests containing bare CR and/or bare LF characters should
be rejected. Eventually, such a configuration option should be enabled
by default.
* Gerry Eisenhaur discovered a directory traversal vulnerability when
using "flat" addons (CVE-2008-0418).
* Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported
multiple character handling flaws related to the backspace character,
the "0x80" character, involving zero-length non-ASCII sequences in
multiple character sets, that could facilitate Cross-Site Scripting
attacks (CVE-2008-0416).
The following vulnerability was reported in Thunderbird and SeaMonkey:
Vulnerability Overview
----------------------
Over the last several years, VSR analysts had observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL encoded and appended to URLs. In late April, 2010 VSR began
researching this more in depth and found that the issue could allow for
HTTP header injection and HTTP request smuggling attacks.
Usually when I see that an application claims to be secure, they really don't know what the fuck they
are doing. OpenClassifieds' security model is deeply flawed and as a result there are MANY
vulnerabilities in this code base, which allowed me to string a few cool ones together to make an
interesting exploit. OpenClassifieds sanitizes everything on input using cG() and cP(); these
functions perform a mysql_real_escape_string() on all GET and POST variables. Most
servers aren't using an exotic character set, so from a security standpoint this is exactly identical to
magic_quotes_gpc. So I dusted off my usual magic_quotes_gpc auditing tricks: look for
stripslashes(), base64_decode(), urldecode(), html_entity_decode(), lack of quote marks around variables
in a query, etc. Sanitation must ALWAYS be done at the time of use; parametrized queries are a
good example of this. It's impossible to account for all the ways a variable can be mangled once it
enters a program, and if you sanitize input when it first enters the program there will be cases where it
I found a flaw in Trillian 3.1 for Windows.
It is triggered on receipt of a nickname that is too long and contains certain characters; this crashes the program. The curious part of the failure is that when I open it with OllyDbg and it tries to read the message argument, if the long nickname contains special characters and the message is written with many letters "A", the result is
Access violation when reading [41414141]
The test was made using an MSN Messenger account: I set a nick there up to the character limit with the character "‿" (without the quotes), and sent a message to another account that had MSN in Trillian.
Anyway, it fails with many more characters; that is only one example ...
Greetings!