cookies
Several vulnerabilities have been found in FWS. These vulnerabilities
allow attackers to obtain arbitrary information from the webserver and
database. It is even possible to execute arbitrary code with the
privileges of FWS. In some cases it may even be possible to fully
compromise the system on which FWS is installed. Most of these issues
are related to the fact that FWS fully trusts the content of the cookies
that it receives. Because these issues were discovered within a very small
time frame, it is likely that more issues exist within FWS. A full
security review of the code base is recommended to increase the security
of FWS.
---------------------------------------------------------------------------------------
INSECURE COOKIE HANDLING VULNERABILITIES --Dog Pedigree Online Database v1.0.1-Beta-->
---------------------------------------------------------------------------------------
CMS INFORMATION:
-->WEB: http://thewhippetarchives.net/twa_is_offline.php
-->DOWNLOAD: http://sourceforge.net/projects/dogarchive
-->DEMO: N/A
-->CATEGORY: Genealogy
[FILE CONTENTS]
- -----------/
Cookies are stored in independent text files (one for each domain)
inside the cookies folder (usually located at '\Documents and
settings\USERNAME\Cookies' in all Windows NT based implementations). The
cookie file name is structured in the following manner:
/-----------
}
}
function syntax() {
global $argv; // $argv is not a superglobal, so it must be imported into function scope
print (
"Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n".
"Options: \n".
"--c:[uid:hash ] - use your user cookie, instead of user/pwd pair \n".
"--port:[port] - specify a port \n".
" default->80 \n".
"--uid:[n] - specify an uid other than default (2,usually admin)\n".
"--proxy:[host:port] - use proxy \n".
"--skiptest - skip preliminary tests \n".
"--test - run only tests \n".
"Examples: php ".$argv[0]." 192.168.0.1 /geeklog/ bookoo pass \n".
" php ".$argv[0]." 192.168.0.1 / bookoo pass --proxy:1.1.1.1:8080\n".
" php ".$argv[0]." 192.168.0.1 / bookoo pass --uid:3 \n".
" php ".$argv[0]." 192.168.0.1 /geeklog/ * * -c:3:5f4dcc3b5aa765d61d8327deb882cf99");
die();
}
error_reporting(E_ALL ^ E_NOTICE);
<?php
/*
glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit
by Nine:Situations:Group::bookoo
our site: http://retrogod.altervista.org/
software site: http://www.glfusion.org/
google dork: "Page created in" "seconds by glFusion" +RSS
[-] File affected: inc/util_inc.php
Usually an SQL injection vulnerability located in the
authentication system allows a guest to bypass it, and
this is just what happens using the following cookie:
Cookie name: fcms_login_id
Cookie content: -1 UNION ALL SELECT
1,2,3,4,5,6,7,8,9,'admin','password',12,13,14,15,16,17,18,19,20,21,22
Cookie server: localhost (change it)
Vulnerable scripts
==================
wp-include/pluggable.php
function wp_validate_auth_cookie($cookie) {
...
// The cookie is not being validated.
list($username, $expiration, $hmac) = explode('|', $cookie);
...
// I could send 9999999999 as the second argument of the cookie to
Citrix NetScaler Web Management Cookie Weakness
Product: Citrix NetScaler
http://www.citrix.com/lang/English/ps2/index.asp
Background:
For most web application logins a user fills out an HTTP form, which sets up the user with a session cookie. The cookie content is merely a session ID, which allows the server-side application to match incoming requests to a specific user and session. If the cookie is compromised, for example via XSS, the attacker might be able to impersonate the user for the duration of the session, but this typically does not allow the attacker to obtain the user's login credentials.
along with a number of other items.
Vulnerability Details
- ---------------------
The TANDBERG VCS web management interface utilizes custom cookies for the
purpose of session management. In version x4.2.1 of the appliance firmware
(and possibly earlier versions), it is possible to forge session cookies with
relatively little knowledge of the appliance's configuration.
The vulnerability lies in the files located at the following paths:
if(strlen($source)<2){ exit("$file don't exist.\n"); }
$xpl = new phpsploit();
$s = $xpl->post($url."/index.php?","sql_pseudo=$login&sql_pass=$pass");
//Cookies
if(preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i",$s,$phpsessid) && !preg_match("#name=\"sql_pseudo\"#i",$s)){
$xpl->addcookie("PHPSESSID",$phpsessid[1]);
$xpl->addcookie("sql_pseudo",$login);
$xpl->addcookie("sql_pass",md5($pass));
Wordpress 2.5 Cookie Integrity Protection Vulnerability
Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>
Systems Affected:
Release mode: Coordinated release
Discovered by: Daniel King, SecureWorks
Summary
McAfee Network Security Manager is vulnerable to authentication bypass via HTTP session cookie hijacking. A remote attacker could exploit this vulnerability to hijack an existing session to the Network Security Manager.
Affected Products
McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration).
It is unknown which other versions, if any, are affected as of November 11, 2009.
# Remove expired sessions ( time() - 60*60*2 = > 2 hours )
$this->web->get($this->p_url.$this->p_acp.'/index.php?');
$this->msg('Removed all out of date admin sessions', 1);
# Cookie prefix
$this->get_cprefix();
}
# Admin session ?
$this->msg('Trying to find an admin session id', 0);
Regarding SSO - not at all. Not even remotely. It's not about
"wrappers frameworks put around cookies".
Spend some time on *.yahoo* and *.google* and their partner sites, and
look at how they use both auth and personalization cookies (two
different things).
For the former there is no way to solve usefully with Digest without
implementing some persistent unified tracking mechanism of the likes
Digest Auth does not provide today, or implementing some massive OoB
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
(Affected versions: Any)
D) "Session Dump Servlet" stored XSS
(Affected versions: Any)
E) "Cookie Dump Servlet" escape sequence injection
(Affected versions: Any)
F) Http Content-Length header escape sequence injection
(Affected versions: Any)
Arian,
> Regarding SSO - not at all. Not even remotely. It's not about
> "wrappers frameworks put around cookies".
That's exactly what it's about. Cookies are name value pairs sent and
received based on simple rules. Rules that happen to be poorly
standardized with few guarantees. Everything else is what you make of
it: frameworks and protocols that use this primitive as they see fit.
> security controls in modern browsers when communication
> occurs between two domains that resolve to the same IP
> address. This advisory includes a Proof-of-Concept
> (PoC) demo and a Java Applet source code, which
> demonstrates how this security can be exploited to leak
> cookie information to an unauthorised domain, which
> resides on the same host IP address.
>
> +------------+
> |Exploitation|
> +------------+
--------------------------------------------------------------
CLAN TIGER CMS MULTIPLE COOKIES HANDLING VULNERABILITIES
--------------------------------------------------------------
CMS INFORMATION:
-->WEB: http://www.clantiger.com
-->DOWNLOAD: http://www.clantiger.com/download-clan-cms
-->DEMO: http://www.demo.clantiger.com/
-->CATEGORY: CMS / Portals
There is a session fixation vulnerability [1] in Bea WebLogic 10.0
Administration Console that allows the attacker to assume the administrator's
identity and thus gain administrative access to the console. The session
management used for setting up and maintaining administrative sessions
allows the attacker to fix the administrative session cookie(s) in the
administrator's web browser and use this cookie to access the
administration console after the administrator has logged into it. The
vulnerability is exploitable even if the Administration Console is only
accessed/accessible via HTTPS and even if the Administrative Port is enabled.
> Great writeup of the state of the union for Web-based authentication
> methods.
Thanks. It is far from complete in that sense, but I hope it
illustrates the frog-in-the-frying-pan state we are in with session
cookies.
> As you mention, your paper is primarily an argument for fixing HTTP
> auth. That might make a better title for it, in fact, since that does
> seem to be the primary thrust of the arguments presented. Or at least,
> "If We Wean the Web Off of Session Cookies, This Is Some of What We'd
safety while they use the Tor network.
As I presented in my Black Hat and DefCon talks on Securing the Tor
Network, it turns out that using https for accessing mail.google.com
is not sufficient to protect you from many "Sidejacking" attacks. The
'GX' authentication cookie for mail.google.com is set to be
transmitted for any type of connection (http or https). This is the
only cookie one needs to authenticate to gmail.
This "Any type of connection" property allows an attacker to execute a
cross site request forgery attack to inject spoofed
commands and instantiate certain ActiveX controls.
As a result of a successful attack, security or privacy-sensitive
information can be obtained by an attacker including but not limited to
user authentication credentials for any web application domain, HTTP
cookies, session management data, cached content of web applications in
different domains and any files stored on local filesystems.
The bug is related to a lack of enforcement of security policies
assigned to URL Security Zones [2] when content from the corresponding
zone is loaded and rendered from a local file. These issues have been
Versions prior to 1.2.4 are affected. The issue was fixed in version 1.2.5.
The authentication process checks the cookies to see if the user has a given role. The user and role defined in the cookie is not validated during this process. An attacker can add a cookie (shown below) in order to bypass authentication.
BASERole=10000|nidem|794b69ad33015df95578d5f4a19d390e;
Explanation:
Each page checks to see if the user has sufficient privileges. The user's role is checked using the hasRole method, which then calls the readRoleCookie method. The code below is the readRoleCookie method as written in includes/base_auth.inc.php in rev 1.23 and earlier. This function retrieves the role of the user as read from the cookie. The cookie contains three pieces of information, role, user and MD5 hash, delimited by the pipe character.
function readRoleCookie()
# Vulnerability Title: Session hacking via authentication cookie on Oracle CRM on Demand
# Date: 20/05/2011
# Vendor: Oracle
# Product: Oracle CRM on Demand
# Software Link: https://sso.crmondemand.com/
Summary: Oracle CRM on Demand is a web application to
manage Customer information.
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
- Cookies are set for root path, not application path
- Crawler endless loop
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Jetty Persistent XSS in Sample Cookies Application
1. *Advisory Information*
webSPELL 4.2.0c XSS (BYPASS BBCODE) COOKIES STEALING VULNERABILITY
----------------
CMS INFORMATION:
----------------
-->WEB: http://www.webspell.org/ (affected too)
-->DOWNLOAD: http://www.webspell.org/download.php?fileID=22
-->DEMO: http://www.webspell.org/index.php?site=demo
-->CATEGORY: CMS / Portals
Because of this a better one shot solution was developed that
makes it possible to determine the new password and the new activation link
from the result of the request that triggered the password reset.
To understand how this is possible it is necessary to know that
during the installation PunBB creates a "random" cookie seed that
is used to store login data in the cookie during a visit. This
cookie seed generation is not really random, because it is more
or less the MD5 hash of the current timestamp. This means it is
easily bruteforceable when the attacker has his own user account
at the forum. He just needs to use his own login cookie and then