
default configuration

Armorlogic Profense Web Application Firewall 2.4 multiple vulnerabilities.

::::: Blacklist / negative model bypass :::::

CVE: CVE-2009-1593

Description: Profense Web Application Firewall with default configuration in negative model can be evaded to inject XSS.
 
Technical Description:
 
Versions 2.4 and 2.2 of Profense Web Application Firewall with the default configuration in negative model (blacklist approach) can be evaded to inject XSS (Cross-Site Scripting). The problem is due to the built-in core rules that can be abused using the flexibility provided by HTML and JavaScript.


Rittal CMC-TC Processing Unit II multiple vulnerabilities

       Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
                possibly other Rittal products

  Attack type : XSS Type I, XSS Type II, Session prediction,
                Remote command execution in default configuration
      Severity: Moderate
 Vendor Status: Vendor notified.
                Patch already available for XSS vulnerabilities.
                Other vulnerabilities will be addressed in a future
                version, no release date set.

HP Laserjet multiple models web management CSRF vulnerability & insecure default configuration

                           Louhi Networks Oy
                        -= Security Advisory =-


       Advisory: HP LaserJet multiple models web management CSRF
                 vulnerability & insecure default configuration
   Release Date: 2009-03-17
  Last Modified: 2009-03-17
        Authors: Henri Lindberg, CISA
                 [henri d0t lindberg at louhi d0t fi]


WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible

Unfortunately, Rovio's access control mechanisms (username/password) are not
completely utilized across the platform even when enabled.  Certain URLs and
RTSP Streaming capabilities of the device are accessible with no
authentication.  Furthermore, deployment of the device in the default
configuration attempts to use UPnP to automatically configure your firewall to
allow external access to the mobile webcam platform.

Resources exposed without proper access controls include:

rtsp://[rovio]/webcam   -- RTSP Audio/Video Stream, directly accessible.

[ GLSA 200708-13 ] BIND: Weak random number generation

===========

Amit Klein from Trusteer reported that the random number generator of
ISC BIND leads, half the time, to predictable (1 chance in 8) query IDs
in the resolver routine or in zone transfer queries (CVE-2007-2926).
Additionally, the default configuration file has been strengthened with
respect to the allow-recursion{} and the allow-query{} options
(CVE-2007-2925).

Impact
======

Citrix MetaFrame Privilege Escalation

Intruders Tiger Team Security identified an unknown vulnerability in
Citrix Metaframe Presentation Server and Citrix Metaframe XP.

The icabar.exe file which is designed to startup the Citrix MetaFrame
administration toolbar allows an attacker to escalate privilege in
Windows 2000 and below in the default configuration and in Windows
2003 in some special circumstances.


IV - ANALYSIS:
---------------

Re: Apache directory traversal on shared hosting environment.

> Hello and thank you again for reporting this security issue to  
> cPanel. We appreciate your interest in helping secure the shared  
> hosting environment.
>
> cPanel attempts to deliver a default configuration that suits the  
> majority of our customers. cPanel makes every attempt to provide  
> straightforward interfaces that allow server administrators to  
> configure their hosting platform to serve the needs of their end  
> users. cPanel provides no guarantee of complete security under the  
> default configuration as our product is tailored to suit the  

VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages

        has assigned the names CVE-2007-5398 and CVE-2007-4572 to these
        issues.

  Note: By default Samba is not configured as a WINS server or a domain
        controller and ESX is not vulnerable unless the administrator
        has changed the default configuration.

        This vulnerability can be exploited remotely only if the
        attacker has access to the service console network.

        Security best practices provided by VMware recommend that the

FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 Remote Memory corruption Vulnerability

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

-- Vulnerability Details:

The retroclient.exe process listens, in a default configuration, on TCP
port 497.
After continuously sending packets of 2064 bytes filled with 0x00 for
about 30 seconds to 5 minutes, the status box shows: "Client networking
not available, or service not running"; keep on sending packets and few

CMS Balitbang 3.3 Arbitrary File Upload Vulnerability

 
$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;   // <= 3
 
---
 
With a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions are not properly checked.
 
 
----------------------------------
 
    exploit & p0c

[Advisory] Invision Power Board <= 2.3.5 Multiple Vulnerabilities and Security Bypass

  There are several conditions to be logged in as Admin. If
  the "match_ipaddress" option is turned on, a check is
  made on the user IP. If the option "xforward_matching"
  is turned on, the attacker can spoof his IP address.
  On the default configuration:

  match_ipaddress = Yes
  xforward_matching = No
  match_browser = No (user only)


Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.    Seems like simple logic points to me.
>
> t
>
>   
>> -----Original Message-----

Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

1. The trusted website uses a blacklist to block known executable file
types for scripted content, e.g. html, jsp, etc.
2. Attacker uploads a file with extension .rss/.atom/arbitrary extension
preceded by .rss/.atom [e.g. .atom.tx]. The most widely used web server,
Apache, automatically passes Content-Type as "application/{atom/rss}+xml"
for all three cases in the default configuration.
3. Attacker convinces victim to visit the direct link to the uploaded
file.
4. Victim's cookies and other sensitive data get sent to the attacker's
site.
5. Note: For Internet Explorer (v7,8), the task is easier

[ MDVSA-2009:062 ] shadow-utils

 
 The updated packages have been patched to prevent this.
 
 Note: Mandriva Linux uses the login application from util-linux-ng
 by default, and is therefore not affected by this issue in the
 default configuration.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5394

[SWRX-2009-001] McAfee Network Security Manager Cross-Site Scripting (XSS) Vulnerability

Summary
McAfee Network Security Manager is vulnerable to cross-site scripting (XSS) caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using vulnerable parameters in a specially-crafted URL to execute script in a victim’s web browser within the security context of the Network Security Manager site.


Affected Products
McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration).
It is unknown which other versions, if any, are affected as of November 11, 2009.


Vendor Information, Solutions and Workarounds


(whitepaper) Microsoft WPAD Technology Weaknesses [PTResearch Team]

locate a browser configuration file used to connect through proxy.

A successful attack on WPAD gives attackers full access to user data sent
to the Internet, which could allow stealing critical data such as passwords
or credit card numbers. The potential danger of WPAD depends on two factors:
default configuration and weak awareness among users.

In this article we discuss the WPAD architecture and its operating principles in
home and corporate networks, present real examples of attacks, and give
recommendations for ordinary users and system administrators that help reduce
the consequences of an attack.


[SWRX-2009-002] McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability

Summary
McAfee Network Security Manager is vulnerable to authentication bypass via HTTP session cookie hijacking. A remote attacker could exploit this vulnerability to hijack an existing session to the Network Security Manager. 


Affected Products
McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration).
It is unknown which other versions, if any, are affected as of November 11, 2009.


Vendor Information, Solutions and Workarounds


Simple Machines Forum "SMF Shoutbox" Mod Persistent XSS

If successful every visitor of the page should see an alert saying 'XSS' 
 

Note:

We can inject PHP code, but the output file (sbox.history.html) has an .html extension, so for the code to execute the server must be configured to parse .html files for PHP code, which is not the default configuration.



Re: [Full-disclosure] Medium security hole in Varnish reverse proxy

> available over a network interface.

The proxy process doesn't run as root by default, but that's not much 
consolation if the master process can reconfigure it at will.  The C compiler 
is available over whatever interface the master port is bound to, and in most 
cases that will be localhost:6082.  I've seen that as a default configuration 
for FreeBSD, Fedora, Debian and Ubuntu packages.

> You can ask varnish to reload a configuration and recompile it, but
> you'd have to have write access to the filesystem first.


ACROS Security: Local Binary Planting in VMware Tools for Windows (ASPR #2010-04-12-2)

- The attacker must be able to log on to the machine, or exploit another 
vulnerability on the machine to place the malicious executable on a local 
drive. Note that Windows Terminal Server allows multiple users to log on 
locally from remote and effectively act as local users. Additionally, the 
default configuration of Windows domain machines allows any domain user to 
log on locally to any domain computer (except the domain controller), 
which can be especially attacker-friendly in conjunction with remotely-
accessible desktops via VMware View.

- VMware Tools installations on Windows XP, Windows Vista and Windows 7 

Multiple Flaws in Axesstel MV 410R

Axesstel MV 410R is a device offered by the two leading Polish telecom
operators, Orange and Polish Telecom, to provide broadband Internet over
CDMA technology, and it is already widely in use.

Overview:
The Axesstel MV 410R firmware and its default configuration have many flaws,
which allow remote unauthorized access to the device and the internal
network behind it.

#1 Access from the Internet to device enabled by default
Anyone is able to automatically detect devices, which are online and

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

>
> 2)  Think things through.  If you are going to try to boost sales of
Win7 to corporate customers by providing free XP VM technology and thus
play up how important XP is and how many companies still depend upon it
for business critical application compatibility, don't deploy that
technology in an other-than-default configuration that is subject to a
DoS exploit while downplaying the extent that the exploit may be
leveraged by saying that a "typical" default configuration mitigates it
while choosing not to ever patch it.    Seems like simple logic points
to me.
>

Cisco Security Advisory: Cisco Intrusion Prevention System Jumbo Frame Denial of Service

platforms that are deployed in promiscuous mode only or that do not
contain gigabit network interfaces are not vulnerable.

Jumbo Ethernet support is usually deployed in data center
environments to increase inter-server communication performance and
is not a default configuration for Cisco routers and switches.
Support for jumbo Ethernet frames must be enabled on each device that
requires the feature. In order to exploit this vulnerability, an
attacker must be able to inject jumbo Ethernet frames into a vulnerable
Cisco IPS platform that is deployed in inline mode.


Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit

    [*] $Config['DeniedExtensions']['Flash']    = array() ;
    [*]
    [*] $Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
    [*] $Config['DeniedExtensions']['Media']    = array() ;
     
    With a default configuration of this script, an attacker might be able to upload arbitrary
    files containing malicious PHP code because multiple file extensions are not properly checked.
*/
 
*/
error_reporting(0);

[security bulletin] HPSBMA02555 SSRT100064 rev.1 - HP Client Automation Enterprise Infrastructure (Radia) Remote Disclosure of Information

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP Client Automation Enterprise Infrastructure (Radia). The default configuration allows remote disclosure of information.

References: CVE-2010-1972

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Client Automation Enterprise Infrastructure (Radia)

VMSA-2010-0011 VMware Studio 2.1 addresses security vulnerabilities in virtual appliances created with Studio 2.0.

    The vulnerability may be exploited on Studio if both of these
    conditions apply:
    - you have Studio 2.0
    and
    - you have created a user account with limited privileges (this is
      not the default configuration).

    Studio is by default shipped with the root user account and no other
    user accounts. For this reason, exploitation of the vulnerability
    would not yield any gain for an attacker since the attacker would
    need to know the credentials of the root user account in order to

JagoanStore CMS Arbitrary File Upload Vulnerability

$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;   // <= 3
 
$Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ; 
---
 
With a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions are not properly checked.
 
 
----------------------------------
 
    exploit & p0c

VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

    ssl pre-remove-http-hdr

 * The CSS and ACE should require device administrators to specify
   a random header prefix when configuring client certificates, but
   provide a mechanism for existing deployments to disable or opt
   out of a secure-by-default configuration to support existing or
   legacy applications. One way to accomplish this would be to prevent
   the client-cert header insertion configuration from taking effect
   until a device administrator has configured the header prefix using
   the following command syntax:
  

[ GLSA 200712-10 ] Samba: Execution of arbitrary code

A remote attacker could send a specially crafted "SAMLOGON" domain
logon packet, possibly leading to the execution of arbitrary code with
elevated privileges. Note that this vulnerability is exploitable only
when domain logon support is enabled in Samba, which is not the case in
Gentoo's default configuration.

Workaround
==========

Disable domain logon in Samba by setting "domain logons = no" in the


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
