presentation will run longer, or have any special requirements, please
include this information in your submission and we will do our best to
accommodate you.
Note: If the presentation is based upon code or a particular
technique, the presenter must be one of the developers of the code or
technique and be prepared to perform a demonstration.
We look forward to reviewing your submissions, and anticipate another
great line-up for this year's conference. Once again, if you have any
questions about your submission, please email cfp [at] layerone [dot]
I found this letter from Nant some time ago (and have now found time to write
an answer to it), and I found it accidentally, because I'm not subscribed to
the Bugtraq mailing list. So Nant and every reader of the list must take this
into account (and send letters to my email if they want to contact me).
And this is that example of a letter from a developer which I mentioned last
week on the list. It clearly shows that web developers ignore the advisory
about holes in CaptchaSecurityImages.php itself, and only pay attention to
advisories about their specific web applications. So in my answer I'll draw
attention to this aspect of Nant's letter.
hardware and wonder why I occasionally get spam posted, but maybe I'm
wrong in my jaded patchers/risk view.
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
My specific question is: did you contact the admin of this particular
site ahead of time with this information? Based on your timeline you
say you found it, you disclosed this issue on your site, then informed
developers. Then posting here 7 days afterwards seems a bit of a short
Hello Susan!
> Pardon me, but you disclosed it at your site before you informed the
> developers?
Yes, and there is a reason for it. In 99% of cases I use the advanced
responsible disclosure approach for informing admins and web developers about
vulnerabilities. But this time I used responsible full disclosure. I
wrote in detail about all disclosure policies (including these ones) in my
article "Hacking of web sites, security researches, disclosure and
entirely coordinated by me, and thus Wagner, Conviso and Check Point
have no responsibility for any mistake I may have made.
Anyway, just to clarify your points:
> First, you must have reported to the developer, but in what way?
I sent to the developer a complete advisory, including the exploit code.
> Confusing the XSS vulnerability with PHP code execution
> vulnerability is so funny. I can't help feeling that you told it
> add in or just using a browser
DoS of the browser is already a bad thing. And there are many risks for users
from DoS holes in browsers, which I wrote about in 2008 in my articles
Dangers of DoS attacks on browsers and Dangers of resources consumption DoS
attacks. But mostly browser developers ignore fixing these issues.
But in this case it's not only an attack on browsers, but on the user's whole
computer - because it's blocking of the whole computer and full resource
consumption. Which works in many browsers, including their latest
versions. So browser developers with their neglect of this problem make
> DoS of the browser is already a bad thing. And there are many risks for
> users from DoS holes in browsers, which I wrote about in 2008 in my articles
> Dangers of DoS attacks on browsers and Dangers of resources consumption DoS
> attacks. But mostly browser developers ignore fixing these issues.
>
> But in this case it's not only an attack on browsers, but on the user's
> whole computer - because it's blocking of the whole computer and full
> resource consumption. Which works in many browsers, including their latest
> how can i solve this issue quickly ?
There are the following solutions for you:
1. Wait until the developers of CB Captcha release a new fixed version of the
plugin. They have been examining this vulnerability for some time already (at
least Beat, developer of CB Captcha 2.x, because of the two authors only he
answered me). But Beat told me that they will not be releasing the new fixed
version very quickly (due to their standardized bugfixing process), so
users of CB Captcha will need to wait for the new release.
So as is clear, browser vendors only answer when they want.
> Patches take time. They do not occur overnight. Furthermore it may take
> a day for the vendor to respond to you.
As I mentioned, 3 of 4 developers answered me (but it's not common for
cases with DoS holes). But MS didn't answer me for more than 1.5 weeks. From
which you can see their attitude to such issues. And the example of Google,
whose Chrome 4 was invulnerable to this hole (only Chrome 1.x was), shows their
attitude to such issues - that they are working to fix holes (including
those which were in older versions of their browser) even before they will be
> So as is clear, browser vendors only answer when they want.
>
>> Patches take time. They do not occur overnight. Furthermore it may take
>> a day for the vendor to respond to you.
>
> As I mentioned, 3 of 4 developers answered me (but it's not common for
> cases with DoS holes). But MS didn't answer me for more than 1.5 weeks.
> From which you can see their attitude to such issues. And the example of
> Google, whose Chrome 4 was invulnerable to this hole (only Chrome 1.x was),
> shows their
Initiative) a potential reuse of a deleted image frame in Firefox 3.6's
handling of multipart/x-mixed-replace images. Although no exploit was
shown, re-use of freed memory has led to exploitable vulnerabilities
in the past (CVE-2010-0164).
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0165,
CVE-2010-0167).
bug tracking system to access information about issue #2947.
. 2009-11-17:
Core requests again information regarding the release date of TestLink
1.8.5 in order to schedule the release of this advisory accordingly,
since no reply on this has been yet given by the TestLink developers
contacted. Core also mentions that issue #2947 cannot be accessed by
the user created in order to follow the development of a patch for the
vulnerabilities reported here.
. 2009-11-17:
is allowing the data to "break the fourth wall".
I discovered this issue in November of 2011 while talking about uses for
the lsof command on the @climagic Twitter account. I immediately found
which software was the culprit and submitted a bug report to Gnome's
Bugzilla. The response so far has been that the developer doesn't
consider this a bug. I also wrote to Behdad Esfahbod about the issue
but have not heard back from him. I was giving these people a bit of
time to respond or resolve the issue, but apparently that isn't going to
happen without making a bigger deal of it. Other knowledgeable security
people have considered this a major security issue.
I didn't test on such a large scale of devices (just in different browsers
on my PC).
> Credit : Except Apple - nobody
It's a very common situation (with the non-serious attitude of developers
towards security professionals who find holes in their programs). Especially
in the case of DoS vulnerabilities.
> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
I've reported the following XSS vulnerability in cforms II. This vulnerability was fixed on February 14, 2012 by its developer.
WordPress cformsII Plugin "rs" Cross-Site Scripting Vulnerability - Secunia.com
http://secunia.com/advisories/47984/
You might think this is a normal XSS vulnerability, but it isn't.
Because the EXPLOIT CODE WAS PUBLISHED AS A 0-DAY ON Oct 30, 2010 on this list!
Are you puzzled?
uninitialized string property can be used.
4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)
While not being a security vulnerability itself, please note that
applications running in developer mode and using Struts
DebuggingInterceptor are prone to remote command execution as well.
While applications should never run in developer mode during
production, developers should be aware that doing so not only has
performance issues (as documented) but also a critical security impact.
Hello,
On December 17th, 2008, the OpenVAS[1] developer team released OpenVAS 2.0.0
which marks the start of the next generation of the Open Vulnerability
Assessment System for network security scanning.
OpenVAS is a fork of the Nessus security scanner which has continued development
under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0
in October 2007, the OpenVAS developers continued the auditing of the code
inherited from Nessus and have added a variety of useful features for OpenVAS
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of CMS AltConstructor before the version released
on 16.08.2010, in which the developers fixed the holes after I informed them.
----------
Details:
----------
: on "4-21-2010" "MustLive" writ:
and about which, i find me confused.
: you can saw the letter which was posted last week by one developer of
: one such vulnerable web application ---
from my reading of that exchange, i "thought" the author a 'system
administrator', rather THAN, the programmer of the flawed application.
from my experience, a sysadmin seldom enjoys the freedom programmers
Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
01/16/09 Developer contacted
01/16/09 Developer's initial response
01/17/09 Findings sent to developer
02/15/09 Patched version 2.30.01 released by developer
02/16/09 Public disclosure
|Solution|
+--------+
Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on March 4,
2009, and a response was received on the following day.
A fix was released on March 14, 2009.
The vendor supplied patch is available from Mozilla
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on July 10,
2009, and a response was received on July 15. A fix
was released on July 20, 2009.
The vendor supplied patch is available
> 'Virtual Keyboard' installations can be found using this 'Google dork':
>> http://google.com/search?hl=en&safe=off&filter=0&q=inurl%3A%22vkeyboard.php%22
>
> This vulnerability was originally reported in early May 2010.
> A suitable update fixing this issue, Virtual Keyboard v0.9.2 for
> Squirrelmail 1.4.x, has been provided to the Squirrelmail developers and
> me by Daniel Kobayashi Imori of Bastion Systems (the original developer
> of this plugin) in early June 2010 and is attached to this email -
> thanks Daniel. The Squirrelmail team has not yet managed to update this
> plugin in their repository:
> http://squirrelmail.org/plugin_view.php?id=159
========
Timeline
========
06/19/09 Alien Arena 7.30 released
06/21/09 Anonymous remote arbitrary code execution vulnerability discovered
06/22/09 Request for contact sent to Alien Arena's developers
06/23/09 Detailed vulnerability report responsibly disclosed to Lead Developer
of Alien Arena
06/23/09 Security vulnerability "fixed" (Revision 1390)[3]
06/23/09 Broken "fix" identified and responsibly disclosed to Lead Developer
of Alien Arena
ClientCert-Signature: XXX
However, there is no attempt by the CSS to prevent clients from
supplying their own ClientCert-* headers. Depending on how application
developers handle multiple copies of these headers, an attacker may be
able to impersonate other users.
For example, assuming that a back-end web application simply trusts
the user identity supplied by the CSS in the ClientCert-Subject-CN
header and userX wants to impersonate userY, he may simply insert
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on February 18,
2009, and a response was received on the same day. A
fix was released on March 20, 2009.
The vendor supplied patch is available
According to the vendor, GlassFish v2 does not use vulnerable components.
Vendor contact timeline:
------------------------
2009-07-07: Contacting the developers of JSFTemplating by email.
2009-07-07: Very fast response from the developers by email and IRC, initial
attempts to fix the issue were being made
2009-07-08: Agreed on taking a further look into the issue by the end of July
2009-07-30: Contacted the developers again, they need more time
2009-08-10/13: Asked the developers for any news
These controls are as easy to turn on as flicking a switch. Super simple remediation. Most frameworks do not offer easy, native controls like this for cookies or hidden FFs.
Would you agree that the issue here is RTFM?
Many developers using Viewstates aren't aware they are using Viewstates. Think "Newbie Visual Studio Jockey" developers. They are using a control in their IDE and have no idea it's passing off stuff in b64 strings to the web-browser/client that can be decoded and/or modified.
The most common scenario where developers disable native Viewstate controls is in multi-webserver deployments when they start load-balancing. The Viewstate keys don't match across servers; the app breaks; the developers Google just enough info to decide to turn off Viewstate encryption/checksums (or the server admin does it).
The fix for Viewstate load balancing issues is also super simple:
Share Viewstate MAC/checksum or encryption keys. But it is fairly common not to do this until after a security assessment. Usually for the same reasons I outlined above: they aren't really even sure what Viewstate is doing.
MyDMS
* <= 1.7.2
Vendor contact timeline:
------------------------
2009-10-29: Contacting developers on SourceForge.Net and on
trilexnet.com by contact-form and the dev-forum.
2009-12-11: No response from developers so far.
2009-12-11: New attempt to contact developers.
2010-01-15: No response from developers.
2010-01-15: Release of the advisory.