presentation will run longer, or have any special requirements, please
include this information in your submission and we will do our best to
accommodate you.
Note: If the presentation is based upon code or a particular
technique, the presenter must be one of the developers of the code or
technique and be prepared to perform a demonstration.
We look forward to reviewing your submissions, and anticipate another
great line-up for this year's conference. Once again, if you have any
questions about your submission, please email cfp [at] layerone [dot]
I found this letter from Nant some time ago (and have now found time to write
an answer to it); I found it accidentally, because I'm not subscribed to the
Bugtraq mailing list. So Nant and every reader of the list must take this into
account (and send letters to my email if they want to contact me).
And this is the example of a letter from a developer which I mentioned last
week on the list. It clearly shows that web developers ignore the advisory
about holes in CaptchaSecurityImages.php itself, and only pay attention to
advisories about their specific web applications. So in my answer I'll draw
attention to this aspect of Nant's letter.
hardware and wonder why I occasionally get a spam posted, but maybe I'm
wrong in my jaded patchers/risk view.
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
My specific question is: did you contact the admin of this particular
site ahead of time with this information? Based on your timeline you
say you found it, you disclosed this issue on your site, then informed
the developers. Then posting here 7 days afterwards seems a bit of a short
Hello Susan!
> Pardon me, but you disclosed it at your site before you informed the
> developers?
Yes, and there is a reason for it. In 99% of cases I use the advanced
responsible disclosure approach for informing admins and web developers about
vulnerabilities. But this time I used responsible full disclosure. I
wrote in detail about all disclosure policies (including these ones) in my
article "Hacking of web sites, security researches, disclosure and
*Vendor Information, Solutions and Workarounds*
Vendor statement:
"The current version of the Android SDK is an early look release to the
open source community, provided so that developers can begin working
with the platform to inform and shape our development of Android toward
production readiness. The Open Handset Alliance welcomes input from the
security community throughout this process. There will be many changes
and updates to the platform before Android is ready for end users,
including a full security review."
> DoS of the browser is already a bad thing. And there are many risks for
> users from DoS holes in browsers, which I wrote about in 2008 in my articles
> Dangers of DoS attacks on browsers and Dangers of resource consumption DoS
> attacks. But mostly browser developers ignore fixing these issues.
>
> But in this case it's not only an attack on browsers, but on the whole
> user's computer, because it blocks the whole computer and consumes all its
> resources. This works in many browsers, including their latest
> add in or just using a browser
DoS of the browser is already a bad thing. And there are many risks for users
from DoS holes in browsers, which I wrote about in 2008 in my articles
Dangers of DoS attacks on browsers and Dangers of resource consumption DoS
attacks. But mostly browser developers ignore fixing these issues.
But in this case it's not only an attack on browsers, but on the whole user's
computer, because it blocks the whole computer and consumes all its
resources. This works in many browsers, including their latest
versions. So browser developers, with their neglect of this problem, make
entirely coordinated by me, and thus Wagner, Conviso and Check Point
have no responsibility for any mistake I may have made.
Anyway, just to clarify your points:
> First, you must have reported to the developer, but in what way?
I sent to the developer a complete advisory, including the exploit code.
> Confusing the XSS vulnerability with PHP code execution
> vulnerability is so funny. I can't help feeling that you told it
> So, as is clear, browser vendors only answer when they want.
>
>> Patches take time. They do not occur overnight. Furthermore it may take
>> a day for the vendor to respond to you.
>
> As I mentioned, 3 out of 4 developers answered me (but it's not common for
> cases with DoS holes). But MS didn't answer me for more than 1.5 weeks.
> From this you can see their attitude to such issues. And the example of
> Google, whose Chrome 4 was invulnerable to this hole (only Chrome 1.x was),
> shows their
So, as is clear, browser vendors only answer when they want.
> Patches take time. They do not occur overnight. Furthermore it may take
> a day for the vendor to respond to you.
As I mentioned, 3 out of 4 developers answered me (but it's not common for
cases with DoS holes). But MS didn't answer me for more than 1.5 weeks. From
this you can see their attitude to such issues. And the example of Google,
whose Chrome 4 was invulnerable to this hole (only Chrome 1.x was), shows their
attitude to such issues: that they are working to fix holes (including
those which were in older versions of their browser) even before they will be
> How can I solve this issue quickly?
There are the following solutions for you:
1. Wait until the developers of CB Captcha release a new fixed version of the
plugin. They have been examining this vulnerability for some time already (at
least Beat, the developer of CB Captcha 2.x, because of the two authors only he
answered me). But Beat told me that they will not be releasing the new fixed
version very quickly (due to their standardized bugfixing process), so
users of CB Captcha will need to wait for the new release.
bug tracking system to access information about issue #2947.
. 2009-11-17:
Core requests again information regarding the release date of TestLink
1.8.5 in order to schedule the release of this advisory accordingly,
since no reply on this has been yet given by the TestLink developers
contacted. Core also mentions that issue #2947 cannot be accessed by
the user created in order to follow the development of a patch for the
vulnerabilities reported here.
. 2009-11-17:
TSL ID: TSL20120214-01
1. Affected Software
Oracle Java Development Kit (JDK) 6 Update 30 and prior
Oracle Java Development Kit (JDK) 7 Update 2 and prior
Oracle JavaFX 2.0.2 and prior
Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
Oracle Java Runtime Environment (JRE) 7 Update 2 and prior
Initiative) a potential reuse of a deleted image frame in Firefox 3.6's
handling of multipart/x-mixed-replace images. Although no exploit was
shown, re-use of freed memory has led to exploitable vulnerabilities
in the past (CVE-2010-0164).
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0165,
CVE-2010-0167).
Hello,
On December 17th, 2008, the OpenVAS[1] developer team released OpenVAS 2.0.0
which marks the start of the next generation of the Open Vulnerability
Assessment System for network security scanning.
OpenVAS is a fork of the Nessus security scanner which has continued development
under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0
in October 2007, the OpenVAS developers continued the auditing of the code
inherited from Nessus and have added a variety of useful features for OpenVAS
uninitialized string property can be used.
4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)
While not being a security vulnerability itself, please note that
applications running in developer mode and using Struts
DebuggingInterceptor are prone to remote command execution as well.
While applications should never run in developer mode during
production, developers should be aware that doing so not only has
performance issues (as documented) but also a critical security impact.
I've reported the following XSS vulnerability in cforms II. This vulnerability was fixed on February 14, 2012 by its developer.
WordPress cformsII Plugin "rs" Cross-Site Scripting Vulnerability - Secunia.com
http://secunia.com/advisories/47984/
You might think this is a normal XSS vulnerability, but it isn't,
because the exploit code was published as a 0-day on Oct 30, 2010 in this list!
Are you puzzled?
> 'Virtual Keyboard' installations can be found using this 'Google dork':
>> http://google.com/search?hl=en&safe=off&filter=0&q=inurl%3A%22vkeyboard.php%22
>
> This vulnerability was originally reported in early May 2010.
> A suitable update fixing this issue, Virtual Keyboard v0.9.2 for
> Squirrelmail 1.4.x, has been provided to the Squirrelmail developers and
> me by Daniel Kobayashi Imori of Bastion Systems (the original developer
> of this plugin) in early June 2010 and is attached to this email -
> thanks Daniel. The Squirrelmail team has not yet managed to update this
> plugin in their repository:
> http://squirrelmail.org/plugin_view.php?id=159
raw transmit library created by Joshua Wright and Mike Kershaw, Scruby,
the Ruby port of Philippe Biondi's Scapy project, developed by Sylvain
Sarmejeanne, and a contextual encoding system for Metasploit payloads.
"Contextual encoding breaks most forms of shellcode analysis by
encoding a payload with a target-specific key" said I)ruid, author of
the Uninformed Journal (volume 9) article and developer of the
contextual encoding system included with Metasploit 3.1.
The graphical user interface is a major step forward for Metasploit
users on the Windows platform. Development of this interface was driven
by Fabrice Mourron and provides a wizard-based exploitation system, a
========
Timeline
========
06/19/09 Alien Arena 7.30 released
06/21/09 Anonymous remote arbitrary code execution vulnerability discovered
06/22/09 Request for contact sent to Alien Arena's developers
06/23/09 Detailed vulnerability report responsibly disclosed to Lead Developer
of Alien Arena
06/23/09 Security vulnerability "fixed" (Revision 1390)[3]
06/23/09 Broken "fix" identified and responsibly disclosed to Lead Developer
of Alien Arena
I didn't test it on such a large scale of devices (just in different browsers
on my PC).
> Credit : Except Apple - nobody
It's a very common situation (developers not taking seriously the security
professionals who find holes in their programs). Especially in the case of
DoS vulnerabilities.
> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of CMS AltConstructor before the version released
on 16.08.2010, in which the developers fixed the holes after my report.
----------
Details:
----------
http://www.ptsecurity.com
Positive Technologies is one of the leading companies in information security in Russia. The company's principal activities are: development of information security monitoring systems (XSpider, MaxPatrol); consulting and services in IT security; and development of the SecurityLab special portal.
Positive Technologies products are certified by the Ministry of Defense of the Russian Federation and the Federal Service for Technical and Export Control (FSTEK Russia). Positive Technologies clients include more than 40 state institutes, more than 50 banks and financial structures, 20 telecommunication companies, more than 40 industrial enterprises, IT companies, service and retail companies from Russia, the CIS and the Baltic states, and also from Great Britain, Germany, Holland, Israel, Iran, China, Mexico, the USA, Thailand, Turkey, Ecuador, the South African Republic and Japan.
Positive Technologies is a team of highly qualified developers, consultants and experts with great practical experience who hold professional titles and certificates, are members of international organizations and actively take part in industry development.
PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP
with 0x41414141 on that platform). October 18th 2010 (a two weeks
timeframe) is set as a potential release date for the advisory.
. 2010-10-05:
Cisco PSIRT contacts Core stating that their development team is out of
the office till Friday October 8th. November 15th 2010 is mentioned as
an estimated release date for a fix.
. 2010-10-05:
Core replies to Cisco PSIRT postponing the release date of this advisory
others how to make their lives more enjoyable, this category is for you.
# Community
In addition to individual speakers the Chaos Communication Congress
is also inviting groups such as developer teams, projects and
activists to present themselves and their topics.
Developer groups are also encouraged to ask for support to hold
smaller on-site developer conferences and meetings in the course of
the Congress.
I want to warn you about security vulnerabilities in the NovaBoard system.
In this advisory I continue to inform readers of mailing lists about
vulnerable web applications which use CaptchaSecurityImages.php. If
you read Bugtraq you could see the letter which was posted last week by a
developer of one such vulnerable web application (which I posted to the
list before). And from that letter it's clear that web developers
ignore the advisory about holes in CaptchaSecurityImages.php itself, and only
pay attention to advisories about their specific web applications. So, as I
already wrote to the list, it's the only way to draw the attention of web
developers to these issues.
base of around 5800 Tests. With the release of OpenVAS 2.0 in December
2008, the development was boosted and has now reached an average of 10
code updates per day. The public OpenVAS NVT Feed Service delivers 3-10
new vulnerability tests every day.
The significantly grown and globally distributed developer team will
gather at the second OpenVAS developers conference[2] July 9-12 2009 in
Germany. During the conference features and a roadmap for OpenVAS 3.0
will be scheduled.
The OpenVAS project is backed by a number of companies, which also
2008-10-15: Contest closes
2008-10-30: Winners nominated
How to participate:
* express your wish to participate on the OpenVAS developer mailing list
and present your idea
* summarize your contribution before the contest closes and submit
it to the OpenVAS developer mailing list
[1] http://www.openvas.org/