error message
Let's try this proof of concept test:
http://localhost/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts
&mergepost[war]=1&mergepost[axe]=2
... and we can see the SQL error message:
MySQL error: 1054
Unknown column 'war' in 'where clause'
Query: SELECT p.pid, p.uid, p.fid, p.tid, p.visible, p.message, f.usepostcounts
FROM mybb_posts p LEFT JOIN mybb_forums f ON (f.fid=p.fid)
We can see here that the 'sprintf' function at line 3267 will write on
the buffer 'msgBuffer' if there is an error, but it will never check
that the error message fits the length of that buffer, so if the
attribute exceeds a length of about 170 characters, a buffer overflow
will ensue.
The following page consisting of a single HTML tag is enough to trigger
this vulnerability. This code will control the instruction pointer,
to it in /tmp:
attacker@thegibson:~$ ln -s /etc/sekrut /tmp/sekrut.map
The attacker then accesses <http://site/cgi-bin/mapserv?
map=/tmp/sekrut.map> and receives the following error message:
msLoadMap(): Unknown identifier. Parsing error
near (passw0rd):(line 1)
Product URL: http://www.cisco.com/en/US/products/ps7314/
Author: nitrus [ Alejandro Hernandez H. ]
Discovery Date: 24/Aug/2009
Attack Vector: Remote
CVSS v2 Base Score: 5 (Medium) [ AV:N/AC:L/Au:N/C:P/I:N/A:N ]
Class: I think it's a design problem in the error messages' handling
Product Information
=======================================
);
[----------- source code snippet end -----------]
It appears that the user-submitted parameter "answer" is not properly sanitized
before being used in an SQL query. As a result, SQL injection is possible. The test
will induce an SQL error message:
Invalid SQL:
UPDATE vb_hvanswer
SET answer = 'war'axe'
WHERE answerid = 1;
=====================================================================================
[Technical Details]
HP System Management Homepage (SMH) is prone to an XSS vulnerability because it
fails to check the input parameter used to show a generic error message.
The vulnerability affects the "message.php" script. In detail, this page uses the
JavaScript property "location.search" in order to create a contextual error message.
If the error ID provided in the URL does not match any valid code, a generic error
is reported ("An unknown error (%INVALID_CODE%) occurred") instead.
more in three weeks.
To put the icing on the cake:
- the software installs without any error message on Windows 2000,
although it needs Windows XP or Windows Vista to run (see
<http://service.t-online.de/c/12/70/32/44/12703244.html>), and
fails to start with error message "Library UXTHEME.DLL missing"
after successful installation.
*** Windows Media Player Plugin: Local File Detection Vulnerability ***
A design flaw in Windows Media Player 11 allows a remote attacker to determine the presence of local files (programs, documents, etc.). I sent an e-mail to Microsoft (nearly a year ago) but they never responded…
Windows Media Player permits opening locally stored media files. Opening unsupported files usually provokes an error message. With a simple HTTP redirect, the error message can be circumvented and local files can be opened. The file-opening procedure can be observed through the "Player.OpenStateChange" event. If a file exists, event 8 ("MediaChanging") is fired. This way, via JavaScript, a malicious web site could determine the presence of local (and remote) files.
Additional information (in German): www.lrv.ch.vu
I've also set up a demo page at: http://lrv.bplaced.net/wmp/wmp.php
gcc's FORTIFY_SOURCE feature. For those who don't know, this feature
attempts to prevent exploitation of a subset of buffer overflows by
inserting a set of checks at compile-time, including stack canaries
for some functions. It's enabled by default in many cases. In
particular, when FORTIFY_SOURCE detects an overflow, it aborts
execution and prints an error message that might look similar to the
following:
*** stack smashing detected ***: ./strcpy terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0x502b30]
So let's have a test:
http://victim.com/search.php?search=O'Brien
and we get a nice error message:
SiteX experienced error #1 with an SQL bash readout of : You have an error
in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near
'Brien%' OR SiteX_Photos.name LIKE '%O'Brien%' OR
server by issuing a request like:
http://website/zen-cart/extras/curltest.php?url=file:///etc/passwd
The extras directory contains other test scripts. One of them, named
ipn_test_return.php, is not properly written and will display an error
message when called directly:
If you issue a request like
http://website/zen-cart/extras/ipn_test_return.php
you will receive the following error message:
attack)! It is also possible that the RSA host key has just been
changed.
In this case, the host key has simply been changed, and you
should update the relevant known_hosts file as indicated in the
error message.
3. Check all OpenSSH user keys
The safest course of action is to regenerate all OpenSSH user
keys, except where it can be established to a high degree of
4. Attacker replaces the user's visited sites with fake phishing sites
(makes legitimate-sounding names with URL obfuscation).
5. Every time the user opens a phishing site and gets a login page, the user's
credentials get stolen. The attacker will present a login error message, asking the
user to try again later. At the same time, the attacker will reset that phishing
site back to the legitimate page. This way, the user will never know what
happened.
6. On another note, the attacker can always keep at least 1 or 2 phishing
dom/base/nsJSEnvironment.cpp in Mozilla Firefox 3.5.x before 3.5.11
and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x
before 3.1.1, and SeaMonkey before 2.0.6 does not properly suppress
a script's URL in certain circumstances involving a redirect and an
error message, which allows remote attackers to obtain sensitive
information about script parameters via a crafted HTML document,
related to the window.onerror handler (CVE-2010-2754).
Mozilla Firefox permits cross-origin loading of CSS stylesheets
even when the stylesheet download has an incorrect MIME type and the
> # #
> # contact.......: Amir[at]IrIsT.ir #
> # #
> # Exploit.......: http://www.site.com/[path]/wp-content/plugins/advanced-text-widget/advancedtext.php?page=[xss] #
Do you have a working PoC for this issue? In which version did you test this? I only get the error message:
mod_fcgid: stderr: PHP Fatal error: Call to undefined function plugin_basename() in <snip>/wp-content/plugins/advanced-text-widget/advancedtext.php on line 11
- Henri Salo
Symptoms of successful attack
One or more of the following:
* Control panel lights are blinking, no response to pushing buttons
* LCD panel displays error message
* LCD panel displays a halted progress bar
* Switching power off from on/off button takes more than 10 seconds
Proof of Concept:
Examples:
tel:<124 characters> and sms:<124 characters>
Best guess is an off-by-one bug, since shorter numbers work and longer
numbers produce an error message.
The crash will reboot the GUI of the phone. After 4 reboots in a row
the phone will switch off completely (e.g. user constantly trying to
read the tag containing this value).
- 0f85ce020000
+ 909090909090
After that, run DataAdministration (%OpenEdge%\bin\prowin32.exe) and try to
log in to the RDBMS with any UserID and without a password.
The application shows an error message box but still allows entry into the RDBMS with
the chosen UserID. If the chosen UserID has Security Administrator privileges,
the attacker gets those privileges. By default, all users in OpenEdge RDBMS
have Security Administrator privileges.
Fix Information
Mitigation
It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May 2011, or to the latest available version.
Alternatively, it is recommended to implement a custom error page (e.g. error_page.jsp) which either uses proper output encoding to display XWork-generated errors or displays a generic error message. An example of the Struts configuration (required in the struts.xml file) is shown below:
…
<global-results>
<result name="error">/error_page.jsp</result>
</global-results>
#
#############################################################
Introduction:
-------------
Flooding a UNIStim IP Softphone on the RTCP port with garbage immediately results in a Microsoft Windows error message, which is most likely caused by
memory corruption (buffer overflow).
This vulnerability may be exploitable to gain user privileges on the client workstation and execute malicious commands or code.
Nortel has noted this as:
Title: UNIStim IP Softphone - Potential Vulnerability Due to Buffer Overflow
For what it is worth...
I'm running MR4 version (11.0.4000.2295) and executing the command under a non-privileged account does throw a dialog box with the error message. It also puts an event in the application event log to the effect of "Faulting application smc.exe, version 11.0.4000.2261, faulting module msvcr80.dll, version 8.0.50727.1433, fault address 0x000079f", but watching task manager, SMC.EXE running under the SYSTEM user and SMCGUI.EXE running under the same non-privileged account never die. I do see an additional SMC.EXE process start up under the non-privileged user, but it is the process failing. I also tried running the command with an admin account with the same results.
Multiple vulnerabilities have been discovered and corrected in libpng:
The png_format_buffer function in pngerror.c in libpng allows
remote attackers to cause a denial of service (application crash)
via a crafted PNG image that triggers an out-of-bounds read during
the copying of error-message data. NOTE: this vulnerability exists
because of a CVE-2004-0421 regression (CVE-2011-2501).
Buffer overflow in libpng, when used by an application that calls the
png_rgb_to_gray function but not the png_set_expand function, allows
remote attackers to overwrite memory with an arbitrary amount of data,
* Two vulnerabilities were found in the Kerberos 4 support in KDC: A
global variable is not set for some incoming message types, leading
to a NULL pointer dereference or a double free() (CVE-2008-0062) and
unused portions of a buffer are not properly cleared when generating
an error message, which results in stack content being contained in a
reply (CVE-2008-0063).
* Jeff Altman (Secure Endpoints) discovered a buffer overflow in the
RPC library server code, used in the kadmin server, caused when too
many file descriptors are opened (CVE-2008-0947).
################
2) Cross-Site Scripting Vulnerabilities
a) If the script doesn't find the file, PHP shows an error message, so for XSS
open this:
http://site.tldwordpress/wp-admin/admin.php?page=dmsguestbook&advanced=1&folder=language/&file=<script>alert("XSS")</script>
On Jan 10, 2008, at 7:45 PM, Luigi Auriemma wrote:
> To exploit this vulnerability it is only needed that a user follows
> a rtsp:// link; if port 554 of the server is closed, QuickTime will
> automatically change the transport and will try the HTTP protocol on
> port 80, and the 404 error message of the server (other error numbers are
> valid too) will be visualized in the LCD-like screen.
Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn't
try to connect to port 80 if 554 is closed.
Software and configured for IPv6 operation are vulnerable. A device
that is running Cisco IOS Software and that has IPv6 enabled will
show some interfaces with assigned IPv6 addresses when the "show ipv6
interface brief" command is executed.
The "show ipv6 interface brief" command will produce an error message
if the version of Cisco IOS Software in use does not support IPv6, or
will not show any interfaces with IPv6 address if IPv6 is disabled.
The system is not vulnerable in these scenarios.
Sample output of the "show ipv6 interface brief" command on a system
Two serious functionality issues after installing this service pack. See following thread for details...
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2173615&SiteID=1
in brief
i) Pages with customized data view web parts or data view web parts linked to lists on other sites are not accessible. Error message is either "access denied" or "Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator."
ii) No user can use the Edit in Datasheet View feature on lists. (Possibly OK for admins.) When the 'Edit in Datasheet View' button is clicked, the Datasheet control appears to load; however, the page is redirected back to the default view in every case.
Issues currently unconfirmed by Microsoft.
I can hardly find any information about this post, but this is exactly what happened after I installed service pack 3.
What is funny about this error (Pages with customized data view web parts or data view web parts linked to lists on other sites are not accessible. Error message either "access denied" or "Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator.") is that it only happens when someone accesses my site from the outside world; as long as you access the site entirely, you don't see this error.
I also have a problem with users from my intranet not being able to log in at all.
If I find a fix I'll post it. Good luck.
2) Bug
======
Zoom Player is affected by a Unicode buffer overflow in the function
which builds the error messages.
The problem can be exploited for example through a malformed ZPL file
containing a http link to a file with PLS extension which will force
the program to use wsprintf for building the "Unable to play [%s]"
error message.
CVE-2010-1618
A Cross-site scripting (XSS) vulnerability in the phpCAS
client library allows remote attackers to inject arbitrary web
script or HTML via a crafted URL, which is not properly
handled in an error message.
CVE-2010-1619
A Cross-site scripting (XSS) vulnerability in the
fix_non_standard_entities function in the KSES HTML text
cleaning library (weblib.php) allows remote attackers to