Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,
Yaws and Boa log escape sequence injection
Name: Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection
Systems Affected: nginx 0.7.64, Varnish 2.0.6, Cherokee 0.99.30, mini_httpd 1.19
(Affected versions: Any)
D) "Session Dump Servlet" stored XSS
(Affected versions: Any)
E) "Cookie Dump Servlet" escape sequence injection
(Affected versions: Any)
F) Http Content-Length header escape sequence injection
(Affected versions: Any)
----- Original Message ----
From: Tavis Ormandy <taviso@cmpxchg8b.com>
To: full-disclosure@lists.grok.org.uk
Cc: bugtraq@securityfocus.com
Sent: Wed, June 9, 2010 4:46:21 PM
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
----------------------------------------------------------------------------
Help and Support Centre is the default application provided to access online
(And try dealing with Microsoft licensing sometime if you think security
communication is lacking)
Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp",
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
Using hcp:// URLs is intended to be safe, as when invoked via the registered
Quote from http://www.php.net
"PHP is a widely-used general-purpose scripting language that
is especially suited for Web development and can be embedded
into HTML."
In PHP there exist two functions to escape shell commands or
arguments to shell commands that are used in PHP applications
to protect against shell command injection vulnerabilities.
- escapeshellcmd()
- escapeshellarg()
Product : Vim -- Vi IMproved
Version : >= 7.2a.013; tested with 7.2b
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Improper implementation of the shellescape() function and lack of
documentation can result in untrusted data being insufficiently
sanitized, possibly leading to arbitrary code execution.
compromise.
2. Detail
Most database queries in WordPress use the escape() method to sanitize SQL
strings, which essentially filters input via the addslashes() function.
However, addslashes() fails to consider the character set used in the SQL string,
and blindly inserts a backslash before any single quote, regardless of
whether that backslash will combine with the preceding byte to form another valid character.
- --- EXAMPLE 1 ---
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'
GET /icons/ http/1.1
Host: localhost
Content-type: text/html
Keep-Alive: 300
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Syslog-ng: Chroot escape
Date: July 12, 2009
Bugs: #247278
ID: 200907-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Many developers still rely on escaping user input by adding backslashes (for example using magic_quotes_gpc or addslashes() in PHP), although it is well known that adding a backslash to escape input is not sufficient to prevent SQL injection attacks, for many different reasons.
One of those reasons is that MS Access uses a different method to escape an apostrophe ('): it is doubled ('') instead of prefixed with a backslash (\').
It's true that injection takes place easily in this case, but leveraging it is not so easy with the traditional injection technique, since an excess slash corrupts the query structure and causes an error (namely "Syntax error (missing operator) in query expression...").
For example consider this query:
SELECT * FROM Users WHERE Username = '$user' AND Password = '$pass'
Are you kidding ?
As the PHP manual said "if you use double quotes there will be a need to escape the variable names".
In your example you use a function with double quotes, without escaping the variable $sort_by, so
this is not a PHP vulnerability, but a development one.
For this time, don't blame PHP, blame developers.
It's like if I was using mysql_query() without escaping user's inputs...an sql injection, not a PHP vuln ;)
}

return $t;
}
So, we can't use any SQL escape character if
magic_quotes_gpc is turned on. But if not, we can
still use the character \. Now let's see how we'll
bypass these protections =)
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&doaction=1
HTML Injection: (this will only affect the user logged in apparently..)
http://[HOST]/pivot/pivot/user.php?func=edit_prefs&w=my_weblog
sign-up form (all fields might be affected, but the url field is recommended)
(use "> to escape the tag)
http://[HOST]/pivot/pivot/user.php?func=reg_user&w=my_weblog
-- Set username to <script>alert(0)</script>
CVE Id(s) : CVE-2008-2383
Debian Bug : 510030
Paul Szabo discovered that xterm, a terminal emulator for the X Window
System, places arbitrary characters into the input buffer when
displaying certain crafted escape sequences (CVE-2008-2383).
As an additional precaution, this security update also disables font
changing, user-defined keys, and X property changes through escape
sequences.
This XSS can be triggered by sending invalid data for numeric
parameters in several '.do' pages, causing the webapp to raise a
'java.lang.NumberFormatException' exception; this way,
'GenericError.jsp' will be called and it will print the data that
caused the exception without escaping HTML characters, leading to the
XSS vulnerability.
The following '.do' pages are affected, among others:
----- install/install1.php -----
The sanitizer strip_tags prevents new tags from being used (like
) but it does not filter onmouseover-type attacks. Addslashes inserts backslashes to escape special characters like the double quote, but since HTML does not process backslash escape sequences this sanitizer is useless for preventing a break out of the double-quote jail, regardless of whether magic_quotes is enabled or not.
===== Impact =====
Malicious JavaScript code can be executed in the context of the affected web site.
http://www.debian.org/security/ Steffen Joeris
October 14, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : pygresql
Vulnerability : missing escape function
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-2940
####################
- Solution:
####################
Remove rss.php and wait for a fix from the vendor, or escape the GET
parameter in rss.php using the vendor's string escaping function
'quote_smart', as is done in all of the other files.
####################
Most of these vulnerabilities are present in the Testlink code
because the logic for the sanitization of user input is rudimentary.
Each script sanitizes its own input, instead of abstracting this task
to another layer of logic. Often only slashes are stripped, but html
entities are almost never escaped.
The only vulnerability in this report that can be exploited without
an authenticated session is an XSS vulnerability in Testlink's login
page 'login.php'. This script gets a parameter named 'req', which is
used by the application to set the next request to be made. All
HTTP secure server status: Disabled
These vulnerabilities are documented in the following Cisco bug IDs:
* Cisco bug ID CSCsi13344 - XSS in IOS HTTP Server
Special Characters are not escaped in URL strings sent to the
HTTP server.
* Cisco bug ID CSCsr72301 - XSS in IOS HTTP Server (ping parameter)
Special Characters are not escaped in URL strings sent to the
HTTP server, via the ping parameter. The ping parameter is used
both by external applications such as Router and Security Device
the "tagname" input value (POST Variable) without escaping, in a query.
The exact place of injection bug is at lines 67 and 69.
NOTE: Elsewhere in the query construction code the security measures are in place. In the file
"<SRC_DIR>/BlazeApps.Library/Search/PageSearch.cs" at lines 20 and 30 the
query parameters are all escaped in a prepared SQL statement.
But, only in the search module, the WHERE clause is built manually before
reaching the DB utility code.
In the "<SRC_DIR>/BlazeApps/App_Code/BlazeKBSVC.vb" file at lines 19 and 37
the "SearchString" function parameter is not escaped before using in
Cross-Site Scripting and Cross-Site Request Forgery attacks.
The SQL Injection is possible due to lack of filtration on the comment
post ID variable in the AJAX Comments script.
The Cross-Site Scripting is possible due to lack of filtration and
escaping on several stored options.
The Cross-Site Request Forgery is caused by the lack of the WordPress
Nonces on the options panel form.
    else if (cmdchar == '#')
        aux_ptr = (char_u *)(p_magic ? "/?.*~[^$\\" : "/?^$\\");
    else if (cmdchar == 'K' && !kp_help)
-->     aux_ptr = (char_u *)" \t\\\"|!";
    else
        /* Don't escape spaces and Tabs in a tag with a backslash */
-->     aux_ptr = (char_u *)"\\|\"";

    p = buf + STRLEN(buf);
    while (n-- > 0)
    {
Problem Description:
A vulnerability has been discovered in xterm, which can be exploited
by malicious people to compromise a user's system. The vulnerability
is caused due to xterm not properly processing the DECRQSS Device
Control Request Status String escape sequence. This can be exploited
to inject and execute arbitrary shell commands by e.g. tricking a
user into displaying a malicious text file containing a specially
crafted escape sequence via the more command in xterm (CVE-2008-2383).
The updated packages have been patched to prevent this.
People think that if they use the function addslashes()
on a string which has quotes, they'll be secured
against SQL Injection. On MySQL that's roughly true, but
on Oracle that's wrong.
The escape character for MySQL is a backslash, \x92[\].
The escape character for Oracle is a single quote, \x39['].
The script has a user interface for the administrators.
The file "lib/control/AuthentificationController.class.php"
contains the following code:
and accept the database update to clear any invalid cached data.
Details follow:
Thor Larholm discovered that PHPMailer, as used by Moodle, did not
correctly escape email addresses. A local attacker with direct access
to the Moodle database could exploit this to execute arbitrary commands
as the web server user. (CVE-2007-3215)
Nigel McNie discovered that fetching https URLs did not correctly escape
shell meta-characters. An authenticated remote attacker could execute
http://www.debian.org/security/ Steffen Joeris
October 14, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : postgresql-ocaml
Vulnerability : missing escape function
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-2943