
[waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1

Fatal error: Cannot redeclare error_handler() (previously declared in
C:\apache_www\opencart1521\index.php:78) in
C:\apache_www\opencart1521\admin\index.php on line 87

The error message above indicates that the directory traversal was successful
and the PHP script "admin/index.php" was included as expected.


###############################################################################
2. Arbitrary File Upload in "product.php"
###############################################################################

PHP filesystem attack vectors

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc/passwd' | head -n1
(doesn't work as expected)

$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc//passwd' | head -n1
root:x:0:0:root:/root:/bin/bash


RE: [Full-disclosure] Microsoft Help Files (.CHM): 'Locked File' Feature Bypass

The text from the uri handler did work, but I'm not sure what the ramifications of that are. Oh, the Action Panel did show up. 

I agree this isn't an "exploit" but I guess it is somewhat interesting.  Of course, downloading random .chm files is akin to downloading any remote content-rendering document, except that .chm won't automatically run from the internet in the first place, even with your rendering code in it that must be accepted by the user to load in the first place.  

As such (again, notwithstanding the mild interest around it) I'm confused by the "This was the response I expected" comment because if I read it right, it sounds as if you are being condemning for some reason.  Are you saying "this is the response I expected" because it is the correct response and you are aware of what would be required to push out supported hotfixes for low impact issues, or are you saying "this is the response I expected" because you somehow think it SHOULD be hotfixed, but is not, and that is "typical" (as in "irresponsible") or something like that?

It actually brings up a question that I find more interesting than the issue itself, which is "how far is too far?"  If MSFT designs a system around identifying files sourced from different zones in an attempt to mitigate risk of end-users downloading unknown content and immediately executing it, how far beyond user-acknowledgment and feature disabling (as even your "bypass" example shows) do you think a vendor is supposed to go (Not YOU, but the royal "you")?

I think it is a valid and applicable question. We have Apple seizing every opportunity they can to make user-acknowledgement for mitigation marketed as an actual Bad Thing, yet when a file downloaded from untrusted sources on the internet is marked as Internet Zone, and the user has to explicitly attempt to open it, and doing so generates a warning and they open it anyway, and even then the "bypass" code doesn't even work, yet MSFT say they'll fix it in a service pack anyway, the entire issue you found gets reduced to "This was the response I expected." 


Re: /proc filesystem allows bypassing directory permissions on Linux

On Fri, Oct 23, 2009 at 11:57:58PM +0400, Dan Yefimov wrote:
> That can hardly be called a real security hole, since the behaviour
> described above is expected, and is as it was conceived by design.

Lots of security holes can fall into that category!  The code matches
its design, and works as expected... it's just that the author had no
idea what he was getting himself into.  =8^)  

> If the file owner in fact allows writing to it, why should Linux
> prevent that from happening?

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

            inReader.close();
      messageLog.append("Request Property"+connection.getRequestProperty("cookie")+"\n");

...you simply connect to targetsite.net and then download a cookie using
getRequestHeader. This is not a breach of any kind but expected behavior
for a signed applet which has been allowed to perform this action.

> 
> 4. A second request is done for the purpose 
> of the demo which leaks www.targetsite.net 

CORE-2011-0506 - Multiples Vulnerabilities in ManageEngine ServiceDesk Plus

. 2011-05-16:
The Service Desk team notifies they are analyzing the [CVE-2011-1509]
issue and it will take them some time to fix it. The issue
[CVE-2011-1510] was identified and it will be fixed in SDP 8012, which
is expected by the end of May 2011.

. 2011-05-23:
Core requests to clarify whether the problems will be released
altogether or in two release cycles.


Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

    }
  }

  The Zend_Log destructor iterates through an array which it expects
  inside the _writers property. Each element of this array is then
  expected to have a method called shutdown() which is then executed.
  The next step in creating an exploit is to find classes that contain
  a shutdown() method. The best fitting class is Zend_Log_Writer_Mail.
  It is the same class that is also utilized in the generic Zend
  Framework exploit.


Trust Testing and Metrics

Computing Group (TCG) is claiming to create trust so they can have
security, a much less romantic goal but nevertheless an equally difficult
journey.

As the TCG writes, "Trust as it applies to trusted computing is hardware
and software behaves as expected" [1]. However, ask any person in a
committed relationship and they will tell you that trust is certainly not
about each other behaving as expected. For people, that definition would
suggest a controlling or subjugating partner and those are terms that
divorce lawyers use to explain how the relationship broke down. This
highlights the huge gap that exists between what the TCG defines as trust

Re: /proc filesystem allows bypassing directory permissions on Linux

> ||  User1 verifies no hard links to file
> ||                      User2 can not open the file for read or write access
> ||                      User2 can not write to file descriptor 4
> ||                      User2 _can_ write to /proc/$$/fd/4
> ||
> ||  Now user2 is expected to be able to have read-access to the file via
> ||  (he opened it in step 2).  If he attempts to write with ">&4" then it
> ||  silently fails (on Linux, anyway).  But access via /proc/$$/fd/4 allows
> ||  write access.
>
> On Sat, Oct 24, 2009 at 01:46:17AM -0500, Derek Martin wrote:

pwgen: non-uniform distribution of passwords

Subject: pwgen: non-uniform distribution of passwords

Hi Ted,

I did some testing of pwgen-2.06's "pronounceable" passwords, and I
think they might be weaker than you had expected (depends on what you
had expected, which I obviously don't know).

Specifically, not only is the keyspace significantly smaller than that
for "secure" passwords (which I'm sure you were aware of), but also the
distribution is highly non-uniform.  My guess is that this results from

Re: /proc filesystem allows bypassing directory permissions on Linux

||  User1 verifies no hard links to file
||                      User2 can not open the file for read or write access
||                      User2 can not write to file descriptor 4
||                      User2 _can_ write to /proc/$$/fd/4
||
||  Now user2 is expected to be able to have read-access to the file via
||  (he opened it in step 2).  If he attempts to write with ">&4" then it
||  silently fails (on Linux, anyway).  But access via /proc/$$/fd/4 allows
||  write access.

On Sat, Oct 24, 2009 at 01:46:17AM -0500, Derek Martin wrote:

Network Security Scanner OpenVAS 2.0.0 Released

  prefix 1.3.6.1.4.1.25623, backward compatibility in server and client has been
  ensured.

* 64-bit Support:
  Intensive work on 64-bit cleanliness has been undertaken. OpenVAS 2.0.0
  is expected to be fully 64-bit compatible.

* Improved GUI Client:
  The OpenVAS-Client has seen a number of improvements and is now able to
  display NVT signature information in the GUI and in the various reports.
  Reporting has been improved as well as localization for various languages

Advisory 02/2009: PHPIDS Unserialize() Vulnerability

    }
  }

  The Zend_Log destructor iterates through an array which it expects
  inside the _writers property. Each element of this array is then
  expected to have a method called shutdown() which is then executed.
  The next step in creating an exploit is to find classes that contain
  a shutdown method. The best fitting class is the Zend_Log_Writer_Mail

  public function shutdown()
  {

Re: /proc filesystem allows bypassing directory permissions on Linux

> >
> ># ...until we take a way around it with /proc filesystem. Oops.
> >guest@toy:/tmp/my_priv$ echo got you>  /proc/self/fd/3
> >
> That can hardly be called a real security hole, since the behaviour
> described above is expected, and is as it was conceived by design.
> If the file owner in fact allows writing to it, why should Linux
> prevent that from happening?

No, I do not think this is expected. You could not write to that file
under traditional unix, and you can not write into that file when

Hellcode Research: Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability

Debugger Results:

(ea8.aec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=734c4d90 ecx=035efe24 edx=00000193 esi=035efe24 edi=035efe24
eip=62408f23 esp=035efd20 ebp=035efd6c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Novell\NDS\httpstk.dlm - 
httpstk!HT_RspCCSetNoCache+0x5fb:

Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

                                        $index++;
                                        $expecting_op = false;
                                //===============
                                } elseif ($op == ')' and $expecting_op) { // ready to close a parenthesis?
                                        while (($o2 = $stack->pop()) != '(') { // pop off the stack back to the last (
                                                if (is_null($o2)) return $this->trigger("unexpected ')'");
                                                else $output[] = $o2;
                                        }
                                        if (preg_match("/^([a-z]\w*)\($/", $stack->last(2), $matches)) { // did we just close a function?
                                                $fnn = $matches[1]; // get the function name
                                                $arg_count = $stack->pop(); // see how many arguments there were (cleverly stored on the stack, thank you)

[MajorSecurity Advisory #59]PHP <=5.3 - mysqli_real_escape_string() full path disclosure

The mysqli_real_escape_string() PHP function takes strings as parameters 
and will raise warnings when the values that are passed are arrays rather 
than strings.
To get the path of the current script, you simply need to pass the 
arguments as arrays rather than the expected strings
and then read the warning message generated by PHP to see the 
error including the full path of the currently running script.

Proof of concept:
http://localhost/cms/sqlfilter/sqlsanatizer.php?params[]=

Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control

  * HTML that is delivered via instant messaging applications

WebEx Upgrade Timeline
+---------------------

Upgrades from WBS 23 versions to WBS 26 are expected to be complete
by the end of September 2008.

Fixed versions of WBS 25 are expected to be deployed by the end of
September 2008.


[MajorSecurity Advisory #57]PHP <=5.3 - preg_match() full path disclosure

gather the real path of the server side script.

The preg_match() PHP function takes strings as parameters and will raise 
warnings when the values that are passed are arrays rather than strings.
To get the path of the current script, you simply need to pass the 
arguments as arrays rather than the expected strings
and then read the warning message generated by PHP to see the 
error including the full path of the currently running script.

Proof of concept:
http://localhost/cms/modules/system/admin.php?fct=users&op[]=

Some more details on IE STYLE zero-day

I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,
extra data that precedes the class instance.  (This means that a
CDispNode-family class instance is not expected to snugly occupy its
own heap block.)  CDispNode::SetExpandedClipRect then backs up the
class instance pointer (the 'this' pointer, which of course points to
the vtable pointer initially) by that many machine words and expects
to find a flags field there.  This is only a problem if the extra size
index is 0, because CDispNode::_extraSizeTable[0] == 0, and in

Re: Certificate spoofing issue with Mozilla, Konqueror, Safari 2

On Tue, 20 Nov 2007, Kapetanakis Giannis wrote:

> I would consider this a feature of the X509 standard and not a bug.

The behavior is remarkably counterintuitive. It could be reasonably
expected for the browser to properly communicate the situation (show a
list of aliases) to the user, or better yet, to initially bind non-trusted
certs to their originating domain only, at least until an explicit desire
to extend their authority is expressed by the user.

What the standard says is immaterial - it is not expected to anticipate

Secunia Research: CA ARCserve Backup RPC "handle_t" Argument Vulnerability

24/10/2007 - Vendor notified.
24/10/2007 - Vendor response.
21/11/2007 - Status update requested.
21/11/2007 - Vendor responds that development is working on patches.
07/04/2008 - Status update requested.
08/04/2008 - Vendor notifies expected release in May 2008.
21/05/2008 - Vendor notifies expected release in October 2008.
10/11/2008 - Vendor informed that October release did not fix the
             reported vulnerability in version 11.5.
10/11/2008 - Vendor requests additional information.
10/11/2008 - Additional information provided to the vendor.

ACM CCS 2010: Call for Workshop Proposals

* A draft "Call for Papers" articulating the scope and topics covered
   by the workshop
* A brief summary and justification for the workshop, including
   anticipated benefits to the ACM CCS community.
* Planned activities
* Expected number of submissions and acceptance rate
* Expected number of attendees
* Program chair(s), and, if available, tentative program committee
* A one-paragraph biographical sketch for each organizer, describing
   relevant qualifications, including research and conference/workshop
   organizing experience

Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)

Hi folks,

Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected in Firefox, apparently due to a code refactoring in
2008. The vulnerability permits malicious websites to access and
modify the contents of special pages such as about:neterror or
about:config, which has consequences ranging from content spoofing to

[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0

Examples:

http://localhost/cruxcms.3.0.0/manager/switcher.php?style[]

Warning: setcookie() expects parameter 2 to be string, array given in
C:\apache_wwwroot\cruxcms.3.0.0\manager\switcher.php on line 24


http://localhost/cruxcms.3.0.0/search.php?search[]


Titan FTP Server Remote Heap Overflow (USER/PASS)

#Impact : Critical
#
# Windbg Output:
#(bec.528): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=41414141 ebx=00000000 ecx=07e415f4 edx=00000000 esi=41414141 edi=07e415f4
#eip=004bbafa esp=06e4fb38 ebp=06e4fb5c iopl=0         nv up ei pl nz na po nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
#srxTitan+0xbbafa:
#004bbafa 8930             mov     [eax],esi         ds:0023:41414141=????????

Re: /proc filesystem allows bypassing directory permissions on Linux

On Sat 2009-10-24 01:24:49, Dan Yefimov wrote:
> On 24.10.2009 1:08, Pavel Machek wrote:
> >>That can hardly be called a real security hole, since the behaviour
> >>described above is expected, and is as it was conceived by design.
> >>If the file owner in fact allows writing to it, why should Linux
> >>prevent that from happening?
> >
> >No, I do not think this is expected. You could not write to that file
> >under traditional unix, and you can not write into that file when
> >/proc is unmounted.

Re: pwgen: non-uniform distribution of passwords

> 3:00:48 - 1.8% - 55.2%
> 3:21:44 - 2.3% - 59.4%
> 5:05:17 - 3.1% - 64.2%
...
> I did some testing of pwgen-2.06's "pronounceable" passwords, and I
> think they might be weaker than you had expected (depends on what you
> had expected, which I obviously don't know).

It was just pointed out to me off-list that the man page for pwgen
specifically mentions that this kind of passwords "should not be used in
places where the password could be attacked via an off-line brute-force

n.runs-SA-2011.002 - Citrix XenApp / XenDesktop XML Service Heap Corruption

The following Windbg output shows the observed crash of the XML service:

(b68.1020): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=009bfdac ecx=009bfd00 edx=00000000 esi=43434342 edi=00000000
eip=7c82ae6e esp=009bfd60 ebp=009bfd90 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000

Design flaw in AS3 socket handling allows port probing

     * Ubuntu Edgy: Firefox 2.0.0.5 / Flash Player 9.0.47.0
     * Mac OSX 10.4.10: Safari 2.0.4 / Flash Player 9.0.47.0
     * Mac OSX 10.4.10: Safari 3.0.2 / Flash Player 9.0.47.0
     * Mac OSX 10.4.10: Firefox 2.0.0.6 / Flash Player 9.0.47.0
     * Solaris 10 i86: Firefox 2.0.0.3 / Flash Player 9.0.47.0
Doesn't work as expected on:
     * Mac OSX 10.4.10: Opera 9.22 / Flash Player 9.0.47.0

# Known limitations
     * The Scanner does not work on services that close the TCP
connection immediately after they receive bytes that they don't

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.