Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Release Date: December 11, 2008
Date Reported: October 5, 2008
Severity: Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross
Overview:
Various URLs within the deployed OpenCms application version 7.5.0 are
open to attacks, including Cross-Site Scripting, Phishing Through Frames
and Application Error. Some of these attacks allow scripts to be injected
into a request parameter. The application should filter such hazardous
characters out of user input.
Example follows:
Vulnerable URL (from the OpenCms VFS):
/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/
shell meta-characters. An authenticated remote attacker could execute
arbitrary commands as the web server user, if curl was installed and
configured. (CVE-2008-4796, MSA-09-0003)
It was discovered that Smarty (also included in Moodle), did not
correctly filter certain inputs. An authenticated remote attacker could
exploit this to execute arbitrary PHP commands as the web server user.
(CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)
It was discovered that the unused SpellChecker extension in Moodle did not
correctly handle temporary files. If the tool had been locally modified,
A workaround for this vulnerability is to prevent UDP port 4500 traffic
from ever traversing IPsec tunnels terminating on the Cisco ASA 5500
Series Adaptive Security Appliance. This may be feasible since in most
cases there is no need for allowing IPsec tunnels inside IPsec tunnels.
Filtering out UDP port 4500 traffic across an IPsec tunnel can be
accomplished by using a VPN filter, as shown in the following example:
!-- Deny only UDP port 4500 traffic and allow everything else
access-list VPNFILTER extended deny udp any any eq 4500
users all over the world in educational institutes, schools, or
companies. See vendor homepage for details.
II. DESCRIPTION
An input filter for TeX formulas can be exploited to disclose files
readable by the web server. This includes the moodle configuration
file with all authentication data and server locations for directly
connecting to backend database.
The TeX filter is off by default, and even where it has been enabled, most
server systems will not have a complete LaTeX environment available.
Two cross-site scripting (XSS) vulnerabilities were reported in Horde
Framework. The first is that the Horde framework fails to properly
sanitize the filename of MIME attachments on received emails. The second
vulnerability has a wider impact.
Horde relies on code similar to Popoon's externalinput.php to filter out
potential XSS attacks on user-supplied input. This filter, and the original,
fail to fully sanitize user data. In particular, this filter fails to
protect against '/'s acting as spaces in both Microsoft Internet Explorer and
Mozilla Firefox.
Description: Lotus Quickr, announced at Lotusphere 2007, is an evolution of Lotus QuickPlace. The software uses a weak XSS filter that an attacker can bypass. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the IBM Lotus Quickr 8.0 software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
IBM Quickr 8.0 Server Calendar XSS Injection:
It seems that IBM Lotus Quickr uses an XSS filter, which an attacker can bypass.
Example of the IBM Quickr 8.0 XSS filter:
http://victim.com/QuickPlace/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20"><script>alert('g')</script>
and then you will get an error message from Quickr:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Bypassing servlet input validation filters (OWASP Stinger + Struts example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0. ORIGINAL ADVISORY
~~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/o0o_bypassing_servlet_input_validation_filters.txt
I. BACKGROUND
Advisory Released: 15th December 2008
Abstract
Barracuda Networks Message Archiver product is vulnerable to persistent and reflected Cross-Site Scripting (XSS) attacks. Barracuda Spam Firewall, IM Firewall and Web Filter products are vulnerable to multiple reflected XSS attacks. When exploited against an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack,
access to servers available on the intranet, etc.
Description
on operating system level.
1) Authentication bypass
This vulnerability provides an attacker full access to all functions
in the admin web interface without providing any user credentials.
The Tomcat filter which is responsible for authentication can be
completely circumvented.
2) SQL injection
It is possible to pass SQL statements to the backend database through
a SQL injection vulnerability. Depending on the particular
>> It's easy to compute all the public keys that will be generated
>> by the broken PRNG. The clients could embed that list and refuse
>> to accept any certificate containing one of them. So, this
>> is distinct from CRLs in that it doesn't require knowing which servers have which cert...
>
> Funnily enough I was just working on this -- and found that we'd end up adding a couple megabytes to every browser. #DEFINE NONSTARTER. I am curious about the feasibility of a large bloom filter that fails back to online checking though. This has side effects but perhaps they can be made statistically very unlikely, without blowing out the size of a browser.
Background
==========
CUPS provides a portable printing layer for UNIX-based operating
systems. The alternate pdftops filter is a CUPS filter used to convert
PDF files to the Postscript format via Poppler; the filter is installed
by default in Gentoo Linux.
Affected packages
=================
Details
Before moving a file to its final location, its path name is sent
through the function "bh_fpclean()" in
"includes/filesystem/filesystem/filesystem.inc.php" in order to canonize
its name and filter possible traversal attacks. This filter removes all
"/.." substrings but fails to remove two dots without a preceding slash.
By entering ".." (or ".." followed by a path) as the directory name, the
filter takes no action. Bytehoard then uses this tainted path and places
the file in the filestorage's parent directory.
2) OS Command Injection - CVE-2010-4278 - CVSS 9/10
The layout parameter in file operation/agentes/networkmap.php is not
properly filtered and allows an attacker to inject OS commands.
Snippet of vulnerable code (file operation/agentes/networkmap.php):
32 $layout = (string) get_parameter ('layout', 'radial');
...
Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and
earlier allows remote attackers to cause a denial of service (daemon
crash) and possibly execute arbitrary code via a crafted TIFF image,
which is not properly handled by the (1) _cupsImageReadTIFF function
in the imagetops filter and (2) imagetoraster filter, leading to a
heap-based buffer overflow. (CVE-2009-0163)
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
as used in Poppler and other products, when running on Mac OS X,
has unspecified impact, related to g*allocn. (CVE-2009-0165)
}
...
...
// compute the filtered pixel at (x,y) after the x and y scaling
// operations
m = xStep > 0 ? xStep : 1;
p = colorBuf + xSrc * 3; <- [2] !!!
pixAcc0 = pixAcc1 = pixAcc2 = 0;
for (i = 0; i < n; ++i) {
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
and other products allows remote attackers to cause a denial of service
(crash) via a crafted PDF file that triggers a free of uninitialized
Multiple vulnerabilities have been reported in Adobe Reader:
* Alin Rad Pop of Secunia Research reported a heap-based buffer
overflow in the JBIG2 filter (CVE-2009-0198).
* Mark Dowd of the IBM Internet Security Systems X-Force and Nicolas
Joly of VUPEN Security reported multiple heap-based buffer overflows
in the JBIG2 filter (CVE-2009-0509, CVE-2009-0510, CVE-2009-0511,
CVE-2009-0512, CVE-2009-0888, CVE-2009-0889)
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.
Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port
1975 will mitigate this vulnerability.
This vulnerability is documented in the Cisco Bug IDs CSCsg15342
and CSCsh29217 and has been assigned Common Vulnerabilities and
Exposures (CVE) ID CVE-2008-3805.
PE and CE devices.
2) MPLS Inter-AS option A with BGP running between the Autonomous
System Border Routers (ASBR).
The mitigation in the Workarounds section filters extended
communities on a PE device, preventing them from being received by
devices configured for MPLS VPN.
This vulnerability was introduced with Cisco bug ID CSCee83237. Cisco
IOS images that do not include CSCee83237 are not vulnerable to this
8e6 Technologies R3000 Internet Filter Bypass with Host Decoy
Product:
8e6 Technologies R3000 Internet Filter
http://www.8e6.com/network-security/internet-filtering/internet-filtering.html
The HTTP URL filtering function provided by the 8e6 Technologies R3000 Internet Filter contains a vulnerability in that it can mistake a properly formed custom header for the Host header. This can be exploited for bypassing the filter by providing an allowed site in the custom header.
On Fri, Aug 8, 2008 at 7:54 PM, Tim Dierks <tim@dierks.org> wrote:
> Using this Bloom filter calculator:
> http://www.cc.gatech.edu/~manolios/bloom-filters/calculator.html , plus the
> fact that there are 32,768 weak keys for every key type & size, I get
> various sizes of necessary Bloom filter, based on how many key type / sizes
> you want to check and various false positive rates:
> * 3 key types/sizes with 1e-6 false positive rate: 2826759 bits = 353 KB
> * 3 key types/sizes with 1e-9 false positive rate: 4240139 bits = 530 KB
> * 7 key types/sizes with 1e-6 false positive rate: 6595771 bits = 824 KB
> * 7 key types/sizes with 1e-9 false positive rate: 9893657 bits = 1237 KB
$this->msg('Getting security options', 0);
# Security options
$this->get_sec_options();
# IP filter ?
if( $this->conf['ip'] === '1' )
{
$this->s_bypass = true;
$this->msg('IP filter option is turned on', 0);
Vulnerable Variable : session
Address : http://Example.com/?session=">><>><script>alert(document.cookie)</script>
Solution : filter session variable with htmlspecialchars() function ...
----------------------------------------------------------------
Xss Vulnerability 2 :
> DragonFlyBSD (the 3 latter O/S however only use this PRNG when
> the kernel flag net.inet.ip.random_id is set to 1; it is 0 by
> default, resulting in a sequential counter to be used instead...).
> OpenBSD, NetBSD and FreeBSD also use this PRNG for IP
> fragmentation ID normalization feature (e.g. "scrub out random-
> id") in the packet filter module.
>
> Somewhat more distant flavors are used for various IPv6 fields
> across many BSD operating systems, which may be affected, and
> some other O/S not mentioned here, including possibly non-BSD O/S
> may be affected, since this code seems to have been extensively
99| * Example: index.php?id=1 UNION SELECT user, password ...
100| *
101| * It will return a secure string.
By seeing this comment and how the function is called, I
know that there'll be a filter against SQL Injections.
Let's see how the string is secured:
105| if(is_string($string_to_parse) and !empty($string_to_parse))
106| {
111| $keywords =
http://[host]/user/index.php?sall=1%%27%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14%20--%20
http://[host]/user/index.php?begin=search_user=&sall=&&sortfield=SQL_CODE_HERE
http://[host]/user/index.php?begin=search_user=&sall=&sortfield=u.login&sortorder=SQL_CODE_HERE
Successful exploitation of this vulnerability requires the attacker to be registered and logged in.
To bypass the Dolibarr SQL injection filter and exploit this vulnerability, an attacker would have to URL-encode the input.
3) Input passed via the "id" GET parameter to /user/info.php, /user/perms.php, /user/param_ihm.php, /user/note.php, /user/fiche.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available: