
Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

 "This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."
 Usually when I see that an application claims to be secure, they really don't know what the fuck they
 are doing. OpenClassifieds' security model is deeply flawed and as a result there are MANY
 vulnerabilities in this code base which allowed me to string a few cool ones together to make an
 interesting exploit. OpenClassifieds is sanitizing everything on input using cG() and cP(); these
 functions are used to perform a mysql_real_escape_string() on all GET and POST variables. Most
 servers aren't using an exotic character set, so from a security standpoint this is exactly identical to
 magic_quotes_gpc. So I dusted off my usual magic_quotes_gpc auditing tricks: look for
 stripslashes(), base64_decode(), urldecode(), html_entity_decode(), lack of quote marks around variables
 in a query, etc... Sanitization must ALWAYS be done at the time of use; parametrized queries are a
 good example of this. It's impossible to account for all the ways a variable can be mangled once it

KwsPHP (Upload) Remote Code Execution Exploit

        print "Email       account's email\n";
        print "File        PHP script upload and execute\n";
        print "Id  account'id\n\n";
        exit();
        }
function getparam($param,$opt='')
{
        global $argv;
        foreach($argv as $value => $key)
        {
                if($key == '-'.$param) return $argv[$value+1];

RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution and Code Execution Vulnerabilities

other attacks are possible including information disclosure and file deletion, 
see typelib:

class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
        /* DISPID=1610612736 */
        function QueryInterface(
                /* VT_PTR [26] [in] --> ? [29]  */ &$riid,
                /* VT_PTR [26] [out] --> VT_PTR [26]  */ &$ppvObj 
                )
        {
        }

[Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities

# yeah ... it rox (:
class ipb_spl
{
        var $web;

        function main()
        {
                $this->mhead();
                
                # Gimme your args
                $this->p_attack = $this->get_p('attack', true);

[Advisory] Invision Power Board <= 2.3.5 Multiple Vulnerabilities and Security Bypass

  I - INTRODUCTION

  Before continuing, you need to know some stuff about how
  user input is handled. All superglobal arrays which
  can be partially modified by the user are passed to the
  function "parse_clean_globals()". Let's see the content
  of the file "sources/ipsclass.php":

  4847| $this->clean_globals( $_GET );
  4848| $this->clean_globals( $_POST );
  4849| $this->clean_globals( $_COOKIE );

Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

  I - IP SPOOFING

  The file "scripts/sb_communicate.php" contains the following
  code: 

  19| function getIP() {
  20|  if ( !empty ( $_SERVER[ 'HTTP_CLIENT_IP' ] ) ) {
  21|             $ip = $_SERVER[ 'HTTP_CLIENT_IP' ];
  22|  }
  23|  else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
  24|     $ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];

New bypass shell for linux

.top {BACKGROUND-COLOR: "#D0D0D0"}
.firstalt {BACKGROUND-COLOR: "#000000"}
.secondalt {BACKGROUND-COLOR: "#000000"}
</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
        for (var i=0;i<form.elements.length;i++) {
                var e = form.elements[i];
                if (e.name != 'chkall')
                e.checked = form.chkall.checked;
    }

Mtr - remote and local stack overflow - uncomment situation in libresolv.

Mtr allows local and remote attackers to overflow a buffer on the stack.


   Description:

Mtr combines the functionality of the traceroute and ping programs in a single
network diagnostic tool. For more detail, please read the manual page.


   Details:


VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

        var $flags = array(
           -1 => '-',
            0 => '/',
            1 => '+');

        function main()
        {
                $this->agent('Mozilla Firefox');
                $this->cookiejar(1);

                $this->mhead();

Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

familiar
with the way IPB handles input data. Below is a quick trace of input
validation process. The code snippets come from IPB version 3.0.4.

line | file: admin/sources/base/ipsRegistry.php
352  | static public function init()
353  | {
...  |
...  |
462  | IPSLib::cleanGlobals( $_GET );
463  | IPSLib::cleanGlobals( $_POST );

[ MDVSA-2011:029 ] kernel

 allows remote attackers to cause a denial of service (heap memory
 corruption and panic) or possibly have
 unspecified other impact via malformed data, a different vulnerability
 than CVE-2010-4164. (CVE-2010-3873)
 
 The bcm_connect function in the Broadcast Manager in the Controller Area
 Network (CAN) implementation in the Linux kernel creates a publicly accessible
 file with a filename containing a kernel memory address, which allows
 local users to obtain potentially sensitive information about kernel
 memory use by listing this filename. (CVE-2010-4565)
 

RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution Vulnerabilities

other attacks are possible,
see typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
        /* DISPID=1610612736 */
        function QueryInterface(
                /* VT_PTR [26] [in] --> ? [29]  */ &$riid,
                /* VT_PTR [26] [out] --> VT_PTR [26]  */ &$ppvObj 
                )
        {
        }

n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table

Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.

If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
keys. The algorithmic complexity of inserting n elements into the table
then goes to O(n**2), making it possible to exhaust hours of CPU time
using a single HTTP request.

[ MDVSA-2010:198 ] kernel

 
 fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always
 follow NFS automount symlinks, which allows attackers to have an
 unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088)
 
 The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem
 in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9
 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure
 members, which might allow local users to obtain sensitive information
 from kernel memory via unspecified vectors. (CVE-2009-3228)
 

[ MDVSA-2010:188 ] kernel

 
 fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always
 follow NFS automount symlinks, which allows attackers to have an
 unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088)
 
 The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem
 in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9
 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure
 members, which might allow local users to obtain sensitive information
 from kernel memory via unspecified vectors. (CVE-2009-3228)
 

FreeWebshop.org: multiple vulnerabilities

------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
address to the webservers. If these headers are found, FWS will use the
value of the header as the user's IP address. If these headers are
not set, FWS uses the IP address of the connecting party.

[waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1

Source code snippet from vulnerable script "action.php":
-----------------[ source code start ]---------------------------------
final class Action {
        protected $file;
..
        public function __construct($route, $args = array()) {
                $path = '';
                
                $parts = explode('/', str_replace('../', '', (string)$route));
                
                foreach ($parts as $part) { 

glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit

     
    SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
     
    ...
     
    see SESS_updateSessionTime() function near lines 418-436:
     
    ...
    function SESS_updateSessionTime($sessid, $md5_based=0) {
    global $_TABLES;
     

Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

  source applications that are vulnerable to this.

  During our search it was discovered that Piwik does unserialize()
  data from the cookie and uses parts of the Zend Framework:

  protected function loadContentFromCookie()
  {
    $cookieStr = $_COOKIE[$this->name];
    $values = explode( self::VALUE_SEPARATOR, $cookieStr);
    foreach($values as $nameValue)
    {

PHP filesystem attack vectors

                   evilaliv3 DOT org)
 Date              20090207

I)    Introduction
II)   The bugs in 50 words
III)  PHP filesystem functions path normalization attack
IV)   PHP filesystem functions path normalization attack details
V)    PHP filesystem functions path truncation attack
VI)   PHP filesystem functions path truncation attack details
VII)  The facts
VIII) POC and attack code

PHP Security Framework: Vuln and Security Bypass

  included. So the script must also be secured for this type
  of server database.

  In recent research that I have done, I found that
  60% of the PHP scripts which support Oracle aren't safe!
  People think that if they use the function addslashes()
  on a string which has quotes, they'll be secured
  against SQL Injection. On MySQL that's roughly true, but
  on Oracle that's wrong.

  The escape character for MySQL is a backslash: [\].

php create_function command injection vulnerability

PHP uses the create_function function to create an anonymous function, as described below (taken from the PHP manual):

--------------------------------------------------
Description
string create_function ( string args, string code )


Creates an anonymous function from the parameters passed, and returns a unique name for it. Usually the args will be passed as a single quote delimited string, and this is also recommended for the code. The reason for using single quoted strings, is to protect the variable names from parsing, otherwise, if you use double quotes there will be a need to escape the variable names, e.g. \$avar.

You can use this function, to (for example) create a function from information gathered at run time: 

[ MDVSA-2011:051 ] kernel

 Affected: Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 The do_anonymous_page function in mm/memory.c in the Linux kernel
 does not properly separate the stack and the heap, which allows
 context-dependent attackers to execute arbitrary code by writing
 to the bottom page of a shared memory segment, as demonstrated by a
 memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)
 

SiteMinder Agent: Cross Site Scripting

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=[XSS]


# Cross Site Scripting (Code):

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0

In this way we can inject the alert() code without brackets in the
function resetCredFields().



[DZC-2009-001] The Movie Player and VLC Media Player Real Data Transport parsing integer underflow.

Abstract:
---------

Mplayer
Source file:    stream/realrtsp/real.c
function:       int real_get_rdt_chunk(rtsp_t *rtsp_session,
                                       char **buffer,
                                       int rdt_rawdata)


VLC

Publique! CMS SQL Injection Vulnerabilities

 CGILua message
 Lua error on configuration (or extension)

   Error:       unexpected type to index table
   Active Stack:
     function _ERRORMESSAGE at C code
     function _initStart at //S/Publique/work/carregal/sys/reader/start.lua
     main of //S/Publique/work/carregal/sys/reader/start.lua
     function old_dofile at C code
     function dofile at
//S/Publique/work/carregal/cgi/cgilua/cgilua.conf/pos_env.lua

[ MDVSA-2009:324 ] php

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in php:
 
 The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent
 attackers to cause a denial of service (file truncation) via a key with
 the NULL byte.  NOTE: this might only be a vulnerability in limited
 circumstances in which the attacker can modify or add database entries
 but does not have permissions to truncate the file (CVE-2008-7068).
 

[ GLSA 200710-02 ] PHP: Multiple vulnerabilities

Description
===========

Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip
Olausson reported integer overflows in the gdImageCreate() and
gdImageCreateTrueColor() functions of the GD library which can cause
heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered
an integer overflow in the chunk_split() function that can lead to a
heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused
incorrect buffer size calculation due to precision loss, also resulting
in a possible heap-based buffer overflow (CVE-2007-4661 and

CORE-2011-0203 - MS HyperV Persistent DoS Vulnerability

latest released version 6.1.7600.16701 of the above mentioned driver.

When digging into the vulnerability, in the 0x20 position of a
hypervisor packet there is a QWORD (0x3333333333333333 in the PoC) that
seems to be the length of something. This value is checked in the
function 'VidLockObjectShared', located in the driver 'vid.sys'. The
QWORD is compared against the value 0xffeff and the function returns
with error 0xC0370022 if the QWORD value is higher. Apparently, that
causes some flag not to be set, and the packet processing never ends.
Unfortunately, additional and specific technical information regarding
the root and nature of this vulnerability was not provided by Microsoft.

Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

    }
    header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');
    WS_authenticate();
    ...

    now WS_authenticate() function in /system/lib-webservices.php near lines 780-877:

    ...
    function WS_authenticate()
    {
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
