functionalities
print "Email account's email\n";
print "File PHP script upload and execute\n";
print "Id account'id\n\n";
exit();
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
# yeah ... it rox (:
class ipb_spl
{
var $web;
function main()
{
$this->mhead();
# Gimme your args
$this->p_attack = $this->get_p('attack', true);
I - INTRODUCTION
Before continuing, you need to know some things about how
users' input is handled. All superglobal arrays which
can be partially modified by the user are passed to the
function "parse_clean_globals()". Let's look at the content
of the file "sources/ipsclass.php":
4847| $this->clean_globals( $_GET );
4848| $this->clean_globals( $_POST );
4849| $this->clean_globals( $_COOKIE );
I - IP SPOOFING
The file "scripts/sb_communicate.php" contains the following
code:
19| function getIP() {
20| if ( !empty ( $_SERVER[ 'HTTP_CLIENT_IP' ] ) ) {
21| $ip = $_SERVER[ 'HTTP_CLIENT_IP' ];
22| }
23| else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
24| $ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
.top {BACKGROUND-COLOR: "#D0D0D0"}
.firstalt {BACKGROUND-COLOR: "#000000"}
.secondalt {BACKGROUND-COLOR: "#000000"}
</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
for (var i=0;i<form.elements.length;i++) {
var e = form.elements[i];
if (e.name != 'chkall')
e.checked = form.chkall.checked;
}
Mtr allows local and remote attackers to overflow a buffer on the stack.
Description:
Mtr combines the functionality of the traceroute and ping programs in a single
network diagnostic tool. For more details please read the manual page.
Details:
var $flags = array(
-1 => '-',
0 => '/',
1 => '+');
function main()
{
$this->agent('Mozilla Firefox');
$this->cookiejar(1);
$this->mhead();
familiar
with the way IPB handles input data. Below is a quick trace of input
validation process. The code snippets come from IPB version 3.0.4.
line | file: admin/sources/base/ipsRegistry.php
352 | static public function init()
353 | {
... |
... |
462 | IPSLib::cleanGlobals( $_GET );
463 | IPSLib::cleanGlobals( $_POST );
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
address to the web servers. If these headers are found, FWS uses the
value of the header as the user's IP address. If these headers are
not set, FWS uses the IP address of the connecting party.
SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
...
see SESS_updateSessionTime() function near lines 418-436:
...
function SESS_updateSessionTime($sessid, $md5_based=0) {
global $_TABLES;
source applications that are vulnerable to this.
During our search it was discovered that Piwik does unserialize()
data from the cookie and uses parts of the Zend Framework:
protected function loadContentFromCookie()
{
$cookieStr = $_COOKIE[$this->name];
$values = explode( self::VALUE_SEPARATOR, $cookieStr);
foreach($values as $nameValue)
{
evilaliv3 DOT org)
Date 20090207
I) Introduction
II) The bugs in 50 words
III) PHP filesystem functions path normalization attack
IV) PHP filesystem functions path normalization attack details
V) PHP filesystem functions path truncation attack
VI) PHP filesystem functions path truncation attack details
VII) The facts
VIII) POC and attack code
included. So the script must also be secured for this type
of server database.
In recent research that I have done, I found that
60% of the PHP scripts which support Oracle aren't safe!
People think that if they use the function addslashes()
on a string which has quotes, they'll be secured
against SQL Injection. On MySQL that's roughly true, but
on Oracle that's wrong.
The escape character for MySQL is the backslash [\].
PHP uses the create_function() function to create an anonymous function, as shown below (taken from the PHP manual):
--------------------------------------------------
Description
string create_function ( string args, string code )
Creates an anonymous function from the parameters passed, and returns a unique name for it. Usually the args will be passed as a single-quote-delimited string, and this is also recommended for the code. The reason for using single-quoted strings is to protect the variable names from parsing; otherwise, if you use double quotes, there will be a need to escape the variable names, e.g. \$avar.
You can use this function, to (for example) create a function from information gathered at run time:
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=[XSS]
# Cross Site Scripting (Code):
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0
In this way we can inject the alert() code without brackets in the
function resetCredFields().
CGILua message
Lua error on configuration (or extension)
Error: unexpected type to index table
Active Stack:
function _ERRORMESSAGE at C code
function _initStart at //S/Publique/work/carregal/sys/reader/start.lua
main of //S/Publique/work/carregal/sys/reader/start.lua
function old_dofile at C code
function dofile at
//S/Publique/work/carregal/cgi/cgilua/cgilua.conf/pos_env.lua
Problem Description:
Multiple vulnerabilities were discovered and corrected in PHP:
The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent
attackers to cause a denial of service (file truncation) via a key with
the NULL byte. NOTE: this might only be a vulnerability in limited
circumstances in which the attacker can modify or add database entries
but does not have permissions to truncate the file (CVE-2008-7068).
Abstract:
---------
Mplayer
Source file: stream/realrtsp/real.c
function: int real_get_rdt_chunk(rtsp_t *rtsp_session,
char **buffer,
int rdt_rawdata)
VLC
Description
===========
Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip
Olausson reported integer overflows in the gdImageCreate() and
gdImageCreateTrueColor() functions of the GD library which can cause
heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered
an integer overflow in the chunk_split() function that can lead to a
heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused
incorrect buffer size calculation due to precision loss, also resulting
in a possible heap-based buffer overflow (CVE-2007-4661 and
}
header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');
WS_authenticate();
...
now WS_authenticate() function in /system/lib-webservices.php near lines 780-877:
...
function WS_authenticate()
{
global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
vulnerability. The Magic Quotes must be off in order to exploit
this vulnerability, however this feature will not be supported
starting with PHP 6.0 (ref. http://it2.php.net/magic_quotes).
Zabbix has a security feature that parses all incoming input for
possible bad chars with the help of the function check_fields() defined
in "include/validate.inc.php". The issue we have discovered is contained
in this input validation code.
Pages define an array of every used variable that derives from external
(GPC) input. An example of the mechanism is the following:
http://[host]/[path_to_runcms]/userinfo.php?uid[]=1
Final notes:
This SQL injection vulnerability has to be considered high risk because as ADMIN you
can inject PHP code via the Filter/Banning functionality, e.g.:
click 'Administration Menu', then 'System Admin', then click on the Filters/Banning icon,
then 'Prohibited: Emails'.
Now you can edit the /modules/system/cache/bademails.php file.
Type in:
A remote denial of service can be triggered by an unauthenticated
attacker, by sending an unexpected 'op_connect_request' message with
invalid data of length greater than or equal to 12 bytes to the server.
Inside the server ('src/remote/server.cpp'), the function
'process_packet2()' processes a packet received from a client. This
function has a 'switch' statement that considers all the possible
opcodes defined in the protocol (see the 'P_OP' enum in
'src/remote/protocol.h').
$display .= COM_refresh ($_CONF['site_url']
. '/usersettings.php?mode=preferences&msg=6');
break;
...
All the $_POST[] variables are passed to the savepreferences() function.
Now look at that function, again in usersettings.php:
...
function savepreferences($A) {
global $_CONF, $_TABLES, $_USER;
SecurityRisk: High
Affected Software:
FreeBSD lines: 6,7
NetBSD 4
other systems that use these functions
Standard C Library (libc, -lc) for BSD
probably some MacOS versions
Advisory URL:
http://securityreason.com/achievement_securityalert/53
The part of the code responsible for uploading files looks as follows:
wp-admin/includes/file.php:
---[cut]---
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
---[cut]---
// All tests are on by default. Most can be turned off by $override[{test_name}] = false;
$test_form = true;
$test_size = true;
More Details
============
To prevent the execution of JavaScript and VBScript code in HTML emails
and to remove unwanted HTML tags, the IceWarp WebMail Server filters HTML
emails with the function cleanHTML() that is defined in the PHP file
html/webmail/server/inc/tools.php
This filtering function can be circumvented in various ways, to still
allow XSS to happen.
Details
Before moving a file to its final location, its path name is sent
through the function "bh_fpclean()" in
"includes/filesystem/filesystem/filesystem.inc.php" in order to canonize
its name and filter possible traversal attacks. This filter removes all
"/.." substrings but fails to remove two dots without a preceding slash.
By entering ".." (or ".." followed by a path) as the directory name, the
This service utilizes the StRpcSrv.dll, Stcommon.dll, Eng50.dll and
Notification.dll libraries to service various RPC requests.
Three buffer overflows exist within the StRpcSrv.dll library. The first
two vulnerabilities exist within the RPCFN_ENG_NewManualScan and
RPCFN_ENG_TimedNewManualScan functions. These functions copy
user-supplied data into a fixed-size heap buffer without performing
proper bounds checking. The third problem exists within the
RPCFN_SetComputerName function. This function copies user-supplied data
into a fixed-size stack buffer using the MultiByteToWideChar() function
without correctly specifying the output buffer length.