Next Page >>
hosting
Description:
"Fortinet's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that fulfill 3 factors:
1.- HTTP Requests are terminated by the CRLF characters.
2.- Forcing to talk via HTTP/1.0 version so that dont send the host header.
3.- Finally, by Fragmenting the GET or POST requests
Analysis:
Fortinet's past vulnerability
Title: Multiple Security Bugs In Hosting Controller
Critical: Extremely critical
Impact: Full system administrator access
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: N/A From company - There is temporary solution in this report
Exploit: Available
Release Date: 2007 - December
Credit: www.BugReport.ir
??
I'm unclear - exactly how does an ICMP echo cycle have anything to do with the apparent disparity between the host portion of the CONNECT URI and the contents of the host header?
I can see the logic in :
1. comparing the HOST header to the host portion of the CONNECT URI
2. resolving either to a name or IP address (depending on its original state)
3. comparing the resolved results to each other (DNS RR records will be an interesting case)
The thing to bear in mind is that reverse resolution (IP-to-name) on the Internet tends to be flaky to the point of completely useless.
There are two main problems:
Among the many reasons that promote the adoption virtualization
technologies, one of the most commons today is the promise of an improved
information security posture due to the implied isolation between multiple
virtualized systems (referred as Guest systems) and the non-virtualized
systems controlling the virtualization hardware and software (the Host
system) [1].
Consequently, software bugs that could allow potential attackers to
invalidate the premise of effective isolation between Host and Guest
systems are considered security vulnerabilities with a potentially high
To be clear, the CONNECT request is a single request/response cycle between the client and the proxy. Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic). There is nothing that explicitly disallows inclusion of the host header in a CONNECT request. Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.
The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.
Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).
Also, whether the McAffee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.
Details
=======
Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a
host device to be identified by a single IP address even though the
device may move its physical point of attachment from one network to
another. Regardless of movement between different networks,
connectivity at the different points is achieved seamlessly without
user intervention. Roaming from a wired network to a wireless or
wide-area network is also possible.
>
> > Hi there,
> >
> > First of all - please forgive me, I'm not a developer and I don't use
> > the automation API. However, I use VMware a lot for development. I
> > have a Windows XP host machine and I use VMware to develop Linux code
> > (Debian Etch, Linux 2.6).
>
> I'm a p570 user on the server side, but I do use vmware workstation for
> development purposes as well.
>
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0005
Synopsis: VMware Hosted products, VI Client and patches for ESX
and ESXi resolve multiple security issues
Issue date: 2009-04-03
Updated on: 2009-04-03 (initial release of advisory)
CVE numbers: CVE-2008-4916 CVE-2008-3761 CVE-2009-1146
CVE-2009-1147 CVE-2009-0909 CVE-2009-0910
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0007
Synopsis: VMware hosted products, vCenter Server and ESX
patches resolve multiple security issues
Issue date: 2010-04-09
Updated on: 2010-04-09 (initial release of advisory)
CVE numbers: CVE-2010-1142 CVE-2010-1140 CVE-2009-2042
CVE-2009-1564 CVE-2009-1565 CVE-2009-3732
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0007
Synopsis: VMware hosted products, vCenter Server and ESX
patches resolve multiple security issues
Issue date: 2010-04-09
Updated on: 2010-04-09 (initial release of advisory)
CVE numbers: CVE-2010-1142 CVE-2010-1140 CVE-2009-2042
CVE-2009-1564 CVE-2009-1565 CVE-2009-3732
Bugtraq ID: 25984
CVE Name: CVE-2007-0063
*Vulnerability Description*
OpenBSD’s DHCP server, dhcpd, implements the Dynamic Host Configuration
Protocol (DHCP) [1] and the Internet Bootstrap Protocol (BOOTP) [2]. DHCP
allows hosts on a TCP/IP network to request and be assigned IP addresses,
and also to discover information about the network to which they are
attached. BOOTP provides similar functionality, with certain restrictions.
Hi there,
First of all - please forgive me, I'm not a developer and I don't use
the automation API. However, I use VMware a lot for development. I
have a Windows XP host machine and I use VMware to develop Linux code
(Debian Etch, Linux 2.6).
On 8/23/07, Arthur Corliss <corliss@digitalmages.com> wrote:
> On Wed, 22 Aug 2007, M. Burnett wrote:
>
> Hi there,
>
> First of all - please forgive me, I'm not a developer and I don't use
> the automation API. However, I use VMware a lot for development. I
> have a Windows XP host machine and I use VMware to develop Linux code
> (Debian Etch, Linux 2.6).
I'm a p570 user on the server side, but I do use vmware workstation for
development purposes as well.
Hash: SHA256
*Summary*
VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
Hash: SHA256
*Summary*
VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
<tbody>
<tr>
<td width="43%" align="left">
<form name="form1" action="'.$SERVER[PHP_SELF].'"
enctype="multipart/form-data" method="post">
<p></font><font color="#00ff00" > hostname
(ex:www.sitename.com): </font><input name="host" size="20"> <span
class="Stile5"><font color="#FF0000">*</span></p>
<p></font><font color="#00ff00" > path (ex: /joomla/ or
just / ): </font><input name="path" size="20"> <span
class="Stile5"><font color="#FF0000">*</span></p>
CVE: CVE-2011-4899
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete. However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.
After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor. In addition, with control
of the database store, malicious Javascript can be injected into the content
Hello,
We might be able to fix this by simply doing a ping to the website
before connecting, so that the IP of the host specified matches the
connect field. In any case, the consistency of the host and connect is
indeed a big design flaw.
- Vikram
On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes
* This code posts a crafted comment with a very simple
PHP shell.
* It exploits the LFI, hides the shell in the cache directory
* and starts a remote command session via POST.
*
* Syntax: php fp-lfi2rce.php <host> <path> [action] [lang] [shell]
* <host>: the hostname or IP address of your target;
* <path>: the path where FlatPress was installed;
* [action]: the action to take against the host system
(test, attack);
* [lang]: the remote language used (en, it);";
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
die("\nsocket_create(): " . socket_strerror($s) . "\n");
if (socket_connect($s, $host, 80) == false)
>
> Interestingly enough, OpenBSD uses a flavor of this PRNG for
> another field, this time the IP fragmentation ID, part of the
> OpenBSD kernel network stack. The analysis carries out quite
> similarly to show that OpenBSD's IP ID is predictable as well,
> which gives way to O/S fingerprinting, idle-scanning, host alias
> detection, traffic analysis, and in some cases, even to TCP blind
> data injection.
>
> But it gets more interesting. Several other BSD operating systems
> copied the OpenBSD code for their own IP ID PRNG, so they're
Debian-specific: yes
CVE Id(s) : CVE-2008-0166
The recently announced vulnerability in Debian's openssl package
(DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result,
all user and host keys generated using broken versions of the openssl
package must be considered untrustworthy, even after the openssl update
has been applied.
1. Install the security updates
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 192.168.1.195:6080
# bt ~ # nc -vv 192.168.1.195 4444
# 192.168.1.195: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
Interestingly enough, OpenBSD uses a flavor of this PRNG for
another field, this time the IP fragmentation ID, part of the
OpenBSD kernel network stack. The analysis carries out quite
similarly to show that OpenBSD's IP ID is predictable as well,
which gives way to O/S fingerprinting, idle-scanning, host alias
detection, traffic analysis, and in some cases, even to TCP blind
data injection.
But it gets more interesting. Several other BSD operating systems
copied the OpenBSD code for their own IP ID PRNG, so they're
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability
----------------------------------------------------------------
Overview:
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.
II. Problem Description
In multiple situations the host's jail rc.d(8) script does not check if
WSADATA wsaData;
WSAStartup(MAKEWORD(2,0), &wsaData);
#endif
}
unsigned long resolv(const char *host)
{
struct hostent *hp;
unsigned long host_ip;
host_ip = inet_addr(host);
WSADATA wsaData;
WSAStartup(MAKEWORD(2,0), &wsaData);
#endif
}
unsigned long resolv(const char *host)
{
struct hostent *hp;
unsigned long host_ip;
host_ip = inet_addr(host);
I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.
the issue. There are many, many situations where someone would want to
access a vmware guest via the console and not allow any network access at
all. One that comes to mind is an offline root CA that you can only fire up
only when you need it--a virtual offline machine. Another situation for
myself is I keep all my hacking/pen-testing tools on a vm that I can use
when I need them, and quickly move to any vm host I need to run them on. I
don't necessarily want to make that virtual machine accessible from the
network. Anyway, it is absurd to say you will never log in to the console,
sometimes you just have to.
Whether it affects you personally or not, it certainly is helpful to know
Next Page>>
|
