idea
- RFID Hacking
- Proximity Card Hacking
- Cryptographic Cracking Using FPGA Technology
We would love to see the same breadth and depth of submissions as we
have in previous years, so if you have an idea you're on the fence
about - please send it in! For a complete list of past presentations,
visit www.layerone.info.
Please be sure to include the following information in your submission:
> do have use beyond surfing adult-content).
>
>
> > To tell you the truth,
> > the original motivation was just that it's not a
> > good idea to have a valid authentication token
> > (the file retrieval session ID) embedded in a URL.
>
> Sure, it can show up in logs, referer, etc. If
> you don't mind JavaScript, it's easy enough to
> use JavaScript to submit a POST.
That's the future, like it or not. Cookies are not only "good enough",
but they have distinct advantages over Digest when it comes to
verifying and tracking Identity.
But this stuff makes for good thought so keep the ideas rolling,
---
Arian Evans
capitalist marksman. eats animals and cookies.
On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some
time before that was a new attack vector for filesystem functions (fopen,
(include|require)[_once]?, file_(put|get)_contents, etc) for the PHP
language. It was a path normalization issue and I asked them to keep it
"secret" [4]; this was a good idea because my analysis was mostly
incomplete and erroneous, but the idea was good and the bug was real and
disposable.
Later, on Dec 24, 2008, on sla.ckers.org barbarianbob showed a path
truncation attack against PHP that is partially based on my attack.
Hi Arian,
> Good points James. I read this paper a few times to make sure I got
> the point, and it's a cute idea but I just don't see it happening.
Pessimism is understandable; I don't fault you for that.
> For multi-node, multi-app, websites sharing auth/state/preferences
> across multiple web assets (physical servers and logical "websites")
-------------------
Mitigation
-----------------------
It is a good idea to prevent users from creating files on filesystems mounted
without nosuid. The following interesting solution for administrators who
cannot modify their partitioning scheme was suggested to me by Rob Holland
(@robholland):
You can use bind mounts to make directories like /tmp, /var/tmp, etc., nosuid,
On 3/23/2011 12:54 PM, Luigi Auriemma wrote:
>> I fundamentally disagree with the idea that public disclosure
>> as a means of vendor notification serves any purpose
> so now the question is, why don't all these "good guys" spend their
> personal time and skills to find these vulnerabilities and report
> them to the vendors before me?
>
> the answer is that usually such people don't have the skills or simply
> don't like the idea of doing professional work completely for free and
> even with the obligation of doing everything the vendor wants before
> Anyway... I'd bet that every implementation that "followed" the spec is
> vulnerable....
Unfortunately :(
>> By the way, I don't think it is a good idea to disallow any Extension
>> Headers in ND-Messages,
>
> Consensus at the relevant IETF working-group (6man) seems to be to only
> ban the Fragment Header (when SEND is not employed).
I'd like to discuss this further, there are many options and I really
tell them to build better deployment images.
If you have this problem, your IT guys are not doing their job.
Bob Fiero wrote:
>> You get the idea. This is non issue.
>>
>
> I disagree. You are involved in intense business negotiations. During lunch you leave your notebook unattended assuming it is safe with a password protected
> userID. Your competitor goes in to the conference room and logs in with
> Administrator and installs something like eBlaster to log everything
limits on everything. That said, I agree that implementation advice is
strongly needed.
Will certainly take a look. Thanks!
No, it isn't a good idea. You can always use JRequest::getVar, specifying
the type
(http://api.joomla.org/Joomla-Framework/Environment/JRequest.html#getVar).
The allowed types are: INT, FLOAT, BOOLEAN, WORD, ALNUM, CMD, BASE64,
STRING, ARRAY, PATH.
Regards.
--
In multiple locations of the MiFi web interface user input is not
properly encoded when output back to the user. One interesting location
is the key field for the wifi settings. I’m wondering why the hell
somebody thought it was a good idea to print the wifi key in clear text
back to the user, and in this case it’s not properly encoded either
giving us a nice 63 character persistent injection point for script.
So for those that weren’t paying attention: Any MiFi user that visits a
specially crafted page will give up their GPS location to the attacker.
> Proposed fixes:
> do not enable SNMP at all. vendor fix required.
This AP can use VLAN tagging to separate management traffic from user data,
which is generally a good idea in any environment.
Simon
> You get the idea. This is non issue.
I disagree. You are involved in intense business negotiations. During lunch you leave your notebook unattended assuming it is safe with a password protected
userID. Your competitor goes in to the conference room and logs in with
Administrator and installs something like eBlaster to log everything
you do and email it to him.
Far fetched, but not a non-issue.
_____
From: Bob Fiero [mailto:i.am@mentalfloss.net]
Sent: Thursday, May 14, 2009 10:12 AM
To: bugtraq@securityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Asus notebook
+/* logWritev is vulnerable to buffer overflow */
ssize_t fakeLogWritev(int fd, const struct iovec* vector, int count)
{
/* Assume that open() was called first. */
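Review bot: the `/* Assume that open() was called first. */` comment encodes an unchecked precondition in fakeLogWritev; given that the first line of the hunk describes the original logWritev as vulnerable to buffer overflow, the replacement should validate fd and bound `count` against the length of `vector` before use rather than rely on the caller, and the comment should state what happens when the assumption does not hold.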
(Sidenote: passing arrays by value is probably not a good idea.)
diff --git a/vold/ProcessKiller.c b/vold/ProcessKiller.c
index eeaae04..b8856ac 100644
--- a/vold/ProcessKiller.c
+++ b/vold/ProcessKiller.c
Announcement: 4/11/2008
We are proud to announce the 16th annual Def Con.
If you are at all familiar with any of the previous Cons, then you will have
a good idea of what DEF CON will be like. If you don't have any experience
with Cons, they are an event on the order of a pilgrimage to Mecca for the
underground. They are a mind-blowing orgy of information exchange,
viewpoints, speeches, education, enlightenment... And most of all sheer,
unchecked PARTYING. It is an event that you must experience at least once in
your lifetime.
Hi,
To show the progress of the OSSTMM 3 we have released a 20 page sample
with the ToC included. You'll see the graphics have not been put in
nor the new cover attached and there's still some chapters missing and
2 needing editing but this sample should give you a good idea of the
extensive content we're working with and how far we've come since the
Lite version was released. It's a completely new re-write from 2.0
with a big focus on clarity for the end user. Let's just say we don't
want it to read like stereo instructions again ;)
Best regards,
Tony.
--
Lysistrata had a good idea.
=========================
The Shmoo Group (TSG) is an independent think-tank of security
professionals from around the world who donate their time and energy
towards information security research and development. Six years ago
TSG had an idea. This idea has grown into a community recognized
security conference attended by over 1500 people.
Although ShmooCon is primarily a security conference, we encourage
innovative and interesting submissions on offbeat technology topics.
Greatest consideration will be given to new presentations, but updates
bunnies problem onto the Windows desktop. The level of warnings is
irrelevant, you could have a hundred or a thousand warnings and users would
still click through all of them to see the dancing bunnies. I first saw this
issue covered at the AVAR conference last year (before Vista had even been
released), there's only the abstract online at
http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea
of what the anti-virus guys are concerned about here. Microsoft's coverage of
gadget security at the time,
http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire
any more trust in the design.
CP, Adam, Frank^2, Vyrus - TwatFS: Surly abuse of social networking bandwidth
Ryan S. Upton, CISSP - Incident Response 101
Doug Cohen - Computation and Modeling
We're particularly excited about the new tool being debuted by the
DC949 folks, TwatFS. Like Twitter? Like the idea of distributed
storage? Well, you'll like this then. Hate Twitter? Like the idea of
it being used for something other than its intended purpose? Well,
you'll like this too.
Pre-registration will be closing May 15th. The pre-registration price
$this->clean_globals( $_REQUEST );
This function will replace special characters such as
the null byte one and "../" (this replacement can be
easily bypassed, we'll see that later), by their
entities. Good idea, but bad implementation:
function clean_globals( &$data, $iteration = 0 )
...
foreach( $data as $k => $v )
{
Part of the problem of the CRL approach is that CAs usually have
policies against obtaining private keys and therefore can't prove to the
customer that their keys are compromised. And adding a CRL entry when
the customer isn't convinced that they've got a problem is probably not
a good idea, either.
=========================================================================
Now, register_globals has defaulted to off ever since PHP 4.2.0. I think it
would be fair to let PHP scripts rely on this, and not consider all scripts
that don't initialize their variables as vulnerable unless they require
register_globals to be on (this is not to say that it's not a good idea to
initialize variables).
And it would of course be nice if people posting to Bugtraq actually tested
their PoCs first. Can't the moderator spot obvious cases like this, or are
all vaguely relevant posts accepted, potentially for public ridicule?