input validation
Bypassing servlet input validation filters (OWASP Stinger + Struts example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0. ORIGINAL ADVISORY
~~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/o0o_bypassing_servlet_input_validation_filters.txt
I. BACKGROUND
> "This paper will present a new class of attack, called SQL Smuggling.
> ...
I don't see how this is a new class of attack. You've merely outlined
some techniques to bypass broken data validation routines. In SQL
injection, as with any injection vulnerability, the correct way to fix
it is to rely on the syntax of the language to encode data which may be
interpreted as /special/.
Yes, this is database specific. That's not new. That's why you need to
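The distinction the reply draws, between patching a broken filter and letting the database driver keep data separate from SQL syntax, as an added example that is not part of the original thread. It uses Python's sqlite3 module and a constructed in-memory table; the table, the filter and the function names are assumptions made for the example. The filter strips quote characters, which is exactly the kind of "validation" that is bypassed by input that needs no quotes, while the bound-parameter version has nothing left for the database to re-interpret.

```python
"""Parameterised queries versus string-built SQL (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example, not real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cr3t-a"), (2, "bob", "s3cr3t-b")],
    )
    return conn


def strip_quotes(value: str) -> str:
    """A typical broken 'validation' routine: it only removes quote marks."""
    return value.replace("'", "").replace('"', "")


def secret_by_id_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: filtered text is pasted into the statement.

    In a numeric context no quote is needed, so "1 OR 1=1" passes the filter
    untouched and rewrites the WHERE clause.
    """
    sql = "SELECT secret FROM users WHERE id = " + strip_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def secret_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the value is bound, never parsed as SQL.

    The driver passes "1 OR 1=1" as an opaque parameter; SQLite cannot
    convert it to a number, so it matches no row of the INTEGER column.
    """
    sql = "SELECT secret FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    print(secret_by_id_concat(db, "1 OR 1=1"))  # both secrets
    print(secret_by_id_param(db, "1 OR 1=1"))   # []
    print(secret_by_id_param(db, "1"))          # ['s3cr3t-a']
```

The same pattern holds for any driver that supports placeholders; the database-specific quoting rules the reply mentions only matter when data is spliced into statement text.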
High
Details:
========
Multiple persistent input validation vulnerabilities were detected in the Enterasys SecureStack Switches Series A - C.
A local, low-privileged user account can inject malicious script code that is stored and later rendered by the affected
modules. When the stored code is triggered by another authenticated user, the identified vulnerabilities can result in
information disclosure via error messages, session hijacking, access to services reachable from the appliance, and execution
of manipulated persistent content outside the application context.
Vulnerable Module(s):
* The OWASP ESAPI project - Dave Wichers
* Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
* Evaluation Criteria for Web Application Firewalls - Ivan Ristic
* HTML5 security - Thomas Roessler
* The OWASP Orizon Project internals - Paolo Perego
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) - Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* PHPIDS Monitoring attack surface activity - Mario Heiderich
Census ID: census-2010-0001
URL:
http://census-labs.com/news/2010/05/26/freebsd-kernel-nfsclient/
CVE ID: CVE-2010-2020
Affected Products: FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE
Class: Improper Input Validation (CWE-20)
Remote: No
Discovered by: Patroklos Argyroudis
We have discovered two improper input validation vulnerabilities in the
FreeBSD kernel's NFS client-side implementation (FreeBSD 8.0-RELEASE,
Details:
========
1.1
Multiple persistent input validation vulnerabilities were detected in the Endian WAF UTM appliance web application.
The vulnerabilities allow an attacker to manipulate specific application requests by means of injected script code that the appliance stores and replays.
Vulnerable: Input Validation Vulnerabilities (Server-Side|Persistent)
(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/backup_overview.php)
Abstract:
=========
Vulnerability-lab Team discovered multiple Input Validation Vulnerabilities on Barracuda Backup Service v2.0.
Report-Timeline:
================
2011-05-03: Vendor Notification
* The vendor credits Stefano Di Paola of Minded Security for
reporting that an ActionScript attribute is not interpreted properly
(CVE-2008-4823).
* Riley Hassell and Josh Zelonis of iSEC Partners reported multiple
input validation errors (CVE-2008-4824).
* The aforementioned researchers also reported that ActionScript 2
does not verify a member element's size when performing several known
and other unspecified actions, that DefineConstantPool accepts an
untrusted input value for a "constant count" and that character
census ID: census-2009-0003
URL: http://census-labs.com/news/2009/12/02/corehttp-web-server/
CVE ID: CVE-2009-3586
Affected Products: CoreHTTP web server versions <= 0.5.3.1.
Class: Improper Input Validation (CWE-20), Failure to Constrain
Operations within the Bounds of a Memory Buffer (CWE-119)
Remote: Yes
Discovered by: Patroklos Argyroudis
We have discovered a remotely exploitable "improper input validation"
rows of the tree_edit() routine are:
function tree_edit() {
global $colors, $fields_tree_edit;
/* ================= input validation ================= */
input_validate_input_number(get_request_var("id"));
/* ==================================================== */
The input_validate_input_number routine correctly validates the
parameter, but the problem is that the get_request_var routine returns
Release mode: Coordinated release
*Vulnerability Information*
Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007
Title: Aryanic HighPortal, HighCMS Multiple Vulnerabilities
Vendor: www.aryanic.com
Vulnerable Version: 10 and prior
Type: Input.Validation.Vulnerability (URI Injection, Frame Injection, XSS)
Fix: N/A
================== nsec.ir =================
Description:
(Copy from vendors homepage: http://up2date.astaro.com/2009/03/astaro_comand_center_20_releas.html#more)
Abstract:
=========
Vulnerability-Lab Team discovered multiple Input Validation Vulnerabilities in Astaro's Command Center Application v2.x
Report-Timeline:
================
2011-01-12: Verified by Vulnerability-Lab
downloaded through URL parameter "name", as shown on the above URL:
- http://<affected_device>/a_getlog.cgi?name=messages
The Path Traversal vulnerability occurs due to lack of proper input
validation on user supplied data.
This vulnerability allows the attacker to navigate in the directory
structure, thus enabling access to arbitrary files in Polycom's
operating system.
'=.|w|.='
_='`"``=.
presents..
Skype URI Handler Input Validation
Versions affected: All versions prior to 4.2.0.1.55 (v4.2 hotfix #1)
+-----------+
|Description|
On Mon, Feb 27, 2012 at 09:31:52AM -0700, Kurt Seifried wrote:
> If you make a list of issues (e.g. XSS, CSRF, etc) with the code
> examples I can assign the various blocks of issues CVEs.
1. ./administration/install.php opens ../functions/db_connect.php and writes to the file without input validation, leading to PHP code injection through all variables if any of them contains, for example: ";} ?> <?php print("Hello World"); exit("") ?>
Note that the install guide on the web says: "after installation is complete, delete the "install.php" file" and install.php does not need permissions.
2. ./administration/create_album.php does not have proper input validation, leading to stored XSS, which can only be added by administrators, but I don't think of this as a limit after the other vulnerabilities. The XSS will also be shown to normal users (main page).
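The config-file code injection in item 1, as an added example that is not the project's install.php: a vulnerable generator that pastes values into double-quoted PHP strings beside a hardened one that emits single-quoted PHP literals and validates the variable names it generates. The templates and function names are assumptions made for the example; the payload is the one quoted in the message above. Inside a single-quoted PHP literal only a backslash before another backslash or before a single quote has meaning, so a `?>` in the value cannot end the PHP block.

```python
"""Writing untrusted values into a generated PHP config file (added example)."""
import re

PAYLOAD = '";} ?> <?php print("Hello World"); exit("") ?>'  # from the report above

_PHP_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def valid_php_identifier(name: str) -> bool:
    """True if name is safe to emit as $name (ASCII subset of PHP's rule)."""
    return bool(_PHP_IDENT.match(name))


def render_config_vuln(values: dict) -> str:
    """Vulnerable: value text is interpolated straight into the source.

    A value containing a double quote closes the string, "; }" closes the
    statement and block, and "?>" leaves PHP mode, so the rest is new code.
    """
    lines = ["<?php"]
    for name, value in values.items():
        lines.append('$%s = "%s";' % (name, value))
    lines.append("?>")
    return "\n".join(lines) + "\n"


def php_single_quoted(value: str) -> str:
    """Encode value as a PHP single-quoted literal.

    Only backslash and single quote are significant inside single quotes;
    everything else, including ?>, $ and {, stays literal text.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_single_quoted_decode(literal: str) -> str:
    """Read a single-quoted literal back the way PHP's lexer does (round-trip check)."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "\\'":
            out.append(body[i + 1])
            i += 2
        elif c == "'":
            raise ValueError("unescaped quote would end the literal early")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def render_config_safe(values: dict) -> str:
    """Hardened: names are validated, values become literals, no closing tag."""
    lines = ["<?php"]
    for name, value in values.items():
        if not valid_php_identifier(name):
            raise ValueError("refusing to emit variable name %r" % name)
        lines.append("$%s = %s;" % (name, php_single_quoted(str(value))))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config_vuln({"db_pass": PAYLOAD}))
    print(render_config_safe({"db_pass": PAYLOAD}))
```

Leaving out the closing `?>` in the generated file is deliberate: nothing can follow it, and PHP treats a trailing newline after the tag as output, which is a common source of "headers already sent" bugs.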
ZeroShell (http://www.zeroshell.net/eng/) is a small Linux distribution
for servers and embedded devices. This Linux distro can be configured
and managed with an easy to use web console.
ZeroShell is prone to an arbitrary code execution vulnerability caused by
an improper input validation mechanism. An attacker may abuse this
weakness to compromise the entire system.
Authentication is not required to exploit this flaw.
[Vulnerability Details]
In addition, this update fixes the following issues in Apache's
mod_proxy_ftp:
CVE-2009-3094: Insufficient input validation in the mod_proxy_ftp
module allowed remote FTP servers to cause a denial of service (NULL
pointer dereference and child process crash) via a malformed reply to
an EPSV command.
CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp
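The EPSV reply handling behind CVE-2009-3094, as an added example rather than Apache's own code: a parser that accepts only the RFC 2428 shape, `229 ... (<d><d><d><port><d>)` with any printable ASCII delimiter, and returns None for anything else, so a malformed reply (for instance one with no parenthesised port block at all) is rejected instead of being handed to code that assumes the block is present. All replies are constructed for the example.

```python
"""Defensive parsing of an FTP EPSV reply (added example, not Apache code)."""
import re

# RFC 2428: "229 Entering Extended Passive Mode (|||6446|)"; the delimiter
# is any printable ASCII character and only the port field is populated.
_EPSV = re.compile(
    r"^229\b[^(]*\((?P<d>[\x21-\x7e])(?P=d)(?P=d)(?P<port>[0-9]{1,5})(?P=d)\)"
)


def parse_epsv_port(reply: str):
    """Return the data-connection port, or None if the reply is malformed.

    Every failure mode (wrong code, no parentheses, empty or non-numeric
    port, out-of-range port) takes the None path rather than crashing.
    """
    m = _EPSV.match(reply)
    if m is None:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return port


if __name__ == "__main__":
    for line in (
        "229 Entering Extended Passive Mode (|||6446|)",
        "229 Entering Extended Passive Mode",           # no port block
        "229 Entering Extended Passive Mode (||||)",    # empty port
    ):
        print(repr(line), "->", parse_epsv_port(line))
```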
Details
-------
Proteus allows TFTP files to be named by an administrator, and
there is no data validation performed for user input such as
relative paths. Files are supposed to be copied only to the
/tftpboot/ directory, and the file copy is performed with root
privilege. This means for example that a file named
"../etc/shadow" will overwrite the shadow password database
"/etc/shadow".
###############################################################################
1. Arbitrary File Upload vulnerability in "uploadify.php"
###############################################################################
Reason: missing input data validation
Attack vector: user submitted GET or POST parameter 'folder'
Preconditions: none
Result: attacker can upload any files to remote system
Source code snippet from script "check.php":
Medium
Details:
========
Multiple persistent input validation vulnerabilities were detected in the Barracuda Spam & Virus Web Firewall 600. A local, low-privileged user account can
inject malicious script code that the appliance stores. When exploited against an authenticated user, the identified vulnerabilities
can lead to information disclosure, access to servers available on the intranet, and manipulated persistent content.
Vulnerable Module(s):
[+] Trace route Device - Troubleshooting
census ID: census-2009-0004
URL: http://census-labs.com/news/2009/12/14/monkey-httpd/
CVE ID: Pending
Affected Products: Monkey web server versions ≤ 0.9.2.
Class: Improper Input Validation (CWE-20), Incorrect
Calculation (CWE-682)
Remote: Yes
Discovered by: Patroklos Argyroudis
We have discovered a remotely exploitable "improper input validation"
sanitised before being returned to the user.
Solution:
# Input validation of type parameter should be corrected.
# Input validation of keys parameter should be corrected.
Vulnerability:
# http://[site]/inner.php?id=14&type=2[SQLi]
Secunia Research has discovered vulnerabilities in Trend Micro Network
Security Component (NSC) modules as bundled with various products.
These can be exploited by malicious, local users to cause a DoS
(Denial of Service) or potentially gain escalated privileges.
1) Input validation errors exist in the firewall service (TmPfw.exe)
within the "ApiThread()" function when processing packets sent to the
service (by default port 40000/TCP). These can be exploited to cause
heap-based buffer overflows via specially crafted packets containing a
small value in a size field.
The Common Vulnerabilities and Exposures project identifies the following
problems:
CVE-2009-0843
Missing input validation on a user supplied map queryfile name can be
used by an attacker to check for the existence of a specific file by
using the queryfile GET parameter and checking for differences in error
messages.
CVE-2009-0842
Impact: The ability to PUT and GET files outside of the TFTP root directory may allow an attacker to obtain more information about the underlying operating system and applications running on the host. Additionally, malicious code can be uploaded to the host operating system.
[--Background--]
Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users
Vulnerability Scope: The default installation of NetDecision TFTP Server 4.2 will allow exploitation of this vulnerability.
Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, gui, windows, server
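The traversal cases from the reports above (the Polycom a_getlog.cgi "name" parameter, the Proteus TFTP file name "../etc/shadow", the uploadify "folder" parameter and the NetDecision TFTP root), served by one added example that is the editor's own and not any of those vendors' code: a check that confines a user-supplied name to a base directory by canonicalising it before the containment test. The base directory and sample names are constructed for the example.

```python
"""Confining a user-supplied file name to a base directory (added example)."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a supplied name would leave the base directory."""


def resolve_within(base: str, user_path: str) -> str:
    """Return the real path of user_path under base, or raise PathTraversal.

    Decode one layer of URL encoding (so %2e%2e%2f is seen as ../), treat
    backslashes as separators (Windows servers do), reject NUL bytes and
    absolute paths, then canonicalise with os.path.realpath so that ".." and
    symlinks are resolved before the containment check, not after.
    """
    decoded = unquote(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise PathTraversal("NUL byte in name")
    if decoded.startswith("/"):
        raise PathTraversal("absolute path not allowed")
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, decoded))
    prefix = root if root.endswith(os.sep) else root + os.sep
    if not candidate.startswith(prefix):
        raise PathTraversal("escapes base directory: %r" % user_path)
    return candidate


def demo() -> dict:
    """Run the check over constructed names; None means the name was rejected."""
    names = [
        "messages",                 # the legitimate a_getlog.cgi value
        "sub/../messages",          # ".." that stays inside the base
        "../etc/shadow",            # the Proteus TFTP case
        "..%2F..%2Fetc%2Fpasswd",   # URL-encoded traversal
        "/etc/passwd",              # absolute path
        "..\\..\\boot.ini",         # Windows-style separators
        "messages%00.jpg",          # NUL truncation attempt
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        Path(base, "messages").write_text("constructed log line\n")
        real_base = os.path.realpath(base)
        for name in names:
            try:
                results[name] = os.path.relpath(resolve_within(base, name), real_base)
            except PathTraversal:
                results[name] = None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-26s -> %s" % (name, outcome if outcome else "rejected"))
```

For a TFTP daemon that runs as root, as Proteus does for the copy, the check above is the minimum; dropping privileges before touching the file system is the complementary control.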
Release mode: Coordinated release
*Vulnerability Information*
Class: Input validation error (Buffer Overflow)
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: None currently assigned
CVE Name: None currently assigned