ip address
As a workaround, configure an access control list (ACL) in the
signaling / media VLAN on the Route Processor (RP). The following
examples show how VLAN 140 is configured as the signaling / media
VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance
(FT). An ACL is added to the signaling/media VLAN on the RP filtering
all TCP port 2000 packets to the alias IP address.
Cisco SBC configuration
interface vlan 140
ip address 10.140.1.90 255.255.255.0
actually lead to UPnP being exploited remotely, even if the web admin
console is not visible from the Internet!
The following is a non-malicious proof-of-concept exploit which sets
up a port-forwarding rule from port 1337 on the WAN interface to port
445 on the internal IP address 192.168.1.64. That IP address is the
first usable IP address reserved for clients connected to Speedtouch
and BT Home Hub routers. The exploit has been tested on BT Home Hub -
Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled
by default on the BT Home Hub, just like most IGDs. If your Internet
gateway is a BT Home Hub, clicking on the following link should add a
RFC 2818 covers the requirements for matching CNs and subjectAltNames
in order to establish valid SSL connections. It first discusses CNs
that are for hostnames, and the rules for wildcards in this case.
The next paragraph in the RFC then discusses CNs that are IP
addresses:
'In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.'
complete compromise of the entire system.
------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
Vulnerability Information
=======================================
Product: Cisco ACE XML Gateway <= 6.0
Vulnerability: Internal IP Address Disclosure
Vendor: Cisco Systems, Inc. http://www.cisco.com
Product URL: http://www.cisco.com/en/US/products/ps7314/
Author: nitrus [ Alejandro Hernandez H. ]
Discovery Date: 24/Aug/2009
Attack Vector: Remote
Devices configured for ALPS are vulnerable. The default TCP listening
ports for ALPS are 350 and 10000. The following example shows a
vulnerable ALPS configuration:
alps local-peer <ip address>
Further information about ALPS is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.2 - Configuring
the Airline Product Set" at the following link
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfalps_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Workarounds
===========
There are no workarounds other than disabling NTP on the device. The
following mitigations have been identified for this vulnerability;
only packets destined for any configured IP address on the device can
exploit this vulnerability. Transit traffic will not exploit this
vulnerability.
Note: NTP peer authentication is not a workaround and is still a
vulnerable configuration.
Internet Group Management Protocol (IGMP) is the protocol used by
hosts and adjacent routers to manage membership in IP multicast
groups. The IGMP version 3 protocol permits source-specific multicast
which allows hosts to specify the IP address of the multicast source.
A malformed IGMP packet can cause a vulnerable device to reload. This
vulnerability can only be exploited if the malformed IGMP packet is
received on an interface that has been enabled for IGMP version 3 and
Protocol Independent Multicast (PIM). The malformed IGMP packet
CVE: CVE-2010-2860
Finding:
The Celerra appliance's NFS server freely exports its "/" file system and
enforces access using a factory-defined list of authorized IP addresses.
The addresses found on a recent model are listed in the showmount example
below, however this list may differ depending on product version. The IP
addresses are intended for communication internal to the appliance, but are
still accepted from external sources. An attacker can mount this file system
by spoofing an authorized IP address.
and details the following vulnerabilities:
* Unauthenticated Common Gateway Interface (CGI) Access
* CGI Command Injection
* TFTP Information Disclosure
* Malicious IP Address Injection
* XML-Remote Procedure Call (RPC) Command Injection
* Cisco Discovery Protocol Remote Code Execution
Duplicate Issue Identification in Other Cisco TelePresence Advisories
+--------------------------------------------------------------------
"dlsw local-peer"
or
"dlsw local-peer peer-id <IP address>"
Any version of Cisco IOS prior to the versions which are listed in
the Software Versions and Fixes section below is vulnerable.
To determine the version of Cisco IOS software running on a Cisco
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected
Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.
Mitigation:
Upgrade to:
What's important to note is that every time an "authenticated" URL is
accessed, there is _no_ authentication data being sent within HTTP
requests whatsoever. There are no passwords, or session IDs being
submitted at all within HTTP requests. Instead, the AP uses the
administrator's source IP address as authentication data.
This means that the authentication state relies on the false assumption
that post-authentication URLs won't be known by an attacker and that the
attacker and the administrator will _not_ share the same source IP
address. By simply accessing administrative URLs in a browser from _the
There are some issues in the way IE enforces zone security policies when
a URI is specified in the UNC form (i.e.,
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'). In this case, Internet
Explorer classifies as *Internet Zone* any UNC address pointing to an IP
address including '127.0.0.1'. As a result, any website (belonging to
any security zone) can address and redirect the navigation flow to files
stored in '\\127.0.0.1'.
If an attacker controlling a website finds a way to store HTML with any
valid scripting code on the local file system of the visitor and then
listed game servers, asking each for its description. The client's parsing of
the servers' responses is vulnerable to a buffer overflow attack.
The client is designed to listen for incoming UDP packets from
master.corservers.com and from the game servers on port 27901, however it will
accept and parse UDP packets from any IP address even if the client did not
initiate a UDP conversation with that given IP address. As such, an attacker
can send a malformed UDP packet from any source IP address; they need not know
a valid game server's IP address to exploit this buffer overflow vulnerability.
When the client receives a UDP packet on port 27901 that specifies a server's
Details
=======
Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a
host device to be identified by a single IP address even though the
device may move its physical point of attachment from one network to
another. Regardless of movement between different networks,
connectivity at the different points is achieved seamlessly without
user intervention. Roaming from a wired network to a wireless or
wide-area network is also possible.
...
!
phone-proxy <instance name>
media-termination address <IP address>
...
<Rest of phone proxy feature configuration>
Or (Cisco ASA Software version 8.2 and later):
description ** Zone Pair - inside to outside **
service-policy type inspect layer4-policymap
!
!
interface GigabitEthernet0/0
ip address 192.168.0.6 255.255.255.0
ip ips myips in
zone-member security inside
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
> (Restart nginx and run only the second command to see its expected
> behavior; i.e., actually fetching http://www.google.com/.)
>
> This works because crc32("www.google.com.") ==
> crc32("www.google.com.9nyz309.crc32.dempsky.org."). The first request
> cached the IP address for www.google.com.9nyz309.crc32.dempsky.org,
> and then the second request used this IP address instead of querying
> for www.google.com's real IP address because of the matching CRCs and
> the common prefix.
>
> [1] http://marc.info/?l=nginx&m=125257590425747&w=2
Msn messenger 8.5.1
-------------------------------
Description :
The MSNP15 protocol used by Windows Live Messenger Client 8.5.1 transmits
information about the public and private IP addresses. This happens
during a conversation started by someone in the contact list.
By analyzing the conversation with Wireshark it can be seen that, in
addition to passing information such as the sessionid, the Cal and the
Ringing, it also passes Ipv4ExternalAddrsAndPorts
--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security
Information Portal <cross-site-scripting-security@xssworm.com> wrote:
>
> In the case of Yahoo, security firm Finjan said hackers exploited an
> unused IP address within Yahoo's hierarchy and used that as the domain
> address behind a forged Google Analytics domain name. This fooled the
> Finjan Web-filtering product into believing a person was going to a
> highly trusted Yahoo domain. The victims, customers of Finjan, never knew
> they were on a malicious Web site, and neither did the security
> mechanisms on the network. (In this case, Finjan's Web-filtering
...
}
}
As we can see in [2], there is an insecure call to the function sprintf().
The argument 'name' is the reverse DNS name for the IP address. Details of
exploiting this situation will come later, because normally we can't do that!
Now let's look at what calls this function:
"display.c"
used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,
filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, access lists need to
explicitly deny UDP 1975 packets that are sent to any router
interface IP addresses and permit transit traffic. Such access lists
need to be applied on all interfaces to be effective. Since the IPC
channel uses addresses from the 127.0.0.0/8 range, it is also
necessary to filter packets that are sourced from or destined to this
range. An example is given below:
1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site Scripting Vulnerabilities
2. IBM Tivoli Provisioning Manager Express Remote Username Enumeration Weakness
3. Computer Associates eTrust Threat Management Console IP Address HTML Injection Weakness
4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service Vulnerability
5. Gadu-Gadu Remote User Addition Vulnerability
other hand, a DNS server with recursion sends a query with the recursion bit
unset (i.e. an iterative query), so the reply has to have this bit unset, too.
C. The tool spoofs the source IP address of the queries. This is useful if
the attacker does not want to leave any trace of his IP address on the server.
D. The tool utilizes the CNAME Record Type to inject the false entry. The way
the
80/tcp open http Dell Embedded Remote Access card webserver 1.0
443/tcp open ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open vnc?
Service Info: Devices: terminal server, remote management
Nmap finished: 1 IP address (1 host up) scanned in 21.559 seconds
$
To bring the SSH daemon running at the DRAC4 down, the following command
can be used in combination with the already described nmap version:
If you read your own post you would realize that Mitsubishi
kept the device ipaddress prefix as 192.168.1 so only you can attack
yourself.
192.168 cannot be accessed from the internet ;-) [unless you NAT at which
point it's your NAT config problem]
-----Original Message-----
if ( $comment_url != '' ) {
    $save_data[ 'URL' ] = clean_post_text( $comment_url );
}

$save_data[ 'IP-ADDRESS' ] = $user_ip; // New 0.4.8
$save_data[ 'MODERATIONFLAG' ] = $hold_flag;

// Implode the array
$str = implode_with_keys( $save_data );

Security-Assessment.com discovered that a Java Applet
making use of the java.net.URLConnection class can be used
to bypass the same-origin policy (SOP) and domain based
security controls in modern browsers when communication
occurs between two domains that resolve to the same IP
address. This advisory includes a Proof-of-Concept
(PoC) demo and Java Applet source code, which
demonstrate how this weakness can be exploited to leak
cookie information to an unauthorised domain that
resides on the same host IP address.