
Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

Summary
=======

The Postfix SMTP server has a memory corruption error when the Cyrus
SASL library is used with authentication mechanisms other than PLAIN
and LOGIN (the ANONYMOUS mechanism is unaffected but should not be
enabled for different reasons). See below for instructions to
determine what systems are affected.

Examples of affected Cyrus SASL authentication methods are CRAM-MD5,
DIGEST-MD5, EXTERNAL, GSSAPI, KERBEROS_V4, NTLM, OTP, PASSDSS-3DES-1,

FreeWebshop.org: multiple vulnerabilities

IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
address to the webservers. If these headers are found, FWS will use the
value of the header as the user's IP address. If these headers are

Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

  X-Forwarded-For: 127.0.0.1\r\n
  Connection: keep-alive\r\n\r\n
  
  Later, we'll see how to gain the administrator's session
  id. Even if we get the right session id, there is a
  protection that "normally" doesn't permit being logged in.
  Let's see a part of the file "scripts/sb_login.php":

  // Check if user is logged in.
  if ( isset( $_SESSION[ 'logged_in' ] ) &&
       $_SESSION[ 'logged_in' ] == 'yes' ) {

[DSECRG-09-062] Alteon OS BBI (Nortell) - Multiple Vulnerabilities

2)  Stored XSS 

An attacker may inject 36 bytes of JavaScript code into the log via the SSH
login parameter. The login parameter is written into the log as is. The BBI
or telnet login parameter is not written into the log, only the SSH one. When
the log page is generated, all input from the SSH login parameter is displayed
as is.

Both vulnerabilities give a chance to change the switch configuration file or attack the Administrator's

glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit

    // Check user status

    $status = SEC_checkUserStatus($userid);
    if (($status == USER_ACCOUNT_ACTIVE) ||
        ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) {
        $user_logged_in = 1;

        SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);

        ...

Plesk 8.6.0 authentication flaw allows to gain virtual user privileges

telnet to mailserver pop3 port:
+OK Hello there. <6274.1219631200@mailserver>
USER password
+OK Password required.
PASS password
+OK logged in.
LIST
+OK POP3 clients that break here, they violate STD53.
.
QUIT
+OK Bye-bye.

Web commands injection through FTP Login in Synology Disk Station - CVE-2010-2453

families.

The Disk Station product provided by Synology as Network Attached Storage is vulnerable to multiple issues, including the possibility of
remote command execution via CSRF (Cross-Site Request Forgery) through the FTP login console. The FTP server is provided as a configurable service
through the web interface, which provides backend access to manage the disk station. The problem occurs in the FTP logging mechanism together with the
admin interface used to view those logs. The FTP console input in the form of username and password gets logged in the web application interface.

This problem was confirmed in the following versions of Synology Disk Station, other versions may be also affected.

Synology Disk Station 2.x


KwsPHP (Upload) Remote Code Execution Exploit

Faille Discovered By TsukasaGenesis && Ajax
Sploit Coded By Ajax Site: http://www.r57shell.in
*/
if($argc<9){
        print "---KwsPHP All Version / Remote Code Execution---\n\n";
        print "usage: kwsphpsploit.php -url <url> -login <login> -pass <pass> -email <email> -file <file> [-id <id>]\n\n";
        print "Url url of KwsPHP script : Ex : www.example.com/kwsphp/\n";
        print "Login       your account's login ( need to be allow to upload )\n";
        print "Pass        account's password\n";
        print "Email       account's email\n";
        print "File        PHP script upload and execute\n";

S21SEC-042-en:Cezanne SW Cross-Site Scripting (login required)

- S21Sec Advisory -

##############################################################

Title: Cezanne SW Cross-Site Scripting (login required)
ID: S21SEC-042-en
Severity: Medium
History:
  02.Jan.2008 Vulnerability discovered
Authors:

[USN-695-1] shadow vulnerability

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  login                           1:4.0.13-7ubuntu3.4

Ubuntu 7.10:
  login                           1:4.0.18.1-9ubuntu0.2

Ubuntu 8.04 LTS:

Multiple vulnerabilities in OBM

The following PoC is available:

http://[host]/exportcsv/exportcsv_index.php?action=export_page&module=../../../../tmp/file

Successful exploitation of this vulnerability requires the attacker to be registered and logged in.

2) Input passed via the "sel_domain_id" POST parameter to /obm.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

TWSL2011-008: Focus Stealing Vulnerability in Android

which app is currently running in the foreground, and 2) display an Activity
defined in its own app (i.e., not the current foreground app).

These two "features" combine to allow a malicious developer to run a
service that looks for apps it knows how to attack, and display a login
screen to the user when those apps run. For example, when the user opens an
app which requires a login, the malicious service displays a screen that
looks identical to the legitimate login screen. Android gives no indication
that the login screen actually belongs to a different app, and the
Activity-switching animation would be the same whether the real app had

PR07-44: XSS on RSA Authentication Agent login page

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR07-44: XSS on RSA Authentication Agent login page

Vulnerability found: 5th December 2007

Vendor informed: 13th December 2007

Severity: Medium-high

Multiple vulnerabilities in LineWeb 1.0.5

LineWeb is a web app to manage Lineage 2 private servers (a well-known MMORPG) and allows actions such as:

Main Features:
- Register
- Login
- Quick Login Function
- Quick statistics function (server status, game server status, online players)
- Statistics (login server status, game server status, players online, total accounts, total characters, total gm characters, total clans)

Administrator Features:

Rittal CMC-TC Processing Unit II multiple vulnerabilities

    client-side scripts to the victim's browser by creating suitable links.

    This vulnerability cannot be used for session hijacking, because
    CMC-TC PU II requires each valid request to contain the current session
    ID as a URL parameter. Requests without a session ID are redirected to
    the login page. Therefore only phishing-type attacks or attacks
    against the user's browser are possible.

    Successful exploitation requires that an attacker can lure or force
    the user to follow the malicious link.


Family Connections <= 1.8.2 - Remote Shell Upload Exploit

        
        ./rsue localhost /fcms/ user password

        [*] Connecting...
        [+] Connected
        [*] Send login...
        [+] Login Successful
        [+] Uploading...
        [+] Shell uploaded
        [+] Connection closed
        

IBM BladeCenter Advanced Management Module Multiple vulnerabilities

               Main application: BPET36H
               Released: 03-20-08
               Rev:  54
         Risk: Low - Moderate
               High if Web Access is in active use and
               access to login page is unrestricted
Vendor Status: Vendor notified, patch available.
   References: http://www.louhinetworks.fi/advisory/ibm_090409.txt

Affected devices (from vendor):
  IBM BladeCenter E (1881, 7967, 8677)

Seeker Advisory: Insecure Redirect in .NET Form Authentication - Redirect From Login Mechanism (ReturnURL Parameter)

===========
 I. Overview
 ===========

An Insecure Redirect vulnerability has been identified in the .NET Form
Authentication - in the Redirect From Login mechanism. This
vulnerability allows an attacker to craft links that contain redirects
to malicious sites in the ReturnURL parameter. 

The exploitation technique detailed in this document bypasses the
CrossAppRedirects restriction and was successfully performed on

[RT-SA-2009-004] IceWarp WebMail Server: Client-Side Specification of "Forgot Password" eMail Content

More Details
============

The IceWarp WebMail Server implements a "Forgot Password" function on
the login page. Users who have forgotten their login password can
provide their email address to the mail server. It will then check if
the email address exists in the system and send the associated user's
password to it.

The HTTP POST request sent when clicking on the "Forgot Password" page's

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

>>>> All versions of Microsoft Windows operating systems allow real-time
>>>> modifications to the Active Directory cached accounts listing stored
>>>> on all Active Directory domain workstations and servers. This allows
>>>> domain users that have local administrator privileges on domain
>>>> assets to modify their cached accounts to masquerade as other domain
>>>> users that have logged in to those domain assets. This will allow
>>>> local administrators to temporarily escalate their domain privileges
>>>> on domain workstations or servers.
>>>
>>>Wrong. The local administrator is already local administrator. There's
>>>nothing to elevate any more.

VMware poor guest isolation design

*Summary*

VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
Note that the only users who can access the VM this way are either the

Updated: VMware poor guest isolation design

*Summary*

VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
Note that the only users who can access the VM this way are either the

Exploit for vBulletin "obscure" XSS (3.7.1 & 3.6.10)

rather easy XSS:

http://localhost/vB3/admincp/index.php?redirect={XSS}

Yes, here goes the obscure. What is even better is that the exploit will
work outright if the admin is already logged in; if the admin is not, they
will be required to log in. If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin is logged in. A simple example of the above:

http://localhost/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1: XSS in modcp index

rather easy XSS:

http://localhost/vB3/modcp/index.php?redirect={XSS}

What is even better is that the exploit will work outright if the
admin/moderator is already logged in; if the admin/moderator is not, they
will be required to log in. However, if an admin logs into the MCP, he is
also logged into the ACP, allowing the same exploit as last time
(remote PHP code injection via the hooks system).

Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

All versions of Microsoft Windows operating systems allow real-time
modifications to the Active Directory cached accounts listing stored
on all Active Directory domain workstations and servers. This allows
domain users that have local administrator privileges on domain assets
to modify their cached accounts to masquerade as other domain users
that have logged in to those domain assets. This will allow local
administrators to temporarily escalate their domain privileges on
domain workstations or servers. If the local administrator masquerades
as an Active Directory Domain Admin account, the modified cached
account is now free to modify system files and user account profiles
using the identity of the Domain Admin's account. This includes

Re: countermeasure against attacks through HTML shared files

> I'd tend to treat the retrieval keys more like typical web session objects
> -- in fact, I'd probably stick a hashtable of filename -> hostkey values
> in each user's web session objects, so the keys would remain valid as
> long as the user was still logged in.

My motivation for deleting the file retrieval
session record was that the extended hostname is
recorded in the browser history.  So if the user
neglects to log out, and is using a laptop, and

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.