
[ADVISORY] NetCache URL DoS - Argentinian ISP

A DoS vulnerability exists in NetCache proxies of at least some areas
of Speedy Argentina ISP (201.255.64/18), by which a URL could be rendered
inaccessible by means of the prefetch cache control directive.

The procedure is very simple: sending a plain GET HTTP/1.1 request to
the victim URL several times will make the proxies stop serving it.
Users then wait for about two minutes before the TCP connection is
closed, which, depending on the user agent, is interpreted either as a
valid zero-length HTTP 0.9 reply or as an error.

It is worth noting that this attack affects the URL EXACTLY. For

CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

  Core Security Technologies - CoreLabs Advisory
       http://corelabs.coresecurity.com/

  IBM WebSphere Application Server Cross-Site Request Forgery


1. *Advisory Information*

Title: IBM WebSphere Application Server Cross-Site Request Forgery

PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method

 One 'Content-length:' header with two values, e.g. "Content-length: 0, 0"
 One 'Content-length:' header with a negative value, e.g. "Content-length: -1"
 One 'Content-length:' header with a very large value, e.g. "Content-length: 9999999999999999999999999999999999999999999999"


Apache 2.X returns a '413 Request Entity Too Large' error when invalid length data is submitted. When probing for XSS on the error page returned by the server, there are three possible string vectors:

 The 'Host:' header
 The URL
 The HTTP method


CVE-2010-2375: WebLogic Plugin HTTP Injection via Encoded URLs

----------------------
Over the last several years, VSR analysts had observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL encoded and appended to URLs.  In late April, 2010 VSR began
researching this more in depth and found that the issue could allow for
HTTP header injection and HTTP request smuggling attacks.


Product Background
------------------
WebLogic application server is commonly deployed in a three-tier

RE: Squid URL Filtering Bypass

To be clear, the CONNECT request is a single request/response cycle between the client and the proxy.  Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic).  There is nothing that explicitly disallows inclusion of the host header in a CONNECT request.  Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.

The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.

Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).

Also, whether the McAfee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy, is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

following vulnerabilities:

  * Malformed HTTP or HTTPS authentication response denial of service
    vulnerability
  * SSH connections denial of service vulnerability
  * Crafted HTTP or HTTPS request denial of service vulnerability
  * Crafted HTTP or HTTPS request unauthorized configuration
    modification vulnerability

Cisco has released free software updates that address these
vulnerabilities.

CORE-2009-0227: Real Helix DNA RTSP and SETUP request handler vulnerabilities

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Real Helix DNA RTSP and SETUP request handler vulnerabilities


1. *Advisory Information*

Title: Real Helix DNA RTSP and SETUP request handler vulnerabilities

Formshield Captcha - Older Version vulnerable to replay attacks

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The Formshield CAPTCHA library that is used to prevent automated bots
from functioning is vulnerable to a replay attack. It is possible to
fix the CAPTCHA value to a specific value and send that value to the
server as part of every request and gain access to protected
resources.

The Formshield CAPTCHA uses a dynamic key stored in the __VIEWSTATE of
the request and sends encrypted text to the server for obtaining and
displaying new image text in the CAPTCHA on the page every time. There

TWSL2012-008: Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.

Example:

This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.

#Request
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1

VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

       Author: George D. Gal <ggal (a) vsecurity . com>
Vendor Status: Cisco CSS vulnerability remains unpatched, workarounds
available
           Cisco ACE workarounds available
CVE Candidate: CVE-2010-1575 - Certificate Spoofing Flaw
               CVE-2010-1576 - HTTP Request Parsing Flaw
    Reference: http://www.vsecurity.com/resources/advisory/20100702-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Re: Summary of AS/400 Vulnerability Information

Hello,

I received several off-list requests for a summary of what I learned
about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I
would like to thank everyone who replied off-list with additional
information.

1) A book on hacking AS/400s:

Aruba Mobility Controller - multiple advisories: DoS and authentication bypass

Advisory # 1:

TITLE

Malformed 802.11 Probe Request frame causes Denial of Service condition
on an Access Point.

SUMMARY

A Denial of Service (DoS) vulnerability was discovered during standard

CORE-2010-0104 - LANDesk OS command injection

Release mode: Coordinated release


2. *Vulnerability Information*

Class: Cross site request forgery [CWE-352], Cross site scripting
[CWE-79], OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37905

iDefense Security Advisory 03.17.09: Autonomy KeyView Word Perfect File Parsing Buffer Overflow Vulnerability

01/14/2008  to IBM & Symantec - 1st notice
11/24/2008  to Autonomy - 1st notice
12/04/2008  From Autonomy - 1st response
12/04/2008  to Autonomy - 2nd notice
12/05/2008  From Autonomy - PoC Request
12/08/2008  to Autonomy - PoC sent
12/09/2008  From Autonomy - PoC Resend Request
12/09/2008  to Autonomy - PoC Resend sent
12/11/2008  From Autonomy - PoC Clarification Request
12/11/2008  to Autonomy - PoC Clarification reply

EEYE: Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops

    0000000013rxrLogin~~administrator

The single argument ("administrator") is copied into a buffer size of
0x1AC on the stack using wsprintfW, however no string length checks are
performed.  By sending an overly long username as part of the first
authentication request, an exploitable condition is reached.


Vulnerability 2: Authentication Password Overflow
Another stack-based buffer overflow exists within the authentication
portion of rxRPC.dll which is accessible via TCP/1900.  A sample

Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

According to a comment in a Cyrus SASL include source file, a server
must not reuse a Cyrus SASL server handle after client authentication
failure. Instead, a server must create a new Cyrus SASL server
handle including mechanism list, before processing another client
authentication request.

The Postfix SMTP server fails to create a new Cyrus SASL server
handle after authentication failure. This causes memory corruption
when, for example, a client requests CRAM-MD5 authentication, fails
to authenticate, and then invokes some other authentication mechanism

Jetty 6.x and 7.x Multiple Vulnerabilities

A) "Dump Servlet" information leak
   (Affected versions: Any)

By requesting the demo "Dump Servlet" at a URL like "/test/dump/"
it is possible to obtain a number of details about the remote Jetty
instance.

Variables: getMethod, getContentLength, getContentType, getRequestURI,
getRequestURL, getContextPath, getServletPath, getPathInfo,

[MSA01240108] IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling.

MSA01240108: 
IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling.

Date: March 21st, 2008

Tested Versions: 
        Internet Explorer 7.0.5730.11

Tested OS:
        Windows XP Professional SP2 Italian

(TAD-2011-001) Vulnerability in HTC Peep: Twitter Credentials Disclosure

-- Vulnerability description: 

The default Twitter client (or application) in HTC mobile devices is called HTC Peep. HTC Peep is vulnerable to two different credentials disclosure vulnerabilities during the authentication process against the Twitter service (twitter.com).

During the authentication process, the HTC Peep app establishes an HTTP (TCP/80) connection against the twitter.com servers, sending a few HTTP OAuth-related requests. The first two HTTP GET requests try to gather and make use of an OAuth token: "GET /oauth/request_token" (the response contains the "oauth_token") and "GET /oauth/authorize?oauth_token=...". 

The first vulnerability resides in the third HTTP request, a POST request towards the "/oauth/authorize" resource, which contains several parameters, including the Twitter username and password in the clear, making the authentication process vulnerable to eavesdropping attacks:

authenticity_token=c8b5abaf53f223e827d9258ddfef4285a816db5f&
oauth_token=I4FK956n1foaHjayLKXJT2IaBpsmoo0amKyPhebc&

Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

...
...
IPSLib::cleanGlobals( $_GET );
IPSLib::cleanGlobals( $_POST );
IPSLib::cleanGlobals( $_COOKIE );
IPSLib::cleanGlobals( $_REQUEST );

# GET first
$input = IPSLib::parseIncomingRecursively( $_GET, array() );

# Then overwrite with POST

XOOPS 2.5.0 <= Cross Site Scripting Vulnerability

http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe


Parameter: module[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;

[SECURITY] [DSA 2220-1] Request Tracker security update

Debian Security Advisory DSA-2220-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
April 19, 2011                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : request-tracker3.6, request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 
                 CVE-2011-1689 CVE-2011-1690

CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution

<?php
/*
CA ARCserve D2D r15 GWT RPC Request Auth Bypass /
Credentials Disclosure and Commands Execution PoC

product homepage: http://arcserve.com/us/default.aspx

file tested: CA_ARCserve_D2D_Setup_BMR.zip

tested against: Microsoft Windows Server 2003 r2 sp2

[SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure

- Tomcat 7.0.0 to 7.0.21
- Tomcat 6.0.30 to 6.0.33
- Earlier versions are not affected

Description:
For performance reasons, information parsed from a request is often
cached in two places: the internal request object and the internal
processor object. These objects are not recycled at exactly the same time.
When certain errors occur that need to be written to the access log, the
access logging process triggers the re-population of the request object
after it has been recycled. However, the request object was not recycled

Re: Squid URL Filtering Bypass

command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.

There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers
that the proxy won't see.

On Wed, Apr 18, 2012 at 7:46 PM, Richard Barrett

MITKRB5-SA-2010-001 [CVE-2010-0283] krb5-1.7 KDC denial of service

vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.

AFFECTED SOFTWARE
=================

Aruba Advisory ID: AID-020810 TLS Protocol Session Renegotiation Security Vulnerability

The only ArubaOS component that appears to be affected by this issue is the
HTTPS WebUI administration interface. If a client browser (victim) is
configured to authenticate to the WebUI over HTTPS using a client
certificate, an attacker can potentially use the victim's credentials
temporarily to execute arbitrary HTTP requests on each initiation of an
HTTPS session from the victim to the WebUI. This would happen without
any HTTPS/TLS warnings to the victim. This condition can essentially be
exploited by an attacker for command injection at the beginning of an HTTPS
session between the victim and the ArubaOS WebUI.


[RT-SA-2009-003] IceWarp WebMail Server: SQL Injection in Groupware Component

functionality for users to store, for example, contact information,
notes, a journal or files. A search form can be used to search for such
stored items.

When users search, for example, for certain files, using the provided
search form, an HTTP POST request containing the search query in XML
form is sent from the browser to the PHP script at
https://example.com/webmail/server/webmail.php:

----- HTTP POST request ------------------------------------------------
<iq sid="73aaafec4a8db27af49c4c43bca4ac13"

Java Runtime UTF-8 Decoder Smuggling Vector

not to be vulnerable to the specific exploit identified and reported by
OuTian/Ryeo.  However, all implementations which accept overlong paths,
including Glassfish, remain vulnerable insofar as any access control is
implemented at the proxy or gateway layer of an http service.  Apache Tomcat
release 6.0.18 is no longer vulnerable with respect to its URI path, as
6.0.18 rejects all requests where the decoded value changes the path
representation, but is still exposed due to this vector in other
characteristics.

That said, the underlying vector for this vulnerability identified by Rowe
is actually within the UTF-8 charset implementation of the
