[ADVISORY] NetCache URL DoS - Argentinian ISP

A denial-of-service vulnerability exists in the NetCache proxies serving
at least some areas of the Speedy Argentina ISP (201.255.64/18): a URL can
be rendered inaccessible through the proxies by means of the prefetch
cache-control directive.

The procedure is very simple: sending a plain HTTP/1.1 GET request for
the victim URL several times makes the proxies stop serving it. Users
then wait for about two minutes before the TCP connection is closed,
which, depending on the user agent, is interpreted either as a valid
zero-length HTTP/0.9 reply or as an error.

It is worth noting that this attack affects the URL EXACTLY. For

CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
       http://corelabs.coresecurity.com/

  IBM WebSphere Application Server Cross-Site Request Forgery


1. *Advisory Information*

Title: IBM WebSphere Application Server Cross-Site Request Forgery

PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method

 One 'Content-length:' header with two values, e.g. "Content-length: 0, 0"
 One 'Content-length:' header with a negative value, e.g. "Content-length: -1"
 One 'Content-length:' header with an overly large value, e.g. "Content-length: 9999999999999999999999999999999999999999999999"


Apache 2.X returns a '413 Request Entity Too Large' error when it receives an invalid Content-Length value. When probing the error page returned by the server for XSS, there are three attacker-controlled strings that may be reflected into it:

 The 'Host:' header
 The URL
 The HTTP method
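The Python below is an added example, not code from the PR07-37 advisory: it classifies the three malformed Content-Length forms listed above the way a front end or WAF should before deciding how to answer, builds the raw probe request with a tester-chosen method (the vector the advisory title names), and parses a captured reply to tell a verbatim reflection of the method from an HTML-escaped one. The length limit, the host name and the sample 413 body are constructed for the example; the body does not reproduce Apache's real error text.

```python
import html
import re

# Upper bound for an acceptable Content-Length. The value is an assumption
# for this example (largest signed 32-bit value), not an Apache setting.
MAX_CONTENT_LENGTH = 2**31 - 1


def classify_content_length(value: str) -> str:
    """Classify a raw Content-Length header value.

    Returns "valid" or a short reason for rejecting the request, covering
    the three malformed forms the advisory lists."""
    v = value.strip()
    if "," in v:
        return "multiple values"              # "0, 0"
    if not re.fullmatch(r"[0-9]+", v):
        return "not a non-negative integer"   # "-1" and any other junk
    if int(v) > MAX_CONTENT_LENGTH:
        return "too large"                    # a run of 46 nines
    return "valid"


def build_probe(method: str, host: str, path: str, content_length: str) -> bytes:
    """Raw HTTP/1.1 request with a tester-chosen method and Content-Length.

    The method is the string an unescaped 413 page may echo back, so the
    XSS marker goes there; Host and the path are the other two vectors."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {content_length}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("latin-1")


def analyze_response(raw: bytes, marker: str) -> dict:
    """Split a captured reply into status and body and report whether the
    marker came back verbatim (exploitable) or HTML-escaped (safe)."""
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", head.split("\r\n", 1)[0])
    return {
        "status": int(m.group(1)) if m else None,
        "reflected_raw": marker in body,
        "reflected_escaped": html.escape(marker) in body,
    }


# Constructed reply for offline use; the wording is not Apache's real 413 text.
MARKER = "<script>alert(1)</script>"
SAMPLE_413 = (
    b"HTTP/1.1 413 Request Entity Too Large\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<p>The requested resource does not allow request data with "
    + MARKER.encode("latin-1") + b" requests.</p>"
)
```

A reply that reports `reflected_raw` is the condition the advisory describes; a reply that reports only `reflected_escaped` means the server encoded the method before echoing it, and a front end that rejects anything `classify_content_length` does not call "valid" never reaches the 413 page at all.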


CVE-2010-2375: WebLogic Plugin HTTP Injection via Encoded URLs

- ----------------------
Over the last several years, VSR analysts have observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL-encoded and appended to URLs.  In late April 2010, VSR began
researching this in more depth and found that the issue could allow
HTTP header injection and HTTP request smuggling attacks.


Product Background
- ------------------
WebLogic application server is commonly deployed in a three-tier

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

following vulnerabilities:

  * Malformed HTTP or HTTPS authentication response denial of service
    vulnerability
  * SSH connections denial of service vulnerability
  * Crafted HTTP or HTTPS request denial of service vulnerability
  * Crafted HTTP or HTTPS request unauthorized configuration
    modification vulnerability

Cisco has released free software updates that address these
vulnerabilities.

CORE-2009-0227: Real Helix DNA RTSP and SETUP request handler vulnerabilities

Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Real Helix DNA RTSP and SETUP request handler vulnerabilities


1. *Advisory Information*

Title: Real Helix DNA RTSP and SETUP request handler vulnerabilities

Formshield Captcha - Older Version vulnerable to replay attacks

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The Formshield CAPTCHA library, which is used to block automated bots,
is vulnerable to a replay attack. It is possible to fix the CAPTCHA
value to a specific value, send that value to the server as part of
every request, and gain access to protected resources.

The Formshield CAPTCHA uses a dynamic key stored in the __VIEWSTATE of
the request and sends encrypted text to the server for obtaining and
displaying new image text in the CAPTCHA on the page every time. There
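As an added example, not code from Formshield or from the advisory, the Python below contrasts the two designs the finding turns on: a stateless verifier whose hidden form field carries everything the server needs (standing in for the encrypted value Formshield keeps alongside __VIEWSTATE), so a captured field/answer pair is accepted forever; and a server-side store that hands out random challenge ids and consumes each one on its first use. The server key, the HMAC construction and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server secret for this example; the page does not show how
# Formshield derives or stores its key.
SERVER_KEY = b"example-server-secret-do-not-reuse"


# --- Pattern 1: stateless. The form carries a keyed tag of the expected
# answer and the server keeps nothing, so it cannot tell a fresh solve from
# a replayed one. This is the property the advisory exploits.

def stateless_issue(answer: str) -> dict:
    tag = hmac.new(SERVER_KEY, answer.encode(), hashlib.sha256).hexdigest()
    return {"captcha_tag": tag}          # hidden form field sent to the client


def stateless_verify(form: dict, submitted: str) -> bool:
    expected = hmac.new(SERVER_KEY, submitted.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form["captcha_tag"])


# --- Pattern 2: server-side, single-use challenge. Only an opaque id goes to
# the client; the answer stays on the server and is deleted on first use.

class ChallengeStore:
    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._answers = {}               # challenge_id -> (answer, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock              # injectable so expiry is testable offline

    def issue(self, answer: str) -> str:
        challenge_id = secrets.token_urlsafe(16)
        self._answers[challenge_id] = (answer, self._clock() + self._ttl)
        return challenge_id              # hidden form field; answer never leaves the server

    def verify(self, challenge_id: str, submitted: str) -> bool:
        # pop() consumes the challenge on the first attempt, right or wrong,
        # so neither a correct replay nor a retry after a miss can reuse it.
        entry = self._answers.pop(challenge_id, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), submitted.encode())
```

Consuming the challenge on a wrong answer as well as a right one is deliberate: leaving it in place after a miss turns the store into an oracle for guessing the answer of a single image.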

VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

       Author: George D. Gal <ggal (a) vsecurity . com>
Vendor Status: Cisco CSS vulnerability remains unpatched, workarounds
available
           Cisco ACE workarounds available
CVE Candidate: CVE-2010-1575 - Certificate Spoofing Flaw
               CVE-2010-1576 - HTTP Request Parsing Flaw
    Reference: http://www.vsecurity.com/resources/advisory/20100702-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Re: Summary of AS/400 Vulnerability Information

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I received several off-list requests for a summary of what I learned
about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I
would like to thank everyone who replied off-list with additional
information.

1) A book on hacking AS/400s:

Aruba Mobility Controller - multiple advisories: DoS and authentication bypass

Advisory # 1:

TITLE

Malformed 802.11 Probe Request frame causes Denial of Service condition
on an Access Point.

SUMMARY

A Denial of Service (DoS) vulnerability was discovered during standard

CORE-2010-0104 - LANDesk OS command injection

Release mode: Coordinated release


2. *Vulnerability Information*

Class: Cross site request forgery [CWE-352], Cross site scripting
[CWE-79], OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37905

iDefense Security Advisory 03.17.09: Autonomy KeyView Word Perfect File Parsing Buffer Overflow Vulnerability

01/14/2008  to IBM & Symantec - 1st notice
11/24/2008  to Autonomy - 1st notice
12/04/2008  From Autonomy - 1st response
12/04/2008  to Autonomy - 2nd notice
12/05/2008  From Autonomy - PoC Request
12/08/2008  to Autonomy - PoC sent
12/09/2008  From Autonomy - PoC Resend Request
12/09/2008  to Autonomy - PoC Resend sent
12/11/2008  From Autonomy - PoC Clarification Request
12/11/2008  to Autonomy - PoC Clarification reply

EEYE: Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops

    0000000013rxrLogin~~administrator

The single argument ("administrator") is copied into a 0x1AC-byte stack
buffer using wsprintfW, but no string length check is performed.  By
sending an overly long username as part of the first authentication
request, an exploitable condition is reached.


Vulnerability 2: Authentication Password Overflow
Another stack-based buffer overflow exists within the authentication
portion of rxRPC.dll, which is accessible via TCP/1900.  A sample

Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

According to a comment in a Cyrus SASL include file, a server must
not reuse a Cyrus SASL server handle after a client authentication
failure. Instead, the server must create a new Cyrus SASL server
handle, including the mechanism list, before processing another client
authentication request.

The Postfix SMTP server fails to create a new Cyrus SASL server
handle after authentication failure. This causes memory corruption
when, for example, a client requests CRAM-MD5 authentication, fails
to authenticate, and then invokes some other authentication mechanism

Jetty 6.x and 7.x Multiple Vulnerabilities

A) "Dump Servlet" information leak
   (Affected versions: Any)

By requesting the demo "Dump Servlet" at a URL like "/test/dump/",
it is possible to obtain a number of details about the remote Jetty
instance.

Variables: getMethod, getContentLength, getContentType, getRequestURI,
getRequestURL, getContextPath, getServletPath, getPathInfo,

Secunia Research: HP OpenView Network Node Manager Multiple Vulnerabilities

Node Manager, which can be exploited by malicious people to compromise
a vulnerable system.

1) Various boundary errors in the OpenView5.exe CGI application when
processing parameters can be exploited to cause stack-based buffer 
overflows via HTTP requests to the CGI application with overly long 
parameter strings.

2) A boundary error in ov.dll can be exploited to cause a stack-based
buffer overflow by e.g. sending a HTTP request to the OpenView5.exe 
CGI application with an overly long parameter string.

[MSA01240108] IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling.

MSA01240108: 
IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling.

Date: March 21st, 2008

Tested Versions: 
        Internet Explorer 7.0.5730.11

Tested OS:
        Windows XP Professional SP2 Italian

(TAD-2011-001) Vulnerability in HTC Peep: Twitter Credentials Disclosure

-- Vulnerability description: 

The default Twitter client (or application) in HTC mobile devices is called HTC Peep. HTC Peep is vulnerable to two different credentials disclosure vulnerabilities during the authentication process against the Twitter service (twitter.com).

During the authentication process, the HTC Peep app establishes an HTTP (TCP/80) connection to the twitter.com servers and sends a few OAuth-related HTTP requests. The first two HTTP GET requests obtain and use an OAuth token: "GET /oauth/request_token" (the response contains the "oauth_token") and "GET /oauth/authorize?oauth_token=...". 

The first vulnerability resides in the third HTTP request, a POST to the "/oauth/authorize" resource, which contains several parameters, including the Twitter username and password in the clear, leaving the authentication process open to eavesdropping:

authenticity_token=c8b5abaf53f223e827d9258ddfef4285a816db5f&
oauth_token=I4FK956n1foaHjayLKXJT2IaBpsmoo0amKyPhebc&
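The Python below is an added example, not part of the TAD-2011-001 advisory, of the check an analyst would run over captured requests to flag what this finding describes: credential-looking form fields posted over a connection without TLS. The advisory excerpt above stops before the credential parameters, so the sample POST is constructed; its `username` and `password` field names are hypothetical, not HTC Peep's real ones, while the two token values are the ones shown on the page.

```python
import re
from urllib.parse import parse_qsl

# Field-name patterns for values that must never travel in the clear.
SECRET_FIELD = re.compile(r"pass(word|wd|phrase)?$|secret", re.I)
IDENTITY_FIELD = re.compile(r"user(name)?|login|email", re.I)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def cleartext_credentials(raw: bytes, tls: bool) -> list:
    """Names of credential-like form fields in a request sent without TLS.

    An empty list means nothing to report: the connection was protected,
    or the request carried no credential-looking fields."""
    if tls:
        return []
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    return [name for name, _ in parse_qsl(req["body"], keep_blank_values=True)
            if SECRET_FIELD.search(name) or IDENTITY_FIELD.search(name)]


# Constructed sample modelled on the third request the advisory describes:
# a POST to /oauth/authorize over plain HTTP. The field names after
# oauth_token are hypothetical; the page does not show HTC Peep's real ones.
_BODY = ("authenticity_token=c8b5abaf53f223e827d9258ddfef4285a816db5f&"
         "oauth_token=I4FK956n1foaHjayLKXJT2IaBpsmoo0amKyPhebc&"
         "username=alice&password=hunter2")
SAMPLE_POST = (
    "POST /oauth/authorize HTTP/1.1\r\n"
    "Host: twitter.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
).encode("latin-1")
```

The `tls` flag is decided by the capture layer (port 443 with a completed handshake, or the stream's protocol tag), not by anything in the request itself; a client can post the same body to port 80 and the request bytes look identical.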

CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution

<?php
/*
CA ARCserve D2D r15 GWT RPC Request Auth Bypass /
Credentials Disclosure and Commands Execution PoC

product homepage: http://arcserve.com/us/default.aspx

file tested: CA_ARCserve_D2D_Setup_BMR.zip

tested against: Microsoft Windows Server 2003 r2 sp2

Vtiger CRM 5.0.4 Multiple Vulnerabilities

III. ANALYSIS

Summary:

 A) Remote Code Execution (RCE) Vulnerability
 B) Cross Site Request Forgery (CSRF) Vulnerabilities
 C) Local File Inclusion (LFI) Vulnerability
 D) Cross Site Scripting (XSS) Vulnerability

A) Remote Code Execution (Windows Only) Vulnerability


CORE-2010-0316 - Novell iManager Multiple Vulnerabilities

(see the timeline for more details). In the meantime, users can
mitigate these flaws by applying these countermeasures:

   1. For [CVE-2010-1929 | 40480], establish a Web Application
Firewall rule for limiting the length of the parameters
'EnteredClassID' and 'NewClassName' in POST requests to the URI
'/nps/servlet/webacc/'.
   2. For [CVE-2010-1930 | 40485], establish a Web Application
Firewall rule for limiting the length of the parameter 'Tree' in POST
requests to the URI '/nps/servlet/webacc/'.
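An added example, not Novell's or Core's code, of what those two WAF rules look like as a request check in Python: it matches the method and URI, decodes the form body, and reports any listed parameter whose decoded length exceeds its limit. The byte limits (64) are assumptions chosen for the example; the advisory excerpt states no values.

```python
from urllib.parse import parse_qsl

# One rule per countermeasure above. The limits are assumptions for this
# example, not values taken from the advisory.
RULES = [
    {"method": "POST", "uri": "/nps/servlet/webacc/",
     "params": {"EnteredClassID": 64, "NewClassName": 64}},   # CVE-2010-1929
    {"method": "POST", "uri": "/nps/servlet/webacc/",
     "params": {"Tree": 64}},                                  # CVE-2010-1930
]


def check_request(method: str, uri: str, body: str) -> list:
    """Return (parameter, decoded_length, limit) for every violation in one
    request; an empty list means the request passes the rules."""
    violations = []
    path = uri.split("?", 1)[0]                     # rules match on the path only
    fields = parse_qsl(body, keep_blank_values=True)  # percent-decoded; repeats kept
    for rule in RULES:
        if rule["method"] != method.upper() or path != rule["uri"]:
            continue
        for name, value in fields:
            limit = rule["params"].get(name)
            if limit is None:
                continue
            length = len(value.encode("utf-8"))     # measure what the servlet will see
            if length > limit:
                violations.append((name, length, limit))
    return violations
```

Measure after decoding and match after path normalization: a filter that compares the raw request target misses `%2F`-encoded or doubled slashes, and one that counts percent-encoded characters miscounts the payload that reaches the servlet. Repeated parameter names are checked individually, since a request can carry `Tree=` more than once.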


Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

...  |
...  |
462  | IPSLib::cleanGlobals( $_GET );
463  | IPSLib::cleanGlobals( $_POST );
464  | IPSLib::cleanGlobals( $_COOKIE );
465  | IPSLib::cleanGlobals( $_REQUEST );
466  |
467  | # GET first
468  | $input = IPSLib::parseIncomingRecursively( $_GET, array() );
469  |
470  | # Then overwrite with POST

Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module

=======

Two crafted packet vulnerabilities exist in the Cisco Firewall
Services Module (FWSM) that may result in a reload of the FWSM. These
vulnerabilities can be triggered during the processing of HTTPS
requests, or during the processing of Media Gateway Control Protocol
(MGCP) packets.

A third vulnerability may cause access control list (ACL) entries to not
be evaluated after the access list has been manipulated.


XOOPS 2.5.0 <= Cross Site Scripting Vulnerability

http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe


Parameter: module[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;

[SECURITY] [DSA 2220-1] Request Tracker security update

Debian Security Advisory DSA-2220-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
April 19, 2011                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.6, request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 
                 CVE-2011-1689 CVE-2011-1690

Secunia Research: Danske Bank e-Sec Control Module Error Logging Buffer Overflow

====================================================================== 
5) Time Table 

16/04/2008 - Vendor notified.
16/04/2008 - Vendor response.
25/06/2008 - Status update requested.
27/06/2008 - Vendor response (responsible person is on holiday, but
             will provide status update ASAP).
24/07/2008 - Status update requested.
13/08/2008 - Status update requested.
13/08/2008 - Vendor response.

Multiple vulnerabilities in SUPERAntiSpyware and Super Ad Blocker

After the vendor was contacted and informed about the vulnerabilities, a
new version was released, with all vulnerabilities supposedly fixed.

The vulnerability explained above was fixed by adding
ProbeForRead()/ProbeForWrite() calls in order to catch malformed
requests. However, every affected driver uses METHOD_BUFFERED for all
IOCTL calls. The buffer passed from user mode is first copied to kernel
mode, and will therefore always have a kernel-mode address when accessed
by the above function. Calling ProbeForRead()/ProbeForWrite() on
kernel-mode addresses raises an exception which is appropriately handled,
and the

Aruba Advisory ID: AID-020810 TLS Protocol Session Renegotiation Security Vulnerability

The only ArubaOS component that appears to be affected by this issue is
the HTTPS WebUI administration interface. If a client browser (the
victim) is configured to authenticate to the WebUI over HTTPS using a
client certificate, an attacker can potentially use the victim's
credentials temporarily to execute arbitrary HTTP requests, once for
each HTTPS session the victim initiates to the WebUI. This happens
without any HTTPS/TLS warnings to the victim. In essence, the condition
lets an attacker inject commands at the beginning of an HTTPS session
between the victim and the ArubaOS WebUI.


MITKRB5-SA-2010-001 [CVE-2010-0283] krb5-1.7 KDC denial of service

vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.

AFFECTED SOFTWARE
=================

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.