Research by Hernan Pereira and associates.
No response from Speedy in the past 15 days.
Proceeding with disclosure.
A DoS vulnerability exists in NetCache proxies of at least some areas
of Speedy Argentina ISP (201.255.64/18), by which a URL could be rendered
inaccessible by means of the prefetch cache control directive.
Summary
=======
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco
Unified IP Interactive Voice Response (Unified IP-IVR) contain a
directory traversal vulnerability that may allow a remote,
unauthenticated attacker to retrieve arbitrary files from the
filesystem.
Cisco has released free software updates that address this
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs
Microsoft Server Message Block (SMB) Protocol is a Microsoft network
file sharing protocol also used for sharing printers, communications
abstractions such as named pipes and mailslots, and performing Remote
Procedure Calls (DCE/RPC over SMB) [1].
NTLM (NT Lan Manager) is a challenge-response authentication protocol
used by the SMB protocol [2].
Windows systems commonly use the SMB protocol with NTLM authentication
for network file/printer sharing and remote administration via DCE/RPC.
Summary:
A) Prelude to the vulnerabilities
B) Cross Site Scripting
C) HTTP Response Header Injection
D) HTTP Response Splitting
A) Prelude to the vulnerabilities
What follows is the code used to validate the user input:
- Table of Contents -
OPENNMS MULTIPLE VULNERABILITIES
Vendor
Application Description
OpenNMS HTTP Response Splitting Vulnerability
Vulnerability Information
Vulnerability Details
Proof-of-Concept
OpenNMS Cross-Site Scripting Vulnerabilities
Vulnerability Information
12/05/2007 - Initial Discovery
12/12/2007 - Contacted Cert Coordination Center to attempt to obtain
appropriate vendor contact information.
12/17/2007 - Additional work on details, proof of concept
interim - No response from Macrovision either directly or through Cert (who
kept in constant contact with me).
01/02/2008 - Posted to product request site for security contact information.
01/08/2008 - Automated sales response, asking how "Product Evaluation" is
going.
01/18/2008 - In contact with sales representative @ Macrovision
Details
=======
SCCP and SIP-Related Vulnerabilities
* DNS Response Parsing Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SCCP and SIP firmware contain a buffer overflow
vulnerability in the handling of DNS responses. A
specially-crafted DNS response may be able to trigger a buffer
Affected Vendor: Cisco Systems, Inc
Affected Product: Cisco Unified Communications Manager
Platform: All
Impact: Privilege Escalation
Vendor response: Patch. IntelliShield ID 21656
CVE: CVE-2010-3039
Credit: Knud / nSense
Technical details
---------------------------------------------------------------
error messages belong to different categories such as Alerts, Startup, Operational
and Policy Errors, so I'm assuming that the OPTIONS HTTP method doesn't fit in
any of the mentioned categories, resulting in a message explaining that there's
no handler for this type of request, which discloses an internal IP address.
Cisco PSIRT (Product Security Incident Response Team) responded by saying that the
bug is triggered not only by the OPTIONS request. The internal IP address is included
in the response whenever ACE XML Gateway is not able to find a matching handler for the
request. The PSIRT also verified that a GET request, with a path for which no
handler was configured, results in the same address disclosure.
No response.
02 VII 2009: Security bulletin released.
Response: ?
Rationale:
The vendor has not responded, responsibly or otherwise, within 34
working days. The bulletin was released in the hope that users will be able
to protect themselves against these serious threats before the vendor
releases fixes and before the bad guys reach them first.
Links:
Depending on the application server and web server configuration, this
could be used to bypass security controls implemented on the web
server.
In addition, by injecting secondary requests which are unseen by the web
server, this causes the pairings of requests and responses to lose
correct synchronization. When attacking web servers that are
configured using simple proxy pairings (for instance, under Apache HTTPD
with WebLogicHost and WebLogicPort settings), this does not appear to
create many avenues of attack since web server TCP connections appear to
be directly paired with TCP connections to the application server.
-----Original Message-----
From: Security Mailing List <s3clist@hotmail.com>
Date: Thu, 15 Mar 2012 10:33:19
To: Zach C.<fxchip@gmail.com>
Cc: <bugtraq@securityfocus.com>
Subject: Re: Android wireless accepts fake response (No interaction requires)
(Vulnerability ?)
You are not wrong. However, in this case, the point is to capture "WPA
handshake"(not WPA key) in order to brute-force for WPA key. This attack
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Disclosure Timeline (YYYY/MM/DD):
=================================
2008.02.??: Vulnerability found
2008.02.??: Reported to Vendor (no response)
2009.11.28: Tested the current versions and updated this advisory
2009.11.30: Asked vendor for a PGP Key
2009.11.30: Vendor sent PGP Key
2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.12.17) to Vendor
=================================
2009.09.09: Vulnerability found
2009.09.15: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.10.01) to Vendor
2009.09.15: Vendor response asking to resend the PoC in a zipped,
password-protected file (AV problem)
2009.09.15: Resent the PoC as a zipped, password-protected file
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Asked for a status update, because the planned release date is
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
the box".
II. DESCRIPTION
Multiple vulnerabilities exist in Cacti software (XSS, SQL Injection,
Path Disclosure, HTTP Response Splitting).
III. ANALYSIS
Summary:
A) XSS Vulnerabilities
Apache mod_negotiation XSS and HTTP Response Splitting
Date: January 22nd, 2008
Tested Versions: Apache <= 1.3.39
<= 2.0.61
<= 2.2.6
Minded Security ReferenceID: MSA01150108
If you discovered this vulnerability while performing your standard
duties within the company, you have an obligation to your company and to
your customers to report it to the appropriate company leaders as
quickly as possible. Going on the assumption that you discovered the
vulnerability while performing your standard duties, you should follow
your company's formal incident response procedures. Each company should
have incident response procedures or a whole incident response team to
deal with these sorts of situations. If you are not sure whether your
company has incident response procedures or an incident response team,
check with the HR department (to avoid prematurely alarming the IT
department).
handshake"(not WPA key) in order to brute-force for WPA key. This attack
allows an attacker to capture your "WPA handshake" even though the
legitimate access point is not there. The attacker could create a fake
access point to steal "WPA handshake"(from a client) when you attend
conferences. This attack would not work with an iPhone, iPad or other PCs
with Windows OS because they would discard the fake probe response in the
first place.
Nevertheless, I do not confirm this behavior as a vulnerability. I
personally do not see much opportunity to exploit this behavior. The
only opportunity I can think of is the situation where attacking
____
From: Security Mailing List [s3clist@hotmail.com]
Sent: Monday, March 12, 2012 2:25 AM
To: bugtraq@securityfocus.com
Subject: Android wireless accepts fake response (No interaction
requires) (Vulnerability ?)
## Android wireless accepts fake response (No interaction requires)
(Vulnerability ?) ##
======================================================================
6) Time Table
26/03/2010 - Vendor contacted to obtain security contact details.
29/03/2010 - Vendor response with details on security contact.
29/03/2010 - Vulnerability report sent to security contact (along with
references to SA30403 and SA26800).
07/04/2010 - Vendor response (requesting additional details).
07/04/2010 - Additional details provided.
08/04/2010 - Vendor response (fix expected within 2-3 days).
/65AfariaFx55/65AfariaFx55Admin/65AfariaFx55.htm
Timeline:
August 21st    Contacted vendor PSIRT
September 2nd  Vendor responded. Patch confirmed
September 2nd  Inquired patch release date
September 2nd  Vendor responded. No release date yet available.
September 22nd Status update request sent to vendor
September 23rd Vendor responded. No release date available.
Summary
-------
A vulnerability exists in the Microsoft SMB client which allows an attacker to
trigger a kernel pool memory corruption by sending a specific
'Negotiate Protocol' response.
Successful exploitation of this issue may result in remote code execution with
kernel privileges. Failed attempts may result in a remote denial of service.
Description
The document module of the SharePoint server allows attackers to inject
malicious scripts into dynamically generated web content through file
uploading. These scripts will be executed in the browser of any user viewing
the infected content (persistent cross site scripting).
Further research and correspondence with Microsoft Security Response Center
has identified that a partial mention of this vulnerability appears in
CVE-2008-5026. However, as this is only partial, there is no bugtraq record
for this vulnerability and there is no fix (making it still valid on most
SharePoint deployments), we have decided to release this to the list.
"test-jetty-webapp/src/main/java/com/acme/CookieDump.java".
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Excerpt: the handler reads its parameters straight from the request;
// the rest of the method is not reproduced on this page.
protected void handleForm(HttpServletRequest request,
                          HttpServletResponse response)
{
    String action = request.getParameter("Action");
    String name = request.getParameter("Name");
    String value = request.getParameter("Value");
    String age = request.getParameter("Age");
    // ... (remainder of the method truncated in this excerpt)
}