The idea of putting XSS code in the parameter (i.e. after '?') is to avoid
redirection in case the particular site (which is used in the attack) is
configured in such a way. So using any holes is not needed, just any
working page of any working site. The XSS code will appear in the html file
saved to the disk. So on every particular site it's needed to use any
working page. And for a hidden attack via iframe (on any web site) it's
possible to use any stably working site (such as google.com).
Second, this variant of attack is working (and so I'm using this example for
all affected browsers) in the first hole in IE (as I wrote in 2007), in Google
The download is started using the StartDownload method of the ActiveX
control. When the download starts, the ActiveX control creates a
temporary configuration file after which it invokes a separate program
(Manager.exe) that performs the download. Download Manager will first
ask the user where the file has to be saved (figure 1).
http://www.akitasecurity.nl/advisory/AK20090402/001_dlm_save_as_dialog.png
Figure 1: Download Manager Save As dialog
If the user chooses to save the file, the download window is displayed.
The following functions are affected by these issues:
Evolution plugin:
* processTnef()
* saveVCard()
* saveVCalendar()
* saveVTask()
yTNEF:
* ProcessTNEF()
Saving to: `/dev/null'
[ <=> ] 5,136
32.6K/s in 0.2s
2009-08-16 21:15:05 (32.6 KB/s) - `/dev/null' saved [5136]
$ wget http://$GoogleHost/ -O /dev/null -T 5
--2009-08-16 21:15:07-- http://74.125.65.106/
Connecting to 74.125.65.106:80... connected.
HTTP request sent, awaiting response... 200 OK
Hello Thierry!
> Your saying above that this attack works if "Initialise and script
> ActiveX control not marked as safe" is ENABLED.
This Saved XSS hole works even with this option disabled (i.e. with default
settings). But when we want to use ActiveX in our code (e.g. for a Code
Execution attack), then such a problem occurs. It's a bug in IE (when there is a
preceding comment tag), which I found when researching the possibility of making
CE via XSS in IE. So I found the workaround for this bug - to set this
option to Enabled or Prompt (for Local intranet).
A Remote Code Execution vulnerability exists in Vtiger CRM version
5.0.4. In order to exploit this vulnerability an account on the CRM
system is required.
The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.
This routine performs some security checks on uploaded files: it
does blacklist extension checking, and if a bad extension is detected the
/* execve("/bin/sh", NULL, NULL) -
Take advantage of the 4.3 BSD UNIX VM.
It always puts the process entry point (_start) at address 0x00000000.
This gives us valid memory (a zero-byte string, since the first two bytes
of procedures like _start on VAX (those called with "callg" instr.) are
the saved register-mask, and in _start's case this is zero (does not matter).
Furthermore, this line in kern_exec.c checks if:
if (ap == NULL && uap->envp) {
uap->argp = NULL;
...
Technical Explanation
=====================
The string below is not properly sanitized when the web page is saved
after adding a picture using the application's text editor:
"""></P></div></td><script>alert("bingo");</script>
The text between the script tags will be injected into the page upon
-----Original Message-----
From: MustLive [mailto:mustlive@websecurity.com.ua]
Sent: Sunday, November 14, 2010 6:54 PM
To: bugtraq@securityfocus.com
Subject: Saved XSS vulnerability in Internet Explorer
Hello Bugtraq!
I want to warn you about Cross-Site Scripting vulnerability in Internet
Explorer. This is Post Persistent XSS (Save XSS)
(http://websecurity.com.ua/2641/).
-------------------------
Affected products:
-------------------------
> greets from austria, michael
See above: you overwrote the saved EBP, ECX, and 3 bytes of ESP. If I
recall correctly, on stack-grows-down architectures (Intel etc. -
likely yours) the saved value of EBP occurs at a lower memory address
than the saved value of EIP (your target). The strcpy() call will copy
bytes to increasing memory addresses, so add bytes to the COPY array -
i.e. lengthen it.
Note that Internet Explorer does not crash when trying to
execute EIP; attach a tool like faultmon to the IE sub-process.
(*)
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<666;i++){x = x + "AAAA"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 SQL Server Native Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=xxxxxx;UID=sa;PWD=null";
obj.Open();
$dest = "unnumbered-";
} else {
$dest = "{$usersnum}-";
}
$suffix = substr(strrchr($_FILES['ivrfile']['name'], "."), 1);
$destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
echo "<h6>"._("Successfully uploaded")."
".$_FILES['ivrfile']['name']."</h6>";
$rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
} ?>
forgets to check the value of the 'csrfid' token when processing 'POST'
requests, even though the 'csrfid' hidden field is included in every
'FORM', making the application vulnerable to Cross-Site Request Forgery.
The vulnerable areas of the WebSphere administrative console include the
'Security > Global Security' panel [6], and the 'Save changes to the
master configuration' feature. This makes it possible for a remote attacker
to disable the 'Administrative Security', 'Application Security' and
'Java 2 Security' options, and then to save the changes to the
configuration, by tricking an IBM WebSphere administrator who is
currently logged in to the administrative console into visiting a malicious
Google Chrome has an inbuilt file downloader[1], just like every other
browser. However, the behavior of this function is different from other
browsers and provides users much more usability and convenience. Chrome
automatically downloads a file from any site that is passed using the
Content-Disposition header value "attachment" (on the contrary, all other
browsers show a save as dialog). There are some mitigations done by Chrome
to protect users from auto downloading malware by raising an alert on
executable extensions such as .exe, .htm, .jar, etc.
The vulnerability arises from the fact that there are other extensions such
as .svg, .mht, .mhtml that don't exist in Chrome's malicious extension
Advisory: Cross-Site Scripting vulnerabilities in Icinga
Advisory ID: SSCHADV2011-001
Author: Stefan Schurtz
Affected Software: Successfully tested on: icinga-1.3.0 / icinga-1.2.1
Vendor URL: http://www.icinga.org
Vendor Status: fixed csv export link to make it XSS save (IE) #1275
CVE-ID: -
==========================
Vulnerability Description:
==========================
Summary:
A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting this vulnerability, a remote attacker can
make users download an arbitrary file and save it to an arbitrary
location while they are visiting a malicious web page. This means an
attacker who successfully exploits this vulnerability can run
arbitrary code on the affected system.
policy defined in the Windows registry.
A remote user is capable of crafting a link that, when clicked, will spawn
Skype.exe on a client using a Datapath location which is present on a remote
SMB share. The Skype client will load any configuration or security policy
present, and save the user's Skype account information to the remote share.
This allows a remote user to control the Skype configuration and security
policy of the local client instance of Skype. Settings such as a remote
proxy can be defined, which could be used to man-in-the-middle Skype
communications.
Debasis Mohanty wrote:
> No offence intended but if you take a little more effort of validating your
> work before posting publicly then you can save yourself from embarrassment.
>
> I don't see anything in the script that can bypass zone security and run
> successfully from internet zone. I am sure you have tested it locally and
> drawn conclusion that the script can execute from internet zone. To test the
> script from internet zone, you need to upload it to a webserver and try
> accessing via browser.
>
Mathcad Security Vulnerability Briefing - CVE-2007-4600
Synopsis of Vulnerability
==========================
The ‘Protect Worksheet’ functionality, used to protect sections of Mathcad sheets from alterations, in versions 12 through 14 is easily bypassed, allowing access to the protected data, due to the implementation of the file format used to save the files.
Background on Mathcad
======================
Mathcad (http://www.ptc.com/appserver/mkt/products/home.jsp?k=3901) is used to perform, document and share calculation and design work. The unique Mathcad visual format and scratchpad interface integrate standard mathematical notation, text and graphs in a single worksheet - making Mathcad ideal for knowledge capture, calculation reuse, and engineering collaboration.
Download vulnerabilities in Google Chrome, which I wrote about in detail in the
article Automatic File Download vulnerabilities in browsers
(http://websecurity.com.ua/2438/).
The goal of this research was to create a method of conducting File Download
attacks in different browsers (and DoS attacks via SaveAs functionality),
which I called the SaveAs attack.
And even this attack (file saving) is not going automatically (as it took
place in the first versions of Chrome - in newer versions of its browser
Google fixed this vulnerability, after my warnings, and the browser asks before
Description:
------------
Via this bug, an attacker can save a file in a path that is not allowed in
open_basedir.
Reproduce code:
---------------
<?php
// Author : Sina Yazdanmehr (R3d.W0rm) ; Our Site : http://IrCrash.com
if(!extension_loaded('pdf')){
New keys can be generated using ssh-keygen, e.g.:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
> Privilege Escalation attack
>
> POC:
>
> ::Save the following as a batch file and execute it.
> :here
> taskkill /im smcgui.exe /f
> goto :here
>
> Now since the smcgui.exe is running in the user account, It will not be
necessary changes.
Details follow:
USN-645-1 fixed vulnerabilities in Firefox and xulrunner. The upstream
patches introduced a regression in the saved password handling. While
password data was not lost, if a user had saved any passwords with
non-ASCII characters, Firefox could not access the password database.
This update fixes the problem.
We apologize for the inconvenience.
THE PROBLEM
Many web authoring tools that automatically generate SWFs insert
identical and vulnerable ActionScript into all saved SWFs or necessary
controller SWFs (think of tools that "save as SWF", "export to SWF",
etc.). The vulnerable ActionScript can be used by attackers to execute
arbitrary JavaScript in the security domain of the website hosting the
SWF.
* Select the model from the product search results.
* Select the product.
* Select the operating system.
* In the Firmware – System section, locate the latest firmware package and click Download >> .
* To see the release notes with installation instructions, click on the package Description and then the Release Notes tab.
* Click on save and select a directory to save the package.
* Follow the installation instructions to complete the firmware update.
PRODUCT SPECIFIC INFORMATION
None
Security Advisory
IS-2010-001 - Netgear WG602v4 Saved Pass Stack Overflow
Advisory Information
--------------------
Published:
2010-05-30