Google V8 Server-Side JavaScript Injection joins the set of web
application security vulnerabilities
TIME-BASED PHP V8JS INJECTION & NOSQL/SSJS INJECTION
Detecting server-side JavaScript (SSJS) injection vulnerabilities using
time-based techniques. Article by Felipe Aragon - February 25, 2012
This article, which is an update of an article that we originally
published on December 18, 2011, intends to highlight the risk of
large population of vulnerable systems.
*2007-09-10*: Email from the AOL PVT indicating that the bugs are
considered extremely critical by AOL as well and expressing their
intention to provide weekly status updates. An estimated date for fixes
will be forthcoming as soon as they have one. In the meantime, a
server-side mitigation mechanism has been deployed and Core is invited to
test it.
*2007-09-10*: Core acknowledges reception of AOL's last email. We've taken
up the offer to test the mitigation mechanism and although it did prevent
the original proof-of-concept code snippets from working we found that
attacks are still possible with minor tweaks to the original code. Tests
Time-Based Blind NoSQL Injection - Detecting server-side JavaScript
injection vulnerabilities
In July 2011, Bryan Sullivan, a senior security researcher at Adobe
Systems, demonstrated server-side JavaScript injection vulnerabilities
in web applications using MongoDB and other NoSQL database engines. He
demonstrated how they could be used to perform Denial of Service, File
System, Remote Command Execution, and many other attacks, including the
easy extraction of the entire contents of the NoSQL database -- a blind
NoSQL injection attack (paper here at
Detection
---------
The following sections explain how this attack can be partially detected
on the server side, although none of these methods is perfect (except
using OS utilities).
Information at the RDBMS Server side
------------------------------------
Example:
It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.
Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.
Mitigation:
Applications which use serialization-based remoting are likely to be vulnerable. In the long-term, we would recommend users migrate away from serialization-based remoting in cases where the client cannot be trusted, as it is a potential source of vulnerabilities in both Spring and non-Spring applications.
Description:
Blue Coat SG400 is vulnerable to a couple of XSS holes.
Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_action/crl_format' / 'name'
Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_from_file.htm' / 'file'
Notes:
Earlier versions may also be affected.
JSPWiki Local .jsp File Inclusion Vulnerability.
An input validation problem exists within JSPWiki which allows an attacker to
execute (include) arbitrary local .jsp files. An attacker may leverage
this issue to execute arbitrary server-side script code on a vulnerable
server with the privileges of the web server process.
Example (including rss.jsp file from the application root directory):
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss
On Fri, Nov 30, 2007 at 12:50 PM, <research@procheckup.com> wrote:
PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script
Date Found: 19th June 2007
Content-Length: 7
a=3&a=4
-----------------------------
The server side interpretation of this data is as follows:
Request.Params["a"] --> "1,2,3,4,5,6" ( if "a" was registered
as a server-side control ) (ASP.NET Only)
Request.Params["a"] --> "1,2,5,6" ( if "a" was not registered
as a server-side control ) (ASP.NET Only)
Dear Bill From Apache
I think that you didn't understand this vulnerability properly. I ask you to check again and run this exploit with Firefox. After running this exploit, change manually the encoding in Firefox to UTF-7. You will see that the alert will jump up. There is no problem to trick the victim and force him to change the encoding of his browser by a little social engineering.
But if you, apache guys will set 403 page's charset in the server side by writing it in your server code, that will prevent this script running. In IE autoselect will work only if no charset was set to the page in server side.
We know how to solve this problem and if you want we can help you...
Best Regards and with big respect to Apache
Vendor: TietoEnator Abp
Vulnerable versions: unknown
Impact: high
Found: months ago
The login screens of the school administration database system, "login.asp" and "inloggning.asp", as used in an unnamed school district in Finland, contain SQL injection vulnerabilities, which can be easily detected by inserting '||' (the Oracle string concatenation operator and ending and starting quotes) within a valid password or username (they still work), or adding an odd number of quotes (resulting in an exception). The "input validation" in JavaScript must be "defeated" first - there are no signs of any validation done server side.
The program also contains other SQL injection vulnerabilities in text fields etc. accessible after login - especially ones that are used to search for information, which may allow compromise of sensitive personal information in the database via injection to a SELECT query.
The program prints exception handlers to the browser, including Oracle database error strings.
Since the filter does not perform a global match but replaces only the first occurrence,
it is trivial to bypass this control and successfully exploit the flaw.
Moreover we have to remember that multiple attack vectors without the HTML "SCRIPT" tag
exist in this situation.
In the second generation (certainly after version 2.1.4), a server side
validation was finally introduced. Unfortunately a simple NULL byte (%00) is enough
to bypass this checkpoint and reach "location.search" as in the previous
vulnerable versions.
The version 2.1.11 is patched against this vulnerability.
6. *Vendor Information, Solutions and Workarounds*
Contact the vendor for a fix. The following are workarounds for this issue.
6.1. *Server side*
According to OWASP [2], CSRF vulnerabilities can be avoided by checking
the referrer of the HTTP request and verifying that the request comes
from the original site. A potential workaround is thus to set a rule on
a Web Application Firewall that checks the referrer of the requests, and
PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script
Date Found: 19th June 2007
Successfully tested on: version 5.5.2
F5 Networks has confirmed the following versions to be vulnerable:
FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1
PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script
Date Found: 19th June 2007
Successfully tested on: version 5.5.2
F5 Networks has confirmed the following versions to be vulnerable:
FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1
Hmm... just about as easy as convincing a user to blindly accept a
forged SSL certificate or run an executable. At that point, who cares?
> But if you, apache guys will set 403 page's charset in the server side
> by writing it in your server code, that will prevent this script
> running. In IE autoselect will work only if no charset was set to the
> page in server side.
So let's see here... You're advocating that all web pages should have
> Vendor: TietoEnator Abp
> Vulnerable versions: unknown
> Impact: high
> Found: months ago
>
> The login screens of the school administration database system, "login.asp" and "inloggning.asp", as used in an unnamed school district in Finland, contain SQL injection vulnerabilities, which can be easily detected by inserting '||' (the Oracle string concatenation operator and ending and starting quotes) within a valid password or username (they still work), or adding an odd number of quotes (resulting in an exception). The "input validation" in JavaScript must be "defeated" first - there are no signs of any validation done server side.
>
> The program also contains other SQL injection vulnerabilities in text fields etc. accessible after login - especially ones that are used to search for information, which may allow compromise of sensitive personal information in the database via injection to a SELECT query.
>
> The program prints exception handlers to the browser, including Oracle database error strings.
>
The Java Server page /corporate/Controller submits several parameters
to the server when a user attempts to perform these diagnostic
actions. The parameter 'host' is vulnerable to OS command injection.
Some client-side validation is performed to check that the IP address
provided is in a valid format; however, no such validation is performed
on the server side. Hence, a malicious user can easily bypass client-side
validation checks by using an in-line proxy tool and inject an OS
command.
Legitimate input:
__RequestType=ajax&mode=758&tool=1&interface=&host=127.0.0.1&pingipfqdn=127.0.0.1&size=&tracerouteipfqdn=&namelookupipfqdn=&dns=&routelookupipfqdn=&pinginterface=&tracerouteinterface=&selectdns=10.0.0.5&
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-3433
Tim Bunce discovered that PostgreSQL, a database server software, does
not properly separate interpreters for server-side stored procedures
which run in different security contexts. As a result, non-privileged
authenticated database users might gain additional privileges.
Note that this security update may impact intended communication through
global variables between stored procedures. It might be necessary to
- High
[Affected Version]
- Version:5.10.014
[Bug Description and Proof of Concept]
Attackers use source code disclosure attacks to try to obtain the
source code of server-side applications. The basic role of Web servers
is to serve files as requested by clients. Files can be static, such
as image and HTML files, or dynamic, such as ASP, JSP and PHP files.
When the browser requests a dynamic file, the Web server first
executes the file and then returns the result to the browser. Hence,
dynamic files are actually code executed on the Web server.
access to a restricted number of web pages (basically, all the pages under
the "/cgi/maker/" directory).
b) Command-injection vulnerabilities
Some of the web pages the "productmaker" can access are subject to a
command-injection vulnerability, as the server-side script does not properly
validate user-supplied input.
The following URL exploits a command-injection vulnerability inside
"unittest.cgi" page. The payload executes the "ls" command and displays
its output inside the generated web page:
On 3/21/2011 12:16 PM, Luigi Auriemma wrote:
> The following are almost all the vulnerabilities I found for a quick
> experiment some months ago in certain well known server-side SCADA
> softwares still vulnerable in this moment.
At what point in time did you try contacting any of the vendors for
these issues?
Analogy: Car owner has his car speed up ending up in almost near
catastrophe. Car owner goes to media outlets condemning the
IOActive has discovered multiple critical vulnerabilities within the
Mercury SiteScope server monitoring software, some of which allow for
complete remote compromise of the entire monitored network, as well as
arbitrary code execution on all servers managed by the SiteScope
software. It is stressed that, by design, the compromise of a single
SiteScope node, or the server side, allows for the compromise of every
server on the network with the SiteScope agent active.
IOActive is coordinating with the owners of this product, Hewlett
Packard, in order to expediently provide remediation patches for all
affected versions of the system. As such, technical details will not be
The following are almost all the vulnerabilities I found for a quick
experiment some months ago in certain well known server-side SCADA
softwares still vulnerable in this moment.
In case someone doesn't know SCADA (like me before the tests): it's
just one or more softwares (usually a core, a graphical part and a
database) that allow people to monitor and control the various hardware
sensors and mechanisms located in industrial environments like nuclear
plants, refineries, gas pipelines, airports and other less and more
critical fields that go from the energy to the public infrastructures
injection and other attacks. Their TLS sessions are only encrypted
but not protected.
A similar plaintext injection flaw may exist in the way SMTP clients
handle SMTP-over-TLS server responses, but its impact is less
interesting than the server-side flaw.
SMTP is not the only protocol with a mid-session switch from plaintext
to TLS. Other examples are POP3, IMAP, NNTP and FTP. Implementations
of these protocols may be affected by the same flaw as discussed here.
The Pwnie Awards is an annual awards ceremony celebrating the achievements and
failures of security researchers and the wider security community in the past
year. We're currently accepting nominations in nine award categories:
* Best Server-Side Bug
* Best Client-Side Bug
* Mass 0wnage
* Most Innovative Research
* Lamest Vendor Response
* Most Overhyped Bug
Technical Description
=====================
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity.
In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts.
Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies.
In contrast to stealing a user's session ID after they have logged into a web site, session fixation provides a much wider window of opportunity. The active part of the attack takes place before the user logs in.
Pollution [1]. I would like to share it with you.
HPP attacks consist of injecting encoded query string delimiters into
other existing parameters. If a web application does not properly
sanitize the user input, a malicious user can compromise the logic of
the application to perform either client-side or server-side attacks.
One consequence of HPP attacks is that the attacker can potentially
override existing hard-coded HTTP parameters to modify the behavior of
an application, bypass input validation checkpoints, and access and
possibly exploit variables that may be out of direct reach.
Vendor informed: 4th July 2007
Successfully tested on: Absolute Poll Manager XE - Version 4.1. Earlier versions are possibly affected as well but have NOT been tested.
Description: Absolute Poll Manager XE is vulnerable to a vanilla XSS within the "/AbsolutePollManager/xlaapmview.asp" server-side script and "msg" parameter.
No authentication is required to exploit this vulnerability
Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a polls management user who clicks on a link to a site managed by Absolute Poll Manager. Such code would run within the context of the target domain.