not full disclosure to him. It's like when you hear about a "known
issue" from Microsoft. If I didn't know about it, how in the heck is
it a known issue? Just because someone in Redmond knows about it
doesn't mean the rest of us do.
I have captcha on a blog site I run. I get folks able to bypass the
filter and post spam comments that get filtered and then a week later or
so get deleted off, and the CPU use on the site sucks. But that could
also be the software I'm running.
Maybe I'm jaded, but if my understanding of the risk is right, if all
Hello Susan!
> Pardon me, but you disclosed it at your site before you informed the
> developers?
Yes, and there is a reason for it. In 99% of cases I use the advanced responsible
disclosure approach for informing admins and web developers about
vulnerabilities. But this time I used responsible full disclosure. I
wrote in detail about all disclosure policies (including these ones) in my
article "Hacking of web sites, security researches, disclosure and
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project
WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
======================================================================
Reported: 22 December 2007, Occurred: 22 December 2007
Classifications:
----------------------------------------------------------------
Script : Pluck 4.5.2
Type : Multiple Cross Site Scripting Vulnerabilities
Alert : Medium
----------------------------------------------------------------
Introduction:
=============
osCMax is a powerful e-commerce/shopping cart web application. There are many advantages to using osCMax as your
e-commerce/shopping cart for your web site. It has all the features needed to run a successful internet store
and can be customized to whatever configuration you need. osCmax is community developed software that is free,
open source and hosted on your own web server. It is easy enough to use for small startup stores and feature
rich to support very large operations that need more advanced eCommerce features. There are no artificial limits
placed on the feature set, amount of products or sales amounts which is commonly seen with paid or
hosted eCommerce solutions.
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
2) Severity
Rating: Moderately critical
Impact: SQL Injection
Local File Inclusion
Cross-Site Scripting
Cross-Site Request Forgery
Where: Remote
======================================================================
3) Vendor's Description of Software
=================
= Opera Stored Cross Site Scripting Vulnerability
=
= Vendor Website:
= http://www.opera.com
=
= Affected Version:
= -- All desktop versions
=
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command
Injection
Remotely Exploitable: Yes
Locally Exploitable: No
Firefox 3.0.11 and Google Chrome you can't get to cookies this way", which
is the same that you wrote, but in a more laconic way. And in the same
paragraph I wrote "but it's possible in old Mozilla (and in those versions
of Firefox where there is relation between data: page and original page)".
So there are browsers in which data: URIs from redirectors inherit the context
of the site. In any case JavaScript execution is dangerous even without
relation with the original site.
Your position is similar to Mozilla's position. And because Mozilla declined
to fix this hole due to "lack of inheritance" between data: URI and the site
with redirector, and Chrome also has no such inheritance, I didn't send my
Hello Hans!
First, it's not a site specific hole, it's browser specific. So the issue is in
the browser and it'll work at any site. And I used a universal PoC (suitable
for most cases). For online testing and especially for attacking purposes
you can use any working web site (e.g. google.com).
http://www.google.com/webhp?--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
The idea of putting XSS code to the parameter (i.e. after '?') is to avoid
> MustLive notified us on 13.4.2010 - that's 13 days after disclosure.
As I wrote in my advisory (in "Timeline") there were the following important dates:
17.03.2010 - found vulnerability.
31.03.2010 - disclosed at my site.
01.04.2010 - informed developer of CB Captcha 1.x. And because I found another
version of the plugin by another author, and after checking it later I
informed the author of CB Captcha 2.x.
13.04.2010 - additionally informed developers of Community Builder (both
joomlapolis.com and communitybuilder.ru).
This is an important note by Vladimir. And about attacks from the e-mail vector I
wrote a separate advisory (published yesterday, as I mentioned above). And
soon I'll post it to security mailing lists.
> as site's that is allowing the rogue scripts
Don't worry about how bad guys will be placing JS code or a page with
iframes at a web site for this attack - it'll be their own problem. And if
they want they will do it. And after they placed attacking code (JS or HTML)
on target-site, then it'll be already a problem of users of this site (which
Hello Bugtraq!
I want to warn you about security vulnerabilities in eSitesBuilder. It's a
Ukrainian CMS which is used particularly for e-commerce sites.
I found these vulnerabilities in 2007-2008 at one online shop site
(and later I found some of these vulnerabilities at another site on this
engine). And recently I found that this engine for online shops is
eSitesBuilder.
Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------
Pardon me, but you disclosed it at your site before you informed the
developers?
I don't even know what Dunia soccer is but how about you give vendors a
III. ANALYSIS
Summary:
A) Remote Code Execution (RCE) Vulnerability
B) Cross Site Request Forgery (CSRF) Vulnerabilities
C) Local File Inclusion (LFI) Vulnerability
D) Cross Site Scripting (XSS) Vulnerability
A) Remote Code Execution (Windows Only) Vulnerability
Define vulnerability here. I don't think this is one.
Granted I have to apologize that my post was a very tongue in cheek
snarky comment regarding the fact that Mr. MustLive appears to be
posting up, one by one, every web site that he finds with bad captcha
implementation. I was outing myself in advance because the captcha on
my blog site lets spammers wiggle in. But the spam clean up routine
clears it out in a week so at most it's an annoyance to me, not a
vulnerability. So I know I have this issue, but on my stack of risks to
worry about, this is not one that keeps me awake at night.
Hi,
A new type of vulnerability is described in which publicly available
information from social network sites obtained out of context, can be
used to identify a user in cases where anonymity is taken for granted.
This attack (dubbed Cross Site Identification, or CSID) assumes the
following scenario: A user that is currently logged on to her social
network account visits a 3rd party site, supposedly anonymously, in
another browser tab. The 3rd party site causes her browser to contact
Cisco Security Advisory: Cisco Global Site Selector Appliances DNS
Vulnerability
Advisory ID: cisco-sa-20090107-gss
http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml
Issues have been found in the way that security policies are applied
when a URI is specified in the UNC form:
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'
* When a remote site attempts to access a local resource, Internet
Explorer will fail to enforce the Zone Elevation restrictions.
* When browsing a remote site, Internet Explorer will not apply the
right Security Zone permissions, allowing a site belonging to a less
secure zone to be treated as one belonging to a more privileged zone.
Insecure web application programming or configuration
Technical Description
=====================
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity.
In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts.
Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies.
vulnerabilities could allow a remote attacker to execute arbitrary
code on the system with the privileges of a targeted user.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on a WebEx meeting
site or on the computer of an online meeting attendee. The players
can be automatically installed when the user accesses a recording
file that is hosted on a WebEx meeting site. The players can also be
manually installed for offline playback after downloading the
application from www.webex.com.
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-0432
- Discovered by : Inferno
=============================================
I. TITLE
-------------------------
Hijacking Safari 4 Top Sites with Phish Bombs
II. VULNERABLE
-------------------------
Safari 4 all versions < 4.0.3
Platforms affected - Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X
2. *Vulnerability Information*
Class: Protection Mechanism Failure [CWE-693], Authentication Issues
[CWE-287], Cross-Site Scripting (XSS) [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274
Advisory # 1:
TITLE
Cross Site Scripting vulnerability in ArubaOS and AirWave
Administration Web Interfaces.
SUMMARY
A persistent Cross Site Scripting vulnerability (XSS) was discovered