not full disclosure to him. It's like when you hear about a "known
issue" from Microsoft. If I didn't know about it, how in the heck is
it a known issue? Just because someone in Redmond knows about it
doesn't mean the rest of us do.
I have captcha on a blog site I run. I get folks able to bypass the
filter and post spam comments that get filtered and then a week later or
so get deleted, and the CPU use on the site sucks. But that could
also be the software I'm running.
Maybe I'm jaded but my understanding of the risk is right, if all
Hello Susan!
> Pardon me, but you disclosed it at your site before you informed the
> developers?
Yes, and there is a reason for it. In 99% of cases I use the advanced responsible
disclosure approach for informing admins and web developers about
vulnerabilities. But this time I used responsible full disclosure. I
wrote in detail about all disclosure policies (including these ones) in my
article "Hacking of web sites, security researches, disclosure and
- Discovered by : Inferno
=============================================
I. TITLE
-------------------------
Hijacking Safari 4 Top Sites with Phish Bombs
II. VULNERABLE
-------------------------
Safari 4 all versions < 4.0.3
Platforms affected - Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X
Issues have been found in the way that security policies are applied
when a URI is specified in the UNC form:
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'
* When a remote site attempts to access a local resource, Internet
Explorer will fail to enforce the Zone Elevation restrictions.
* When browsing a remote site, Internet Explorer will not apply the
right Security Zone permissions, allowing a site belonging to a less
secure zone to be treated as one belonging to a more privileged zone.
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project
WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
======================================================================
Reported: 22 December 2007, Occurred: 22 December 2007
Classifications:
----------------------------------------------------------------
Script : Pluck 4.5.2
Type : Multiple Cross Site Scripting Vulnerabilities
Alert : Medium
----------------------------------------------------------------
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of users' machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability of a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname of the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using a URI specified in UNC form and force the local content to
be rendered as an HTML document, which will permit scripting to run
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
2) Severity
Rating: Moderately critical
Impact: SQL Injection
Local File Inclusion
Cross-Site Scripting
Cross-Site Request Forgery
Where: Remote
======================================================================
3) Vendor's Description of Software
Firefox 3.0.11 and Google Chrome you can't get to cookies this way", which
is the same as what you wrote, but in a more laconic way. And in the same
paragraph I wrote "but it's possible in old Mozilla (and in those versions
of Firefox where there is a relation between the data: page and the original page)".
So there are browsers in which data: URIs from redirectors inherit the context
of the site. In any case JavaScript execution is dangerous even without
a relation to the original site.
Your position is similar to Mozilla's position. And because Mozilla declined
to fix this hole due to "lack of inheritance" between the data: URI and the site
with the redirector, and Chrome also has no such inheritance, I didn't send my
======================================================
=================
= Opera Stored Cross Site Scripting Vulnerability
=
= Vendor Website:
= http://www.opera.com
=
= Affected Version:
= -- All desktop versions
=
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command
Injection
Remotely Exploitable: Yes
Locally Exploitable: No
Hello Hans!
First, it's not a site-specific hole, it's browser-specific. So the issue is in
the browser and it'll work at any site. And I used a universal PoC (suitable
for most cases). For online testing and especially for attacking purposes
you can use any working web site (e.g. google.com).
http://www.google.com/webhp?--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
The idea of putting the XSS code into the parameter (i.e. after '?') is to avoid
Hi,
A new type of vulnerability is described in which publicly available
information from social network sites, obtained out of context, can be
used to identify a user in cases where anonymity is taken for granted.
This attack (dubbed Cross Site Identification, or CSID) assumes the
following scenario: A user that is currently logged on to her social
network account visits a 3rd party site, supposedly anonymously, in
another browser tab. The 3rd party site causes her browser to contact
Hello Bugtraq!
I want to warn you about security vulnerabilities in eSitesBuilder. It's a
Ukrainian CMS which is used particularly for e-commerce sites.
I found these vulnerabilities in 2007-2008 at one online shop site
(and later I found some of these vulnerabilities at another site on this
engine). And recently I found that this engine for online shops is
eSitesBuilder.
This is an important note by Vladimir. And about attacks from the e-mail vector I
wrote a separate advisory (published yesterday, as I mentioned above). And
soon I'll post it to security mailing lists.
> as sites that are allowing the rogue scripts
Don't worry about how bad guys will be placing JS code or a page with
iframes at a web site for this attack - it'll be their own problem. And if
they want they will do it. And after they place the attacking code (JS or HTML)
on the target site, then it'll already be a problem of the users of this site (which
> MustLive notified us on 13.4.2010 - that's 13 days after disclosure.
As I wrote in my advisory (in "Timeline") there were the following important dates:
17.03.2010 - found vulnerability.
31.03.2010 - disclosed at my site.
01.04.2010 - informed the developer of CB Captcha 1.x. And because I found another
version of the plugin by another author, after checking it later I
informed the author of CB Captcha 2.x.
13.04.2010 - additionally informed the developers of Community Builder (both
joomlapolis.com and communitybuilder.ru).
Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------
Pardon me, but you disclosed it at your site before you informed the
developers?
I don't even know what Dunia soccer is but how about you give vendors a
III. ANALYSIS
Summary:
A) Remote Code Execution (RCE) Vulnerability
B) Cross Site Request Forgery (CSRF) Vulnerabilities
C) Local File Inclusion (LFI) Vulnerability
D) Cross Site Scripting (XSS) Vulnerability
A) Remote Code Execution (Windows Only) Vulnerability
(http://www.securityfocus.com/archive/1/505251/30/0/threaded). There I made
enough arguments why it's a dangerous vulnerability and why Mozilla and
Michal are not right and so it's better to fix it. Read my message at
Bugtraq, maybe it'll change your mind on this issue ;-).
> The best way to defend against any Cross Site Scripting attacks is to
> sanitize all inputs and outputs properly on your website
XSS vulnerabilities must be fixed, and when they are made at web sites, then
they must be fixed at web sites. But in this case browser developers made
XSS holes (JavaScript execution) in redirectors, so they just from
Product web page: http://brownbearsw.com/calcium/WhatIsIt.html
Vendor's Product Description:
Calcium is a Web Calendar application. It will run on nearly any machine with a web server that can run Perl CGI scripts; a web browser is all you need to view, edit, and manage any number of calendars from any network connected computer. All administration is done with your browser - after installation, there's no need to log in to the web server.
Vulnerability class: Cross-Site Scripting
Severity: Medium
Vulnerability details:
Calcium web calendar is vulnerable to "reflected" (type 1) cross-site scripting (XSS). For a discussion of the various types of XSS, and XSS in general, see
http://en.wikipedia.org/wiki/Cross_Site_Scripting
Insecure web application programming or configuration
Technical Description
=====================
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity.
In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts.
Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies.
==========================================================================
Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability
==========================================================================
1. OVERVIEW
Drupal 5.x and 6.x are currently vulnerable to Stored Cross Site Scripting.
Define vulnerability here. I don't think this is one.
Granted I have to apologize that my post was a very tongue-in-cheek
snarky comment regarding the fact that Mr. MustLive appears to be
posting up one by one every web site that he finds with a bad captcha
implementation. I was outing myself in advance because the captcha on
my blog site lets spammers wiggle in. But the spam clean-up routine
clears it out in a week, so at most it's an annoyance to me, not a
vulnerability. So I know I have this issue, but on my stack of risks to
worry about, this is not one that keeps me awake at night.
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-0432
Cisco Security Advisory: Cisco Global Site Selector Appliances DNS
Vulnerability
Advisory ID: cisco-sa-20090107-gss
http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml