Discovered by : Khashayar Fereidani
Team Website : HTTP://IRCRASH.COM ( IRCRASH Security Community )
Facebook : http://facebook.com/fereidani
Twitter : https://twitter.com/#!/IRCRASH
Facebook Page : http://www.facebook.com/pages/IRCRASH/127804297326163
Software Developer : http://www.dokuwiki.org/
######################################################################################
Test System Details
OS : Linux
WebServer : Nginx + PHP-5.3.5
WebBrowser : Firefox 10
Dr. David Billard, Court Expert in France and Switzerland, LERTI & Univ. of Geneva
Mr. Martin Salois, Defence Scientist, DRDC
Mr. Frédérick Gaudreau, Captain, Sûreté du Québec
Dr. Andrew Vallerand, Director, Science & Technology Public Security, DRDC
Mr. Jeremy Ashton, Senior Security Consultant, Bell Canada
Mr. Fabrice Jaubert, Software Developer, Google
Mr. John Weigelt, National Technology Officer, Microsoft
Dr. Bernard Dupont, Professor and CRC Chair, University of Montreal
Mr. Tim Treat, Manager, Mandiant
Me. Michael Power, Barrister and Solicitor, Canada
Mr. Andre Leduc, Senior Policy Analyst, Industry Canada
Charles Morris
cmorris@cs.odu.edu,
cmorris@occs.odu.edu
Network Security Administrator,
Software Developer
Office of Computing and Communications Services,
CS Systems Group Old Dominion University
http://www.cs.odu.edu/~cmorris
======================================================================
3) Vendor's Description of Software
"Whether you require export of documents to Web-ready HTML or valid
XML, high-speed filtering, or high-fidelity viewing capabilities,
KeyView has a software developer kit that you can use."
Product Link:
http://www.autonomy.com/content/Products/KeyView/index.en.html
======================================================================
forum (http://eocms.com/). On October 15, 2009, Bkis Security detected a
SQL injection vulnerability in some functions of eoCMS.
This is a critical vulnerability which allows a hacker to access the data
in the database and execute unauthorized tasks. Bkis has informed the
software developer team, and they have patched the vulnerability in the
latest software version - eoCMS 0.9.02.
Details: http://blog.bkis.com/?p=800
SVRT Advisory: Bkis-12-2009
Initial vendor notification: 11/25/09
1. General Information
BigAce is a free content management system (CMS) written in PHP, available at http://www.bigace.de. In April 2010, Bkis Security discovered an XSS and a CSRF vulnerability in BigAce 2.7.1. Taking advantage of these vulnerabilities, a hacker is able to insert pieces of code into the path's link to execute in users' browsers, leading to the loss of cookies and sessions. A hacker can also trick users into manipulating some of the system's functions without the users' awareness.
Bkis has informed the software developer team, and they have patched the vulnerability in the latest software version - BigAce 2.7.2.
Details: http://security.bkis.com/multiple-vulnerabilities-in-bigace-5/
SVRT Advisory: Bkis-01-2010
Initial vendor notification: 04/26/2010
Release Date: 05/22/2010
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
======================================================================
3) Vendor's Description of Software
"Whether you are creating content for delivery on cell phones,
broadcast or the Internet, or a software developer looking to take
your application to the next level, QuickTime provides the most
comprehensive platform in the industry."
Product Link:
http://www.apple.com/quicktime/
who is going to fix your system when things go wrong?
Regards
Ansgar Wiechers
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
======================================================================
remctl memory-new ood query pending libpam-krb5 --verbose
- Tim Skirvin (tskirvin@stanford.edu)
--
Information Technology Services http://www.stanford.edu/~tskirvin/
System Software Developer, Unix Team Stanford University
> password during install? Why not a default one (and then tell people
> to change it in the manual)?
>
>
> Keep in mind I'm not viewing this from a pure security perspective;
> I'm foremost a software developer, not a security specialist, and I see
> it good practice to build on solid practices.
>
> As to the watch analogy, I'm not sure I get it.
>
>