Next Page >>
testing
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
1. attacker must be logged in as valid user
Test:
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
Result: "MYSQL Error has occurred!"
0033:00000000`7701d12c e8dfdc0400 call ntdll!RtlpNotOwnerCriticalSection (00000000`7706ae10)
0033:00000000`7701d131 90 nop
0033:00000000`7701d132 e9c457feff jmp ntdll!RtlpFreeHeap+0x1ea2 (00000000`770028fb)
0033:00000000`7701d137 65488b042530000000 mov rax,qword ptr gs:[30h]
0033:00000000`7701d140 488b4860 mov rcx,qword ptr [rax+60h]
0033:00000000`7701d144 f6817803000001 test byte ptr [rcx+378h],1
0033:00000000`7701d14b 0f846f56feff je ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d151 807c245000 cmp byte ptr [rsp+50h],0
0033:00000000`7701d156 0f856456feff jne ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d15c 448b842498000000 mov r8d,dword ptr [rsp+98h]
0033:00000000`7701d164 498bd5 mov rdx,r13
addr = net_addr(at);
if( addrcmp( (void *) addr, (void *) &unspec_addr, af ) != 0 ) {
name = dns_lookup(addr); [1]
if(name != NULL) {
/* May be we should test name's length */ [!!]
sprintf(newLine, "%s %d %d %d %d %d %d", name, [2]
net_loss(at),
net_returned(at), net_xmit(at),
net_best(at) /1000, net_avg(at)/1000,
net_worst(at)/1000);
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
Please understand that I will not enter that discussion any longer.
Please note that :
V3D> is not malware/intrusion or malware in the form unused in-the-wild
V3D> is not vulnerability.
Is false. It is recognised malware, else the test woulnd't make sense -
obviously.
Regards,
Thierry
1. Summary
Product : Vim -- Vi IMproved
Version : Tested with 7.1.314 and 6.4
Impact : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html
Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.
Find below the details of a vulnerability in the HP Quality Center product (formely Mercury Quality Center).
Introduction
------------------
Quality Center (QC) is a web-based QA testing and management tool. It is a product from HP when they took over Mercury Interactive last year.
The front-end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allow the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front-end.
In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders are created within the cache folder. One of these folders contain a copy of the workflow scripts used to customize the application. Indeed, those files are required on the client machine because the workflow is execute on the client, not on the server.
TZ> - Thierry, You cannot evade proventia, because we use special propretary
TZ> ingredients!
>> What are these ingredients?
TZ> - We won't tell !! and by the way you suck! your test methods suck! You aren't even
TZ> EAL2 ! A test team costs too much to tests your POCs! Your mails suck! Learn from
TZ> the big mighty IBM.
>> Sorry, the same poc evaded proventia last year! So you mus miss something!!
- Thierry, You cannot evade proventia, because we use special propretary
ingredients!
> What are these ingredients?
- We won't tell !! and by the way you suck! your test methods suck! You aren't even
EAL2 ! A test team costs too much to tests your POCs! Your mails suck! Learn from
the big mighty IBM.
> Sorry, the same poc evaded proventia last year! So you mus miss something!!
1. Summary
Product : Vim -- Vi IMproved
Version : >= 7.2a.013; tested with 7.2b
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Improper implementation of the shellescape() function and lack of
Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the Icewarp
eMail Server.
> allows it to be evaded.
>
> URLs are normalised and unescaped prior to validation using
> MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
> escape sequences into their original characters, the relevant code from
> helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
>
> .text:0106684C Unescape:
> .text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
> .text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
> .text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
allows it to be evaded.
URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters, the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
8.1. *Windows*
/-----------
.text:1000D64D test esi, esi
.text:1000D64F mov eax, esi
.text:1000D651 jnz short loc_1000D658
.text:1000D653
.text:1000D653 loc_1000D653: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Date 20090725
I) Introduction
II) PHP arbitrary Local File Inclusion testing
III) PHP arbitrary Local File Inclusion results
IV) PHP arbitrary File Open testing
V) PHP arbitrary File Open results
VI) PHP arbitrary Remote File Upload testing
VII) PHP arbitrary Remote File Upload results
allows it to be evaded.
URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters, the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
As we can see, previously constructed file path is used as argument for
php function "require_once()". Sanitization against "../" works well in
most cases, but in case of underlying Windows operating system attacker
can use backslashes and bypass such filtering with use of "..\".
Test (on Windows platform):
http://localhost/opencart1521/index.php?route=..\..\admin\index
Result:
//----- Proof Of Concept
When the user post the following bbcode :
[color=#000000;xss:expression(alert(document.cookie));]Sysdream Testing XSS[/color]
or
[size=20px;xss:expression(alert(document.cookie));]Sysdream Testing XSS[/size]
The application convert it into the follow HTML code :
The following code is a proof of concept of this flaw:
/-----------
http://<server>/uwc/base/UWCMain?anon=true&calid=test@test.com&caltype=temporaryCalids&date=20081223T143836Z&category=All&viewctx=day&temporaryCalendars=test@test.com%27;alert(%27hello%27);a=%27
- -----------/
9. *Report Timeline*
Core Security Technologies - CoreLabs
Advisory
http://www.coresecurity.com/corelabs/
Multiple XSS and Injection Vulnerabilities in TestLink Test Management
and Execution System
1. *Advisory Information*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey Andres,
That seems to be really cool stuff! We need more of these test suites
for both SCAs/WebApps Scanners (every body uses WebGoat, even vendors,
so it's not fun and doesn't mean anything anymore).
Hope many will contribute to this project!
------------------
Information
------------------
Name: SQL Injection Vulnerabilities in TestLink
Software tested: TL v1.8.5b & checked in v1.9.3 (prior version may be
affected)
Vendor Homepage: http://www.teamst.org
Vendor Notification: 27 January 2012
Vendor Patch: 4 February 2012
Public Disclosure: 20 February 2012
. XnView 1.97.5
6. *Vendor Information, Solutions and Workarounds*
Update to the latest version of XnView, available on the website
[http://www.xnview.com/]
7. *Credits*
The Windows operating system supports a range of file permissions
for files stored on volumes formatted in the NTFS file system format.
For executing EXE files, the acting user account only needs the
"Execute File" permission, while all others might be missing or denied,
allthough there are cases when this is not true. The exact rule is unknown
to the author. In the system used to test and verify the vulnerability
the Execute File was enough to run programs. On another system running
Windows 7 that was not true. Start of EXE files succeeded only if other
permissions were enabled, including the Read Data permission. On another
older system (XP or Windows 2003) the "Read Attributes" permission was
required for program execution.
. Foxit Reader 3.0 build 1506
6. *Vendor Information, Solutions and Workarounds*
The latest version 3.0 build 1506 of Foxit Reader has been released.
Please download the latest version from
http://www.foxitsoftware.com/downloads/ and visit the Foxit security
page for details at http://www.foxitsoftware.com/pdf/reader/security.htm.
>
> The New ISO Hacking Standard
>
> New York, May 17, 2010 -- The world’s national standards bodies met
> again during April, this time in Malaka, Malaysia and they extended
> talks about the Open Source Security Testing Methodology Manual. This
> ultimate security guide, better known to security experts and hackers
> alike as the OSSTMM (spoken like “awesome” but with a “t”), is a formal
> methodology for breaking any security and attacking anything the most
> thorough way possible. So why is the International Standards
> Organization talking about it?
The New ISO Hacking Standard
New York, May 17, 2010 -- The world’s national standards bodies met
again during April, this time in Malaka, Malaysia and they extended
talks about the Open Source Security Testing Methodology Manual. This
ultimate security guide, better known to security experts and hackers
alike as the OSSTMM (spoken like “awesome” but with a “t”), is a
formal methodology for breaking any security and attacking anything
the most thorough way possible. So why is the International Standards
Organization talking about it?
most web browsers today, or if the end user agrees to activate an
ActiveX or Java Applet from the webpage hosting the exploit.
Workarounds to avoid this vulnerability include:
a. Using the default security settings or higher on the latest version
of your chosen web browser. In line with general security best practice
we would also encourage end users not to download ActiveX or Java
Applets unless confident about their content.
b. Turning off the Runtime Behavioural Analysis functionality within
* 24/09/2009: Vulnerability discovery and analysis;
* 26/09/2009: The vendor was notificated via e-mail;
* 26/09/2009: Vendor response and a new release publicly available;
* 27/09/2009: The researcher starts coding the exploit;
* 29/09/2009: Exploit complete and tested.
Workaroud
---------
Update to the newer version 0.812.2
Next Page>>
|
