
[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09

Reasons:
  1. the unsanitized user-submitted parameter "origmsg" is used in an SQL query
Preconditions:
  1. attacker must be logged in as valid user

Test:

http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes

Result: "MYSQL Error has occurred!"


Mtr - remote and local stack overflow - uncomment situation in libresolv.

    addr = net_addr(at);

    if( addrcmp( (void *) addr, (void *) &unspec_addr, af ) != 0 ) {
      name = dns_lookup(addr);                            [1]
      if(name != NULL) {
        /* May be we should test name's length */         [!!]
        sprintf(newLine, "%s %d %d %d %d %d %d", name,    [2]
                net_loss(at),
                net_returned(at), net_xmit(at),
                net_best(at) /1000, net_avg(at)/1000,
                net_worst(at)/1000);

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".

A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,

Re[2]: Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

Please understand that I will not enter that discussion any longer.
Please note that:
V3D> is not malware/intrusion or malware in the form unused in-the-wild
V3D> is not vulnerability.

Is false. It is recognised malware, else the test wouldn't make sense -
obviously.


Regards,
Thierry

Re: Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

TZ> - Thierry, You cannot evade proventia, because we use special proprietary
TZ> ingredients!

>> What are these ingredients?

TZ> - We won't tell !! and by the way you suck! your test methods suck! You aren't even
TZ> EAL2 ! A test team costs too much to test your POCs! Your mails suck! Learn from
TZ> the big mighty IBM.

>> Sorry, the same poc evaded proventia last year! So you must miss something!!


Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

- Thierry, You cannot evade proventia, because we use special proprietary
ingredients!

> What are these ingredients?

- We won't tell !! and by the way you suck! your test methods suck! You aren't even
EAL2 ! A test team costs too much to test your POCs! Your mails suck! Learn from
the big mighty IBM.

> Sorry, the same poc evaded proventia last year! So you must miss something!!


Malformed DHCPv6 packets cause RPC to become unresponsive

0033:00000000`7701d12c e8dfdc0400      call    ntdll!RtlpNotOwnerCriticalSection (00000000`7706ae10)
0033:00000000`7701d131 90              nop
0033:00000000`7701d132 e9c457feff      jmp     ntdll!RtlpFreeHeap+0x1ea2 (00000000`770028fb)
0033:00000000`7701d137 65488b042530000000 mov   rax,qword ptr gs:[30h]
0033:00000000`7701d140 488b4860        mov     rcx,qword ptr [rax+60h]
0033:00000000`7701d144 f6817803000001  test    byte ptr [rcx+378h],1
0033:00000000`7701d14b 0f846f56feff    je      ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d151 807c245000      cmp     byte ptr [rsp+50h],0
0033:00000000`7701d156 0f856456feff    jne     ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d15c 448b842498000000 mov     r8d,dword ptr [rsp+98h]
0033:00000000`7701d164 498bd5          mov     rdx,r13

Vim: Improper Implementation of shellescape()/Arbitrary Code Execution

1. Summary

Product  : Vim -- Vi IMproved
Version  : >= 7.2a.013; tested with 7.2b
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
           http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Improper implementation of the shellescape() function and lack of

Collection of Vulnerabilities in Fully Patched Vim 7.1

1. Summary

Product  : Vim -- Vi IMproved
Version  : Tested with 7.1.314 and 6.4
Impact   : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html

Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.

PHP filesystem attack vectors - Take Two

                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
 Date              20090725

I)    Introduction
II)   PHP arbitrary Local File Inclusion testing
III)  PHP arbitrary Local File Inclusion results
IV)   PHP arbitrary File Open testing
V)    PHP arbitrary File Open results
VI)   PHP arbitrary Remote File Upload testing
VII)  PHP arbitrary Remote File Upload results

glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit

        }
    }

    function syntax() {
        global $argv; // $argv is only visible inside a function when declared global
        print ("Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS]\n".
        "Options:\n".
        "--port:[port]       - specify a port\n".
        "                      default->80\n".
        "--prefix            - try to extract table prefix from information.schema\n".
        "                      default->gl_\n".
        "--uid:[n]           - specify an uid other than default (2,usually admin)\n".
        "--proxy:[host:port] - use proxy\n".
        "--verbose           - show more information\n".
        "--skiptest          - skip preliminary tests\n".
        "--test              - run only tests\n".
        "Examples:   php ".$argv[0]." 192.168.0.1 /glfusion/ bookoo pass\n".
        "            php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --proxy:1.1.1.1:8080\n".
        "            php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --uid:3");
        die();
    }

    error_reporting(E_ALL ^ E_NOTICE);

HP Quality Center vulnerability

Find below the details of a vulnerability in the HP Quality Center product (formerly Mercury Quality Center).

Introduction
------------------

Quality Center (QC) is a web-based QA testing and management tool. It became an HP product when HP took over Mercury Interactive last year.

The front-end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allows the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front-end.

In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders are created within the cache folder. One of these folders contains a copy of the workflow scripts used to customize the application. Those files are required on the client machine because the workflow is executed on the client, not on the server.


[RT-SA-2009-003] IceWarp WebMail Server: SQL Injection in Groupware Component

Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component

During a penetration test RedTeam Pentesting discovered multiple
SQL injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that is accessible to the IceWarp
eMail Server.



ZoneAlarm Security Circumvention

Hi,


During my (in)security research, I've discovered what appears initially to be
a design oversight and not necessarily a vulnerability, affecting ZoneAlarm
and various other security vendors. I've tested this on various XP platforms
successfully; please feel free to notify the vendor as you wish and/or to
publish whatever you feel appropriate under the circumstances.


NOTE:

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

allows it to be evaded.

URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters. The relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.

.text:0106684C Unescape:
.text:0106684C        cmp     di, '%'              ; di contains the current wchar in the input URL.
.text:01066850        jnz     short LiteralChar    ; if this is not a '%', it must be a literal character.
.text:01066852        push    esi                  ; esi contains a pointer to the current position in URL to unescape.

CORE-2009-0401 - StoneTrip S3DPlayers remote command injection

8.1. *Windows*

/-----------

.text:1000D64D    test    esi, esi
.text:1000D64F    mov     eax, esi
.text:1000D651    jnz     short loc_1000D658
.text:1000D653
.text:1000D653 loc_1000D653:                ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String

CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability

*Vulnerable Packages*

. Systems using WonderWare SuiteLink prior to version 2.0 Patch 01.
. The vulnerability was discovered and tested on a system running
WonderWare InTouch 8.0.


*Non-vulnerable Packages*


Re: DoS vulnerability in Google Chrome

Hello MaXe!

> However, I just tested the vulnerability in chrome and the incidents were
> different.

As I said, on my system it's solely a Chrome DoS vulnerability. On my system
with Firefox 3.0.13 (and previous versions, when I tested them before) there
is no such issue, where Firefox was DoSed via Chrome, i.e. Cross-Application
DoS. Taking into account that you have this issue with Firefox 3.5.2, then
it can be a problem with FF 3.5.x versions, which have tight integration with

CORE-2010-0514: XnView MBM Processing Heap Overflow

   . XnView 1.97.5


6. *Vendor Information, Solutions and Workarounds*

Update to the latest version of XnView, available on the website
[http://www.xnview.com/]


7. *Credits*


Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

   . Foxit Reader 3.0 build 1506


6. *Vendor Information, Solutions and Workarounds*

The latest version 3.0 build 1506 of Foxit Reader has been released.
Please download the latest version from
http://www.foxitsoftware.com/downloads/ and visit the Foxit security
page for details at http://www.foxitsoftware.com/pdf/reader/security.htm.



Phorum : Permanent Cross-Site Scripting Vulnerabilities

//----- Proof Of Concept


When the user posts the following bbcode:

[color=#000000;xss:expression(alert(document.cookie));]Sysdream Testing XSS[/color]
or
[size=20px;xss:expression(alert(document.cookie));]Sysdream Testing XSS[/size]

The application converts it into the following HTML code:


CORE-2009-0109 - Multiple XSS in Sun Communications Express

The following code is a proof of concept of this flaw:

/-----------

http://<server>/uwc/base/UWCMain?anon=true&calid=test@test.com&caltype=temporaryCalids&date=20081223T143836Z&category=All&viewctx=day&temporaryCalendars=test@test.com%27;alert(%27hello%27);a=%27
- -----------/


9. *Report Timeline*


Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

    Note that it is passed base64_encode()'d !
        
    Now you have access to some dangerous functions:

    service_submit_staticpages()
    service_delete_staticpages()
    service_get_staticpages()
    service_getTopicList_staticpages()

    in /plugins/staticpages/services.inc.php


Windows SMB NTLM Authentication Weak Nonce Vulnerability

to a Windows system with the 'Flags2' field set to 0xc001 (disabling
security signatures, extended attributes and extended security
negotiation) recording the 8-byte challenges obtained from the server
and waiting for duplicates.

The following Ruby script can be used to test for the presence of this
vulnerability:

<test2_ochoa_2010-0209.rb>



CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls

most web browsers today, or if the end user agrees to activate an
ActiveX or Java Applet from the webpage hosting the exploit.

Workarounds to avoid this vulnerability include:

a. Using the default security settings or higher on the latest version
of your chosen web browser. In line with general security best practice
we would also encourage end users not to download ActiveX or Java
Applets unless confident about their content.

b. Turning off the Runtime Behavioural Analysis functionality within

PHP filesystem attack vectors

a directory. Why? Because barbarianbob, everybody who ran it successfully,
and I in my initial disclosure [4] were using a patched PHP (for example
Suhosin, either loaded as a .so or built in; Ubuntu's PHP, which is patched
with Suhosin; etc.).

This is thanks to deep and extensive testing and observation plus some
code navigation and gdb magery with the help of evilaliv3 and Wisec.

To overcome this limitation we came up with the universal path
normalization vector for PHP, which is not a single "/" but "/.". This
is a case where a single character really changes things.

RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit

    ...
     
    The 'forum' variable is taken from the $_POST[] array and inserted into an SQL query without
    prior sanitization and without being surrounded by quotes.
     
    You can then manipulate this query further in /modules/forum/class/class.permissions.php by passing
    another 'UNION SELECT' as the first argument of the 'UNION SELECT' passed to post.php
    (a little bit complex, huh? $forum_id is user controlled ...)
     
    100-102:
    ...
