
validation

Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts

Content-Type header and the "magic" signature at the beginning contradict, or
when the Content-Type header is unknown. In that case, IE will try to establish
the content type and can be tricked into assuming text/html by placing certain
HTML tags within the first 255 bytes of the file. Note that such files can be
valid image files despite their HTML payload.
A frequent example of an unknown content-type is "image/bmp", which is created by
PHP's (< 5.3.0) getimagesize API function[4].
This is - the obvious XSS issue aside - used for phishing attacks[3].

[o0o] Bypassing servlet input validation filters (OWASP Stinger + Struts example)

Bypassing servlet input validation filters (OWASP Stinger + Struts example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


0. ORIGINAL ADVISORY
~~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/o0o_bypassing_servlet_input_validation_filters.txt


I. BACKGROUND

CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls


      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

  Insufficient argument validation of hooked SSDT functions
          on multiple Antivirus and Firewalls


*Advisory Information*


PHP filesystem attack vectors - Take Two

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

C:\PHPFS_MAD2> php alfi_fuzzer.php
! Valid chars are: \x20 ( ), \x22 ("), \x2E (.), \x3C (<), \x3E (>)
! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

Collection of Vulnerabilities in Fully Patched Vim 7.1

Comment out affected statements in ``filetype.vim''.

        -- autocommand triggered by filename matching pattern (i.e. having the
           right extension)
        -- possible to create valid syntax
        -- menu.lst won't work in usual locations


3.4.2.2. filetype.vim (the ``strong'' exploit)


Re: pam_captcha username harvest vulnerability

>>
>> A site with a screen shot:
>> http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha
>>
>> I found a security problem with the pam_captcha. If you enter a username
>> that is not a valid user followed by the correct CAPTCHA, you do not get
>> prompted for a password. You simply get prompted for another CAPTCHA.
>> However, if you enter a username that is a valid user followed by the
>> correct CAPTCHA, you will get prompted for a password. This means an
>> attacker, or a script/bot could easily harvest a list of valid usernames
>> simply by whether or not it prompts for a password after a valid captcha

[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
  1. attacker must be logged in as valid user

Test:

http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes


Hopeless comments regarding the pointless "HP System Management Homepage (SMH) Unspecified XSS"

HP System Management Homepage (SMH) is prone to an XSS vulnerability because it
fails to check the input parameter used to show a generic error message.

The vulnerability affects the "message.php" script. In detail, this page uses the 
JavaScript property "location.search" in order to create a contextual error message.
If the error ID provided in the URL does not match any valid code, a generic error 
is reported ("An unknown error (%INVALID_CODE%) occurred") instead. 

In the first versions of the HP System Management Homepage (probably <= 2.1.1) there
is a client-side only input validation:


VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

copy of these headers.  Examples include TRACE/TRACK requests being
honored by the back-end web servers or debugging components in web
applications which echo client headers.


Issue 2: Lack of HTTP Request Validation
----------------------------------------
Cisco Bug Id - CSCTA04885
Affects      - Cisco CSS & ACE

A second weakness that manifests itself on the CSS and ACE through

FreeWebshop.org: multiple vulnerabilities

$md5pass = $fws_cust[2];
}

If the fws_cust cookie has not been set, FWS will check if the fws_guest cookie
is set. If not, FWS creates a new session identifier that is stored
within a new fws_guest cookie. This cookie is valid for one hour. Its
value is stored within the parameter customerid. If the fws_guest cookie
is set, FWS will just store its value in customerid.

includes/readcookie.inc.php:


Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server

vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.

  * Cisco TelePresence Recording Server - CSCtf42005 ( registered
    customers only) has been assigned the CVE identifier
    CVE-2011-0383.


Cisco Security Advisory: Cisco IOS Secure Copy Authorization Bypass Vulnerability

Summary
=======

The server side of the Secure Copy (SCP) implementation in Cisco
Internetwork Operating System (IOS) contains a vulnerability that
allows any valid user, regardless of privilege level, to transfer files
to and from an IOS device that is configured to be a Secure Copy
server. This vulnerability could allow valid users to retrieve or write
to any file on the device's filesystem, including the device's saved
configuration. This configuration file may include passwords or other
sensitive information.

Vtiger CRM 5.0.4 Multiple Vulnerabilities

system is required.

The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.

This routine involves some security checks to handle uploaded files; it
does blacklist extension checking, and if a bad extension is detected the
txt extension is appended to the file name.


CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation

Vendors contacted: VMware Inc.
Release mode: User release

*Vulnerability Information*

Class: Input Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Client-side Exploitable: No
Bugtraq ID: 27944
CVE Name: CVE-2008-0923

[CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities

generated DNS queries with trivially guessable values in the transaction
ID field. The issue was addressed in MS10-024 by adding a call to the
'CAsyncDns::GenerateRandWord' method when building the DNS query.


3.2. *Missing validation of DNS responses*

[CVE-2010-1690 | 39910] Prior to MS10-024 the Windows SMTP Service did
not check that the value of the ID field of a DNS response received from
the network actually matched the value of the ID field of a
corresponding DNS query packet previously sent. The issue was addressed

User options changer (SQLi) EXPLOIT --Bigace CMS -stable release- 2.5-->

#
#-------
#NEED:
#-------
#
#**valid username
#
#**real captcha code/img
#
#**maybe PHPSESSID (with securimage captcha plugin)
#

Collisions in PDF signatures

format. A common use of this mechanism is for the creation of supposedly
non-repudiable signatures on legal documents, including scenarios where
digital signatures are mandated by law.

This advisory shows how a signed PDF document can be constructed in such a
way that its appearance can be changed without necessarily invalidating the
signature.

It is not entirely clear whether the files provided as a demonstration of
the vulnerability can actually be considered (syntactically valid) PDF
documents or not--I haven't found a cleaner way so far. Also, the

Cyberoam Unified Threat Management: OS Command Execution

Vulnerable functionality lies under SYSTEM --> Diagnostics --> Tools.

The Java Server page /corporate/Controller requires several parameters
to the server when a user attempts to perform these diagnostic
actions. The parameter 'host' is vulnerable to OS command injection.
Some client-side validation is performed to check that the IP address
provided is in valid format, however no such validation is performed
on server-side. Hence, a malicious user can easily bypass client-side
validation checks by using an in-line proxy tool and inject an OS
command.


[CORE-2009-1209] Google SketchUp 'lib3ds' 3DS Importer Memory Corruption

Google SketchUp is a 3D modeling program designed for architects, civil
engineers, filmmakers, game developers, and related professions. Google
SketchUp bundles an old version of 'lib3ds', a library used to process
3DS files. This library is being compiled in a way that leads to
improper validation of data when importing 3DS files; this condition can
be exploited by remote attackers to trigger a memory corruption
vulnerability by enticing an unsuspecting user to open a specially
crafted 3DS file, possibly leading to arbitrary code execution.



RE: SQL Smuggling

First let me start by saying I'm not writing to flame anyone (or whatever you kids say these days). I know it can be daunting to release a paper to the security community, because if any of it's incorrect you're gonna hear about it.

However, releasing a paper and claiming it to be a new class (or sub-class) of vulnerability, well I'm sorry, it's like wearing gold football boots: you better get it right after a statement like that.

If this paper was titled "Bypassing Broken Input Validation Filters" then there would be no problems. However, none of what exists in this document is new; in fact most of it is in the Web Application Hacker's Handbook or in much older papers. Constructing attacks of all kinds to bypass blacklist filters is a common duty of the web application tester; also take a look at all of the recent SQL injection worms.

The main thing wrong here is claiming it to be something new, or even claiming it to be a "sub-class". It's not!

It's several methods for encoding SQL queries or tricking multi-layered input validation/sanitisation routines, none of which are new, all of which are implemented by every pen/app tester I have ever worked with.


[RT-SA-2009-005] Papoo CMS: Authenticated Arbitrary Code Execution

The Papoo CMS allows authenticated users to upload GIF, JPG and PNG images
if they have the "upload images" privilege, which is true for all default
groups that can access the administrative interface. The CMS checks the
uploaded images only for their header, but not for the file extension. It
is therefore possible to upload images with the file extension ".php" and
a valid image header. By embedding PHP code into the image (e.g. by using
the GIF comments field), arbitrary code can be executed when requesting
the image.


Details

SEC Consult SA-20101021-0 :: Multiple critical vulnerabilities in Sawmill log analysis software

Sawmill suffers from multiple critical vulnerabilities which allow an
_unauthenticated_ attacker to gain administrative rights. Furthermore
it is possible to access (RW) the file system and execute arbitrary
commands on the operating system without authentication.

Attackers with valid accounts are able to reset the root password or
add/delete log profiles, view and manipulate admin settings etc.

It must be noted that further vulnerabilities are to be expected
within the software (such as buffer overflows, etc.). Due to lack of
time, no further vulnerabilities could be searched for.

VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

#  + Host domaintest.fr is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host domaintest.fr isn't a valid user
#  + Host xpliamaclient.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices

authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.

  * Cisco TelePresence endpoint - CSCtb31640 ( registered customers
    only) has been assigned the CVE identifier CVE-2011-0372

CGI Command Injection

Unauthorized reading confirmation from Outlook

I've just got an interesting idea about how a malicious e-mail sender
could try to get a reading confirmation unseen by the recipient,
including the IP address of the recipient. I was working on S/MIME
messages and I thought about the signature validation process, where
some of the steps could require external information (like a CRL) to
be accessed. The interesting part of it is that the location of this
information can be included in the message itself, as the PKCS#7
package can also include the certificate used to generate the
signature.


Cisco Security Advisory: Multiple Cisco IOS Session Initiation Protocol Denial of Service Vulnerabilities

(port 5060), TCP (port 5060), or TLS (TCP port 5061) as the
underlying transport protocol.

Multiple denial of service vulnerabilities exist in the SIP
implementation in Cisco IOS. In all cases vulnerabilities can be
triggered by processing valid SIP messages.

Memory Leak Vulnerability
+------------------------

CSCse56800 causes a memory leak in affected devices. The memory 

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch

restricted to administrative users only. The attacker would need the
ability to submit a crafted request to an affected device on TCP port
80, 443, or 8080.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.

  * CTMS - CSCtf42008 ( registered customers only) has been assigned
    the CVE identifier CVE-2011-0383.
  * CTMS - CSCtf01253 ( registered customers only) has been assigned
    the CVE identifier CVE-2011-0384.

NGS00014 Technical Advisory: Cisco IPSec VPN Implementation Group Name Enumeration

Published: 22 March 2011

===========
Description
===========
Due to the device(s) returning differing responses to IKE requests it is possible to enumerate valid group names from the VPN device(s).  With the correct group name the pre-shared key can then be captured and a brute-force attack carried out off-line.

=================
Technical Details
=================
This output shows an aggressive query against the device specifying an invalid group:

TWSL2012-002: Multiple Vulnerabilities in WordPress

Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete.  However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.

After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor.  In addition, with control

AST-2009-006: IAX2 Call Number Resource Exhaustion

   +------------------------------------------------------------------------+
   | Discussion | A lot of time was spent trying to come up with a way to   |
   |            | resolve this issue in a way that was completely backwards |
   |            | compatible. However, the final resolution ended up        |
   |            | requiring a modification to the IAX2 protocol. This       |
   |            | modification is referred to as call token validation.     |
   |            | Call token validation is used as a handshake before call  |
   |            | numbers are assigned to IAX2 connections.                 |
   |            |                                                           |
   |            | Call token validation by itself does not resolve the      |
   |            | issue. However, it does allow an IAX2 server to validate  |


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
