The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities
Published: 2010-02-08 Version: 1.1
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
Cc: Thomas Roethlisberger
Subject: RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001
Hi all,
There is an ongoing conversation about a potential XSS with ViewState of
the .NET framework. However, some were not able to reproduce the issue
and therefore we decided to prepare a short and high resolution movie.
http://www.hacking-lab.com/download/
Regards
Ivan
-----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0004
Synopsis: VMware View privilege escalation and cross-site scripting
Issue date: 2012-03-15
Updated on: 2012-03-15 (initial advisory)
CVE numbers: CVE-2012-1508, CVE-2012-1509, CVE-2012-1510, CVE-2012-1511
-----------------------------------------------------------------------
Summary
=======
The server side of the Secure Copy (SCP) implementation in Cisco IOS
software contains a vulnerability that could allow authenticated
users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0008
Synopsis: VMware View 3.1.3 addresses an important
cross-site scripting vulnerability
Issue date: 2010-05-05
Updated on: 2010-05-05 (initial release of advisory)
CVE numbers: CVE-2010-1143
- ------------------------------------------------------------------------
Any input from a user is susceptible to tampering. The advisory is specifically about vulnerabilities in how frameworks handle view states. While the frameworks provide functions to secure the view states, the specific vulnerabilities are not documented by the vendors.
Apache's documentation states that the encryption is only needed when t:SaveState tag is used. Sun provides no specific recommendations on encrypting the view state. Microsoft recommends securing the view state, but doesn't provide concise information about what will happen if you don't.
The purpose of our advisory was to show that unsecured view states will always be vulnerable to real-world attacks. This changes view state security from a best-practice to a demonstrable vulnerability for all applications developed on the three frameworks described.
Regarding your specific questions:
1) Yes, we did find specific vulnerabilities in all three products listed. The Microsoft vulnerability is demonstrated in the advisory. The Apache MyFaces vulnerability is described in the advisory, but a specific attack is beyond the scope of the advisory. Trustwave has released Deface (https://www.trustwave.com/spiderLabs-tools.php) to demonstrate an actual attack. The Sun Mojarra vulnerability is essentially the same as the one in Apache MyFaces, but is not supported by Deface. If you are familiar with Java, Deface can be modified for use with Mojarra.
I respectfully defend our statement as very realistic. The .Net exploit provided in the advisory is all that is required to work; no code-behind is required because the vulnerability related to "innerhtml" lies in the .Net code.
The specific flaw is actually in the System.Web.UI.HtmlControls.HtmlContainerControl class, which is the superclass of the HtmlForm control (among others). The bug is easy to spot in the LoadViewState method, as revealed in .Net Reflector:
protected override void LoadViewState(object savedState)
{
if (savedState != null)
{
base.LoadViewState(savedState);
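The disagreement in the two messages above comes down to one question: is a client-side state blob input the server must verify, or data it may trust? The following is an added example and is not code from the thread, from ASP.NET or from either JSF implementation. It models the round-trip in Python with a hypothetical JSON blob (the real frameworks use their own serializers) and shows the unsigned variant accepting an attacker-modified "innerhtml" field while the HMAC-SHA256 variant rejects the same edit. The secret key and the state contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret. In a real framework this is the
# machineKey-style secret that the client never sees.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class TamperedState(Exception):
    """Raised when a signed blob fails MAC verification."""


def save_state_unsigned(state):
    """Unprotected variant: base64(JSON). Anyone holding the blob can rewrite it."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def load_state_unsigned(blob):
    """The server deserializes whatever comes back: this is the flaw the advisory describes."""
    return json.loads(base64.b64decode(blob))


def save_state_signed(state, key=SECRET_KEY):
    """Protected variant: base64(payload || HMAC-SHA256(key, payload))."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def load_state_signed(blob, key=SECRET_KEY):
    """Verify the MAC before deserializing; any mismatch is a hard error."""
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        raise TamperedState("blob too short to carry a MAC")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise TamperedState("MAC mismatch")
    return json.loads(payload)


def tamper(blob, field, value, signed):
    """Attacker-side helper: decode, change one field, re-encode. No key needed.
    For the signed format the old (now invalid) MAC is simply carried along."""
    raw = base64.b64decode(blob)
    payload, mac = (raw[:-MAC_LEN], raw[-MAC_LEN:]) if signed else (raw, b"")
    state = json.loads(payload)
    state[field] = value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + mac).decode()


def demo():
    """Run the same edit against both formats; return what the server ends up using."""
    original = {"innerhtml": "<p>Hello</p>", "page": 1}   # constructed state
    injected = "<script>alert(1)</script>"
    results = {}
    forged = tamper(save_state_unsigned(original), "innerhtml", injected, signed=False)
    results["unsigned"] = load_state_unsigned(forged)["innerhtml"]
    forged = tamper(save_state_signed(original), "innerhtml", injected, signed=True)
    try:
        load_state_signed(forged)
        results["signed"] = "accepted"
    except TamperedState:
        results["signed"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

A MAC gives integrity, not confidentiality: if the state carries anything the client must not read, it also needs encryption, which is the separate setting the advisory mentions for the JSF frameworks. In ASP.NET the equivalent of the signed variant is the EnableViewStateMac setting together with a configured machineKey.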
Summary
=======
Unified Contact Center and Intelligent Contact Management products
contain a vulnerability that may result in unauthorized access to the
web-based reporting and script monitoring tool (Web View) and the
web-based configuration tool (Web Admin).
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20071017-IPCC.shtml.
Lotus Notes is the integrated email, calendar, instant messenger, browser
and business collaboration application developed by IBM to work as a
desktop client in conjunction with IBM’s Lotus Domino server application.
The email functionality of Lotus Notes supports previewing and processing
file attachments in various formats. To preview and process files in the
Lotus Worksheet File format (WKS) used by Lotus 1-2-3 the email client
uses a library from a third-party software vendor (Autonomy’s Verity
KeyView SDK). Several buffer overflow vulnerabilities were found in the
third-party library used by Lotus Notes to process Lotus 1-2-3 file
An HTTP GET request against the following URL will, on a web browser
with JavaScript support, cause a dialog box saying '1' to be displayed:
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view
graphs. This is the case if the victim has previously authenticated
against Cacti, or if both the guest user has been activated (default:
disabled) and the graph view permission has been set to 'guest' (default:
'No User').
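The payload works by closing the single-quoted attribute that graph_end lands in, appending a <script> element, and opening a dummy tag so the template's own closing quote is absorbed. The following is an added example, not Cacti's code (the advisory does not show the affected template, so the one here is hypothetical): it decodes the parameter as the server would, renders it into the attribute unescaped and escaped, and tokenizes both renderings to show which one grows a script element.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed input: the URL quoted in the advisory (CACTIHOST is its placeholder).
ADVISORY_URL = ("http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end="
                "1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27")


def graph_end_from(url):
    """Decode the graph_end query parameter the way the server-side $_GET would."""
    return parse_qs(urlsplit(url).query)["graph_end"][0]


def render_vulnerable(graph_end):
    """Hypothetical template: the raw value is dropped into a single-quoted attribute."""
    return "<input type='hidden' name='graph_end' value='%s'>" % graph_end


def render_fixed(graph_end):
    """Same template with attribute-context escaping; quote=True also encodes ' and \"."""
    return "<input type='hidden' name='graph_end' value='%s'>" % html.escape(graph_end, quote=True)


class StartTagCollector(HTMLParser):
    """Records the start tags a browser-like tokenizer sees in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Return the list of start-tag names found in markup, in document order."""
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    value = graph_end_from(ADVISORY_URL)
    print("decoded graph_end:", value)
    print("vulnerable tags:", start_tags(render_vulnerable(value)))
    print("fixed tags:     ", start_tags(render_fixed(value)))
```

Escaping is context-specific: html.escape is right for an attribute or element body, but a value that ends up inside a JavaScript block or a URL needs the encoding for that context instead.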
Summary
=======
Cisco Small Business Video Surveillance Cameras and Cisco RVS4000 4-port
Gigabit Security Routers contain a vulnerability that could allow an
authenticated user to view passwords for other users, regardless of the
authenticated user's level of authorization.
An unprivileged user could take advantage of this vulnerability to
gain full administrative access on the device or view another user's
credentials.
Attackers with an administrator account, possibly gained by using the
exploits described above, can exploit local file inclusion and command
execution vulnerabilities to execute arbitrary commands. Journalist- and
Editor-level accounts can edit any article. Administrator- and Editor-level
accounts can also exploit a partial file disclosure vulnerability
to view all usernames.
Cute News suffers from other security failures, such as:
* User registration: in register.php the password input field should be
shown as stars to prevent shoulder surfing. This is fixed in UTF-8b.
Administrators may verify the configuration of affected devices by
using one of the following methods:
For devices that are running TC4.0 or 4.1 software, administrators may
view the serial number of an affected device by logging in to the
command line of an affected device with the admin account and issuing
the xstatus systemunit hardware command.
View Serial Number:
+------------------
Affected: 2008.0
_______________________________________________________________________
Problem Description:
MySQL 5.0.x did not update the DEFINER value of a view when the view
is altered, which allows remote authenticated users to gain privileges
via a sequence of statements including a CREATE SQL SECURITY DEFINER
VIEW statement and an ALTER VIEW statement (CVE-2007-6303).
The federated engine in MySQL 5.0.x, when performing a certain SHOW
Two serious functionality issues after installing this service pack. See the following thread for details...
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2173615&SiteID=1
in brief
i) Pages with customized data view web parts, or data view web parts linked to lists on other sites, are not accessible. The error message is either "access denied" or "Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator."
ii) No user can use the Edit in Datasheet view feature on lists (possibly OK for admins). When the 'Edit in Datasheet View' button is clicked, the Datasheet control appears to load; however, the page is redirected back to the default view in every case.
Issues currently unconfirmed by Microsoft.
+ else if (op.length == 0)
return svn_error_createf
(SVN_ERR_SVNDIFF_INVALID_OPS, NULL,
- _("Invalid diff stream: insn %d has non-positive length"), n);
+ _("Invalid diff stream: insn %d has length zero"), n);
else if (op.length > tview_len - tpos)
return svn_error_createf
(SVN_ERR_SVNDIFF_INVALID_OPS, NULL,
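Review bot: the added `else if (op.length == 0)` branch and the message reworded from "non-positive length" to "has length zero" only make sense if `op.length` is unsigned, and the line that carried the previous condition is not in the visible hunk; please confirm this replaces the old test rather than sitting beside it, so that a negative value (if the type allows one) does not slip past both checks. The unchanged `else if (op.length > tview_len - tpos)` that follows also relies on `tpos <= tview_len` having been established earlier: if `tpos` can exceed `tview_len`, the unsigned subtraction wraps and the bound check passes for any length, so an explicit `tpos > tview_len` test or assertion just before it would make that invariant visible.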
@@ -499,7 +525,8 @@ count_and_verify_instructions(int *ninst,
switch (op.action_code)
{
LogAnalyzer version 3.4.2, and probably earlier versions, suffers from multiple vulnerabilities:
- SQL Injection
1) The script admin/views.php contains a SQL injection vulnerability when used to create a new view. It can be exploited by a non-admin user (with write access) to insert arbitrary data into the logcon_views table.
The vulnerability exists because the script fails to sanitize the POST variable "Columns" before using it to build a SQL query.
This PoC creates an arbitrary record in the logcon_views table.
attribute "context_vmdirect" to store various settings,
including the URL to the XML web service backend. By default,
the URL is http://localhost/sdk, but the web service URL can be
manually set from a client browser in several locations. One
location is /ui/vmDirect.do, by passing a base64-encoded value
in the "view" parameter as shown below:
/ui/vmDirect.do?view=d3NVcmw9aHR0cDovL2xvY2FsaG9zdC9zZGsmdm1JZD1WaXJ0dWFsTWFjaGluZXwxMjgmdWk9OQ==_
Decoded, the view value is:
- Vulnerability:
####################
+--> Blind SQL Injection
The archive page is vulnerable to SQL injection. The GET variable,
namely 'view', is not sanitized correctly in the SQL query. This hole
can be used for extracting the admin password. For details see the
'Exploits' section.
####################
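The LogAnalyzer "Columns" INSERT above and this archive-page 'view' SELECT are the same defect in two shapes: request data spliced into SQL text. The following is an added example and is not code from either product; it rebuilds both paths on a constructed in-memory SQLite schema (table and column names are assumptions), shows a "Columns" value that turns one INSERT row into two, runs the boolean blind extraction of the admin password through 'view' that this advisory describes, and gives the parameterized versions that close both.

```python
import sqlite3


def make_db():
    """Constructed schema standing in for the two applications' tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users(name, password) VALUES ('admin', 's3cret');
        CREATE TABLE archive(id INTEGER PRIMARY KEY, view TEXT, title TEXT);
        INSERT INTO archive(view, title) VALUES ('2010-02', 'February archive');
        CREATE TABLE logcon_views(id INTEGER PRIMARY KEY, name TEXT, columns TEXT);
    """)
    return con


# --- vulnerable paths: request data becomes part of the SQL text ---

def archive_vulnerable(con, view):
    """Archive page analogue: the 'view' GET parameter is concatenated into WHERE."""
    sql = "SELECT title FROM archive WHERE view = '" + view + "'"
    return [row[0] for row in con.execute(sql)]


def create_view_vulnerable(con, name, columns):
    """views.php analogue: the 'Columns' POST field is formatted into the INSERT."""
    sql = "INSERT INTO logcon_views(name, columns) VALUES ('%s', '%s')" % (name, columns)
    con.execute(sql)


# --- fixed paths: bound parameters, the value can never become SQL syntax ---

def archive_fixed(con, view):
    return [row[0] for row in con.execute("SELECT title FROM archive WHERE view = ?", (view,))]


def create_view_fixed(con, name, columns):
    con.execute("INSERT INTO logcon_views(name, columns) VALUES (?, ?)", (name, columns))


# --- attacker side ---

# Closes the current value tuple and appends a second row of the attacker's choosing.
COLUMNS_PAYLOAD = "a'), ('injected', 'b"


def blind_extract_password(oracle, max_len=32):
    """Boolean-based blind extraction through the 'view' parameter: one probe per
    (position, character); the page returns a row only when the guess is right."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = ("2010-02' AND substr((SELECT password FROM users WHERE name='admin'),"
                     "%d,1)='%s" % (pos, ch))
            if oracle(probe):
                recovered += ch
                break
        else:
            break  # no candidate matched: we are past the end of the string
    return recovered


def row_count(con, table):
    return con.execute("SELECT count(*) FROM %s" % table).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print("via vulnerable page:", blind_extract_password(lambda v: bool(archive_vulnerable(con, v))))
    print("via fixed page:     ", repr(blind_extract_password(lambda v: bool(archive_fixed(con, v)))))
    create_view_vulnerable(con, "mine", COLUMNS_PAYLOAD)
    print("rows after vulnerable insert:", row_count(con, "logcon_views"))
```

The fixed archive query returns nothing for every probe, so the extraction loop stops at the first position with an empty result; the fixed INSERT stores the payload string literally as a single row. Restricting the charset keeps the example short; a real extraction would walk the full byte range or use a binary search on the character value.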
The SNMP community names can be removed; however, the hard-coded
community names are reapplied to the running configuration when the
device reloads. Cisco has provided a workaround that ensures the
community names are removed when the device reloads.
Note: Configuring an access list or a restricted mib view:
snmp-server community public RO 99
snmp-server community private RW 99
snmp-server community public view <mib> RO 99
snmp-server community private view <mib> RO 99
=======
The Management Center for Cisco Security Agents is affected by a
directory traversal vulnerability and a SQL injection vulnerability.
Successful exploitation of the directory traversal vulnerability may
allow an authenticated attacker to view and download arbitrary files
from the server hosting the Management Center. Successful
exploitation of the SQL injection vulnerability may allow an
authenticated attacker to execute SQL statements that can cause
instability of the product or changes in the configuration.
Mac OS X v10.3 and higher. Safari for the Microsoft Windows platform first
released on 11 June 2007 and currently supports both Windows XP and Windows
Vista. The current stable release of the browser is 4.0.3 for Mac OS X and
Windows. (Source - Wikipedia).
Safari 4 introduced the Top Sites feature to provide an at-a-glance view of
a user's favorite websites. It is the most hyped feature of Safari 4 and
widely used by users to quickly jump to their frequently used sites which
can include their banks, email accounts, shopping sites, etc.
IV. DESCRIPTION
vulnerability that could result in a reboot on systems that receive a
crafted packet.
Cisco Video Surveillance 2500 Series IP Cameras contain an
information disclosure vulnerability that could allow an
authenticated user to view any file on a vulnerable camera.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.
Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View
During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to Cross Site Scripting attacks in its email view.
This enables attackers to send emails with embedded JavaScript code,
for example, to steal users' session IDs.
Details
=======
IBM BladeCenter LS21 (7971)
IBM BladeCenter LS41 (7972)
IBM BladeCenter QS21 (0792)
IBM BladeCenter QS22 (0793)
Overview:
Quotes from
http://www-03.ibm.com/systems/bladecenter/hardware/chassis/bladeh/index.html
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.
IronPort Encryption Appliance Administration Interface Vulnerabilities
I work and live in Estonia, and I was a witness to all happening here,
especially on the cyber-sphere starting the first day.
Let's skip the details on the political context of your story, which from my
point of view is far from being neutral, and pass-on to technical part of
it.
First of all, neither I, nor (well as far as I know) anybody here have seen
any evidence that attacks have originated from Russia. I certainly have no
doubt that there may have been addresses located in Russian IP-pools