Next Page >>
web app
____________________________________________________________________________
Armorlogic Profense Web Application Firewall 2.4 multiple vulnerabilities.
____________________________________________________________________________
An advisory by EnableSecurity.
Trustwave published a joint advisory named TWSL2009-001
ID: ES-20090500
Severity : High
Local/Remote : Remote
[Vulnerability Details]
Modsecurity is an Open source Web Application firewall which runs as an Apache
module. It has a comprehensive set of rules called 'ModSecurity Core
Rules' for common web application
attacks like SQL Injection, Cross-Site Scripting etc.
It is possible to bypass the ModSecurity Core Rules due to the
Trustwave's SpiderLabs Security Advisory TWSL2011-006:
IBM Web Application Firewall Bypass
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-006.txt
Published: 2011-06-21
Version: 1.0
Vendor: IBM
Product: IBM Web Application Firewall
- From an unpacked release directory of jetty-7,
the server can be started with the command: java -jar start.jar
- This will start a HTTP server on port 8080 and
deploy the test web application at: http://localhost:8080/test
II. DESCRIPTION
Multiple Vulnerabilities exist in Jetty software.
compatible with the earlier 1.5.0 release.
Most notably, this release fixes the following security vulnerability.
Thanks to the Red Hat Security Response Team for reporting this issue.
* CVE-2009-0026: Cross site scripting issues in webapp (JCR-1925)
The search.jsp and swr.jsp pages in the Jackrabbit webapp are
vulnerable to script injection. This release fixes the issue
by properly escaping all user input.
Introduction
Internet security threats are migrating from pure network-level attacks
to web server and web application attacks. The web application itself
has become the new security perimeter, and is wide open to the new
generation of attacks. That's the reason why is very important for IT
security staff to have cutting- edge knowledge of web application
security vulnerability testing techniques and tools.
CSS10-01: Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability
April 5, 2010
BACKGROUND
==========
The Imperva SecureSphere Web Application Firewall protects web
applications and sensitive data against sophisticated attacks and
brute force attacks, stops online identity theft, and prevents data
leaks from applications. The Imperva SecureSphere Database Firewall
monitors and proactively protects databases from internal abuse,
Security Advisory
---------------------------------------
Vulnerable Software: Artofdefence Hyperguard Web Application Firewall
Vulnerable Version: 3 branches: prior to 3.1.1-11637; prior to
3.0.3-11636; prior to 2.5.5-11635 (Apache Plug-in)
Homepage: http://www.artofdefence.com/
Found by: Michael Kirchner, Wolfgang Neudorfer,
Lukas Nothdurfter (Team h4ck!nb3rg)
Impact: Remote Denial of Service
Security Advisory
---------------------------------------
Vulnerable Software: phion airlock Web Application Firewall
Vulnerable Version: 4.1-10.41
Homepage: http://www.phion.com/
Found by: Michael Kirchner, Wolfgang Neudorfer,
Lukas Nothdurfter (Team h4ck!nb3rg)
Impact: Remote Denial of Service via Management
Interface (unauthenticated) and Command Execution
7. *Technical Description / Proof of Concept Code*
Cross-Site Scripting (commonly referred to as XSS) bugs arise from a web
application's improper encoding or filtering of input obtained from
untrusted sources. These bugs allow an attacker to inject malicious tags
and/or script code that is later executed in the context of a web
browser when the user accesses the vulnerable web site. The injected
code then takes advantage of the trust relationship between the web
browser and the vulnerable web application. Attacks that exploit XSS
Security Advisory
---------------------------------------
Vulnerable Software: radware AppWall Web Application Firewall
Vulnerable Version: Gateway Version 4.6.0.2 / AppWall Version
1.0.2.6
Homepage: http://www.radware.com/
Found by: Michael Kirchner, Wolfgang Neudorfer,
Lukas Nothdurfter (Team h4ck!nb3rg)
Impact: Source code disclosure on management interface
provide patches for the current vulnerable versions with the 2.7.3
ftf4 release before August, but this release was not confirmed yet
(see the timeline for more details). In the meantime, users can
mitigate these flaws by applying these countermeasures:
1. For [CVE-2010-1929 | 40480], establish a Web Application
Firewall rule for limiting the length of the parameters
'EnteredClassID' and 'NewClassName' in POST requests to the URI
'/nps/servlet/webacc/'.
2. For [CVE-2010-1930 | 40485], establish a Web Application
Firewall rule for limiting the length of the parameter 'Tree' in POST
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.
Mitigation:
6.0.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750924&view=rev
- upgrade to 6.0.19 when released
5.5.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750928&view=rev
> Researcher : Mesut Timur <mesut [at] mavitunasecurity [dot] com>
> Advisory Reference : NS-11-004
>
> Description
> ------------------
> Redmine is a flexible project management web application written using
> Ruby on Rails framework.
>
> Details
> -------------------
> Redmine is affected by a XSS vulnerability in versions from 1.0.1 to 1.1.1.
CORE GRASP for PHP is a web-application protection software aimed at
detecting and blocking injection vulnerabilities and privacy violations.
As mentioned during its presentation at Black Hat USA 2007, GRASP is
being released as open source under the Apache 2.0 license and can be
obtained from http://gasp.coresecurity.com/.
The present implementation protects PHP 5.2.3 against SQL-injection
attacks for the MySQL engine, it can be installed with almost the same
effort as the PHP engine, both in Unix and Windows systems, and
protection is immediate with any PHP web application running in the
Moderator note: this copy of the post has a corrected URL.
CORE GRASP for PHP is a web-application protection software aimed at
detecting and blocking injection vulnerabilities and privacy violations.
As mentioned during its presentation at Black Hat USA 2007, GRASP is
being released as open source under the Apache 2.0 license and can be
obtained from http://grasp.coresecurity.com/.
The present implementation protects PHP 5.2.3 against SQL-injection
attacks for the MySQL engine, it can be installed with almost the same
of PoC code, discussion of fixes, etc.
___________________________________________________________________________
Overview:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
* Open XML File Format Converter for Mac
* Microsoft Excel Viewer SP 2
* Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats SP 2
* Excel Services
* Microsoft Excel Web App 2010 and Microsoft Excel Web App 2010 SP 1
V. WORKAROUND
Microsoft suggested workarounds can be found under the Workaround
section within Microsoft Security Bulletin MS11-072.
3. *Vulnerability Description*
Hyperic HQ [1] is an open source monitoring software designed to
manage web applications and infrastructure. It auto-discovers system
resources (including hardware, operating systems and databases), and
is able to monitor hosts and services.
Multiple cross-site scripting vulnerabilities (both stored and
reflected) have been found in the web interface of Hyperic HQ, which
> "If We Wean the Web Off of Session Cookies, This Is Some of What We'd
> Have to do". I wasn't convinced at all that Weaning the Web Off of
> Session Cookies was the logical conclusion of the data you presented.
>
> To solve problems with forms-based auth + session tokens, we only have
> to fix some things in Web app frameworks, many of which have already
> been fixed in major platforms. Predictable session identifiers, for
> instance, pretty much died out years ago. To migrate to HTTP Digest
> Auth, not only would we have to fix a few things in Web app
> frameworks, we'd have to refactor a massive amount of custom code AND
> convince all major browser vendors all to do the same right things and
3. *Vulnerability Description*
The Cisco Secure Desktop web application does not sufficiently verify if
a well-formed request was provided by the user who submitted the POST
request, resulting in a cross-site scripting vulnerability.
In order to be able to sucessfully make the attack, the Secure Desktop
application on the Cisco Appliance must be turned on.
Workaround
Within PeopleSoft, select the “Enable password controls” checkbox and then define the number of days that a password is valid. The actual number of days does not matter for this purpose.
When an account is locked because of too many login attempts, the administrator can unlock the account and then manually set the status of the password for the account to “expired”. This will force the user to change the password during the next login.
An alternative workaround is to create a custom Web application policy in the SecureSphere Web Application Firewall. The policy match criteria would include the URL prefix of the PeopleSoft login page (the action URL for the authentication form) and the number of occurrences within a specified period of time.
Discovered by:
Yaniv Azaria of Imperva’s ADC
interface. These include XSS Type I, XSS Type II, weak session
management and insecure default configuration.
XSS Type 1:
-----------
Web application fails to validate and/or htmlencode user input when
handling erroneous requests. This allows attacker to inject HTML and
client-side scripts to victim's browser by creating suitable links.
This vulnerability cannot be used for session hijacking, because
CMC-TC PU II requires each valid request to contain current session
Block your calendar on 6th September 2007 to join us on the event. Registrations for the event are FREE !!
Interested in Speaking / Sharing your thoughts??
The topic of the event will be on "Privacy in the 21st Century", so all talks should be related to it (we should be addressing the Web Application side of Privacy (for example what happens to Privacy with SQL Injection, XSS and issues like pdp's Snoop)
Send a mail to dharmeshmm at mastek dot com to confirm your presentation for the event.
Interested in Sponsoring??
Andre Gironda - A little TLC for your SDL
Bruno G Oliveira - Knowing and Enjoying the Cold Boot Attack
Chema Alonso & Jose Parada - RFD (Remote File Downloading) using Blind Techniques
Chris Gates - New School Information Gathering
Christian Heinrich - Google Denied
David Byrne - Advanced Techniques in Automated Web Application Testing
Dennis Brown - Anatomy of the Asprox/Danmec Botnet
Joshua Brashars - Owning telephone entry systems (aka why you shouldn't sleep so well)
Sergey Bratus, Cory Cornelius, Daniel Peebles, & Axel Hansen - Active Fingerprinting of 802.11 APs
Strom Carlson - Why your mother will never care about Linux (a rant)
Stephan Chenette - Ultimate Script Deobfuscation: Browser Hooking versus simulation
> # \___ >__| \___ >\/\_/ #
> # est.2007 \/ \/ forum.darkc0de.com #
>
> ################################################################
>
> # Web Application: FAR - PHP Project version:1.0
> # Vendor's Address :www.far-php.ro
> ################################################################
>
>
> ################################################################
4. *Vulnerability Description*
Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.
For additional information, please read [1].
* Open XML File Format Converter for Mac
* Microsoft Excel Viewer SP 2
* Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats SP 2
* Excel Services
* Microsoft Excel Web App 2010 and Microsoft Excel Web App 2010 SP 1
V. WORKAROUND
Microsoft suggested workarounds can be found under the Workaround
section within Microsoft Security Bulletin MS11-072.
4. *Vulnerability Description*
Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.
This vulnerability can be exploited to force a logged in Administrator
First let me start by saying im not writing to flame anyone (or whatever you kids say these days). I know its can be a daunting to release a paper to the security community because if any of its incorrect you're gonna hear about it.
However releasing a paper and claiming it to be a new class (or sub-class) of vulnerability, well im sorry, its like wearing Gold football boots, you better get it right after a statement like that.
If this paper was titled "Bypassing Broken Input Validation Filters" then there would be no problems. However none of what exists in this document is new, in fact most of it is in the Web Application Hackers Handbook or in much older papers. Constructing attackers of all kinds to bypass black list filters is a common duty of the web application tester, also take a look at all of the recent SQL injection worms.
The main thing wrong here is claiming it to be something new, or even claiming it to be a "sub-class", it not!
Its several methods for encoding sql queries or tricking multi layered input validation/sanitisation routines, none of which are new, all of which are implemented by every pen/app tester i have ever worked with.
Next Page>>
|
