you'd
php -r 'include("/etc/passwd/.");'
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
This doesn't happen under normal circumstances.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ cat /etc/passwd/.
cat: /etc/passwd/.: Not a directory
If an admin who doesn't follow bugtraq doesn't know about the issue it's
not full disclosure to him. It's like when you hear about a "known
issue" from Microsoft. If I didn't know about it, how in the heck is
it a known issue? Just because someone in Redmond knows about it
doesn't mean the rest of us do.
I have captcha on a blog site I run. I get folks able to bypass the
filter and post spam comments that get filtered and then a week later or
so get deleted, and the CPU use on the site sucks. But that could
also be the software I'm running.
Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further.
Please refer to my earlier posts, and for the sake of saving some of our
time & efforts, avoid drawing tangents about scripts and noscripts (I've
clarified both earlier) & weasel words (security vulnerability and nntp
exploit - irrelevant in this case).
JS or no-JS, this issue is nothing new, this behavior is well-defined and a
necessity and definitely not a URI (of any kind) exploit or a security
vulnerability.
Hello Susan and other readers who replied to my previous advisory.
Earlier I already answered Vladimir; now I'll answer Susan and soon I'll
answer John. But first, one important note to every reader of the list,
including John Smith, which I already wrote about 1.5 weeks ago (after
posting the first advisory about DoS in browsers) to one reader of
Full-disclosure who read that advisory inattentively (he missed the note
about attacking without JS) and also to Mozilla (who started discussing this
issue and only drew attention to the attack vector with JS). That, as I wrote
in both advisories, this attack via iframes can also be conducted without
What happens if slash when for some reason or another the government decides that you
should not read a news site, will Microsoft willingly oblige and rewrite the news in
accordance to what the government deems readable?
How about the potential to give Microsoft a warrantless order to discover who doesn't
like a President's "health care plan", or who is irrate and whatever policy; Will Microsoft
sift through a machine to retrieve relevant data to disclose to authorities?
That doesn't include the potential for say technological espionage and gouging of sorts.
What's to stop Microsoft from say, mapping a network and reporting all "non-Microsoft"
> reasonable security practices were employed. I have been saying that for
> years.
Amen.
> Because it does not apply to your particular environment doesn't invalidate
> the issue. There are many, many situations where someone would want to
> access a vmware guest via the console and not allow any network access at
> all. One that comes to mind is an offline root CA that you can fire up
> only when you need it--a virtual offline machine. Another situation for
> myself is I keep all my hacking/pen-testing tools on a vm that I can use
to find a flags field there. This is only a problem if the extra size
index is 0, because CDispNode::_extraSizeTable[0] == 0, and in
Internet Explorer 6 and 7, that is exactly what happens --
CDispNode::SetExpandedClipRect is called for a CDispScroller class
instance with an extra size index of 0, so SetExpandedClipRect backs
up the 'this' pointer by 0 machine words (i.e., it doesn't move the
pointer at all) and operates on the class instance's vtable pointer as
though it were a flags field.
Although Internet Explorer 8 may call CDispNode::SetExpandedClipRect
during an attempted exploitation, it only does so for CDispContainer
#
#If you find a valid username, you can use --> "ON DUPLICATE KEY UPDATE column=value",
#
#this clause updates the existing row if a unique index is affected (username) and
#
#doesn't insert a new row. So (username=admin --> valid user):
#
#Username --> admin','any','any') ON DUPLICATE KEY UPDATE password=MD5(12345)%23
#
#Other parameters --> something
#
#Error
    # Give up once the character/position scan runs past its bounds
    # without having recovered anything.
    if (($i > 127) || ($j > 32)) {
        if (!$pass) {
            print "\t-----------------------------------------------------------------\n";
            print "\tEXPLOIT FAILED!\n";
            print "\tFatal error: data not found!\n";
            print "\t-----------------------------------------------------------------\n";
            exit(1);
        }
    }
    return $pass;
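As an added example, not the posted exploit's own code: what the username payload quoted in the comments above does to a registration INSERT that is built by string concatenation, and how a parameterized statement neutralises it. The users table, its column names and MD5 password storage are the exploit's assumptions and are only mirrored here (MD5 is no password hash; it is kept to match the page). The demonstration database is an in-memory SQLite, so the MySQL-only ON DUPLICATE KEY UPDATE clause is shown as the query text the server would receive rather than executed.

```python
"""Added example: the ON DUPLICATE KEY UPDATE payload against concatenated
versus parameterized INSERT statements."""
import hashlib
import sqlite3
from urllib.parse import unquote

# Username value exactly as given in the exploit's comments. %23 decodes to
# '#', which begins a comment in MySQL and discards the rest of the query.
PAYLOAD = "admin','any','any') ON DUPLICATE KEY UPDATE password=MD5(12345)%23"


def vulnerable_insert_sql(username, password, email):
    """Hypothetical registration query built by string concatenation (the
    pattern the exploit relies on; not the affected application's code)."""
    return ("INSERT INTO users (username, password, email) "
            "VALUES ('%s', MD5('%s'), '%s')" % (username, password, email))


def injected_query():
    """The statement a MySQL server would receive for the posted payload:
    an INSERT for 'admin' that collides with the unique username index and
    therefore runs the UPDATE branch, resetting the admin password."""
    return vulnerable_insert_sql(unquote(PAYLOAD), "something", "something")


def password_hash(pw):
    # MD5 only because the page's target stores MD5; use a real password hash.
    return hashlib.md5(pw.encode()).hexdigest()


def safe_register(conn, username, password, email):
    """Parameterized form: the payload is just a (strange) username value.
    A genuine duplicate raises IntegrityError instead of silently updating."""
    conn.execute("INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
                 (username, password_hash(password), email))


def admin_hash(conn):
    return conn.execute("SELECT password FROM users WHERE username = 'admin'").fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, email TEXT)")
    safe_register(conn, "admin", "original-secret", "admin@example.test")
    before = admin_hash(conn)
    safe_register(conn, unquote(PAYLOAD), "something", "something")   # attacker's attempt
    after = admin_hash(conn)
    rows = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    literal = conn.execute("SELECT COUNT(*) FROM users WHERE username = ?",
                           (unquote(PAYLOAD),)).fetchone()[0]
    return {"admin_unchanged": before == after, "rows": rows, "stored_literally": literal == 1}


if __name__ == "__main__":
    print(injected_query())
    print(demo())
```

The injected statement only works because username carries a UNIQUE index; without it MySQL would insert a second 'admin' row or fail on the partial statement. The check to make on your own code is the first function: any query whose text depends on request data is in scope, whatever the column names.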
:exe[cute] {expr1} .. Executes the string that results from the evaluation
of {expr1} as an Ex command.
-- Vim Reference Manual (eval.txt)
``execute'' is similar e.g. to the ``eval'' command of the POSIX shell. As Vim
Script doesn't allow variables as arguments to commands, only literals,
``execute'' is very popular:
let a = "vim"
execute "setfiletype" a " Alternative is cumbersome
let b = "/path/to/foo"
Moin moin Bugtraq readers,
Bill Paul and I have discovered that LoginWindow.app doesn't clear
credentials after a user is authenticated. We discovered this while
testing our EFI-based memory recovery utilities discussed recently[0].
We've found that depending on the state of capture, the passwords for
currently active accounts are stored in memory in plain text form, at
least once if not more times.
mentioned in your letter). As you can find in my post DoS in Firefox,
Internet Explorer and Google Chrome (http://websecurity.com.ua/2575/),
I showed three variants of this attack, to show the possibilities of bypassing
browsers' protection. This variant of the exploit is not a universal DoS, because
it doesn't work in all browsers. If you, John, didn't know, I'll tell
you that already in 2008 there were browsers which could block such attacks.
So your statement "it'd work for every browser on the planet" has been incorrect
for two years already. And in my post I published three exploits for such a
DoS attack, and the third one bypassed Google Chrome's protection (versions
0.2.149.30 and 0.3.154.9 at that time). But Opera 9.52 was not affected at
information on VMware security best practices.
c. WebAccess URL Forwarding Vulnerability
The WebAccess component doesn't sufficiently validate user supplied
input and allows for forwarding of an incoming request to another
destination. The destination will not be able to see the true origin
of the request URL but instead will see the address of the machine
that runs WebAccess. An attacker could use the forwarding
vulnerability to direct traffic at servers while disguising the
> For starters, There's no reason why varnish ever has to run as root.
> It never listens on privileged ports, and the C compiler is never
> available over a network interface.
The proxy process doesn't run as root by default, but that's not much
consolation if the master process can reconfigure it at will. The C compiler
is available over whatever interface the master port is bound to, and in most
cases that will be localhost:6082. I've seen that as a default configuration
for FreeBSD, Fedora, Debian and Ubuntu packages.
On 1/15/10 6:40 PM, Thor (Hammer of God) wrote:
> I could only imagine. The other problem is that many people seem to think I'm saying something against the Chinese *people* themselves, based on the "f* you round-eye* messages I've received (and they call ME racist). They don't seem to get the clear distinction (to me) between the Chinese people and China's network. It's the machines I'm concerned with the attacks coming from those machine. Just because the machine is sourced in China doesn't mean the attacker is - so I have to do the best I can to defend against the machines. However, that unfortunately comes across to those who choose not to think it through as me saying something against the Chinese themselves.
>
> Then again, as you well know, people will take any opportunity they can just to be ugly and confrontational, and to have something to rail about. In the face of the reality of China's horribly infected network, when I suggest blocking that traffic (as many others have and do), they seize the opportunity to call me prejudice and a racist.
The Chinese network is indeed very infected, which in turn causes the
rest of the world great computerized harm. Nobody disputes this.
The solution of blocking China, however, is one which harms both people
outside of China, as well as those inside of China. Therefore, it
I was carried away because the author used scripts (in a global script tag)
in the PoC of the issue in question which made unconditional recursion
possible.
Without scripts enabled, if an iframe's src property is set to itself (?), it is
parsed up to 1 level (i.e. not recursed). Hence it doesn't affect or DoS the
latest browsers (the best I can say...).
A few other points:
1. if a links/ads or any other content-syndication provider allow unverified
> >> People always try and send me Hebrew using Google Translate... it's
> >> usually word for word which means it breaks sentence structure. Then
> it
> >> misses context, translating words with different meanings. Then it
> >> completely mistranslates by using the root of the word, or similar,
> >> anything it doesn't know.
> >>
> >> All in all, while it can't be confused with real Hebrew, it is quite
> >> clear.
> >>
> >> Chinese seems a bit (understatement) more complicated, though.
There's a nearly identical case that works in all Unixen, AFAIK: You
have /a/b/file1, which is writable to user1. The user has permission
to descend /a and /a/b. At some point user1 does a cd to /a/b. Then
at some later point, while the user still has that shell open, the
sysadmin closes off permission to /a, and user1 no longer can descend
it. But it doesn't matter... user1 has already got a shell open in
/a/b, and therefore full access to all the files there which are not
otherwise protected against that user's access. user1 can copy them,
mail them to friends, make hard links to them, etc.... Anything
desired, until that shell is closed. This case won't work if you
close off /a/b, because you need to be able to modify the directory in
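The retained-cwd case from the post above, as an added example that is not the poster's code. It builds a temporary /a/b tree and plays user1 as the current user: after chdir into b and chmod 0 on a, relative opens and hard links inside b still work while fresh lookups through a are refused, and it also shows the post's last point (closing off /a/b itself does stop new opens) plus the related fact that an already-open descriptor survives even that. Permission bits are not enforced for root, so the 'blocked' results only mean something when is_root is False.

```python
"""Added example: a shell's cwd (and an open fd) as a retained handle that
outlives a later permission change on the parent directory."""
import os
import shutil
import stat
import tempfile


def can_open(path):
    try:
        with open(path, "rb"):
            return True
    except PermissionError:
        return False


def can_chdir(path):
    try:
        os.chdir(path)
        return True
    except PermissionError:
        return False


def demo():
    root = tempfile.mkdtemp()          # stands in for "/" of the post's /a/b
    a = os.path.join(root, "a")
    b = os.path.join(a, "b")
    os.makedirs(b)
    file1 = os.path.join(b, "file1")
    with open(file1, "w") as f:
        f.write("payroll\n")
    old_cwd = os.getcwd()
    r = {"is_root": os.geteuid() == 0}
    try:
        os.chdir(b)                    # user1's shell is already sitting in /a/b
        held = open("file1")           # and has file1 open as well
        os.chmod(a, 0)                 # sysadmin now closes off /a

        # The cwd is a kernel handle into b: relative lookups never touch /a.
        r["relative_read"] = open("file1").read()
        os.link("file1", "file1.lnk")  # the hard link the post mentions (stays in b)
        r["hardlink_made"] = os.path.exists("file1.lnk")
        # A fresh lookup from outside must traverse /a and is refused.
        r["absolute_blocked"] = not can_open(file1)
        r["new_shell_blocked"] = not can_chdir(b)

        # Closing off /a/b itself does stop new opens: resolving a name inside
        # b needs search permission on b ...
        os.chmod(b, 0)
        r["closed_b_blocked"] = not can_open("file1")
        # ... but a descriptor opened earlier is its own handle and keeps working.
        r["held_fd_still_reads"] = held.read() == "payroll\n"
        held.close()
    finally:
        os.chdir(old_cwd)
        os.chmod(b, stat.S_IRWXU)
        os.chmod(a, stat.S_IRWXU)
        shutil.rmtree(root)
    return r


if __name__ == "__main__":
    print(demo())
```

The operational consequence: revoking a directory permission is not revocation of access already in progress. To cut off a user who is already inside, you must also end their sessions (or move the data), exactly as you would after rotating a credential that is still held in a live process.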
Hi,
With all due respect - this is known to be a vulnerability class since
over a century. Just because it doesn't have an acronym à la XSS
doesn't mean it's not known to be a vulnerability. Can we please stop
the attitude of inventing acronyms for vulnerabilities, making it look
like it's something new and funky.
It's the impact of something that makes it a vulnerability, not the
name.
On Fri, Sep 11, 2009 at 1:06 PM, Thierry Zoller <Thierry@zoller.lu> wrote:
> Hi,
>
> With all due respect - this is known to be a vulnerability class since
> over a century. Just because it doesn't have an acronym à la XSS
> doesn't mean it's not known to be a vulnerability. Can we please stop
> the attitude of inventing acronyms for vulnerabilities, making it look
> like it's something new and funky.
>
> It's the impact of something that makes it a vulnerability, not the
Vulnerability Explanation
=======================================
Let's wait for the Cisco response, so we'll have a better understanding of this
issue. Meanwhile...
I think this is a design error because ACE XML doesn't take into account that the
client could be in the same internal network segment, so it receives
the request, which cannot be processed, and throws an error message disclosing
an internal IP address.
According to the ACE XML Gateway User Guide, Log Messages chapter, the listed
All the slashes were replaced with "-".
Even more, we cannot fully control the include path, the user input is
automatically prefixed with "./themes/garland/page-".
So, this vulnerability doesn't look exploitable, right?
Actually, this is exploitable, but only on Windows systems.
On Unix systems, something like "cat
/var/www/some_invalid_filename/../../../../../etc/passwd" doesn't work
because some_invalid_filename is not a directory.
-- IMPORTANT NOTES --
HTTPBruteForcer requires Internet Explorer (IE WebBrowser ActiveX)
* This version has some limitations...
* It doesn't include proxy support
* It doesn't support threads
* It doesn't include the "login-name" bruteforce functionality
* Sources are not publicly available
...
Eric Rescorla <ekr@networkresonance.com> writes:
>It's easy to compute all the public keys that will be generated
>by the broken PRNG. The clients could embed that list and refuse
>to accept any certificate containing one of them. So, this
>is distinct from CRLs in that it doesn't require knowing
>which servers have which cert...
You'd also end up with a rather large list for the client to carry around,
which would be especially problematic for lightweight clients. You'd need to
represent it as something like a Bloom filter to avoid this (given that most
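The Bloom-filter representation suggested above, as an added example that is neither poster's code. It sizes the filter for a target false-positive rate, fills it with fingerprints of the keys the broken PRNG can emit, and measures what a client would see. The "weak" and "good" keys are constructed stand-ins (short byte strings), not key material from any real PRNG; the sizing formulas and the double-hashing scheme are the standard textbook ones.

```python
"""Added example: a Bloom filter as a compact client-side blocklist of
predictable public keys, with its false-positive cost measured."""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_items, fp_rate):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, int(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round((self.m / n_items) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing from one SHA-256 digest: h1 + i*h2 (h2 forced odd).
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def key_fingerprint(key_bytes):
    # In practice: SHA-256 over the DER-encoded SubjectPublicKeyInfo.
    return hashlib.sha256(key_bytes).digest()


def build_blocklist(weak_keys, fp_rate=1e-4):
    bf = BloomFilter(len(weak_keys), fp_rate)
    for k in weak_keys:
        bf.add(key_fingerprint(k))
    return bf


def certificate_key_is_blocked(bf, key_bytes):
    """True for every weak key (no false negatives); also, rarely, for a
    good key: a false positive here means rejecting a legitimate cert."""
    return key_fingerprint(key_bytes) in bf


def demo(n_weak=32768, n_good=100000):
    weak = [b"weak-key-%d" % i for i in range(n_weak)]      # constructed stand-ins
    bf = build_blocklist(weak)
    misses = sum(1 for k in weak if not certificate_key_is_blocked(bf, k))
    false_pos = sum(1 for i in range(n_good)
                    if certificate_key_is_blocked(bf, b"good-key-%d" % i))
    return {"filter_bytes": len(bf.bits), "hashes": bf.k, "misses": misses,
            "false_positives": false_pos,
            "full_list_bytes": n_weak * 32}   # 32-byte fingerprints stored verbatim


if __name__ == "__main__":
    print(demo())
```

For 32768 weak keys at p = 1e-4 the filter is about 78 KB against 1 MB for a flat list of fingerprints, and it never misses a weak key. The price is the false positives: roughly one legitimate key in ten thousand is refused and there is no way to un-block it short of shipping a new filter, so the rate has to be chosen against the population of good keys the client will actually meet, not just against the blocklist size.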
The icabar.exe file is launched during an administrator logon to the
desktop via the Run registry key. Unfortunately the IcaBar key value
doesn't have a full binary path, which allows an attacker to escalate
privilege in Windows NT, 2000 in the default configuration and in
Windows 2003 in some circumstances.
This causes several rounds of PATH searching, where Windows
tries to locate the icabar.exe file in the directories listed in its
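An added example, not the advisory's code, of the check a practitioner would run over Run-key entries: classify each command string by how CreateProcess will locate its executable. A bare file name like the IcaBar value is resolved through the PATH search, so any searched directory a low-privileged user can write to lets them plant a binary that runs at the administrator's logon. The example also flags unquoted absolute paths containing spaces, a related resolution ambiguity the advisory does not discuss. The logic is pure string handling with ntpath so it runs on any OS; the sample entries are constructed, with only the icabar.exe value shaped as the advisory describes.

```python
"""Added example: audit Run-key command strings for executables that Windows
will resolve through a search rather than an unambiguous absolute path."""
import ntpath

# Constructed sample of Run-key values (not read from any real registry).
SAMPLE_RUN_VALUES = {
    "IcaBar": "icabar.exe",                                              # bare name: PATH search
    "HealthTray": r"C:\Windows\System32\healthtray.exe",                 # absolute, no spaces
    "Updater": r"C:\Program Files\Some Vendor\updater.exe /background",  # absolute but unquoted
    "Tray": r'"C:\Program Files\Some Vendor\tray.exe" --minimized',      # quoted: unambiguous
}

EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd")


def executable_token(cmd):
    """Return the part CreateProcess treats as the program name, and whether
    it was quoted. Unquoted commands are split at the first space, which is
    exactly where the ambiguity comes from."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    return cmd.split(None, 1)[0], False


def classify(cmd):
    """'relative': no full path, resolved via the PATH search and plantable
    by anyone who can write to a searched directory.
    'unquoted-with-spaces': absolute but unquoted and cut at a space, so
    CreateProcess tries C:\\Program.exe and friends before the real file.
    'ok': an absolute path with no such ambiguity."""
    token, quoted = executable_token(cmd)
    if not ntpath.isabs(token):
        return "relative"
    if quoted:
        return "ok"
    rest = cmd.strip()[len(token):]
    # Heuristic: an unquoted first token that lacks an executable suffix while
    # text follows it is almost certainly a path truncated at a space.
    if rest and not token.lower().endswith(EXE_SUFFIXES):
        return "unquoted-with-spaces"
    return "ok"


def audit(run_values):
    """Map value name -> finding for every entry that is not 'ok'."""
    return {name: classify(cmd) for name, cmd in run_values.items()
            if classify(cmd) != "ok"}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RUN_VALUES).items():
        print("%-12s %s" % (name, finding))
```

On a real host, feed audit() the values read from HKLM and HKCU ...\CurrentVersion\Run (and RunOnce) with the winreg module. Fixing a finding means writing the full, quoted path into the value; removing user-writable directories from the system PATH closes the same hole for every other bare-name launch.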
(HGFS) and other features.
An input validation error is present in the Windows-based VMware
HGFS.sys driver. Exploitation of this flaw might result in
arbitrary code execution on the guest system by an unprivileged
guest user. It doesn't matter on what host the Windows guest OS
is running, as this is a guest driver vulnerability and not a
vulnerability on the host.
The HGFS.sys driver is present in the guest operating system if the
VMware Tools package is loaded. Even if the host has HGFS disabled