xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )

2008-09-08 Thread geinblues
==

xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )

==

Author: geinblues ( geinblues [at] gmail [dot] com )

DATE: 9.7.2008

Site: http://enterblue.net/~x90c/

Risk: Medium

==







[0] Vulnerability Tracing ( Tracing [BREAK 0] ~ [BREAK 6] )

~/xoops-1.3.10/html/class/snoopy.class.php

function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
{
    ..
    /* [BREAK 5]: $URI (sourceUrl in the vulnerable module) is our
       injected parameter, passed in from fetch() below */
    $URI_PARTS = parse_url($URI);
    ..
    /* [BREAK 6]: $URI (the vulnerable parameter). If we can reach the
       line below, then we can execute system shell commands, because the
       raw URI is concatenated into the command string without escaping */
    exec($this->curl_path." -D \"/tmp/$headerfile\"".$cmdline_params." ".$URI,$results,$return);
    ..
}





function fetch($URI)
{
    //preg_match("|^([^:]+)://([^:/]+)(:[\d]+)*(.*)|",$URI,$URI_PARTS);
    $URI_PARTS = parse_url($URI);
    if (!empty($URI_PARTS["user"]))
        $this->user = $URI_PARTS["user"];
    if (!empty($URI_PARTS["pass"]))
        $this->pass = $URI_PARTS["pass"];

    switch($URI_PARTS["scheme"])
    {
        case "http":
            ..
        case "https":   /* [BREAK 3] sourceUrl's first 5 bytes
                           ("https" in [BREAK 0]) select this branch */
            if(!$this->curl_path || (!is_executable($this->curl_path)))
                return false;
            $this->host = $URI_PARTS["host"];
            if(!empty($URI_PARTS["port"]))
                $this->port = $URI_PARTS["port"];
            if($this->_isproxy)
            {
                // using proxy, send entire URI
                $this->_httpsrequest($URI,$URI,$this->_httpmethod);
            }
            else
            {
                $path = $URI_PARTS["path"].($URI_PARTS["query"] ? "?".$URI_PARTS["query"] : "");

                /* [BREAK 4] _httpsrequest(.., $URI, ..); here our
                   supplied $URI (sourceUrl) is passed through unchanged */
                // no proxy, send only the path
                $this->_httpsrequest($path, $URI, $this->_httpmethod);
            }
            break;
        default:
            ..
    }
    return true;
}







~/xoops-1.3.10/class/phpsyndication.lib.php

// | required: - PHP  |
// |   - Snoopy (find it here: http://freshmeat.net/projects/snoopy)  |

/* [BREAK 1] We can supply the parameter from the RSS file into
   sourceUrl first */
class RSStoHTML
{
    var $sourceUrl; // location of the source RSS file
    ..
}

/**
 * includes Snoopy class for remote file access
 */
require(XOOPS_ROOT_PATH."/class/snoopy.class.php");
..
function getData($forcecache=false)
{
    if(_PHPSYNDICATION_CONNECTED && $forcecache != true &&
       (!file_exists($this->cacheDir.$this->cacheFile) ||
        (filemtime($this->cacheDir.$this->cacheFile) + $this->cacheTimeout - time()) < 0))
    {
        $snoopy = new Snoopy;

        /* [BREAK 2] Here the snoopy->fetch(sourceUrl from [BREAK 1])
           member function is called */
        $snoopy->fetch($this->sourceUrl);
        $data = $snoopy->results;

        $cacheFile = fopen($this->cacheDir.$this->cacheFile, "w");
        fwrite($cacheFile, $data);
        fclose($cacheFile);
    }
    // fsockopen failed the last time, so force cache
    elseif ( $forcecache == true )
    {
        if (file_exists($this->cacheDir.$this->cacheFile)) {
            $data = implode('', file($this->cacheDir.$this->cacheFile));
            // set the modified time to a future time, and let the server have time to come up again

phpAdultSite CMS flaws

2008-09-08 Thread SmOk3
Original article:
http://www.davidsopas.com/2008/09/phpadult-cms-exploit/


phpAdultSite CMS is a PHP-based content management system for an adult
pay site that fully supports MySQL. The code, layout, graphics of
phpAdultSite are consistent through every single page of your site.

It costs between $400 to $1100 depending on the license.

I found that this script is vulnerable to a couple of issues. After no
reply from this CMS's vendors (I sent about two emails 1 week ago), I decided
to go to full disclosure.

The problem exists on the results_per_page variable. If it returns false,
it gives a DB Error output in our browser, showing up path disclosure,
SQL statements that may lead to SQL injections and also, it executes
XSS attacks.

PoC:

index.php?results_per_page=50'
index.php?results_per_page=50<script
type="text/javascript">alert(/XSS vuln by DavidSopas.com/)</script>

It can be fixed by sanitizing the variable.
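As an added example, not code from phpAdultSite or the poster: the sanitizing suggested above, done as an integer range check on results_per_page with filter_var(), a bound parameter in the query, and database errors logged server-side instead of echoed to the browser. The helper names (page_size_from_request, fetch_page) and the table name are assumptions for illustration.

```php
<?php
// Added example: validating results_per_page and keeping DB errors off the page.
// Hypothetical helpers, not code from phpAdultSite.

/**
 * Return a safe page size: an integer within [1, $max], falling back to
 * $default for anything else (missing, non-numeric, out of range, trailing junk).
 */
function page_size_from_request(array $get, int $default = 25, int $max = 100): int
{
    if (!array_key_exists('results_per_page', $get)) {
        return $default;
    }
    $n = filter_var($get['results_per_page'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

/**
 * Query with the page size bound as an integer parameter. Assumes the PDO
 * handle was opened with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.
 * Not executed by the demo below, since it needs a live database.
 */
function fetch_page(PDO $db, int $size): array
{
    try {
        $stmt = $db->prepare('SELECT id, title FROM items ORDER BY id LIMIT :n');
        $stmt->bindValue(':n', $size, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // The driver message (which may include the SQL text) stays in the log;
        // the client only sees a generic failure.
        error_log('items query failed: ' . $e->getMessage());
        http_response_code(500);
        return [];
    }
}

// Constructed inputs: the two PoC shapes from the post plus a few edge cases.
foreach (["50", "50'", "50<script>", "-3", "1000", "abc"] as $raw) {
    printf("%-14s -> %d\n", var_export($raw, true),
        page_size_from_request(['results_per_page' => $raw]));
}
```

Only "50" survives validation; every other input falls back to the default, so the value that reaches the query is always an integer the application chose the bounds for, and a malformed value never produces a driver error to display.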


[ GLSA 200809-06 ] VLC: Multiple vulnerabilities

2008-09-08 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200809-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
  Title: VLC: Multiple vulnerabilities
   Date: September 07, 2008
   Bugs: #235238, #235589
 ID: 200809-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Two vulnerabilities in VLC may lead to the remote execution of
arbitrary code.

Background
==

VLC is a cross-platform media player and streaming server.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  media-video/vlc         < 0.8.6i-r2                   >= 0.8.6i-r2

Description
===

g_ reported the following vulnerabilities:

* An integer overflow leading to a heap-based buffer overflow in the
   Open() function in modules/demux/tta.c (CVE-2008-3732).

* A signedness error leading to a stack-based buffer overflow in the
   mms_ReceiveCommand() function in modules/access/mms/mmstu.c
   (CVE-2008-3794).

Impact
==

A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the remote execution of arbitrary code with the
privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All VLC users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6i-r2"

References
==

   [ 1 ] CVE-2008-3732
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3732
   [ 2 ] CVE-2008-3794
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3794

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

   http://security.gentoo.org/glsa/glsa-200809-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5







Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET ValidateRequest for Script Injection Attacks

2008-09-08 Thread ProCheckUp Research

Hi kuza55,

Are you trying the payload that includes the tilde or the one without?

The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).

Please see: http://www.procheckup.com/Vulnerability_PR08-20.php

And yes, it also works on IE7. Just tried it on a live environment last
week.

kuza55 wrote:
> Sorry for digging this up, but I can't replicate your findings on the
> IE7 version you claim is vulnerable on your advisory.
> 
> Your paper seems to say you only tested this on IE 5.5 and IE6 (no
> mention of IE7), so is that the case, or am I just doing it
> wrong?
> 
> 2008/8/22 ProCheckUp Research [EMAIL PROTECTED]:
>> The Microsoft .NET framework comes with a request validation feature,
>> configurable by the ValidateRequest setting. ValidateRequest has been a
>> feature of ASP.NET since version 1.1. This feature consists of a series
>> of filters, designed to prevent classic web input validation attacks
>> such as HTML injection and XSS (Cross-site Scripting). This paper
>> introduces script injection payloads that bypass ASP .NET web validation
>> filters and also details the trial-and-error procedure that was followed
>> to reverse-engineer such filters by analyzing .NET debug errors.
>> 
>> The original version of this paper was released in January 2006 for
>> private CPNI distribution. This paper has now been updated in August
>> 2008 to include additional materials such as input payloads that bypass
>> the latest anti-XSS .NET patches (MS07-40) released in July 2007.
>> 
>> Paper:
>> 
>> http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
>> 
>> 
>> Advisory:
>> 
>> http://www.procheckup.com/Vulnerability_PR08-20.php






[scip_Advisory 3808] D-Link DIR-100 long url filter evasion

2008-09-08 Thread Marc Ruef

D-Link DIR-100 long url filter evasion

scip AG Vulnerability ID 3808 (09/08/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808

I. INTRODUCTION

D-Link DIR-100 is a small and cost-effective router and firewall device
for small offices and home users. More details are available at the
official product web site (German link):


http://www.dlink.de/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oV492gqltbNlwaaFp6DQoHDrpxC5H+40AAdvl

II. DESCRIPTION

Marc Ruef at scip AG found a possibility to evade url filters of the web
proxy to prevent access to web sites.

An attacker might add a very long string to the url to access web
resources although their access is forbidden.

This problem could be verified in all firmware versions up to v1.12.

A similar vulnerability was already detected years ago in a similar
device Netgear RP114. [1, 2]

III. EXPLOITATION

It is possible to exploit the vulnerability with a common web browser by
using a long url (approx. 1'300 chars). You can expand the length of the
url by adding a non-used http get request parameter. Example url:

   http://www.scip.ch/?foo=aaa(...)

A video illustrating this issue is available at the following url:

   http://de.youtube.com/watch?v=WTzPn37XNl4

The Attack Tool Kit (ATK)[3] is able to exploit this vulnerability with
the following generic ASL code (expand the long URL request):

   open|send GET http://www.scip.ch/?foo=aaa(...)
HTTP/1.0\n\n|sleep|close|pattern_not_exists *This URL is <font
color=red>blocked</font> by administrator !*

IV. IMPACT

With this vulnerability users are able to access forbidden web resources
without being filtered by the integrated web proxy service.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement.

VI. SOLUTION

We have informed D-Link at an early stage. Our technical requests were
not answered nor confirmed. Therefore, no official statement, patch or
upgrade is available.

We suggest the use of another device for filtering forbidden web
resources successfully.

VII. VENDOR RESPONSE

D-Link has been informed first via the unhandy web form at
http://www.dlink.com (no public mail address for such cases could be
found). The first responses claimed that the problem must be within a
wrong configuration setting. Further discussions were initiated.

The support was not able to understand the problem. Not even after
several step-by-step guides and examples. They always suggest I have to
upgrade to the latest firmware and they could not verify the problem.
Therefore, no official solution, workaround or patch is available.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808

computec.ch document data base (german)
http://www.computec.ch/download.php

IX. DISCLOSURE TIMELINE

2008/07/25 Identification of the vulnerability by Marc Ruef
2008/07/28 First information to D-Link via web form
2008/07/28 First reply by D-Link support via [EMAIL PROTECTED]
(ticket id 1375981)
2008/07/29 Providing our config for further analysis
2008/08/06 Request for actual status (no reply)
2008/08/29 Another request for actual status
2008/08/29 Response could not verify the problem
2008/09/01 Detailed explanation of the exploitation
2008/09/01 Responder could still not understand the problem
2008/09/08 Public disclosure of the advisory

X. CREDITS

The vulnerability was discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] http://www.securityfocus.com/bid/10404
[2] http://seclists.org/bugtraq/2004/May/0263.html
[3] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2007-2008 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.
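Section V of the advisory says detection patterns for this evasion are easy to implement. The following is an added example, not code from scip AG, the ATK project or D-Link: a small PHP scanner over constructed proxy log lines that flags requests whose URL length is far beyond what browsers normally emit, which is the signature of padding a blocked URL with a junk query parameter. The log format, field names and the 1024-character threshold are assumptions chosen for the illustration.

```php
<?php
// Added example: flagging abnormally long URLs in proxy logs.
// Constructed log format and threshold; not from scip AG or D-Link.

const LONG_URL_THRESHOLD = 1024; // chars; the advisory's evasion needs ~1300

/**
 * Parse a minimal "<timestamp> <client> <status> <url>" line (a constructed
 * format for this example) and return its fields, or null on mismatch.
 */
function parse_proxy_line(string $line): ?array
{
    if (!preg_match('/^(\S+) (\S+) (\d{3}) (\S+)$/', trim($line), $m)) {
        return null;
    }
    return ['ts' => $m[1], 'client' => $m[2], 'status' => (int)$m[3], 'url' => $m[4]];
}

/**
 * Return one summary string per line whose URL exceeds the threshold.
 * Reporting query length separately makes padding via a junk parameter
 * obvious to whoever reads the alert.
 */
function find_long_urls(array $lines, int $threshold = LONG_URL_THRESHOLD): array
{
    $hits = [];
    foreach ($lines as $line) {
        $rec = parse_proxy_line($line);
        if ($rec === null) {
            continue; // unparsable line: skip rather than guess
        }
        $len = strlen($rec['url']);
        if ($len > $threshold) {
            $query = parse_url($rec['url'], PHP_URL_QUERY) ?? '';
            $hits[] = sprintf('%s client=%s status=%d host=%s url_len=%d query_len=%d',
                $rec['ts'], $rec['client'], $rec['status'],
                parse_url($rec['url'], PHP_URL_HOST), $len, strlen($query));
        }
    }
    return $hits;
}

// Constructed sample: two ordinary requests (one blocked as intended) and a
// third where the same blocked host is reached with a padded URL.
$sample = [
    '2008-09-08T10:00:01 192.0.2.10 200 http://www.example.com/index.html',
    '2008-09-08T10:00:02 192.0.2.10 403 http://blocked.example.net/',
    '2008-09-08T10:00:03 192.0.2.10 200 http://blocked.example.net/?foo=' . str_repeat('a', 1300),
];

foreach (find_long_urls($sample) as $hit) {
    echo $hit, "\n";
}
```

Only the third line is reported. In practice the length alert is most useful when correlated with the filter's own block decisions, as here: a host that was refused moments earlier and is then served with a 200 via an oversized URL is the evasion itself rather than a noisy long link.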




DEFCON London - DC4420 - September meet this Thursday 11th

2008-09-08 Thread Major Malfunction
yes, we've recovered enough from the rigours of DC16 to be able to 
scrape together another London meet, this Thursday, at the Glassblower...


  http://www.beerintheevening.com/pubs/s/20/2081/Glassblower/Piccadilly

as usual, we have our own room with its own bar (1st floor, with its 
own entrance from the street or from the back of the downstairs bar).


as well as real ales and wife beater, good food is also available but 
last food orders are strictly at 21:00, so make sure you get yours in in 
plenty of time and don't go hungry like i did last time!!! :P


meet starts at 19:00, talks at 19:30

this month we have:

  DEFCON badges - i will go through some of the cool stuff you can do 
with these, including my own 'tv-be-a.d.d.' hack... i'll also have a 
couple of human badges to donate to whoever comes up with the coolest 
potential projects (and promise to come back and demo them!)


  Merlin's DEFCON experience

  Tompsci - Windows DLL trampolining

  ... and anyone else that feels like it on the night.

all are welcome, but don't forget we run Fight Club rules... if this is 
your first night, you *will* talk... ;


cheers,
MM
--
In DEFCON, we have no names... errr... well, we do... but silly ones...


Re: Re: SECURITY ADVISORY - Level Platforms, Inc. Service Center Install Data HTTP Vulnerability

2008-09-08 Thread prenaud
Managed Workplace 6.0 Service Pack 3 fully resolves this exposure and was 
released at the end of March 2008 and made generally available to all Level 
Platforms users on May 5, 2008.

No exploits of this exposure occurred prior to the release of this service 
pack.  

In fact there are no attributed exploits of any kind for any version of Managed 
Workplace.


Chrome(0.2.149.27) title(not the tag) Denial of Service(Freeze) exploit

2008-09-08 Thread Rotem Kerner
a vulnerability was found which allows a remote attacker to freeze the 
user's browser

by convincing him to visit a malicious web page

Chrome(0.2.149.27) Denial of Service(Freeze) exploit poc:
http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html

Exodus.





WASC Announcement: 2007 Web Application Security Statistics Published

2008-09-08 Thread statistics


The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2007. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

Goals
1. Identify the prevalence and probability of different vulnerability classes
2. Compare testing methodologies against what types of vulnerabilities they 
   are likely to identify.

The statistics were compiled from web application security assessment projects 
which were made by the following companies in 2007 (in alphabetical order):

- Booz Allen Hamilton
- BT
- Cenzic with Hailstorm and ClickToSecure
- dblogic.it
- HP Application Security Center with WebInspect
- Positive Technologies with MaxPatrol
- Veracode with Veracode Security Review
- WhiteHat Security with WhiteHat Sentinel

The overall statistics includes analysis results of 32,717 sites and
69,476 vulnerabilities of different degrees of severity. The detailed
information can be found here:

http://www.webappsec.org/projects/statistics/

If you represent an organization that performs vulnerability assessments
on websites, particularly those on custom web applications, through a
manual or automated process and would like to participate please let us
know.  Please contact  Sergey Gordeychik ([EMAIL PROTECTED]).

Regards,
- [EMAIL PROTECTED]
http://www.webappsec.org/ The Web Application Security Consortium




Re: Chrome(0.2.149.27) title(not the tag) Denial of Service(Freeze) exploit

2008-09-08 Thread a
Missing opening BODY tag.
What it is supposed to do?
31337 iterations of any loop... 


[ GLSA 200809-07 ] libTIFF: User-assisted execution of arbitrary code

2008-09-08 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200809-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
  Title: libTIFF: User-assisted execution of arbitrary code
   Date: September 08, 2008
   Bugs: #234080
 ID: 200809-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple buffer underflow vulnerabilities in libTIFF may allow for the
remote execution of arbitrary code.

Background
==

libTIFF provides support for reading and manipulating TIFF (Tagged
Image File Format) images.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  media-libs/tiff          < 3.8.2-r4                    >= 3.8.2-r4

Description
===

Drew Yao (Apple Product Security) and Clay Wood reported multiple
buffer underflows in the LZWDecode() and LZWDecodeCompat() functions in
tif_lzw.c when processing TIFF files.

Impact
==

A remote attacker could entice a user to open a specially crafted TIFF
file with an application making use of libTIFF, possibly resulting in
the remote execution of arbitrary code with the privileges of the user
running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libTIFF users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.2-r4"

References
==

   [ 1 ] CVE-2008-2327
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2327

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

   http://security.gentoo.org/glsa/glsa-200809-07.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5







[ GLSA 200809-08 ] Amarok: Insecure temporary file creation

2008-09-08 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200809-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
  Title: Amarok: Insecure temporary file creation
   Date: September 08, 2008
   Bugs: #234689
 ID: 200809-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Amarok uses temporary files in an insecure manner, allowing for a
symlink attack.

Background
==

Amarok is an advanced music player.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  media-sound/amarok       < 1.4.10                      >= 1.4.10

Description
===

Dwayne Litzenberger reported that the
MagnatuneBrowser::listDownloadComplete() function in
magnatunebrowser/magnatunebrowser.cpp uses the album_info.xml temporary
file in an insecure manner.

Impact
==

A local attacker could perform a symlink attack to overwrite arbitrary
files on the system with the privileges of the user running the
application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Amarok users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-sound/amarok-1.4.10"

References
==

   [ 1 ] CVE-2008-3699
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3699

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

   http://security.gentoo.org/glsa/glsa-200809-08.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5







Re: Chrome(0.2.149.27) title(not the tag) Denial of Service(Freeze) exploit

2008-09-08 Thread Wellington Wagner F. Sarmento
I could not duplicate this with either Chrome v0.2.149.29. I think
this problem was now solved.

--
_Wellington Wagner F. Sarmento

Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?
T.S. Eliot

2008/9/8 Rotem Kerner [EMAIL PROTECTED]:
> a vulnerability was found which allow a remote attacker to freeze the users
> browser
> by convincing him to visit a malicious web page
>
> Chrome(0.2.149.27) Denial of Service(Freeze) exploit poc:
> http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html
>
> Exodus.



