[Full-disclosure] Funny smtp helo in the logs

2005-10-30 Thread Aditya Deshmukh
I have been seeing this in my logs across all the public SMTP servers, from
all over the net.

Anyone know what sends these kinds of HELO?


*please* when responding to this mail trim out anything below this --

124 09/10/2005 09:54:35 HELO -1209283632  ---  250 my.smtp.domain.server  
125 09/10/2005 09:55:27 HELO -1209747464  ---  250 my.smtp.domain.server  
126 09/10/2005 09:56:01 HELO -1213477808  ---  250 my.smtp.domain.server  
129 09/10/2005 09:56:47 HELO -120870  ---  250 my.smtp.domain.server  
12A 09/10/2005 09:57:46 HELO -1209957152  ---  250 my.smtp.domain.server  
131 09/10/2005 10:02:36 HELO -1218370912  ---  250 my.smtp.domain.server  
134 09/10/2005 10:04:55 HELO -1217834696  ---  250 my.smtp.domain.server  
135 09/10/2005 10:05:36 HELO -1217676688  ---  250 my.smtp.domain.server  
137 09/10/2005 10:06:23 HELO -1218157032  ---  250 my.smtp.domain.server  
13A 09/10/2005 10:06:57 HELO -1216091056  ---  250 my.smtp.domain.server  
13B 09/10/2005 10:07:35 HELO -1216184136  ---  250 my.smtp.domain.server  
13C 09/10/2005 10:08:13 HELO -1217914984  ---  250 my.smtp.domain.server  
13D 09/10/2005 10:08:40 HELO -1209896648  ---  250 my.smtp.domain.server  
13E 09/10/2005 10:09:43 HELO -1213166296  ---  250 my.smtp.domain.server  
13F 09/10/2005 10:10:35 HELO -1213642136  ---  250 my.smtp.domain.server  
140 09/10/2005 10:11:16 HELO -1209605968  ---  250 my.smtp.domain.server  
006 11/10/2005 08:43:45 HELO -1212929616  ---  250 my.smtp.domain.server  
008 11/10/2005 08:44:26 HELO -1214982448  ---  250 my.smtp.domain.server  
009 11/10/2005 08:46:07 HELO -1215268000  ---  250 my.smtp.domain.server  
00A 11/10/2005 08:47:06 HELO -1214871440  ---  250 my.smtp.domain.server  
00B 11/10/2005 08:49:16 HELO -1215063696  ---  250 my.smtp.domain.server  
00C 11/10/2005 08:50:12 HELO -1215031936  ---  250 my.smtp.domain.server  
00D 11/10/2005 08:50:55 HELO -1213038648  ---  250 my.smtp.domain.server  
010 11/10/2005 08:52:09 HELO -1212896896  ---  250 my.smtp.domain.server  
014 11/10/2005 08:53:48 HELO -1212788072  ---  250 my.smtp.domain.server  
016 11/10/2005 09:00:02 HELO -1213862536  ---  250 my.smtp.domain.server  
017 11/10/2005 09:00:44 HELO -1216032616  ---  250 my.smtp.domain.server  
005 20/10/2005 17:55:02 HELO -1208757800  ---  250 my.smtp.domain.server  
006 20/10/2005 17:55:43 HELO -1208466864  ---  250 my.smtp.domain.server  
009 20/10/2005 17:57:38 HELO -1208425264  ---  250 my.smtp.domain.server  
00A 20/10/2005 17:58:36 HELO -1209153048  ---  250 my.smtp.domain.server  
00B 20/10/2005 17:59:21 HELO -1208221040  ---  250 my.smtp.domain.server  
00C 20/10/2005 18:00:16 HELO -1209204568  ---  250 my.smtp.domain.server  
00F 20/10/2005 18:01:36 HELO -1209432360  ---  250 my.smtp.domain.server  
027 20/10/2005 18:56:40 HELO -1208740112  ---  250 my.smtp.domain.server  
21E 25/10/2005 04:52:01 HELO -1208817024  ---  250 my.smtp.domain.server  
21F 25/10/2005 04:53:06 HELO -1207974056  ---  250 my.smtp.domain.server  
220 25/10/2005 04:55:26 HELO -1208954808  ---  250 my.smtp.domain.server  
221 25/10/2005 04:56:07 HELO -1208091560  ---  250 my.smtp.domain.server  
222 25/10/2005 04:56:46 HELO -1215556832  ---  250 my.smtp.domain.server  
223 25/10/2005 04:57:16 HELO -1208017712  ---  250 my.smtp.domain.server  
224 25/10/2005 04:58:03 HELO -1208351328  ---  250 my.smtp.domain.server  
227 25/10/2005 04:58:58 HELO -1215519416  ---  250 my.smtp.domain.server  
228 25/10/2005 04:59:46 HELO -1208139640  ---  250 my.smtp.domain.server  
229 25/10/2005 05:01:10 HELO -1208158800  ---  250 my.smtp.domain.server  
22A 25/10/2005 05:01:53 HELO -1208056904  ---  250 my.smtp.domain.server  
22C 25/10/2005 05:03:06 HELO -1215816112  ---  250 my.smtp.domain.server  
22D 25/10/2005 05:04:31 HELO -1216238864  ---  250 my.smtp.domain.server  
22E 25/10/2005 05:05:15 HELO -1208157944  ---  250 my.smtp.domain.server  
22F 25/10/2005 05:05:58 HELO -1215473168  ---  250 my.smtp.domain.server  
230 25/10/2005 05:06:56 HELO -1208746080  ---  250 my.smtp.domain.server  
231 25/10/2005 05:08:36 HELO -1209142096  ---  250 my.smtp.domain.server  
232 25/10/2005 05:09:09 HELO -1210509584  ---  250 my.smtp.domain.server  
233 25/10/2005 05:10:34 HELO -1210106016  ---  250 my.smtp.domain.server  
234 25/10/2005 05:12:10 HELO -1210964032  ---  250 my.smtp.domain.server  
235 25/10/2005 05:12:48 HELO -1209218672  ---  250 my.smtp.domain.server  
127 26/10/2005 02:42:59 HELO -1212817800  ---  250 my.smtp.domain.server  
128 26/10/2005 02:43:32 HELO -1212894352  ---  250 my.smtp.domain.server  
129 26/10/2005 02:43:45 HELO -1213176336  ---  250 my.smtp.domain.server  
12C 26/10/2005 02:44:19 HELO -1212856784  ---  250 my.smtp.domain.server  
12D 26/10/2005 02:45:29 HELO -1212385064  ---  250 my.smtp.domain.server  
12E 26/10/2005 02:47:31 HELO -1212692064  ---  250 my.smtp.domain.server  
12F 26/10/2005 02:48:06 HELO -1212321816  ---  250 my.smtp.domain.server  
130 26/10/2005 02:49:10 HELO -1212623592  ---  250 

Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind

2005-10-30 Thread Valdis Shkesters

But I classify anti-spyware programs in one encampment only -
composed of unneeded programs. Does identification of so-called
spyware technically differ from identification of the usual computer
virus or worm? No.
Is that which is now called spyware
(http://antispywarecoalition.org/documents/definitions.htm) within
the sphere detected by antiviruses? Yes, it is, with the exception of tracking
cookies.

I have for many years used an antivirus which excellently detects all classes
of harmful programs. Within the last year, using the same antivirus,
I have found a very large number of active harmful programs
(which are called spyware by many) in several hundreds of
infected computers. And at least one third of these computers
had the so-called anti-spyware installed.

From the point of view of an average user, until now the word virus
was a synonym for all harmful programs. Now for a large part of them
the name spyware has been introduced. Why? In order to get
money - for antivirus and anti-spyware? Then we will see
anti-crimeware tomorrow and anti-terrorware the day after tomorrow.

Best regards,

Valdis

- Original Message -
From: Nick FitzGerald [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Saturday, October 29, 2005 2:42 PM
Subject: Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind




Valdis Shkesters wrote:


At first you can take a look here: http://secunia.com/product/4256/.

This summer the German magazine ComputerBild compared several
popular antispyware products. Test results are available in the forum
http://www.rokop-security.de/lofiversion/index.php/t8810.html.
Scrolling through, detailed figures by category of harmful programs
can be seen. I warn that the figures may be very unpleasant for fans
of some products.


...which may simply reflect that they are shite tests, rather than
anything especially meaningful about the products??

As a rule, anti-spyware products fall into one of two camps:

1.  Never mind the quality, feel the width -- you can usually pick
these because their advertising lays heavy stress on the 43 quadrillion
spyware items they claim to detect.  These products will remove 17
bazillion entirely harmless items from normal systems simply because
they happened to be string-matches on filename (of course you don't
want ANY 'unwise.exe' files on your system!), reg key/value/etc, and
so on.

2.  Clueful.  These will not have the stupid false-positive rates of
the above, but as a result will not apparently score as well on
clueless tests of the kind the proponents of the first kind of anti-
spyware product push.

I'd like to say -- stealing something from a colleague -- welcome to
antivirus 101 but actually, I think things in the anti-spyware testing
arena are a lot worse than all but the very, very, very worst ever AV
tests AND it seems anti-spyware tests will continue to get worse,
rather than better...


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 




Re: [Full-disclosure] Funny smtp helo in the logs

2005-10-30 Thread Thierry Zoller
Dear Aditya Deshmukh,

No clue, just a thought: covert channel? A program inside might read promiscuous-
mode data? Or SMTP logs?

-- 
http://Thierry.sniff-em.com
Thierry Zoller




[Full-disclosure] for IE researchers, found a link crashing IE

2005-10-30 Thread ad

This link crashes my fully patched IE on:

Crash   - Windows 2k SP4 Workstation (6.0.2800.1106)
Crash   - Windows XP SP1 64-bit (IE32-6.0.3790.1830)
NoCrash - Windows XP SP1 64-bit (IE64-6.0.3790.1830)

PoC link: http://www.kotaku.com/gaming/sex/girl-gives-xbox-360-controller-a-blowjob-134028.php

Dunno if it's a high risk since I don't really
care about IE security but this might interest some security researchers
working on IE.


Re: [Full-disclosure] Funny smtp helo in the logs

2005-10-30 Thread trains

Quoting Aditya Deshmukh [EMAIL PROTECTED]:


I have been seeing this in my logs across all the public SMTP servers, from
all over the net.

Anyone know what sends these kinds of HELO?

124 09/10/2005 09:54:35 HELO -1209283632  ---  250 my.smtp.domain.server
125 09/10/2005 09:55:27 HELO -1209747464  ---  250 my.smtp.domain.server


snip


02D 29/10/2005 20:39:12 HELO -1208865784  ---  250 my.smtp.domain.server
017 30/10/2005 11:21:26 HELO -1216191992  ---  250 my.smtp.domain.server


They look like IP addresses to me (1216191992 = 72.125.157.248).  I
checked a few and they weren't SMTP listeners.  I would go for the
possibility that your mail server is being used as part of a reporting
mechanism to notify the mother ship of vulnerable or infected IP
addresses.


-
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:[EMAIL PROTECTED]




RE: [Full-disclosure] for IE researchers, found a link crashing IE

2005-10-30 Thread ad

Correcting my previous post, IE64 also
crashes, gogo it smells the secbug:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Sunday, 30 October 2005 13:56
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] for IE researchers, found a link crashing IE
Importance: High

This link crashes my fully patched IE on:

Crash   - Windows 2k SP4 Workstation (6.0.2800.1106)
Crash   - Windows XP SP1 64-bit (IE32-6.0.3790.1830)
NoCrash - Windows XP SP1 64-bit (IE64-6.0.3790.1830)

PoC link: http://www.kotaku.com/gaming/sex/girl-gives-xbox-360-controller-a-blowjob-134028.php

Dunno if it's a high risk since I don't really care
about IE security but this might interest some security researchers working on
IE.


RE: [Full-disclosure] for IE researchers, found a link crashing IE

2005-10-30 Thread ad
Strange, I have tested here on an English OS; I notice 1 in 5 tries passes on XP.
Try to refresh with ?? characters at the end of the link to retrieve it
from outside the cache. Dunno, it crashes every time otherwise here on 2k SP4 English.

-Original Message-
From: Thierry Zoller [mailto:[EMAIL PROTECTED]
Sent: Sunday, 30 October 2005 14:27
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] for IE researchers, found a link crashing IE

Dear Ad..,

PoC link: http://www.kotaku.com/gaming/sex/girl-gives-xbox-360-controller-a-blowjob-134028.php

Does not crash GERMAN XP SP2 6.0.2900.2180.xpsp_sp2_gdr-050301-1519
-- 

Thierry Zoller
mailto:[EMAIL PROTECTED]





RE: [Full-disclosure] for IE researchers, found a link crashing IE

2005-10-30 Thread ad
Windows XP  Professional SP1  ENGLISH 64-bit (IE32-6.0.3790.1830) -crash-
Windows XP  Professional SP1  ENGLISH 64-bit (IE64-6.0.3790.1830) -crash-
Windows XP  Professional SP2  ENGLISH 32-bit (IE32-6.0.2900.2180) -nocrash-
Windows XP  Professional SP1  ENGLISH 32-bit (IE32-6.0.2900.1106) -crash-
Windows 2k  Workstation  SP4  ENGLISH 32-bit (IE32-6.0.2800.1106) -crash-
Windows 2k  Server   SP4  ENGLISH 32-bit (IE32-6.0.2800.1106) -crash-
Windows NT4 Workstation  SP6a ENGLISH 32-bit (IE32-6.0.2800.1106) -nocrash-
Windows NT4 Server   SP6a ENGLISH 32-bit (IE32-6.0.2800.1106) -nocrash-
Windows 2k3 Server Std   SP1  ENGLISH 32-bit (IE32-6.0.3790.1830) -crash-

Hope it helps :)

-Original Message-
From: Thierry Zoller [mailto:[EMAIL PROTECTED]
Sent: Sunday, 30 October 2005 14:27
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] for IE researchers, found a link crashing IE

Dear Ad..,

PoC link: http://www.kotaku.com/gaming/sex/girl-gives-xbox-360-controller-a-blowjob-134028.php

Does not crash GERMAN XP SP2 6.0.2900.2180.xpsp_sp2_gdr-050301-1519
-- 

Thierry Zoller
mailto:[EMAIL PROTECTED]





[Fwd: Re: [Full-disclosure] for IE researchers, found a link crashing IE]

2005-10-30 Thread misiu

Sorry, this was a direct reply.

Thierry Zoller wrote:

Dear Ad..,

PoC link: http://www.kotaku.com/gaming/sex/girl-gives-xbox-360-controller-a-blowjob-134028.php

Does not crash GERMAN XP SP2 6.0.2900.2180.xpsp_sp2_gdr-050301-1519

Hmmm,

Win XP Home Version 2002 Service Pack 2 German

AppName: iexplore.exe   AppVer: 6.0.2900.2180   ModName: mshtml.dll
ModVer: 6.0.2900.2668   Offset: 0021727c

Crash

2. Restart browser, copy link: nothing.
Click through page: all cool...

Reload page: crash.

Restart browser: nothing - reload page: nothing,
reload page: nothing, again... crash.

Strange, it does not crash the browser every time...

m



Re: [Full-disclosure] for IE researchers, found a link crashing IE

2005-10-30 Thread Manuel \ekerazha\ C.

Here -nocrash- and -noshutdown- :-P
Everything works fine...

On 2k3 there is prolly a security restriction, because it has shut down
iexplorer without a crash here on the English OS ye



Re: [Full-disclosure] Funny smtp helo in the logs

2005-10-30 Thread Fco. Jose Garrido Matamoros
They are looking for a badly configured SMTP server; it's looking for a server
that accepts unauthenticated sessions from a supposed old mail client (HELO
instead of EHLO) without authentication functionality.

Perhaps they are spammers searching for unauthenticated SMTP servers.

Note: HELO is the old command to begin a session.

Sorry for my English!


On Sunday, 30 October 2005 08:09, Aditya Deshmukh wrote:
 I have been seeing this in my logs across all the public SMTP servers, from
 all over the net.

 Anyone know what sends these kinds of HELO?


 *please* when responding to this mail trim out anything below this --

 124 09/10/2005 09:54:35 HELO -1209283632  ---  250 my.smtp.domain.server
 ...
 ...
 017 30/10/2005 11:21:26 HELO -1216191992  ---  250 my.smtp.domain.server


 
 Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

-- 
Fco. Jose Garrido Matamoros
Senior Telecommunications Engineer

TecVD - Seguridad y Control de Sistemas de Informacion
http://www.tecvd.com

NOTE: The accents in this message have been deliberately omitted to avoid
any kind of corruption of the text characters.



**DISCLAIMER**

This message is private and confidential and it is intended exclusively for 
the addressee. If you receive this message by mistake, you should not 
disseminate, distribute or copy this e-mail. Please inform the sender and 
delete the message and attachments from your system. No confidentiality 
nor any privilege regarding the information is waived or lost by any 
mistransmission or malfunction. 
Any views or opinions contained in this message are solely those of the 
author, and do not necessarily represent those of Tecnologias de Vigilancia 
y Deteccion, S.L., unless otherwise specifically stated and the sender is 
authorised to do so. 
E-mail transmission cannot be guaranteed to be secure, confidential, or 
error-free, as information could be intercepted, corrupted, lost, 
destroyed, arrive late, incomplete, or contain viruses. Tecnologias de 
Vigilancia y Deteccion, S.L. does not accept responsibility for any changes 
in the contents of this message after it has been sent. 
This message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any product or service. 
If the addressee of this message does not consent to the use of internet 
e-mail, please communicate it to us.



Re: [Full-disclosure] for IE researchers, found a link crashing IE

2005-10-30 Thread Greg


- Original Message - 
From: [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Sunday, October 30, 2005 11:55 PM
Subject: [Full-disclosure] for IE researchers, found a link crashing IE



This link crashes my fully patched IE on

Unsure if this was a real bug-crash report or not but, for the heck of it, I
tested it from 2 Windows boxes.

1) Win XP SP2 with IE6 SP2 all fully patched and running, because I was too
lazy to stop it running, Zone Alarm Pro (yes, I know, but I like to do this
for other reasons). No crash.

2) Networked (runs wired through the XP box as above and out of that,
wireless to a router) 98SE machine with IE6 SP2 fully patched on it. No
crash.

Was this one an honest report or just someone having a laugh?




[Full-disclosure] Advisory 17/2005: phpBB Multiple Vulnerabilities

2005-10-30 Thread Stefan Esser
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

                      -= Security Advisory =-


     Advisory: phpBB Multiple Vulnerabilities
 Release Date: 2005/10/31
Last Modified: 2005/10/31
       Author: Stefan Esser [EMAIL PROTECTED]

  Application: phpBB <= 2.0.17
     Severity: Multiple vulnerabilities allow XSS, SQL injection
               and remote code execution
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_172005.75.html


Overview:

   Quote from www.phpbb.com:
   phpBB is a high powered, fully scalable, and highly customizable 
   Open Source bulletin board package. phpBB has a user-friendly 
   interface, simple and straightforward administration panel, and 
   helpful FAQ. Based on the powerful PHP server language and your 
   choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database 
   servers, phpBB is the ideal free community solution for all 
   web sites.
   
   Because of our research into register_globals deregistration
   code, the implementation within phpBB was audited and several
   weaknesses were found that allowed the protection to be completely
   bypassed on PHP5 servers.

   After these weaknesses were found and disclosed to the vendor
   nearly 80 days ago, several problems with uninitialised variables
   were discovered that allow XSS, SQL injection and even remote
   execution of arbitrary PHP code when phpBB is used with
   register_globals turned on.

   While register_globals=off is the recommended setting, most web
   hosters, even those that actually run PHP5, still have it
   enabled because it is their customers' wish.


Details:

   To get rid of possible security problems caused by not properly
   initialised variables, phpBB comes with the following piece of
   code that is intended to deregister global variables which were
   created because of the register_globals directive. Unfortunately
   there are at least 3 ways to bypass the protection.
   
   // PHP4+ path
   $not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 
  'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 
  'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 
  'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

   // Not only will array_merge give a warning if a parameter
   // is not an array, it will actually fail. So we check if
   // HTTP_SESSION_VARS has been initialised.
   if (!isset($HTTP_SESSION_VARS))
   {
  $HTTP_SESSION_VARS = array();
   }

   // Merge all into one extremely huge array; unset
   // this later
   $input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, 
$HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, 
$HTTP_SESSION_VARS, $HTTP_ENV_VARS, 
$HTTP_POST_FILES);

   unset($input['input']);
   unset($input['not_unset']);

   while (list($var,) = @each($input))
   {
  if (!in_array($var, $not_unset))
  {
 unset($$var);
  }
   }
   
   unset($input);
   

   Bypass Vulnerabilities
   --

   [1] In PHP5 <= 5.0.5 it is possible to register e.g. the global
   variable $foobar by supplying a GET/POST/COOKIE variable
   with the name 'foobar' but also by supplying a GPC variable
   called 'GLOBALS[foobar]'. If the variable is supplied in
   that way, the code above will not try to unset $foobar but
   $GLOBALS, which completely bypasses the protection.

   [2] When the session extension is not started by a call to
   session_start(), PHP does not know about the variables
   $_SESSION or $HTTP_SESSION_VARS, which means it is possible
   to fill them with any value if register_globals is turned on.
   Combined with the fact (which was even documented in the phpBB
   code) that array_merge() will fail in PHP5 when at least
   one of the parameters is not an array, it is possible for an
   attacker to simply set HTTP_SESSION_VARS to a string and let
   the complete protection fail, because $input ends up empty.

   [3] When register_long_arrays is turned off, PHP does not know
   anymore about all the HTTP_* variables. This means they can
   be filled with anything that is completely unrelated to the
   existing global variables. It is obvious that the protection
   cannot work when this configuration is chosen.

   In addition to the 3 possible ways to bypass the globals
   deregistration code, several not properly initialised variables
   were disclosed to the vendor that can even lead to remote code
   execution.

   Not properly initialised variables
   --

   [1] Within usercp_register.php the variable 'error_msg' is not
   properly initialised and can therefore be used to inject
   arbitrary HTML code
   
  

Re: [Full-disclosure] Funny smtp helo in the logs

2005-10-30 Thread Valdis . Kletnieks
On Sun, 30 Oct 2005 12:39:52 +0530, Aditya Deshmukh said:

 124 09/10/2005 09:54:35 HELO -1209283632  ---  250 my.smtp.domain.server  

I'm not sure which is sadder, that the spamware is totally untested and buggy,
or that so many sites will accept this syntactically invalid HELO command that
the spammers weren't forced to fix their code.

And yes, it looks like somebody did an 'sprintf("HELO %d", my_ip_addr);'
without bothering to check what that produced


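An added example, not code from anyone in this thread, that carries the two readings given above through on the values the thread quotes: trains' conversion of the digits into an IPv4 address, and Valdis's suggestion that a 32-bit address was printed with a signed %d (for which both byte orders are shown, since an in_addr read through an int on a little-endian host would come out reversed). It also checks each HELO argument against the Domain grammar of RFC 5321 section 4.1.2, which is the syntactic check a receiving MTA or a log review would use to flag these lines. The two numeric values in SAMPLE_LOG come from the thread; the two well-formed arguments and the record ids around them are constructed for the example.

```python
import re
import socket
import struct

# Constructed sample in the same layout as the log lines quoted in the
# thread (record id, date, time, HELO argument, server reply). The two
# numeric arguments are values from the thread; the last two lines are
# made-up well-formed arguments for contrast.
SAMPLE_LOG = """\
124 09/10/2005 09:54:35 HELO -1209283632  ---  250 my.smtp.domain.server
017 30/10/2005 11:21:26 HELO -1216191992  ---  250 my.smtp.domain.server
200 30/10/2005 11:30:00 HELO mail.example.org  ---  250 my.smtp.domain.server
201 30/10/2005 11:31:00 HELO [192.0.2.10]  ---  250 my.smtp.domain.server
"""

HELO_RE = re.compile(r"\bHELO\s+(\S+)")

# RFC 5321 section 4.1.2 "Domain": dot-separated labels that begin and end
# with a letter or digit and may contain hyphens inside, or an IPv4
# address literal in square brackets. IPv6 literals are not handled here.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
ADDR_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")


def helo_is_valid(arg: str) -> bool:
    """Grammar-only check of a HELO argument; it does not resolve or verify it."""
    m = ADDR_LITERAL_RE.match(arg)
    if m:
        return all(int(octet) <= 255 for octet in m.groups())
    return DOMAIN_RE.match(arg) is not None


def magnitude_as_ipv4(n: int) -> str:
    """trains' reading: drop the sign and treat the value as a big-endian IPv4 address."""
    return socket.inet_ntoa(struct.pack("!I", abs(n) & 0xFFFFFFFF))


def signed32_as_ipv4(n: int, byte_order: str = "big") -> str:
    """Valdis's reading: a 32-bit address was printed with %d, so undo the
    signed reinterpretation and render the four bytes in the given order
    ("big" = network order as stored, "little" = as a little-endian host
    would have read an in_addr through an int)."""
    u = n & 0xFFFFFFFF
    fmt = "!I" if byte_order == "big" else "<I"
    return socket.inet_ntoa(struct.pack(fmt, u))


def decode_helo_number(n: int) -> dict:
    """All candidate decodings of a numeric HELO argument plus its hex form."""
    u = n & 0xFFFFFFFF
    return {
        "hex": f"0x{u:08X}",
        "magnitude": magnitude_as_ipv4(n),
        "signed_big_endian": signed32_as_ipv4(n, "big"),
        "signed_little_endian": signed32_as_ipv4(n, "little"),
    }


def analyse_log(text: str) -> list:
    """One record per log line: the HELO argument, whether it is
    syntactically valid, and for integer arguments the candidate decodings."""
    records = []
    for line in text.splitlines():
        m = HELO_RE.search(line)
        if not m:
            continue
        arg = m.group(1)
        rec = {"helo": arg, "valid": helo_is_valid(arg)}
        if re.fullmatch(r"-?\d+", arg):
            rec["decoded"] = decode_helo_number(int(arg))
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in analyse_log(SAMPLE_LOG):
        print(rec)
```

The hex column is the useful sanity check before trusting any of the decodings: nearly every value quoted in the thread lands between 0xB7000000 and 0xB8FFFFFF, a far narrower band than one would expect from hosts "all over the net", so the decoded addresses are a hypothesis to verify rather than identified hosts. The grammar check is deliberately syntax-only; an all-digit label such as 1209283632 passes RFC 5321's Domain grammar, so a rule that wants to catch that case too should additionally require at least one alphabetic label or an address literal.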

Re: [Full-disclosure] Funny smtp helo in the logs

2005-10-30 Thread Bill Weiss
Aditya Deshmukh([EMAIL PROTECTED])@Sun, Oct 30, 2005 at 12:39:52PM +0530:
 I have been seeing this in my logs across all the public SMTP servers, from
 all over the net.

 Anyone know what sends these kinds of HELO?

My server gets those as well.  I think it's just some broken spam-ware.

-- 
Bill Weiss
 
How To Write Good
 14. Don't be redundant; don't use more words than necessary; it's
highly superfluous.
