Re: [Full-disclosure] Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Siegfried
This is actually what I wanted to say, "that" stripslashes if you prefer;
I'm not sure if he wanted to use it to validate the input, or that would
be really dumb, but anyway it's really not important at all.

I leave you to the n3td3v trolls now, have fun, but keep an eye on all
advisories :)

Siegfried

On Sun, 2 April 2006 08:47, Jasper Bryant-Greene wrote:
> Siegfried wrote:
>> Yes, like you said, there is no check, because the stripslashes is a joke.
>> And yes, this script isn't famous at all, but it was just to show a recent
>> example of an error in the advisory, even if this one is just a detail
>
> Stripslashes is not a joke, it's just not designed for what it's being
> used for. The developer that tries to use it for input
> validation/checking, now *there's* the joke!
>
> --
> Jasper Bryant-Greene
> General Manager
> Album Limited
>
> http://www.album.co.nz/ 0800 4 ALBUM
> [EMAIL PROTECTED]  021 708 334
>


-- 
Zone-H Admin
[EMAIL PROTECTED]
www.zone-h.org
www.zone-h.fr

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Jasper Bryant-Greene

Siegfried wrote:

Yes, like you said, there is no check, because the stripslashes is a joke.
And yes, this script isn't famous at all, but it was just to show a recent
example of an error in the advisory, even if this one is just a detail


Stripslashes is not a joke, it's just not designed for what it's being
used for. The developer that tries to use it for input
validation/checking, now *there's* the joke!


--
Jasper Bryant-Greene
General Manager
Album Limited

http://www.album.co.nz/ 0800 4 ALBUM
[EMAIL PROTECTED]  021 708 334



Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You ShouldNotFollow

2006-04-01 Thread Mike Nice
> >    Tip #4 works precisely because it defeats pharming, MITM and
> > type-alike. The Cert box is nearly impossible to spoof because you would
> > have to spoof the actual bank's certificate.  Any error and your browser
> > will pop up a warning dialog that the host name on the SSL cert doesn't
> > match the name of the host.  That's only assuming that some corrupt CA
> > hasn't issued a second SSL cert for the real bank host name.
>
> You must not have visited Codefish.  The spoof wrote a https:  web
> address in the address bar, and wrote the bottom of the browser to
> look just like an SSL connection, complete with a lock. When the lock
> was clicked, it popped up something that looked just like the cert
> box.  Very well done indeed.

   I have not seen Codefish, but Tip #4 does not rely at all on the user's
visual acuity except during the initial bookmarking.  It is possible that
the Codefish technique could work if the pharming was active during the
bookmarking when checking the certificate credentials.  This is possible
but unlikely.

   But later, when the bookmark points to the bank's SSL page, the browser
would still pop up an error that the certificate name does not match during
the SSL negotiation phase.  All the user has to know is 'pick the bank page
from favorites, then don't accept any popup warnings'.

> I'm continually amazed by the belief that the cert box is sacrosanct.
> If the underlying box is compromised, all bets are off.

   This is a good point - I wouldn't place any trust in your average
E-commerce site.  Hopefully a bank would pay more attention to security.
The thinking is that if you as a user have secured everything at the client
end, there is less risk of a drained account.  Presumably in the US, the
bank assets are insured by the government if the bank's system is
compromised.



[Full-disclosure] Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Siegfried
Yes, like you said, there is no check, because the stripslashes is a joke.
And yes, this script isn't famous at all, but it was just to show a recent
example of an error in the advisory, even if this one is just a detail.

There are some people who publish really many XSS/SQL injection
advisories, but really MANY, you all saw it. I'm quite sure some of them
just use their browser to "audit" them (like other people use fuzzers for
other stuff). I don't criticize their work, but I'm more than sure that
some of them provide incomplete and/or incorrect information because they
didn't look well.

If they audit with their browser and have a PHP version installed older
than PHP 5.1.2, they may post an XSS advisory while it was something really
different, or just _nothing_ because it was the XSS in the PHP error
message, like that example of the Guppy directory traversal.

Well, there is no need to talk more about it in my opinion.
End of thread for me :)

Siegfried

>From: ascii 
>Date: Sun, 02 Apr 2006 04:06:18 +0200
>
>Siegfried wrote:
>
>> if(!empty($chemin)) $chemin = stripslashes($chemin);
>> else $chemin = $depart;
>[..]
>> $chemintotal = $chemin;
>[..]
>> $handle = @opendir($chemintotal);
>> $file = @readdir($handle);
>
>> This poor check doesn't secure anything as it doesn't check slashes, and
>> it's useless, BUT this isn't just a directory traversal as you can do
>> http://[target]/dir.php?chemin=/etc/
>> and it works as well..
>
>hi Siegfried,
>
>imho there is no check at all (and stripslashes() is called only to
>make the script work smooth with magic_quotes on environments)
>
>the error suppression shows the poor quality of this code
>
>also this code seems to rely on register_globals on..
>
>anyway i found only one location mentioning this script and on the
>comment board there is a post dated 21/04/03 23:14 about $chemin
>security
>
>> I suggest adding these 2 lines (at line 12 of dir.php)
>> $chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace
>> ("..\%2F", "", $chemin); normally that should block the little
>> smart alecks :)
>
>http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933
>
>so this bug is pretty old and the script seems to be unmaintained
>
>regards, ascii, http://www.ush.it
>
>ps: i haven't verified nor downloaded "ExplorerXP", but obviously i
>completely trust your code snippet : )



Re: [Full-disclosure] Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread ascii
Siegfried wrote:

> if(!empty($chemin)) $chemin = stripslashes($chemin); 
> else $chemin = $depart;
[..]
> $chemintotal = $chemin;
[..]
> $handle  = @opendir($chemintotal);
> $file= @readdir($handle);

> This poor check doesn't secure anything as it doesn't check slashes, and
> it's useless, BUT this isn't just a directory traversal as you can do
> http://[target]/dir.php?chemin=/etc/
> and it works as well..

hi Siegfried,

imho there is no check at all (and stripslashes() is called only to
make the script work smooth with magic_quotes on environments)

the error suppression shows the poor quality of this code

also this code seems to rely on register_globals on..

anyway i found only one location mentioning this script and on the
comment board there is a post dated 21/04/03 23:14 about $chemin
security

> I suggest adding these 2 lines (at line 12 of dir.php)
> $chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace
> ("..\%2F", "", $chemin); normally that should block the little
> smart alecks :)

http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933

so this bug is pretty old and the script seems to be unmaintained

regards, ascii, http://www.ush.it

ps: i haven't verified nor downloaded "ExplorerXP", but obviously i
completely trust your code snippet : )



Re: [Full-disclosure] RSA HAVE CRACKED PHISHING, NO SERIOUSLY

2006-04-01 Thread Nick FitzGerald
Nancy Kramer wrote:

> While I have no idea if what RSA is doing works or not but I have noticed 
> the absence of  phishing emails in my in box in the last few days.  I used 
> to get maybe half a dozen or more a day since I don't run spam filters. Not 
> a one in the last two days.  The Ebay and Paypal emails seemed to stop 
> first.  Now even the ones for banks I have never heard of are no longer 
> coming in.
> 
> There must be a reason for this.  ...

Why must there be?

Maybe it's just near one of the far edges of the normal distribution of 
phishing Email your address sees?

Personally, I've seen about what I consider the usual amount of 
phishing over the last few weeks.  A couple of months back I hardly got 
a single phish in about 3-4 days and started to wonder what was going 
on, but most of my professional acquaintances assured me their 
organizations' mail servers were seeing the usual phlow of phish...

> ...  Maybe the phishers decided to take a 
> vacation.

Maybe, but their bots don't need a break, so guess what??  8-)


Regards,

Nick FitzGerald



[Full-disclosure] Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Siegfried
Recently I saw http://seclists.org/lists/fulldisclosure/2006/Mar/1815.html

The person who found it sent it to me before sending it elsewhere. As I
thought he wouldn't send it to any mailing list, I decided to verify the
information, and the directory traversal isn't just a directory traversal.
If you look at the code, you see this:

--
if(!empty($chemin)) $chemin = stripslashes($chemin); else $chemin = $depart;


// --- Navigation security -- //

$chemintotal = $chemin;

// --- Collect files and directories into an array -- //


$handle  = @opendir($chemintotal);
$file    = @readdir($handle);
---

This poor check doesn't secure anything as it doesn't check slashes, and
it's useless, BUT this isn't just a directory traversal as you can do
http://[target]/dir.php?chemin=/etc/
and it works as well..

I usually don't verify them as I don't have the time, but when I verify
and find incorrect information, I see that I'm the only one correcting it
(on my site), and many security sites just relay the information because
they don't have the time to verify them too.

You guys at MITRE, can't you make something like a "verification process"? Or
another web site to verify all the information? I think it becomes really
necessary..

Siegfried


On Sat, 1 April 2006 19:13, Siegfried wrote:
> About that XSS, it was really a normal XSS, like I wrote in my second post
> (I respect rgod's work because he always made good analyses and good
> advisories). But there are indeed many vulnerabilities that are classified
> as XSS while they were much more than an XSS, or an XSS in a PHP error
> message.
>
> Those XSS issues are actually vulnerabilities that were fixed in PHP 5.1.2
> (I know at least 2 examples: an inclusion error message, a missing
> function whose name is based on user supplied data).
>
> See also:
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-10/0040.html
>
> There is also this problem with SQL injection vulnerabilities, everyday we
> see a bunch of XSS and SQL injection advisories, but who has the time to
> check them all? ..
>
> Siegfried
>
On Sat, 1 April 2006 10:11, Steven M. Christey wrote:
>
> In a post-disclosure analysis [1] of a security issue announced by
> rgod [2], Siegfried observed that the reported XSS actually originated
> from a file inclusion vulnerability, in which the XSS was reflected
> back from an error message when the file inclusion failed:
>
>>About the xss, it is an xss in the php error message, there are many
>>php functions returning errors without filtering them, anybody noted
>>that?
>
> Yes.
>
> I would greatly appreciate some corroboration from the real PHP/web
> security experts out there on what I'm about to say.  If true, it
> would partly explain why XSS is so rampant in PHP applications.
>
> As I understand it, this behavior is due to an XSS problem in PHP
> itself before 5.1.2 (CVE-2006-0208), as announced in January 2006:
>
>   http://www.php.net/release_5_1_2.php
>
> It's not clear if PHP 4.x was affected.
>
> The XSS happens when display_errors and html_errors are enabled - it
> won't quote the output from raw error messages.
>
> No doubt many so-called XSS errors these days are the result of this
> particular issue in PHP.  They aren't entirely the application's
> fault, although obviously they indicate the lack of strong input
> validation.
>
> This can hide much more serious vulnerabilities, like file inclusion,
> directory traversal, or SQL injection.  I have mentioned this in the
> past, but now we know why this seems to happen so often.
> (Application-controlled error handlers can still be subject to XSS of
> course, even under a fixed PHP.)
>
> For those who do post-disclosure analysis: there *might* be a
> resultant XSS issue if the researcher claims both XSS and another type
> of bug in the same affected parameter/component, or if the
> researcher's report includes error messages that don't seem to be
> sanitizing XSS-tainted output.
>
> - Steve
>
> [1]
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044756.html
>
> [2] http://retrogod.altervista.org/claroline_174_incl_xpl.html
>

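The dir.php pattern quoted in this thread, with a containment check beside it, as an added example (not code from the thread, from ExplorerXP or from any of the posters); the function names, the temporary demo tree under $base and the realpath-based check are this example's own:

```php
<?php
// Added example (not from the thread): the dir.php pattern beside a
// hardened version. $depart is the script's default base directory, as in
// the quoted code; everything else here is this example's own.

// The unsafe pattern as quoted in the thread. stripslashes() only undoes
// magic_quotes escaping; it is not a path check, so "../../" as well as an
// absolute path such as "/etc/" is handed straight to opendir(). The @
// hides the warning that would have revealed the problem.
function list_dir_unsafe(string $chemin, string $depart): array
{
    if (!empty($chemin)) $chemin = stripslashes($chemin); else $chemin = $depart;
    $handle = @opendir($chemin);
    if ($handle === false) {
        return [];
    }
    $entries = [];
    while (($file = readdir($handle)) !== false) {
        $entries[] = $file;
    }
    closedir($handle);
    return $entries;
}

// Hardened version: treat the request as relative to $base, resolve it with
// realpath() (which collapses "..", "." and symlinks), then require that the
// result is the base directory itself or lies below it. This replaces the
// blacklist suggested on the script's comment board (ereg_replace of "../"),
// which a single pass cannot make safe: "....//" still yields "../".
function resolve_inside_base(string $requested, string $base): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Never honour an absolute request: strip leading separators so it is
    // re-rooted under the base directory.
    $relative  = ltrim($requested, "/\\");
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null; // does not exist, or could not be resolved
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $baseReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $candidate;
}

function list_dir_safe(string $chemin, string $depart): array
{
    $dir = resolve_inside_base($chemin === '' ? '.' : $chemin, $depart);
    if ($dir === null || !is_dir($dir)) {
        return [];
    }
    $entries = scandir($dir);
    return $entries === false ? [] : $entries;
}

// Demonstration on a constructed temporary tree.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'explorer_demo_' . getmypid();
mkdir($base . '/docs', 0700, true);
touch($base . '/docs/readme.txt');

var_dump(list_dir_safe('docs', $base));            // allowed: inside $base
var_dump(list_dir_safe('../../../../etc', $base)); // rejected: ".." resolves outside $base
var_dump(list_dir_safe('/etc/', $base));           // rejected: re-rooted under $base, where it does not exist
var_dump(list_dir_unsafe('/etc/', $base));         // the bug the thread describes: the absolute path is opened as-is

unlink($base . '/docs/readme.txt');
rmdir($base . '/docs');
rmdir($base);
```

The containment test compares the resolved path against the resolved base with a trailing separator, so a sibling directory whose name merely starts with the base name (for example `/srv/files2` next to `/srv/files`) is also rejected; realpath() returning false for non-existent targets means the check never reasons about a path it could not fully resolve.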


Re: [Full-disclosure] Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Siegfried
About that XSS, it was really a normal XSS, like I wrote in my second post
(I respect rgod's work because he always made good analyses and good
advisories). But there are indeed many vulnerabilities that are classified
as XSS while they were much more than an XSS, or an XSS in a PHP error
message.

Those XSS issues are actually vulnerabilities that were fixed in PHP 5.1.2
(I know at least 2 examples: an inclusion error message, a missing
function whose name is based on user supplied data).

See also:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-10/0040.html

There is also this problem with SQL injection vulnerabilities: every day we
see a bunch of XSS and SQL injection advisories, but who has the time to
check them all? ..

Siegfried

On Sat, 1 April 2006 10:11, Steven M. Christey wrote:
>
> In a post-disclosure analysis [1] of a security issue announced by
> rgod [2], Siegfried observed that the reported XSS actually originated
> from a file inclusion vulnerability, in which the XSS was reflected
> back from an error message when the file inclusion failed:
>
>>About the xss, it is an xss in the php error message, there are many
>>php functions returning errors without filtering them, anybody noted
>>that?
>
> Yes.
>
> I would greatly appreciate some corroboration from the real PHP/web
> security experts out there on what I'm about to say.  If true, it
> would partly explain why XSS is so rampant in PHP applications.
>
> As I understand it, this behavior is due to an XSS problem in PHP
> itself before 5.1.2 (CVE-2006-0208), as announced in January 2006:
>
>   http://www.php.net/release_5_1_2.php
>
> It's not clear if PHP 4.x was affected.
>
> The XSS happens when display_errors and html_errors are enabled - it
> won't quote the output from raw error messages.
>
> No doubt many so-called XSS errors these days are the result of this
> particular issue in PHP.  They aren't entirely the application's
> fault, although obviously they indicate the lack of strong input
> validation.
>
> This can hide much more serious vulnerabilities, like file inclusion,
> directory traversal, or SQL injection.  I have mentioned this in the
> past, but now we know why this seems to happen so often.
> (Application-controlled error handlers can still be subject to XSS of
> course, even under a fixed PHP.)
>
> For those who do post-disclosure analysis: there *might* be a
> resultant XSS issue if the researcher claims both XSS and another type
> of bug in the same affected parameter/component, or if the
> researcher's report includes error messages that don't seem to be
> sanitizing XSS-tainted output.
>
> - Steve
>
> [1]
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044756.html
>
> [2] http://retrogod.altervista.org/claroline_174_incl_xpl.html
>

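The display_errors/html_errors behaviour described in Steve Christey's message, beside a hardened configuration and an application-controlled handler that escapes before output, as an added example (not code from the thread or from PHP's documentation); the ini values chosen, SHOW_DETAIL, the function names and the constructed tainted argument are this example's own:

```php
<?php
// Added example, not code from the thread: the weak error-display
// configuration Steve Christey describes, beside a hardened one, and an
// application error handler that escapes before output. SHOW_DETAIL, the
// function names and the constructed tainted argument are this example's own.

// Weak configuration (for comparison; do not use):
//   display_errors = On
//   html_errors    = On
// With PHP before 5.1.2 (CVE-2006-0208) a request parameter that PHP copied
// into a warning, e.g. the argument of a failed include() or opendir(), was
// rendered to the browser unescaped, which is the "XSS in the PHP error
// message" the thread is about.

// Hardened configuration: clients never receive PHP's own error output; it
// goes to the error log for operators instead.
ini_set('display_errors', '0');
ini_set('html_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Whether the (escaped) message text is shown to the client at all. Keep it
// false in production: even an escaped message leaks paths and internals.
const SHOW_DETAIL = false;

// Builds the fragment sent to the client. Anything taken from the error text
// goes through htmlspecialchars(), so an argument such as "<b>tainted</b>"
// that PHP copied into the message arrives as text, not markup.
function format_error_for_client(string $errstr, bool $showDetail): string
{
    if (!$showDetail) {
        return '<p class="error">An error occurred while processing the request.</p>';
    }
    return '<pre class="error">' . htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Application-controlled handler. As the thread notes, such a handler is
// still exposed on a fixed PHP, so the escaping must happen here; it cannot
// be assumed from the runtime. It also runs for @-suppressed calls, so the
// "@opendir()" in dir.php would not have hidden the message from it.
function safe_error_handler(int $errno, string $errstr, string $errfile = '', int $errline = 0): bool
{
    error_log(sprintf('php error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    echo format_error_for_client($errstr, SHOW_DETAIL), "\n";
    return true; // handled: PHP's built-in display is not invoked
}
set_error_handler('safe_error_handler');

// Demonstration: a warning whose text contains a constructed tainted
// argument, the shape of message that was being reported as "just XSS".
$tainted = '<b>tainted</b>';
opendir($tainted); // client sees the generic notice; the log holds the raw text

// The escaping itself, shown with detail enabled: the tags come out as
// entities rather than as markup.
echo format_error_for_client("opendir($tainted): failed to open dir", true), "\n";
```

Run from the command line, the raw warning goes to stderr through error_log() while stdout carries only the generic notice and, for the last call, the escaped text; the same split (operators get the detail, clients get an escaped or generic message) is what prevents a path traversal or inclusion bug from surfacing as a reflected-XSS symptom in the first place.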


Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You ShouldNotFollow

2006-04-01 Thread Anonymous Squirrel
On 4/1/06, Mike Nice <[EMAIL PROTECTED]> wrote:
>
> 1) Any different social engineering besides "login to your bank
> account".  For example, "Chase will pay you $20 to fill out a short
> survey!"  (of course, after filling out the survey you must provide
> your debit card number or account login information to get the $20).
>
> This should be tip #5, back to the old 'don't click on anything from
> your bank in an E-mail - for any reason'.

It's not that simple.  With all of the outsourcing nowadays, the
phisher only has to indicate that the survey is being "impartially"
conducted by a third party.  Then the phisher can even supply a
non-bank link without obfuscation!  Really, all we are dealing with
here is tricking the human into going to the web site.  Saying "don't
click on anything" only guards against one social engineering tactic.
The rest are left on the table.

>
> 3) Any attack that spoofs the SSL cert box (The Codefish web site had
> a good example...what ever happened to Codefish, anyway?...pharming,
> MITM, and type-alike can fit in here, too)
>
>Tip #4 works precisely because it defeats pharming, MITM and type-alike.
> The Cert box is nearly impossible to spoof because you would have to spoof
> the actual bank's certificate.  Any error and your browser will pop up a
> warning dialog that the host name on the SSL cert doesn't match the name of
> the host.That's only assuming that some corrupt CA hasn't issued a
> second SSL cert for the real bank host name.
>

You must not have visited Codefish.  The spoof wrote a https:  web
address in the address bar, and wrote the bottom of the browser to
look just like an SSL connection, complete with a lock. When the lock
was clicked, it popped up something that looked just like the cert
box.  Very well done indeed.

I'm continually amazed by the belief that the cert box is sacrosanct. 
If the underlying box is compromised, all bets are off.



Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow

2006-04-01 Thread Nick FitzGerald
Marcos Agüero to Michal Zalewski:

> > Note to self: design my next phishing website to always display "logon
> > failed".

8-)

The phishmongers are well ahead of you there...

> Just as most of the phishing sites already do.

Really?

"Most"?

Still?

Admittedly I don't poke bogus credentials into every phishing site I
see, but I do prod a lot of them and of late the only thing I've seen
"fail" is a few sites doing Luhn checks on supplied CC #s and asking
you to more carefully re-enter the number.

The "initial fail" tactic was quite popular a while back, but I
don't recall having seen it at all lately...


Regards,

Nick FitzGerald



Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow

2006-04-01 Thread Nick FitzGerald
[EMAIL PROTECTED] wrote:

> Tip #2: Invalid credentials work on impersonated websites.
> 
> If you feel there is something wrong with a website, use invalid
> username and invalid password to log in. If the website then presents you
> with the "Logon failed" page, you are possibly on a legitimate website, so
> you may proceed with logging in using your correct credentials. If it gets
> you right through - it is definitely a phishing attempt. "
> 
> argghh

8-)

There was a series of phish a while back (early last year was the last 
time I think I saw one of these) where the phisher seemed to be aware of this 
possible tactic, and always "failed" the first login (and always 
accepted the second no matter what you put, including exactly the same 
(bogus) credentials).


Regards,

Nick FitzGerald



Re: [Full-disclosure] Re: [HV-PAPER] Anti-Phishing Tips You Should NotFollow

2006-04-01 Thread Nick FitzGerald
Dave Korn to Jasper Bryant-Greene:

> > Phishing scams are public in nature. They aren't trying to avoid
> > detection :) ...

Actually, that depends on the scam.

Some phishers go to elaborate lengths to hide the real location of 
their phishing sites, using fast-changing DNS entries with multiple 
host (A) records for their bogus domains, quickly rotating the domain 
through sizable chunks of widely distributed IP address space across 
their vast botnets.  The bots at the business end of these setups act 
as HTTP proxies to the "real" phishing site, but are incredibly 
difficult to "catch in the act" and analyse (and doing so requires a 
level of inter-ISP, etc. cooperation you're unlikely to find in 
practice).

Why they go to that much trouble unless they are trying to avoid 
detection of the real scam site's location I cannot imagine.

> > ... and the IP address would of course be spoofed.
> 
>   No it wouldn't.  IP address spoofing is easy over UDP but incredibly 
> difficult over TCP.

Exactly.

BUT, it can be "practically" implemented -- i.e. the same end result 
(the phisher's real location remaining unknown) can be achieved with 
readily available means...

There's nothing to prevent a phishmonger who is running a botnet much 
like that described above from also distributing the "check the supplied 
login credentials" effort across the botnet, rate-limiting the requests 
to a specific target banking site from each bot to "a few per hour", 
such that each bot might look, to any traffic or other pattern 
monitoring at the banking site, much like an "Internet cafe" or other 
similar public access node.  And don't forget that, unlike the actual 
spamming of such phishing schemes, the total traffic involved here 
would be quite small anyway, as normally only a very small proportion 
of the phishing scam recipients will actually get as far as visiting 
the phish site _and then_ entering login data (in fact, this response 
rate is probably so low that the checking could be done by the bot 
proxying the current victim's HTTP traffic to the real scam site).


Regards,

Nick FitzGerald



Re: [Full-disclosure] Re: A Move to Remove

2006-04-01 Thread Peter Besenbruch
Stuart Dunkeld <[EMAIL PROTECTED]> wrote:

> If you had filtered out all n*td*v related mail you wouldn't have
> responded to this thread..

Steve Russell wrote:

> I *have* filtered the posts into another folder, and if I choose I
> can just delete all of those posts with one click. Doesn't mean I
> lack the choice to sometimes read one or two of them and indeed reply
> to any of them, I wonder why sometimes... Perhaps time for a new
> hobby...


A list like this needs filtering, regardless of the presence of trolls. 
A lot of my filters target outfits like Gentoo, or Mandriva, not because 
they are bad "citizens," but because I am not using their product.


As for the trolls, they get added as an extra to my list filters. It 
doesn't take long to recognize which people never contribute anything 
positive. It's easy enough to do, and Full Disclosure becomes pretty 
useful when you do that.


It's a lot like Usenet. Filters made the place usable. What people kept 
forgetting was that one rule: Don't feed the troll. This is the first 
"netdev" related thread on this list that I have seen in a while, and 
for that I am grateful.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



[Full-disclosure] In da beginnin...

2006-04-01 Thread Phrack Staff
It's time for our dove.

The Management.

cc: Noah

--
 ... Phrack is dead. Long Live Phrack.

[-]=[-]

 +++
   =: P H R A C K - R E B O R N :=
 +++

   ... Phrack is dead. Long Live Phrack. 


   CALL FOR PAPERS * CALL FOR PAPERS * CALL FOR PAPERS

--
Deadline: 14 April 2006 at 11:59pm
Submissions: phrackstaff at gmail.com
Subject : w3 w4n7 j00r fsckju1c3
--

   Submissions should _NOT_ disclose new exploit methods, new backd00ring
   methods, or any other informa71on that may be used by the informa71on
   security extor71on industry to further increase their profit margins.

   As another special treat to our readers, this CFP includes yet more
   samples of the m473rial we l00k forward to bringing you, our new Phrack
   readership in the future. 

   Ar71cles under conzidera71on 4 the next relese:
- I'm a former NGS Employ33 listen to me
- 0wning juniper networkz the easy way
- Remote Apple package management the HTTP way
- WhiteHat bai71ng through Aquiring ImmunitySec Deficenzys  



|=---=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=-=|

Editors   : phrackstaff at gmail.com
Submissions   : phrackstaff at gmail.com
Commentary: phrackstaff at gmail.com
Phrack World News : phrackstaff at gmail.com
(ChiX|H4X)0r Porn : phrackstaff at gmail.com

  ...
   #,..P
hr,  . ..   .Ac
'K#ph,   ..  .   .rAcK'
 #ph'Rac,.   ..K#P'Hra
  Ck'   #PHr  ...  .aCk'  #Ph
   rA,'cK#, .pHr'.AC
   'K#   'Phr,   .aCk'   #P'
  ...   rAc ' .K.#P Hra   ...
 .   cK#   .pHR  .a,   cK#   .
 . .. pH,   .rAc'  .  'k#P.HR. ..
 ..  .'Ac .K#' . 'PHr. ''..  .
 .   . aCk '   .'#PH,.   .
  ...  .rA.'cK'... '#PH,  ...
.rAc'k#, . .PH'rAc,
 .K#P'   'Hr   .   aC'   'k#P,
  .hRa'   cK#  .  pHr   'aCk,
   .#Ph' rAc __'K#P,
.HRACK#PHRACK#PHRACK#PHRACK#PHRACK#'.PH RAC#PHRACK#PHRACK#PHRa.
... cK'
 #Pr   aCk
  #Ph rAc
   K#,   .Ph
   'RA   CK'
#P. .hR
 aC.K#
  PhR
   A


   .
   Or contact us via seance



[-]=[-]


Dearest readers, following our ini71al publica71on last wh0r3con.. 
many many things have happened.

We have a new management who share many things in common with the old
management.

Our shoutoutz would go to all of those people who contributed, but they b33n 
busy all by dem selfz and so, it is with pride that we bringz to j0 bits of
the next chapter in our b00k "Know your enemy: The Security Industry".

j0 may realize dear reader that we have only included extractz from chapter 3,
whilzt every efort waz made to publish chapter 2 "How to own a publisher",
j0r friendz found demselves with a few t33ny PDF issues we have to c 2 1st...

For j0 whitehats and snake oil salesmen who know we don't exist

"BOO!"

your friends,

The Management.

P.S. Due to the team effort required to write this l473st CFP please excuse
the not so perfect english, the quality of teaching has gone down the CISSP 
pan l473ly, especialy so in non-tershiary economys.

[-]=[-]
A word from der sponzor :
[listen ok, 1 diddn wan to put dis in ere but otherwise 1 lose my brazilian 
broke-backbonin connec71onz -Ed.] 

Reader,
Bow before me and suckle on my toes whilst 1 give forth wisdom unto you.

Recently, I have no71ced a number of posts written which have me in mind, 
some may say in a "fantasy" role. Gadi, I can understand that 1 turn j0 on. 
I understand that j0 have to express your SQL Injected f33lings to
me through leading others to bel33ve that you, Gadi E [zenzored -Ed.] 
are merely a pawn [ p0rn -Ed.] in this industrial target71ng and are 
of course a whitehat-bl00ded male.

Whilst I ACK that many, many people declare open love 4 my overhyped yet 
large python object I cannot help but f33l that the industry is 

Re: [Full-disclosure] Howto filter n3td3v from your mail client

2006-04-01 Thread Robert \"Nexis\" Nelson
Out of all seriousness, here's the best way to do it in
Thunderbird. It's already been said, but some people don't take the hint.

 Go to your inbox, then Tools -> Message Filters.

 Click New.

 If 
   sender     contains n3td3v
   body       contains n3td3v
   subject    contains n3td3v
   to or cc   contains n3td3v
 Then
   Move to Trash
   -or-
   Move to Junk



I can testify that this gets rid of 90% of all troll-ish mail on FD.

Cheers.

Alexander Hristov wrote:

> First u have to go to preferences then click on :
>
> Gay filter on
> Asshole filter on
> Noob filter on
> Kiddie filter on
>
> That's all
>
> WARNING : U have to check all of them so the mail client can filter
> n3td3v , otherwise you'll receive mails
>
> --
> Best Regards,
> Aleksander Hristov < root at securitydot.net > < http://securitydot.net >


Re: [Full-disclosure] Linus mass killing integer overflows

2006-04-01 Thread Georgi Guninski
On Sat, Apr 01, 2006 at 10:48:22AM +0200, f y wrote:
> My wishlist for 2.8:
> -jvm (should boost my swing apps)

agreed. i vote for implementing parrot - http://www.parrotcode.org/ to avoid
perl vs python vs java flames. 

> -sql support to query kernel table and fs data

this seems a bad idea. what if a mcse discovers a sql injection in
kernelspace? the side effects may be worse than a cake on b1l1.

> -lisp and prolog interpreters (don't have a use for this but I'm sure
> somebody will need it)

rms likes lisp, so we can count on him.

junk




[Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY

2006-04-01 Thread John Doe


> In any case, it's clear that the person who posted that response has *no
> idea* how most bank's anti-fraud systems work.
>
> First off, the phishers *can't* just run through all the data they've
> gotten in just a few seconds, unless they distributed the work across a bunch of
> botnet zombies - hits for more than a few dozen different accounts from the same
> IP in the same timespan are suspicious at the very least.
>
> Secondly, the phishers can currently usually be sure that the victims have
> given them reasonably good data (unless the victim is a dweeb who can't
> enter their DoB or account number correctly).  On the other hand, if the phished
> data has been polluted by 90% bad data, then only 1 of 10 attempted
> transactions will succeed - and the fact that they're trying lots of different bad data
> will again hopefully trigger an alert.  If you only succeed every 10th time,
> and you get locked out after 3 attempts with different bad data, it's going to
> take you a lot longer to figure out which ones are good and which ones are bad

Consider that some of these fake accounts could also be used as Honey keys.
They would of course have to work in conjunction with the banks/sites to utilize this.
It would be rather difficult for a phisher to sort through thousands of Id's when IP addresses keep getting shut off based on a Honey Key.
You would have to own a lot of BOTs and a lot of patience.

Duck
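An added sketch of the three signals the quoted post and the reply above rely on (many distinct accounts from one source in a short window, three attempts with different bad data, and any login naming a seeded honey key); this is example code written for this page, not from the thread or from any bank's system, and the thresholds, account names, honey-key list and sample attempts are all constructed.

```php
<?php
// Added example, not from the thread or from any bank's system. It runs the
// three heuristics the quoted post relies on over a constructed stream of
// login attempts. Thresholds, names and the honey-key list are assumptions.
declare(strict_types=1);

const MAX_ACCOUNTS_PER_IP = 3;    // post says "a few dozen"; kept small here
const WINDOW_SECONDS      = 60;   // "in the same timespan"
const MAX_BAD_SECRETS     = 3;    // "locked out after 3 attempts with different bad data"
// Honey keys: accounts that exist only in the polluted data fed to phishers,
// so any login naming one can only come from someone holding that data.
const HONEY_KEYS = ['hk-4419', 'hk-7702'];

// Stand-in for the real credential check (constructed table of good secrets).
function credential_ok(string $account, string $secret): bool
{
    static $good = ['alice' => 'h1', 'bob' => 'h2'];
    return isset($good[$account]) && hash_equals($good[$account], $secret);
}

// $attempts: list of [unix_time, source_ip, account, secret]. Returns the
// sources blocked, the accounts locked and the alerts raised, in order.
function evaluate(array $attempts): array
{
    $blocked = $locked = $alerts = [];
    $seen = [];   // ip => [account => last_seen_time]
    $bad  = [];   // account => [distinct wrong secret => true]
    foreach ($attempts as [$t, $ip, $account, $secret]) {
        if (isset($blocked[$ip]) || isset($locked[$account])) {
            continue;                                  // already denied
        }
        if (in_array($account, HONEY_KEYS, true)) {    // 1. honey key hit
            $blocked[$ip] = true;
            $alerts[] = "$ip used honey key $account";
            continue;
        }
        $seen[$ip][$account] = $t;                     // 2. distinct accounts per source
        $seen[$ip] = array_filter($seen[$ip], fn(int $s): bool => $t - $s <= WINDOW_SECONDS);
        if (count($seen[$ip]) > MAX_ACCOUNTS_PER_IP) {
            $blocked[$ip] = true;
            $alerts[] = "$ip tried " . count($seen[$ip]) . " accounts within " . WINDOW_SECONDS . "s";
            continue;
        }
        if (!credential_ok($account, $secret)) {       // 3. distinct bad data per account
            $bad[$account][$secret] = true;
            if (count($bad[$account]) >= MAX_BAD_SECRETS) {
                $locked[$account] = true;
                $alerts[] = "$account locked after " . MAX_BAD_SECRETS . " distinct bad secrets";
            }
        }
    }
    return ['blocked_ips' => array_keys($blocked), 'locked_accounts' => array_keys($locked), 'alerts' => $alerts];
}

// Constructed attempts: two phishers working through harvested, polluted data.
$attempts = [
    [100, '203.0.113.9',  'alice',   'h1'],  // the one genuine record succeeds
    [101, '203.0.113.9',  'bob',     'x1'],
    [102, '203.0.113.9',  'bob',     'x2'],
    [103, '203.0.113.9',  'bob',     'x3'],  // third distinct bad secret: bob locked
    [104, '203.0.113.9',  'hk-4419', 'zz'],  // honey key: 203.0.113.9 blocked
    [105, '203.0.113.9',  'carol',   'x9'],  // ignored, source already blocked
    [200, '203.0.113.10', 'dave',    'x1'],
    [201, '203.0.113.10', 'erin',    'x1'],
    [202, '203.0.113.10', 'frank',   'x1'],
    [203, '203.0.113.10', 'gina',    'x1'],  // 4th distinct account in 60s: blocked
    [900, '198.51.100.7', 'alice',   'h1'],  // unrelated legitimate login
];
print_r(evaluate($attempts));
```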

Re: [Full-disclosure] Doctoral Thesis

2006-04-01 Thread Native Code
I have a simple question for the guy: if he is so proud of his group, then why does he not troll there instead of on FD?

Would the guy answer?
On 4/1/06, f y <[EMAIL PROTECTED]> wrote:

> 2006/3/31, pwnd. security. pwnd <[EMAIL PROTECTED]>:
>
>> Wouldn't it be ironic if 'someones' thesis was: Can one individual,
>> acting as a loud-mouth Skiddy, using inflammatory speech use social
>> engineering techniques to take down a Security site, render it
>> useless, make most of its 'members' go somewhere else, or damage its
>> reputation and namesake?
>
> interesting subject, is there a proposed solution already? Server-side filters putting messages containing blacklisted words in a moderation queue for instance.


Re: [Full-disclosure] Linus mass killing integer overflows

2006-04-01 Thread Brian Eaton
On 4/1/06, f y <[EMAIL PROTECTED]> wrote:
>
>
> > currently there are discussions for implementing COM in the
> > kernel and/or scripting the kernel from userland, but Linus hasn't made up
> > his mind yet.
>
> My wishlist for 2.8:
> -jvm (should boost my swing apps)
> -sql support to query kernel table and fs data
> -lisp and prolog interpreters (don't have a use for this but I'm sure
> somebody will need it)

The kernel folks have taken a seriously wrong turn here.  They should
have delayed the preview release until the garbage collector was
ready.  That's where the real value for these patches starts.

Regards,
Brian



Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance

2006-04-01 Thread Bipin Gautam
n3td3v, not everyone likes so much noise and you can understand
that without losing your temper. (Maybe there are many older ppl. in
the list :) And you sometimes make half of the messages of the day in
the FULL-DISCLOSURE "SECURITY" MAILING LIST... about you/on you.
SOMETIMES too much is JUST TOO IRRITATING; even if it's your
favourite food. You know it, don't you?

Post topics that are WORTH discussing, NOT the topics that are simply there
to notify us. Like you, we all follow the same websites and maybe* have
the same first-response-pattern topics. Why talk on such obvious
stuff? Please focus on QUALITY DISCUSSION, not on quantitative
discussion. Seems like the FD crowd loves to hear CONCLUSIONS on topics
that are worth discussing, NOT THE WHOLE DISCUSSION ITSELF.
BRAINSTORM in your private group and if you think... not many of
us could have reached the conclusion that you guys made, let us
know, we'd love to hear that. You don't have to explain to mature ppl.
most of the stuff... (you know it) and kids will never get it. IGNORE
THE KIDS and let the mature ppl. know things they might not know &
worth knowing. ELSE, maintain the silence.

Ppl. here don't dislike you, it's just that you are sometimes all over the
list & are the TOPIC of discussion. WE ARE HERE TO DISCUSS TOPICS,
NOT TO BE THE TOPIC OF DISCUSSION. JUST USE YOUR INTELLIGENCE AND
AVOID THAT, BROTHER. Everyone will surely love to hear from you... I do
understand, and everyone will agree, some stupid ppl. will try to make
a joke of you no matter what you talk on... treat them as bratty
little kids. Ignore them whatever they say. Maintaining the silence
won't make you look stupid. NEVER!!! You don't need to defend
everything. Leave it to the list members to judge the situation. They
are behaving like KIDS if they start rants and give stupid comments...
you too are being like them (a kid) if you get into their stupid GAME of
flame-war.

  SILENCE IS VIRTUE.

peace,
-bipin

Re: [Full-disclosure] Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment

2006-04-01 Thread TheGesus
On 3/30/06, Marc SCHAEFER <[EMAIL PROTECTED]> wrote:

>
>However, accessing \\192.168.1.2\c$ did go through the Ethernet
>interface, and *not the tunnel*, and strangely half-using the private
>addresses!
>

As soon as you put an IP from a disjoint network on an XP box, XP
starts multicasting the new route you have made available to it. 
Other XP boxes join the party.

Since they are on the same segment it makes no difference to the stack
which interface the data goes out.  It knows two routes and it'll use
any one it damn well pleases, thank you.

Unless you shut this multicasting off (registry mod - there is no user
interface), XP will rat you out to the rest of the network.  I learned
this the hard way after creating a (VERBOTEN!) ad hoc wireless network
between my laptop and desktop at work.  In minutes the network guys
were on the phone asking about the multicast traffic and what it was
doing (I feigned innocence & blamed it on Windows as I yanked the USB
wireless NIC off the desktop box... that seemed to satisfy them).  XP
was telling the world it knew a route to 169.254.x.x (which it really
shouldn't do, at least according to RFC 3927).

If you want to run a covert Openvpn network from work to home, learn
about this and KILL it because a knowledgeable net admin will ferret
you out.  Luckily we don't have any of those where I work.



Re: [Full-disclosure] Kazaa

2006-04-01 Thread James_gmail-ij
> Other than removing Kazaa and preventing installation, how else can I block
> it from being used?

At the firewall, with some additional programming. There was an article in one of
the Linux Magazines - LinuxJournal? - some time ago. Don't have the Mag. to hand.

Perhaps it can be found online?

There are various modes, designed to evade trivial block rules. The
article examines the protocols in detail and describes how to defeat it
completely.



Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance

2006-04-01 Thread Scott T. Cameron
On Sat, Apr 01, 2006 at 05:34:20AM +0100, n3td3v wrote:
> No one actually knows how RSA are carrying out their database attacks yet,
> hence the reason I called for clarity on the issue. But I really am suspect
> about the exact technical setup of the attacks that the RSA are carrying out
> against fake logins and their databases. Theres no way however they could
> carry out world wide attacks on hundreds of fake login targets, without the
> use of more than one ip host. And whats the definition of a bot network,
> isn't it more than one computer used to send data? In which case you would
> need to define the RSA as using a bot network to send their fake raw data to
> fake world wide phishing targets. And if they are, is it ok for everyone
> else to join in. No I didn't say I had a botnet, and I didn't say I was
> attacking anything, all I asked was for RSA to clarify their stance, to make
> it clear that its ok or not ok for everyone to join in the attacks they
> recommended via the Cnet news article as  a good method to beat phishers.

You realize ARIN assigns blocks of IPs, right?  In various parts of North 
America?  Then you have RIPE for your precious UK.

I would be completely overwhelmed if RSA had more than a /30 from their 
provider.  That is unfathomable.



Re: [Full-disclosure] Re: A Move to Remove

2006-04-01 Thread Steve Russell
Stuart Dunkeld <[EMAIL PROTECTED]> wrote:

>> I was going to ask how sending an email explains how you know whether or not
>> someone has filters in place,  But I won't bother...
>
> If you had filtered out all n*td*v related mail you wouldn't have
> responded to this thread..
>
> Regards

I *have* filtered the posts into another folder, and if I choose I can just delete all of those posts with one click. Doesn't mean I lack the choice to sometimes read one or two of them and indeed reply to any of them, I wonder why sometimes... Perhaps time for a new hobby...

Re: [Full-disclosure] n3td3v group calls on RSA to clarify theirstance

2006-04-01 Thread GroundZero Security



So you think the only system that they could possibly have used is
Windows based? I doubt they would use Windows and even if so, on a
Gigabit link and with cleverly programmed software with multithreads
this could push out a lot of requests from a single IP. Not that I
believe RSA has no subnets and only a single IP.

- Original Message -
From: n3td3v
To: Morning Wood ; full-disclosure@lists.grok.org.uk
Sent: Saturday, April 01, 2006 6:50 AM
Subject: Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance

> If the RSA aren't using a bot network, then are you suggesting
> they are sending garbage data from one single user Microsoft Windows XP
> computer to all the worlds phishing logins? Wake up mr se cur ity at
> hotmail dot com
>
> On 4/1/06, Morning Wood <[EMAIL PROTECTED]> wrote:
>
>>> *while RSA are carrying out these attacks, is it legally OK for hackers
>>> to "HELP OUT" the RSA by pointing a few of our bot net's at some
>>> Yahoo and eBay fake login web pages that we know about and
>>> feed them with fake username and password data. We don't want
>>> to end up in jail, but since the RSA are doing it, so we can tell our
>>> lawyers that the RSA recommended the tactic to us.*
>>> *Much regards,*
>>> *n3td3v international security group*
>>
>> so... the "n3td3v group" has "a few [of our ] botnets"  did I hear
>> this right? ( *blink* )
>>
>> somehow I dont think RSA is using "botnets",
>> which BTW are ILLEGAL in *most* countries ( yes, including your
>> precious UK )
>>
>> I just want to thank the biggest security group ( lol )
>> for using teh botz!!!
>>
>> I am sure Yahoo-Inc, Google, EBay, Microsoft and
>> FooBarBlehCo will thank you publicly on CNN so we will know how n3td3v
>> group saved us all with botnets!!!
>>
>> thanks b0td3v gr0upz,
>> MW

[Full-disclosure] Howto filter n3td3v from your mail client

2006-04-01 Thread Alexander Hristov
First u have to go to preferences then click on :

Gay filter on
Asshole filter on
Noob filter on
Kiddie filter on

That's all

WARNING : U have to check all of them so the mail client can filter
n3td3v , otherwise you'll receive mails

--
Best Regards,
Aleksander Hristov < root at securitydot.net > < http://securitydot.net >



Re: [Full-disclosure] Doctoral Thesis

2006-04-01 Thread f y

2006/3/31, pwnd. security. pwnd <[EMAIL PROTECTED]>:

> Wouldn't it be ironic if 'someones' thesis was: Can one individual,
> acting as a loud-mouth Skiddy, using inflammatory speech use social
> engineering techniques to take down a Security site, render it
> useless, make most of its 'members' go somewhere else, or damage its
> reputation and namesake?

interesting subject, is there a proposed solution already? Server-side filters putting messages containing blacklisted words in a moderation queue for instance.

Re: [Full-disclosure] Linus mass killing integer overflows

2006-04-01 Thread f y

> currently there are discussions for implementing COM in the
> kernel and/or scripting the kernel from userland, but Linus hasn't made up
> his mind yet.
 
My wishlist for 2.8:
-jvm (should boost my swing apps)
-sql support to query kernel table and fs data
-lisp and prolog interpreters (don't have a use for this but I'm sure somebody will need it)

RE: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY

2006-04-01 Thread Ian stuart Turnbull


Succinctly put. We can't all be wrong in that this prick is a moron, can we?
Anyway it's filtered now - it didn't get normal. Now anything useful it might
have to say will be missed. BIG deal now!!



From: "php0t" <[EMAIL PROTECTED]>
To: 
Subject: RE: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Date: Sat, 1 Apr 2006 05:35:45 +0200

  Dear technically challenged netdev,

1) 'Is that the same as...' - ummm... you probably IMAGINED a different
email to which you replied to
2) The address is legit, it isn't 'hacked'. It has a story why I use it
here, but it's not like anybody cares.
3) http://www.ietf.org/rfc/rfc0821.txt - the world is bigger than gmail
believe it or not.
4) If I sent the email from gmail, it would show in the headers.
5) If it was a spoofed email only used for subscription, the FD posts
sent to it would not get back to me
6) The email in question wasn't even an FD comment, it went straight to
your inbox to avoid bugging others who still don't have you filtered
(like me, until this very email). What did you do? Post it right back to
the list. Nice.

  Sure, everybody can filter, so can I. The thing is, i never NEEDED to,
because there hasn't been anybody dropping such ignorance in my mailbox
so often. I was hoping that you would either turn normal or keep your
word and leave the list.
Since the trolling just goes on, it's grep -v for you, especially after
this stupid bullcrap you made up and decided to share with the probably
not-so-interested list members. I responded this time because 1) it was
a personal attack based on nothing, and 2) because it's my last email
that has the word netdev in it. (sent or received ;]) - and i can keep
my word, unlike 'some people'.

php0t



-Original Message-
From: n3td3v [mailto:[EMAIL PROTECTED]
Sent: Friday, March 31, 2006 11:12 PM
To: php0t; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO
SERIOUSLY


Is that the same as hacking someones "domain", accepting the Gmail
confirmation to say you're allowed to send from a Gmail account with
that hacked domain, then delete all forensic logs from the hacked domain
and then go back to your Gmail account, where you can continue to send
your inflamed FD comments from as [EMAIL PROTECTED] Figures.


On 3/31/06, php0t <[EMAIL PROTECTED]> wrote:

If you kept your word (and didn't post my emails back to the list), it'd
be better. :)


-Original Message-
From: n3td3v [mailto: [EMAIL PROTECTED]  ]
Sent: Friday, March 31, 2006 10:47 PM
To: php0t; full-disclosure@lists.grok.org.uk

Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO
SERIOUSLY


Why don't you just "filter" me like "the experts" have told you to do?
Or haven't you worked out the technical background architecture of
Outlook and Thunderbird yet? Figures.


On 3/31/06, php0t <[EMAIL PROTECTED]> wrote:

For real, please keep your word.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 ] On Behalf Of n3td3v
Sent: Friday, March 31, 2006 9:55 PM
To: full-disclosure@lists.grok.org.uk

Subject: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY


This is funny as well, http://news.com.com/5208-1029-0.html?forumID=

[Full-disclosure] Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Steven M. Christey

In a post-disclosure analysis [1] of a security issue announced by
rgod [2], Siegfried observed that the reported XSS actually originated
from a file inclusion vulnerability, in which the XSS was reflected
back from an error message when the file inclusion failed:

>About the xss, it is an xss in the php error message, there are many
>php functions returning errors without filtering them, anybody noted
>that?

Yes.

I would greatly appreciate some corroboration from the real PHP/web
security experts out there on what I'm about to say.  If true, it
would partly explain why XSS is so rampant in PHP applications.

As I understand it, this behavior is due to an XSS problem in PHP
itself before 5.1.2 (CVE-2006-0208), as announced in January 2006:

  http://www.php.net/release_5_1_2.php

It's not clear if PHP 4.x was affected.

The XSS happens when display_errors and html_errors are enabled - it
won't quote the output from raw error messages.

No doubt many so-called XSS errors these days are the result of this
particular issue in PHP.  They aren't entirely the application's
fault, although obviously they indicate the lack of strong input
validation.

This can hide much more serious vulnerabilities, like file inclusion,
directory traversal, or SQL injection.  I have mentioned this in the
past, but now we know why this seems to happen so often.
(Application-controlled error handlers can still be subject to XSS of
course, even under a fixed PHP.)

For those who do post-disclosure analysis: there *might* be a
resultant XSS issue if the researcher claims both XSS and another type
of bug in the same affected parameter/component, or if the
researcher's report includes error messages that don't seem to be
sanitizing XSS-tainted output.

- Steve

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044756.html

[2] http://retrogod.altervista.org/claroline_174_incl_xpl.html
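The error-reflection path Steve describes, as an added example written for this page (not code from the post, from rgod's advisory or from PHP itself): an include() driven by a request parameter whose failure warning is echoed by an application-controlled error handler, beside a hardened version that allow-lists the parameter and keeps error text server-side. The function names, the pages/ directory and the probe string are assumptions.

```php
<?php
// Added example, not code from the post or from PHP. It shows the pattern the
// post describes: a request parameter fed to include(), whose failure warning
// reflects the parameter into the response, beside a hardened version.
// All function names and the pages/ directory are assumptions.
declare(strict_types=1);

// Vulnerable: an application-controlled error handler that echoes raw text.
// The post notes such handlers stay XSS-prone even on a fixed PHP, because
// the warning from a failed include() quotes the requested path verbatim.
function vulnerable_handler(int $errno, string $errstr): bool
{
    echo "<b>Warning:</b> $errstr<br>\n";   // tainted $errstr, no escaping
    return true;                            // PHP's own reporting is bypassed
}

function render_vulnerable(string $page): string
{
    set_error_handler('vulnerable_handler', E_WARNING);
    ob_start();
    include 'pages/' . $page . '.php';      // file inclusion driven by input
    $html = ob_get_clean();
    restore_error_handler();
    return $html;
}

// Hardened: validate the parameter against an allow-list before it reaches
// include(), and never reflect error text; log it and show a fixed message.
const PAGES = ['home', 'about', 'contact'];

function hardened_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    error_log(sprintf('[%d] %s at %s:%d', $errno, $errstr, $errfile, $errline));
    echo "<p>The requested page could not be loaded.</p>\n";
    return true;
}

function render_hardened(string $page): string
{
    if (!in_array($page, PAGES, true)) {
        // Reject rather than echo: neither include() nor the message sees input.
        return "<p>Unknown page.</p>\n";
    }
    set_error_handler('hardened_handler', E_WARNING);
    ob_start();
    include 'pages/' . $page . '.php';      // only allow-listed names reach here
    $html = ob_get_clean();
    restore_error_handler();
    return $html;
}

// Demonstration with a constructed probe of the kind an advisory would quote.
$probe = '<script>alert(1)</script>';
echo "vulnerable:\n" . render_vulnerable($probe) . "\n";
echo "hardened:\n"   . render_hardened($probe)   . "\n";
// The vulnerable output carries the literal <script> tag inside the include
// warning; the hardened output does not, and include() never saw the input.
```

The reflected tag is the symptom a post-disclosure analyst would notice first; the include() on unvalidated input is the finding that matters, which is the point of Steve's triage advice.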
