[Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory

2007-07-22 Thread Aditya K Sood
Hi all

The JWIG has got very good functionalities. But finding a vulnerability
never means that a technology should not be used, only that it should
be used carefully. The vulnerability points should be taken into account
while implementing the technology.

The growth counts.

That's it.

Regards
Aditya K Sood
SecNiche Security.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] SEC Consult SA-20070722-0 :: Remote command execution in Joomla! CMS

2007-07-22 Thread Johannes Greil
SEC Consult Security Advisory  20070722-0 
===
                 title: Remote command execution in Joomla! CMS
               program: Joomla!
    vulnerable version: 1.5 beta 2
                        Earlier 1.5 versions may be vulnerable too!
                impact: critical
              homepage: http://www.joomla.org
                 found: 2007-05-20
                    by: Johannes Greil / SEC Consult / www.sec-consult.com
===

Vendor description:
---

Joomla! is an award-winning Content Management System (CMS) that will
help you build websites and other powerful online applications. Best of
all, Joomla! is an open source solution that is freely available to
everybody. Joomla! is used all over the world to power everything from
simple, personal homepages to complex corporate web applications.

[source: http://www.joomla.org/content/view/12/26/]



Vulnerability overview:
---

The search component of Joomla! allows an attacker to execute arbitrary
PHP code; it is e.g. possible to execute OS commands via system()
calls. PHP was set to the settings recommended by the Joomla! installer!


An attacker does not need to be authenticated to perform this attack!


Vulnerability description:
--

The following scripts of a default Joomla! 1.5 beta 2 installation
contain the vulnerable code:

1) components/com_search/views/search/tmpl/default_results.php

   line 12: <?php eval ('echo '. $this->result .';'); ?>

2) templates/beez/html/com_search/search/default_results.php

   line 25: echo '<p>' . eval ('echo ' . $this->result . ';');


Input of the searchword parameter is being passed to the mentioned
eval() code and executed. An attacker is able to append new PHP commands
after the echo language construct which can be used for OS command
execution.

In order to bypass the search word length limitation of 20 characters a
new GET parameter is being used to specify the OS commands (see proof of
concept).


Proof of concept:
-
http://$joomlahost/index.php?searchword=;phpinfo();%23&option=com_search&Itemid=1
http://$joomlahost/index.php?c=id&searchword=;system($_GET[c]);%23&option=com_search&Itemid=1


Vulnerable versions:


The following versions were found to be vulnerable:
* 1.5 beta 2

Earlier versions of Joomla! 1.5 beta have not been tested and may be
vulnerable too!

The stable version 1.0.13 of Joomla! does not contain the vulnerable
code and is not affected by this security issue.


Vendor contact timeline:


2007-05-21: vendor notified via email ([EMAIL PROTECTED])
2007-05-21: vendor replied and fixed the issue in SVN
URL:
http://joomlacode.org/gf/project/joomla/scmsvn/?action=browse&path=%2Fdevelopment%2Ftrunk%2Fcomponents%2Fcom_search%2Fviews%2Fsearch%2Fview.php&r1=7455&r2=7456

2007-07-21: vendor released RC1 of Joomla! 1.5
2007-07-22: coordinated disclosure date, special greetings to Rob!


Solution:
-
The vendor does not recommend using the development version v1.5 beta
for production sites and suggests using the latest stable version(s).

If Joomla! v1.5 beta is being used, upgrade to v1.5 RC1 immediately
which fixes the issue!


Patch/Workaround:
-
Use the fix from SVN (check out at least revision 7456 of
/development/trunk/components/com_search/views/search/view.php)


~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to http://www.sec-consult.com/236.html

EOF Johannes Greil / @2007
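A log-review check for the proof of concept above, added here as an example and not part of SEC Consult's advisory or Joomla's code (the Apache log lines are constructed, the regexes are my own): it decodes the query string by hand and flags com_search requests whose searchword reads as PHP rather than text, recording sidecar parameters like the PoC's c=id.

```python
"""Flag exploitation attempts against the Joomla! 1.5 beta 2 com_search eval() bug
in Apache access logs. Added example, not SEC Consult's or Joomla's code; the log
lines below are constructed and only follow the request shapes of the advisory."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines (not real traffic): a benign search, the
# two PoC shapes from the advisory, and a benign search that merely contains ';'.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jul/2007:10:00:01 +0200] "GET /index.php?searchword=joomla+release&option=com_search&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [22/Jul/2007:10:00:02 +0200] "GET /index.php?searchword=;phpinfo();%23&option=com_search&Itemid=1 HTTP/1.1" 200 61234 "-" "curl/7.16"
192.0.2.12 - - [22/Jul/2007:10:00:03 +0200] "GET /index.php?c=id&searchword=;system($_GET[c]);%23&option=com_search&Itemid=1 HTTP/1.1" 200 980 "-" "curl/7.16"
192.0.2.13 - - [22/Jul/2007:10:00:04 +0200] "GET /index.php?searchword=C%2B%2B%3B+templates&option=com_search&Itemid=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A searchword that is meant as PHP rather than text: a statement after ';' (call or
# variable), a superglobal read as in the PoC, or a nested eval. A bare ';' in prose
# such as "C++; templates" does not match.
PHP_CODE_RE = re.compile(
    r";\s*(?:[A-Za-z_]\w*\s*\(|\$\w+)"
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\beval\s*\("
)

# The 20-character limit on searchword is why the PoC parks the command in a second
# parameter; any parameter beyond these three is recorded with the hit.
EXPECTED_PARAMS = {"searchword", "option", "Itemid"}


def parse_query(query: str) -> Dict[str, List[str]]:
    """Split on '&' only and percent-decode. parse_qs is avoided because older
    Python versions also split on ';', which would tear ';phpinfo();' apart."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_line(line: str) -> Optional[dict]:
    """Return ip, timestamp, path, decoded query and status for one log line."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    target = urlsplit(match.group("target"))
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "path": target.path,
        "query": parse_query(target.query),
        "status": int(match.group("status")),
    }


def searchword_looks_like_php(value: str) -> bool:
    """True when the decoded searchword would alter the meaning of eval('echo ...')."""
    return PHP_CODE_RE.search(value) is not None


def find_search_injections(log_text: str) -> List[dict]:
    """Return one record per com_search request whose searchword carries PHP code."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "com_search" not in rec["query"].get("option", []):
            continue
        for word in rec["query"].get("searchword", []):
            if searchword_looks_like_php(word):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "searchword": word,
                    "over_limit": len(word) > 20,
                    "extra": {k: v for k, v in rec["query"].items()
                              if k not in EXPECTED_PARAMS},
                })
    return hits
```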



[Full-disclosure] CVE-2007-3383: XSS in Tomcat send mail example

2007-07-22 Thread Mark Thomas
CVE-2007-3383: XSS in Tomcat send mail example

Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
4.0.0 to 4.0.6
4.1.0 to 4.1.36

Description:
When reporting error messages, the SendMailServlet does not filter
user supplied data before display. This enables an XSS attack.

Mitigation:
Undeploy the examples web application.

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
On this page
http://localhost:8080/examples/jsp/mail/sendmail.jsp
enter the following text
<script>alert('XSS reflected')</script>
in the From field and click Send.

References:
http://tomcat.apache.org/security.html

Mark Thomas



[Full-disclosure] Buffer overflow in Areca CLI, version <= 1.72.250

2007-07-22 Thread Sebastian Wolfgarten

I - TITLE

Security advisory: Buffer overflow in Areca CLI, version <= 1.72.250

II - SUMMARY

Description: Local buffer overflow vulnerability in Areca CLI allows for
arbitrary code execution and eventually privilege escalation

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org

Date: July 22nd, 2007

Severity: Medium

References: http://www.devtarget.org/areca-advisory-07-2007.txt

III - OVERVIEW

Areca-CLI (cli32) is a command line interface to query and alter the
settings of Areca ARC-xxx SATA RAID controllers. More information about
the product can be found online at http://www.areca.com.tw.

IV - DETAILS

The application Areca CLI, version <= 1.72.250 (cli32), is prone to a
classic buffer overflow vulnerability when a particularly long
command-line argument is passed and the application copies that
argument into a fixed-size buffer. On a Debian 4.0 test system
(kernel 2.6.20), for instance, an attacker needs to supply more than
520 characters to completely overwrite the EIP register and thus execute
arbitrary code. Please note that besides Linux, other platforms (e.g.
FreeBSD) might be affected as well (unchecked).

V - ANALYSIS

The severity of this vulnerability is probably medium, as it can only
be exploited locally and the file cli32 is not set suid root by default.
However, when it is used in combination with software such as Nagios to
locally or remotely monitor the status of a RAID controller, many people
tend to assign suid root privileges to this file in order to be able to
query the status of the controller via a web interface. Consequently, in
such a situation this vulnerability will result in a privilege
escalation enabling local users to gain root privileges.

VI - EXPLOIT CODE

An exploit for this vulnerability has been developed but will not be
released to the general public at this time. However developing an
exploit for this vulnerability is trivial.

VII - WORKAROUND/FIX

The vendor confirmed the vulnerability but failed to respond to several
emails asking for a concrete timeline to fix the problem. Thus to
mitigate the vulnerability, one is advised to ensure the file cli32 is
not set suid root and ask the vendor to develop and supply a patch in
the near future.

VIII - DISCLOSURE TIMELINE

07. June 2007 - Notified {support,security,[EMAIL PROTECTED]
08. June 2007 - Vulnerability confirmed
11. June 2007 - Response from vendor
16. June 2007 - Contact to vendor (several times), no reply
22. July 2007 - Public disclosure



[Full-disclosure] [SECURITY] [DSA 1336-1] New mozilla-firefox packages fix several vulnerabilities

2007-07-22 Thread Moritz Muehlenhoff
--------------------------------------------------------------------------
Debian Security Advisory DSA 1336-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
July 22nd, 2007                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: mozilla-firefox
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-1282 CVE-2007-0994 CVE-2007-0995 CVE-2007-0996 
CVE-2007-0981 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0778 
CVE-2007-0045 CVE-2006-6077

Several remote vulnerabilities have been discovered in Mozilla Firefox.

This will be the last security update of Mozilla-based products for
the oldstable (sarge) distribution of Debian. We recommend to upgrade
to stable (etch) as soon as possible.

The Common Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CVE-2007-1282

It was discovered that an integer overflow in text/enhanced message
parsing allows the execution of arbitrary code.

CVE-2007-0994

It was discovered that a regression in the Javascript engine allows
the execution of Javascript with elevated privileges.

CVE-2007-0995

It was discovered that incorrect parsing of invalid HTML characters
allows the bypass of content filters.

CVE-2007-0996

It was discovered that insecure child frame handling allows cross-site
scripting.

CVE-2007-0981

It was discovered that Firefox handles URIs with a null byte in the
hostname insecurely.

CVE-2007-0008

It was discovered that a buffer overflow in the NSS code allows the
execution of arbitrary code.

CVE-2007-0009

It was discovered that a buffer overflow in the NSS code allows the
execution of arbitrary code.

CVE-2007-0775

It was discovered that multiple programming errors in the layout engine
allow the execution of arbitrary code.

CVE-2007-0778

It was discovered that the page cache calculates hashes in an insecure
manner.

CVE-2006-6077

It was discovered that the password manager allows the disclosure of
passwords.

For the oldstable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge17. You should upgrade to etch as soon as possible.

The stable distribution (etch) isn't affected. These vulnerabilities have
been fixed prior to the release of Debian etch.

The unstable distribution (sid) no longer contains mozilla-firefox. Iceweasel
is already fixed.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


Re: [Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory

2007-07-22 Thread Pranay Kanwar
Reply from the developer of JWIG regarding Hack Annotations in JWIG by 
secniche.org


Hi Pranay (cc to SecNiche),

Thank you for bringing this to our attention. I have now read this document 
Hack Annotations in JWIG, and I must admit that I have never seen so
much bogus in so few pages ever before. Is this a (bad) joke?? It seems that 
the author Aditya K Sood (a.k.a. Bubba Gump?) has completely
misunderstood the processing model of web communication in general and JWIG in 
particular. JWIG is a research project exploring new ways of
programming web applications. JWIG programs run on the server, and the JWIG 
system obviously does not by itself provide any means for attackers to
control which code is being executed on the server. This means that all the 
example attacks described in this report seem to assume that the
attacker is the service programmer, which clearly doesn't make much sense.
I hope that anyone reading a report like Hack Annotations in JWIG quickly 
will see that it is all bogus. However, I would naturally prefer that
SecNiche would withdraw these absurd claims wherever they have been
published.

Regards,
Anders


Pranay Kanwar wrote:
> Hello,
>
> I would like to bring to your notice the following claims regarding the bogus
> security problems in JWIG.
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064768.html
> http://www.securityfocus.com/archive/1/474156/30/0/threaded
> http://www.webappsec.org/lists/websecurity/archive/2007-07/msg00022.html
> http://www.secniche.org/papers/HackAnnotationsInJWIG.pdf
>
> Kindly comment on these, I would request this as this makes wrong assumptions
> and will hinder the usage of JWIG technology.
>
> I have also negated the claims myself.
>
> Regards
>
> warl0ck // MSG

-- 
Anders Moeller
[EMAIL PROTECTED]
http://www.brics.dk/~amoeller

Hence kindly do not entertain any more bogus from secniche; also I don't
understand what in the world the CVE maintainers are doing.


warl0ck // MSG



Re: [Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory

2007-07-22 Thread Debasis Mohanty
> Hence kindly do not entertain any more bogus from secniche, also i
> don't understand what in the world are the CVE maintainers doing.

This is not the first time a CVE has been assigned to fake claims. Since FD
has become a shortcut to fame, history has proven that many clowns in
the past had their fake claims promoted by getting a CVE tagged. It is
understood that with more and more exponentially replicating clowns in
the industry it is hard for MITRE to validate all vague claims.

-d






[Full-disclosure] [SECURITY] [DSA 1337-1] New xulrunner packages fix several vulnerabilities

2007-07-22 Thread Moritz Muehlenhoff
--------------------------------------------------------------------------
Debian Security Advisory DSA 1337-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
July 22nd, 2007                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: xulrunner
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-3089 CVE-2007-3285 CVE-2007-3656 CVE-2007-3734 
CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3738

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-3089

Ronen Zilberman and Michal Zalewski discovered that a timing race
allows the injection of content into about:blank frames.

CVE-2007-3656

Michal Zalewski discovered that same-origin policies for wyciwyg://
documents are insufficiently enforced.

CVE-2007-3734

Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman,
Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul
Nickerson and Vladimir Sukhoy discovered crashes in the layout engine,
which might allow the execution of arbitrary code.

CVE-2007-3735

Asaf Romano, Jesse Ruderman and Igor Bukanov discovered crashes in the
javascript engine, which might allow the execution of arbitrary code.

CVE-2007-3736

moz_bug_r_a4 discovered that the addEventListener() and setTimeout()
functions allow cross-site scripting.

CVE-2007-3737

moz_bug_r_a4 discovered that a programming error in event handling
allows privilege escalation.

CVE-2007-3738

shutdown and moz_bug_r_a4 discovered that the XPCNativeWrapper allows
the execution of arbitrary code.

The oldstable distribution (sarge) doesn't include xulrunner.

For the stable distribution (etch) these problems have been fixed in version
1.8.0.13~pre070720-0etch1. A build for the mips architecture is not yet
available, it will be provided later.

For the unstable distribution (sid) these problems have been fixed in version
1.8.1.5-1.

We recommend that you upgrade your xulrunner packages.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------


[Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory

2007-07-22 Thread Julio Cesar Fort

Dear Aditya K Sood,

Can you just please stop posting shit on Full Disclosure?
Honestly I'm sick of reading your advisories for vulnerabilities (such
the orkut ones posted in the past and url redirection bugs).
It's too sad some people, in special from third world countries, want to
 make their way into the security industry like this, with fake claims
and bullshit.

Unfortunately The Black And The White Ball conference was cancelled
because I was seriously thinking about the possibility of buying a
ticket to London just to rip off your face.

PS: You and Ankit Fadia belong to the same trash can.

--
Julio Cesar Fort
Recife, PE, Brazil
www.rfdslabs.com.br - computers, sex, human mind, music and more.

PGP public key: http://www.rootshell.be/~sandimas/juliocesarfort.asc




Re: [Full-disclosure] [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface

2007-07-22 Thread pdp (architect)
just to add,

Google WebSearch is just one of the many services that offer feed
export. Pretty much everything else has that option too and can be
accessed through basic auth. I know that this is an obstacle. However,
keep in mind that the purpose of this post is not to show how to own
people but elaborate on what can be done after that. I mean, if the
attacker has access to your account, they may as well turn the
WebHistory ON if it's OFF. All attackers want from you is to get your
secrets. Consider it like the situation where you have a
physical/remote access to a machine and now you want to install a
rootkit or keylogger.

On 7/22/07, Greenarrow 1 [EMAIL PROTECTED] wrote:
> Well, for one, for security purposes why would anyone log into Google for
> search purposes. Second, most people I know who use any type of security
> usually use a proxy if they are doing unknown type searches or surfing the
> web.  This would place a kink in the ease of getting the info you stated in
> your email.
>
> While yes if anyone wanted to get your info that bad it would not matter
> what method one uses but I see the way you show as being the way a common
> Window home user would seek search data and I sure hope that corporate does
> not go this route.
>
> Regards,
> George
> Greenarrow1
> InNetInvestigations-Forensic
>
>
> - Original Message -
> From: pdp (architect) [EMAIL PROTECTED]
> To: full-disclosure@lists.grok.org.uk; OWASP Leaders
> [EMAIL PROTECTED]; WASC Forum [EMAIL PROTECTED]
> Sent: Saturday, July 21, 2007 2:04 AM
> Subject: [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface
>
>
> > http://www.gnucitizen.org/blog/snoop-onto-them-as-they-snoop-onto-us
> >
> > This is not that of a news since the service is available since
> > January this year, however I cannot see that many people discussing
> > it. Anyway, Google allows consumption of SearchHistory profiles as
> > simple RSS/ATOM feeds. IMHO, this will impact the security and privacy
> > of the users (us) quite significantly.
> >
> > [...]
> >
> > The search history feed can be accessed from the following url:
> > http://www.google.com/history/?output=rss. The interesting thing is
> > that if you are not authenticated, the Google service will ask you to
> > do so, but through HTTP Basic Authentication. Now we all know how weak
> > Basic Authentication is. By default, basic auth does not have any
> > account lockout capabilities. Yes, this feature can be introduced and
> > I haven't really tested it out on Google's SearchHistory feed
> > interface.
> > Apart from that, the real danger is that if someone has your account
> > details, they could potentially become your invisible stalker. Snoop
> > onto Them as they Snoop onto us. In the digital age, compromising
> > someone's email just for the sake of it does not make sense. What is
> > more interesting is to learn as much as possible from the victim and
> > use this knowledge for your own benefit. This is what attackers will
> > be after.
> >
> > Relevant searches, places that you have been, stats, trends, secrets.
> > If you have the Google Toolbar then you are even more screwed, since
> > every step that you make will be recorded. Given the fact that
> > everything is accessed via RSS, this information can be easily analyzed,
> > aggregated and even exported to the NET for everyone to see. As we all
> > know Basic Auth credentials are part of the URL scheme, almost every
> > RSS/ATOM aggregator supports them:
> > http://username:[EMAIL PROTECTED]/history/?output=rss. What is
> > even worse is that we can also perform queries on the history like
> > this: https://www.google.com/searchhistory/find?q=[query]&output=rss.
> >
> > Keep in mind that the SearchHistory is recording your moves no matter
> > whether you want it or not. Your actions will be recorded for as long
> > as you perform queries while being logged into Google or you have the
> > Google Browser Toolbar installed.
> >
> > I am not saying that GOOGLE is bad. All I am saying is that someone
> > can use this interface to harm others. It makes the process so much
> > easier.
> >
> > --
> > pdp (architect) | petko d. petkov
> > http://www.gnucitizen.org
> >
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] In ur server-status

2007-07-22 Thread [EMAIL PROTECTED]
WOW!

2007/7/22, John Kinsella [EMAIL PROTECTED]:
> also fun is /server-info...
>
> On Sat, Jul 21, 2007 at 10:53:42PM -0500, Todd Troxell wrote:
> > Noticing lots of admins tend to forget about /server-status, I typed at
> > random:
> >
> > http://www.cnn.com/server-status
> > http://www.webshots.com/server-status
> > http://www.download.com/server-status
> > http://slashdot.org/server-status
> >
> > I am sure there are ten billion others.  In some cases this is worse than
> > someone grabbing your access log.
> >
> > --
> > Todd Troxell
> > http://rapidpacket.com/~xtat



-- 
http://lcl.sytes.net:3880
