Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if dns pre-fetching is enabled

2009-12-14 Thread coderman
On Mon, Dec 14, 2009 at 12:45 PM, nixlists  wrote:
> Google Chrome ... DNS ... sent to the system's configured DNS cache.

that is why #1 at the top of the big red WARNING box about using Tor properly says:
https://www.torproject.org/download.html.en#Warning
"1. Tor only protects Internet applications that are configured to
send their traffic through Tor — it doesn't magically anonymize all
your traffic just because you install it. We recommend you use Firefox
with the Torbutton extension."

the only way to avoid DNS leaks regardless of application configuration
is a transparent Tor proxy that intercepts all DNS and TCP at the
network layer and redirects them to the Tor TCP and DNS ports.
(see man page.)

RTFM FTW
... but never hurts to point out the obvious i guess...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [BMSA-2009-08] Multiple Vulnerabilities in PyForum

2009-12-14 Thread Nam Nguyen
BLUE MOON SECURITY ADVISORY 2009-08
===


:Title: Multiple Vulnerabilities in PyForum
:Severity: Critical
:Reporter: Hoang Quoc Thinh and Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --


Description
---

PyForum is a 100% python-based message board system based on the excellent 
web2py framework.

We have discovered cross site scripting and cross site request forgery 
vulnerabilities in PyForum. The first allows arbitrary script to run when a 
post is viewed. The second allows attackers to submit forms (such as changing 
password) automatically without the user's knowledge.

The XSS vulnerability lies in the BBcode parsing in module ``models.parser``. The 
``img`` and ``url`` tags do not sanitize their inputs and hence are susceptible to 
script injection.

The CSRF vulnerability lies in the design of this web application. Forms do not 
have secure cookies and may be automatically submitted on behalf of the user.

These bugs are rated critical because they can be easily exploited and cause 
loss of integrity.

These bugs may also exist in older versions and in zForum, from which PyForum 
derives.

Workaround
--

There is no workaround.

Fix
---

There is no fix at the moment.

Disclosure
--

Blue Moon Consulting adopts RFPolicy v2.0 in notifying vendors.

:Initial vendor contact:

  December 05, 2009: Notice sent to Julio Flores Schwarzbeck (techfuel.net)

  December 09, 2009: Reminder sent to Julio Flores Schwarzbeck

:Vendor response:

  --

:Further communication:

  --

:Public disclosure: December 15, 2009

:Exploit code:

  No exploit code required.

Disclaimer
--

The information provided in this advisory is provided "as is" without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.


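The two flaws can be shown side by side in a few lines of Python. This is an added illustration, not PyForum's or web2py's code: the ``models.parser`` module is not reproduced here, and the tag syntax, the ``SECRET`` value and the ``change_password`` handler shape are assumptions. The vulnerable renderer does what the advisory describes, substituting tag contents straight into HTML; the safe renderer escapes everything it did not generate itself and accepts only absolute http(s) URLs inside ``img`` and ``url`` tags. The CSRF part binds a token to the session with an HMAC, so a form posted from another origin cannot carry a valid one.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Assumed tag syntax: [img]URL[/img] and [url=URL]label[/url]
TAG_RE = re.compile(
    r"\[img\](?P<img>.*?)\[/img\]|\[url=(?P<href>[^\]]*)\](?P<label>.*?)\[/url\]",
    re.IGNORECASE | re.DOTALL,
)

def render_bbcode_vulnerable(text):
    """The flaw class from the advisory: tag contents are copied into HTML as-is."""
    text = re.sub(r"\[img\](.*?)\[/img\]", r'<img src="\1">', text, flags=re.I | re.S)
    text = re.sub(r"\[url=(.*?)\](.*?)\[/url\]", r'<a href="\1">\2</a>', text, flags=re.I | re.S)
    return text

def safe_url(raw):
    """Accept only absolute http(s) URLs without characters that can break an attribute."""
    raw = raw.strip()
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    if re.search(r"[\x00-\x20\"'<>]", raw):
        return None
    return raw

def render_bbcode_safe(text):
    """Escape all user text; emit only markup we build ourselves, with validated URLs."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        if m.group("img") is not None:
            u = safe_url(m.group("img"))
            out.append(f'<img src="{html.escape(u)}">' if u else html.escape(m.group(0)))
        else:
            u = safe_url(m.group("href"))
            label = html.escape(m.group("label"))
            out.append(f'<a href="{html.escape(u)}" rel="nofollow">{label}</a>'
                       if u else html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

# CSRF: a per-session token the browser must echo back in every state-changing form.

SECRET = b"replace-with-a-random-server-side-secret"  # hypothetical value for the example

def csrf_token(session_id, secret=SECRET):
    """Token bound to the session, so one user's token is useless in another user's form."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_valid(session_id, submitted, secret=SECRET):
    return hmac.compare_digest(csrf_token(session_id, secret), submitted or "")

def change_password(session_id, form, secret=SECRET):
    """Example handler shape (not PyForum's): reject the POST before touching any state."""
    if not csrf_valid(session_id, form.get("csrf_token"), secret):
        return "rejected: missing or bad CSRF token"
    if len(form.get("new_password", "")) < 8:
        return "rejected: password too short"
    return "ok"
```

The safe renderer deliberately escapes the whole original tag when the URL is rejected rather than dropping it, so a moderator reading the post can see what was attempted.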

[Full-disclosure] 318x.com and other "bad" domains.

2009-12-14 Thread exploit dev
Hi to all,

If anyone is interested, I did a minimal analysis of the 318x.com domain,
related to the recent article published by "theregister.com" about the
recent massive SQL injection attack. For more information:


http://extraexploit.blogspot.com/2009/12/318xcom-and-others-evil-domains.html

Feedback is welcome.

Re: [Full-disclosure] [gif2png] long filename Buffer Overrun

2009-12-14 Thread Jubei Trippataka
On Mon, Dec 14, 2009 at 6:14 AM, Razuel Akaharnath  wrote:

> Oh I see, Funny... this needs to be brought in notice of the original
> creator to fix the upstream version.
>
>
Posting other peoples bugs for fame! HAHAHAHAHAHAHA.

Love your tekneeqz!

-- 
ciao

JT

[Full-disclosure] Decaf anyone?

2009-12-14 Thread Ivan .
http://www.wired.com/threatlevel/2009/12/decaf-cofee/



[Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if dns pre-fetching is enabled

2009-12-14 Thread nixlists
Google Chrome 3.0.195.33 has the DNS pre-fetching feature enabled by
default. If a user is using Chrome with a proxy, the DNS queries must
go through the proxy by design, but with DNS pre-fetching enabled
they are still sent to the system's configured DNS cache.

This seems also true for the SOCKS proxy in Chromium regardless of
whether DNS pre-fetching is enabled or not as shown here:

http://code.google.com/p/chromium/issues/detail?id=29914

I have not verified the SOCKS proxy issue.

This presents a serious risk for users of services such as
Tor, as their DNS data and the little anonymity they have with Tor is
leaked outside and in the clear.

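A quick way to see whether a browser is doing what this post describes is to watch for DNS queries that never reach Tor. The following is an added Python example, not code from either post: it parses the query lines of ``tcpdump -n`` output and flags every DNS query whose destination is not Tor's DNSPort. The capture lines are constructed, and the resolver address 127.0.0.1:5353 is an assumption about the local torrc; set ``TOR_DNS`` to whatever DNSPort is configured. With the transparent-proxy setup coderman recommends in his reply, the leak list should stay empty even with prefetching on, which makes this a cheap check that the redirect rules actually catch the browser.

```python
import re
from dataclasses import dataclass

# Where Tor answers DNS on this machine (DNSPort in torrc). Assumption for this
# example: 5353 on loopback. A query sent anywhere else has bypassed Tor.
TOR_DNS = {("127.0.0.1", 5353)}

# One DNS query line as printed by: tcpdump -n -l 'udp port 53 or udp port 5353'
# (IPv4 only; the optional "[1au]" is tcpdump's EDNS marker).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)\+? (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

@dataclass(frozen=True)
class DnsQuery:
    ts: str
    src: tuple
    dst: tuple
    qtype: str
    qname: str

def parse_query(line):
    """Return a DnsQuery for a query line; None for responses, TCP and other lines."""
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    return DnsQuery(
        ts=m["ts"],
        src=(m["sip"], int(m["sport"])),
        dst=(m["dip"], int(m["dport"])),
        qtype=m["qtype"],
        qname=m["qname"].rstrip("."),
    )

def find_leaks(lines, tor_dns=TOR_DNS):
    """Every query whose destination is not Tor's DNSPort left the proxy path."""
    return [q for q in map(parse_query, lines) if q is not None and q.dst not in tor_dns]

def summarize(leaks):
    """Group leaked names by the resolver that saw them: {'ip:port': [names]}."""
    by_resolver = {}
    for q in leaks:
        by_resolver.setdefault(f"{q.dst[0]}:{q.dst[1]}", set()).add(q.qname)
    return {k: sorted(v) for k, v in sorted(by_resolver.items())}

# Constructed capture: one query correctly sent to Tor and its answer, three
# prefetch-style queries that went to the LAN resolver and to a public one, and a
# TCP SYN the parser must ignore. Addresses are from documentation ranges.
SAMPLE_CAPTURE = """\
13:05:01.100001 IP 10.0.0.5.40001 > 127.0.0.1.5353: 41893+ A? check.torproject.org. (38)
13:05:01.100900 IP 127.0.0.1.5353 > 10.0.0.5.40001: 41893 1/0/0 A 198.51.100.7 (54)
13:05:02.300000 IP 10.0.0.5.40002 > 192.168.1.1.53: 52100+ A? www.example.com. (33)
13:05:02.300500 IP 10.0.0.5.40003 > 192.168.1.1.53: 52101+ AAAA? www.example.com. (33)
13:05:03.000000 IP 10.0.0.5.40004 > 203.0.113.53.53: 7+ [1au] A? cdn.example.net. (44)
13:05:03.500000 IP 10.0.0.5.51000 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for resolver, names in summarize(find_leaks(SAMPLE_CAPTURE.splitlines())).items():
        print(f"LEAK via {resolver}: {', '.join(names)}")
```

Pipe a live capture in with ``tcpdump -n -l ... | python3 leakcheck.py`` after replacing the sample with ``sys.stdin``; the names that appear are exactly the hostnames an observer on the local network learned about.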


Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Pradip Sharma
Very nice finding, keep it up.

Warm regards,
Pradip

On Mon, Dec 14, 2009 at 7:33 PM, Ofer Maor  wrote:

> Hacktics Research Group Security Advisory
> http://www.hacktics.com/#details=;view=Resources%7CAdvisory
> By Shay Chen, Hacktics.
> 14-Dec-2009
>
> ===
> I. Overview
> ===
> During a penetration test performed by Hacktics' experts, certain
> vulnerabilities were identified in the Oracle eBusiness Suite deployment.
> Further research has identified several vulnerabilities which, combined,
> can
> allow an unauthenticated remote user to take over and gain full control
> over
> the administrative web user account of the Oracle eBusiness Suite.
>
> A friendly formatted version of this advisory, including a video
> demonstrating step-by-step execution of the exploit, is available in:
>   http://www.hacktics.com/content/advisories/AdvORA20091214.html
>
> ===
> II. The Finding
> ===
> Three separate issues have been identified:
>
> 1. Unauthenticated Guest Access
> ---
> It is possible for unauthenticated users to access certain pages with guest
> privileges (according to Oracle's security representative - this is a
> standard functionality of this component). While some pages may not be
> directly accessible as a guest in this manner, this can be bypassed by
> taking advantage of the session management behavior in the application.
>
> 2. Authorization Bypass
> ---
> Malicious users can access and manage content of other users, relying on
> the
> lack of access control in the page management interface. Attackers can use
> parameter tampering techniques to directly access the resource identifiers
> of pages owned by other users, and delete or modify their content.
>
> 3. Persistent Cross Site Scripting
> --
> Certain web interfaces in the user's menu management interface enable
> attackers to inject malicious scripts into user-specific content, causing
> the scripts to be executed in the browser of any user viewing the infected
> content (Persistent Cross Site Scripting).
>
> By combining all three vulnerabilities, an unauthenticated attacker can
> initially gain guest access, leverage it to access pages belonging to the
> administrative user, and inject malicious Java-script into their content,
> in
> order to steal session identifiers, which allow taking over the
> administrative user account.
>
> 
> III. Details
> 
> 1. Unauthenticated Guest Access
> 
> By accessing certain internal pages directly, attackers can cause the
> application to grant them guest access and load certain objects into the
> user's server side session. At this point, the attacker is able to access
> other internal components in the application as the guest user, including
> management services, configuration interfaces and information disclosing
> components, etc.
>
> Unauthenticated attackers can bypass the login phase by directly accessing
> certain internal URLs such as (partial list):
>   http://host:port/OA_HTML/OA.jsp
>   http://host:port/OA_HTML/RF.jsp
>
> When accessing one of these URLs, the system generates an exception and an
> error is presented to the client. However, as part of the process, the JSP
> code populates the session object of the user with guest privileges. The
> attacker can then access other pages in the systems which allow guest
> operations, such as:
>   http://host:port/OA_HTML/AppsChangePassword.jsp
>   http://host:port/pls/[DADName]/OracleMyPage.home
>   http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> 2. Authorization Bypass
> ---
> Various page management URLs in the Oracle eBusiness Suite rely on the
> parameter named [p_page_id] to determine which page to manage. An attacker
> can easily access the page of another user, by simply altering that
> parameter value to a value representing the other's user page. No
> authorization checks are performed to verify the authenticity of the user
> attempting the access.
>
> The following proof-of-concept samples are provided (the [p_page_id] has to
> be associated with a page of a valid user):
>
> http://host:port
> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> http://host:port
> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
> &p_page_id=[page_id]
>   http:// host:/pls/TEST/oracleconfigure.customize?p_page_id=1
>
> 3. Persistent Cross Site Scripting
> --
> Various interfaces under the personal page management interface are
> vulnerable to Persistent Cross Site Scripting:
>   http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> http://host:port
> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> An attacker can inject malicious scripts into the various properties of a
> new or existing page object (via submitted forms).
>
> http://host:port
> /pls/[DADName

Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusinessSuite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Michael Coyne
Interesting, perhaps CVE-2008-5458 and CVE-2008-5446 may be the
vulnerabilities you have described. Tough to say, as Oracle does not provide
much information in their security updates.

Thanks for your time!

On Mon, Dec 14, 2009 at 10:15 AM, Ofer Maor  wrote:




-- 
Michael J Coyne
Towson University class of 2009
www.mjcblog.net

[Full-disclosure] DC4420 - London DEFCON - Christmas drinks - Wednesday 16th December

2009-12-14 Thread Major Malfunction
yes, another year has gone by and some of the survivors will be 
gathering together to swap tales of horror and/or triumph and to soothe 
our wounds with liberal applications of alcohol...

all are welcome to join us, and as it's just a social, there is no 
pressure to perform! unless, of course, jumping up on the bar is your 
kind of thing... :)

note that this is a slight change to the originally advertised date of 
the 17th, so to be doubly clear:

we are meeting on WEDNESDAY the 16th DECEMBER, 2009...

starting location (as this is a pub crawl):

   The Black Horse, 6 Rathbone Place, London W1.

   http://tinyurl.com/dc4420-venue

Right next to Tottenham Court Rd. tube...

we will be there from about 17:00, and are looking to move to the next 
venue at 19:30 (we will tweet on http://twitter.com/dc4420 as we move, 
so don't worry if you miss us at the first stop)

hope to see you there!

cheers,
MM
-- 
"In DEFCON, we have no names..." errr... well, we do... but silly ones...



Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusinessSuite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Ofer Maor
I've been in touch with Oracle's security alerts center and they have
provided this information.

As I said in the advisory - we have not tested their patches. 

 

I have asked Oracle for references to existing publications and was told
there were none. I guess it could be worthwhile to try and see if it's
hidden behind one of the CVEs. 

 

Ofer.

 

 

 


Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusinessSuite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Michael Coyne
If this is the case, how do you know these issues were addressed in the Jan
2009 patches? Did Oracle say so or did further testing indicate that Oracle
silently patched these issues?

On Mon, Dec 14, 2009 at 9:35 AM, Ofer Maor  wrote:

>  I do not believe there are CVEs for these issues.
>
> According to the correspondence with Oracle, this was never published
> (otherwise we would not publish it…)
>
> Oracle’s main claim is that this interface was removed in Oracle 12,
> however, we still encounter this vulnerability with many of our customers
> using the Oracle eBusiness Suite.
>
>
>
> Ofer.
>
>
>
>
>
> *From:* mikeyc...@gmail.com [mailto:mikeyc...@gmail.com] *On Behalf Of 
> *Michael
> Coyne
> *Sent:* Monday, December 14, 2009 4:31 PM
> *To:* ofer.m...@owasp.org
> *Cc:* full-disclosure@lists.grok.org.uk
> *Subject:* Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle
> eBusinessSuite - Multiple Vulnerabilities Allow Remote Takeover
>
>
>
> Anyway you can figure out what are the CVEs for the two Oracle confirmed
> issues?
>



-- 
Michael J Coyne
Towson University class of 2009
www.mjcblog.net

Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusinessSuite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Michael Coyne
Anyway you can figure out what are the CVEs for the two Oracle confirmed
issues?

Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusinessSuite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Valdis . Kletnieks
On Mon, 14 Dec 2009 16:35:37 +0200, Ofer Maor said:

> Oracle's main claim is that this interface was removed in Oracle 12,

Oracle knows *damned* well that very few of their sites are running 12.
Most are still on 11, a lot on 10, and probably more than a few scary places
still running 9 on Solaris 7 and 8 boxes. ;)


pgpJUyvg2yqdk.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusinessSuite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Ofer Maor
I do not believe there are CVEs for these issues.

According to the correspondence with Oracle, this was never published
(otherwise we would not publish it.)

Oracle's main claim is that this interface was removed in Oracle 12,
however, we still encounter this vulnerability with many of our customers
using the Oracle eBusiness Suite.

 

Ofer.

 

 


Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Freddie Vicious
Very nice findings, good job!

On Mon, Dec 14, 2009 at 4:03 PM, Ofer Maor  wrote:

> Hacktics Research Group Security Advisory
> http://www.hacktics.com/#details=;view=Resources%7CAdvisory
> By Shay Chen, Hacktics.
> 14-Dec-2009
>
> ===
> I. Overview
> ===
> During a penetration test performed by Hacktics' experts, certain
> vulnerabilities were identified in the Oracle eBusiness Suite deployment.
> Further research has identified several vulnerabilities which, combined,
> can
> allow an unauthenticated remote user to take over and gain full control
> over
> the administrative web user account of the Oracle eBusiness Suite.
>
> A friendly formatted version of this advisory, including a video
> demonstrating step-by-step execution of the exploit, is available in:
>   http://www.hacktics.com/content/advisories/AdvORA20091214.html
>
> ===
> II. The Finding
> ===
> Three separate issues have been identified:
>
> 1. Unauthenticated Guest Access
> ---
> It is possible for unauthenticated users to access certain pages with guest
> privileges (according to Oracle's security representative - this is a
> standard functionality of this component). While some pages may not be
> directly accessible as a guest in this manner, this can be bypassed by
> taking advantage of the session management behavior in the application.
>
> 2. Authorization Bypass
> ---
> Malicious users can access and manage content of other users, relying on
> the
> lack of access control in the page management interface. Attackers can use
> parameter tampering techniques to directly access the resource identifiers
> of pages owned by other users, and delete or modify their content.
>
> 3. Persistent Cross Site Scripting
> --
> Certain web interfaces in the user's menu management interface enable
> attackers to inject malicious scripts into user-specific content, causing
> the scripts to be executed in the browser of any user viewing the infected
> content (Persistent Cross Site Scripting).
>
> By combining all three vulnerabilities, an unauthenticated attacker can
> initially gain guest access, leverage it to access pages belonging to the
> administrative user, and inject malicious Java-script into their content,
> in
> order to steal session identifiers, which allow taking over the
> administrative user account.
>
> 
> III. Details
> 
> 1. Unauthenticated Guest Access
> 
> By accessing certain internal pages directly, attackers can cause the
> application to grant them guest access and load certain objects into the
> user's server side session. At this point, the attacker is able to access
> other internal components in the application as the guest user, including
> management services, configuration interfaces and information disclosing
> components, etc.
>
> Unauthenticated attackers can bypass the login phase by directly accessing
> certain internal URLs such as (partial list):
>   http://host:port/OA_HTML/OA.jsp
>   http://host:port/OA_HTML/RF.jsp
>
> When accessing one of these URLs, the system generates an exception and an
> error is presented to the client. However, as part of the process, the JSP
> code populates the session object of the user with guest privileges. The
> attacker can then access other pages in the systems which allow guest
> operations, such as:
>   http://host:port/OA_HTML/AppsChangePassword.jsp
>   http://host:port/pls/[DADName]/OracleMyPage.home
>   http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> 2. Authorization Bypass
> ---
> Various page management URLs in the Oracle eBusiness Suite rely on the
> parameter named [p_page_id] to determine which page to manage. An attacker
> can easily access the page of another user, by simply altering that
> parameter value to a value representing the other's user page. No
> authorization checks are performed to verify the authenticity of the user
> attempting the access.
>
> The following proof-of-concept samples are provided (the [p_page_id] has to
> be associated with a page of a valid user):
>
> http://host:port
> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> http://host:port
> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
> &p_page_id=[page_id]
>   http:// host:/pls/TEST/oracleconfigure.customize?p_page_id=1
>
> 3. Persistent Cross Site Scripting
> --
> Various interfaces under the personal page management interface are
> vulnerable to Persistent Cross Site Scripting:
>   http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> http://host:port
> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> An attacker can inject malicious scripts into the various properties of a
> new or existing page object (via submitted forms).
>
> http://host:port
> /pls/[DADName]/icx_define_pages.Disp

[Full-disclosure] Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Ofer Maor
Hacktics Research Group Security Advisory 
http://www.hacktics.com/#details=;view=Resources%7CAdvisory
By Shay Chen, Hacktics. 
14-Dec-2009

===
I. Overview
===
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in the Oracle eBusiness Suite deployment.
Further research has identified several vulnerabilities which, combined, can
allow an unauthenticated remote user to take over and gain full control over
the administrative web user account of the Oracle eBusiness Suite. 

A friendly formatted version of this advisory, including a video
demonstrating step-by-step execution of the exploit, is available in: 
   http://www.hacktics.com/content/advisories/AdvORA20091214.html

===
II. The Finding
===
Three separate issues have been identified:

1. Unauthenticated Guest Access
---
It is possible for unauthenticated users to access certain pages with guest
privileges (according to Oracle's security representative - this is a
standard functionality of this component). While some pages may not be
directly accessible as a guest in this manner, this can be bypassed by
taking advantage of the session management behavior in the application. 

2. Authorization Bypass
---
Malicious users can access and manage content of other users, relying on the
lack of access control in the page management interface. Attackers can use
parameter tampering techniques to directly access the resource identifiers
of pages owned by other users, and delete or modify their content. 

3. Persistent Cross Site Scripting
--
Certain web interfaces in the user's menu management interface enable
attackers to inject malicious scripts into user-specific content, causing
the scripts to be executed in the browser of any user viewing the infected
content (Persistent Cross Site Scripting).

By combining all three vulnerabilities, an unauthenticated attacker can
initially gain guest access, leverage it to access pages belonging to the
administrative user, and inject malicious JavaScript into their content, in
order to steal session identifiers, which allow taking over the
administrative user account.


===
III. Details
===
1. Unauthenticated Guest Access
---
By accessing certain internal pages directly, attackers can cause the
application to grant them guest access and load certain objects into the
user's server side session. At this point, the attacker is able to access
other internal components in the application as the guest user, including
management services, configuration interfaces and information disclosing
components, etc. 

Unauthenticated attackers can bypass the login phase by directly accessing
certain internal URLs such as (partial list):
   http://host:port/OA_HTML/OA.jsp
   http://host:port/OA_HTML/RF.jsp

When accessing one of these URLs, the system generates an exception and an
error is presented to the client. However, as part of the process, the JSP
code populates the session object of the user with guest privileges. The
attacker can then access other pages in the systems which allow guest
operations, such as: 
   http://host:port/OA_HTML/AppsChangePassword.jsp
   http://host:port/pls/[DADName]/OracleMyPage.home
   http://host:port/pls/[DADName]/icx_define_pages.editpagelist

2. Authorization Bypass
---
Various page management URLs in the Oracle eBusiness Suite rely on the
parameter named [p_page_id] to determine which page to manage. An attacker
can easily access the page of another user, by simply altering that
parameter value to a value representing the other's user page. No
authorization checks are performed to verify the authenticity of the user
attempting the access. 

The following proof-of-concept samples are provided (the [p_page_id] has to
be associated with a page of a valid user):
 
   http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
   http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
   http://host:port/pls/TEST/oracleconfigure.customize?p_page_id=1

3. Persistent Cross Site Scripting
--
Various interfaces under the personal page management interface are
vulnerable to Persistent Cross Site Scripting: 
   http://host:port/pls/[DADName]/icx_define_pages.editpagelist
   http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]

An attacker can inject malicious scripts into the various properties of a
new or existing page object (via submitted forms).

   http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
   http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE


The injected script will be executed when the user accesses the main URL:
   http://host:port/pls/[DADName]/OracleMyPage.home 

It is important to no
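The second issue is the kind of defect a two-account authorization test catches before an attacker does, and an added Python example of that test follows. It is a model of the access-control defect, not Oracle's PL/SQL: the in-memory PAGES table, the SYSADMIN/alice/bob names and the Session shape are assumptions. customize_vulnerable mirrors the behaviour the advisory describes (p_page_id alone selects the page; the session is never consulted), customize_fixed requires an authenticated owner and answers "not yours" and "does not exist" identically so the parameter cannot be used as an oracle for valid page ids, and idor_test runs every session against every page id and reports each access that the ownership rule says should have failed. The guest session in the list also covers the first issue: a session that exists only because an error page populated it must not be able to manage pages.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str            # "GUEST" for the session an error page created
    authenticated: bool  # False for guest sessions

@dataclass(frozen=True)
class Page:
    page_id: int
    owner: str
    title: str

class Forbidden(Exception):
    """Raised by the fixed handler for any page the session may not manage."""

# Assumed data: an admin page plus one page each for two ordinary users.
PAGES = {
    1: Page(1, "SYSADMIN", "Admin home"),
    2: Page(2, "alice", "Alice's page"),
    3: Page(3, "bob", "Bob's page"),
}
SESSIONS = [Session("GUEST", False), Session("alice", True), Session("bob", True)]

def customize_vulnerable(session, p_page_id, pages=PAGES):
    """What the advisory describes: p_page_id alone selects the page, the session is ignored."""
    return pages[p_page_id]

def customize_fixed(session, p_page_id, pages=PAGES):
    """Authenticated owner only; 'not yours' and 'does not exist' are indistinguishable."""
    if not session.authenticated:
        raise Forbidden("guest sessions may not manage pages")
    page = pages.get(p_page_id)
    if page is None or page.owner != session.user:
        raise Forbidden("no such page")
    return page

def idor_test(handler, sessions=SESSIONS, pages=PAGES):
    """Two-account test: every session tries every page id.

    Returns the (user, page_id) pairs the handler served although the
    ownership rule says it must not have.
    """
    violations = []
    for s in sessions:
        for pid, page in pages.items():
            allowed = s.authenticated and page.owner == s.user
            try:
                handler(s, pid, pages)
                served = True
            except (Forbidden, KeyError):
                served = False
            if served and not allowed:
                violations.append((s.user, pid))
    return violations

if __name__ == "__main__":
    print("vulnerable handler:", idor_test(customize_vulnerable))
    print("fixed handler:     ", idor_test(customize_fixed))
```

Against a real deployment the same loop is driven with two low-privileged test accounts and a recorded request for each page-management URL; a single unexpected 200 for another account's p_page_id is the finding.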

[Full-disclosure] Cross-Site Scripting vulnerabilities in Invision Power Board

2009-12-14 Thread MustLive
Hello Full-Disclosure!

I want to warn you about new vulnerabilities in Invision Power Board.

These are Cross-Site Scripting vulnerabilities. The attack goes via an 
attachment (when clicking on the attachment in a forum post or on a link 
to that attachment). These are persistent XSS vulnerabilities.

I have known for a long time about the possibility of attacks via swf-files. So 
many years ago I turned off support for swf-files in attachments (and in avatars 
and photos). I also wrote at the beginning of 2008 about an XSS vulnerability in 
IPB (http://websecurity.com.ua/1893/) via embedded flash files and released a 
fix for it in my MustLive Security Pack (http://websecurity.com.ua/1896/).

In 2008 a Cross-Site Scripting vulnerability was found in IPB 
(http://securityvulns.ru/Tdocument862.html) via htm and html files in 
attachments. It concerned Internet Explorer, in which the code executed in 
the context of the site (in Mozilla and Firefox the code executed locally). 
But as I checked on 12.12.2009, in Opera the code also executes in the context 
of the site.

And recently a new XSS vulnerability was found in IPB 
(http://securityvulns.ru/Wdocument899.html), this time via txt-files, which 
concerns Internet Explorer. In the case of htm, html and txt-files (and also the 
below-mentioned php, rtf and xml-files) the best method of protection against 
XSS is turning off support for them at the forum (as with swf-files).

On 12.12.2009 I found new Cross-Site Scripting vulnerabilities in Invision 
Power Board. The attack goes via php, rtf and xml files (in attachments).

The following attacks are possible:

1. Attack via uploading php-files with JavaScript code. Works in IE and 
Opera in context of the site. In browsers Mozilla and Firefox file will open 
locally (not in context of the site) at selecting open in browser. 
Accordingly in case of attack via htm, html and php files at browsers 
Mozilla and Firefox, which open them locally (at selecting in dialog window 
by user), attack at local computer of the user it possible.

2. Attack via uploading rtf files with JavaScript code. Works only in 
Internet Explorer.

3. Attack via uploading xml files with JavaScript code. Works in Mozilla, 
Firefox, Opera and Chrome (but without access to cookies).

XSS:

For attacks via htm, html, php, rtf and txt files, it is necessary to create 
a file with the following content (and upload it as an attachment to the 
forum):

alert(document.cookie)

I tested on Invision Power Board 1.3 and 2.2.2. All versions of IPB 1.x 
(particularly for txt), 2.x and 3.0.x must be vulnerable. The author of the 
advisory about the attack via txt files noted that there are filters against 
XSS during uploading of files in IPB 3.0.4, but they can be bypassed.

I checked in the following browsers: Internet Explorer 6 (6.0.2900.2180), 
Mozilla 1.7.x, Mozilla Firefox 3.0.15, Opera 9.52 and Google Chrome 
1.0.154.48.

I mentioned these vulnerabilities at my site 
(http://websecurity.com.ua/3764/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Zabbix Server : Multiple remote vulnerabilities

2009-12-14 Thread Nicob

From Wikipedia : "Zabbix is a network management system application
[...] designed to monitor and track the status of various network
services, servers, and other network hardware."

[Zabbix Server : Remote command execution]

Impacted software : Zabbix Server
Zabbix reference : https://support.zabbix.com/browse/ZBX-1030
Patched version : 1.8

Faulty source code : function node_process_command() in
zabbix_server/trapper/nodecommand.c

Changelog entry : fixed security vulnerability in server allowing remote
unauthenticated users to execute scripts

[Zabbix Server : Remote SQL execution]

Impacted software : Zabbix Server
Zabbix reference : https://support.zabbix.com/browse/ZBX-1031
Patched version : 1.6.8 (patch for 1.6.7 was insufficient)

Faulty source code : function send_history_last_id() in
zabbix_server/trapper/nodehistory.c

Changelog entry (1.6.7) : fixed security vulnerability in server,
allowing remote unauthenticated users to execute arbitrary SQL queries
Changelog entry (1.6.8) : added more security checks for communication
between nodes

[Zabbix Server : Remote DoS (NULL deref)]

Impacted software : Zabbix Server
Zabbix reference : https://support.zabbix.com/browse/ZBX-993
Patched version : 1.6.6

Faulty source code : function process_trap() in
zabbix_server/trapper/trapper.c

Changelog entry : fixed possible vulnerability of trapper

[Zabbix Server : Remote DoS (NULL deref)]

Impacted software : Zabbix Server
Zabbix reference : https://support.zabbix.com/browse/ZBX-1355
Patched version : 1.6.8

Faulty source code : function zbx_get_next_field() in
libs/zbxcommon/str.c

Changelog entry : fixed possible server crash when receiving invalid
data

Nicob




[Full-disclosure] Zabbix Agent : Bypass of EnableRemoteCommands=0

2009-12-14 Thread Nicob

From Wikipedia : "Zabbix is a network management system application
[...] designed to monitor and track the status of various network
services, servers, and other network hardware."

[Zabbix Agent : Bypass of EnableRemoteCommands=0]

Impacted software : Zabbix Agent (FreeBSD and Solaris only)
Zabbix reference : https://support.zabbix.com/browse/ZBX-1032
Patched version : 1.6.7

Faulty source code : function NET_TCP_LISTEN() in
libs/zbxsysinfo/(freebsd|solaris)/net.c

Exploit : $> echo "net.tcp.listen[80';id;echo ']"|nc -vn x 10050
Limitation : attacker must come from (or spoof) a trusted IP address

Changelog entry : fixed security vulnerability in processing of
net.tcp.listen under FreeBSD and Solaris agents

Nicob

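The net.tcp.listen bug above is a classic shell-metacharacter injection: a key parameter reaches a command line that is later run by /bin/sh. The following C is an added example, not Zabbix's own code; it shows the vulnerable pattern beside a hardened form that validates the parameter as a port number before anything is built from it. The netstat/grep command line is a placeholder for whatever the agent really executes, and the function names are assumed.

```c
/* Added example, not Zabbix code: the vulnerable pattern behind ZBX-1032
 * (a raw item-key parameter interpolated into a shell command line) next
 * to a hardened form. The netstat/grep command is a placeholder for
 * whatever the agent really runs; function names are my own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the parameter of net.tcp.listen[...] is copied
 * straight into a command that will later be handed to /bin/sh, so a
 * single quote in the parameter ends the grep pattern and everything
 * after it is executed as shell commands. */
int build_listen_cmd_unsafe(const char *param, char *cmd, size_t len)
{
    int n = snprintf(cmd, len, "netstat -an | grep '\\.%s '", param);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Hardened form, step 1: accept only a decimal TCP port in 1..65535.
 * Returns 0 and stores the port on success, -1 on any other input. */
int parse_listen_port(const char *param, unsigned *port)
{
    const char *p;
    unsigned long v;
    if (param == NULL || *param == '\0' || strlen(param) > 5)
        return -1;
    for (p = param; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;              /* rejects quotes, ';', spaces, ... */
    v = strtoul(param, NULL, 10);
    if (v < 1 || v > 65535)
        return -1;
    *port = (unsigned)v;
    return 0;
}

/* Hardened form, step 2: only the validated integer, never the original
 * string, is formatted into the command line. */
int build_listen_cmd_safe(const char *param, char *cmd, size_t len)
{
    unsigned port;
    int n;
    if (parse_listen_port(param, &port) != 0)
        return -1;                  /* refuse to build any command at all */
    n = snprintf(cmd, len, "netstat -an | grep '\\.%u '", port);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```

The "trusted IP" limitation noted above does not change the fix: the validation has to happen on the parameter itself, because the source address says nothing about the content of the request.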


Re: [Full-disclosure] [gif2png] long filename Buffer Overrun

2009-12-14 Thread Raphael Geissert
Razuel Akaharnath wrote:

> I see, well according to the bug report, it's fixed in 2.5.2-1. I tested
> that version itself and sadly the fix isn't there.
> 

The Debian maintainer added a patch to fix it, not upstream. It is fixed.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

