Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)

2010-01-04 Thread netinfinity
I couldn't agree more with Adriel.

-- 
netinfinity

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)

2010-01-04 Thread Gichuki John Chuksjonia
Especially the ones working for governments; the surveillance and
espionage etc. scares more.

On 1/4/10, netinfinity netinfinity.security...@gmail.com wrote:
 I couldn't agree more with Adriel.




-- 
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosig...@inbox.com

{FORUM}http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/



[Full-disclosure] XSS in Zoneedit

2010-01-04 Thread discloser
Anyone want to p0wn ZoneEdit?

http://www.zoneedit.com/error.html?subject=%3Cscript%3Ealert%28%22p0wned%22%29;%3C/script%3E



Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)

2010-01-04 Thread james
You are correct.

Sent from my iPhone

On Jan 4, 2010, at 6:16 AM, Gichuki John Chuksjonia chuksjo...@gmail.com wrote:

 Especially the ones working for governments; the surveillance and
 espionage etc. scares more.

 On 1/4/10, netinfinity netinfinity.security...@gmail.com wrote:
 I couldn't agree more with Adriel.







[Full-disclosure] Secunia Research: PDF-XChange Viewer Content Parsing Memory Corruption Vulnerability

2010-01-04 Thread Secunia Research
== 

 Secunia Research 04/01/2010

- PDF-XChange Viewer Content Parsing Memory Corruption Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* PDF-XChange Viewer 2.0.42.9

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

Those wishing to view PDF files on their Windows PCs now have a 
choice when it comes to viewing PDF files - the PDF-XChange Viewer is
smaller, faster and more feature-rich than the Adobe Reader, which has
until now been the Reader of choice for PDF files - we think that's 
about to change!

Product Link:
http://www.docu-track.com/home/prod_user/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in PDF-XChange Viewer,
which can be exploited by malicious people to compromise a user's 
system.

The vulnerability is caused due to an input validation error in 
PDFXCview.exe when parsing certain content and can be exploited to 
corrupt memory via a specially crafted PDF file.

Successful exploitation allows execution of arbitrary code when a user
views a malicious PDF document.

NOTE: The vulnerable code is e.g. also present in the bundled 
PDF-XChange shell extension (XCShInfo.dll), which is installed by 
default. This vector allows exploitation as soon as a user e.g. 
selects a malicious PDF file or hovers the mouse pointer over it.

== 
5) Solution 

Update to version 2.044.

== 
6) Time Table 

29/12/2009 - Vendor notified.
29/12/2009 - Vendor response received.
31/12/2009 - Vendor issues fixed version and statement.
04/01/2010 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has not 
currently assigned a CVE identifier for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-64/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==



[Full-disclosure] Magento eCommerce Multiple XSS Vulnerabilities

2010-01-04 Thread Justin C. Klein Keane

The full text of this advisory can be found at:
http://www.madirish.net/?article=445

Description of Vulnerability:
-----------------------------
Magento (http://www.magentocommerce.com/) is an eCommerce platform
written in MySQL and PHP.  Magento contains numerous serious cross site
scripting (XSS) vulnerabilities.

Systems affected:
-----------------
Magento community edition version 1.3.2.43 was tested and shown to be
vulnerable.

Mitigating factors:
-------------------
None of the vulnerabilities described below can be exploited by
unauthenticated users.  An attacker must have credentials to access the
site in order to perform the proof of concept attacks detailed below.

Vulnerable fields:
------------------
The following is a list of fields and presentation screens that suffer
from cross site scripting vulnerabilities:

== Product Name ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'product name'.

Proof of concept:
1.  Click on Catalog -> Manage Products and click the 'Add Product' button
2.  Select default settings and click the 'Continue' button
3.  Enter <script>alert('xss');</script> in the 'Name' field
4.  Enter arbitrary data in the other required fields and click the
'Save' button
5.  Click on Sales -> Orders then 'Create New Order'
6.  Select any customer
7.  Click 'Add Products'
8.  Select the newly created product and click 'Add Selected Product(s)
to Order'
9.  Observe the JavaScript alert

== Product SKU ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'product SKU'.

Proof of concept:
1.  Create a new product as above, except enter the script value for the
product SKU
2.  Create a new review of the product from Catalog -> Reviews and
Ratings -> Customer Reviews -> All Reviews and clicking the 'Add New
Review' button
3.  Save the product review to view the JavaScript

== Product Description ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'product description'.  Any JavaScript in a
product description will be rendered when a customer views the product
details of that product.

== Customer Group Name ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'customer group name'.

Proof of concept:
1.  Click on Customers -> Customer Groups
2.  Click the 'Add New Customer Group' button
3.  Enter <script>alert('xss');</script> for the 'Group Name'
4.  Click 'Save Customer Group'
5.  Click Customers -> Manage Customers
6.  Observe the JavaScript alert (twice)

== Product Category Name ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'Product category name'.

Proof of concept:
1.  Click on Catalog -> Manage Categories
2.  Click on 'Add Root Category'
3.  Click on the 'General Information' tab
4.  Enter <script>alert('xss');</script> for the 'Name'
5.  Click the 'Save Category' button
6.  Click the new category name from the left
7.  Observe the JavaScript alert

== Attribute Set ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'Attribute set name'.

Proof of concept:
1.  Click on Catalog -> Attributes -> Manage Attribute Sets
2.  Click the 'Add New Set' button
3.  Enter <script>alert('xss');</script> for the 'Name'
4.  Click 'Save Attribute Set'
5.  Observe the JavaScript alert

== Sitemap Path ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'Sitemap path'.

Proof of concept:
1.  Click on Catalog -> Google Sitemap
2.  Click 'Add Sitemap'
3.  Enter <script>alert('xss');</script> for the Path
4.  Click the 'Save & Generate' button
5.  Observe the JavaScript alert

== Customer Tax Class, Product Tax Class, Tax Rate ID ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'Customer tax class name', 'Product tax class
name', or 'Tax rate id' fields.

Proof of concept is only provided for Customer Tax Class (the others
follow the same methodology):
1.  Click on Sales -> Tax -> Customer Tax Classes
2.  Click the 'Add New' button
3.  Enter <script>alert('xss');</script> for the Class Name
4.  Click 'Save Class'
5.  Click on Sales -> Tax -> Manage Tax Rule
6.  Observe the JavaScript

N.B. The Product Tax Class XSS also affects the Catalog Advanced Search
page at index.php/catalogsearch/advanced/

== Poll Question ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'Poll Question' or 'Poll Answer' fields.

Proof of concept:
1.  Click on CMS -> Poll Manager
2.  Click the 'Add New Poll' button
3.  Enter <script>alert('xss');</script> for the Poll Question
4.  Click the 'Poll Answers' tab
5.  Click the 'Add New Answer' button
6.  Enter <script>alert('xss');</script> for the Answer Title
7.  Click 'Save Poll'
8.  Observe the JavaScript alerts when the poll renders at index.php


== Architecture 

[Full-disclosure] Windows Account Password Guessing with WinScanX

2010-01-04 Thread Reed Arvin
Original article:
http://windowsaudit.com/winscanx/windows-account-password-guessing-with-winscanx/
WinScanX download (free): http://windowsaudit.com/
Watch the video: http://www.youtube.com/watch?v=i9ZI7A-IpDw

One of the most dangerous things you can do with WinScanX is lock out a
Windows account by using the Guess Windows Passwords option
recklessly. The account lockout threshold value should always be taken
into consideration before attempting to guess Windows account
passwords.


Prerequisites to Windows account password guessing:

For Windows account password guessing to occur you must have a list of
valid user accounts from the remote host to guess passwords against.
When WinScanX enumerates these user accounts they are stored in a file
in the UserCache directory named hostname.users. There are three
different options WinScanX can use to generate user cache files for
Windows password guessing, all of which are safe:

- Get User Information
- Get User Information via RA Bypass
- Guess SNMP Community Strings

If the appropriate options are selected, WinScanX will attempt to
enumerate a list of valid user accounts the normal way, using a
Restrict Anonymous bypass method, or by guessing a valid SNMP
community string (if the SNMP service is available).


Review the account lockout threshold:

It is very important to review the account lockout threshold on the
remote host before performing Windows account password checking. Run
WinScanX with the Get Account Policy Info option selected to retrieve
the account lockout threshold. Machines where accounts do not lockout
are the safest to guess passwords against.


Review the dictionary.input file:

The dictionary.input file is the file that lists the passwords that
will be attempted for each valid Windows account. By default there are
two passwords attempted for each Windows account:

lcusername – the username in lowercase
blank – a blank or null password

Feel free to add as many passwords to this file as you wish. A
password of “password” is also common. Remember that every password in
this list will be attempted against every valid Windows account.


Initiating Windows account password guessing:

If you’ve obtained a user cache file from the remote host and verified
that you’re comfortable with the account lockout threshold set on the
remote host, then you are ready to start the Windows account password
guessing process. Select the Guess Windows Passwords option in the
WinScanX GUI and click Start Scan.

When the scan is complete, check the Reports folder for the
GuessedWindowsPasswords.txt file. You may also want to review the
ConnectErrorLog.txt file to ensure you have not accidentally locked
out any Windows account passwords.

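The guessing pattern the post describes (a two-entry dictionary tried against every enumerated account, kept under the lockout threshold) has a recognisable shape in the Windows Security log: many accounts, very few failures each, all from one source. The following is an added example, not part of the original post and not WinScanX code: it analyses constructed sample records (event 4625 = failed logon, 4740 = account locked out; the field layout, thresholds and workstation names are assumptions) and flags both the low-and-slow spray and the careless case that locked an account out.

```python
"""Spot the WinScanX-style guessing pattern (a short password list tried against
every enumerated account, kept under the lockout threshold) in Security log records."""
from collections import defaultdict
import re

# Constructed sample export, not real log data: timestamp, event id, target
# account, source workstation. 4625 = failed logon, 4740 = account locked out.
SAMPLE_LOG = """\
2010-01-04T10:00:01 4625 alice WKS-SCAN
2010-01-04T10:00:01 4625 alice WKS-SCAN
2010-01-04T10:00:02 4625 bob WKS-SCAN
2010-01-04T10:00:02 4625 bob WKS-SCAN
2010-01-04T10:00:03 4625 carol WKS-SCAN
2010-01-04T10:00:03 4625 carol WKS-SCAN
2010-01-04T10:00:04 4625 dave WKS-SCAN
2010-01-04T10:00:04 4625 dave WKS-SCAN
2010-01-04T10:05:00 4625 alice WKS-HR01
2010-01-04T10:05:30 4625 alice WKS-HR01
2010-01-04T10:06:00 4625 alice WKS-HR01
2010-01-04T10:06:30 4740 alice WKS-HR01
"""
LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)\s+(\S+)$")

def parse(log_text):
    """Yield (timestamp, event_id, account, source); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)

def analyse(log_text, lockout_threshold=3, spray_min_accounts=4):
    """Flag sources spraying few failures across many accounts, or causing lockouts."""
    failures = defaultdict(lambda: defaultdict(int))  # source -> account -> count
    lockouts = defaultdict(set)                       # source -> locked accounts
    for _, event_id, account, source in parse(log_text):
        if event_id == 4625:
            failures[source][account] += 1
        elif event_id == 4740:
            lockouts[source].add(account)
    findings = {}
    for source in set(failures) | set(lockouts):
        per_account = failures.get(source, {})
        peak = max(per_account.values(), default=0)  # worst case for one account
        spray = len(per_account) >= spray_min_accounts and peak < lockout_threshold
        if spray or lockouts[source]:
            findings[source] = {"accounts_targeted": len(per_account),
                                "max_failures_per_account": peak,
                                "locked_out": sorted(lockouts[source]),
                                "pattern": "spray" if spray else "lockout"}
    return findings
```

Set `lockout_threshold` to the value retrieved from the host's account policy; a spray that never reaches it will not show up in lockout reports, which is exactly why the per-source account count matters.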