[Full-disclosure] [USN-878-1] Firefox 3.5 and Xulrunner 1.9.1 regression

2010-01-07 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-878-1   January 08, 2010
firefox-3.5, xulrunner-1.9.1 regression
https://launchpad.net/bugs/504516
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  firefox-3.5                     3.5.7+nobinonly-0ubuntu0.9.10.1
  xulrunner-1.9.1                 1.9.1.7+nobinonly-0ubuntu0.9.10.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner to effect the necessary changes.

Details follow:

USN-874-1 fixed vulnerabilities in Firefox and Xulrunner. The upstream
changes introduced a regression when using NTLM authentication. This update
fixes the problem and added additional stability fixes.

We apologize for the inconvenience.

Original advisory details:
 Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel, Olli Pettay, and
 David James discovered several flaws in the browser and JavaScript engines
 of Firefox. If a user were tricked into viewing a malicious website, a
 remote attacker could cause a denial of service or possibly execute
 arbitrary code with the privileges of the user invoking the program.
 (CVE-2009-3979, CVE-2009-3980, CVE-2009-3982, CVE-2009-3986)

 Takehiro Takahashi discovered flaws in the NTLM implementation in Firefox.
 If an NTLM authenticated user visited a malicious website, a remote
 attacker could send requests to other applications, authenticated as the
 user. (CVE-2009-3983)

 Jonathan Morgan discovered that Firefox did not properly display SSL
 indicators under certain circumstances. This could be used by an attacker
 to spoof an encrypted page, such as in a phishing attack. (CVE-2009-3984)

 Jordi Chancel discovered that Firefox did not properly display invalid URLs
 for a blank page. If a user were tricked into accessing a malicious
 website, an attacker could exploit this to spoof the location bar, such as
 in a phishing attack. (CVE-2009-3985)

 David Keeler, Bob Clary, and Dan Kaminsky discovered several flaws in third
 party media libraries. If a user were tricked into opening a crafted media
 file, a remote attacker could cause a denial of service or possibly execute
 arbitrary code with the privileges of the user invoking the program.
 (CVE-2009-3388, CVE-2009-3389)


Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.7+nobinonly-0ubuntu0.9.10.1.diff.gz
      Size/MD5:   128326 9c43a61bea9183527630d057e246fdbc

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.7+nobinonly-0ubuntu0.9.10.1.dsc
      Size/MD5:     2940 50f7c1a9cb76736b95e0f74c0689dadb

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.7+nobinonly.orig.tar.gz
      Size/MD5: 44871531 fdf9997dcafc4fcb7bae2b0c803b7512

    http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.7+nobinonly-0ubuntu0.9.10.1.diff.gz
      Size/MD5:    61062 35ebeb44bbcd4197864e22edb88edde3

    http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.7+nobinonly-0ubuntu0.9.10.1.dsc
      Size/MD5:     2910 2aca7f7b399801e6db987b4d07b9e452

    http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.7+nobinonly.orig.tar.gz
      Size/MD5: 44411311 eb6d23438bdf08c0f7fa8be4f10695bd

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/abrowser_3.5.7+nobinonly-0ubuntu0.9.10.1_all.deb
      Size/MD5:    73384 3c2b10c5e6ee82552905bd67c3f17abc

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.0-dev_3.5.7+nobinonly-0ubuntu0.9.10.1_all.deb
      Size/MD5:    73242 c349cc0e7f7036802368d7634feffbe6

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.1-dbg_3.5.7+nobinonly-0ubuntu0.9.10.1_all.deb
      Size/MD5:    73242 643d7488bf2ea8e64f1309c4ed5a86f5

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.1-dev_3.5.7+nobinonly-0ubuntu0.9.10.1_all.deb
      Size/MD5:    73240 6fb7bf2b0c18954de263f4addc534115

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-gnome-support_3.5.7+nobinonly-0ubuntu0.9.10.1_all.deb
      Size/MD5:    73298 4f613552e4cb4b506bd5741437cab2fc

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox_3.5.7+nobinonly-0ubuntu0.9.10.1_all.deb
      Size/MD5:    73398 e613137f3b56d9904dc400de6b3d57fa

    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.5/abrowser-3.0-branding_3.5.7+nobinonly-0ubuntu0.9.10.1_all.deb
      Size/MD5:    73260 d97180d863af2d6f452c903914ae96ae

    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.5/ab

[Full-disclosure] [USN-877-1] Firefox 3.0 and Xulrunner 1.9 regression

2010-01-07 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-877-1   January 08, 2010
firefox-3.0, xulrunner-1.9 regression
https://launchpad.net/bugs/504516
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0                     3.0.17+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9                   1.9.0.17+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser                        3.0.17+nobinonly-0ubuntu0.8.10.1
  firefox-3.0                     3.0.17+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9                   1.9.0.17+nobinonly-0ubuntu0.8.10.1

Ubuntu 9.04:
  abrowser                        3.0.17+nobinonly-0ubuntu0.9.04.1
  firefox-3.0                     3.0.17+nobinonly-0ubuntu0.9.04.1
  xulrunner-1.9                   1.9.0.17+nobinonly-0ubuntu0.9.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner to effect the necessary changes.

Details follow:

USN-873-1 fixed vulnerabilities in Firefox and Xulrunner. The upstream
changes introduced a regression when using NTLM authentication. This update
fixes the problem and added additional stability fixes.

We apologize for the inconvenience.

Original advisory details:

 Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel, Olli Pettay, and
 David James discovered several flaws in the browser and JavaScript engines
 of Firefox. If a user were tricked into viewing a malicious website, a
 remote attacker could cause a denial of service or possibly execute
 arbitrary code with the privileges of the user invoking the program.
 (CVE-2009-3979, CVE-2009-3981, CVE-2009-3986)

 Takehiro Takahashi discovered flaws in the NTLM implementation in Firefox.
 If an NTLM authenticated user visited a malicious website, a remote
 attacker could send requests to other applications, authenticated as the
 user. (CVE-2009-3983)

 Jonathan Morgan discovered that Firefox did not properly display SSL
 indicators under certain circumstances. This could be used by an attacker
 to spoof an encrypted page, such as in a phishing attack. (CVE-2009-3984)

 Jordi Chancel discovered that Firefox did not properly display invalid URLs
 for a blank page. If a user were tricked into accessing a malicious
 website, an attacker could exploit this to spoof the location bar, such as
 in a phishing attack. (CVE-2009-3985)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.17+nobinonly-0ubuntu0.8.04.1.diff.gz
      Size/MD5:   106101 19afe94e4dcb8ecb84ccf79ff72737f9

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.17+nobinonly-0ubuntu0.8.04.1.dsc
      Size/MD5:     2732 a59368e4f862d49c83def04577cd478d

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.17+nobinonly.orig.tar.gz
      Size/MD5: 11194865 28c350590008703dda403d887fcd8693

    http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.17+nobinonly-0ubuntu0.8.04.1.diff.gz
      Size/MD5:    79705 042419ecd03864c3934dada98901a740

    http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.17+nobinonly-0ubuntu0.8.04.1.dsc
      Size/MD5:     2783 c408f1eb0c0e2d25f2e00f387a8b00b4

    http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.17+nobinonly.orig.tar.gz
      Size/MD5: 41956499 67e8f22253c8cec38caf1821bd9237d4

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-dev_3.0.17+nobinonly-0ubuntu0.8.04.1_all.deb
      Size/MD5:    66452 bd4e5241f7f18d9442b9dcaee4ea4ebe

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-gnome-support_3.0.17+nobinonly-0ubuntu0.8.04.1_all.deb
      Size/MD5:    66460 ca067655b07771ab54c84126f450e8ac

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-granparadiso-dev_3.0.17+nobinonly-0ubuntu0.8.04.1_all.deb
      Size/MD5:    66422 0059f36aaad72428678fa887d6d6b3a6

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-trunk-dev_3.0.17+nobinonly-0ubuntu0.8.04.1_all.deb
      Size/MD5:    66408 d7b296af47d95903dd7f235aea24f1a8

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox_3.0.17+nobinonly-0ubuntu0.8.04.1_all.deb
      Size/MD5:    66566 33b9bc7d4b25fc2bc24a527dd4588181

    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-dom-inspector_3.0.17+nobinonly-0ubuntu0.8.04.1_all.deb
      Size/MD5:    66470 8b9fc06108721a90a32cfffe589901bc

    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-venkman_3.0.17+nobinonly-0

Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread mrx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Agreed, there are a lot of things that "try to" phone home.

I would have less dislike for MS data collection practices if there
was a tick box along the lines of "disable all communication with MS servers"
Perhaps with the exception of OS updates with the only information sent to MS
being the current patch level of the machine to be updated.
After all what other info do they need to update the OS?

I concur with your appraisal of Google. That's why I use Scroogle, don't use
Chrome and block analytics, syndication, adservices and doubleclick.

I guess I am just paranoid.

mrx

PS: I wish Thunderbird would default to the list when replying.

Dan Kaminsky wrote:
> There's lots of things that phone home, but as long as they're opt-in
> and explicitly documented, I don't have a problem with it per se.
> 
> Google can sure identify a heck of a lot more, and doesn't exactly
> assail you with the opportunity to browse anonymously.
> 
> 
> 
> 
> 
> 
> 
> On Jan 8, 2010, at 1:12 AM, mrx  wrote:
> 
> Dan,
> 
> Windows 7 has a multitude if services that relay usage and hardware
> data back to Microsoft.
> I would be surprised if you are unaware of this.
> 
> WGA or WAT.
> Location awareness.
> Smartscreen filter.
> Searches defaulting to Live/Bing.
> Windows problem reporting.
> Windows online help and support.
> Customer Experience Improvement Program.
> Search string collection.
> Windows Media Player.
> 
> There are other services that contact MS with usage data.
> 
> Much of the above is opt in, however MS recommend that these
> "features" are enabled to ensure a safe and enhanced Windows experience.
> As most computer users are consumers as opposed to knowledgeable
> computer users, I would imagine the majority will accept and enable.
> 
> Although MS may not be able to identify me personally, ie: name,
> address, age, colour of eyes etc. They can get a pretty good profile
> of my
> surfing and computer usage habits along with my IP and MAC address.
> And this is more information than I am prepared to share.
> 
> Perhaps I am being paranoid, but I would prefer that MS not have a
> clue what I do with my PC, what hardware it consists of, what software
> I run
> on it, or which websites I visit.
> 
> http://news.softpedia.com/news/30-Windows-7-Features-Phone-Home-to-Microsoft-129592.shtml
> 
> 
> http://news.zdnet.co.uk/software/0,100121,39544372,00.htm
> 
> http://www.microsoft.com/windows/windows-7/m3/privacy-highlights.aspx
> 
> I recently removed the RC version of win7 which I installed out of
> curiosity. When I get around to buying the RTM I will run Wireshark
> with the
> OS for a while, opt in to all that MS recommend, and discover exactly
> what data is shared with MS. I will then discover if my paranoia is in
> fact warranted.
> 
> mrx
> 
> 
> 
> Dan Kaminsky wrote:
> phone home features?
>
> On Thu, Jan 7, 2010 at 11:50 PM, mrx  wrote:
>
>> Dan Kaminsky wrote:
>>> On Thu, Jan 7, 2010 at 11:12 PM,  wrote:
>>>
>>>> On Thu, 07 Jan 2010 23:07:01 +0100, Dan Kaminsky said:
>>>>> No, he uses an XSS against the router to pull its wireless MAC, and then
>>>>> puts that into Firefox's location services API.  That bounces off various
>>>>> wardriving sources and comes up with a latlong.
>>>> OK, so it only works against wireless routers that have been wardriven
>>>> already.  Makes you wonder what's on those Google Street-View trucks
>>>> besides a camera. ;)
>>>
>>> www.wigle.net and SkyHook have been doing this stuff for a while.  Though I
>>> suppose there is that rule, "It's only creepy if Google does it"
>>>
>> Disabling ssid broadcast doesn't mitigate detection either, well not by
>> more than a couple of minutes.
>> If you don't need wireless access disable it.
>>
>> I used to think Microsoft were creepy. I still think Microsoft are creepy,
>> especially after discovering the phone home features in Win 7.
>> Google on the other hand are plain scary, thankfully unlike Microsoft they
>> are entirely altruistic.
>>
>> mrx


>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> 

--
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBS0aCjLIvn8UFHWSmAQI3nQf/fESE130D7N4hgf913y3hEF/ziekTz7xc
4N/sYFLbkIMkwRPMg8oP7DJ8V4DHVR66NlGZBJtCLmWEKIHiZ8E5kCsrLH0hIFPS
UV9Aa69tx67PnbigdQC022kzmA94xjg+6E6whz0mFIlEiXQ4hWYS8Os0utzSbLjJ
PE2Lm7rrZYT/fJgfzkR8qm14HtmHGKzg5CJ8hQVZSZYeC3dZm/aXloCFURrAVR+H
chsVzg0XoczPGChOssvuZV6woiWnm+6c+oZ56OfnJmBgyPW3H4UqOWMxCVfYxgbv
Oo37uYh+AyRSFSw/0/3e8nSVMXTLwQCjd4i9Quh+1cJx2f7hvs6

Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Paul Schmehl
--On Thursday, January 07, 2010 16:50:25 -0600 mrx wrote:
>
> I used to think Microsoft were creepy. I still think Microsoft are creepy,
> especially after discovering the phone home features in Win 7.
> Google on the other hand are plain scary, thankfully unlike Microsoft they
> are entirely altruistic.
>

Or you are entirely naive.  :-)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Dan Kaminsky
On Thu, Jan 7, 2010 at 11:54 PM,  wrote:

> On Thu, 07 Jan 2010 23:14:36 +0100, Dan Kaminsky said:
> > On Thu, Jan 7, 2010 at 11:12 PM,  wrote:
> > > OK, so it only works against wireless routers that have been wardriven
> > > already.  Makes you wonder what's on those Google Street-View trucks
> > > besides a camera. ;)
>
> > www.wigle.net and SkyHook have been doing this stuff for a while.
>  Though I
> > suppose there is that rule, "It's only creepy if Google does it"
>
> Not creepy, just a simple matter of scale.  I'm fairly sure that Google's
> done several orders of magnitude more driving around than the other guys.
>
>
I'm not.

"Wigle has 18,837,276 points from 1,058,769,231 unique observations."

Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Valdis . Kletnieks
On Thu, 07 Jan 2010 23:14:36 +0100, Dan Kaminsky said:
> On Thu, Jan 7, 2010 at 11:12 PM,  wrote:
> > OK, so it only works against wireless routers that have been wardriven
> > already.  Makes you wonder what's on those Google Street-View trucks
> > besides a camera. ;)
 
> www.wigle.net and SkyHook have been doing this stuff for a while.  Though I
> suppose there is that rule, "It's only creepy if Google does it"

Not creepy, just a simple matter of scale.  I'm fairly sure that Google's
done several orders of magnitude more driving around than the other guys.

Main Street in beautiful downtown Grundy, Virginia.  Yes, it's that small. Yes,
Google drove by. I wonder how many other wardrivers have hit Grundy. ;)

http://maps.google.com/?ie=UTF8&ll=37.278588,-82.099366&spn=0,359.997028&z=19&layer=c&cbll=37.278685,-82.099343&panoid=C8d_pjVMpK6LG7b2lk8qIA&cbp=12,181.19,,0,5

(Full disclosure - Verizon did do a Wimax trial in Grundy serving about 1400
subscribers.  So if anything, there should be *more* wardriving hitting Grundy
than other similar small towns that that same Google drive-by drove through
that day.)



[Full-disclosure] ZDI-10-001: Novell iManager eDirectory Plugin Remote Code Execution Vulnerability

2010-01-07 Thread ZDI Disclosures
ZDI-10-001: Novell iManager eDirectory Plugin Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-001
January 7, 2010

-- CVE ID:
CVE-2009-4486

-- Affected Vendors:
Novell

-- Affected Products:
Novell iManager

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Novell iManager. Authentication is not
required to exploit this vulnerability.

The flaw exists in an application called by iManager in order to
handle importing/exporting of schema information. While
importing/exporting from the schema, the sub-application fails to
validate the length of its arguments while copying user-supplied data
into a statically allocated stack buffer. This can result in code
execution under the privileges of the application.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:

http://www.novell.com/support/viewContent.do?externalId=7004985&sliceId=1

-- Disclosure Timeline:
2009-03-26 - Vulnerability reported to vendor
2010-01-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* 1c239c43f521145fa8385d64a9c32243

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/


Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread mrx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Kaminsky wrote:
> On Thu, Jan 7, 2010 at 11:12 PM,  wrote:
> 
>> On Thu, 07 Jan 2010 23:07:01 +0100, Dan Kaminsky said:
>>> No, he uses an XSS against the router to pull its wireless MAC, and then
>>> puts that into Firefox's location services API.  That bounces off various
>>> wardriving sources and comes up with a latlong.

>> OK, so it only works against wireless routers that have been wardriven
>> already.  Makes you wonder what's on those Google Street-View trucks
>> besides a camera. ;)
>>
> 
> www.wigle.net and SkyHook have been doing this stuff for a while.  Though I
> suppose there is that rule, "It's only creepy if Google does it"
> 

Disabling ssid broadcast doesn't mitigate detection either, well not by more 
than a couple of minutes.
If you don't need wireless access disable it.

I used to think Microsoft were creepy. I still think Microsoft are creepy,
especially after discovering the phone home features in Win 7.
Google on the other hand are plain scary, thankfully unlike Microsoft they are 
entirely altruistic.

mrx


--
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBS0ZlMbIvn8UFHWSmAQJBhQf+KewhGZYaTYtX7pkBgeGacEwvN4NEe7p8
tL2pWU/XHjrvZZ/N6q0okH0/Pw6KKgEd9zgPVkwst3HnM3af6d5NbGnczlP1NDWg
vTljj602USAuFn0U7EaubQf2PbaFLbXHCKfe/0JOar3U4fxu27UAOegm214QcIsM
1oWp+FSSgh6+CaWwkBA5DGMtceyp+fPMQ5ktwIG0r4Yy02OGMojatMAPc+QRx8OA
EEbwP8oh9QWYPrp4RX3YjcrOTYEx8kVBXdt/LL2A6wq34LeBcv6mRBIOyeULrKjn
PMeC1s2fiKT5dJhr3ze1K3oum8wiNgiUE/Jrj8f6ueO0aFi/Knv72Q==
=nLhe
-----END PGP SIGNATURE-----



Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Dan Kaminsky
On Thu, Jan 7, 2010 at 11:12 PM,  wrote:

> On Thu, 07 Jan 2010 23:07:01 +0100, Dan Kaminsky said:
> > No, he uses an XSS against the router to pull its wireless MAC, and then
> > puts that into Firefox's location services API.  That bounces off various
> > wardriving sources and comes up with a latlong.
>
> OK, so it only works against wireless routers that have been wardriven
> already.  Makes you wonder what's on those Google Street-View trucks
> besides a camera. ;)
>

www.wigle.net and SkyHook have been doing this stuff for a while.  Though I
suppose there is that rule, "It's only creepy if Google does it"

Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Valdis . Kletnieks
On Thu, 07 Jan 2010 23:07:01 +0100, Dan Kaminsky said:
> No, he uses an XSS against the router to pull its wireless MAC, and then
> puts that into Firefox's location services API.  That bounces off various
> wardriving sources and comes up with a latlong.

OK, so it only works against wireless routers that have been wardriven
already.  Makes you wonder what's on those Google Street-View trucks
besides a camera. ;)



Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Dan Kaminsky
No, he uses an XSS against the router to pull its wireless MAC, and then
puts that into Firefox's location services API.  That bounces off various
wardriving sources and comes up with a latlong.

On Thu, Jan 7, 2010 at 10:56 PM,  wrote:

> On Thu, 07 Jan 2010 04:26:26 EST, "McGhee, Eddie" said:
>
> > I only have one question how does Google get the information of MAC
> address's and locations.
>
> I suspect it's a case of bad reporting and they confused MAC and IP
> addresses:
>
> "For now, it works only on FiOS routers supplied by Verizon, and then only
> when
> users are logged in to the device's administrative panel."
>
> I'm guessing it works by poking the router, asking it what its upstream IP
> address is, and then geolocating that.

Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Valdis . Kletnieks
On Thu, 07 Jan 2010 04:26:26 EST, "McGhee, Eddie" said:

> I only have one question how does Google get the information of MAC address's 
> and locations.

I suspect it's a case of bad reporting and they confused MAC and IP addresses:

"For now, it works only on FiOS routers supplied by Verizon, and then only when
users are logged in to the device's administrative panel."

I'm guessing it works by poking the router, asking it what its upstream IP
address is, and then geolocating that.



[Full-disclosure] [SECURITY] [DSA 1967-1] New transmission packages fix directory traversal

2010-01-07 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1967-1                  secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
January 07, 2010                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: transmission
Vulnerability  : directory traversal
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2010-0012

Dan Rosenberg discovered that Transmission, a lightweight client for
the BitTorrent filesharing protocol, performs insufficient sanitising
of file names specified in .torrent files. This could lead to the
overwrite of local files with the privileges of the user running
Transmission if the user is tricked into opening a malicious torrent
file.
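The check that closes this class of bug is a per-component validation of the file paths taken from a .torrent plus a final containment test on the joined result. The following is an added example written for this page, not Transmission's code and not part of the advisory; `safe_target_path`, `check_torrent_files`, the download directory and the sample torrent entries are all constructed for illustration.

```python
import posixpath

# Constructed example: the per-file path check a BitTorrent client should
# apply to the "path" components of a .torrent before writing to disk.
# Hypothetical helper names; not Transmission's code.

DOWNLOAD_DIR = "/home/user/Downloads"   # constructed base directory


class UnsafeTorrentPath(ValueError):
    """Raised when a .torrent path would escape the download directory."""


def safe_target_path(download_dir, components):
    """Join untrusted .torrent path components under download_dir.

    Each component is validated on its own (no empty, '.', '..', embedded
    separators or NUL), then the normalised result is re-checked against
    the normalised base, so neither a single '..' element nor an absolute
    element (which posixpath.join would otherwise honour) can leave it.
    """
    if not components:
        raise UnsafeTorrentPath("empty path list")
    for part in components:
        if part in ("", ".", ".."):
            raise UnsafeTorrentPath("reserved path element %r" % part)
        if "/" in part or "\\" in part or "\x00" in part:
            raise UnsafeTorrentPath("separator or NUL inside element %r" % part)
    base = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(base, *components))
    # Belt and braces: the normalised target must still sit inside base.
    if target != base and not target.startswith(base + "/"):
        raise UnsafeTorrentPath("path escapes download directory: %r" % target)
    return target


def check_torrent_files(download_dir, file_entries):
    """Return (accepted, rejected) for a torrent's file entries.

    file_entries mimics the 'files' list of a multi-file .torrent, each with
    a 'path' list of components. accepted holds resolved paths; rejected
    holds (path, reason) pairs so a caller can refuse the whole torrent.
    """
    accepted, rejected = [], []
    for entry in file_entries:
        try:
            accepted.append(safe_target_path(download_dir, entry["path"]))
        except UnsafeTorrentPath as exc:
            rejected.append((entry["path"], str(exc)))
    return accepted, rejected


# Constructed sample torrent entries: two benign, three attempting to leave
# the download directory in different ways.
SAMPLE_FILES = [
    {"path": ["album", "track01.ogg"]},
    {"path": ["readme.txt"]},
    {"path": ["..", "..", ".bashrc"]},
    {"path": ["subdir/../../.ssh/authorized_keys"]},
    {"path": ["/etc/passwd"]},
]

if __name__ == "__main__":
    ok, bad = check_torrent_files(DOWNLOAD_DIR, SAMPLE_FILES)
    for p in ok:
        print("accept", p)
    for path, why in bad:
        print("reject", path, "->", why)
```

Rejecting the whole torrent on the first bad entry, rather than skipping only that file, is the safer policy: a torrent that carries a traversal attempt has no legitimate reason to be written at all.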

For the stable distribution (lenny), this problem has been fixed in
version 1.22-1+lenny2.

For the unstable distribution (sid), this problem has been fixed in
version 1.77-1.

We recommend that you upgrade your transmission packages.
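Whether a system is actually at or above the fixed versions listed in the Ubuntu notices above and in this Debian advisory is a comparison under dpkg's version-ordering rules (epoch, upstream version, Debian revision; a digit run compares numerically, `~` sorts before anything). The following is an added example for this page, not part of any of the advisories and not dpkg's code; it reimplements that ordering in Python and applies it to a constructed sample of installed versions, using the fixed version strings exactly as the advisories print them. `compare_versions` and `outdated_packages` are hypothetical helper names.

```python
# Constructed example (not part of the advisory): compare installed package
# versions against advisory-fixed versions using dpkg's ordering rules.


def _order(c):
    """Sort weight of one character in a non-digit run, as dpkg defines it."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one position at a time.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, upstream, revision = 0, version, "0"
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Negative, zero or positive as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def outdated_packages(installed, fixed):
    """Return {package: (installed, fixed)} for packages still below the fix."""
    return {pkg: (installed[pkg], ver) for pkg, ver in fixed.items()
            if pkg in installed and compare_versions(installed[pkg], ver) < 0}


# Fixed versions as the advisories list them (Ubuntu 9.10 block of USN-878-1
# and the lenny line of DSA-1967-1).
FIXED_UBUNTU_9_10 = {
    "firefox-3.5": "3.5.7+nobinonly-0ubuntu0.9.10.1",
    "xulrunner-1.9.1": "1.9.1.7+nobinonly-0ubuntu0.9.10.1",
}
FIXED_LENNY = {"transmission": "1.22-1+lenny2"}

# Constructed sample of what `dpkg-query -W -f '${Package} ${Version}\n'`
# might report on a machine that has one of the two Ubuntu packages still
# at the pre-regression-fix level.
SAMPLE_INSTALLED = {
    "firefox-3.5": "3.5.6+nobinonly-0ubuntu0.9.10.1",
    "xulrunner-1.9.1": "1.9.1.7+nobinonly-0ubuntu0.9.10.1",
}

if __name__ == "__main__":
    for pkg, (have, need) in outdated_packages(SAMPLE_INSTALLED, FIXED_UBUNTU_9_10).items():
        print("%s: installed %s, advisory requires %s" % (pkg, have, need))
```

On a real host, replace `SAMPLE_INSTALLED` with the parsed output of `dpkg-query`; the comparison itself is the same one `dpkg --compare-versions` performs, so the two should always agree.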

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2.diff.gz
    Size/MD5 checksum:    11339 ab8089177ea598bae94487142efb7c32
  http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22.orig.tar.gz
    Size/MD5 checksum:  4931481 fcb56a527db138cfbe83e9cf7ed16179
  http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2.dsc
    Size/MD5 checksum:     1481 9202a190563dc229b3297d9748692e66

Architecture independent packages:

  http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2_all.deb
    Size/MD5 checksum:      860 a61eae34864fe101ed5c2ec8a3511411
  http://security.debian.org/pool/updates/main/t/transmission/transmission-common_1.22-1+lenny2_all.deb
    Size/MD5 checksum:    14854 7da6a8e90ea5ece48503cc2b6d5324b8

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_alpha.deb
    Size/MD5 checksum:   635620 03d3801c2313261d2f578c0a3b06db1a
  http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_alpha.deb
    Size/MD5 checksum:   493178 10bfd690bf97902a1ce556ff568c9161

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_amd64.deb
    Size/MD5 checksum:   526544 60fdd255828b74bfc5bf88e469924c7e
  http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_amd64.deb
    Size/MD5 checksum:   448664 da7f9bcffbb9f628b604d1f8421348cf

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_arm.deb
    Size/MD5 checksum:   489984 1d3a15a43977376100420f4ebab67b13
  http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_arm.deb
    Size/MD5 checksum:   424216 243ef4d6906701651cf12bf79fe2e682

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_armel.deb
    Size/MD5 checksum:   494624 87b5b59f5333471975ba277c37c30409
  http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_armel.deb
    Size/MD5 checksum:   423284 a2470ec71ae32eb102bdb32d4043b40a

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_hppa.deb
    Size/MD5 checksum:   585786 eb020bdf5c04a602bac0c5d4a96f1712
  http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_hppa.deb
    Size/MD5 checksum:   472772 061acf64ccd9332c01e8d4b56fc719b4

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_i386.deb
    Size/MD5 checksum:   480444 7d894d2e5dce801403fb1fb0385e9dce
  http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_i386.deb
    Size/MD5 checksum:   430638 09debafd690dd13fcf9b00d88e683667

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1
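The Size/MD5 pairs printed in this advisory (and, in a slightly different spelling, in the Ubuntu notices above) are meant to be checked against a downloaded file before `dpkg -i`. The following is an added example for this page, not part of the advisory and not a Debian tool: it parses both spellings of the manifest line (including the collapsed `Size/MD5:61062 ...` form seen in archived copies), then verifies file contents against the listed size and digest. `parse_manifest`, `verify_bytes` and `verify_file` are hypothetical helper names; the manifest text below mixes two lines copied from the advisories with one constructed entry whose digest is computed from constructed bytes. MD5 is no longer collision-resistant, so this catches download corruption and accidental mix-ups; it is not a substitute for verifying the advisory's PGP signature.

```python
import hashlib
import re
import tempfile

# Matches both the Ubuntu ("Size/MD5:") and Debian ("Size/MD5 checksum:")
# spellings, with or without whitespace after the colon.
_SIZE_MD5 = re.compile(r"Size/MD5(?: checksum)?:\s*(\d+)\s+([0-9a-fA-F]{32})")


def parse_manifest(text):
    """Return {filename: (size, md5)} from advisory text.

    A URL line is remembered and paired with the next Size/MD5 line that
    follows it; anything else is ignored.
    """
    entries = {}
    pending_url = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("http://") or line.startswith("https://"):
            pending_url = line
            continue
        m = _SIZE_MD5.search(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            entries[name] = (int(m.group(1)), m.group(2).lower())
            pending_url = None
    return entries


def verify_bytes(data, expected):
    """Check raw file bytes against an (size, md5) pair; return (ok, reason)."""
    size, md5 = expected
    if len(data) != size:
        return False, "size mismatch: got %d, expected %d" % (len(data), size)
    actual = hashlib.md5(data).hexdigest()
    if actual != md5:
        return False, "md5 mismatch: got %s, expected %s" % (actual, md5)
    return True, "ok"


def verify_file(path, entries):
    """Verify the file at path against the manifest entry with the same basename."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name not in entries:
        return False, "not listed in advisory"
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), entries[name])


# Constructed sample package bytes; not a real Debian package.
SAMPLE_DEB = b"constructed sample bytes, not a real Debian package\n"

# Two lines copied from the advisories on this page plus one constructed
# entry (example.invalid host, digest computed from SAMPLE_DEB).
SAMPLE_MANIFEST = """
  http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.7+nobinonly-0ubuntu0.9.10.1.dsc
    Size/MD5: 2940 50f7c1a9cb76736b95e0f74c0689dadb
  http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2_all.deb
    Size/MD5 checksum:      860 a61eae34864fe101ed5c2ec8a3511411
  http://example.invalid/pool/transmission-sample_1.22-1+lenny2_all.deb
    Size/MD5 checksum:%d %s
""" % (len(SAMPLE_DEB), hashlib.md5(SAMPLE_DEB).hexdigest())


def demo():
    """Write the sample bytes to a temp file and verify it against the manifest."""
    entries = parse_manifest(SAMPLE_MANIFEST)
    with tempfile.NamedTemporaryFile(
            suffix="transmission-sample_1.22-1+lenny2_all.deb", delete=False) as fh:
        fh.write(SAMPLE_DEB)
        path = fh.name
    return verify_file(path, entries)


if __name__ == "__main__":
    print(demo())
```

The basename lookup is deliberate: the same file name appears under several mirror URLs, and the advisory's digest applies to the file regardless of where it was fetched from.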

[Full-disclosure] dotProject 2.1.3 Multiple Vulnerabilities

2010-01-07 Thread Justin C. Klein Keane
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The full text of this advisory can also be found at
http://www.madirish.net/?article=444

Description of Vulnerability:
-----------------------------
dotProject (http://www.dotproject.net/) is a robust open source project
management tool written in PHP and MySQL.  dotProject contains numerous
serious cross site scripting (XSS) and SQL injection vulnerabilities.

Systems affected:
-----------------
dotProject 2.1.3 was tested and shown to be vulnerable

Mitigating factors
------------------
None of the vulnerabilities described below can be exploited by
unauthenticated users.  An attacker must have credentials to access the
site in order to perform the proof of concept attacks detailed below.

Cross Site Scripting Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The persistent cross site scripting attacks described below could expose
users to credential theft, browser based attacks (such as remote
iframe), invisible redirects (phishing), or other client side vectors.

== Company ===
The company creation screen fails to filter form details before creating
a new company.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new company
2.  Click the 'Companies' link in the top navigation bar
3.  Click the 'new company' button in the upper right
4.  Fill in "alert('xss');" for each field except for
phone, phone2, and fax.  These fields restrict the input size so simply
put "alert('1');" in these fields.
5.  Click the 'submit' button in the lower right hand corner
6.  On the resulting screen the company name XSS will appear.
7.  To view the other company XSS attacks browse to
index.php?m=companies&a=view&company_id=X where 'X' is the id of the new
company.  Alternatively you can click on the 'Projects' link in the top
navigation then the 'new project' button in the upper right.  Create a
new project, selecting the newly created company, which will appear as a
blank choice in the company drop down list.  Save the project and then
in the project list click on the company name.

Impact
Any user with the permissions to create new companies can expose other
users of dotProject to XSS attacks.

=== Project ===
The project creation screen fails to filter form details before creating
a new project.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new project
2.  Click the 'Projects' link in the top navigation bar
3.  Click the 'new project' button in the upper right
4.  Fill in "<script>alert('xss');</script>" for the 'Project Name',
'URL', 'Starting URL', and 'Description' fields
5.  Click the 'submit' button in the lower right hand corner
6.  On the resulting screen the project name XSS will appear.
7.  To view the other project XSS attacks browse to
index.php?m=projects&a=view&project_id=X where 'X' is the id of the new
project.

Impact
Any user with the permissions to create new projects can expose other
users of dotProject to XSS attacks.

=== Task ===
The task creation screen fails to filter form details before creating a
new task.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a task
2.  Click the 'Projects' link in the top navigation bar
3.  Click on a project name to which the user account has permissions
4.  Click the 'new task' button in the upper right
5.  Fill in "<script>alert('xss');</script>" for the 'Task Name', 'Web
Address', 'Description', and 'Description' fields
6.  Click on the 'Dates' tab and select an appropriate date
7.  Click the 'save' button in the lower right hand corner
8.  On the resulting screen the task name XSS will appear.
9.  To view the other task summary XSS attacks browse to
index.php?m=tasks&a=view&task_id=X where 'X' is the id of the new task.

Impact
Any user with the permissions to create new tasks can expose other users
of dotProject to XSS attacks.

=== Task Log ===
The task log creation screen fails to filter form details before
creating a new task log.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a task
2.  Click the 'Tasks' link in the top navigation bar
3.  Click on a task name to which the user account has permissions
4.  Click the 'New Log' tab
5.  Fill in "<script>alert('xss');</script>" for the 'Summary' and
'Description' fields, enter ""><script>alert('log url');</script>" for
the 'URL' field
6.  Click the 'update task' button in the lower right hand corner
7.  On the resulting screen the task name XSS will appear.
8.  To view the other task log XSS attacks browse to
index.php?m=tasks&a=view&task_id=X where 'X' is the id of the task.

Impact
Any user with the permissions to create new task logs (virtually all
dotProject users) can expose other users of dotProject to XSS attacks.

=== Files ===
The file attachment screen fails to filter form details before creating
a new file attachment.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a file
2.  Click the 'Files' link in the top navigation bar
3.  Click on a 'new folder' button
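The defect the advisory describes (form fields stored and later rendered without any encoding) is illustrated below with an added example that is not part of the advisory or of dotProject's own code. The record layout (`company_name`, `company_url`) is assumed for illustration; the field values are the advisory's own payloads, including the `">` attribute-breaking variant used against the 'URL' field, and the hardened renderer encodes each value for the context it lands in.

```python
"""Stored XSS: raw concatenation versus context-aware output encoding.

Added example modelled on the dotProject advisory; the record fields are
assumed names, not the project's schema.
"""
import html
from urllib.parse import urlsplit

# Constructed record using the advisory's payloads as the stored values.
COMPANY = {
    "company_name": "<script>alert('xss');</script>",
    "company_url": "\"><script>alert('log url');</script>",
}


def render_unsafe(rec):
    """Concatenate stored fields straight into HTML: the defective pattern.

    The name payload becomes a script element in a text node and the URL
    payload closes the href attribute early, so both execute.
    """
    return (f"<h1>{rec['company_name']}</h1>"
            f"<a href=\"{rec['company_url']}\">site</a>")


def safe_href(url):
    """Allow only absolute http(s) URLs inside an href; otherwise use '#'.

    Attribute encoding alone stops the '">' break-out but not a non-http
    scheme, so the value is validated before it is encoded.
    """
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return "#"


def render_safe(rec):
    """Encode per context: text node for the name, quoted attribute for the URL.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so a
    stored '">' can no longer terminate the attribute.
    """
    name = html.escape(rec["company_name"], quote=True)
    url = html.escape(safe_href(rec["company_url"]), quote=True)
    return f"<h1>{name}</h1><a href=\"{url}\">site</a>"


def contains_script(markup):
    """True if the rendered markup still carries a live <script> element."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(COMPANY))
    print("safe:  ", render_safe(COMPANY))
```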

[Full-disclosure] Web Issue phpinfo.php

2010-01-07 Thread Pablo Roberto
Hello all,

I am testing the tool nikto 2.1.0 against a Linux Box running Tomcat and
I have a doubt.

The report says that there could be a bug in the server: 

http://www.securityfocus.com/archive/1/430449


My surprise is that the server offers me to download the phpinfo.php

Has somebody found the same issue before today?
Any idea?

Regards and thanks in advance.





___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] iiscan

2010-01-07 Thread mrx
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

G-men use Gmail, how appropriate.

There is a point here, who's to say that there is full disclosure of the result 
of the scan?

But then again when professional and qualified pen-testers are used is there 
full disclosure?

"Each man has his price bob... and yours was pretty low".
Roger Waters

Who to trust?


I'm not professional nor skilled enough yet to trust myself, but when I am, I 
could still have an off day.
I am smart enough however to never submit a mission critical site to any online 
scanning system,
especially when unaware of the methods used. And I would never presume a site 
to be safe even if the scan reported so.

This system did reveal 3 low level security risks I did not detect with Nikto 
and Nessus.
However as I am a novice, this could have been a result of my lack of skill in 
using these tools.

mrx

Michael Holstein wrote:
>> This definitely sounds like a clueless federal agent.
>> Especially since he uses an autogenerated email address.
> 
> Yeah, because government employees want to state on-the-record from
> their @leo.gov email address that "China is bad, m'kay?". Actually, in
> all my (informal) contacts with FBI folks, I've never had one of them
> say to use their "official" email address, it's always Gmail (or
> something else) with PGP at the client side.
> 
> By the way, the FBI folks I've dealt with have been anything but
> clueless. It's the local Barney Fife types that provide the hilarity.
> 
>> Get with the program... the internet is wide open for people to scan.
> 
> True, but when I see a bunch of *unsolicited* scans I know they're
> malicious. You're asking for them, and then you don't know what happens
> to the results.
> 
> It's not paranoia when they really *are* out to get you.
> 
> Cheers,
> 
> Michael Holstein
> Cleveland State University
> 


- --
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk



Re: [Full-disclosure] iiscan

2010-01-07 Thread Michael Holstein

> This definitely sounds like a clueless federal agent.
> Especially since he uses an autogenerated email address.

Yeah, because government employees want to state on-the-record from
their @leo.gov email address that "China is bad, m'kay?". Actually, in
all my (informal) contacts with FBI folks, I've never had one of them
say to use their "official" email address, it's always Gmail (or
something else) with PGP at the client side.

By the way, the FBI folks I've dealt with have been anything but
clueless. It's the local Barney Fife types that provide the hilarity.

> Get with the program... the internet is wide open for people to scan.

True, but when I see a bunch of *unsolicited* scans I know they're
malicious. You're asking for them, and then you don't know what happens
to the results.

It's not paranoia when they really *are* out to get you.

Cheers,

Michael Holstein
Cleveland State University



Re: [Full-disclosure] iiscan

2010-01-07 Thread Benji
You didn't know that the Feds own hushmail?&€$#!!

Sent from my iPhone

On 7 Jan 2010, at 16:52, Jeffrey Walton  wrote:

> Hi Robin,
>
> Suppose that acquiring the code requires you to agree to unfavorable
> terms of service hidden somewhere on the site, including agreeing to
> future (and possibly unwanted) scans, agreeing to allow the company to
> plant malware, and indemnification.
>
> IMHO, I think auto454357 raised some valid concerns. As for the auto
> generated email, he/she used hushmail (instead of
> yahoo/hotmail/gmail), which tells me the person might not fit your
> classification.
>
> Jeff
>
> On Thu, Jan 7, 2010 at 11:16 AM, Robin Sage wrote:
>> This definitely sounds like a clueless federal agent.
>> Especially since he uses an autogenerated email address.
>> Get with the program... the internet is wide open for people to scan.
>>
>> 
>> From: Cody Robertson 
>> To: full-disclosure@lists.grok.org.uk
>> Sent: Thu, January 7, 2010 10:51:14 AM
>> Subject: Re: [Full-disclosure] iiscan
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On 1/7/10 10:18 AM, auto454...@hushmail.com wrote:
>>> So let me see if I got this the right way.
>>>
>>> You guys are allowing an unknown company to scan for your webapps,
>>> being those apps business critical or not. On top of that, the
>>> unknown company is based on a country where government supports
>>> acts of electronic espionage against other nations, mainly those
>>> where you guys are based.
>>>
>>> Is this correct? or am I missing something?
>>>
>>> [SNIP]
>


Re: [Full-disclosure] iiscan

2010-01-07 Thread Jeffrey Walton
Hi Robin,

Suppose that acquiring the code requires you to agree to unfavorable
terms of service hidden somewhere on the site, including agreeing to
future (and possibly unwanted) scans, agreeing to allow the company to
plant malware, and indemnification.

IMHO, I think auto454357 raised some valid concerns. As for the auto
generated email, he/she used hushmail (instead of
yahoo/hotmail/gmail), which tells me the person might not fit your
classification.

Jeff

On Thu, Jan 7, 2010 at 11:16 AM, Robin Sage  wrote:
> This definitely sounds like a clueless federal agent.
> Especially since he uses an autogenerated email address.
> Get with the program... the internet is wide open for people to scan.
>
> 
> From: Cody Robertson 
> To: full-disclosure@lists.grok.org.uk
> Sent: Thu, January 7, 2010 10:51:14 AM
> Subject: Re: [Full-disclosure] iiscan
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 1/7/10 10:18 AM, auto454...@hushmail.com wrote:
>> So let me see if I got this the right way.
>>
>> You guys are allowing an unknown company to scan for your webapps,
>> being those apps business critical or not. On top of that, the
>> unknown company is based on a country where government supports
>> acts of electronic espionage against other nations, mainly those
>> where you guys are based.
>>
>> Is this correct? or am I missing something?
>>
>> [SNIP]



Re: [Full-disclosure] VMware server (2.0.2) insecure file creation

2010-01-07 Thread Valdis . Kletnieks
On Wed, 06 Jan 2010 11:07:07 -0400, d...@sucuri.net said:
> Has anyone noticed that the files created by the VMware server
> installer all have 777 permissions?

Check your umask?

% ls -l /usr/lib/vmware/hostd/docroot/print.css
-r--r--r--. 1 root root 793 Dec 21 16:08 /usr/lib/vmware/hostd/docroot/print.css

I'm running with 'umask 022' - is yours set to 0?

(Yes, the install script *should* set the umask itself).




Re: [Full-disclosure] Geolocation Question

2010-01-07 Thread Dan Kaminsky

They're using wardriving. See www.wigle.net or skyhook.



On Jan 7, 2010, at 10:26 AM, "McGhee, Eddie" wrote:



http://www.theregister.co.uk/2010/01/05/geo_location_stealing_hack/

I am sure most of you would have seen this yesterday at some point.

I only have one question: how does Google get the information of MAC
addresses and locations?


I change my MAC quite a lot on my router when needing a new IP  
address if mitigating any attacks etc so does the ISP share this  
info with Google?


Isn't that a breach of privacy laws if this is the case?

If it is not the case then how does it pinpoint locations via MAC
address? Bearing in mind ARP is a non-routable protocol.


p.s. this worked for me and my friend around 1 mile away and the
accuracy was perfect!! I have got to say it got my house and my
friend's by 10 metres max! My other friend, same ISP, maybe 2-3 miles
away, shows nothing from his MAC.


Cheers!


Re: [Full-disclosure] iiScan - Full-function web application security scanning platform for free

2010-01-07 Thread Cody Robertson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 1/7/10 10:09 AM, Adrian liu wrote:
> Hello everybody,
> 
> I need a  valid invitation code to complete the registration of IIScan.com.
> Who can help me?
> Thanks a lot.
> 
> 
> 

5f7bac649224c1eb
af30832079267605
2986138b3d901cc1
747584abfb916cad
4d5c10cbadba36fe


On Wed, Jan 6, 2010 at 12:37 AM, McGhee, Eddie  wrote:
>> Hi.
>>
>> where can we receive a invite code to test?
>> 
>> From: full-disclosure-boun...@lists.grok.org.uk
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of iiScan
>> support
>> Sent: 05 January 2010 02:33
>> To: full-disclosure@lists.grok.org.uk
>> Subject: [Full-disclosure] iiScan - Full-function web application security
>> scanning platform for free
>>
>> Dear all friends:
>> iiScan is pleased to announce our new generation of Web Application
>> Security Evaluation Platform which is totally FREE. It provides web security
>> as a service through the Cloud; no installation of hardware or software is
>> needed. Here is some description:
>> i) New generation of web application security evaluation platform
>> iiScan provides a cloud-computing based security service which focuses on web
>> application security. With iiScan, you can get your web application assessed
>> by iiScan experts and the only thing you have to do is click the START
>> button. After that, a report containing all details of vulnerabilities or
>> risks of your website will be sent to your mailbox. Then you can fix it and
>> make your website safer.
>> ii) iiScan can detect and test most Web Vulnerabilities without manual
>> intervention:
>> SQL injection
>> Cross Site Scripting (XSS)
>> File Upload Vulnerability
>> Information Leakage
>> Insecure Direct Object References
>> Buffer overflow
>> Path Traversal
>> OS Commanding
>> Session Fixation
>> XPath Injection
>> ...
>> iii) Rich Statements
>> The statements we offer include abundant information. You can find all
>> the details about every vulnerability and fix it with our suggestions. We
>> also provide reports for web development and testing engineers.
>> iv) Easy to use
>> There is no longer technical research which is difficult to comprehend and no
>> process of configuration items. Through iiScan, you are the security expert
>> of web application security. And you can finish the security assessment of
>> web applications deeply and thoroughly through only several clicks.
>> v) Absolutely free
>> Security as a basic service should be provided free, so we firmly believe
>> that the security industry needs a revolution. As a new free service provider,
>> we build the domestic first and only assessment platform for security
>> assessment of web applications whose full functions are free. In the iiScan
>> platform, the basic policy of scanning is absolutely free.
>> We hope our work can help you. For more information please visit
>> http://www.iiScan.com/
>> Demo video can be found here: http://www.iiscan.com/help/manual
>> Sincerely
>> NOSEC iiScan support team
>> supp...@iiscan.com
>>
>>







[Full-disclosure] [USN-880-1] GIMP vulnerabilities

2010-01-07 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-880-1   January 07, 2010
gimp vulnerabilities
CVE-2009-1570, CVE-2009-3909
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  gimp2.4.5-1ubuntu2.1

Ubuntu 8.10:
  gimp2.6.1-1ubuntu3.1

Ubuntu 9.04:
  gimp2.6.6-0ubuntu1.1

Ubuntu 9.10:
  gimp2.6.7-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Stefan Cornelius discovered that GIMP did not correctly handle certain
malformed BMP files. If a user were tricked into opening a specially
crafted BMP file, an attacker could execute arbitrary code with the user's
privileges. (CVE-2009-1570)

Stefan Cornelius discovered that GIMP did not correctly handle certain
malformed PSD files. If a user were tricked into opening a specially
crafted PSD file, an attacker could execute arbitrary code with the user's
privileges. This issue only applied to Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-3909)


Updated packages for Ubuntu 8.04 LTS:


Re: [Full-disclosure] iiscan

2010-01-07 Thread Robin Sage
This definitely sounds like a clueless federal agent.
Especially since he uses an autogenerated email address.
Get with the program... the internet is wide open for people to scan.





From: Cody Robertson 
To: full-disclosure@lists.grok.org.uk
Sent: Thu, January 7, 2010 10:51:14 AM
Subject: Re: [Full-disclosure] iiscan

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 1/7/10 10:18 AM, auto454...@hushmail.com wrote:
> So let me see if I got this the right way. 
> 
> You guys are allowing an unknown company to scan for your webapps, 
> being those apps business critical or not. On top of that, the 
> unknown company is based on a country where government supports 
> acts of electronic espionage against other nations, mainly those 
> where you guys are based.
> 
> Is this correct? or am I missing something?
> 




Re: [Full-disclosure] iiscan results

2010-01-07 Thread Robin Sage
If anyone has any more invite codes please send one to me.
I tried the ones posted and they were not functional. 
I also emailed support and never received a response.

Has anyone compared this to AppScan, WebInspect, Sentinel, Qualys or Acunetix?
How many trials do you get per invite code? Just 1 app?

Thanks!





From: Jardel Weyrich 
To: p8x 
Cc: full-disclosure@lists.grok.org.uk
Sent: Thu, January 7, 2010 9:33:07 AM
Subject: Re: [Full-disclosure] iiscan results

It's probably trying to get different results/responses by changing
the values of some request headers. The most common scenario, as far
as I've seen, and as oddly as it might sound, is the User-Agent and
HTTP minor version.

A more verbose logging strategy would demystify. Or maybe Vincent?

On Thu, Jan 7, 2010 at 12:28 PM, p8x  wrote:
> Hi Jan,
>
> I am not sure what you mean.
>
> Maybe I should clarify, I used some bash magic to make it a bit easier
> to read the results from my log file. Here is a copy of the log pre me
> making it easy to read: http://pastebin.com/m512018cb
>
> If you read the above log file you will be able to see the duplicate
> requests, as an example these two time stamps have the same request:
>
> [07/Jan/2010:09:25:32 +0800]
> [07/Jan/2010:09:25:36 +0800]
>
> I did the test twice, so the results in my previous post that were
> requested twice can be ignored.
>
> p8x
>
> On 7/01/2010 10:08 PM, Jan G.B. wrote:
>> What you see is not an issue or error. It is, what the application is
>> supposed to do.
>>
>> * As you can see, these requests are not the same.
>> * Thinking about multiple POST requests on WP-Login or your "logs"
>> below, you could have guessed in the first place that the app is either
>> trying multiple Login/Password combinations or (as seen below) some
>> patterns to detect Injection possibilities.
>>
>> Regards
>>
>> 2010/1/7 p8x <l...@p8x.net>
>>
>> Hi Vincent,
>>
>> I also experienced the same issue as mrx. I did see multiple GET and POST
>> requests to the same page.
>>
>> As an example, I took a random page with a form on it, here are the
>> totals:
>>
>>  2 /password.html
>>  2 /password.html?key=8&form_validated=12345&submit_form=8
>>  2 /password.html?key=8&form_validated=12345&submit_form=8'
>>  2 /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='6
>>  2 /password.html?key=8&form_validated=12345&submit_form=8%20and%205=6
>>  2 /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=6%20and%20'%25'='
>>  2 /password.html?key=8&submit_form=8&form_validated=12345
>>  2 /password.html?key=8&submit_form=8&form_validated=12345'
>>  2 /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='6
>>  2 /password.html?key=8&submit_form=8&form_validated=12345%20and%205=6
>>  2 /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>>  2 /password.html?submit_form=8&form_validated=12345&key=8
>>  2 /password.html?submit_form=8&form_validated=12345&key=8'
>>  2 /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='6
>>  2 /password.html?submit_form=8&form_validated=12345&key=8%20and%205=6
>>  2 /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=6%20and%20'%25'='
>>  4 /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='5
>>  4 /password.html?key=8&form_validated=12345&submit_form=8%20and%205=5
>>  4 /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=5%20and%20'%25'='
>>  4 /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='5
>>  4 /password.html?key=8&submit_form=8&form_validated=12345%20and%205=5
>>  4 /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>>  4 /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='5
>>  4 /password.html?submit_form=8&form_validated=12345&key=8%20and%205=5
>>  4 /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=5%20and%20'%25'='
>>
>> Also, the contact forms on the websites I tested got hammered with
>> emails (and they also seemed to have duplicate requests).
>>
>> p8x
>>
>> On 7/01/2010 8:00 PM, mrx wrote:
>> > Vincent,
>> >
>> > Although the actual results of the scan were displayed in English
>> in the online html report,
>> > the suggested solutions were in 
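The thread above turns on two observations about the scanner's traffic: Jan G.B. reads the request list as boolean-based injection probes (each always-true condition such as `'5'='5` sent beside its always-false twin `'5'='6`), and Jardel suggests the apparent duplicates differ only in headers such as HTTP version or User-Agent. The following is an added example, not code from any of the posters or from iiScan, that runs both checks over constructed combined-format log lines modelled on p8x's entries; the IP address and regexes are constructed for the example.

```python
"""Spot boolean-based probe pairs and header-only duplicates in access logs.

Added example modelled on the request list p8x posted; log lines, the IP
address and the regexes are constructed here, not taken from iiScan.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Probe shape from the posted list: AND/OR followed by a numeric comparison,
# e.g. "8' and '5'='5" (always true) versus "8' and '5'='6" (always false).
PROBE_RE = re.compile(r"(?i)\b(?:and|or)\b\s*'?(\d+)'?\s*=\s*'?(\d+)'?")

# Constructed sample (documentation-range IP; timestamps as in the post).
SAMPLE_LOG = [
    '203.0.113.9 - - [07/Jan/2010:09:25:32 +0800] "GET /password.html?key=8&form_validated=12345&submit_form=8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jan/2010:09:25:36 +0800] "GET /password.html?key=8&form_validated=12345&submit_form=8 HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jan/2010:09:25:40 +0800] "GET /password.html?key=8&form_validated=12345&submit_form=8\'%20and%20\'5\'=\'5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jan/2010:09:25:41 +0800] "GET /password.html?key=8&form_validated=12345&submit_form=8\'%20and%20\'5\'=\'6 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jan/2010:09:25:42 +0800] "GET /password.html?key=8&form_validated=12345&submit_form=8%25\'%20and%205=5%20and%20\'%25\'=\' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jan/2010:09:25:43 +0800] "GET /password.html?key=8%20and%205=6&form_validated=12345&submit_form=8 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qsl percent-decodes values, so "'%20and%20'5'='5" becomes "' and '5'='5"
    rec["qs"] = parse_qsl(urlsplit(rec["path"]).query, keep_blank_values=True)
    return rec


def classify(value):
    """Return 'true', 'false' or None for a decoded parameter value."""
    m = PROBE_RE.search(value)
    if not m:
        return None
    return "true" if m.group(1) == m.group(2) else "false"


def boolean_probe_pairs(lines):
    """(path, param) -> probe kinds seen, kept only where both kinds occur.

    A parameter hit with both an always-true and an always-false condition
    is the signature of a boolean-based injection test.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path
        for name, value in rec["qs"]:
            kind = classify(value)
            if kind:
                seen[(path, name)].add(kind)
    return {k: v for k, v in seen.items() if {"true", "false"} <= v}


def repeated_variants(lines):
    """(method, full path) -> {(http version, user agent)} with more than one.

    These are the "duplicate" requests of the thread: same URL, different
    header-level detail.
    """
    variants = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            variants[(rec["method"], rec["path"])].add((rec["ver"], rec["ua"]))
    return {k: v for k, v in variants.items() if len(v) > 1}


if __name__ == "__main__":
    for key, kinds in boolean_probe_pairs(SAMPLE_LOG).items():
        print("boolean probe pair:", key, sorted(kinds))
    for key, hdrs in repeated_variants(SAMPLE_LOG).items():
        print("header-only repeat:", key, sorted(hdrs))
```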

Re: [Full-disclosure] iiscan

2010-01-07 Thread Cody Robertson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 1/7/10 10:18 AM, auto454...@hushmail.com wrote:
> So let me see if I got this the right way. 
> 
> You guys are allowing an unknown company to scan for your webapps, 
> being those apps business critical or not. On top of that, the 
> unknown company is based on a country where government supports 
> acts of electronic espionage against other nations, mainly those 
> where you guys are based.
> 
> Is this correct? or am I missing something?
> 

Call me cynical but unless you're trying to scan something that's
supposed to be private it's wide open anyway - who cares if you send
them a URL? They're fully capable of scraping URLs - having someone
simply submit it isn't really going to benefit them much.

You forgot the tin foil hat.



[Full-disclosure] iiscan

2010-01-07 Thread auto454357
So let me see if I got this the right way. 

You guys are allowing an unknown company to scan for your webapps, 
being those apps business critical or not. On top of that, the 
unknown company is based on a country where government supports 
acts of electronic espionage against other nations, mainly those 
where you guys are based.

Is this correct? or am I missing something?



Re: [Full-disclosure] iiScan - Full-function web application security scanning platform for free

2010-01-07 Thread Adrian liu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello everybody,

I need a valid invitation code to complete the registration of IIScan.com.
Who can help me?
Thanks a lot.




On Wed, Jan 6, 2010 at 12:37 AM, McGhee, Eddie  wrote:
> Hi.
>
> where can we receive a invite code to test?
> 
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of iiScan
> support
> Sent: 05 January 2010 02:33
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] iiScan - Full-function web application security
> scanning platform for free
>
> Dear all friends:
> iiScan is pleased to announce our new generation of Web Application
> Security Evaluation Platform which is totally FREE. It provides web security
> as a service through the Cloud; no installation of hardware or software is
> needed. Here is some description:
> i) New generation of web application security evaluation platform
> iiScan provides a cloud-computing based security service which focuses on web
> application security. With iiScan, you can get your web application assessed
> by iiScan experts and the only thing you have to do is click the START
> button. After that, a report containing all details of vulnerabilities or
> risks of your website will be sent to your mailbox. Then you can fix it and
> make your website safer.
> ii) iiScan can detect and test most Web Vulnerabilities without manual
> intervention:
> SQL injection
> Cross Site Scripting (XSS)
> File Upload Vulnerability
> Information Leakage
> Insecure Direct Object References
> Buffer overflow
> Path Traversal
> OS Commanding
> Session Fixation
> XPath Injection
> ...
> iii) Rich Statements
> The statements we offer include abundant information. You can find all
> the details about every vulnerability and fix it with our suggestions. We
> also provide reports for web development and testing engineers.
> iv) Easy to use
> There is no longer technical research which is difficult to comprehend and no
> process of configuration items. Through iiScan, you are the security expert
> of web application security. And you can finish the security assessment of
> web applications deeply and thoroughly through only several clicks.
> v) Absolutely free
> Security as a basic service should be provided free, so we firmly believe
> that the security industry needs a revolution. As a new free service provider,
> we build the domestic first and only assessment platform for security
> assessment of web applications whose full functions are free. In the iiScan
> platform, the basic policy of scanning is absolutely free.
> We hope our work can help you. For more information please visit
> http://www.iiScan.com/
> Demo video can be found here: http://www.iiscan.com/help/manual
> Sincerely
> NOSEC iiScan support team
> supp...@iiscan.com
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Adrian Liu



[Full-disclosure] [SECURITY] [DSA 1966-1] New horde3 packages fix cross-site scripting

2010-01-07 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1966-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
January 07, 2010   http://www.debian.org/security/faq
- 

Package: horde3
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2009-3237 CVE-2009-3701 CVE-2009-4363

Several vulnerabilities have been found in horde3, the horde web application
framework. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3237

It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.

CVE-2009-3701

It has been discovered that the horde3 administration interface is prone
to cross-site scripting attacks due to the use of the PHP_SELF variable.
This issue can only be exploited by authenticated administrators.

CVE-2009-4363

It has been discovered that horde3 is prone to several cross-site
scripting attacks via crafted data:text/html values in HTML messages.


For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2+lenny2.

For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch7.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 3.3.6+debian0-1.


We recommend that you upgrade your horde3 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.dsc
Size/MD5 checksum:  691 48b9e415b5f6ab912615d4da1fdbf972
  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.diff.gz
Size/MD5 checksum:17280 15471b64c8321f477800da4cfe3ff8e4
  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
Size/MD5 checksum:  5232958 fbc56c608ac81474b846b1b4b7bb5ee7

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7_all.deb
Size/MD5 checksum:  5282070 b0788ebca983b9059a7fa05ada2de4cb


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.dsc
Size/MD5 checksum: 1389 c7d03777a3a09845206364f689752f30
  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.diff.gz
Size/MD5 checksum:27993 866df86724501fbd550d5e164e4cdd3c
  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
Size/MD5 checksum:  7180761 fb22a594bbdad07a0fbeef035a6d2f39

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2_all.deb
Size/MD5 checksum:  7240984 9298abd370d67b6a4861f015e330d1c5


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktFssAACgkQ62zWxYk/rQf9kACgmyXz0l/5q9TZiiafcbmrEWqf
x/8An3Daz3amIFFmj0uGbiQ+g4CtZw9w
=4/Rk
-END PGP SIGNATURE-



[Full-disclosure] Geolocation Question

2010-01-07 Thread McGhee, Eddie
http://www.theregister.co.uk/2010/01/05/geo_location_stealing_hack/

I am sure most of you would have seen this yesterday at some point.

I only have one question: how does Google get the information about MAC
addresses and locations?

I change my MAC quite a lot on my router when needing a new IP address, if
mitigating any attacks etc., so does the ISP share this info with Google?

Isn't that a breach of privacy laws if this is the case?

If it is not the case then how does it pinpoint locations via MAC address?
Bearing in mind ARP is a non-routable protocol.

P.S. This worked for me and my friend around 1 mile away and the accuracy was
perfect!! I've got to say it got my house and my friend's to within 10 metres max! My
other friend, same ISP, maybe 2-3 miles away, shows nothing from his MAC.

Cheers!


[Full-disclosure] pdp petkov files still available?

2010-01-07 Thread excuseme
Back in Aug. 2008 GNUCITIZEN pdp petkov was hacked and his files
were exposed.
I wonder whether these files are still available. Are they?

~ excuseme



[Full-disclosure] [SECURITY] [DSA-1965-1] New phpldapadmin packages fix remote file inclusion

2010-01-07 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1965  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
January 06, 2010http://www.debian.org/security/faq
- 


Package: phpldapadmin
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
Debian bug : 561975
CVE Id : CVE-2009-4427


It was discovered that phpLDAPadmin, a web based interface for administering
LDAP servers, doesn't sanitize an internal variable, which allows remote
attackers to include and execute arbitrary local files.


The oldstable distribution (etch) is not affected by this problem.

For the stable distribution (lenny), this problem has been fixed in version
1.1.0.5-6+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version
1.1.0.7-1.1


We recommend that you upgrade your phpldapadmin package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

Source archives:


http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny1.dsc
Size/MD5 checksum: 1068 ebc99daefc4b94085ad54ce370e7dfed

http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_1.1.0.5.orig.tar.gz
Size/MD5 checksum:  1031912 5ea78a6758e347c77ef291882675f266

http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny1.diff.gz
Size/MD5 checksum:21645 99a56a04aebcd351d9ad737b36d7d553

Architecture independent packages:


http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny1_all.deb
Size/MD5 checksum:   933570 eedb4237de11744a51142a9dfeaec806


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktE1mgACgkQNxpp46476apVFwCgj7EiNolAq4RfakCpV/44s+op
83kAn1l104MRaWGUTS6ZWFHMELiWmhHx
=avux
-END PGP SIGNATURE-



[Full-disclosure] VMware server (2.0.2) insecure file creation

2010-01-07 Thread dd
Has anyone noticed that the files created by the VMware server
installer all have 777 permissions?

I just installed it on two systems with the same problem.

These are the alerts coming from ossec (the whole /usr/lib/vmware is 777):

File '/usr/lib/vmware/hostd/docroot/print.css' is owned by root and
has written permissions to anyone.
File '/usr/lib/vmware/hostd/docroot/client/clients.xml' is owned by
root and has written permissions to anyone.
File '/usr/lib/vmware/hostd/docroot/sdk/vim.wsdl' is owned by root and
has written permissions to anyone.
.. more hundred files...
File '/usr/lib/vmware/hostd/docroot/sdk/vimServiceVersions.xml' is
owned by root and has written permissions to anyone.
File '/usr/lib/vmware/hostd/docroot/error-32x32.png' is owned by root
and has written permissions to anyone.

Link to it:
http://blog.sucuri.net/2010/01/vmware-insecure-file-creation.html


--dd
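
As an added example (not from dd's post, and not OSSEC or VMware code), here is a small Python audit that reproduces the check behind those alerts on any directory tree and can strip the offending bit afterwards. The sample tree it builds in a temp directory is constructed to mimic the paths quoted above; the 777 modes on it are assumed for the demonstration, not taken from a real install.

```python
"""Audit a directory tree for world-writable files, the condition the
ossec alerts above report for /usr/lib/vmware.

Added example; assumes a POSIX filesystem. The sample tree is constructed
in a temporary directory and is not a real VMware install.
"""
import os
import stat
import tempfile


def world_writable(root, owner_uid=None):
    """Return sorted paths under `root` whose mode grants write to 'other'.

    If owner_uid is given, only entries owned by that uid are reported
    (pass 0 to mirror the "owned by root and writable by anyone" alerts).
    Symlinks are skipped so a link into /tmp does not produce false hits.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if not st.st_mode & stat.S_IWOTH:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def fix_permissions(paths, dry_run=True):
    """Strip the 'other' write bit from each path; return {path: new_mode}.

    With dry_run=True nothing is changed, so the report can be reviewed
    before remediation is applied.
    """
    result = {}
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        new_mode = mode & ~stat.S_IWOTH
        if not dry_run:
            os.chmod(path, new_mode)
        result[path] = new_mode
    return result


def build_sample_tree():
    """Construct a throwaway tree mimicking the layout in the alerts."""
    root = tempfile.mkdtemp(prefix="vmware-audit-")
    docroot = os.path.join(root, "hostd", "docroot")
    os.makedirs(os.path.join(docroot, "sdk"))
    samples = {
        "print.css": 0o777,                     # constructed: world-writable
        os.path.join("sdk", "vim.wsdl"): 0o777,  # constructed: world-writable
        "error-32x32.png": 0o644,               # constructed: sane mode
    }
    for rel, mode in samples.items():
        path = os.path.join(docroot, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(docroot, 0o777)  # the directory itself is 777, as in the post
    os.chmod(os.path.join(docroot, "sdk"), 0o755)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in world_writable(sample_root):
        print("world-writable:", hit)
    print(fix_permissions(world_writable(sample_root), dry_run=False))
```

On a real host run it as root against the install path, e.g. world_writable('/usr/lib/vmware', owner_uid=0), review the list, and only then call fix_permissions with dry_run=False; a reinstall or upgrade of the package may recreate the modes, so the check is worth keeping in whatever integrity monitoring (ossec here) already runs.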



[Full-disclosure] Need a invitation code of the IIScan.com for test.

2010-01-07 Thread Adrian liu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello everybody,

I need a valid invitation code to complete the registration of IIScan.com.
Who can help me?
Thanks a lot.

- --
Adrian Liu


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.12 (MingW32)
Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.10)

iQIcBAEBAgAGBQJLRfyZAAoJEJU/p50NjqCswM4QAKcS0jvDZplXTXz6cLFpfIBi
QiQcskcYV9ntxWFE98AnnPQwMHJArtZjcojTeXXaoAexQF3Xr1R2Qe2toK4dX+JV
Tvje1VrrKhU9JPnRsFt7F7cu/Dj/leoLstRmxLTdfvWwV0SRK98ScRHkE2DlI5BD
ptJWC3vnyOSLlttwX3+9iXryz246J2f3XWC+PNQlKEHn+3auvCxVB4QXYisnlUK4
ZHT/CzOav4CcEhsbMGWoNV7yx/TrI6b1z/lluVQp5v1KsURfOxhY0K43qwjzX68L
4Thf+JkVs1/HUFKwMdFJ/qGNCNadNskCWyINoIM2b9h7h/TKBq6PpwT/0XAXcZ72
JDmcusV7jxMuK4dbpRcMGrgyeu59N2wMexdEOlws5XmconjSBkPtGajWBLnxxT13
cixTcO74WKcFRKRyzOWLk+sJas6HDcJPVke99gzCwZh8IBXbX4rQqfAVj4obpazH
/kip5Y49LsGqNduRsigH7lwtAtQvjAhgmCiLHCI+snQjDR43xMmnAjfZaq2whb5q
Qlx8lw8Gzs+sgxiOGU4adRfLBRSBRwMEdIu2Jg3idaAJteW5dNIVAgJ6v1n58mxK
CzozP4gmMq+5Wps0Kr7GbxDRETXfq7bxnT1eYoxz4A6I96uKnHcKSnr1ykPjrk+G
Q4K2M80K7zt8Rs+JDI/d
=aMOg
-END PGP SIGNATURE-



Re: [Full-disclosure] iiscan results

2010-01-07 Thread mrx
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Adrian liu wrote:
> Hi all,
> 
> Is there any valid invitation code?
> 
> Best Regards,
> 
> 

Adrian,

check the:

iiScan - Full-function web application security scanning platform for free

thread

Many have been posted, though I cannot guarantee all have not been used.

regards mrx





- --
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBS0X3/bIvn8UFHWSmAQLM5ggA0PAoKOgs36pUmW1QrSawSXkWCKCuOK5r
ZkWhubBllrG7jfgT+R6s0PYsYbNvKROk5maE+XV2sv4NPV2oZB1ZWMCHKf2WB2Dm
AsbN+y3kc+UHieyNs4PsjGX8FdelLBEQpmvbJKQ32gkeFzPiJcqN8n6qu1q77rHI
ikOuPl4v59XHGUM1Hkr1tyzlBQ3QGTf3fmqEGAvZYstQfh0e9D3NxSiargBUX/6i
cCX/t8oHFcdbqjBtmZBAQ8CqdfBjRwq67QUl6XYANfyHLfzsCQLHMiaZMYlLy8uC
hnjzLCULgOLj9laWdl/NcvdEoGFNdhqb2U+WN1cod/cYKPRk14qjSA==
=MYaM
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2009:300-2 ] apache-conf

2010-01-07 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2009:300-2
 http://www.mandriva.com/security/
 ___

 Package : apache-conf
 Date: January 7, 2010
 Affected: 2008.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in apache-conf:
 
 The Apache HTTP Server enables the HTTP TRACE method per default
 which allows remote attackers to conduct cross-site scripting (XSS)
 attacks via unspecified web client software (CVE-2009-2823).
 
 This update provides a solution to this vulnerability.

 Update:

 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2823
 http://www.kb.cert.org/vuls/id/867593
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 e4add07b886a421101be638c495e36d3  
2008.0/i586/apache-conf-2.2.6-1.1mdv2008.0.i586.rpm 
 e5312c85bedded03f9f8f20a0385a377  
2008.0/SRPMS/apache-conf-2.2.6-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 1f0b1fc20f619ef688b180e354337456  
2008.0/x86_64/apache-conf-2.2.6-1.1mdv2008.0.x86_64.rpm 
 e5312c85bedded03f9f8f20a0385a377  
2008.0/SRPMS/apache-conf-2.2.6-1.1mdv2008.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLRcormqjQ0CJFipgRApIzAKCQ7NYtqf07rGnVs3x8m+RNdnVLZwCfVIfW
eIg2oUI/jK9ZoHYXrZLrr+A=
=+D0t
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2009:300-1 ] apache-conf

2010-01-07 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2009:300-1
 http://www.mandriva.com/security/
 ___

 Package : apache-conf
 Date: January 7, 2010
 Affected: 2009.1
 ___

 Problem Description:

 A vulnerability was discovered and corrected in apache-conf:
 
 The Apache HTTP Server enables the HTTP TRACE method per default
 which allows remote attackers to conduct cross-site scripting (XSS)
 attacks via unspecified web client software (CVE-2009-2823).
 
 This update provides a solution to this vulnerability.

 Update:

 The wrong package was uploaded for 2009.1. This update addresses
 that problem.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2823
 http://www.kb.cert.org/vuls/id/867593
 ___

 Updated Packages:

 Mandriva Linux 2009.1:
 d20085bdf2db6c017ae2bbd1e66b95a3  
2009.1/i586/apache-conf-2.2.11-5.1mdv2009.1.i586.rpm 
 528faefad6aa4272aa1f4eb028ffa738  
2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 3621be7e9f192f73f0c0435891d5ee1e  
2009.1/x86_64/apache-conf-2.2.11-5.1mdv2009.1.x86_64.rpm 
 528faefad6aa4272aa1f4eb028ffa738  
2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLRcf1mqjQ0CJFipgRAu1hAKD028okjckw8ACr/FJhfKYKLYaWKACfYIQK
uxRECffkMfmnBqa56GkQhAA=
=MP9m
-END PGP SIGNATURE-



Re: [Full-disclosure] iiscan results

2010-01-07 Thread mrx
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Thierry,

Thanks for the pointer...Done ;-)

regards mrx

Thierry Zoller wrote:
> Hi mrx,
> 
> POST data is not included in Apache logs by default; google how to
> configure Apache to log more details (verbose).
> 
> m> -BEGIN PGP SIGNED MESSAGE-
> m> Hash: SHA1
> 
> m> Hi Thierry,
> 
> m> Could you please elucidate?
> m> Although not a complete newbie, I am a novice with regard to security and 
> Apache.
> m> I would have thought that all data in the POST request would be recorded in 
> the Apache logs.
> 
> m> Is this the way Apache logging works?
> m> Or can an attacker craft a request in such a way that the changing
> m> posted data you mention is not visible?
> 
> m> A quick scroogle for "html post request spoofing" did not produce the 
> desired results,
> m> so any link to subject matter covering this would be appreciated.
> 
> m> I respond to you directly, because you contacted me off list :)
> 
> m> Thank you
> m> regards mrx
> 
> 
> 
> 
> m> Thierry Zoller wrote:
>>> Hi mrx,
>>>
>>> Your logs don't show the posted data that actually changes ;)
>>>
>>> m> -BEGIN PGP SIGNED MESSAGE-
>>> m> Hash: SHA1
>>>
>>> m> Vincent,
>>>
>>> m> Although the actual results of the scan were displayed in English in the 
>>> online html report,
>>> m> the suggested solutions were in fact in Chinese.
>>>
>>> m> Checking my access logs reveals multiple attempts of the same
>>> m> attack/probe, for example multiple identical POSTs to the same page:
>>>
>>> m> 216.18.22.46 - - [06/Jan/2010:11:33:01 +] "POST
>>> m> /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 
>>> (compatible; MSIE 7.0; Windows
>>> m> NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>>>
>>> m> There are around 100 entries identical to the above in my log. I
>>> m> don't know if this is by design or not but it does seem to be a little 
>>> inefficient.
>>>
>>>
>>> m> I also noticed there were no attempts at information disclosure
>>> m> via the TRACE method, nor were any attempts made at SQL injection 
>>> despite my
>>> m> selecting "all" in the scan options. Not that my site is vulnerable in 
>>> any way ;-)
>>>
>>> m> Hope this helps
>>>
>>> m> regards
>>> m> mrx
>>>
>>>
>>>
>>> m> Vincent Chao wrote:
> Thank you for your analysis. It really helps me.
>
> And I also found the PDF report mail to us is in Chinese, in the website 
> of
> iiScan, however, to see the report of html or PDF format is English (of
> course can change to Chinese).
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of mrx
> Sent: Wednesday, January 06, 2010 8:45 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] iiscan results
>
> Well, this scanner managed to find a couple of low level vulnerabilities 
> on
> my site which were missed by both Nikto and Nessus.
>
> Two directories allowed a directory listing and a test.php file I created,
> an information disclosure vulnerability, was also detected. My dumb
> ass forgot to delete this "test.php" file after I finished testing the
> server.
>
> Possible sensitive directories were also listed, however browsing to these
> directories returned 403 errors, blank pages or a wordpress logon
> prompt, which is what I expected.
>
> So all in all this scanner seems to do it's job well. At least for a LAMP
> server running wordpress
>
> Of course I have addressed the vulnerabilities reported.
>
> My command of the Chinese language is limited to zero, so I cannot
> understand the pdf report emailed to me nor the information within the web
> based report. Hopefully the developers will address this language problem.
>
> regards
> mrx
>
>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
> 
> 
> 
> 
> 


- --
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBS0XzNLIvn8UFHWSmAQLfsAf8C9xFp/AZ9HXiYwc0aRDXjZ8ApcT+GOTL
+26/SSyTDaS3urSrAXZ/pn6BRAW+/VANfUlgyvEfdGi2JaHtSiFOR3ZI5IMlhKpL
RW+fTE6PWDSsuYihdrpwCTasnGU91+3P/P6UZe4aBfznXyJMYUoO/xzi06/uu2pF
DSyOrDceNy4chBnJSOha/DMAu9xl6Gr7ALtJ9BvgpP4K2RJd1uYp66nrOXIPqR+L
LLuUZEvVx06UwWS8zJCjr2Zy686a6HraCg6TqvuKmO5rYthvSAjt+nOeWlaymIba
IMxa2PzZ5YEb9hcEMSsJ2eaBmVHlRqLglphYr+bJbTmzt2rEikvPwQ==
=MTM8
-END PGP SIGNATURE-


Re: [Full-disclosure] iiscan results

2010-01-07 Thread Jardel Weyrich
It's probably trying to get different results/responses by changing
the values of some request headers. The most common scenario, as far
as I've seen, and as oddly as it might sound, is the User-Agent and
HTTP minor version.

A more verbose logging strategy would demystify. Or maybe Vincent?

On Thu, Jan 7, 2010 at 12:28 PM, p8x  wrote:
> Hi Jan,
>
> I am not sure what you mean.
>
> Maybe I should clarify, I used some bash magic to make it a bit easier
> to read the results from my log file. Here is a copy of the log pre me
> making it easy to read: http://pastebin.com/m512018cb
>
> If you read the above log file you will be able to see the duplicate
> requests; as an example, these two time stamps have the same request:
>
> [07/Jan/2010:09:25:32 +0800]
> [07/Jan/2010:09:25:36 +0800]
>
> I did the test twice, so the results in my previous post that were
> requested twice can be ignored.
>
> p8x
>
> On 7/01/2010 10:08 PM, Jan G.B. wrote:
>> What you see is not an issue or error. It is what the application is
>> supposed to do.
>>
>> * As you can see, these requests are not the same.
>> * Thinking about multiple POST requests on WP-Login or your "logs"
>> below, you could have guessed in the first place that the app is either
>> trying multiple Login/Password combinations or (as seen below) some
>> patterns to detect Injection possibilities.
>>
>> Regards
>>
>> 2010/1/7 p8x
>>
>>     Hi Vincent,
>>
>>     I also experienced the same issue as mrx. I did see multiple get and post
>>     requests to the same page.
>>
>>     As an example, I took a random page with a form on it, here are the
>>     totals:
>>
>>          2 /password.html
>>          2 /password.html?key=8&form_validated=12345&submit_form=8
>>          2 /password.html?key=8&form_validated=12345&submit_form=8'
>>          2
>>     
>> /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='6
>>          2
>>     
>> /password.html?key=8&form_validated=12345&submit_form=8%20and%205=6
>>          2
>>     
>> /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=6%20and%20'%25'='
>>          2 /password.html?key=8&submit_form=8&form_validated=12345
>>          2 /password.html?key=8&submit_form=8&form_validated=12345'
>>          2
>>     
>> /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='6
>>          2
>>     
>> /password.html?key=8&submit_form=8&form_validated=12345%20and%205=6
>>          2
>>     
>> /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>>          2 /password.html?submit_form=8&form_validated=12345&key=8
>>          2 /password.html?submit_form=8&form_validated=12345&key=8'
>>          2
>>     
>> /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='6
>>          2
>>     
>> /password.html?submit_form=8&form_validated=12345&key=8%20and%205=6
>>          2
>>     
>> /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=6%20and%20'%25'='
>>          4
>>     
>> /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='5
>>          4
>>     
>> /password.html?key=8&form_validated=12345&submit_form=8%20and%205=5
>>          4
>>     
>> /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=5%20and%20'%25'='
>>          4
>>     
>> /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='5
>>          4
>>     
>> /password.html?key=8&submit_form=8&form_validated=12345%20and%205=5
>>          4
>>     
>> /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>>          4
>>     
>> /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='5
>>          4
>>     
>> /password.html?submit_form=8&form_validated=12345&key=8%20and%205=5
>>          4
>>     
>> /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=5%20and%20'%25'='
>>
>>     Also, the contact forms on the websites I tested got hammered with
>>     emails (and they also seemed to have duplicate requests).
>>
>>     p8x
>>
>>     On 7/01/2010 8:00 PM, mrx wrote:
>>     > Vincent,
>>     >
>>     > Although the actual results of the scan were displayed in English
>>     in the online html report,
>>     > the suggested solutions were in fact in Chinese.
>>     >
>>     > Checking my access logs reveals multiple attempts of the same
>>     attack/probe, for example multiple identical POSTs to the same page:
>>     >
>>     > 216.18.22.46 - - [06/Jan/2010:11:33:01 +] "POST
>>     /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0
>>     (compatible; MSIE 7.0; Windows
>>     > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>>     >
>>     > There are around 100 entries identical to the above in my log. I
>>     don't know if 
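
Added example, written for this thread rather than taken from any post or from iiScan/JSky: a short Python pass over combined-format access-log lines that groups requests by the fields the log actually records (so lines differing only in the POST body, or in a header the LogFormat does not write, collapse into one key, which is Thierry's point) and flags the probe types discussed here (the and 5=5 / and '5'='6 pairs in p8x's tally, TRACE, the JSky User-Agent). The log lines are constructed from fragments quoted in the thread and are not a real capture; the SQLi marker regex is a deliberately narrow heuristic and an assumption of this example, not a claim about how the scanner works.

```python
"""Group Apache access-log lines by what the log records and flag scanner
probes. Added example for the thread above; the sample log is constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Narrow heuristic (assumption of this example) for boolean-blind SQLi
# probes of the "and 5=5" / "and '5'='6" shape seen in p8x's tally.
SQLI_RE = re.compile(r"(?i)(^|\W)and\s+'?\d+'?\s*=\s*'?\d+'?")

# User-Agent substrings of scanners named in the thread.
SCANNER_AGENTS = ("NOSEC.JSky", "Nikto")


def parse_line(line):
    """Return the combined-format fields as a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Label one parsed entry: 'trace', 'sqli-probe', 'scanner-ua' or 'normal'."""
    if entry["method"] == "TRACE":
        return "trace"
    if SQLI_RE.search(unquote(entry["path"])):
        return "sqli-probe"
    if any(tag in entry["agent"] for tag in SCANNER_AGENTS):
        return "scanner-ua"
    return "normal"


def summarize(lines):
    """Count repeats per (client, method, path, protocol, agent) and tally
    categories. Requests that differ only in the POST body, or in a header
    the LogFormat does not record, share a key here: that is why the
    wp-login POSTs in the thread look identical in the access log."""
    repeats, categories, skipped = Counter(), Counter(), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        key = (entry["host"], entry["method"], entry["path"],
               entry["proto"], entry["agent"])
        repeats[key] += 1
        categories[classify(entry)] += 1
    return {"repeats": repeats, "categories": categories, "skipped": skipped}


def combined_line(host, ts, request, status, size, agent, referer="-"):
    """Render one combined-format line; used only to build the sample."""
    return '%s - - [%s] "%s" %d %d "%s" "%s"' % (
        host, ts, request, status, size, referer, agent)


# Constructed sample assembled from fragments quoted in the thread; not a
# real capture. The client IP and User-Agent are the ones mrx posted.
JSKY_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
           ".NET CLR 2.0.50727) NOSEC.JSky/1.0")
SAMPLE_LOG = [
    combined_line("216.18.22.46", "06/Jan/2010:11:33:01 +0000",
                  "POST /properblog/wp-login.php HTTP/1.0", 200, 2554, JSKY_UA),
    combined_line("216.18.22.46", "06/Jan/2010:11:33:02 +0000",
                  "POST /properblog/wp-login.php HTTP/1.0", 200, 2554, JSKY_UA),
    combined_line("216.18.22.46", "06/Jan/2010:11:33:03 +0000",
                  "GET /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='5 HTTP/1.1",
                  200, 1802, JSKY_UA),
    combined_line("216.18.22.46", "06/Jan/2010:11:33:04 +0000",
                  "GET /password.html?key=8&form_validated=12345&submit_form=8%20and%205=6 HTTP/1.1",
                  200, 1802, JSKY_UA),
    combined_line("216.18.22.46", "06/Jan/2010:11:33:05 +0000",
                  "TRACE / HTTP/1.1", 405, 312, JSKY_UA),
    combined_line("10.0.0.5", "06/Jan/2010:11:40:00 +0000",
                  "GET /index.html HTTP/1.1", 200, 5120,
                  "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"),
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("skipped:", report["skipped"])
    print("categories:", dict(report["categories"]))
    for key, n in report["repeats"].most_common():
        if n > 1:
            print("%d x %s %s from %s" % (n, key[1], key[2], key[0]))
```

The repeat counter only sees the five logged fields, so two POSTs with different bodies count as one key; if that distinction matters, the log has to be made more verbose, as Thierry says, before any script can tell them apart. The category tally is what a defender would alert on: a single client producing TRACE requests and SQLi-shaped query strings under a scanner User-Agent.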

Re: [Full-disclosure] iiscan results

2010-01-07 Thread p8x
Hi Jan,

I am not sure what you mean.

Maybe I should clarify, I used some bash magic to make it a bit easier
to read the results from my log file. Here is a copy of the log pre me
making it easy to read: http://pastebin.com/m512018cb

If you read the above log file you will be able to see the duplicate
requests; as an example, these two time stamps have the same request:

[07/Jan/2010:09:25:32 +0800]
[07/Jan/2010:09:25:36 +0800]

I did the test twice, so the results in my previous post that were
requested twice can be ignored.

p8x

On 7/01/2010 10:08 PM, Jan G.B. wrote:
> What you see is not an issue or error. It is what the application is
> supposed to do.
> 
> * As you can see, these requests are not the same. 
> * Thinking about multiple POST requests on WP-Login or your "logs"
> below, you could have guessed in the first place that the app is either
> trying multiple Login/Password combinations or (as seen below) some
> patterns to detect Injection possibilities.
> 
> Regards
> 
> 2010/1/7 p8x
> 
> Hi Vincent,
> 
> I also experienced the same issue as mrx. I did see multiple get and post
> requests to the same page.
> 
> As an example, I took a random page with a form on it, here are the
> totals:
> 
>  2 /password.html
>  2 /password.html?key=8&form_validated=12345&submit_form=8
>  2 /password.html?key=8&form_validated=12345&submit_form=8'
>  2
> 
> /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='6
>  2
> 
> /password.html?key=8&form_validated=12345&submit_form=8%20and%205=6
>  2
> 
> /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=6%20and%20'%25'='
>  2 /password.html?key=8&submit_form=8&form_validated=12345
>  2 /password.html?key=8&submit_form=8&form_validated=12345'
>  2
> 
> /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='6
>  2
> 
> /password.html?key=8&submit_form=8&form_validated=12345%20and%205=6
>  2
> 
> /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>  2 /password.html?submit_form=8&form_validated=12345&key=8
>  2 /password.html?submit_form=8&form_validated=12345&key=8'
>  2
> 
> /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='6
>  2
> 
> /password.html?submit_form=8&form_validated=12345&key=8%20and%205=6
>  2
> 
> /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=6%20and%20'%25'='
>  4
> 
> /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='5
>  4
> 
> /password.html?key=8&form_validated=12345&submit_form=8%20and%205=5
>  4
> 
> /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=5%20and%20'%25'='
>  4
> 
> /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='5
>  4
> 
> /password.html?key=8&submit_form=8&form_validated=12345%20and%205=5
>  4
> 
> /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>  4
> 
> /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='5
>  4
> 
> /password.html?submit_form=8&form_validated=12345&key=8%20and%205=5
>  4
> 
> /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=5%20and%20'%25'='
> 
> Also, the contact forms on the websites I tested got hammered with
> emails (and they also seemed to have duplicate requests).
> 
> p8x
> 
> On 7/01/2010 8:00 PM, mrx wrote:
> > Vincent,
> >
> > Although the actual results of the scan were displayed in English
> in the online html report,
> > the suggested solutions were in fact in Chinese.
> >
> > Checking my access logs reveals multiple attempts of the same
> attack/probe, for example multiple identical POSTs to the same page:
> >
> > 216.18.22.46 - - [06/Jan/2010:11:33:01 +] "POST
> /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0
> (compatible; MSIE 7.0; Windows
> > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
> >
> > There are around 100 entries identical to the above in my log. I
> don't know if this is by design or not but it does seem to be a
> little inefficient.
> >
> >
> > I also noticed there were no attempts at information disclosure
> via the TRACE method, nor were any attempts made at SQL injection
> despite my
> > selecting "all" in the scan options. Not that my site is
> vulnerable in any way ;-)
> >
> > Hope this helps
> >
> > regards
> > mrx
> >
> >
> >
> > Vincent Chao wro

Re: [Full-disclosure] iiscan results

2010-01-07 Thread Jan G.B.
What you see is not an issue or error. It is, what the application is
supposed to do.

* As you can see, these requests are not the same.
* Thinking about multiple POST requests on WP-Login or your "logs" below,
you could have guessed in the first place that the app is either trying
multiple Login/Password combinations or (as seen below) some patterns to
detect Injection possibilities.

Regards

2010/1/7 p8x 

> Hi Vincent,
>
> I also experienced the same issue as mrx. I did see multiple get and post
> requests to the same page.
>
> As an example, I took a random page with a form on it, here are the totals:
>
>  2 /password.html
>  2 /password.html?key=8&form_validated=12345&submit_form=8
>  2 /password.html?key=8&form_validated=12345&submit_form=8'
>  2 /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='6
>  2 /password.html?key=8&form_validated=12345&submit_form=8%20and%205=6
>  2 /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=6%20and%20'%25'='
>  2 /password.html?key=8&submit_form=8&form_validated=12345
>  2 /password.html?key=8&submit_form=8&form_validated=12345'
>  2 /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='6
>  2 /password.html?key=8&submit_form=8&form_validated=12345%20and%205=6
>  2 /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>  2 /password.html?submit_form=8&form_validated=12345&key=8
>  2 /password.html?submit_form=8&form_validated=12345&key=8'
>  2 /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='6
>  2 /password.html?submit_form=8&form_validated=12345&key=8%20and%205=6
>  2 /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=6%20and%20'%25'='
>  4 /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='5
>  4 /password.html?key=8&form_validated=12345&submit_form=8%20and%205=5
>  4 /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=5%20and%20'%25'='
>  4 /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='5
>  4 /password.html?key=8&submit_form=8&form_validated=12345%20and%205=5
>  4 /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>  4 /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='5
>  4 /password.html?submit_form=8&form_validated=12345&key=8%20and%205=5
>  4 /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=5%20and%20'%25'='
>
> Also, the contact forms on the websites I tested got hammered with
> emails (and they also seemed to have duplicate requests).
>
> p8x
>
> On 7/01/2010 8:00 PM, mrx wrote:
> > Vincent,
> >
> > Although the actual results of the scan were displayed in English in the
> online html report,
> > the suggested solutions were in fact in Chinese.
> >
> > Checking my access logs reveal multiple attempts of the same
> attack/probe, for example multiple identical POSTs to the same page:
> >
> > 216.18.22.46 - - [06/Jan/2010:11:33:01 +] "POST
> /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible;
> MSIE 7.0; Windows
> > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
> >
> > There are around 100 entries identical to the above in my log. I don't
> know if this is by design or not but it does seem to be a little
> inefficient.
> >
> >
> > I also noticed there were no attempts at information disclosure via the
> TRACE method, nor were any attempts made at SQL injection despite my
> > selecting "all" in the scan options. Not that my site is vulnerable in
> any way ;-)
> >
> > Hope this helps
> >
> > regards
> > mrx
> >
> >
> >
> > Vincent Chao wrote:
> >> Thank you for your analysis. It really helps me.
> >
> >> And I also found the PDF report mailed to us is in Chinese, in the website
> of
> >> iiScan, however, to see the report of html or PDF format is English (of
> >> course can change to Chinese).
> >
> >> -Original Message-
> >> From: full-disclosure-boun...@lists.grok.org.uk
> >> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of mrx
> >> Sent: Wednesday, January 06, 2010 8:45 PM
> >> To: full-disclosure@lists.grok.org.uk
> >> Subject: [Full-disclosure] iiscan results
> >
> >> Well, this scanner managed to find a couple of low level vulnerabilities
> on
> >> my site which were missed by both Nikto and Nessus.
> >
> >> Two directories allowed a directory listing and a test.php file I
> created,
> >> an information disclosure vulnerability, was also detected. My dumb
> >> ass forgot to delete this "test.php" file after I finished testing the
> >> server.
> >
> >> Possible sensitive directories were also listed, how
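The true/false probe pairs that p8x tallied by hand, picked out automatically from request lines. This is an added example, not code from the thread or from iiScan; the request sample is constructed from the URLs quoted above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed request sample modelled on the totals quoted in the thread
# (not real log data): one line per distinct request, counts omitted.
SAMPLE_REQUESTS = [
    "/password.html?key=8&form_validated=12345&submit_form=8",
    "/password.html?key=8&form_validated=12345&submit_form=8'",
    "/password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='6",
    "/password.html?key=8&form_validated=12345&submit_form=8%20and%205=6",
    "/password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=6%20and%20'%25'='",
    "/password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='5",
    "/password.html?key=8&form_validated=12345&submit_form=8%20and%205=5",
    "/password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=5%20and%20'%25'='",
    "/index.html?page=2",
]

# A numeric equality appended with AND, quoted or not: "and 5=5", "and '5'='6".
BOOL_COND = re.compile(r"\band\s+'?(\d+)'?\s*=\s*'?(\d+)'?", re.IGNORECASE)


def classify_value(value):
    """Label one decoded parameter value: 'tautology' (5=5), 'contradiction'
    (5=6), 'quote' (bare trailing apostrophe) or None for ordinary input."""
    m = BOOL_COND.search(value)
    if m:
        return "tautology" if m.group(1) == m.group(2) else "contradiction"
    if value.endswith("'"):
        return "quote"
    return None


def probe_kinds_by_parameter(requests):
    """Map (path, parameter name) -> set of probe labels seen for it."""
    seen = defaultdict(set)
    for req in requests:
        parts = urlsplit(req)
        # parse_qsl undoes the %20/%25 encoding, so the regex sees plain text
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                seen[(parts.path, name)].add(kind)
    return seen


def boolean_blind_probes(requests):
    """Parameters that received both a true and a false condition, the
    signature of a boolean-based blind injection test. The request log alone
    cannot say whether the test succeeded: that depends on whether the two
    responses differed, which only the response side shows."""
    seen = probe_kinds_by_parameter(requests)
    return sorted(key for key, kinds in seen.items()
                  if {"tautology", "contradiction"} <= kinds)
```

Run over a real access log, the same grouping also explains the doubled counts: each condition is sent once per parameter ordering the scanner tried.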

Re: [Full-disclosure] iiscan results

2010-01-07 Thread p8x
Hi Vincent,

I also experienced the same issue as mrx. I did see multiple get and post
requests to the same page.

As an example, I took a random page with a form on it, here are the totals:

  2 /password.html
  2 /password.html?key=8&form_validated=12345&submit_form=8
  2 /password.html?key=8&form_validated=12345&submit_form=8'
  2 /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='6
  2 /password.html?key=8&form_validated=12345&submit_form=8%20and%205=6
  2 /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=6%20and%20'%25'='
  2 /password.html?key=8&submit_form=8&form_validated=12345
  2 /password.html?key=8&submit_form=8&form_validated=12345'
  2 /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='6
  2 /password.html?key=8&submit_form=8&form_validated=12345%20and%205=6
  2 /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=6%20and%20'%25'='
  2 /password.html?submit_form=8&form_validated=12345&key=8
  2 /password.html?submit_form=8&form_validated=12345&key=8'
  2 /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='6
  2 /password.html?submit_form=8&form_validated=12345&key=8%20and%205=6
  2 /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=6%20and%20'%25'='
  4 /password.html?key=8&form_validated=12345&submit_form=8'%20and%20'5'='5
  4 /password.html?key=8&form_validated=12345&submit_form=8%20and%205=5
  4 /password.html?key=8&form_validated=12345&submit_form=8%25'%20and%205=5%20and%20'%25'='
  4 /password.html?key=8&submit_form=8&form_validated=12345'%20and%20'5'='5
  4 /password.html?key=8&submit_form=8&form_validated=12345%20and%205=5
  4 /password.html?key=8&submit_form=8&form_validated=12345%25'%20and%205=5%20and%20'%25'='
  4 /password.html?submit_form=8&form_validated=12345&key=8'%20and%20'5'='5
  4 /password.html?submit_form=8&form_validated=12345&key=8%20and%205=5
  4 /password.html?submit_form=8&form_validated=12345&key=8%25'%20and%205=5%20and%20'%25'='

Also, the contact forms on the websites I tested got hammered with
emails (and they also seemed to have duplicate requests).

p8x

On 7/01/2010 8:00 PM, mrx wrote:
> Vincent,
> 
> Although the actual results of the scan were displayed in English in the 
> online html report,
> the suggested solutions were in fact in Chinese.
> 
> Checking my access logs reveal multiple attempts of the same attack/probe, 
> for example multiple identical POSTs to the same page:
> 
> 216.18.22.46 - - [06/Jan/2010:11:33:01 +] "POST /properblog/wp-login.php 
> HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows
> NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
> 
> There are around 100 entries identical to the above in my log. I don't know 
> if this is by design or not but it does seem to be a little inefficient.
> 
> 
> I also noticed there were no attempts at information disclosure via the TRACE 
> method, nor were any attempts made at SQL injection despite my
> selecting "all" in the scan options. Not that my site is vulnerable in any 
> way ;-)
> 
> Hope this helps
> 
> regards
> mrx
> 
> 
> 
> Vincent Chao wrote:
>> Thank you for your analysis. It really helps me.
> 
>> And I also found the PDF report mailed to us is in Chinese, in the website of
>> iiScan, however, to see the report of html or PDF format is English (of
>> course can change to Chinese).
> 
>> -Original Message-
>> From: full-disclosure-boun...@lists.grok.org.uk
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of mrx
>> Sent: Wednesday, January 06, 2010 8:45 PM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: [Full-disclosure] iiscan results
> 
>> Well, this scanner managed to find a couple of low level vulnerabilities on
>> my site which were missed by both Nikto and Nessus.
> 
>> Two directories allowed a directory listing and a test.php file I created,
>> an information disclosure vulnerability, was also detected. My dumb
>> ass forgot to delete this "test.php" file after I finished testing the
>> server.
> 
>> Possible sensitive directories were also listed, however browsing to these
>> directories returned 403 errors, blank pages or a wordpress logon
>> prompt, which is what I expected.
> 
>> So all in all this scanner seems to do its job well. At least for a LAMP
>> server running wordpress
> 
>> Of course I have addressed the vulnerabilities reported.
> 
>> My command of the Chinese language is limited to zero, so I cannot
>> understand the pdf report emailed to me nor the information within the web
>> based report. Hopefully the developers will address this language problem.
> 
>> regards
>> mrx
> 
> 
> 

Re: [Full-disclosure] iiscan results

2010-01-07 Thread mrx

Vincent,

Although the actual results of the scan were displayed in English in the online 
html report,
the suggested solutions were in fact in Chinese.

Checking my access logs reveal multiple attempts of the same attack/probe, for 
example multiple identical POSTs to the same page:

216.18.22.46 - - [06/Jan/2010:11:33:01 +] "POST /properblog/wp-login.php 
HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows
NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"

There are around 100 entries identical to the above in my log. I don't know if 
this is by design or not but it does seem to be a little inefficient.


I also noticed there were no attempts at information disclosure via the TRACE 
method, nor were any attempts made at SQL injection despite my
selecting "all" in the scan options. Not that my site is vulnerable in any way 
;-)

Hope this helps

regards
mrx



Vincent Chao wrote:
> Thank you for your analysis. It really helps me.
> 
> And I also found the PDF report mailed to us is in Chinese, in the website of
> iiScan, however, to see the report of html or PDF format is English (of
> course can change to Chinese).
> 
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of mrx
> Sent: Wednesday, January 06, 2010 8:45 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] iiscan results
> 
> Well, this scanner managed to find a couple of low level vulnerabilities on
> my site which were missed by both Nikto and Nessus.
> 
> Two directories allowed a directory listing and a test.php file I created,
> an information disclosure vulnerability, was also detected. My dumb
> ass forgot to delete this "test.php" file after I finished testing the
> server.
> 
> Possible sensitive directories were also listed, however browsing to these
> directories returned 403 errors, blank pages or a wordpress logon
> prompt, which is what I expected.
> 
> So all in all this scanner seems to do its job well. At least for a LAMP
> server running wordpress
> 
> Of course I have addressed the vulnerabilities reported.
> 
> My command of the Chinese language is limited to zero, so I cannot
> understand the pdf report emailed to me nor the information within the web
> based report. Hopefully the developers will address this language problem.
> 
> regards
> mrx
> 
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




- --
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk



Re: [Full-disclosure] HTTP Digest Integrity: Another look, in light of recent attacks

2010-01-07 Thread Dan Kaminsky
On Thu, Jan 7, 2010 at 3:17 AM, Timothy D. Morgan wrote:

>
> Hi Dan,
>
> Thanks for taking the time to read it.
>
> > I haven't been wildly impressed by Digest as implemented in
> > browsers,
>
> Heh, no doubt.  When you look into it, it's quite sad how incomplete
> and inconsistent many implementations are.
>
>
The problem is that browser developers have basically been locked out of the
UI experience for some time, so there hasn't been much push to improve.
Passwords in forms is the gold standard.  Microsoft tried to address some of
this with Cardspace...didn't work out all that well.


> > but it's a legitimate point that Digest has at least *some* of the URI
> > embedded into it, so the TLS reneg attack can be somewhat mitigated by
> > leveraging that.  Empirically though, this is going to be a big pain in
> the
> > butt, not least of which is the dramatic change to the user experience.
>
> Yes, there are some serious limitations to the user interface with
> Digest auth.  I have some ideas for that, which may be cooked up in a
> future paper.  Stay tuned.
>

Happy to review when it's available.


> The level of mitigation right now against TLS renegotiation attacks
> may be contestable.  In fact I'd love to hear of any exploits which
> workaround digest auth restrictions.  Mostly though, I just wanted
> to throw it out there as food for thought and to give people a
> possible option if their hair was still on fire after hearing of this
> latest bug.
>

What's neat about your stuff is that the GET request becomes somewhat
inviolate.  What sucks is that the attacker can still play games shifting to
unauthenticated content, making a Range-Request, changing the Host to
something else behind the same load balancer, etc.

Ultimately, we need to fix TLS, and that's so amazingly hard.


> I've seen people try to do similar challenge-response protocols in
> JavaScript, but I've never taken the time to think carefully about how
> much benefit that provides.  Hashing request bodies might be useful
> against TLS renegotiation, but I'm not sure how verification of
> responses would work.  I guess with lots of AJAX and a lack of
> checking on the first response.  Seems like a lot of work though.
>

Well, there hasn't been a benefit before, because the right answer was
always "just use TLS".  Now TLS has its issues.

You're absolutely correct that it's an impossible pain in the butt.  WS-*
kinda does it though already.


>
> Regards,
> tim
>
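What the Digest response hash does and does not bind, which is the crux of the exchange above: the request line is covered, Host and Range are not. This is an added example, not code from either poster; the user, realm, password and nonce are made up.

```python
import hashlib
import secrets

# Constructed credentials for the demonstration (not real data).
USERS = {"alice": "correct horse battery staple"}
REALM = "bank.example"


def _md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth. A2 covers the method and the
    digest-uri and nothing else; qop=auth-int would append MD5(entity-body),
    but Host, Range and the other headers are never part of the hash."""
    ha1 = _md5(username, realm, password)
    ha2 = _md5(method, uri)
    return _md5(ha1, nonce, nc, cnonce, qop, ha2)


def client_authorization(username, method, uri, nonce, nc="00000001"):
    """The Authorization header a browser would send, in parsed form."""
    cnonce = secrets.token_hex(8)
    response = digest_response(username, REALM, USERS[username], method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def server_accepts(method, request_uri, headers, auth):
    """Verify a request as it arrived; 'headers' is unused because Digest cannot bind it."""
    password = USERS.get(auth.get("username"))
    if password is None or auth.get("realm") != REALM:
        return False
    # RFC 2617 section 3.2.2.5: the digest-uri directive must equal the Request-URI.
    if auth["uri"] != request_uri:
        return False
    expected = digest_response(auth["username"], REALM, password, method, request_uri,
                               auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"])
    return secrets.compare_digest(expected, auth["response"])


def renegotiation_coverage(nonce="dcd98b7102dd2f0e"):
    """GET /account is the user's request. Changing the request line fails
    (method and URI are signed); changing only Host or adding Range passes."""
    auth = client_authorization("alice", "GET", "/account", nonce)
    headers = {"Host": "bank.example"}
    return {
        "original": server_accepts("GET", "/account", headers, auth),
        "uri_changed": server_accepts("GET", "/settings", headers, auth),
        "method_changed": server_accepts("POST", "/account", headers, auth),
        "host_changed": server_accepts("GET", "/account", {"Host": "other.example"}, auth),
        "range_added": server_accepts("GET", "/account", {**headers, "Range": "bytes=0-99"}, auth),
    }
```

The two passing tamper cases are exactly the games Dan describes; closing them needs the transport fixed (TLS renegotiation indication), not a stronger Digest.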