[Full-disclosure] lulz love
What's with Lulz and all of them loving to make comments to this list... Are you all not doing disclosure on us here... Come on... who knows what here?

-- been great, thanks

RandyM a.k.a System

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Lulzsec leaked accounts -- change your password if affected
On June 16, 2011, LulzSec released over 62,000 accounts containing emails and passwords in cleartext obtained from random sources. LulzSec announced the release in a Twitter post at https://twitter.com/#!/LulzSec/status/81327464156119040. The table below is the list of these accounts. Passwords have been completely masked to protect the users from further attacks.

This disclosure was mentioned in the Los Angeles Times (http://latimesblogs.latimes.com/technology/2011/06/lulzsec-publishes-62000-email-and-password-combinations.html), PCWorld (http://www.pcworld.com/businesscenter/article/230523/fraud_starts_after_lulzsec_group_releases_email_passwords.html) and CBC News (http://www.cbc.ca/news/technology/story/2011/06/17/pei-lulzsec-personal-internet-accounts-584.html).

What should you do? Use the search box below to find out if your email is in the list. If yes, you are advised to change your password immediately if it is still in use elsewhere. For your privacy, do not enter your complete email in the search box. Try using the first part of your email instead, e.g. example instead of exam...@example.com.

Disclosure URL: http://dazzlepod.com/lulzsec/

Over 10% of the accounts appear to be still accessible.
Re: [Full-disclosure] [New Security Tool] INSECT Pro 2.6.1 release
Probably in fear that said attribution would kill the notion that they actually wrote the software they're trying to sell. IMHO, none of this ranting would happen if the tool had been free to begin with. It's a long lost cause now.

On Thu, Jun 23, 2011 at 8:23 PM, root ro...@fibertel.com.ar wrote:
> Skipfish is Apache 2.0 and Metasploit is BSD. He doesn't even have to release the source. The only thing missing is attribution.
>
> On 06/23/2011 03:51 AM, Sergio 'shadown' Alvarez wrote:
>> Juan, I've seen you are using Michal Zalewski's skipfish as engine, isn't it a license violation?
>>
>> Cheers, Sergio
>>
>> On Jun 23, 2011, at 3:16 AM, Juan Sacco wrote:
>>> Test your network security and audit your website using the same tools as hackers. INSECT Pro 2.6.1 is available for purchase right now worldwide through PayPal!
>>>
>>> * Run Faster: You not only want to make great security testing, you want nice performance
>>> * Load Better: Major graphical interface and optimization features
>>> * Module Search: Ever wondered where that module is? We have a built-in search feature for you
>>> * Improvements and Changes: As always, we've added a lot of other features and optimizations
>>> * The latest exploits found in the wild: We are always trying to be one step ahead of the competition
>>>
>>> Take a visual tour of some of INSECT Pro's most popular features and discover INSECT Pro today! Start here: http://www.insecurityresearch.com
>>>
>>> Regards, Juan Sacco
>>> --
>>> Insecurity Research - Security auditing and testing software
>>> Web: http://www.insecurityresearch.com
>>> INSECT Pro 2.6.1 on track - Stay tuned

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
[Full-disclosure] New DoS, CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
Hello list!

I want to warn you about new security vulnerabilities in the ADSL modem Callisto 821+ (SI2000 Callisto821+ Router). These are Denial of Service, Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities.

In April I had already drawn the attention of Ukrtelecom's representative (this modem was bought at Ukrtelecom) to multiple vulnerabilities in this model of Callisto modems (other models could also be affected).

SecurityVulns ID: 11700.

Affected products:

Vulnerable is the following model: SI2000 Callisto821+ Router: X7821 Annex A v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other firmware, and also other models of Callisto, must also be vulnerable.

Details:

These attacks should be conducted on the modem owner while he is logged into the control panel. Taking into account that it's unlikely to catch him in this state, it's possible to use the before-mentioned vulnerabilities (http://websecurity.com.ua/5161/) to conduct a remote login (to log him into the control panel). After that it's possible to conduct a DoS, CSRF or XSS attack.

DoS (WASC-10):

http://192.168.1.1/configuration/ports.html?120

At this request the modem restarts.

CSRF (WASC-09):

These sections are hidden (they are not shown in the admin panel), but it's possible to get to them by setting the corresponding number in the URL.

In section RIP Port Configuration (http://192.168.1.1/configuration/ports.html?10) via CSRF it's possible to change the parameters of the RIP port.

In section Advanced RIP Port Configuration (http://192.168.1.1/configuration/ports_advanced.html?10) via CSRF it's possible to change the parameters of the RIP port.

In section Bridge Port Configuration (http://192.168.1.1/configuration/ports.html?12) via CSRF it's possible to change the parameters of the Bridge port.

In section Advanced Bridge Port Configuration (http://192.168.1.1/configuration/ports_advanced.html?12) via CSRF it's possible to change the parameters of the Bridge port.

XSS (WASC-08):

These sections are hidden (they are not shown in the admin panel), but it's possible to get to them by setting the corresponding number in the URL.

In section RIP Port Configuration (http://192.168.1.1/configuration/ports.html?10) there are persistent XSS vulnerabilities in all text fields and some hidden fields.

In section Advanced RIP Port Configuration (http://192.168.1.1/configuration/ports_advanced.html?10) there are persistent XSS vulnerabilities in all text fields and some hidden fields.

In section Bridge Port Configuration (http://192.168.1.1/configuration/ports.html?12) there are persistent XSS vulnerabilities in some text fields and some hidden fields.

In section Advanced Bridge Port Configuration (http://192.168.1.1/configuration/ports_advanced.html?12) there are persistent XSS vulnerabilities in some text fields and some hidden fields.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/5231/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
For those who did not already know: due to specification, apache follows symlinks even when -FollowSymLinks is set, when the data is modified concurrently. This can be trivially shown, as demonstrated in http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ .

When performing host hardening, do not think the -FollowSymLinks option alone will prevent you from symlink attacks.

--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
I think you meant apache follows symlinks even when -FollowSymLinks is *not* set. Otherwise it doesn't seem to make sense?

Cheers,
Chris.

On Fri, Jun 24, 2011 at 5:14 PM, halfdog m...@halfdog.net wrote:
> For those who did not already know: due to specification, apache follows symlinks even when -FollowSymLinks is set, when the data is modified concurrently. This can be trivially shown, as demonstrated in http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ .
>
> When performing host hardening, do not think the -FollowSymLinks option alone will prevent you from symlink attacks.
>
> --
> http://www.halfdog.net/
> PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
Christian Sciberras wrote:
> I think you meant apache follows symlinks even when -FollowSymLinks is *not* set. Otherwise it doesn't seem to make sense?

No. Unless I made a mistake while testing AND misunderstood the documentation, even with -FollowSymLinks set, apache will follow symlinks (see POC). You might want to read the last line in section FollowSymLinks in http://httpd.apache.org/docs/2.2/mod/core.html#options

I, for myself, made the same assumption about -FollowSymLinks, but the specification states that the symlink check is not race-free.

> On Fri, Jun 24, 2011 at 5:14 PM, halfdog m...@halfdog.net wrote:
>> For those who did not already know: due to specification, apache follows symlinks even when -FollowSymLinks is set, when the data is modified concurrently. This can be trivially shown, as demonstrated in http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ .
>>
>> When performing host hardening, do not think the -FollowSymLinks option alone will prevent you from symlink attacks.

--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
Re: [Full-disclosure] [funsec] Apple Updates SA-2011-06-23-1 and Security Update 2011-004
On Jun 23, 2011, at 8:29 PM, Jeffrey Walton wrote:
> It appears the latest Apple Updates available through Software Updates are bricking Wintels: https://discussions.apple.com/message/15474962. Pick your poison: run with a vulnerable machine, or don't run at all!

No. Say it isn't so! Software running on unauthorized hardware against the EULA isn't working! /sarcasm
[Full-disclosure] ASHX, ASMX or What?
List,

Imagine that you're in front of an insecure file upload in the context of IIS6,7 (no ;.jpg :P) and the regex filtering the file is like: [anything].asp[anything] (yeah, my.aspirator.jpg is filtered hehe). No .aspx, no .asp and no .aspx;jpg even if the server is vulnerable...

So... is there any way to bypass this control? Like uploading a malicious Webservice (can we simply upload a Webservice file? I think they need to be precompiled first) or something like that?

Thanks a lot!

regards,
--
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
On Fri, Jun 24, 2011 at 5:24 PM, Christian Sciberras uuf6...@gmail.com wrote:
> I think you meant apache follows symlinks even when -FollowSymLinks is not set. Otherwise it doesn't seem to make sense?

-FollowSymLinks turns off the FollowSymLinks option without resetting the other Options.
http://wiki.apache.org/httpd/FAQ#Why_do_my_Options_directives_not_have_the_desired_effect.3F

Tyrael
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
Ah, I see. For a moment I confused -FollowSymLinks with a shell parameter.

My bad,
Chris.

On Fri, Jun 24, 2011 at 6:15 PM, Ferenc Kovacs tyr...@gmail.com wrote:
> On Fri, Jun 24, 2011 at 5:24 PM, Christian Sciberras uuf6...@gmail.com wrote:
>> I think you meant apache follows symlinks even when -FollowSymLinks is not set. Otherwise it doesn't seem to make sense?
>
> -FollowSymLinks turns off the FollowSymLinks option without resetting the other Options.
> http://wiki.apache.org/httpd/FAQ#Why_do_my_Options_directives_not_have_the_desired_effect.3F
>
> Tyrael
Re: [Full-disclosure] ASHX, ASMX or What?
You shouldn't filter against known files, but do the reverse: you should filter against known good files. Oh, and the medium you decide to throw this data on should have special checks against execution etc...

On Fri, Jun 24, 2011 at 6:16 PM, Nahuel Grisolia nah...@bonsai-sec.com wrote:
> List,
>
> Imagine that you're in front of an insecure file upload in the context of IIS6,7 (no ;.jpg :P) and the regex filtering the file is like: [anything].asp[anything] (yeah, my.aspirator.jpg is filtered hehe). No .aspx, no .asp and no .aspx;jpg even if the server is vulnerable...
>
> So... is there any way to bypass this control? Like uploading a malicious Webservice (can we simply upload a Webservice file? I think they need to be precompiled first) or something like that?
>
> Thanks a lot!
>
> regards,
> --
> Nahuel Grisolia - C|EH
> Information Security Consultant
> Bonsai Information Security Project Leader
> http://www.bonsai-sec.com/
> (+54-11) 4777-3107
Re: [Full-disclosure] ASHX, ASMX or What?
Chris,

On 06/24/2011 01:37 PM, Christian Sciberras wrote:
> You shouldn't filter against known files, but do the reverse: you should filter against known good files. Oh, and the medium you decide to throw this data on should have special checks against execution etc...

Yeap! I know that, yes to white lists and avoid the use of black lists, and other stuff related to a secure file up-loader, but the filter I'm trying to bypass is like the one I described.

Anyway, thanks for your quick response!

regards,
--
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107
Re: [Full-disclosure] ASHX, ASMX or What?
It all depends on how the files are being validated, but I would guess for IIS6,7 the use of a RegularExpressionValidator would be run against the upload control with whatever ValidationExpression would be in place, given how easy it is to implement. That would ensure the filetype extension was .jpg directly in the upload control. There wouldn't be any bypass via the control - you'd have to go around the control somehow.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras
Sent: Friday, June 24, 2011 9:38 AM
To: Nahuel Grisolia
Cc: full-disclosure@lists.grok.org.uk; owasp-argent...@lists.owasp.org
Subject: Re: [Full-disclosure] ASHX, ASMX or What?

> You shouldn't filter against known files, but do the reverse: you should filter against known good files. Oh, and the medium you decide to throw this data on should have special checks against execution etc...
>
> On Fri, Jun 24, 2011 at 6:16 PM, Nahuel Grisolia nah...@bonsai-sec.com wrote:
>> List,
>>
>> Imagine that you're in front of an insecure file upload in the context of IIS6,7 (no ;.jpg :P) and the regex filtering the file is like: [anything].asp[anything] (yeah, my.aspirator.jpg is filtered hehe). No .aspx, no .asp and no .aspx;jpg even if the server is vulnerable...
>>
>> So... is there any way to bypass this control? Like uploading a malicious Webservice (can we simply upload a Webservice file? I think they need to be precompiled first) or something like that?
>>
>> Thanks a lot!
>>
>> regards,
>> --
>> Nahuel Grisolia - C|EH
>> Information Security Consultant
>> Bonsai Information Security Project Leader
>> http://www.bonsai-sec.com/
>> (+54-11) 4777-3107
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
Ferenc Kovacs wrote:
> On Fri, Jun 24, 2011 at 5:24 PM, Christian Sciberras uuf6...@gmail.com wrote:
>> I think you meant apache follows symlinks even when -FollowSymLinks is not set. Otherwise it doesn't seem to make sense?
>
> -FollowSymLinks turns off the FollowSymLinks option without resetting the other Options.
> http://wiki.apache.org/httpd/FAQ#Why_do_my_Options_directives_not_have_the_desired_effect.

The FAQ says: "You can usually avoid problems by either finding the Options directive that already applies to a specific directory and changing it, or by putting your Options directive inside the most specific possible Directory section."

The option is in the most specific directory section and it also takes effect, returning forbidden on the http request. But when you use the RenameLoop program in parallel, it fails to detect the symlink and delivers the linked data. This specific TOCTOU issue is known and part of the apache specification.

--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
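The check-then-open race described in this thread, as an added example in C that is neither halfdog's RenameLoop nor Apache's code: racy_open() does the lstat-then-open that the documentation calls not race-free, with a hook standing in for the concurrent renamer, and nofollow_openat() shows the race-free alternative, a per-component openat() walk with O_NOFOLLOW below a trusted base directory. Function names, the fixture files under /tmp and the swap hook are all constructed for this example; it assumes Linux/glibc.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-open, the pattern the thread calls not race-free: lstat() rejects
 * a symlink, but open() resolves the name again, so a rename landing between the
 * calls is followed. 'between' stands in for the concurrent RenameLoop. */
int racy_open(const char *path, void (*between)(void *), void *arg)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) return -1; /* no symlinks */
    if (between) between(arg);      /* the window the race exploits */
    return open(path, O_RDONLY);    /* second, independent lookup */
}

/* Race-free variant: walk the untrusted path one component at a time below a
 * trusted base dir fd with O_NOFOLLOW, so the kernel refuses symlinks atomically. */
int nofollow_openat(int basefd, const char *rel)
{
    char *copy = strdup(rel), *save = NULL;
    if (!copy) return -1;
    int fd = openat(basefd, ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (char *tok = strtok_r(copy, "/", &save); fd >= 0 && tok;
         tok = strtok_r(NULL, "/", &save)) {
        int next = openat(fd, tok, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        close(fd);
        fd = next;                  /* -1 (errno ELOOP) on a symlink */
    }
    free(copy);
    return fd;
}

/* Constructed fixture: a temp dir with regular files "secret" (content
 * "secret") and "public" (empty), plus a symlink "link" -> "secret". */
int build_fixture(char *dir, size_t len)
{
    char tmpl[] = "/tmp/nofollowXXXXXX", p[256];
    if (!mkdtemp(tmpl) || strlen(tmpl) >= len) return -1;
    strcpy(dir, tmpl);
    for (int i = 0; i < 2; i++) {   /* only "secret" gets content */
        snprintf(p, sizeof p, "%s/%s", dir, i ? "public" : "secret");
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 || write(fd, "secret", i ? 0 : 6) < 0) return -1;
        close(fd);
    }
    snprintf(p, sizeof p, "%s/link", dir);
    return symlink("secret", p);
}

/* Hook for racy_open: rename "link" over "public", as a concurrent renamer
 * would, so the name that just passed the lstat() check is now a symlink. */
void swap_in_symlink(void *dir)
{
    char from[256], to[256];
    snprintf(from, sizeof from, "%s/link", (const char *)dir);
    snprintf(to, sizeof to, "%s/public", (const char *)dir);
    rename(from, to);               /* atomic replacement */
}

int main(void)
{
    char dir[64], p[256], buf[8] = {0};
    if (build_fixture(dir, sizeof dir) != 0) return 1;
    snprintf(p, sizeof p, "%s/public", dir);
    int fd = racy_open(p, swap_in_symlink, dir);
    if (fd >= 0 && read(fd, buf, 6) == 6)
        printf("racy_open read \"%s\" via the swapped-in symlink\n", buf);
    printf("nofollow_openat(public) -> %d\n",
           nofollow_openat(open(dir, O_RDONLY | O_DIRECTORY), "public"));
    return 0;
}
```

The hook makes the race deterministic; on a real server the same window simply has to be hit by timing, which is what the RenameLoop in the thread does.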
Re: [Full-disclosure] Apple Updates SA-2011-06-23-1 and Security Update 2011-004
On Friday, June 24, 2011, Joel Esler joel.es...@me.com wrote:
> On Jun 23, 2011, at 8:29 PM, Jeffrey Walton wrote:
>> It appears the latest Apple Updates available through Software Updates are bricking Wintels: https://discussions.apple.com/message/15474962. Pick your poison: run with a vulnerable machine, or don't run at all!

This is genuine apple hardware and software :( But in the past, I did have better experiences with leopard and snow leopard on virtual box.
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
> The FAQ says: "You can usually avoid problems by either finding the Options directive that already applies to a specific directory and changing it, or by putting your Options directive inside the most specific possible Directory section."
>
> The option is in the most specific directory section and it also takes effect, returning forbidden on the http request. But when you use the RenameLoop program in parallel, it fails to detect the symlink and delivers the linked data. This specific TOCTOU issue is known and part of the apache specification.

I didn't mean to imply otherwise, I've just explained what the +/- before an option does.

Tyrael
[Full-disclosure] XSS and AoF vulnerabilities in Drupal
Hello list!

I want to warn you about Cross-Site Scripting and Abuse of Functionality vulnerabilities in Drupal.

Affected products:

Vulnerable are Drupal 6.22 and previous versions. Taking into account that the developers didn't fix these holes, versions 7.x also must be vulnerable.

Details:

XSS (WASC-08):

When adding or editing data in any internal form (add/edit post, etc.) it's possible to conduct a persistent XSS attack. The XSS code will execute when visiting the edit page (edit post, etc.). The attack is conducted on any form with FCKeditor/CKEditor turned on (which are very widespread on sites on Drupal). Such an attack can also be conducted on forms with TinyMCE - I already wrote about such vulnerabilities in PHP-Nuke via TinyMCE (http://packetstormsecurity.org/files/view/99162/phpnuke-iaaxss.txt).

For the attack it's needed to set in a field of the form in Source mode:

<img onerror=alert(document.cookie) src=1 />

Also it's possible to send a POST request with the token and the attacking code in the parameter body.

The attack can be conducted only on a logged-in user who is the owner of this account, or on the admin of the site. I.e. the user will save the attacking code by himself and trick the admin onto that page, or, taking into account the anti-CSRF protection, the token will be received via a reflected XSS vulnerability to conduct a persistent XSS attack on the user or admin.

Abuse of Functionality (WASC-42):

There are two new vulnerabilities which allow enumerating the logins of the users.

With a special request to the user search it's possible to reveal the logins of all users of the site:

http://site/search/user/%25
http://site/search/user_search/%25

In the RSS feeds of the site, particularly in the main RSS feed (http://site/rss.xml), it's possible to reveal the logins of those users of the site whose materials are shown in this feed.

As the developers noted to me about the last vulnerabilities, they didn't see risk in them and considered them a feature. And they officially state (http://drupal.org/node/1004778) that they will not be fixing them, leaving all users of the Drupal engine with these issues (I wrote about 8 such vulnerabilities in total in this engine), while recommending in the above-mentioned document that those who are concerned use third-party solutions.

Timeline:

2010.12.11 - when I informed the developers about previous multiple vulnerabilities in Drupal, I told them briefly about these holes.
2011.04.12 - announced at my site.
2011.04.13 - informed the developers.
2011.06.24 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/5074/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua