[Full-disclosure] [ MDVSA-2011:192 ] mozilla
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:192
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mozilla
 Date    : December 23, 2011
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 Security issues were identified and fixed in mozilla firefox and thunderbird:

 The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements (CVE-2011-3658).

 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger a compartment mismatch associated with the nsDOMMessageEvent::GetData function, and unknown other vectors (CVE-2011-3660).

 YARR, as used in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript (CVE-2011-3661).

 Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to capture keystrokes entered on a web page by using SVG animation accessKey events within that web page (CVE-2011-3663).

 Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling (CVE-2011-3665).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3658
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3660
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3661
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3663
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3665
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 3d0f610ec65f15aa6ec194926fba109b  2011/i586/firefox-9.0-0.1-mdv2011.0.i586.rpm
 12093aae23014db9bd5ecbd206074afd  2011/i586/firefox-af-9.0-0.1-mdv2011.0.noarch.rpm
 e6a23bff8df08b7e6abba411186083ee  2011/i586/firefox-ar-9.0-0.1-mdv2011.0.noarch.rpm
 34a9761fcd96cf23914defe30762389e  2011/i586/firefox-ast-9.0-0.1-mdv2011.0.noarch.rpm
 1d28a9948e18011666fab7a164ff3810  2011/i586/firefox-be-9.0-0.1-mdv2011.0.noarch.rpm
 fafb4609847c155826a1b143cc23d594  2011/i586/firefox-bg-9.0-0.1-mdv2011.0.noarch.rpm
 ad80f2952e510f66cf043117f23fe689  2011/i586/firefox-bn-9.0-0.1-mdv2011.0.noarch.rpm
 46d0a3db35d4f5febee0de63c31a5d8a  2011/i586/firefox-br-9.0-0.1-mdv2011.0.noarch.rpm
 a39083854dd9c8f516db6891dc4d2aa0  2011/i586/firefox-bs-9.0-0.1-mdv2011.0.noarch.rpm
 52c665b19ae892f6ba53c5aceb2754c9  2011/i586/firefox-ca-9.0-0.1-mdv2011.0.noarch.rpm
 a43c5c40f34820a0c35e46b94f44978c  2011/i586/firefox-cs-9.0-0.1-mdv2011.0.noarch.rpm
 ae1b6024b8cf0b7d7cdcaef847a269b8  2011/i586/firefox-cy-9.0-0.1-mdv2011.0.noarch.rpm
 ff727672cc79d826857f27d0b21e85e6  2011/i586/firefox-da-9.0-0.1-mdv2011.0.noarch.rpm
 7c2cd108dfe8370de2b4f05d21d30525  2011/i586/firefox-de-9.0-0.1-mdv2011.0.noarch.rpm
 a0577e90a150c662b57e1bc1d73f47d4  2011/i586/firefox-devel-9.0-0.1-mdv2011.0.i586.rpm
 f6bc86bcf7ae7b5ee508bd850f02583b  2011/i586/firefox-el-9.0-0.1-mdv2011.0.noarch.rpm
 e1039f89fd8432c8e3aac8e2423b85b8  2011/i586/firefox-en_GB-9.0-0.1-mdv2011.0.noarch.rpm
 af13f8b888e6e705f75b2bc7d5c7f967  2011/i586/firefox-eo-9.0-0.1-mdv2011.0.noarch.rpm
 3bef255c8861c28b9c00cfd5c7e32199  2011/i586/firefox-es_AR-9.0-0.1-mdv2011.0.noarch.rpm
 81fdf949f847bea56123323fde9692f3  2011/i586/firefox-es_ES-9.0-0.1-mdv2011.0.noarch.rpm
 dc418c10248cb871024369c8d18783b8  2011/i586/firefox-et-9.0-0.1-mdv2011.0.noarch.rpm
 6f71341fcde5e542e87d24d45f40844b  2011/i586/firefox-eu-9.0-0.1-mdv2011.0.noarch.rpm
 eefa982180828008408b2f06ef02e74e  2011/i586/firefox-fa-9.0-0.1-mdv2011.0.noarch.rpm
 5efb62f11c325fc82507d05565b03ce8  2011/i586/firefox-fi-9.0-0.1-mdv2011.0.noarch.rpm
 e0ac9d4f36516d16e8c7480cd8c688bc  2011/i586/firefox-fr-9.0-0.1-mdv2011.0.noarch.rpm
 14315fa3ff3b0da333eafa277f11f9e9  2011/i586/firefox-fy-9.0-0.1-mdv2011.0.noarch.rpm
 0d249308c5d7bc8af9c9eb9080379a4e  2011/i586/firefox-ga_IE-9.0-0.1-mdv2011.0.noarch.rpm
 80f85a796ba801872af973512856f6e6  2011/i5
Re: [Full-disclosure] Sunny WebBox Default Password
On Fri, Dec 23, 2011 at 11:02 AM, Hacxx Under wrote:
> Sunny Web Box is a device that has a web interface and it's used as a
> reader for solar energy microproducers.
>
> The default password is "SMA"
>
> The devices can be found using intitle: "Sunny WebBox"
> ---
> Hacked Boxes
>
> http://mariorodrigues.dynip.sapo.pt
> http://gisolar.cannondesign.com
> http://pvpichler.dyndns.org:509
> http://217.113.37.189:80
> http://zodiac.hostein.org:8081
> http://79.1742.145.114
> http://67.78.27.35
> http://217.133.100.238:8082
> http://news.hartwellps.vic.edu.au
> http://energiasolar.ues.edu.sv
> http://solar.amy.gr
> http://xserver.clio.it

They also use MD5 in a JSON request over HTTP. Not surprisingly:

$ echo SMA | md5sum
8872966064a33f7520d11c0fffe7e517

[Google for 8872966064a33f7520d11c0fffe7e517]
http://hash.phelix.lv/md5/371bd54577d68567ed50af283052e0d1/SMA.htm

It looks like this has been known for some time.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
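A small checker for what the reply describes (the password crossing the wire as an unsalted MD5 inside a JSON request), added here as an example and not code from the thread or from the vendor. It hashes a list of candidate defaults ("SMA" is the value from the post; the others are filler), both as a bare string and with the trailing newline that `echo` appends, and looks for either digest among the string values of a captured JSON body. The field names in the sample body are constructed; the thread does not give the real ones.

```python
import hashlib
import json
import re

# Candidate default credentials to try. "SMA" is the value reported in the
# thread; the rest are constructed filler so the loop has something to reject.
DEFAULT_CANDIDATES = ["SMA", "sma", "admin", "password"]

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(s: str) -> str:
    """Hex MD5 of the bare string (what a device hashing the password sends)."""
    return hashlib.md5(s.encode()).hexdigest()


def echo_md5_hex(s: str) -> str:
    """What `echo s | md5sum` actually hashes: the string plus a trailing '\\n'."""
    return hashlib.md5((s + "\n").encode()).hexdigest()


def find_digests(body: str):
    """Collect every 32-hex-char string value anywhere in a JSON body.
    The field name the device uses is not given in the thread, so this walks
    the whole document instead of assuming a key."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, str) and HEX32.match(node.lower()):
            found.append(node.lower())

    walk(json.loads(body))
    return found


def match_default(body: str, candidates=DEFAULT_CANDIDATES):
    """Try each candidate raw and newline-terminated against the digests in
    the captured body. Returns (candidate, newline_was_included) or None."""
    digests = set(find_digests(body))
    for cand in candidates:
        if md5_hex(cand) in digests:
            return cand, False
        if echo_md5_hex(cand) in digests:
            return cand, True
    return None


if __name__ == "__main__":
    # Constructed sample body: field names are assumed, only the fact that an
    # unsalted MD5 of the password travels inside JSON over HTTP comes from the post.
    captured = json.dumps({"request": {"type": "login", "password_md5": md5_hex("SMA")}})
    print(match_default(captured))            # ('SMA', False)
    print(md5_hex("SMA") == echo_md5_hex("SMA"))  # False: the newline changes the digest
```

Because the digest is unsalted and the same for every device, matching it against a short list of defaults is all an attacker on the path needs; the two hashing helpers exist so that a digest captured from the wire is compared against the right preimage and not against the newline-terminated one a shell pipeline produces.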
[Full-disclosure] Exploit Pack - Happy new year!
Exploit Pack Team is happy to announce that we have reached a new frontier: 20k+ active users and 15+ developers. We want to thank you all for this excellent year; we hope to continue improving all our projects.

We have made a new roadmap for 2012 including a lot of bug fixing, new modules and features.

Happy Christmas and Happy New Year

Exploit Pack Team
Juan Sacco
Dev Lead
http://exploitpack.com
Re: [Full-disclosure] CertificationMagazine - Blind SQL Injection Vulnerability Super vulnerability-lab hack
vulnerability-lab.com ->>> Please STOP writing such bullshit...

"He also asked us multiple times for selling the dumps of hacked databases!? To answer that once more we are not interested in selling stolen information as said many times before. Why ?! Mainly due the fact that this is a criminal offence. "

hahaha

1. I am not a member of ariko-security / but what you have written is not possible; it's primitive slander.
2. I informed certmag in May 2010 about the SQL injection hole.
3. I sent you a similar e-mail the last time you were posting VERY OLD STUFF - months ago, submitted to the Vulnerable-Sites-Database. SO next time check your super HACKs in our DB first.

that's all

Tomy

Message written by resea...@vulnerability-lab.com on 23 Dec 2011, at 17:57:

> He also asked us multiple times for selling the dumps of hacked databases!?
> To answer that once more we are not interested in selling stolen information
> as said many times before.
> Why ?! Mainly due the fact that this is a criminal offence.

Tomy
supp...@vs-db.info
[Full-disclosure] Automatic message post in PHP Classified
A missing captcha in the message form of PHP Classified allows the submission of messages automatically. It only requires that the user registers and validates an account; after that, ads can be posted automatically using a script.

Download: http://www.filesonic.com/file/zQJFzCv
[Full-disclosure] Sunny WebBox Default Password
Sunny Web Box is a device that has a web interface and it's used as a reader for solar energy microproducers.

The default password is "SMA"

The devices can be found using intitle: "Sunny WebBox"
---
Hacked Boxes

http://mariorodrigues.dynip.sapo.pt
http://gisolar.cannondesign.com
http://pvpichler.dyndns.org:509
http://217.113.37.189:80
http://zodiac.hostein.org:8081
http://79.1742.145.114
http://67.78.27.35
http://217.133.100.238:8082
http://news.hartwellps.vic.edu.au
http://energiasolar.ues.edu.sv
http://solar.amy.gr
http://xserver.clio.it

Download: http://www.filesonic.com/file/EBkCj90
Re: [Full-disclosure] Mobile Prank Hacktool
New Link: http://www.filesonic.com/file/Ll1glMy

Use it but do not abuse it...
Re: [Full-disclosure] OT: Firefox question / poll
On Fri, 23 Dec 2011 21:32:38 +0900, 夜神　岩男 said:
> To begin with, most people click through the DANGER SCREEN warnings
> about bad TLS certificates. With this in mind it is obvious that a
> developer can't expect the average browser-using population to even know
> what a script is.

In another thread on another list yesterday, Steve Bellovin said:

> See the definition of "dialog box" at http://www.w3.org/2006/WSC/wiki/Glossary
Re: [Full-disclosure] Mobile Prank Hacktool
hi Larry! Hope you're doing well mate ;) , anyhow, here.. I did manage to get it via Windows.. maybe megaupload.com has blocks for lynx or other Linux? Not sure, and not caring to test,.. lol... anyhow, same file.. enjoy, cheers.

(Oh, I'd always run this with at least a basic sandbox, like Sandboxie, which would make sure that we never lose our data in case there is malware, which, usually, tools like this always do.. but, anyhow, it is not from me, although many would probably wish it was :s sad...

> Looks like the link is unavailable.
>
> -- Larry C$

Oh, I was able to download what looks like a very interesting application and files.. very cool... well, to look at atm :P I did browse the src, then directly upped it to hotfile.com.. I think lynx is a bit better with hotfile... anyhow, here is a working link:

http://hotfile.com/dl/138283571/f9ef676/Mobile_Prank_Hacktool.rar.html

anyhow, cheers Larry, let me know if it worked; if not, I'll put it on an ftp or something :s but then I'd be checking my own connection :P~ lol... tc buddy! XD

//
hax...@haxshells.us @ crazycoders.com crazycoders.us

On 21 December 2011 01:19, Larry W. Cashdollar wrote:
> Looks like the link is unavailable.
>
> -- Larry C$
>
>
> On Dec 19, 2011, at 11:49 AM, Hacxx Under wrote:
>
> This is a tool that enables anyone to prank mobiles and land phones in
> Portugal. You can choose calls or SMSs.
>
> http://www.megaupload.com/?d=GKWWWMSY
> [Share the link, not the content]
Re: [Full-disclosure] OT: Firefox question / poll
On 12/21/2011 03:54 AM, metasans...@gmail.com wrote:
> I would say usability, by the time it pops up the nasty is probably already
> done.
> --Original Message--
> From: Charles Morris
> Sender: full-disclosure-boun...@lists.grok.org.uk
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] OT: Firefox question / poll
> Sent: Dec 20, 2011 13:40
>
> I'm curious what everyone's opinion is on the following question...
> esp. to any FF dev people on list:
>
> Do you think that the Firefox "warning: unresponsive script" is meant
> as a security feature or a usability feature?

Usability.

To begin with, most people click through the DANGER SCREEN warnings about bad TLS certificates. With this in mind it is obvious that a developer can't expect the average browser-using population to even know what a script is. However, the string ("not responding") + situation ("browser gets stuck") resonates with the average retard, so this approach is sensible from a usability standpoint.
Re: [Full-disclosure] [SECURITY] [DSA 2368-1] lighttpd security update
> For the testing distribution (squeeze), this problem will be fixed soon.

isn't that wheezy?

David

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On behalf of Nico Golde
Sent: Wednesday 21 December 2011 1:25
To: debian-security-annou...@lists.debian.org
Subject: [Full-disclosure] [SECURITY] [DSA 2368-1] lighttpd security update
Importance: High

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2368-1                   secur...@debian.org
http://www.debian.org/security/                               Nico Golde
Dec 20th, 2011                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : lighttpd
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
Debian bug     : 652726
CVE IDs        : CVE-2011-4362 CVE-2011-3389

Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint.

CVE-2011-4362

    Xi Wang discovered that the base64 decoding routine which is used to decode user input during an HTTP authentication suffers from a signedness issue when processing user input. As a result it is possible to force lighttpd to perform an out-of-bounds read which results in Denial of Service conditions.

CVE-2011-3389

    When using CBC ciphers on an SSL enabled virtual host to communicate with certain clients, a so called "BEAST" attack allows man-in-the-middle attackers to obtain plaintext HTTP traffic via a blockwise chosen-boundary attack (BCBA) on an HTTPS session. Technically this is no lighttpd vulnerability. However, lighttpd offers a workaround to mitigate this problem by providing a possibility to disable CBC ciphers. This update includes this option by default. System administrators are advised to read the NEWS file of this update (as this may break older clients).

For the oldstable distribution (lenny), this problem has been fixed in version 1.4.19+lenny3.

For the stable distribution (squeeze), this problem has been fixed in version 1.4.28-2+squeeze1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 1.4.30-1.

We recommend that you upgrade your lighttpd packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk7xJ1MACgkQHYflSXNkfP+N5ACgtImneTJSdyEiCLnWTFA0uxzz
qP0An07LJwL5K3NmrMRfKeCVpigpn1zR
=QU3k
-----END PGP SIGNATURE-----
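The CBC workaround the advisory refers to, shown as an added lighttpd configuration fragment: this is not taken from the Debian package, and the exact default cipher list Debian chose is in the update's NEWS file, which the advisory tells you to read. The weak form leaves `ssl.cipher-list` unset, so whatever OpenSSL offers by default, CBC suites included, can be negotiated; the hardened form pins a list that excludes CBC suites and makes the server's preference order win. The cipher string here is illustrative, and `ssl.honor-cipher-order` is assumed to be present in the version you run (it was added upstream in 1.4.30).

```lighttpd
# Weak: no cipher list, so a CBC suite under TLS 1.0 can be chosen and a
# BEAST-style man-in-the-middle can target the session.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
}

# Hardened (2011 workaround): only non-CBC suites, server order enforced.
# Illustrative list, not Debian's; the shipped default is in the NEWS file.
$SERVER["socket"] == ":443" {
    ssl.engine             = "enable"
    ssl.pemfile            = "/etc/lighttpd/server.pem"
    ssl.cipher-list        = "RC4-SHA:!aNULL:!eNULL:!EXP:!LOW"
    ssl.honor-cipher-order = "enable"
}
```

Two caveats a practitioner would add. First, the advisory's own warning stands: clients that only speak CBC suites will fail to connect once the list is applied. Second, the only non-CBC suites available under TLS 1.0 were RC4, which has since been shown to be broken and is prohibited by RFC 7465; today the fix for BEAST is TLS 1.1 or later (or the 1/n-1 record splitting that clients adopted), not an RC4-only cipher list.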
[Full-disclosure] Facebook security bypassed with One single link
Affected Application: Facebook.com
Exploit Platform: Remote
Impact: Full Access to Facebook profile
Severity: High
Author: Anand Pandey
Email: anandkpandey1 (at) gmail (dot) com
Video: http://www.youtube.com/watch?v=9CtxQxyEf40

->Description:
• Accessing a Facebook account with just one single link, bypassing all security mechanisms implemented by Facebook for preventing unauthorised access and providing secure login to users.
• No way to track the unauthorized access or to know that someone accessed your account (unless the intruder made some changes).

->What can it do?
It has the power to bypass all the security mechanisms applied by Facebook. It does not require the username/password, won't present you with a Check point, will not track your location (so no geographical-location-based restrictions), and there is no login review for the user; the user will not be presented with any notification of whether the user or someone else has accessed his/her account. Most importantly, there will not be any active sessions created or listed, so you will have full access to those resources where a password is not required (because you don't have the password), and there is no way anyone can track you, unless you make the mistake of changing the profile picture or scream loudly ?

->How is this link generated?
This link is generated by Facebook for those who have registered their cell phone on Facebook to receive notifications of activity on their accounts by SMS. Facebook generates this link for the convenience of those mobile users and sends it via SMS. You will receive a notification from Facebook stating that XYZ has commented on your photo (with the comment made) and a direct link to that photo, so you will not have to log in every time to view your photos for comments or for anything, using that particular link.

->Which notifications contain this link?
• Comment made on your photo.
• Comment on your link.
• Comment made after you on a photo or a link.
• Tagged you in a photo.

->What does this link look like and what does it contain?
The links that you receive from the above-mentioned notifications are all different and also have a history of change. So here we will discuss each of these with their examples.

* Type 1
http://m.facebook.com/photo.php?pid=xx&id=&mlid=xx&l=

Now let us understand the links. Here "m.facebook.com" shows that it's the Facebook site for mobile users and "photo.php" shows it is something related to photos on Facebook.
"pid" is the unique number assigned to that particular photo on which the comment is made or in which someone tagged you.
"id" is the unique numeric user id of the user who commented on your photo or tagged you in, or we can say that this is the user id of the person due to whose action this notification is generated.
"mlid" is the unique numeric user id of the account holder for whom the notification is generated.
"l" is an 8-character-long random combination of numbers and letters, both lower and upper case, and this is the key to enter the account, so we will call it the "key".
This is the link generated specially for photos. It can be generated when someone is either tagging you in a photo, commenting on a photo uploaded by you, or commenting on a photo after your comment. For this link to work there are two parameters required, the "mlid" and the "l"; the rest can be any number or can even be removed, and this is true for all the links.

* Type 2
http://m.facebook.com/story.php?share_id=&mlid=xx&l=

Here "m.facebook.com" shows that it's the Facebook site for mobile users and "story.php" shows it is something related to shared links on Facebook.
"share_id" is the unique numeric id assigned to the link shared by you.
"mlid" is the unique numeric user id of the account holder for whom the notification is generated.
"l" is an 8-character-long random combination of numbers and letters, both lower and upper case, and this is the key to enter the account, so we will call it the "key".
This is the link that is generated and sent to you by SMS when someone comments on the link shared by you.

The above-mentioned links are what Facebook used to send earlier, but as you know these links take more SMS space, so they implemented a URL-shortening feature to shorten these links and save some space and cost for SMS. So here we will understand what the shortened link looks like.

* Type 3
http://fb.me/p/xxx.

This is the shortened URL of the "Type 1" link. "fb.me" is the domain used specially for the URL-shortening feature
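A detector for the three link shapes the post describes, added as an example; it is not the author's code and nothing in it comes from Facebook. It treats a link that carries `mlid` plus an 8-character alphanumeric `l` value, or an `fb.me/p/` token, as a bearer credential: `find_auth_links` pulls such links out of free text (an SMS export, a support ticket, a log), and `redact` blanks the key so the text can be stored without remaining a usable credential. The sample SMS text and every id and key in it are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# From the post: "mlid" plus an 8-character alphanumeric "l" is enough to
# open the account; other parameters are optional. fb.me/p/<token> is the
# shortened form of the same link.
KEY_RE = re.compile(r"^[A-Za-z0-9]{8}$")
URL_RE = re.compile(r"https?://(?:m\.facebook\.com|fb\.me)/\S+", re.I)
TRAILING_PUNCT = ".,;)"

# Constructed sample text; ids and keys are made up.
SAMPLE_SMS = (
    'Alice commented on your photo: "nice!" '
    "http://m.facebook.com/photo.php?pid=12345&id=67890&mlid=1122334455&l=Ab3dEf9h "
    "Later notification: http://fb.me/p/Qw8rT2yU. Reply STOP to unsubscribe."
)


def _split_trailing(url: str):
    """Separate sentence punctuation glued to the end of a URL in prose."""
    core = url.rstrip(TRAILING_PUNCT)
    return core, url[len(core):]


def classify_link(url: str):
    """Describe an auth-bearing notification link, or return None.
    Type 1/2 (photo.php / story.php on m.facebook.com) need mlid + l;
    type 3 (fb.me/p/<token>) carries the access in the token itself."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "m.facebook.com":
        qs = parse_qs(parts.query)
        mlid = qs.get("mlid", [None])[0]
        key = qs.get("l", [None])[0]
        if mlid and key and KEY_RE.match(key):
            if parts.path.endswith("photo.php"):
                kind = "photo"
            elif parts.path.endswith("story.php"):
                kind = "story"
            else:
                kind = "other"
            return {"kind": kind, "mlid": mlid, "key": key, "shortened": False}
    elif host == "fb.me" and parts.path.startswith("/p/") and len(parts.path) > 3:
        return {"kind": "shortened", "mlid": None, "key": parts.path[3:], "shortened": True}
    return None


def find_auth_links(text: str):
    """Every credential-bearing link in free text, with its parsed parts."""
    hits = []
    for m in URL_RE.finditer(text):
        core, _ = _split_trailing(m.group(0))
        info = classify_link(core)
        if info:
            info["url"] = core
            hits.append(info)
    return hits


def redact(text: str) -> str:
    """Blank the key of each auth-bearing link; keep mlid so the record is
    still attributable to the account it belonged to."""
    def sub(m):
        core, tail = _split_trailing(m.group(0))
        info = classify_link(core)
        if info is None:
            return m.group(0)
        if info["shortened"]:
            return "http://fb.me/p/[REDACTED]" + tail
        return re.sub(r"([?&]l=)[A-Za-z0-9]{8}", r"\1[REDACTED]", core) + tail
    return URL_RE.sub(sub, text)


if __name__ == "__main__":
    for hit in find_auth_links(SAMPLE_SMS):
        print(hit["kind"], hit["mlid"], hit["key"])
    print(redact(SAMPLE_SMS))
```

The point of keeping `mlid` while blanking `l` is that, by the post's own description, `mlid` alone opens nothing, so a redacted record still tells you whose account the link belonged to without being replayable.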
Re: [Full-disclosure] OT: Firefox question / poll
I would say usability, by the time it pops up the nasty is probably already done.

--Original Message--
From: Charles Morris
Sender: full-disclosure-boun...@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] OT: Firefox question / poll
Sent: Dec 20, 2011 13:40

I'm curious what everyone's opinion is on the following question... esp. to any FF dev people on list:

Do you think that the Firefox "warning: unresponsive script" is meant as a security feature or a usability feature?

Sent from my BlackBerry® wireless device available from bmobile.
Re: [Full-disclosure] Mobile Prank Hacktool
Looks like the link is unavailable.

-- Larry C$

On Dec 19, 2011, at 11:49 AM, Hacxx Under wrote:

> This is a tool that enable anyone to prank mobiles and land phones in
> portugal. You can choose calls or sms's.
>
> http://www.megaupload.com/?d=GKWWWMSY
> [Share the link, not the content]
Re: [Full-disclosure] CertificationMagazine - Blind SQL Injection Vulnerability
http://www.vs-db.info/?p=593

MAY 2010 - Nice that you can find a 1.5 YEARS old hole LOL!

Tomy

Message written by resea...@vulnerability-lab.com on 20 Dec 2011, at 17:08:

> http://www.certmag.com/

Tomy
supp...@vs-db.info
Re: [Full-disclosure] New awstats.pl vulnerability?
> I am really curious as to the motivation of the parties deploying these
> types of scans. I understand that they would like to find vulnerable
> systems to compromise... but for what purpose?

So for what? Mainly the smarter ones are not malign, not botters, and don't use these shit systems to make money, but in many poorer countries this can make even a small amount; with rooted boxes you also have the power to charge a SIP call, for example, to an ISP... and they would, as usual, bill it... but it seems anything that's new/big is being scanned; it's simple.. one engine, MANY addons :P simple formula to exploit tonnes of thousands of hosts... and I have seen many public lists ranging up to 50-100 megs of IPs, all vuln... funnily, most of the Amazon AWS 50. range is pwned... phpmyadmin I believe.. hehe when will people learn... security is a MUST, not an item to be glanced at and presumed over for 100 days.. it has to be fast, responsive, and know what to do.. so,.. buy into Immunity :P~~ lol... I know many others are using this to fuzz... great for mass fuzzing too I hear... although then Acunetix could be obtained freely and made to look pro... so I guess it is the lesser of the evils... one's 20 grand with a few addons, one's free... I'll take both :P

On 23 December 2011 18:34, wrote:
> From analysis on compromised sites I've been receiving abuse messages for at
> $day_job they're launched from irc bots on compromised servers, mainly
> cpanel- cpanel is cool for novices but skimps on security out of the box.
>
> Will dig out some signatures when I get into the office.
>
> Sent from my BlackBerry® wireless device
>
> -----Original Message-----
> From: Lamar Spells
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Thu, 22 Dec 2011 23:23:11
> To: Nikolay Kichukov
> Cc:
> Subject: Re: [Full-disclosure] New awstats.pl vulnerability?
>
> Here is an update on this:
>
> Over the past week, we have seen the awstats activity continue, but
> morph to include other vulnerabilities. Details of this are at
> http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html
> -- but the summary is that we have seen activity change to include
> Local File Inclusion and command injection in phpAlbum and other
> components written in PHP.
>
> We started seeing today some activity related to phpthumb and
> CVE-2010-1598... Details of this are at
> http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html
>
> I am really curious as to the motivation of the parties deploying
> these types of scans. I understand that they would like to find
> vulnerable systems to compromise... but for what purpose? Sending
> spam? So far, based on what I am seeing, it looks like they are
> compromising systems just to have those systems look for more systems
> to compromise. At this point, I have to assume that they are still in
> the construction and building phase...
>
> On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells wrote:
>> Here are some additional IPs and some analysis of the IPs in question.
>> Looks like very few of the scanning IPs are running awstats, but many
>> are legitimate business running old apache versions. I am guessing
>> they didn't self install an awstats scanner...
>>
>> http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html
>>
>>
>> On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells wrote:
>>> Today we are also seeing requests like this one which is looking to
>>> exploit CVE-2008-3922:
>>>
>>> GET /awstatstotals/awstatstotals.php ?
>>> sort={${passthru(chr(105).chr(100))}}{${exit()}}
>>>
>>>
>>>
>>> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov
>>> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Same here, I even tried to notify a bunch of the ISP registrators of
>>>> the IP address range those originated from.
>>>>
>>>> - -Nik
>>>>
>>>> On 12/13/2011 07:30 AM, Bruce Ediger wrote:
>>>>> On Mon, 12 Dec 2011, Lamar Spells wrote:
>>>>>
>>>>>> For the past several days, I have been seeing thousands of requests
>>>>>> looking for awstats.pl like this one:
>>>>>
>>>>> Yeah, me too. They just started up. I haven't seen any awstats.pl
>>>>> requests since 2010-05-18, and now I've gotten batches of them, since
>>>>> about 2011-11-22, but heavier since the start of December.
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>>
>>>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9
>>>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi
>>>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef
>>>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Cs
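Detection logic for the probes discussed in this thread, added as an example and not taken from any poster. It classifies Apache combined-format access-log lines: the awstatstotals.php request is the one quoted above, URL-encoded the way a server would log it; the awstats.pl line and the benign line are constructed, and the `configdir=|...` shape of the awstats.pl probe is my assumption about those requests, which the thread only describes as "requests looking for awstats.pl". The classifier also decodes the `chr()` concatenation so an analyst sees which command the payload would run.

```python
import re
from urllib.parse import unquote

# Constructed sample log (Apache combined format). Line 1 is the request
# quoted in the thread, percent-encoded as a server logs it; lines 2-3 are
# made up, and line 2's configdir shape is an assumption about awstats.pl probes.
SAMPLE_LOG = r'''
203.0.113.5 - - [13/Dec/2011:07:12:01 +0000] "GET /awstatstotals/awstatstotals.php?sort=%7B%24%7Bpassthru%28chr%28105%29.chr%28100%29%29%7D%7D%7B%24%7Bexit%28%29%7D%7D HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2011:07:12:02 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2011:07:13:40 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
CHR_CALL = re.compile(r"chr\((\d+)\)")

# (rule name, path test, query test or None). The awstatstotals rule looks
# for PHP variable-variable / command-execution tokens in the decoded query;
# any request for awstats.pl at all is worth flagging on a host that has none.
PROBE_RULES = [
    ("awstatstotals-php-injection",
     re.compile(r"awstatstotals\.php$", re.I),
     re.compile(r"\$\{|passthru|system\(|exec\(|shell_exec", re.I)),
    ("awstats-pl-probe",
     re.compile(r"awstats\.pl$", re.I),
     None),
]


def decode_chr_concat(expr: str) -> str:
    """Turn a PHP-style chr(105).chr(100) chain into the string it builds."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))


def classify(line: str):
    """Return a hit dict for a probe line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    query = unquote(query)
    for name, path_re, query_re in PROBE_RULES:
        if path_re.search(path) and (query_re is None or query_re.search(query)):
            decoded = decode_chr_concat(query) if "chr(" in query else ""
            return {"ip": m.group("ip"), "ts": m.group("ts"), "rule": name,
                    "path": path, "query": query, "decoded": decoded}
    return None


def scan(log_text: str):
    """All probe hits in a block of log text, in file order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["rule"], hit["path"], repr(hit["decoded"]))
```

Decoding the `chr()` chain is the useful part: the quoted payload builds the string `id`, i.e. the attacker only wants to confirm code execution and see which user the web server runs as, which fits the thread's observation that these scans are building inventory rather than doing anything with the hosts yet.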