Re: [Full-disclosure] Hacking in Schools
Horse riding around schools won't be allowed; if they wouldn't let me bring a paintball gun in, they won't allow this.

On 25 Feb 2014 18:19, "Pete Herzog" wrote:
> How to teach hacking in school and open up education:
>
> https://opensource.com/education/14/2/teach-hacking-schools-open-education
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - p...@isecom.org
> ISECOM - Institute for Security and Open Methodologies
>
> Need impartial, expert advice? Request a call:
> http://clarity.fm/peteherzog

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Hacking in Schools
Wut? This isn't about golf?

On 2/25/2014 1:39 PM, Brandon Perry wrote:
> I, for one, believe lumberjack skills are a must have for anyone entering the
> workforce today. The ability to hack trees down swiftly and efficiently is
> something I am not willing to train my employees to do. I fully expect our
> school systems to cover this in enough detail that, as an employer, I can
> expect recent graduates to hit the ground running.
>
> Just my 2c.
>
> Sent from a computer
>
>> On Feb 25, 2014, at 8:33 AM, Pete Herzog wrote:
>>
>> How to teach hacking in school and open up education:
>>
>> https://opensource.com/education/14/2/teach-hacking-schools-open-education
>>
>> Sincerely,
>> -pete.
>>
>> --
>> Pete Herzog - Managing Director - p...@isecom.org
>> ISECOM - Institute for Security and Open Methodologies
>>
>> Need impartial, expert advice? Request a call:
>> http://clarity.fm/peteherzog
Re: [Full-disclosure] Hacking in Schools
I, for one, believe lumberjack skills are a must have for anyone entering the workforce today. The ability to hack trees down swiftly and efficiently is something I am not willing to train my employees to do. I fully expect our school systems to cover this in enough detail that, as an employer, I can expect recent graduates to hit the ground running.

Just my 2c.

Sent from a computer

> On Feb 25, 2014, at 8:33 AM, Pete Herzog wrote:
>
> How to teach hacking in school and open up education:
>
> https://opensource.com/education/14/2/teach-hacking-schools-open-education
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - p...@isecom.org
> ISECOM - Institute for Security and Open Methodologies
>
> Need impartial, expert advice? Request a call:
> http://clarity.fm/peteherzog
[Full-disclosure] Multiple vulnerabilities in Joomla-Base
Hello list!

These are Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities in Joomla-Base. This is a package of Joomla with different plugins (with their vulnerabilities). These vulnerabilities are in the Google Maps plugin for Joomla, which is used in this package. In 2013-2014 I wrote advisories about multiple vulnerabilities in the Google Maps plugin (http://securityvulns.ru/docs29645.html, http://securityvulns.ru/docs29670.html and http://seclists.org/fulldisclosure/2014/Feb/53).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Joomla-Base which include this plugin. After I informed him, the developer removed this plugin from his package (https://github.com/pabloarias/Joomla-Base/issues/1).

-------------------------
Affected vendors:
-------------------------

Pablo Arias
https://github.com/pabloarias/Joomla-Base

----------
Details:
----------

Denial of Service (WASC-10):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=google.com

Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

XML Injection (WASC-23):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xml.xml

It's possible to include external xml-files, which can also be used for an XSS attack:

XSS via XML Injection (WASC-23):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xss.xml

File xss.xml:

XSS xmlns="http://www.w3.org/1999/xhtml";>alert(document.cookie)

Cross-Site Scripting (WASC-08):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E

Full path disclosure (WASC-13):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php

This is possible with corresponding PHP settings, when warnings are shown.

Insufficient Anti-automation (WASC-21):

In this functionality there is no reliable protection from automated requests. Also, in my third advisory concerning the Google Maps plugin, I wrote about a security bypass for the built-in domain restriction functionality and described a method of bypassing the protection against automated requests introduced in version 3.2. So even the latest version is vulnerable to IAA.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
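The two findings above that do not depend on the response body, the open proxy usable for DoS/DDoS and the missing anti-automation, come down to two missing controls on a server-side fetch endpoint. The following is an added example, not code from the plugin or from Joomla-Base; the allow-listed hostnames, the limits and the client identifiers are constructed for the example.

```python
"""Added example (not the plugin's or Joomla-Base's code): two controls for a
server-side fetch proxy like the plugin_googlemap2_proxy.php endpoint above.
A proxy that fetches whatever `url` it receives can be pointed at arbitrary
hosts (the DoS/DDoS finding) and hammered without limit (the Insufficient
Anti-automation finding). Allow-list, limits and hostnames are constructed.
"""
import ipaddress
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# Constructed: the only upstreams a Google Maps proxy has any reason to reach.
ALLOWED_HOSTS = {"maps.googleapis.com", "maps.google.com"}
ALLOWED_SCHEMES = {"https"}


def classify_target(url: str) -> Tuple[bool, str]:
    """Decide whether `url` may be fetched; returns (allowed, reason)."""
    parts = urlsplit(url)
    # Bare values such as "google.com" or "site2/xml.xml" have no scheme and
    # land in the path component, so they are refused here.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    try:
        ipaddress.ip_address(host)
        # Covers loopback, RFC 1918 and link-local targets in one step.
        return False, "IP literal not allowed"
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow-list"
    return True, "ok"


class RateLimiter:
    """Per-client token bucket: `rate` requests/second sustained, `burst` at once."""

    def __init__(self, rate: float, burst: int,
                 clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        # client -> (tokens left, time of last update)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[client] = (tokens, now)
            return False
        self._buckets[client] = (tokens - 1.0, now)
        return True


def handle_proxy_request(client: str, url: str, limiter: RateLimiter) -> Tuple[int, str]:
    """Apply both checks the way the endpoint would, returning an HTTP status
    and reason instead of performing any fetch."""
    if not limiter.allow(client):
        return 429, "rate limit exceeded"
    allowed, reason = classify_target(url)
    if not allowed:
        return 400, reason
    return 200, "fetch permitted"
```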
[Full-disclosure] Hacking in Schools
How to teach hacking in school and open up education:

https://opensource.com/education/14/2/teach-hacking-schools-open-education

Sincerely,
-pete.

--
Pete Herzog - Managing Director - p...@isecom.org
ISECOM - Institute for Security and Open Methodologies

Need impartial, expert advice? Request a call:
http://clarity.fm/peteherzog
Re: [Full-disclosure] MS 2k8 DNS server trivial DDoS contributor
On Mon, Feb 24, 2014 at 09:39:37PM -0400, Pedro Luis Karrasquillo wrote:
> Microsoft has responded to my report to sec...@microsoft.com and I can now
> disclose what I found.

If they didn't respond you can't disclose it? This appears quite profitable for them.

--
f.ck ..em
[Full-disclosure] MS 2k8 DNS server trivial DDoS contributor
Microsoft has responded to my report to sec...@microsoft.com and I can now disclose what I found.

There is a minor bug in the MS Server 2008 DNS service that responds with the list of all root servers when queried for non-authoritative domains, EVEN when recursion is set to OFF. This allows a malicious party to spoof the source IP on a UDP DNS request to any MS Server 2008 DNS and elicit a 533 byte response to a victim, making the server a contributor to coordinated Distributed Denial of Service attacks. The response contains the default list of root DNS servers.

Version tested: MS DNS on MS Server 2008 R2 version 6.1.7601.17514
Server is Authoritative to only one .com domain.

Config Parameters:
DNS Recursion set to "disable"
Enable Round Robin
Enable Netmask Ordering
Secure Cache against pollution

And My Mitigation steps:
Remove all root DNS servers listed on the "Root Hints" tab. This will not negatively affect the DNS functionality of the server when deployed only as an authoritative server for a specific domain.

Although RFC1034 on page 21 does allow the DNS to reply with the list of root servers (if configured) as a response option, ultimately it is preferable for it to mimic the behavior of BIND and not respond at all under these test conditions, to discourage abuse from malicious entities.

More details with images and packet captures and MS responses, in my web file http://pe.lúka.com/

Pedro
CCNP, CCDA, CCNA-Security, SANS GPEN
...But mostly a curious guy.
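An operator auditing their own authoritative servers for the behaviour described above needs to recognise the tell-tale response: no answer, AA and RA clear, and NS records for "." in the authority section. The following is an added example, not from the post or from Microsoft: a wire-format DNS parser that flags such a reply and computes its amplification ratio. The response it analyses is constructed to match the description (13 root NS records, no glue), not a capture from a Windows Server 2008 DNS.

```python
"""Added example (not from the post or Microsoft): detect a root-server
referral in a reply to a non-recursive query and measure how much larger
the reply is than the query. Standard library only; the sample response is
constructed (RD=0, AA=0, RA=0, 13 NS records for "." in the authority
section), not a capture of a real Windows Server 2008 DNS reply.
"""
import struct

NS_TYPE = 2
A_TYPE = 1
IN_CLASS = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format ("." -> b"\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, recursion_desired: bool = False) -> bytes:
    """A-record query; RD=0 is the condition the post describes."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)


def build_root_referral(qname: str, n_roots: int = 13) -> bytes:
    """Constructed reply: QR=1, AA=0, RA=0, no answers, and the root hints
    (a..m.root-servers.net) as NS records for "." in the authority section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, n_roots, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    authority = b""
    for i in range(n_roots):
        target = encode_name(f"{chr(ord('a') + i)}.root-servers.net")
        rr_head = struct.pack("!HHIH", NS_TYPE, IN_CLASS, 518400, len(target))
        authority += encode_name(".") + rr_head + target
    return header + question + authority


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow, remember end
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def analyse_response(query: bytes, response: bytes) -> dict:
    """Summarise flags, section contents and amplification of a reply."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(response, off)
        off += 4  # QTYPE + QCLASS

    def read_rrs(count: int, off: int):
        rrs = []
        for _ in range(count):
            name, off = read_name(response, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            off += 10 + rdlen
            rrs.append((name, rtype))
        return rrs, off

    answers, off = read_rrs(an, off)
    authority, off = read_rrs(ns, off)
    return {
        "recursion_available": bool(flags & 0x0080),
        "authoritative": bool(flags & 0x0400),
        "answers": len(answers),
        "root_referral": any(rr == (".", NS_TYPE) for rr in authority),
        "amplification": round(len(response) / len(query), 1),
    }


def is_reflection_contributor(summary: dict) -> bool:
    """The post's finding: a non-authoritative, non-recursive reply that still
    carries the root-server list amplifies spoofed-source UDP traffic."""
    return (summary["root_referral"] and summary["answers"] == 0
            and not summary["authoritative"])
```

Run against a live server, the same `analyse_response` applies to the bytes returned for a `build_query` sent over UDP; a server that returns no root referral, or nothing at all, as the post recommends, yields `is_reflection_contributor` false.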
[Full-disclosure] [RT-SA-2014-001] McAfee ePolicy Orchestrator: XML External Entity Expansion in Dashboard
Advisory: McAfee ePolicy Orchestrator XML External Entity Expansion in Dashboard

RedTeam Pentesting identified an XML external entity expansion vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature. Users with the ability to create new dashboards in the ePO web interface who exploit this vulnerability can read local files on the ePO server, including sensitive data like the ePO database configuration.

Details
=======

Product: McAfee ePolicy Orchestrator
Affected Versions: 4.6.7 and below
Fixed Versions: 4.6.7 + hotfix 940148
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
Vendor Status: hotfix released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001
Advisory Status: public
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

McAfee ePO allows other systems to be centrally managed, including deploying new software and collecting system information. Dashboards allow privileged users to view statistics and current data about ePO and associated systems.

More Details
============

Users with access to McAfee ePO's web interface can have the permission to add new dashboards. Dashboard definitions can be exported as XML data and also be imported again. A basic XML dashboard definition looks as follows:

RedTeam Pentesting false

Importing a dashboard consists of uploading the XML data and confirming the import afterwards. On the confirmation page the dashboard's name defined in the XML tag "name" is shown.

The ePO system allows a user-defined DTD to be added to the XML data, and therefore additional entities, which will be expanded by the system. The following example results in a dashboard with the name "RedTeam Pentesting Entity":

]> &redteam; false

It is also possible to specify external entities that for example point to local files on the ePO server.
The entity will then be expanded to contain the file's content. This works as long as the file contents do not make the resulting XML data invalid. Data that cannot be read includes for example binary data or files containing XML data themselves. If the entity is used in the dashboard's name, the confirmation page shown when importing a dashboard displays the contents of the file. The following example XML data can be uploaded to read the file C:\boot.ini:

]> &redteam; false

It is also possible to get directory listings by using a file URL that points to a directory, for example the C: drive:

Workaround
==========

RedTeam Pentesting is not aware of any workarounds.

Fix
===

McAfee has issued a hotfix[0] for version 4.6.7 that removes the vulnerability. An upgrade to the newer 5.x branch of the product will also resolve this problem.

Security Risk
=============

The vulnerability is mitigated by the fact that users already need valid login credentials for the ePO system and the permission to create dashboards for a successful exploitation. It is still considered to be of a high risk potential however, as it gives attackers the opportunity to read potentially sensitive file contents on the server. This includes for example ePO's database credentials, which are typically stored in a file available at a path like the following:

C:\programs\mcafee\epolicy orchestrator\server\conf\orion\db.properties

The credentials in this file are encrypted with a static key that is publicly known and included for example in Metasploit[1]. Depending on the actual network structure, it might be possible to use the decrypted credentials to read and alter the information in the ePO database. This might lead to a compromise of the clients that are managed by ePO.
Timeline
========

2013-11-20 Vulnerability identified
2013-11-22 Customer decided to coordinate disclosure with vendor
2014-02-14 Vendor replied to customer
2014-02-24 Vendor released hotfix for version 4.6.7 and a public Security Bulletin[0]
2014-02-25 Advisory released

References
==========

[0] https://kc.mcafee.com/corporate/index?page=content&id=SB10065
[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/epo_sql.rb

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH
Tel.: +49 241 510081-0
Dennewartstr.
[Full-disclosure] Private Camera Pro v5.0 iOS - Multiple Web Vulnerabilities
Document Title:
===============
Private Camera Pro v5.0 iOS - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1216

Release Date:
=============
2014-02-24

Vulnerability Laboratory ID (VL-ID):
====================================
1216

Common Vulnerability Scoring System:
====================================
8.1

Product & Service Introduction:
===============================
Private Camera is an iPhone and iPad camera app that could protect your privacy. It supports taking photos and recording videos, password lock protection, a fake password guest mode, and sharing photos anytime and anywhere. Take photos and videos quickly and easily. It supports autofocus, tap to focus, flash light switch, camera switch, a brand new UI, and is easy to use. It supports taking still photos and recording video, switching between video and photo mode in one click, and creating, renaming and deleting albums and setting album covers. Add photos to an album, remove photos from an album. Multiple photos can be handled at a time: you can import photos from the system camera roll, export photos to the system camera roll, add photos to an album, remove photos from an album, and delete multiple photos. Wi-Fi web access allows photo upload, so you can upload many photos from a computer to an iPhone or iPad in one shot. With iOS 5, Private Camera can sync all your photos and videos to your iCloud account; you can access these photos & videos on all your iOS devices and use and share them anytime, everywhere. Protect photos and videos that you don't want to share. Users are required to enter a password when accessing the photos/videos library. Share photos and videos on Twitter, Facebook and Email with your friends. The password-lock functionality protects your personal photos and videos. Its unique pseudo-password (decoy-password) guest mode copes with annoying friends seeing your private photos and videos. With easy to use camera features, you can take photos & videos with your iPhone or iPad and enjoy your photography life!
(Copy of the Homepage: https://itunes.apple.com/us/app/private-camera-photo-vault/id477970594 )
(Copy of the Homepage: https://itunes.apple.com/us/app/private-camera-pro-photo-vault/id473538611 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Private Camera Pro v5.0 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2014-02-24: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Apple AppStore
Product: Private Camera Pro - iOS Web Application 5.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
1.1
A local file include vulnerability has been discovered in the official Private Camera Pro v5.0 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system-specific path commands to compromise the web-application/device.

The vulnerability is located in the upload module of the mobile web-application web-interface. Remote attackers can manipulate the `upload > submit` POST method request with the vulnerable `filename` value to compromise the application or connected device components. The issue allows remote attackers to include local app path values or wifi web-server files. The exploitation appears on the application-side and the inject request method is POST. The execution occurs in the main index file dir list.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.

Exploitation of the local file include vulnerability requires no user interaction or privileged mobile application user account. Successful exploitation of the file include web vulnerability results in mobile application compromise, connected device compromise or web-server compromise.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Upload (UI) & Import (Device Sync)

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] File Dir Index Listing

1.2
Local command/path injection web vulnerabilities have been discovered in the official Private Camera Pro v5.0 iOS mobile web-application. A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the Apple mobile iOS application.

The vulnerability is located in the vulnerable `[devicename] (srvName)` value of the device-info module. Local attackers are able to inject own malicious system specific commands or path
[Full-disclosure] Barracuda Networks Firewall Bug Bounty #32 - Filter Bypass & Persistent Web Vulnerabilities
Document Title:
===============
Barracuda Networks Firewall Bug Bounty #32 - Filter Bypass & Persistent Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1069

Barracuda Networks Security ID (BNSEC): BNSEC-2069

Release Date:
=============
2014-02-24

Vulnerability Laboratory ID (VL-ID):
====================================
1069

Common Vulnerability Scoring System:
====================================
4

Product & Service Introduction:
===============================
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by providing powerful network security, granular layer 7 application controls, user awareness and secure VPN connectivity combined with cloud-based malware protection, content filtering and reporting. It alleviates the performance bottlenecks in Unified Threat Management (UTM) appliances through intelligent integration of on-premise and cloud-based technologies. While the powerful on-premises appliance is optimized for tasks like packet forwarding and routing, Intrusion Prevention (IPS), DNS/DHCP services and site-to-site connectivity; CPU intensive tasks like virus scanning, content filtering and usage reporting benefit from the scalable performance and elasticity of the cloud.

(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple input validation web vulnerabilities in the Barracuda Networks Web Firewall appliance application.
Vulnerability Disclosure Timeline:
==================================
2013-09-27: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-09-28: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2013-10-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric ** ]
2014-02-24: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Barracuda Networks
Product: Web Firewall 6.1.0.016 - Models: X100; X200; X300; X400 & X600

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities and a filter bypass issue have been discovered in the official Barracuda Networks Web Firewall appliance web application. The vulnerability allows remote attackers or local low privileged application user accounts to inject (persistent) own malicious script codes on the application-side of the vulnerable module or connected module components.

The vulnerability is located in the `Firewall > Firewall Rules > Add Access Rule` module. The vulnerable input fields are `Source` and `Destination` IP Address in the general menu. Remote attackers are able to inject custom malicious script codes to the `Source` and `Destination` input fields as IP. Attackers can also add new access rules into the application or edit the existing ones with their custom injected payloads. To bypass the filter and to be able to save the injected code into the application, the attacker needs to create 2 entries. The first entry should be the attacker's payload and the second entry should be any dummy IP address. The application only performs validation on the active field which is freshly added and ignores the earlier entries, thus allowing successful injection of the script code into the application.
Exploitation of the persistent bug and filter bypass issue requires a low privileged application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishing, persistent external redirects & persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Application(s):
[+] Firewall (WAF) Appliance Application (X300Vx v6.1.0.016)

Vulnerable Module(s):
[+] Firewall > Firewall Rules > Add Access Rule > General

Vulnerable Parameter(s):
[+] fw_access_rule_src_net_type
[+] fw_access_rule_dst_net_type

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with a low privileged web-application user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

Manual steps to reproduce the vulnerability:
1. Login with the user account to the barracuda networks web firewall appliance application
2. Goto Firewall > Firewall Rules > Add Access Rul
[Full-disclosure] [SECURITY] CVE-2013-4590 Information disclosure via XXE when running untrusted web applications
CVE-2013-4590 Information disclosure via XXE when running untrusted web applications

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5
- Apache Tomcat 7.0.0 to 7.0.47
- Apache Tomcat 6.0.0 to 6.0.37

Description:
Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.0-RC10 or later (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.50 or later (7.0.48 to 7.0.49 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
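The RedTeam ePO advisory earlier on this page and this Tomcat advisory share one root cause: an XML document supplied by a user (a dashboard export, a web application's web.xml or .tld) carries its own DOCTYPE, and the parser honours the entities declared there. The following is an added example, not McAfee's or Tomcat's code, contrasting a parser that trusts the document's DTD with one that refuses any DOCTYPE. The dashboard fragments are constructed to the shape the RedTeam advisory describes; the element names are assumptions.

```python
"""Added example (not McAfee's or Tomcat's code): parsing XML from an
untrusted party without honouring its DTD. The dashboard documents below are
constructed to match the shape described in the RedTeam advisory; the element
names are assumptions, not ePO's real schema.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample uploads. SAFE is the plain form; INTERNAL declares an
# entity in its own DTD; EXTERNAL points an entity at a local file path.
SAFE = b"<dashboard><name>RedTeam Pentesting</name><shared>false</shared></dashboard>"
INTERNAL = (b'<!DOCTYPE dashboard [<!ENTITY redteam "RedTeam Pentesting Entity">]>'
            b"<dashboard><name>&redteam;</name><shared>false</shared></dashboard>")
EXTERNAL = (b'<!DOCTYPE dashboard [<!ENTITY redteam SYSTEM "file:///C:/boot.ini">]>'
            b"<dashboard><name>&redteam;</name><shared>false</shared></dashboard>")


class UnsafeXML(ValueError):
    """Raised when an untrusted document tries to declare a DTD or entities."""


def naive_dashboard_name(data: bytes) -> str:
    """What a parser that trusts the document's DTD does: an entity declared in
    the upload itself is substituted into the dashboard name."""
    return ET.fromstring(data).findtext("name")


def hardened_dashboard_name(data: bytes) -> str:
    """Parse with expat but abort on any DOCTYPE, entity declaration or external
    entity reference. Rejecting the DOCTYPE stops both the internal-entity and
    the file-reading variants before any entity can be declared."""
    parser = xml.parsers.expat.ParserCreate()
    found = {}
    chars = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not accepted in uploaded XML")

    def on_entity_decl(*_):
        raise UnsafeXML("entity declaration not accepted in uploaded XML")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference refused")

    def on_start(name, attrs):
        chars.clear()

    def on_end(name):
        text = "".join(chars).strip()
        if text:
            found[name] = text
        chars.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = chars.append
    parser.Parse(data, True)
    return found.get("name", "")
```

The same rule applies to Tomcat's case: a web.xml or .tld from a tenant you do not trust is untrusted input to the XML parser, and the fix is to parse it with DTD processing disabled rather than to filter file names.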
[Full-disclosure] [SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)
CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1
- Apache Tomcat 7.0.0 to 7.0.42
- Apache Tomcat 6.0.0 to 6.0.37

Description:
The fix for CVE-2005-2090 was not complete. It did not cover the following cases:
- content-length header with chunked encoding over any HTTP connector
- multiple content-length headers over any AJP connector

Requests with multiple content-length headers or with a content-length header when chunked encoding is being used should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used, and several components do not reject the request and make different decisions as to which content-length header to use, an attacker can poison a web-cache, perform an XSS attack and obtain sensitive information from requests other than their own.

Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.0-RC3 or later (8.0.0-RC2 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.47 or later (7.0.43 to 7.0.46 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team while investigating an invalid report related to CVE-2005-2090.
References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
[Full-disclosure] [SECURITY] CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)
CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5
- Apache Tomcat 7.0.0 to 7.0.47
- Apache Tomcat 6.0.0 to 6.0.37

Description:
The fix for CVE-2012-3544 was not complete. It did not cover the following cases:
a) Chunk extensions were not limited
b) Whitespace after the : in a trailing header was not limited

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.0-RC10 or later (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.50 or later (7.0.48 to 7.0.49 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released)

Credit:
This issue was partly identified by the Apache Tomcat security team and partly by Saran Neti of TELUS Security Labs.
References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
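CVE-2013-4286 above says what a server must do when the framing of a request is ambiguous (reject, never pick a Content-Length by preference), and CVE-2013-4322 says which parts of chunked framing must be bounded. The following is an added example, not Tomcat's code, showing both sets of checks as a small request-framing layer; the specific byte limits are constructed for the example.

```python
"""Added example (not Tomcat's code): request framing and chunked-body checks
for the two advisories above. CVE-2013-4286: more than one Content-Length, or
Content-Length together with Transfer-Encoding: chunked, leaves no single body
length, so the request is rejected. CVE-2013-4322: chunk extensions and the
whitespace after ':' in trailer headers are bounded. Limits are constructed.
"""
from typing import List, Optional, Tuple

MAX_CHUNK_EXTENSION_BYTES = 256   # constructed limit
MAX_TRAILER_WHITESPACE = 16       # constructed limit


class BadRequest(ValueError):
    """Reject with 400 instead of guessing how the peer framed the message."""


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Split a CRLF-separated header block into (lower-cased name, value) pairs,
    keeping duplicates so the framing checks can see them."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise BadRequest(f"malformed header line {line!r}")
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return headers


def body_framing(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Return the body length for Content-Length framing, None for chunked.
    Any combination that leaves the length open to interpretation raises."""
    lengths = [v for n, v in headers if n == "content-length"]
    codings = [c.strip().lower()
               for n, v in headers if n == "transfer-encoding"
               for c in v.split(",")]
    chunked = "chunked" in codings
    if chunked and lengths:
        raise BadRequest("Content-Length together with chunked encoding")
    if len(lengths) > 1:
        raise BadRequest("multiple Content-Length headers")
    if chunked:
        return None
    if not lengths:
        return 0
    if not lengths[0] or any(c not in "0123456789" for c in lengths[0]):
        raise BadRequest(f"non-numeric Content-Length {lengths[0]!r}")
    return int(lengths[0])


def parse_chunk_size_line(line: bytes, max_ext: int = MAX_CHUNK_EXTENSION_BYTES) -> int:
    """Parse 'HEXSIZE[;extensions]'; extensions are tolerated but capped in size
    (CVE-2013-4322 case a)."""
    size_part, sep, ext = line.partition(b";")
    if sep and len(ext) > max_ext:
        raise BadRequest("chunk extension too long")
    size_part = size_part.strip()
    if (not size_part or len(size_part) > 8
            or any(c not in b"0123456789abcdefABCDEF" for c in size_part)):
        raise BadRequest(f"invalid chunk size {size_part!r}")
    return int(size_part, 16)


def parse_trailer_line(line: bytes, max_ws: int = MAX_TRAILER_WHITESPACE) -> Tuple[str, str]:
    """Parse one trailer header, bounding the whitespace after ':' so a peer
    cannot hold the connection open streaming blanks (CVE-2013-4322 case b)."""
    name, sep, value = line.partition(b":")
    if not sep or not name.strip():
        raise BadRequest(f"malformed trailer {line!r}")
    leading_ws = len(value) - len(value.lstrip(b" \t"))
    if leading_ws > max_ws:
        raise BadRequest("excessive whitespace in trailer header")
    return name.decode("latin-1").strip().lower(), value.decode("latin-1").strip()
```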
[Full-disclosure] [SECURITY] CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled
CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.33 to 6.0.37

Description:
Previous fixes to path parameter handling [1] introduced a regression that meant session IDs provided in the URL were considered even when disableURLRewriting was configured to true. Note that the session is only used for that single request.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] http://svn.apache.org/viewvc?view=revision&revision=r1149220
[2] http://tomcat.apache.org/security-6.html