[Full-disclosure] Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]

2007-11-21 Thread XSS Worm XSS Security Information Portal
*Domain Name System Hijacked: Hackers Abuse Domain-Name Trust*

*InternetWorld's Andy Patrizio and Finjan's Yuval Ben-Itzahk discuss the
fundamental weaknesses in Finjan's Blacklist-based URL Filtering products*

Using variations on trusted, popular domains has long been a common tactic
for scammers, spammers and porn sites. But cyber criminals have devised a
new twist on the misspelled domain-name trick by *hijacking IP addresses*.
And they tried it on Yahoo.

To fix the old problem, server-based security products would trace the IP
address of the server behind the domain. Once the IP address resolved the
misspelled domain name, the products would then compare the IP address
against a database of known fraudulent sites or questionable locations. So
if a site were masquerading as eBay but the filters found it was really a
server in China that had only been established one week earlier, it would
block access.

"Web 2.0 sites are great fun but also a great platform for hackers to host
malicious code." - Ben Itzahk from Finjan on why his product is still
relevant.

In the case of Yahoo, security firm Finjan said *hackers exploited an unused
IP address within Yahoo's hierarchy and used that as the domain address
behind a forged Google Analytics domain name*. This fooled the Finjan
Web-filtering product into believing a person was going to a *highly trusted
Yahoo domain*. The victims, customers of Finjan, never knew they were on a
malicious Web site, and neither did the security mechanisms on the network.
(In this case, Finjan's Web-filtering product.)

"They managed to resolve the domain name to an IP address owned by Yahoo. How
they added an address into a DNS server to appear to be an IP address owned
by Yahoo is unknown," Yuval Ben-Itzhak, CTO of Finjan, told
InternetNews.com. He added that Yahoo, while responsive and quick to shut
down the compromised address, did not disclose exactly what equipment was
behind the compromised IP address.

"You can upload anything you like, so you can upload malicious content, as
well." - Ben-Itzahk on design flaws within Finjan's Web-filtering product.

Ben-Itzhak thinks something in the server was broken that enabled the bad
guys to push that content down to users without Yahoo knowing. He said that's
a flaw in social networks.

"In 2007, something very clear has come out: these Web 2.0 sites are great
fun but also a great platform for hackers to host malicious code as well,"
said Ben-Itzhak. "You can upload anything you like, so you can upload
malicious content, as well. On MySpace we found hundreds of pages with
malicious code this year."

Ben-Itzhak said server-based security is still the primary mode of defense
but also recommended browser plug-ins, such as Finjan's SecureBrowsing or
SnakeOil's HackerExpert, both of which scan the actual content coming over
the wire from a site and alert the user if it's suspicious.

InternetWorld - Hackers Abuse Domain-Name Trust

"With Finjan's web security there will be no need to worry about getting
caught napping by the latest round of web-based threats" - SC Magazine

*Giorgei Jorge [xssworm ] writes:*

After explaining that Finjan's server-based web security filtering products
fail to actually inspect web content or protect the user in any significant
way .. beyond checking to see if the target domain name is 'highly trusted'
such as Yahoo.com .. it's patently clear that this vendor is totally
qualified to discuss the emerging threats related to Web 2.0, social
networks and distributed passive attacks. It is also clear that Finjan's
server-based products are highly effective, technically advanced, provide
enhanced security for your users and in the context of modern web
vulnerabilities, are totally relevant and obviously worth the many tens of
thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they
belong only to *"highly trusted domains" such as yahoo.com* it is
recommended that users install Finjan's SecureBrowsing product.
SecureBrowsing does not actually check to see if a web site belongs to a
highly trusted domain such as yahoo.com, but it does actually inspect some
of the content in transit to ensure that only *highly trusted domains such
as yahoo.com* are allowed to install components silently into the browser or
take advantage of client vulnerabilities to execute arbitrary code on the
users desktop. When used in conjunction with the Finjan total security suite
of products, including Finjan's

[Full-disclosure] Wordpress 0day: Hacking into computers now easier than previously believed - Heise Security

2007-11-20 Thread XSS Worm XSS Security Information Portal
*Wordpress 0day: Hacking into computers now easier than previously believed,
says Heise Security*

*"A design flaw in the WordPress blog software authentication process makes
it easier than previously believed for attackers to compromise a system. Most
content management systems and blogs save user passwords as hashes in the
underlying database. So even if attackers were to get access to the hashes
stored in the database, for instance by means of an SQL injection hole, they
have not been able to do much with them up to now."*

*"Specifically, if they want to recover the passwords, they would have to
compare a hash with entries in a "rainbow table" – a process that can take
some time and may not work at all for long passwords, for which there simply
are no tables."*

*"But according to a security advisory published by Stephen J. Murdoch of
the University of Cambridge, a property in WordPress can be exploited to get
access without the password. Instead of trying to obtain the password,
Murdoch used its hash to generate an authentication cookie to gain access to
the system. A member of the core team behind The Onion Router (TOR)
anonymization project, Murdoch says that the MD5 hash only has to be hashed
a second time with MD5. According to his report, the authentication
procedure implemented in WordPress then looks like:*

* wordpresspass_=MD5(user_pass) *

*Here, the URL is clearly spelled out, and user_pass corresponds to the hash
(MD5(password)). Along with the wordpressuser cookie (that
wordpressuser_=admin), access is then reportedly provided to the
WordPress admin account. Murdoch says he has informed the developers of
WordPress of the problem, but they have yet to react."*

Please Mr Murdoch No more talking to the media about security. or maybe we
create new media now (-;

vaj

-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--
XSS Cross Site Scripting Attacks
Media Manipulation and Web 2.0 Insecurity Blog (tm) 2007
http://www.XSSworm.com/
--
"Vaj, bella vaj."
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread XSS Worm XSS Security Information Portal
"A remote attacker, with read access to the password database can gain
administrator rights."

This also applies to many other blog software and also every system with a
password database.

-- 
Francesco Vaj [CISSP - GIAC]
Senior Content Manipulation Consultant
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site

XSS Worm: Cross Site Scripting Attacks
Wordpress Blog Password Hash Replay Information Portal (tm) 2007
http://www.XSSworm.com/
--
"Vaj, bella vaj."
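The derivation the quoted Heise text describes, and the advisory line above summarises (cookie = MD5 of the stored MD5 hash), makes the stored hash a password equivalent: read access to the users table is enough to mint an admin cookie. The Python below is an added illustration, not WordPress code, that runs that scheme beside a keyed alternative with a server-side secret (assumed to be held in configuration, outside the database), an expiry and a constant-time comparison.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


# Scheme as the quoted Heise/Murdoch text describes it:
#   database row:   user_pass       = MD5(password)
#   browser cookie: wordpresspass_* = MD5(user_pass)
# Nothing the server keeps secret enters the derivation, so whoever can read
# the row can produce the cookie without ever recovering the password.

def legacy_auth_cookie(stored_hash: str) -> str:
    return md5_hex(stored_hash)


def legacy_check(cookie_value: str, stored_hash: str) -> bool:
    return hmac.compare_digest(cookie_value, legacy_auth_cookie(stored_hash))


# Keyed alternative (an illustration added here, not WordPress's own code):
# the cookie authenticates "username|expiry" under a server-side secret that
# is assumed to live in configuration, not in the users table. A database
# read therefore yields the hash but not a forgeable cookie, and cookies age
# out. A deployment would also mix in a fragment of the stored hash so that a
# password change invalidates outstanding cookies.

def keyed_auth_cookie(username: str, expires: int, server_secret: bytes) -> str:
    msg = f"{username}|{expires}".encode()
    tag = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires}|{tag}"


def keyed_check(cookie_value: str, server_secret: bytes, now: int) -> Optional[str]:
    """Return the username for a valid, unexpired cookie; otherwise None."""
    try:
        username, expires_s, tag = cookie_value.rsplit("|", 2)
        expires = int(expires_s)
    except ValueError:
        return None
    if now >= expires:
        return None
    expected = hmac.new(server_secret, f"{username}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return username


def demo() -> Dict[str, object]:
    """Run both schemes against a constructed user row and a fixed clock."""
    stored_hash = md5_hex("correct horse")        # constructed sample row
    server_secret = secrets.token_bytes(32)       # never stored with the row
    now = 1_195_500_000                           # fixed clock (Nov 2007)
    # The attacker holds only stored_hash (the SQL-injection scenario above).
    forged = md5_hex(stored_hash)
    good = keyed_auth_cookie("admin", now + 3600, server_secret)
    return {
        "legacy_forged_accepted": legacy_check(forged, stored_hash),
        "keyed_valid_user": keyed_check(good, server_secret, now),
        "keyed_wrong_secret": keyed_check(
            keyed_auth_cookie("admin", now + 3600, b"attacker-guess"),
            server_secret, now),
        "keyed_expired": keyed_check(
            keyed_auth_cookie("admin", now - 1, server_secret),
            server_secret, now),
        "keyed_renamed": keyed_check(
            good.replace("admin", "editor", 1), server_secret, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```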

Re: [Full-disclosure] n3td3v denounces the actions of www.derangedsecurity.com

2007-11-18 Thread XSS Worm XSS Security Information Portal
This is a breathtakingly candid post. for once.

thank you!


On 11/17/07, worried security <[EMAIL PROTECTED]> wrote:
>
> On Nov 14, 2007 11:33 PM, Dan Egerstad <[EMAIL PROTECTED]> wrote:
> > Do you know the powers? Powerrangers? Can they help me? Ohhh please help
> me
> > ohhh you mighty...
> >
> > I'm free, kicking and not charged for shit... don't know who you are and
> > couldn't care less but it does give something to laugh at =)
> > Go play with the other kids now
> >
> > //D
>
> At the end of the day you're the dude with the secret service
> following you everywhere you go now in real life for at least the next
> 6 /12 months or longer I would imagine.
>
> Enjoy the privacy or not as the case may be.
>
> Sleepless nights, looking out your window every five minutes, turning
> round in the street seeing if anyone's following you and generally not
> being able to trust people around you because they might be the secret
> service. Not knowing who the next phone call will be from, knowing
> everything you do on the internet is being watched by a human, every
> keystroke, every e-mail, every draft.
>
> I've been there, done that, bought the t-shirt.
>
> It's paranoia and it destroys you!!! It crushes you, this whole
> derangedsecurity.com stuff will crush you mentally if it hasn't
> already. I'm talking from experience, I've gone through these phases
> of paranoia, it'll eat you alive.
>
> Maybe you're not feeling it yet, but it will creep up on you in a short
> while.
>
> That's the down side to doing big hacks, the mental strain of not
> knowing if you've got away with it or not.
>
> One day you'll wish you hadn't your picture on those news articles and
> you hadn't drawn attention to yourself, it may take a few months for
> it to kick in if it hasn't already.
>
> The only reason it's not already kicked in if it hasn't is you're
> young, gullible and immature, and you're still feeding off the ego
> rush of the media attention right now, but later in life it'll hit
> you!!!
>
> You're thinking "i've not been charged for shit". The possibility of a
> criminal charge is the least of the problems which comes with fame,
> being known by a large amount of people is a bad experience walking
> down the street, trying to get employed by people and generally
> operating as a normal person in life.
>
> You wonder all the time "Does he know!", "Do they know". And you get
> the people who do know, know everything about you, but you've never
> met them in your life before, and it scares you!
>
> I've been approached by people in real life who know more about me and
> what I do online than I do, it ain't nice.
>
> Strange people start being a part of your life, and you know why, but
> it's never officially confirmed by anyone. The paranoia and suspicion
> destroys you.
>
> But basically you get the worlds intelligence services following you
> around from different countries with different agendas to find out
> things about you.
>
> I imagined at first it would just be one team of surveillance from one
> country, but you end up having folks from a handful of countries
> following you about in everyday life. And those individual
> surveillance teams aren't connected with each other. You can be
> walking down a busy high street with a crowd of folks all around you,
> you think are legitimate folks, but they are actually secret service
> from multiple countries working independently of each other, who don't
> know each other, but they all have one thing in common, they are
> following you
>
> It sent the shitters up me and it'll do the same to you.
>
> And you get the folks who have nothing to do with government following
> you around, and that's the scariest part. You get independent
> investigators following you around from the worlds security companies
> who have their own intelligence wings. The big corporations hire folks
> to do this, just for the sake of knowing intelligence about you. And
> then you just get the normal weirdos following you about who aren't a
> part of any government or private investigation company, and that's
> what is the worst part. Oh, and the random people who claim to be news
> journalists, who could actually be anyone, walking up to you, knocking
> at your door, e-mailing etc. You take the first interview, then you
> realise, that could have been anyone. It screws you up in the head
> afterwards.
>
> When you become public in the security community, it's not the secret
> service which are the biggest problems, there are 100's of companies
> who follow you about because they want their own intelligence about
> you. You see all these websites that offer intelligence, who aren't
> the government but offer yahoo,google etc intelligence on folks and
> get paid for it, it's not just technical intelligence they have,
> they've got folks checking up on you in real life too.
>
> who's gonna be on your tail for a while:
>
> secret services (world wide) they follow you for national security
> reasons to build

Re: [Full-disclosure] n3td3v denounces the actions of www.derangedsecurity.com

2007-11-14 Thread XSS Worm XSS Security Information Portal
The deceptively clever and incredibly important and prolific hacker n3td3v
wrote: "Why should fucks like you get away with this while gary mckinnon
faces a life time in jail. you dick."

Seconded.

Note to self: setup nph-proxy.cgi on random box and log everything going
through it and email media and become famous security consultant.


On Nov 15, 2007 9:58 AM, worried security <[EMAIL PROTECTED]>
wrote:

> On Sep 10, 2007 9:34 AM, Dan Egerstad <[EMAIL PROTECTED]> wrote:
> > LOL, you are indeed funny =)
> >
> > If you actually tried to figure out the whole story instead of just
> > reading the propaganda forced out by your government you might get
> > another idea. They HAVE been told about this, not once, not twice but
> > several times more. Also I can prove that hackers, terrorist, criminals
> > and governments already have the hardware set up to do this to the
> > accounts I exposed. You are an idiot if you claim that it would be ok
> > to publish companies passwords and not Governments. Private and
> > companies could get personally hurt and lose their job/money for a
> > mistake. Governments are already in so much trouble due to the fact
> > that they already are exposed and refuse to do anything about it. They
> > if ANY should know better... They are actually CHOOSING to expose
> > themselves, it's not a mistake!
> >
> > Stop with your pathetic national crap... I don't give a shit
>
> If you think this is funny it isn't, i've had my eye on you for a
> while now. you are guilty of Espionage and you have admitted to the
> world you are involved in Espionage, don't be surprised if the secret
> service start monitoring you now. Why should fucks like you get away
> with this while gary mckinnon faces a life time in jail. you dick.
>
> fellow scots stick up for each other, so remember that the next time
> you talk to a scotsman, because we're tough and bold and we'll kick
> you in the teeth you swedish fuck.
>
> i have links with the powers that be, i'm going to make sure you're
> locked up for sure.
>
> enjoy your freedom, although it won't last long.
>
> n3td3v
>
>



-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--
XSS Cross Site Scripting Attacks
Web 2.0 Application Security Information Blog (tm) 2007
http://www.XSSworm.com/
--
"Vaj, bella vaj."

Re: [Full-disclosure] n3td3v denounces the actions of www.derangedsecurity.com

2007-11-14 Thread XSS Worm XSS Security Information Portal
"[I'm] losing money and trust in my company and even if i'm never charged I
will not get any compensation it looks like."

"Well, if they want to try to manipulate, I can play that game too. [I] gave
every known body signal there is telling of lies ... covered my mouth,
scratched my elbow, looked away and so on."

Sure sounds like a trustworthy mature IT professional. Have fun gaming the
police and your government while feeling self-righteous and invincible and
untouchable. That usually works out great for hackers.


On Nov 15, 2007 9:58 AM, worried security <[EMAIL PROTECTED]>
wrote:

> On Sep 10, 2007 9:34 AM, Dan Egerstad <[EMAIL PROTECTED]> wrote:
> > LOL, you are indeed funny =)
> >
> > If you actually tried to figure out the whole story instead of just
> > reading the propaganda forced out by your government you might get
> > another idea. They HAVE been told about this, not once, not twice but
> > several times more. Also I can prove that hackers, terrorist, criminals
> > and governments already have the hardware set up to do this to the
> > accounts I exposed. You are an idiot if you claim that it would be ok
> > to publish companies passwords and not Governments. Private and
> > companies could get personally hurt and lose their job/money for a
> > mistake. Governments are already in so much trouble due to the fact
> > that they already are exposed and refuse to do anything about it. They
> > if ANY should know better... They are actually CHOOSING to expose
> > themselves, it's not a mistake!
> >
> > Stop with your pathetic national crap... I don't give a shit
>
> If you think this is funny it isn't, i've had my eye on you for a
> while now. you are guilty of Espionage and you have admitted to the
> world you are involved in Espionage, don't be surprised if the secret
> service start monitoring you now. Why should fucks like you get away
> with this while gary mckinnon faces a life time in jail. you dick.
>
> fellow scots stick up for each other, so remember that the next time
> you talk to a scotsman, because we're tough and bold and we'll kick
> you in the teeth you swedish fuck.
>
> i have links with the powers that be, i'm going to make sure you're
> locked up for sure.
>
> enjoy your freedom, although it won't last long.
>
> n3td3v
>
>



-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--
XSS Cross Site Scripting Attacks
Web 2.0 Application Security Information Blog (tm) 2007
http://www.XSSworm.com/
--
"Vaj, bella vaj."

Re: [Full-disclosure] Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com

2007-11-13 Thread XSS Worm XSS Security Information Portal
Thank you for these points Dave, I am replying:

With the XSS we can say it is shellcode because shellcode is the code
injected into process or programme that contain bad validation of input - we
say shellcode because it contains system call to execute shell commands - i
think so?

XSS vulnerability is bad validation of input also (and output as you said in
bold)

and with injected code and web 2.0 and fat rich clients (like in the USA) we
can make java scripts with reverse shell to desktop with XSS
& get interactive control over fat clients and make them do things and we
can write interpreter and make it 'shell' if you want it easy (-;

So XSS is input validation bug just like buffer overflow and we inject code
that will be interactive 'shell' and execute action or command on behalf of
user so XSS injection code = shellcode. Only differences in what you
consider 'shell', 'command', 'action', 'user', no?

With the code is posted we cannot see any bugs either but as you say maybe
fundamentals

output $_GET['variable']

is this a vulnerability? I am not programmer but I have heard said that
input validation is sometimes maybe the cause of vulnerabilities.

Thanks vaj.



On Nov 14, 2007 5:51 PM, dave-san <[EMAIL PROTECTED]> wrote:

> Comments inline..
>
> XSS Worm XSS Security Information Portal wrote:
> > *0day XSS Exploit for Wordpress 2.3* – wp-slimstat 0.92 – [xssworm.com]
> >
> > Source:
> >
> http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/
> >
> > There is a serious holes in wordpress 2.3 that can be used with XSS by a
> > blackhat hacker to attack the wordpress administrator and steal cookies
> > from blogmins. This attack is known as 0day because it has just been
> > reported to public and this is first day of public vulnerability, and
> > *0day means 'published'.*
> > Proof of concept:
> >
> >
> http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=
>  > shellcode>
> >
>
> Hmm.. XSS shellcode? That's a new one for me. I'll take this to mean the
> injected script. From your post, I don't think you mean "shellcode" in
> the traditional sense.
>
> > This attack to be used against wordpress web blog blogmin to steal
> > blogosphere token to hack blogs. Of course we have included exploit code
> > for this bug at the below.
> >
> > We have looked at coding for wp-slimstat but we cannot see any problem
> > with input validating. Maybe some of the xssworm.com readers can show us
> > where problem is in the php code because we cannot see any problem here:
> >
> > –snips:
> >
> > C:\temp>findstr GET wp-slimstat.php
> > $myFilterField = intval( $_GET['ff'] );
> > $myFilterType = intval( $_GET['ft'] );
> > $myFilterString = $_GET['fi'];
> > $myFilterInterval = $_GET['fd'];
> > $myFilterField = intval( $_GET['ff'] );
> > $myFilterType = intval( $_GET['ft'] );
> > $myFilterString = $_GET['fi'];
> > $myFilterInterval = $_GET['fd'];
> > '.(!empty($myFilterString)?'—  > href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset
> > filters', 'wp-slimstat').'':").'
> > 
> > 
> > ';
> >
>
> It's late, and I might have missed something, but from the above, I
> don't see where the vulnerable parameter is being written back to the
> HTML response. Therefore, I don't think there is enough code in the
> lines above to locate the entire issue (though it looks like other
> parameters are vulnerable too). You mentioned:
>
>  ft=
>
> So, in this example, "ft" is the vulnerable parameter. Trace what
> happens in code with that parameter after it receives input. I'd guess
> that there is something like..
>
>   echo ''. $myFilterType .' more...
>
> or
>
>   echo ''.$_GET["ft"].'..
>
> Perhaps take a look at where they missed the output formatting/encoding
> for HTML. I may be so bold as to suggest that the lack of output
> encoding is the major reason that XSS exists.
>
> > –snips
> >
> > With programmer using $_GET variable from user into echo into html
> > output maybe php automatic GET validation filtering is not working for
> > security? We are not programmers of php so we cannot see any problem

[Full-disclosure] Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com

2007-11-13 Thread XSS Worm XSS Security Information Portal
*0day XSS Exploit for Wordpress 2.3* – wp-slimstat 0.92 – [xssworm.com]

Source:
http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/

There is a serious holes in wordpress 2.3 that can be used with XSS by a
blackhat hacker to attack the wordpress administrator and steal cookies from
blogmins. This attack is known as 0day because it has just been reported to
public and this is first day of public vulnerability, and *0day means
'published'.*
Proof of concept:

http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=

This attack to be used against wordpress web blog blogmin to steal
blogosphere token to hack blogs. Of course we have included exploit code for
this bug at the below.

We have looked at coding for wp-slimstat but we cannot see any problem with
input validating. Maybe some of the xssworm.com readers can show us where
problem is in the php code because we cannot see any problem here:

–snips:

C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— '.__('Reset
filters', 'wp-slimstat').'':").'


';

–snips

With programmer using $_GET variable from user into echo into html output
maybe php automatic GET validation filtering is not working for security? We
are not programmers of php so we cannot see any problems here as bug are too
complex to understand.

Exploit code for perl whitehats included here:

# Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exist in wordpress 2.3 that allow hacker to
# steal blog cookie from wordpress blogmin.
#
# To exploit scripting bug the attacker make link
# to URL of slimstat with XSS shellcode and force
# blog admin to hit link by embedding into fish
# email or making blogmin follow interesting links.
# Also hacker can embed into refer or trackback
# to inject scripting into wordpress dashboard or
# make blogmin visit malicious resource when viewing
# he's blog.
#
#
# Status: not patched published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Francesco Vaj ([EMAIL PROTECTED])
#
# Instruction:
# To execute exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# Hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#

#use Net::DNS:Simple;
#use Math;
use Socket;

print "Welcome. What is target email address of wordpress blog admin : \n";
my $target = <STDIN>;   # read from standard input; the angle brackets were lost in the archive
chomp($target);         # drop the trailing newline so it can be embedded below
print "ok target is $target\n";
sleep(3);
print "ok What is address of wordpress blog : \n";
sleep(5); my $address = <STDIN>;
chomp($address);
print "ok address is $address\n";
sleep(6);
# print "testing"
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n — CUT OUTPUT HERE — \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <[EMAIL PROTECTED]>\n";
print "RCPT TO: <$target>\n";
print "DATA\n"; print "Free x picture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n — END OF OUTPUT CUT HERE –\n";
print "";
print "Ok now you need to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by [EMAIL PROTECTED] c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on"
#print "XSS initialized"
#payload
sleep(1); exit(0);   # exit() rather than return(0), which is invalid outside a subroutine
# snips
#

Please note that this wp-slimstat does not contain any code injection or
mysql injection bug vector that is opened to blackhat attack via transport
of xss.

Many thanks for your comments on this vulnerability in wordpress 2.4

Thanks vaj

-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--
XSS Cross Site Scripting Attacks
Web 2.0 Application Security Information Blog (tm) 2007
http://www.XSSworm.com/
--
"Vaj, bella vaj."
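dave-san's point in the reply above, that XSS comes from missing output encoding, worked through on the parameters visible in the findstr output. This is an added example in Python, not wp-slimstat's or the poster's code: it rebuilds the "Reset filters" link from $_GET['page'] and $_GET['panel'] unencoded as the snippet does, beside a version encoded for both the URL and the attribute context, and shows why ft, which the snippet passes through intval(), can only be reflected via the raw $_GET value elsewhere. The probe value and request parameters are constructed.

```python
import html
from typing import Dict
from urllib.parse import urlencode

# Constructed probe: a value that closes an attribute and opens a tag.
PROBE = '1"><i>probe</i>'


def php_intval(value: str) -> int:
    """Approximate PHP's intval() on a string: leading sign and digits, else 0."""
    s = value.strip()
    sign = 1
    if s[:1] in ("+", "-"):
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    digits = ""
    for ch in s:
        if not ch.isdigit():
            break
        digits += ch
    return sign * int(digits) if digits else 0


def reset_link_unsafe(params: Dict[str, str]) -> str:
    """Mirrors the snippet: raw page and panel values glued into an href."""
    return ('<a href="?page=' + params.get("page", "")
            + '&panel=' + params.get("panel", "") + '">Reset filters</a>')


def reset_link_safe(params: Dict[str, str]) -> str:
    """Same link, encoded for each context it crosses: URL query, then HTML attribute."""
    query = urlencode({"page": params.get("page", ""),
                       "panel": params.get("panel", "")})
    return '<a href="?' + html.escape(query, quote=True) + '">Reset filters</a>'


def reflect_filter_type(params: Dict[str, str], mode: str) -> str:
    """How ft can end up in the page: raw echo, after intval() as in the snippet, or escaped."""
    raw = params.get("ft", "")
    if mode == "intval":
        value = str(php_intval(raw))   # the integer cast leaves nothing to inject
    elif mode == "escaped":
        value = html.escape(raw, quote=True)
    else:
        value = raw
    return "<span>filter type: " + value + "</span>"


def demo() -> Dict[str, object]:
    """Render each variant for a constructed request carrying the probe."""
    params = {"page": "wp-slimstat/wp-slimstat.php", "panel": PROBE, "ft": PROBE}
    return {
        "unsafe_link": reset_link_unsafe(params),
        "safe_link": reset_link_safe(params),
        "ft_raw": reflect_filter_type(params, "raw"),
        "ft_intval": reflect_filter_type(params, "intval"),
        "ft_escaped": reflect_filter_type(params, "escaped"),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print(f"{name}: {markup}")
```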

[Full-disclosure] 0day Shockwave and Flash XSS Fish Exploits on Youtube, Revver, Metacafe, Google.

2007-11-09 Thread XSS Worm XSS Security Information Portal
Foxnews 0day XSS Shock Attack

Demo link to send to a fish:

http://www.foxnews.com/video2/launchPage.html?http://localhost/

With netcat listen on localhost :

listening on [any] 80 ...
connect to localhost [127.0.0.1] from localhost [127.0.0.1] 1964
GET
/E05510/a3/0/3/1380/1/0/116282DDC64/0/0//312340660.gif?D=DM%5FLOC%3D
http%3A%2F%2Fwww%252Efoxnews%252Ecom%2Fvideo2%2FlaunchPage%252Ehtml%253Fhttp%3A%
2F%2Flocalhost%2526pageType%253Dmisc%2526miscPage%253DVideo%252520Launch%252520P
age%26DM%5FREF%3D%26DM%5FTIT%3DFOXNews%252Ecom%20%2D%20Video%20Launch%20Page%20%
2D%20FOXNews%252Ecom%26DM%5FEOM%3D1 HTTP/1.1
Host: pix01.revsci.net
User-Agent: Mozilla/5.0 (Mandriver)
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.foxnews.com/video2/launchPage.html?http://localhost
Cookie: [EMAIL PROTECTED];
NETSEGS_J05532=960C7930BE970CE4&J05532
&3F149836&472757D9&0&&4723FE85&C2C6A1738F3B885FCA46DE74CFF355ED


I think maybe this is to make many shock waves with XSS !
Zero Day Shockwave SWF Player Exploit with XSS Attack
In the hacking metacafe we discover Shockwave XSS 0day attack to use by
blackhat to steal fish:

MetaCafe XSS Worm Vulnerabilities - ZeroDay Shockwave Attack POC - :

http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true
&

We see this outputs in xssworm.com log - :


GET /crossdomain.xml HTTP/1.1
Host: metacafe.122.2o7.net
Cookie: s_vi_xxhybx7BxBxxclx7Fx7D=[CS]v4|472A0D2D00060B2-290B294DB|472A0
D2D[CE];
s_vihfex7Ekx7Dx7Fzxx=[CS]v4|47208A0C4D74-A170C543A87|472DA4DB[
CE]; s_vi_jdghjlgdijg=[CS]v4|472605E7606-A170BAE639DC|4726056DCE]
s_vi
_wzvqcdsx7F7×60qx7isx7Fx7D[CS]v4|.

snips…

We see many more serious vulnerability in the web 2.0 today. As you must be
sure to visit http://xssworm.com/ security portal to discuss this shock
problem && many thanks for your reply. I am interested.

*vaj


-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--
XSS Cross Site Scripting Attacks and
Web 2.0 AJAX Security Information News -
http://xssworm.com/
--
"Vaj, bella vaj."

Re: [Full-disclosure] Gmail 0day

2007-11-09 Thread XSS Worm XSS Security Information Portal
Yes all XSS is very serious and not for making jokes, if pdp said that
hacker can steal data the CSS on google could be very dangerous
vulnerability

Blackhat SEO XSS
hacker example:

http://mail.google.com/mail.%5CINBOX.%3C%252E18%252E/%2E%2E/local_url?%2E\l.%5CINBOX.%3C%252E18%252E/[EMAIL
 PROTECTED]@@[EMAIL 
PROTECTED]@!&q=/mail.%5CINBOX.%3C%252E18%252E/%2E%2E/local_url?%2E\l.%5CINBOX.%3C%252E18%252E/[EMAIL
 PROTECTED]@@[EMAIL 
PROTECTED]@!&q=http://xssworm.com/&seo=blackhat

Please if you search XSS hacking also visit XSSWORM.COM
here: http://xssworm.com we have updates with blackhat and whitehat video
with XSS hacking tutorial by blackhat[2] Sunjester from litehackers.info

vaj

-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher - xssworm.com
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--

[2]
http://xssworm.blogvis.com/9/xssworm/what-is-a-blackhat-hacker-and-where-are-black-hats-hacking/


On Nov 9, 2007 8:36 AM, pdp (architect) <[EMAIL PROTECTED]>
wrote:

> well this XSS can lead to so much data being stolen that it is not even
> funny!
>
>
> On Nov 8, 2007 8:55 PM, Juergen Marester <[EMAIL PROTECTED] >
> wrote:
>
> > wow ! 0day !
> > damn, 0day, XSS ...
> >
> >
> > On 11/8/07, silky <[EMAIL PROTECTED]> wrote:
> > >
> > > worked for me minutes after it was posted. seems fixed now.
> > >
> > > On 11/9/07, crazy frog crazy frog < [EMAIL PROTECTED]> wrote:
> > > > i tested xssworm on gmail latest version
> > > >
> > > > On Nov 8, 2007 7:04 AM, Scripter Hack <[EMAIL PROTECTED] > wrote:
> > > > > There is an HTML injection video in https://www.xssworm.com .
> > > > > It is very critical, you can get the cookie to log in to Gmail or
> > > > > another service.
> > > > >
> > > > > POC:
> > > > >
> > > > > https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl">xssworm
> > > > >
> > > > > More:http://[EMAIL PROTECTED]/
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > why advertise on secgeeks?
> > > > http://[EMAIL 
> > > > PROTECTED]
> > > > http://newskicks.com
> > > >
> > > >
> > >
> >
> >
>
>
>
> --
> pdp (acronym) | petrol v. petco
> http://www.xssworm.com 
>
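
The POC quoted above only works if the login page reflects the continue= parameter into an HTML attribute without escaping, so that a `">` in the value closes the attribute and the tag. As an added example (not code from this thread or from Google), the constructed Python below extracts that parameter from the posted POC URL, renders it both unescaped and with attribute escaping, and checks whether the reflected value broke out of the attribute; the hidden-input template and the breakout check are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The POC URL as posted in the thread (the '">xssworm' tail is the injected part).
POC_URL = ('https://www.google.com/accounts/ServiceLogin?service=mail&rm=false'
           '&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl">xssworm')


def continue_param(login_url: str) -> str:
    """Return the decoded continue= value of a login URL (empty if absent)."""
    query = parse_qs(urlsplit(login_url).query, keep_blank_values=True)
    return query.get("continue", [""])[0]


def render_continue_unsafe(continue_url: str) -> str:
    """Assumed vulnerable template: raw value pasted into an attribute."""
    return f'<input type="hidden" name="continue" value="{continue_url}">'


def render_continue_safe(continue_url: str) -> str:
    """Hardened template: quote=True also escapes " and ', so the value
    can never terminate the attribute it is placed in."""
    return f'<input type="hidden" name="continue" value="{html.escape(continue_url, quote=True)}">'


class _Shape(HTMLParser):
    """Records how many tags the rendered fragment contains and any text
    that ended up outside a tag (the sign of an attribute breakout)."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = 0
        self.stray = ""

    def handle_starttag(self, tag, attrs):
        self.tags += 1

    def handle_data(self, data):
        self.stray += data


def attribute_breakout(rendered: str) -> bool:
    """True if the fragment no longer parses as a single <input> tag."""
    parser = _Shape()
    parser.feed(rendered)
    parser.close()
    return parser.tags != 1 or parser.stray.strip() != ""
```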

[Full-disclosure] [xssworm.com] Alert : XSS Worms - Cross-Site Scripting and Web 2.0 Application Security Blog

2007-10-26 Thread XSS Worm XSS Security Information Portal
Greetings To All

We are proud to announce the grand-opening of XSS Worm : Cross Site
Scripting Attacks ™ - http://www.xssworm.com/ - Cross Site Scripting Attacks
: the new site for discussion of XSS (also known as CSS (not to be confused
with Cascading Style Sheets (also sometimes referred to as CSS))
vulnerabilities) security issues in web-enabled networks and dynamic
Internet applications.

XSS - a word commonly used by modern security experts to categorize a wide
range of emerging web-enabled security threats. This unpronounceable word
was once said to derive from the common term "Cross Site Scripting" (the
leading X in this instance perhaps alluding to the Cross of the popular
novel.) Yes, friends, our Web sites are becoming more complicated from day to
day, and the number of web sites produced with plain HTML is decreasing on the
net. The popular ones use PHP, ASP, JSP and other technologies, and with this
increase the attacks are becoming more dangerous.

It's very common and unfortunately still an issue we have to deal with in
many web-aware applications. Internally the XSS WORM Team has been working
on several XSS Security projects to help mitigate and fix these security
issues, as well as to detect them in the code sources that are available
online so that they can be fixed a worm is developed.

According to a new study, up to over *90% of all (100%) web sites* may be
vulnerable to some form of security attack.

Prominent Jeremiah Grossman of WhiteHat Security (whitehat.com) — the Web
application security firm founded by vulnerability scanning whiz Jeremiah
Grossman — concludes that as many as 90 percent of all the sites that it has
tested in the last year remain open to some form of hijack or infection.

The leading problem remains many sites' vulnerability to cross-site
scripting (XSS) hacks, through which attackers place malicious code on
legitimate sites to trick end users into handing over their personal
information or passwords.

As many as 75 percent of the pages scanned by WhiteHat had some form of
XSS-exploitable flaw, according to the paper. But it's not only XSS Worms
that application developers have to be concerned about - according to
WhiteHat, Cross Request Forgery attacks are emerging as the "new .. [xss] "
and hackers are scrambling to update their virus engines.

"The best way to think about Response Splitting is that it's executed
similarly to Cross-Site Scripting (XSS) … *but more powerful*."  -- Jeremiah
Grossman

As in the rest of the online world, however, WhiteHat contends that XSS
threats top the list of vulnerability classes by vertical, followed closely
by Information Leakage.

"These statistics continue to reveal recurring and emerging issues that are
affecting Web sites across industries," said Grossman, who wears the title
of CTO at WhiteHat. "As increasing amounts of sensitive data are stored
online, WhiteHat remains vigilant about alerting companies to common attack
methods and emphasizing the importance of Web site vulnerability management
as part of their overall security posture."

The original security article source can be located at
http://weblog.infoworld.com/zeroday/archives/2007/10/study_90_percen.html

This is our introduction for the newest premium security information service
XSSworm.com : cross-site scripting attacks - we will be posting news and
updates on these topics and we welcome all of your comments on the topics of
Web 2.0 Security, Cross-Site Scripting, XSS Worms, XSRF Worms, Digg and
Social Networking worms, Youtube worms, Facebook worms, Web 2.0 Security and
XML and so much more.

Please pay our XSS page a visit and leave your comments! - only the most
relevant XSS security news, tools and comments - no spam please; your
blackhat SEO tricks are not welcome here.

This email has been cross-posted for discussion on our XSS Security
Discussion Forum board: http://tiniuri.com/f/n7 - replies welcome on list or
on site. Thanks.

Regards

The XSSWorm . Com Security Team.

--
Francesco Vaj
CSS Security Researcher -- XSSworm.com
mailto:[EMAIL PROTECTED]
Aim: XSS Cross Site
http://www.XSSworm.com - Cross Site Scripting Attacks
Web 2.0 Application Security Information Blog 2007 

"Vaj, bella vaj."