Re: [Full-disclosure] FWD: PhotoPost vBGallery Important Security Bulletin
Addendum to my earlier post: since PHP and Perl etc. are all vulnerable, and PHP files can have many file suffixes besides .php, perhaps the better Files statement would just allow images and deny everything else:

    <Files ~ "\.(gif|jpe?g|png)$">

or maybe

    <FilesMatch "\.(gif|jpe?g|png)$">

You get the idea.

tr - Email solutions, MS Exchange alternatives and extrication, security services, systems integration. Contact:[EMAIL PROTECTED]

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] FWD: PhotoPost vBGallery Important Security Bulletin
Quoting [EMAIL PROTECTED] [EMAIL PROTECTED]: http://www.photopost.com/forum/showthread.php?t=134910 http://www.photopost.com/forum/showthread.php?p=1213648 It's unclear what type of bug it is about; they are referring to an Apache bug, but since all the hacks were used to access the database it could be SQL injection. This is a critical bug.

This is sort of clever, but obvious in hindsight. If a web site has an upload directory that is also readable, it will be vulnerable. Normal sysadmin configurations can prevent this exposure. Upload directories should not be directly viewable. That was the basis for numerous exploits of FrontPage systems back in the day. A script should validate the uploaded file and separately move it to a viewable directory.

The reason this is an Apache bug is that the default install uses an insecure setting for PHP scripts (Perl also). The AddType statement for PHP is normally system-wide, which means the web server will execute PHP scripts that may be found in the upload directory. This can be fixed multiple ways: move the PHP AddType statement into a directory stanza, or set directory options for directories where we would not expect to execute things, or use an AddType statement in the images directory, like:

    <Directory /www/htdocs/images>
        Options +IncludesNoExec -ExecCGI
        AddType text/html .php
        <Files ~ "\.php">
            Order allow,deny
            Deny from all
        </Files>
    </Directory>

That should be redundant enough.

tr
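An added example, not from either message in this thread and not PhotoPost's or Apache's own documentation: the weak server-wide handler the reply describes, followed by a hardened stanza for the upload directory that combines the directory-level lockdown from the reply with the image-only FilesMatch allow-list from the addendum. Apache 2.4 access syntax (Require) is used; the path /www/htdocs/uploads, the list of extra PHP suffixes, and the presence of mod_php are assumptions.

```apache
# --- Weak (the default the reply describes) --------------------------------
# A server-wide handler means a file uploaded as /uploads/shell.php (or
# shell.phtml, shell.php5 ...) is executed the moment someone requests it.
AddHandler application/x-httpd-php .php .phtml .php5

# --- Hardened stanza for the directory that receives uploads -----------------
# (assumed path; point it at the gallery's real upload directory)
<Directory "/www/htdocs/uploads">
    # No CGI, no SSI, no directory listings anywhere in this tree.
    Options -ExecCGI -Includes -Indexes

    # Stop an uploaded .htaccess from re-enabling any of the above.
    AllowOverride None

    # Undo every script handler/type the global config may have added, then
    # serve whatever is left as a plain static file.
    RemoveHandler .php .phtml .php5 .pl .cgi .py
    RemoveType    .php .phtml .php5
    SetHandler    default-handler

    # If mod_php is loaded, switch the engine off here as well
    # (module name varies by PHP version: mod_php5.c, mod_php7.c, mod_php.c).
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Allow-list: only image names are reachable; everything else is 403.
    Require all denied
    <FilesMatch "\.(gif|jpe?g|png)$">
        Require all granted
    </FilesMatch>
</Directory>
```

On Apache 2.2 replace the two Require lines with `Order allow,deny` / `Deny from all` in the Directory and `Order allow,deny` / `Allow from all` in the FilesMatch. The allow-list alone is not enough: with the server-wide AddHandler in place, mod_mime treats a name like `x.php.jpg` as PHP because the `.php` extension sets the handler and `.jpg` only sets the type, so the RemoveHandler/SetHandler lines inside the directory are what actually stop execution. Storing uploads outside DocumentRoot and serving them through a validating script, as the reply recommends, removes the whole class of problem.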
Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cybertrust ( C + )
I am a pentester and IDS/IPS administrator for a large-ish security firm. None of our tech staff worked on the corporate web site. We are too busy, and frankly, it's just not my bag. Public-facing websites are usually outsourced to professional graphic-arts firms and developed under the supervision of the Director of Business Development. It's usually a solid pile of fluffy buzzwords and crap.

I like where you are going, you're just not there yet. Your methodology is weak. You need to review the actionability of the deliverables. Ask for sanitized sample reports. The argument of who has the most leet hackers is unmeasurable and pointless. For commercial security firms the real criteria need to be focused on the business process that helps their clients improve their overall security posture. Not just "I found an XSS on your site", but how is the security infrastructure being managed and improved. Try looking at the actionability aspect of the companies' deliverables and see if you don't get better findings.

Some possible things to look for:
Do they include a screen shot for every finding?
Do they correlate each finding to a specific spot of code in the vulnerable app?
Do they work with your developers to assist with remediation and permanent resolution?
How much app dev experience do the pentesters have?
Do they have language and framework specialists on staff to review each finding and make relevant remediation recommendations?
Do they meet with the security team, the networking team, the server support team and the developer team separately in break-out sessions with specialists in each area?
Does every finding include a recommendation for permanent remediation?

Please get better. I like where you are going, you're just not there yet.

t.r.
Re: [Full-disclosure] Professional IT Security Service Providers - Exposed
Quoting [EMAIL PROTECTED]: Greetings List: My team and I have started doing critical reviews of security companies that offer Professional IT Security Services. We find ... snip

May I offer a correction. Try this message: "My team and I have reviewed web sites of companies and (based on their web dev skillz and marketing lingo) have rated the companies' security capabilities."

Based on their web sites. That makes me sad. That's right in there with counting the number of CISSPs at a company. The sales people I have to work with assure me that the product doesn't matter. They keep telling me all that matters is the sizzle on the website and the well-engineered marketing message. Every day I tell them they are f'd up aholes. It looks like they are right. *sigh*

tr
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
Quoting n/a n/a [EMAIL PROTECTED]: How much would you value this service? Would you pay $100, $10, $1 per hash to crack? Would you require anonymity to use the service?

I would pay $1 each for MD5 cracks of this type, $5 for DES crypt. Anonymity, hosted outside the US, would be an expected criterion.

t.r.
Re: [Full-disclosure] Signal to Noise Ratio
One person's noise is another person's signal. Except maybe for n3td3v. :))

t.r.
Re: [Full-disclosure] Kazaa
Quoting James_gmail-ij [EMAIL PROTECTED]: Other than removing Kazaa and preventing installation, how else can I block it from being used? At the firewall, with some additional programming. There was an article in one of the Linux magazines - LinuxJournal? - some time ago. Don't have the magazine to hand.

I remember this article: http://linuxjournal.com/article/6945 There are various modes, designed to evade trivial block rules. The article examines the protocols in detail and describes how to defeat it completely. At the time, I used the article's info to put together some snort rules, etc., but the protocol proved to be very adaptive, and it has mutated since 2003.

My current best effort is to not block the initial conversation setup. The same goes for BitTorrent. If you try to block it, it just keeps adapting till it gets through. You will lose that game. What I do instead is capture the initial Kazaa and BitTorrent traffic with snort, then shun the outside servers for one hour. It doesn't stop Kazaa or BitTorrent from working, but it does make the products work very, very poorly. Over time, we have seen a significant drop in the amount of traffic, and BitTorrent traffic has dropped to nearly zero. The reason you have to let the initial traffic burst out is because the first protocol it tries is easy to monitor and dissect; the later, adaptive traffic is harder to associate and dissect.

t
Re: [Full-disclosure] A Move to Remove
Quoting Edward Pearson [EMAIL PROTECTED]: Guys, please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.

Let him stay. If I don't stick up for his right to post whatever, who will stick up for my right to post once I have alienated you? Everyone is allowed to speak. Everyone is allowed to filter.

t
[Full-disclosure] -ADVISORY- + x Thu Mar 16 21:00:22 EST 2006 x + Heap Overflow in ISC INN
-ADVISORY- Thu Mar 16 21:00:22 EST 2006: Heap Overflow in ISC INN

DESCRIPTION
It is possible to make ISC INN crash or run arbitrary code by the use of malformed input.

WORKAROUND
This advisory has no workarounds on the issue in question.

VENDOR RESPONSE
ISC INN is extended no identified commentary.

APPENDIX A: VENDOR INFORMATION
http://www.isc.org/index.pl?/sw/inn/

APPENDIX B: REFERENCES
RFC 1191
Re: [Full-disclosure] msgina.dll
Quoting khaalel [EMAIL PROTECTED]: Googling, I find msgina.dll (http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx) but I don't know how to modify it (I'm a Linux and BSD hacker; Windows work is a world I visit rarely...). Did someone already work with this DLL? I'm looking for some code examples, some tutorials, some help to know how to use a smartcard and not login/password at startup...

I have written my own, plus I have modified others. It is not too difficult, but the available documentation is sparse. Had I known about pGina, I never would have written my own. http://pgina.xpasystems.com/ Another open source GINA is the agreement GINA that puts up security notices. I cannot find the link right now. The GINA model is quite simplistic (if not simple) and readily understandable. Anyway, if you have never worked with Windows system development tools, you are in for a treat. 8) Microsoft publishes two GINA samples with the SDK. Both are flawed, but it might get you started.

t
Re: [Full-disclosure] Undeletable user account.
Quoting James Bower [EMAIL PROTECTED]: Hi all, one of my servers has recently been compromised. No surprise, but the hacker created himself a user account. The problem is that I can't seem to delete the account. The account is not part of any group. When you look at the account and go to Member Of it doesn't show anything. When I try to delete it as the local admin I

You might find an interesting answer here: http://neworder.box.sk/newsread.php?newsid=13948 I have used the exploit described therein and it does work as advertised.

t
Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST
You'd think guys could learn to ignore the trolls, but such is life. Reply not to find out for whom the belle trolls; she trolls for thee.
Re: [Full-disclosure] Funny smtp helo in the logs
Quoting Aditya Deshmukh [EMAIL PROTECTED]: I have been seeing this in my logs over all the public SMTP servers, from all over the net. Anyone know what sends these kinds of HELO?

    124 09/10/2005 09:54:35 HELO -1209283632 --- 250 my.smtp.domain.server
    125 09/10/2005 09:55:27 HELO -1209747464 --- 250 my.smtp.domain.server
    snip
    02D 29/10/2005 20:39:12 HELO -1208865784 --- 250 my.smtp.domain.server
    017 30/10/2005 11:21:26 HELO -1216191992 --- 250 my.smtp.domain.server

They look like IP addresses to me (1216191992 = 72.125.157.248). I checked a few and they weren't SMTP listeners. I would go for the possibility that your mail server is being used as part of a reporting mechanism to notify the mother ship of vulnerable or infected IP addresses.
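An added example, not part of either message above: a small decoder for numeric HELO arguments of the kind shown in the log. The sample lines are constructed here to match the shape of the quoted log (they are not the original log file). For each value it returns both readings available: the absolute value as a dotted quad, which is the reading used in the reply (1216191992 -> 72.125.157.248), and the two's-complement reinterpretation of the negative number as an unsigned 32-bit value, with its hex form alongside so the samples can be compared byte by byte. The log format assumed by the regex is "HELO" followed by an optionally signed integer.

```python
import ipaddress
import re

# Constructed sample in the shape of the quoted log (not the original file).
SAMPLE_LOG = """\
124 09/10/2005 09:54:35 HELO -1209283632 --- 250 my.smtp.domain.server
125 09/10/2005 09:55:27 HELO -1209747464 --- 250 my.smtp.domain.server
02D 29/10/2005 20:39:12 HELO -1208865784 --- 250 my.smtp.domain.server
017 30/10/2005 11:21:26 HELO -1216191992 --- 250 my.smtp.domain.server
"""

# HELO keyword followed by an optionally signed decimal integer (assumed format).
HELO_RE = re.compile(r"\bHELO\s+(-?\d+)\b")


def decode_helo_int(value: int) -> dict:
    """Return the candidate readings of a numeric HELO argument.

    abs  : |value| as a 32-bit address, the reading used in the reply
           (1216191992 -> 72.125.157.248).
    twos : value reinterpreted as an unsigned 32-bit integer, i.e. the bit
           pattern a signed 32-bit int printed with %d actually holds.
    hex  : that bit pattern in hex, for comparing samples byte by byte.
    """
    u32 = value & 0xFFFFFFFF
    return {
        "abs": str(ipaddress.IPv4Address(abs(value) & 0xFFFFFFFF)),
        "twos": str(ipaddress.IPv4Address(u32)),
        "hex": f"0x{u32:08X}",
    }


def extract_numeric_helos(log_text: str) -> list:
    """Pull every numeric HELO argument out of the log and decode it."""
    rows = []
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if m:
            rows.append(decode_helo_int(int(m.group(1))))
    return rows


if __name__ == "__main__":
    for row in extract_numeric_helos(SAMPLE_LOG):
        print(row)
```

Run as a script it prints one row per HELO line. In the hex column the four sample values all share the high byte 0xB7; the absolute-value and two's-complement readings of a negative number differ, so a practitioner checking candidate addresses should decide which reading the sender's code is likely to have produced before probing either.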
Re: [Full-disclosure] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
Quoting Andrey Bayora [EMAIL PROTECTED]: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte. AUTHOR: Andrey Bayora (www.securityelf.org) Some file types like .bat, .html and .eml can be properly executed even if they have some unrelated beginning. For example, in the case of .BAT files it is possible to prepend some junk data at the beginning of the file without altering correct execution of the batch file. In my tests, I used the calc.exe headers (first 120 bytes - middle of the DOS stub section) to change 5 different files of existing viruses. In addition, the simplest test of this vulnerability is to prepend only the magic byte (MZ) to the existing malicious file and check if this file is detected by the antivirus program.

I have used inflex (http://www.pldaniels.com/inflex/) for years to avoid this type of problem. This may sound like a plug for Paul Daniels' work, but since it's OSS, why not? inflex features pedantic scanning, wherein it will reject an email attachment if the file name matches a regex [OR] the attachment gets a hit by your AV scanner [OR] any number of other conditions. This finding certainly makes the case for layering security.

t
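An added example, not Andrey Bayora's test files and not inflex code: it builds the forged file the way the advisory describes, prepending a 120-byte executable-looking prefix (or just "MZ") to a harmless, constructed batch file, and runs the result past two checks. `magic_led_scan` is a stand-in for a scanner that trusts the magic bytes: anything starting with "MZ" goes to a PE parser, which finds no "PE\0\0" signature at e_lfanew and gives up, so the text signature inside is never searched. That failure mode is an assumption modelled on the advisory's result, not a description of any named product. `pedantic_scan` is the layered decision the reply recommends: name deny-list OR scanner hit OR a disagreement between magic bytes and extension, each recorded as a reason.

```python
import os
import re

# Constructed sample data (not the advisory's malware samples): a harmless
# batch body and a 120-byte executable-looking prefix, as in the advisory's test.
BATCH_BODY = b"@echo off\r\necho hello from the batch file\r\n"
EXE_PREFIX = b"MZ" + b"\x90" * 118          # "MZ" magic followed by junk

# Toy signature the stand-in scanner looks for (assumed byte-string signature).
SIGNATURE = b"echo hello from the batch file"

DENY_NAME_RE = re.compile(r"\.(bat|cmd|com|exe|pif|scr|vbs)$", re.IGNORECASE)
EXECUTABLE_TYPES = {"pe", "elf"}


def forge_magic(payload: bytes, prefix: bytes = EXE_PREFIX) -> bytes:
    """Prepend an executable-looking header to a file whose interpreter
    (cmd.exe for .bat, a browser for .html, a mail client for .eml)
    tolerates leading junk. The payload itself is untouched."""
    return prefix + payload


def sniff_type(data: bytes) -> str:
    """Magic-byte classifier of the kind the evasion targets."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x7fELF"):
        return "elf"
    return "unknown"


def type_from_name(name: str) -> str:
    """What the extension claims the file is."""
    ext = os.path.splitext(name)[1].lower()
    return {".bat": "batch", ".cmd": "batch", ".html": "html", ".htm": "html",
            ".eml": "mail", ".exe": "pe", ".dll": "pe", ".scr": "pe"}.get(ext, "unknown")


def magic_led_scan(data: bytes) -> bool:
    """Stand-in for a scanner that trusts the magic bytes (assumed behaviour).
    An "MZ" file is handed to the PE path; with no valid PE header it is
    treated as a corrupt executable and reported clean, so the batch
    signature is never searched. Returns True on a signature hit."""
    if sniff_type(data) == "pe":
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little") if len(data) >= 0x40 else 0
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False            # "corrupt executable": this is the evasion
        return SIGNATURE in data
    return SIGNATURE in data


def pedantic_scan(name: str, data: bytes) -> list:
    """Layered (inflex-style pedantic) decision: collect every reason to reject."""
    reasons = []
    if DENY_NAME_RE.search(name):
        reasons.append("name matches deny list")
    if magic_led_scan(data):
        reasons.append("scanner signature hit")
    by_magic, by_name = sniff_type(data), type_from_name(name)
    if by_magic in EXECUTABLE_TYPES and by_name != by_magic:
        reasons.append(f"magic says {by_magic} but name says {by_name}")
    if by_name in EXECUTABLE_TYPES and by_magic != by_name:
        reasons.append(f"name says {by_name} but magic says {by_magic}")
    return reasons


def payload_intact(forged: bytes) -> bool:
    """The interpreter-facing content survives the prefix unchanged."""
    return forged.endswith(BATCH_BODY)


if __name__ == "__main__":
    forged = forge_magic(BATCH_BODY)
    print("plain .bat :", pedantic_scan("invoice.bat", BATCH_BODY))
    print("forged .bat:", pedantic_scan("invoice.bat", forged))
    print("forged .htm:", pedantic_scan("invoice.htm", forged))
```

The forged batch file evades the magic-led scanner entirely but is still caught twice by the layered check (deny-listed name, magic/extension mismatch); renamed to .htm it loses the name match and is caught only by the mismatch, which is the layer the reply is arguing for.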
Re: [Full-disclosure] vhost enumeration
Quoting unknown unknown [EMAIL PROTECTED]: I'm very interested in the idea of finding vhosts given an IP address. So far, the only way to do this is by querying open source facilities such as search engines and online statistic databases.

I think a zone transfer would be the only authoritative resource. Anything else is some degree of guesswork and is bound to miss unlinked sites, etc. There are still lots of older DNS servers out there which allow zone xfers, but the number is shrinking every day. Check all the secondary, tertiary, etc. servers.

t
[Full-disclosure] Nessus becoming closed. [was: Call to participate]
Some thoughts on Nessus becoming closed, Snort being bought, and the life cycle of OSS projects.

<soapbox>
I have heard this before, that "No one contributes." This is absolute crap. Let me list some contributions:

We showed your handiwork to hundreds of people so they could show others. In other words, we provided the seed capital for your marketing team.

We figured out the best way to use the product, participated in feedback forums, and chatted in newsgroups (like FD). In other words, we provided a marketing and development steering committee for your fledgling product. People in business know that valid customer feedback is truly priceless.

We went out among the world's security users and tried this thing out in every conceivable scenario. All feedback was forwarded directly to the development team.

We installed it for our friends. We showed others how to install it at user group meetings, at 2600 meetings, at conferences, in BoF breakout groups. They showed others how to install it.

We liked your work and we decided to make your product the new hegemon, the de-facto standard.

"Not contributing", my ass. We *made* you.

That is enough on that vein. In a nutshell, we made you. And we did it because we thought it was the right thing to do. We did it for free (rather than $200/hr for biz dev) because we knew that making your work shine like a diamond would make it an even better product. And it did get better. We endured the problems and tried to provide feedback where it made sense to do so.

In my own case I have contributed code, test cases, packet traces, etc. to sendmail, horde, php, linux-kernel, snort, nessus, uw-imap, gfs, sara/saint, and others. Usually it gets rejected with an arrogant snub (anybody ever correspond with Claus A. at sendmail? Yikes!). But sometimes I see my little contribution (with or without recognition) and I know I did the right thing. I am making the digital world a better place. And why not? I live and work in the digital world.
But that is OSS, right? As poorly written as it was, The Cathedral and the Bazaar had a point here: when people work without expectation of personal gain, the masses can achieve things that corporate software development will never approach. What the Cathedral document missed was that people can change their minds. If the community develops something it should belong to the community, but it doesn't. It belongs to the project lead person. Generally, we hope to see some enlightened leadership, and we can only trust the project lead to stick with us as we stick with him/her. No guarantees here, though.

Let this be a warning to the community. If enough OSS projects become closed, people will stop contributing. Result: end of OSS. For example, who didn't see through that recent post on FD about a 'contest' that ends up with everybody's work being in an online ezine with ads and such? Sounds like a scam to get free writing services for a new magazine. LOL. The digital community has become leery already of "new projects" that are thinly veiled attempts to get a new commercial venture off the ground. This is our Achilles' heel. Trust for the future is what holds us together and makes OSS work. Lose that and OSS is gone.

Let this be a warning to anyone who puts a project out as open source: the level of input you get from the community will be directly related to how much input you solicit from the community. Funny how that works. By their nature, people want to help out when they see an inkling of something great. To the developers of OSS projects, your only payback will be our praise, respect, adulation, and some fantastic stuff to put on your resume. Sorry, dude, that's all we have to give. But we will give it freely if your work is worthy.

To anyone thinking of starting an OSS project: if you think you have a chance to make big bucks off your new idea, don't put it out as open source. The OSS community deals with closed source as a malfunction to be worked around.
And work around it we shall. Frankly, Nessus was looking a little long in the tooth anyway. The old layer 2-4 attacks are passe. Nessus is so widely used that a pen tester who uses it will get stopped instantly. Every IDS and firewall knows about Nessus and views the traffic as "unauthorized recon". I have our IDS set to shun (at the firewall) any source address that shows packets that I can clearly identify as Nessus or Nikto traffic. I know I am opening myself up to a possible DoS by rogue machines sending fake Nessus packets, but I can deal with that.

The fact is that for the last three years, Nessus dev has not been 'accepting' of input from the community. Some of us cannot write a Nessus plug-in, but we are willing to submit packet traces and participate in a discussion about the exploit in question. That is also support.

Well that went much longer
Re: [Full-disclosure] Nessus becoming closed. [was: Call to participate]
Quoting Andrew Griffiths [EMAIL PROTECTED]: With regards to that, if you mean the pulltheplug competition / contest, the articles will be put up on the pulltheplug website, and may end up in the uninformed ezine. Did you look @ either of those websites? Pulltheplug has been around since '98 or so, and provides many things to the community, such as wargames, competitions, a friendly environment where people can meet each other, and learn off each other / share ideas.

I stand corrected. I had not heard of pulltheplug before. I did look at the contest website, and assumed it was a front for something else. My apologies for using PullThePlug as an example. I would suggest that my error on this account is an indicator of just how suspicious I have become about people using a newsgroup to ask for help from the community.
Re: [Full-disclosure] MS05-039 spreading was: AV Reaction Times of the latest MS05-039-based Worm Attacks
Quoting Andreas Marx [EMAIL PROTECTED]: Of course, we know that the problem related to MS05-039 is not primarily an AV problem, but something for (personal) firewalls, IDS/IPS systems and better patch management. :-)

This is sometimes hard to sit through. It is an access control problem. The rule of least access was violated by the IT staff of the infected organization. There was no valid business reason for end user X and end user Y to have access to one another's ports 135-445. Organizations that used some kind of NPAR technology to cut the network into zones successfully limited the spread of the worm from one machine to a few hundred machines. We routinely cut our networks into (up to) 4000 zones, putting (typically) one end user machine on each zone.

The solution is not to patch more often (that is necessary but not sufficient). The solution is not to make LSA, DCOM, or whatever safe (can't be done, and you are kidding yourself if you are waiting for that MS patch). The solution becomes apparent only after the network team decides to adopt the attitude of "Windows cannot be made safe, and I cannot remove Windows from my network, and all my laptop users are bringing worms in every day, and every idiot user out there is clicking on attachments that look interesting, and it's not going to get any better." It is an access control problem. If anybody on this list has not heard the principle of "first block everything, then allow only what's necessary" it would surprise me greatly. And yet we see IT organizations slapping in PCs by the boatload without thinking, maybe I have allowed too much access.

I throw this out for discussion and flames.

tc
Re: [Full-disclosure] Bypassing the new /GS protection in VC++ 7.1
Quoting [EMAIL PROTECTED]: On Fri, 19 Aug 2005 12:17:25 +0800, leaf said: Hey, buffer overflows will be harder and harder. Maybe the game is over.

The game will never be over. The best you can hope for is to find a cost-effective way to raise the bar high enough to keep the likelihood that you'll get hacked down to an acceptable level. There are a hundred (or more) ways to exploit a system. Even if /GS is 100% effective at preventing an executable stack segment, it simply means that one of the hundred openings is closed. Buffer overruns will probably exist in some other DLL on the system and that will become the new infection vector. I think it's a good thing, but it's a very tiny step.

I have been a systems programmer for more than 30 years, and I try to make my code as secure as possible. The code I wrote 15 years ago is probably completely exploitable by buffer overruns and who knows what else. The code I wrote last month would be much more difficult. Consider this: the program that has no buffer overrun vulnerabilities got that way because a programmer cared enough and was skilled enough to do it right. What /GS suggests (I am not on V7 yet, so I don't have first-hand experience here) is that any slacker can cobble together a poorly conceived interface with no input checking and super weak security-by-obscurity, bloated cookies loaded with personal info, and still sleep nights knowing that his app is invulnerable. Sounds good to me.

By the way, if I do eventually upgrade to 7 I intend to figure out how to exploit the /GS, just 'cause I think it's cool.

tc
Re: [Full-disclosure] What is this
Quoting Armando Rogerio Brandão Guimaraes Junior [EMAIL PROTECTED]: Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php AntiVirus and SpyBot don't detect it!!! Armando Guimarães Jr

It is an MS-EXE executable program. Anti-virus doesn't find it because it is not a virus. Spybot for the same reason. To block these you need an SMTP policy that does not allow executable attachments in incoming emails. What it does could be anything from typing "hello world" in a dialog box (unlikely) to creating a new Administrator account on your corporate AD server and posting the entire contents thereof to an IRC channel (somewhat more likely). But at first glance it looks like it is going to open a backdoor shell on the recipient's PC.

tc

This message was sent using IMP, the Internet Messaging Program.