Re: Statistical Attack Against Virtual Banks

2000-02-09 Thread Andre L. Dos Santos
On Wed, 9 Feb 2000, HC Security wrote: > > > >(...) Therefore, it is a wide spread > > >practice to use 4 or 6 digit PINs. Because of the small length of the PINs > > >an attacker can target a particular account and try all possibilities. In > > >order to defend against this class of attacks, ban

Re: 'cross site scripting' CERT advisory and MS

2000-02-09 Thread Dustin Miller
First of all, why'd you post this as HTML? :) Secondly... OE uses the Internet Explorer embedded ActiveX control in its message view window. There's nothing you can do about that. Thirdly, an "HTML TO TEXT" converter is damn simple, and it would be TRIVIAL for Microsoft to make a simple one

Re: Novell BorderManager 3.5 Remote Slow Death

2000-02-09 Thread Matthew Firth
The issue also affects BorderManager 3.0 (sp2) running on NetWare 4.11 sp6a. I was able to replicate the memory allocation error but have not had any luck with obtaining the high CPU utilisation. Again, csatpxy.nlm is loaded by default on this system and unloading it stopped the memory allocatio

Re: Evil Cookies.

2000-02-09 Thread Michael Bryan
On 2/8/00 at 4:24 PM Ari Gordon-Schlosberg wrote: >[Dylan Griffiths <[EMAIL PROTECTED]>] >> >> A better solution would be explicit (ie: finer grained) control of cookies. >> Not as finely grained as the prompt option of Lynx, but more specific than >> the current Netscape settings. > >Actually, t

Re: recent 'cross site scripting' CERT advisory

2000-02-09 Thread Gregory Steuck
> "Henri" == Henri Torgemane <[EMAIL PROTECTED]> writes: Henri> But if it is done right (i.e.: you're explicitly specifying Henri> which files don't need a REFERRER check, rather than trying Henri> to keep a list of every script that needs it), I believe it Henri> can provide

Re: Statistical Attack Against Virtual Banks

2000-02-09 Thread Andre L. Dos Santos
On Wed, 9 Feb 2000, Swift Griggs wrote: > On Tue, 8 Feb 2000, Andre L. Dos Santos wrote: > > Many Virtual Banks rely on a fixed length personal identification > > number (PIN) to identify a user. Some banks, allow access to all of > > their online operations after a successful identification, ot

Re: recent 'cross site scripting' CERT advisory

2000-02-09 Thread Peter W
At 9:59am Feb 8, 2000, Taneli Huuskonen wrote: > Ari Gordon-Schlosberg wrote: > > > [Bill Thompson <[EMAIL PROTECTED]>] > > > One form of protection from a truly *cross-site* attack that I didn't > > > see mentioned in the CERT advisory is the trusty "HTTP_REFERER" > > HTTP_REFERER is trivial to

Re: Novell BorderManager 3.5 Remote Slow Death

2000-02-09 Thread Ron van Daal
Hello, I experienced the same problem with several servers running NetWare 5.0 sp4 and BorderManager 3.0 (Enterprise Edition). I discovered this bug a few months ago when doing a NMAP scan. When opening a telnet session to TCP port 2000 and hitting enter, the NetWare server gives the same Short T

Re: recent 'cross site scripting' CERT advisory

2000-02-09 Thread Mikael Olsson
Taneli Huuskonen wrote: > > Now, if trusted.com's > webserver refused to serve anything else but the index page unless the > Referer: field contained a trusted.com URL, this attack would be foiled. > > Now, is there a way to trick a browser into lying about the referrer? > According to http://www
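The Referer check discussed in this thread, as an added example rather than code from any of the posters: every path is denied unless the Referer parses to a trusted host, with an explicit exemption list for the pages that must be reachable without one (the index page, as Taneli Huuskonen describes, and static files, as Henri Torgemane suggests). The host names and exempt paths are assumptions made up for the example. It also contrasts the proper check with a naive "Referer contains trusted.com" substring match, which a cross-site page defeats simply by putting the trusted URL in its own query string. The usual caveat stands: any non-browser client forges Referer trivially, and some proxies strip it, so this only raises the bar for requests launched from a victim's browser.

```python
from urllib.parse import urlsplit

# Constructed configuration for this example (not from the thread).
TRUSTED_HOSTS = {"trusted.com", "www.trusted.com"}
# Paths that may be fetched with any or no Referer: the index page and static files.
REFERER_EXEMPT = {"/", "/index.html", "/robots.txt"}


def referer_host(referer):
    """Return the lowercase host of a Referer value, or None if absent or unparsable.

    Parsing the URL properly is what defeats Referers such as
    http://evil.com/?u=http://trusted.com/ or http://trusted.com@evil.com/.
    """
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def allow_request(path, referer):
    """Deny by default: a path needs a same-site Referer unless it is on the exempt list."""
    if path in REFERER_EXEMPT:
        return True
    return referer_host(referer) in TRUSTED_HOSTS


def naive_allow(path, referer):
    """The substring check as loosely worded in the thread, shown only for contrast."""
    if path in REFERER_EXEMPT:
        return True
    return referer is not None and "trusted.com" in referer


def check_access_log(entries):
    """Apply allow_request to (path, referer) pairs and return the denied ones.

    Useful for dry-running the policy against real traffic before enforcing it,
    so that legitimate entry points missing from REFERER_EXEMPT show up.
    """
    return [(path, referer) for path, referer in entries if not allow_request(path, referer)]


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header or None).
    sample = [
        ("/", None),
        ("/account", "http://trusted.com/index.html"),
        ("/account", "http://evil.com/?u=http://trusted.com/"),
        ("/account", "http://trusted.com@evil.com/"),
        ("/account", "http://trusted.com.evil.com/"),
        ("/account", None),
    ]
    for path, ref in sample:
        print(f"{path:10} {ref!s:45} proper={allow_request(path, ref)} naive={naive_allow(path, ref)}")
```

Run it against a day of access-log (path, Referer) pairs with `check_access_log` before turning the check on; any legitimate bookmarked or e-mailed entry point will show up in the denied list and belongs in `REFERER_EXEMPT`, which is the "list of files that don't need the check" Henri argues for rather than a list of every script that does.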

Re: Tempfile vulnerabilities

2000-02-09 Thread Marc Lehmann
> > /dev/random -- a world readable device -- should do the following: > > > > cat /dev/random > /dev/null & > > > > Crypto software which uses those devices should be doing some kind of > > checking to make sure that they are getting at least good entropy. I On linux at least, the above is

Re: Statistical Attack Against Virtual Banks

2000-02-09 Thread Swift Griggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 8 Feb 2000, Andre L. Dos Santos wrote: > Many Virtual Banks rely on a fixed length personal identification > number (PIN) to identify a user. Some banks, allow access to all of > their online operations after a successful identification, other

Re: Statistical Attack Against Virtual Banks

2000-02-09 Thread HC Security
> > Here in Norway I don't know of _any_ "virtual bank" which doesn't _at > > least_ use one-time passwords, or so-called digipasses (the user types his > > PIN on an small, personal calculator-type device which returns a 6 digit > > code to use for authentication in the virtual bank - this code e

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)

2000-02-09 Thread Smith, Eric V.
Not true, at least for the case of MS Sql Server 7. The following statement: insert into customer (name, primary_contact) values ('a', '4') succeeds where primary_contact is of type int (I also tried numeric just to be sure). I write code like this all of the time when I know the column names

Re: Statistical Attack Against Virtual Banks

2000-02-09 Thread HC Security
> >(...) Therefore, it is a wide spread > >practice to use 4 or 6 digit PINs. Because of the small length of the PINs > >an attacker can target a particular account and try all possibilities. In > >order to defend against this class of attacks, banks usually lock out > >accounts after a certain nu
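The attack the thread's subject refers to, worked through as an added example (not code from any poster): per-account lockout stops an attacker from exhausting one account's 4-digit PIN space, so the attacker instead tries one or two PINs against every account, never reaching the lockout threshold on any of them. The toy bank, the lockout threshold of 3 and the uniform random PINs are assumptions of the example; real PIN choices are far from uniform, which only makes the horizontal attack cheaper.

```python
import random

PIN_DIGITS = 4
PIN_SPACE = 10 ** PIN_DIGITS
LOCKOUT_THRESHOLD = 3   # failed attempts before an account locks (assumed policy)


class Bank:
    """Toy model of a PIN-only login with a per-account lockout counter (constructed)."""

    def __init__(self, n_accounts, rng):
        # Assumption: PINs uniformly random. Real users cluster on a few values.
        self.pins = {acct: rng.randrange(PIN_SPACE) for acct in range(n_accounts)}
        self.failures = {acct: 0 for acct in range(n_accounts)}
        self.locked = set()

    def login(self, acct, pin):
        if acct in self.locked:
            return False
        if self.pins[acct] == pin:
            self.failures[acct] = 0
            return True
        self.failures[acct] += 1
        if self.failures[acct] >= LOCKOUT_THRESHOLD:
            self.locked.add(acct)
        return False


def vertical_attack(bank, acct):
    """Exhaust one account's PIN space: the lockout ends this after a few guesses."""
    for pin in range(PIN_SPACE):
        if bank.login(acct, pin):
            return pin
        if acct in bank.locked:
            return None
    return None


def horizontal_attack(bank, guesses):
    """Try the same few PINs against every account, staying below the lockout
    threshold so no account locks and the bank sees only 'ordinary' failures.
    Returns {account: pin} for the accounts that opened."""
    if len(guesses) >= LOCKOUT_THRESHOLD:
        raise ValueError("too many guesses per account; lockouts would give the attack away")
    compromised = {}
    for acct in bank.pins:
        for pin in guesses:
            if bank.login(acct, pin):
                compromised[acct] = pin
                break
    return compromised


def expected_yield(n_accounts, n_guesses):
    """Expected number of accounts opened under the uniform-PIN assumption."""
    return n_accounts * n_guesses / PIN_SPACE


if __name__ == "__main__":
    bank = Bank(100_000, random.Random(1))
    print("vertical on account 0:", vertical_attack(bank, 0), "locked:", 0 in bank.locked)
    opened = horizontal_attack(bank, [1234, 0])
    print(f"horizontal: {len(opened)} accounts opened, {len(bank.locked)} locked (1 was already)")
    print("expected under uniform PINs:", expected_yield(100_000, 2))
```

Against 100,000 accounts with two guesses each the expected yield is 20 accounts and not a single lockout fires; with 6-digit PINs the same effort yields 0.2, which is why the Norwegian one-time-code devices mentioned later in the thread change the picture. On the defence side, the signal to look for is not lockouts but a burst of first and second failures spread across many accounts from one source, which per-account counters never see.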

Remote access vulnerability in all MySQL server versions

2000-02-09 Thread Elias Levy
- Forwarded message from Michael Widenius <[EMAIL PROTECTED]> - From: Michael Widenius <[EMAIL PROTECTED]> Message-ID: <[EMAIL PROTECTED]> Date: Wed, 9 Feb 2000 16:07:56 +0200 (EET) To: Elias Levy <[EMAIL PROTECTED]> Subject: Remote access vulnerability in all MySQL server versions X-Mail

Re: Tempfile vulnerabilities

2000-02-09 Thread Peter Berendi
On Sat, 5 Feb 2000, antirez wrote: > Sure but there is another problem, while evil user exec 'cat /dev/random > /dev/null &' maybe that the following results in an infinite loop: > > while(there_are_enougt_entropy() == 0) > sleep(1); > /* race -- what if the evil user starts to deplete th

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)

2000-02-09 Thread rain forest puppy
Just wanted to drop a few notes in regards to what some people just brought up.. Barclay Osborn wrote: > Maybe I'm reading this wrong, but I've never been able to piggyback > commands through mysql/DBI execute()'s, regardless of newlines, and even > when I have privs: No, you're correct. MySQ

[SAFER 000209.EXP.1.2] Zeus Web Server - obtaining source of CGI scripts

2000-02-09 Thread Vanja Hrustic
__ S.A.F.E.R. Security Bulletin 000209.EXP.1.2 __ TITLE: Zeus Web Server - obtaining source of CGI scripts DATE : February 09, 2000 NATURE : Remote user can obtain acc

Re: recent 'cross site scripting' CERT advisory

2000-02-09 Thread Manuel Martin
Hello altogether, On Sat, 5 Feb 2000 10:52:11 -0700 Marc Slemko wrote: > 2. Do not use a mail reader that forces you to display HTML messages. > Using something like Outlook Express is very dangerous, since it > means that you can be exploited if an email message arrives in your > inbox and is d

Re: Evil Cookies.

2000-02-09 Thread Ari Gordon-Schlosberg
[Dylan Griffiths <[EMAIL PROTECTED]>] > Thomas Reinke wrote: > > There is no easy patch to this problem. The only solution I > > can think of, which is not an easy one, would be to have browsers > > have intimate knowledge of what constitutes an organization's > > "domain of influence", and limit

Re: Fwd: CERT Advisory CA-2000-02

2000-02-09 Thread Len Budney
Byron Alley <[EMAIL PROTECTED]> wrote: > > Some web sites use an implementation based on this idea of a subset > of HTML. You don't even need to use real HTML - just take the most > useful functions, like bold, italics - and build a sub-language. > In at least one case I recall, a site used a for

don't run random "exploit" code

2000-02-09 Thread Marc Slemko
-BEGIN PGP SIGNED MESSAGE- Below is some code that I have seen a number of times, with some very slight variations, over the past few months. I have no idea how many people have been tricked by it. This does not exploit any hole in Apache, period. As a simple inspection shows you, it w

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)

2000-02-09 Thread Aaron Ross
Despite MySQL's implicit conversion, many RDBMS do _not_ allow strings around numeric values: With Sybase 11.9.2 e.g. 1> create table strnum ( 2> col1 int 3> ) 4> go 1> insert into strnum values ('1') 2> go Msg 257, Level 16, State 1 , Line 1 Implicit conversion from datatype 'VARCHAR' to 'IN

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)

2000-02-09 Thread Jeremy Whittington
Hello, I would like to make a comment on your statement about SQL Syntax and how you deal with numeric values. > If you're stating that you cannot enclose your numeric values in single > quotes in SQL query strings, it seems to be incorrect. I'm also using SQL as > my backend, and I've ALWAYS
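An added example for the quoting question running through Eric Smith's, Aaron Ross's and Jeremy Whittington's replies above (it is not code from the wwwthreads advisory or from any poster). SQLite is used here as a stand-in engine because, like the MS SQL Server and MySQL behaviour reported in the thread, it accepts `'4'` for an integer column, whereas Aaron Ross's Sybase output shows an engine that refuses the implicit conversion; the table and rows are constructed for the example. The point it adds is why the quoting matters: an unquoted numeric value taken from the request lets `4 OR 1=1` rewrite the WHERE clause, quoting closes that particular hole only as long as the value is also escaped, and a bound parameter with up-front validation removes the string building altogether and is portable across the engines that disagree about quoted numerics.

```python
import sqlite3


def setup():
    """In-memory table with an INTEGER column, filled with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, primary_contact INTEGER)"
    )
    con.executemany(
        "INSERT INTO customer (name, primary_contact) VALUES (?, ?)",
        [("a", 4), ("b", 5), ("c", 6)],
    )
    return con


def quoted_numeric_is_accepted(con):
    """Eric Smith's experiment: does this engine take '4' for an int column?

    Under SQLite's type affinity the text is converted and stored as an integer;
    Sybase, per Aaron Ross, raises an implicit-conversion error instead.
    """
    con.execute("INSERT INTO customer (name, primary_contact) VALUES ('d', '4')")
    return con.execute(
        "SELECT primary_contact, typeof(primary_contact) FROM customer WHERE name = 'd'"
    ).fetchone()


def lookup_unquoted(con, contact):
    """Vulnerable form: the value lands in the query bare, so '4 OR 1=1' is SQL."""
    sql = f"SELECT name FROM customer WHERE primary_contact = {contact} ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def lookup_quoted(con, contact):
    """Quoted form: the whole value is one string literal, so the OR is just text.
    Still depends on escaping every quote, and on the engine accepting '4' for int."""
    escaped = contact.replace("'", "''")
    sql = f"SELECT name FROM customer WHERE primary_contact = '{escaped}' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, contact):
    """Proper fix: validate the type, then bind the value; no query string is built.
    Returns None for input that is not an integer, so callers can reject it."""
    try:
        value = int(contact)
    except ValueError:
        return None
    return [
        row[0]
        for row in con.execute(
            "SELECT name FROM customer WHERE primary_contact = ? ORDER BY name", (value,)
        )
    ]


if __name__ == "__main__":
    con = setup()
    for hostile in ("4", "4 OR 1=1", "4' OR '1'='1"):
        print(repr(hostile), "unquoted:", lookup_unquoted(con, hostile) if "'" not in hostile else "syntax error",
              "quoted:", lookup_quoted(con, hostile), "param:", lookup_param(con, hostile))
    print("quoted numeric stored as:", quoted_numeric_is_accepted(con))
```

Note that `lookup_quoted` only happens to be safe here because the comparison of an integer column with the text `'4 OR 1=1'` fails on this engine; on a database that rejects quoted numerics the same statement errors out, and on one that silently truncates `'4 OR 1=1'` to 4 it would match. The parameterised version behaves the same everywhere, which is the real argument for it.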

Re: cookies - nothing new

2000-02-09 Thread MJE
Amazing what a simple search engine can reveal. http://homepages.paradise.net.nz/~glineham/cookiemonster.html .mark http://www.ntsecurity.net > More info used to be here: > > > > Does anyone know where it went?