erally!!! It is in
the public's best interest to make our findings accessible to the vast
majority of people, simply because it is proven that the more people
know about a certain problem, the better.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org http://www.hakiri.com
--
pdp (
e to work
> with someone else... who better understands the big
> picture in security :-)
>
> CQ
>
> _______
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
t; situation: if you visit a remote page that happens to be malicious,
> > attackers can inject any commands they wish into your remote desktop
> > without any visible notice. No interaction is required. And the attack
> > is super generic btw, and probably 100% wormable.
>
> I looked at what you posted, but there is no info. And you say that you
> are "withholding the PoC" so there's no way I can begin to comment on
> what you say you can do. If you are saying that if I visit a site, you
> can inject whatever commands you want into an RDP session I have open
> (in regard to MSFT RDP, not Citrix) then I challenge you to post that
> information.
>
> Regardless, even in the presence of that type of attack, it still does
> nothing to degrade the value of security in depth; it only further
> illustrates the need.
>
> t
>
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
in any way,
> degrade the value of security in depth. In fact, it is a perfect
> example *for* security in depth in that regard: if this "attack"
> succeeds against anyone, it is not because security in depth does not
> exist, it is because security in depth was not prac
TED]> wrote:
> pdp (architect) wrote:
> > The attack is rather simple. All the bad guys have to do is to compose
> > a malicious RDP (for Windows Terminal Services) or ICA (for CITRIX)
> > file and send it to the victim. The victim is persuaded to open the
> > file b
blended into a balanced mix which, as you said, while under attack
does not give away the keys to the kingdom.
thanks
On 10/11/07, gboyce <[EMAIL PROTECTED]> wrote:
> On Thu, 11 Oct 2007, pdp (architect) wrote:
>
> > Thor, with no disrespect but you are wrong. Security in dep
CITRIX to react. Currently, I am not aware of any remedy
against the attack. Given CITRIX's popularity among corporations and
big organizations, it is highly recommended to take this warning with
extra caution.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
can follow. Hope that this is useful and at
the same time eye opening, not that it is something completely
amazing. But it does work and it works well.
cheers.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
ternet..I analyzed those PDFs, I
> didn't find any such thing. Did you check them? Are they related to any
> vulnerability?
>
> Regards,
> Taneja Vikas
> http://annysoft.wordpress.com
>
>
>
> On 9/20/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
> > >
; Is it a reverse attack by someone hurt :)
>
> --Through the Firewall,Out the Router,Down the T1,Across the Backbone,Bounced
> from Satellite Nothing but the Internet
>
> - Original Message
> From: pdp (architect) <[EMAIL PROTECTED]>
> To: bugtraq@securityfo
> My upcoming research features everything regarding this and the issue you
> have
> already discussed.
really :).. which one... the one from last year?
On 9/20/07, Aditya K Sood <[EMAIL PROTECTED]> wrote:
> pdp (architect) wrote:
> > http://www.gnucitizen.org/blog/0day-pd
the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.
A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon.
cheers
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
was tested on a plain/manila/vanilla version of XP SP2. All I did
> was update/upgrade to latest available from M$ Update.
>
> Sincerely,
> Aras Memisyazici
> IT/Security/Dev. Specialist
>
> Outreach Information Services
> Virginia Tech
>
> -Original Message
http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx
On the other hand Media Player 11 (Vista by default) is not exposed to
these attacks.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
ly worth it? Attackers are after your money, not your pictures or
school essays. Think about this for a second.
cheers
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
e for demonstration and more information how the
exploit works.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
t XSS.
I hope that you find the post useful.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
is
possible.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
when i visit google.com I get redirected to google.co.uk... which is
obviously a different domain :)
On 2/26/07, arman <[EMAIL PROTECTED]> wrote:
Ismail Dönmez wrote:
> On Friday 23 February 2007 16:29:35 Michael Silk wrote:
>
>> On 2/23/07, pdp (architect) <[EM
I have no idea. I have tested it on 2.0.0.1.
On 2/23/07, Michael Silk <[EMAIL PROTECTED]> wrote:
On 2/23/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
> http://www.gnucitizen.org/projects/hscan-redux/
doesn't work, win 2k3, ff 1.5.0.9
-- mike
--
pdp (architect) |
ck to precisely detect whether you are logged into your
router management interface. They can use this hack to detect your
router type and version as well. Based on this information, they might
be able to compromise the integrity of your network.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
tracked as:
https://bugzilla.mozilla.org/show_bug.cgi?id=371179
/mz
http://lcamtuf.coredump.cx
well-placed splog network can reach millions of users in a couple of hours.
On 2/22/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Thu, 22 Feb 2007, pdp (architect) wrote:
> This vulnerability is cute but not very useful mainly because a lot of
> social engineering is required.
could as well be quite high or at
least medium.
cheers
On 2/22/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Thu, 22 Feb 2007, pdp (architect) wrote:
> michal, is that a feature or a bug? maybe it is not obvious to me what
> you are doing but I feel that it is almost like a
weird, firefox slowly dies out
t2.html
t1.html
location.hostname="blog.com";
On 2/15/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
the first one runs in about:blank which is restricted. the se
b 2007, pdp (architect) wrote:
> I wonder whether we can execute code on about:config or about:cache.
Actually, there are several odd problems related to location updates and
location.hostname specifically, including one scenario that apparently
makes the script run with document.location
me-origin policy, can possibly tamper with the way these sites are
displayed or how they work.
Regards,
/mz
http://lcamtuf.coredump.cx/
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
he he receives a complaint that his input is
incorrect. The attacker repeats the process until all required
characters are entered into the FILE INPUT box.
simple.
On 2/11/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Sun, 11 Feb 2007, pdp (architect) wrote:
> here is an idea... we ca
what we want.
On 2/11/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
try this
setInterval(function () {
// keep pulling focus back to the 'foo' element every millisecond
document.getElementById('foo').focus();
},1);
:) the address bar is disabled...
On 2/11/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
> phh :), I found someth
try this
setInterval(function () {
// keep pulling focus back to the 'foo' element every millisecond
document.getElementById('foo').focus();
},1);
:) the address bar is disabled...
On 2/11/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
phh :), I found something very interesting when testing your IE
example... every time I try to type
checking your code to see what the hell is going on.
On 2/11/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Sun, 11 Feb 2007, pdp (architect) wrote:
> IE is vulnerable too, since I used to play around with this bug long
> time ago.
Possibly MS00-093, but that's long fixed. But yes
and executed with local file read privileges (in the
aforementioned example, the contents of BOOT.ini file would be
reported back to the victim).
(Ta-dah!)
/mz
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
mostly usable and quite stable.
If you have a proposal, question, suggestion or correction, please contact us.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
rous
Hi all,
Another possible solution is to use the Apache mod_security to filter that
kind of URLs.
bye
2007/1/4, pdp (architect) < [EMAIL PROTECTED]>:
ahhh, fragment identifiers make sense to browsers only. they are not
sent to the server
On 1/4/07, der wert <[EMAIL PROTECTED]> wro
agebox that
> > says "This operation is not allowed"
> >
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blog.eweek.com/blogs/larry%5Fseltzer/
> > Contributing Editor, PC Magazine
> > [EMAIL PROTECTED]
>
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
-pdf-xss-after-party/
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
ng with the URI.
D
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
e, or directly access the following URL:
http://www.gnucitizen.org/backframe/application.htm?Y2hhbm5lbCgnY2FybmF2YWwnLCAnaHR0cDovL3d3dy5nbnVjaXRpemVuLm9yZy9jYXJuYXZhbC9jaGFubmVsJyk7CnBvcHVsYXRlX2NoYW5uZWxzKCk7
On 1/3/07, Amit Klein <[EMAIL PROTECTED]> wrote:
pdp (architect) wrote:
> Am
ROTECTED]> wrote:
Amit Klein wrote:
> pdp (architect) wrote:
>> I will be very quick and just point to links where you can read about
>> this issue.
>>
>> It seems that PDF documents can execute JavaScript code for no
>> apparent reason by using the following te
andis <[EMAIL PROTECTED]> wrote:
Why bother with the token handling? If the request URI is a PDF and it is a
POST or contains URL parameters, just 30x to the naked PDF. Otherwise it's
safe to serve.
-j
On 1/3/07, Amit Klein <[EMAIL PROTECTED]> wrote:
> Amit Klein wrote:
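An added example, my own code rather than anything from this thread or from Amit Klein's or jandis's proposals, covering two points raised above: pdp's remark that fragment identifiers are never sent to the server (so a mod_security rule has nothing to match against), and jandis's shortcut of redirecting any PDF requested with POST or with URL parameters to the naked PDF. The function names, the tiny WSGI handler and the sample document store are illustrative assumptions; only the decision rule itself is taken from the thread.

```python
"""Added example (not from the thread): what the server can and cannot see
in a PDF request, plus the "30x to the naked PDF" rule as a WSGI handler.
All names here are illustrative assumptions, not code from the list."""
from urllib.parse import urlsplit


def request_target(url):
    """Return the request-target a browser actually puts on the request
    line for this URL: path plus query.  The fragment (everything after
    '#') is client-side only and never leaves the browser, so a filter
    on the server, mod_security included, has nothing to match against."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def pdf_policy(method, path, query):
    """The simplified rule from the thread: a PDF requested with POST or
    with any URL parameters is answered with a redirect to the bare PDF
    path; a plain GET for the bare path (and any non-PDF) is served."""
    if not path.lower().endswith(".pdf"):
        return ("serve", path)
    if method.upper() != "GET" or query:
        return ("redirect", path)
    return ("serve", path)


# Constructed stand-in for a document store; a real app would read from disk.
DOCUMENTS = {"/report.pdf": b"%PDF-1.4\n% constructed sample, not a real file\n"}


def app(environ, start_response):
    """Minimal WSGI application applying pdf_policy to every request."""
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    action, target = pdf_policy(method, path, query)
    if action == "redirect":
        # Location carries only the bare path: the query is dropped, and the
        # browser never told us about any fragment in the first place.
        start_response("302 Found", [("Location", target)])
        return [b""]
    body = DOCUMENTS.get(path)
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "application/pdf"),
                              ("Content-Length", str(len(body)))])
    return [body]


def handle(method, path, query=""):
    """Drive `app` with a hand-built environ; returns (status, headers, body)
    so the behaviour can be checked without running a server."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for url in ("http://www.example.com/report.pdf#foo=javascript:alert(1)",
                "http://www.example.com/report.pdf?foo=javascript:alert(1)"):
        print(url, "->", request_target(url))
    print(handle("GET", "/report.pdf", "foo=javascript:alert(1)")[:2])
    print(handle("GET", "/report.pdf")[0])
```

Two things worth noticing when running it: the query-string variant of the link produces a request the server can see and bounce, while the fragment variant arrives as a plain `GET /report.pdf` that is indistinguishable from a legitimate request, so whatever the browser and plugin do with that fragment after the response is outside the server's control. The shortcut rule also redirects every PDF request carrying any parameters at all, so an application that relies on query strings for its own PDF links will need the token-based variant instead.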
no worries, the vulnerability details presented on my blog post were
updated. good work.
On 1/3/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Quoting "pdp (architect)" <[EMAIL PROTECTED]>:
> This finding was originally mentioned by Sven Vetsch, on his blog.
> T
xhr.readyState%20==%204)%20%20%20%20%20%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.com',%20true);xhr.send(null);
More on the matter can be found here:
http://www.gnucitizen.org/blog/danger-danger-danger/
http://www.disenchant.ch/blog/hacking-wit
earn more about these types of worms and help other
online applications and communities protect themselves. This is much
better than just sitting in our comfy chairs and laughing at people's
mistakes.
Many thanks.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
ome later. The demonstrations do not
outline all AttackAPI features so spend some time over the source
code. The documentation is on its way. Any code and doc contributions
will be greatly appreciated.
Check the SVN for more information:
http://www.gnucitizen.org/svn/attackapi
Cheers
--
pdp (archi
quite
obvious.
Suggestions and comments are greatly appreciated.
--
pdp (architect)
http://www.gnucitizen.org
t a data: link, even if
the typical dangerous characters (', ", <, >, etc) were handled.
Don't get me wrong... I really like the vector, and what you've brought
to the list. I just don't think it should be considered another class.
cheers,
tim
1. http://en.wikipedia.org/wiki/XSS
--
pdp (architect)
http://www.gnucitizen.org
basis. Unfortunately because of its flexibility QuickTime
seems to allow execution of malicious content in a form of JavaScript
from media files such as mp3, mp4, m4a and everything else that is
supported.
The article can be found at the link above.
--
pdp (architect)
http://www.gnucitizen.org
in the past and none of its full
potential has been explored. The impact of this attack is much bigger
today and could affect many web applications.
--
pdp (architect)
http://www.gnucitizen.org
http://www.gnucitizen.org/blog/google-search-api-worms
The service that concerns me the most is Google AJAX Search API, the
new JavaScript powered search widget. In this article I cover the
potential problems with Google AJAX Search API and how it can be used
by web worms to propagate.
--
pdp
.
--
pdp (architect)
http://www.gnucitizen.org
l, this is it.
--
pdp (architect)
http://www.gnucitizen.org
be
possible to achieve similar result by invoking special ActionScript
methods from Flash.
POC can be found on the url above.
--
pdp (architect)
http://www.gnucitizen.org
ivates on a
certain date, mimicking a typical time bomb. Given the right channels, an
attacker can easily make their own digital piece of art a desirable
free product which will be exchanged among peers too, increasing the
success rate of the attack.
--
pdp (architect)
http://www.gnucitizen.org
technologies
that are designed to run on the WEB. This is why, IMHO, they are quite
a good platform for performing WEB/HTTP based attacks.
cheers
On 8/4/06, Thierry Zoller <[EMAIL PROTECTED]> wrote:
Dear pdp (architect),
pa> BTW, there are quite a lot cisco devices that have http open on
.
regards
BTW, there are quite a lot cisco devices that have http open on local
LAN vulnerable to IOS HTTP Authorization Vulnerability.
It has always been a matter of security vs. accessibility. This is why weak
On 8/4/06, Thierry Zoller <[EMAIL PROTECTED]> wrote:
Dear pdp (architect),
pa
n the
security level of the exploited device and open a worm hole.
It is quite simple and it is less complicated than it sounds.
--
pdp (architect)
http://www.gnucitizen.org
Inspired by SPI Dynamics - tiny JavaScript port scanner
http://www.gnucitizen.org/projects/javascript-port-scanner/
--
pdp (architect)
http://www.gnucitizen.org
59 matches