-
MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
Microsoft has just published a remote vulnerability in the windows TCP/IP stack. "This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices…
-
Article: Bypassing DBMS_ASSERT in certain situations
David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protectagainst SQL injection attacks[1]. In [2] Alex Kornbrust showed that there are…
-
WordPress Admin Password Reset Vulnerability
"Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password…
-
Firefox 3.5 0Day published
"The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of the problem is…
-
Months later, more products identified using exploitable transparent proxy architecture
It's been more than 3 months since I published my paper on abusing transparent proxies with flash, and 4 months since CERT's Advisory (VU#435052). Since that time additional products have been identified as being exploitable. Still Vulnerable Squid http://www.squid-cache.org/ Astaro http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/24916-socket-capable-browser-plugins-result-transparent-proxy-abuse.html QBik Wingate http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2009-0802 Tiny Proxy? https://packetprotector.org/forum/viewtopic.php?id=4018 Smoothwall, SchoolGuardian, and NetworkGuardian http://www.kb.cert.org/vuls/id/MAPG-7M6SM7 Products with fixes…
-
WASC Threat Classification 2.0 Sneak Peek
Here is a sneak peek at the WASC Threat Classification v2.0. We’ve been working on this for more than a year and it’s been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement “The Threat Classification v2.0 outlines the attacks…
-
Three Web Application Firewall Advisories, Whitepaper Published
Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products. Artofdefence Hyperguard Web Application Firewal (Remote Denial of Service)http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution) http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt radware AppWall Web Application Firewall (Source code disclosure on management interface)http://www.h4ck1nb3rg.at/wafs/advisory_radware_appwall_200907.txt They have also…
-
Google Chrome Fixes Buffer Overflow Vulnerability
"Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs. CVE-2009-2121: Buffer overflow processing HTTP responsesGoogle Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could crash the browser and possibly…
-
Session Attacks and ASP.NET – Part 1
Sans has published part 1 of an article discussing Session Fixation attacks against .NET applications. "I’ve spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven’t looked at 4.0 beta…
-
Article: ‘Setting the appropriate security defect handling expectations in development and QA
I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather difficult task. As…
-
New paper by Amit Klein (Trusteer) – Temporary user tracking in major browsers and Cross-domain information leakage and attacks
Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross domain attacks are…
-
Understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV Vulnerability
Steve Friedl posted the following to bugtraq this afternoon. "There has been a fair amount written on the vulnerability itself, butthere's a large cohort who has no idea if their systems are at risk("What is WebDAV, and how do I know if I have or need it???"). So I've written a paper that lets one…
-
Compromising web content served over SSL via malicious proxies
Microsoft research has published an excellent paper describing many browser flaws. The use case primary involves an attacker hijacking the explicitly configured proxy used by the user and via HTTP code trickery they can access the content on an HTTPS established connection. It also outlines browser flaws involving caching of SSL certs ion combination with…
-
OpenSSH Protocol Pwned
"The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG). An attacker has a 2^{-18} (that is, one in 262,144) chance of success. ISG lead professor Kenny Patterson told…
-
Java Flaw still not fixed in Mac OS X
"According to Julien Tinnes in the CR0 Blog, it appears that Apple's recent security update failed to fix a Java flaw that was reported to Sun back in August 2008 and patched by Sun way back in December 2008. The upshot: according to the blog (and I've yet to be able to independently confirm it)…
-
IIS6.0 WebDav Unicode Remote Auth Bypass
Update: Microsoft has posted some additional information in multiple entries. A new unicode bug in IIS has been discovered which allows an attacker access to resources behind password protected sites. This issue only seems to affect IIS 6 (5 and 7 seem immune) and no fix has been issued at this time. Advisory: http://seclists.org/fulldisclosure/2009/May/att-0134/IIS_Advisory_pdfOverview: http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
-
Apple releases OS X 10.5.7 security updates
"Apple released an update to its Leopard operating system yesterday that comes loaded with a host of security and bug fixes as well as added hardware support. The Cupertino-based firm said OS X 10.5.7 patches several security loopholes related to PHP, CoreGraphics, Apache Web server and the company’s browser Safari. Three separate vulns that could…
-
Thousands of Vulnerabilities Detected In FAA’s Air Traffic Control Apps
"A government audit (PDF) has pinpointed more than 3,800 vulnerabilities — 763 of which are high-risk — in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk. The U.S. Department of Transportation report, with the help of auditors from KPMG, determined that the ATC's…
-
JavaScript flaw reported in Adobe Reader
"The United States' Computer Emergency Readiness Team (US-CERT) warned users of the ubiquitous Adobe Reader to disable the program's use of Javascript after Adobe warned on Monday that a possible flaw had been found. In a post to its product security blog, the company said it was investigating reports of a serious flaw in Adobe…
-
Google Chrome Universal XSS Vulnerability
"During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser – Google Chrome. These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside. Using a vulnerability in the ChromeHTML URL handler,…
-
OAuth Session Fixation Security Flaw Discovered
From the advisory "The attack starts with the attacker logging into an account he owns at the (honest) Consumer site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request Token). Later, the attacker…
-
Microsoft April patch tuesday addresses 8 security issues
"MS09-010Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477) This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Office Word. Do…
-
Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse
For over a year in my spare time I've been working on a abuse case against transparent proxies at my employer, and have just released my latest paper '"Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass…
-
Google Docs suffers serious security lapse
"Google confessed to a serious bug in its Docs sharing system over the weekend, but downplayed the security cockup by claiming only a tiny number of users had been affected. The internet search kingpin said that less than 0.05 per cent of Google Docs accounts were hit by a privacy breach after documents were shared…
-
Twitter SMS spoofing
"A fix against an SMS spoofing flaw involving micro-blogging service Twitter offers only partial protection. Tests by Heise Security found that providing a user knew the number of a phone associated with a Twitter account, it would be possible to use an SMS sender faking service to post fake status updates that appeared under a…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack