Archive for September 15th, 2008
Media player exploits scare the crap out of me. The biggest reason they scare me is that “end users don’t think before they click that link” (c) 2008 Web Insecurity. Now, when they normally get an e-mail, they would never click the link if it was from their bank, but what happens if the link comes from a co-worker of theirs? Perhaps a peer in the professional industry, perhaps an e-mail from their doctor’s office, a friend, or a favorite department store mailing list with the details of a huge competition. The video form of media is very attractive to end users. Videos always spread around the net and e-mail like wildfire, hence the name “viral video”. Now what happens when a media player vulnerability is not withheld, like this new one: http://www.securityfocus.com/archive/1/496358? What happens when one of these gets added to Metasploit, or is combined with XSS / XSRF and maliciously linked on social networking sites?
I don’t have the answer, but I really don’t want to find out.
September 15th, 2008
Problems with Apache’s mod_proxy in Mandriva have been resolved with updated packages: a DoS in the main mod_proxy module and an XSS in the mod_proxy_ftp module.
Mandriva Linux Security Advisory MDVSA-2008:195
http://www.securityfocus.com/archive/1/496352
Problem Description:
A vulnerability was discovered in the mod_proxy module in Apache where
it did not limit the number of forwarded interim responses, allowing
remote HTTP servers to cause a denial of service (memory consumption)
via a large number of interim responses (CVE-2008-2364).
A cross-site scripting vulnerability was found in the mod_proxy_ftp
module in Apache that allowed remote attackers to inject arbitrary
web script or HTML via wildcards in a pathname in an FTP URI
(CVE-2008-2939).
The updated packages have been patched to prevent these issues.
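The DoS above comes from a proxy that will accept an unlimited number of 1xx interim responses from an origin server before the real response arrives. The following is an added example, not code from the advisory or from Apache, showing the defensive shape of the fix: a small HTTP response-head reader that skips interim responses but gives up once a cap is exceeded. The cap value, the sample traffic and all function names are constructed for this illustration.

```python
import io

# Constructed cap for this example; the patched mod_proxy enforces its own limit.
MAX_INTERIM_RESPONSES = 10


class TooManyInterimResponses(Exception):
    """Raised when an origin keeps sending 1xx responses past the cap."""


def read_head(stream):
    """Read one status line plus its header block from a byte stream.

    Returns (status_code, headers) or None if the stream is at EOF.
    """
    line = stream.readline()
    if not line:
        return None
    parts = line.decode("ascii", "replace").rstrip("\r\n").split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % line)
    status = int(parts[1])
    headers = {}
    while True:
        raw = stream.readline()
        if raw in (b"", b"\r\n", b"\n"):
            break
        name, _, value = raw.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def read_final_response(stream, max_interim=MAX_INTERIM_RESPONSES):
    """Skip 1xx interim responses and return the final one.

    Returns (status_code, headers, interim_count). Raises
    TooManyInterimResponses once more than max_interim interim heads have
    been consumed, so a hostile origin cannot keep us reading and allocating.
    """
    interim = 0
    while True:
        head = read_head(stream)
        if head is None:
            raise ValueError("connection closed before a final response")
        status, headers = head
        # 101 Switching Protocols is 1xx but not interim: the connection
        # changes hands after it, so it is treated as final here.
        if 100 <= status < 200 and status != 101:
            interim += 1
            if interim > max_interim:
                raise TooManyInterimResponses(
                    "more than %d interim responses" % max_interim)
            continue
        return status, headers, interim


# Constructed sample traffic: a well-behaved origin and a hostile one.
BENIGN = (b"HTTP/1.1 100 Continue\r\n\r\n" * 2
          + b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
HOSTILE = b"HTTP/1.1 100 Continue\r\n\r\n" * 500


def demo():
    """Run both samples; returns (status, content-length, skipped, rejected)."""
    status, headers, skipped = read_final_response(io.BytesIO(BENIGN))
    try:
        read_final_response(io.BytesIO(HOSTILE))
        hostile_rejected = False
    except TooManyInterimResponses:
        hostile_rejected = True
    return status, headers.get("content-length"), skipped, hostile_rejected


if __name__ == "__main__":
    print(demo())  # (200, '2', 2, True)
```

The check matters because each interim head costs a read and a header allocation; without a cap the origin, not the proxy, decides how much memory the proxy spends on one request.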
September 15th, 2008
Here is a round-up of the interesting SQL injections that were reported today. If you run any of these, make sure you update. If you don’t run any of these then you lucked out this time, but there is still time for more to be reported today.
phsBlog “sql_cid” SQL Injection Vulnerability
http://secunia.com/Advisories/31815/
http://www.phsdev.com/phsblog.php
phsBlog is a well-liked script on Hot Scripts. Too bad they didn’t properly sanitize all of their inputs. This one could potentially leave a lot of people with holes in their blog.
PSCRIPT Forum “showprofil.php” SQL Injection Vulnerability
http://secunia.com/Advisories/31872/
http://www.frsirt.com/english/advisories/2008/2559
http://milw0rm.com/exploits/6442
Reported under different names on FrSIRT and Secunia, but essentially the same attack or exploit. This issue is caused by an input validation error in the “showprofil.php” script when the “id” parameter is processed. We all know what happens next with SQL injections. Reported on milw0rm.
vbLOGIX Tutorials SQL Exploit
http://www.frsirt.com/english/advisories/2008/2563
http://secunia.com/Advisories/31829/
Product: http://www.vblogix.com/
There are so many open source “Tutorials” scripts out there that it seems silly to pay for one. vbLOGIX does have one you can pay for, and it just so happens that it now has a SQL injection. The advisory does not disclose what information can be accessed via the SQL injection, but it could be anything: logins and passwords being the most dangerous, or manipulation of data being minor (depending on your business).
Ruby on Rails “:limit” and “:offset” SQL Injection Vulnerabilities
http://www.frsirt.com/english/advisories/2008/2562
http://secunia.com/Advisories/31910/
Two vulnerabilities have been identified in Ruby on Rails, which could be exploited by remote attackers to execute arbitrary SQL queries. These issues are caused by input validation errors in ActiveRecord when processing the “:limit” and “:offset” parameters, which could be exploited by malicious people to conduct SQL injection attacks.
WebPortal “aid” Parameter Remote SQL Injection Vulnerability
http://www.frsirt.com/english/advisories/2008/2560
Summary: the issue is in the “download.php” script when processing the “aid” parameter.
I don’t exactly know why this “WebPortal” is listed as a vulnerability. There is no additional information as to who makes this product. WebPortals are pretty common on the web these days and I think that this advisory should be more specific. Props to StAkeR for finding it though.
iBoutique “cat” Parameter Remote SQL Injection Vulnerability
http://www.frsirt.com/english/advisories/2008/2561
http://www.netartmedia.net/iboutique/
iBoutique is an online “boutique” store, so naturally this one should be given some credit. This one needs to be updated if you run it.
Vulnerability: A vulnerability has been identified in iBoutique, which could be exploited by attackers to manipulate and inject SQL queries. This issue is caused by an input validation error in the “index.php” script when processing the “cat” parameter while “mod” is set to “products”, which could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information.
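Every item in this round-up is the same defect: a request parameter (“id”, “aid”, “cat”, or Rails’ “:limit” and “:offset”) pasted into SQL text. The following is an added example, not code from any of the products or from Rails, written in Python with an in-memory SQLite table so it runs stand-alone. It shows the vulnerable lookup beside its hardened form for a WHERE value, and separately why LIMIT/OFFSET need integer validation before they are interpolated, since many drivers will not bind them as parameters. The table, rows, and function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a blog or profile table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.invalid"),
        (2, "bob", "bob@example.invalid"),
        (3, "carol", "carol@example.invalid"),
    ])
    return conn


def show_profile_unsafe(conn, user_id):
    """The pattern behind the advisories above: the request parameter is
    pasted straight into the SQL text, so anything it contains becomes SQL."""
    sql = "SELECT id, name, email FROM profiles WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def show_profile_safe(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, name, email FROM profiles WHERE id = ?", (uid,)).fetchall()


def safe_limit_offset(limit, offset, max_limit=100):
    """LIMIT/OFFSET are often interpolated into SQL text because drivers
    may refuse to bind them. Coerce both to bounded non-negative integers,
    which is the shape of the fix for the Rails :limit/:offset issue."""
    try:
        lim, off = int(limit), int(offset)
    except (TypeError, ValueError):
        raise ValueError("limit and offset must be integers")
    if lim < 1 or lim > max_limit or off < 0:
        raise ValueError("limit or offset out of range")
    return lim, off


def list_profiles(conn, limit, offset):
    """Paged listing; only validated integers ever reach the SQL text."""
    lim, off = safe_limit_offset(limit, offset)
    sql = "SELECT id, name FROM profiles ORDER BY id LIMIT %d OFFSET %d" % (lim, off)
    return conn.execute(sql).fetchall()


def demo():
    """Returns (rows leaked by the unsafe lookup, safe lookup rejected,
    one valid page, crafted paging rejected)."""
    conn = make_db()
    # A crafted "id" that turns a lookup of one row into a dump of every row.
    crafted = "1 OR 1=1"
    leaked = len(show_profile_unsafe(conn, crafted))
    try:
        show_profile_safe(conn, crafted)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    page = list_profiles(conn, "2", "1")
    try:
        list_profiles(conn, "2; DROP TABLE profiles", "0")
        paging_rejected = False
    except ValueError:
        paging_rejected = True
    return leaked, safe_rejected, page, paging_rejected


if __name__ == "__main__":
    print(demo())  # (3, True, [(2, 'bob'), (3, 'carol')], True)
```

The two halves fix different things: parameter binding stops the database from ever parsing user input as SQL, while the integer coercion is the only option where the clause cannot be bound at all.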
September 15th, 2008
If you use phpMyAdmin you may not update as regularly as you should. It seems like every week they come out with an update. The thing about phpMyAdmin is that they release updates because exploits are released, but when they update they add a bunch of features. These features you may like or you may hate. Either way, you’re forced to update if you don’t want to be left exploited. Here is the “Fix list” for 2.11.9.1:
- bug #2031221 [auth] Links to version number on login screen
- bug #2032707 [core] PMA does not start if ini_set() is disabled
- bug #2004915 [bookmarks] Saved queries greater than 1000 chars not displayed
- bug #2037381 [export] Export type “replace” does not work
- bug #2037375 [export] DROP PROCEDURE needs IF EXISTS
- bug #2045512 [export] Numbers in Excel export
+ [lang] Norwegian UTF-8 original file remerged
- bug #2074250 [parser] Undefined variable seen_from
- (2.11.9.1) [security] Code execution vulnerability
Now, I’ve removed the colors and formatting. They haven’t added any features in this one; it’s just a bug-fix release. They put the [security] fix at the bottom, which to me is more important than any of the other “bugs”. The bugs are not in order, so I’m wondering why they put security at the bottom. Anyhow, a code execution vulnerability is not good, so update before you get owned.
September 15th, 2008
StingRay FTS Cross-Site Scripting Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064368.html
Secunia: http://secunia.com/Advisories/31645/
Product URL: http://www.porthale.co.uk/products/stingray/stingray.htm
As with a lot of XSS and web security advisories, it’s not uncommon to never have heard of the product. The StingRay FTS is a File Transfer Server. You may be asking why I’m writing about XSS exploits since they are so petty. The reason is, this exploit happens to be on a file server. Now, imagine if there was an XSS exploit on a corporate file server. How hard would it be to gain access? Your simple XSS exploit, a minor development oversight, has opened up your file server for further information gathering, corporate espionage and further attacks. The StingRay FTS has earned some awards, so it’s worthy of a mention. If you have one, patch it and make sure that the problem actually got patched.
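A file transfer server’s web front end renders names that users (or uploaders) chose, which is exactly where this kind of XSS lives. The following is an added example, not code from StingRay FTS or from the advisory, showing a directory listing rendered without encoding beside the corrected version that encodes each value for the context it lands in (URL path versus HTML text). The file names and function names are constructed for this illustration.

```python
import html
from urllib.parse import quote

# Constructed listing; the last entry is the kind of name an uploader
# could choose on a file server that reflects names into its web UI.
FILES = [
    "quarterly-report.pdf",
    "payroll & benefits.xlsx",
    "<script>alert(1)</script>.txt",
]


def render_listing_unsafe(names):
    """Raw interpolation: whatever is in the file name becomes markup."""
    rows = ['<li><a href="/files/%s">%s</a></li>' % (n, n) for n in names]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_listing_safe(names):
    """Encode per context: percent-encode the name inside the URL path,
    then HTML-escape both the attribute value and the visible text."""
    rows = []
    for n in names:
        href = "/files/" + quote(n, safe="")
        rows.append('<li><a href="%s">%s</a></li>'
                    % (html.escape(href, quote=True), html.escape(n)))
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def contains_script_tag(markup):
    """Crude check used only to compare the two renderings."""
    return "<script" in markup.lower()


def demo():
    """Returns (unsafe has live tag, safe has live tag, safe listing)."""
    unsafe = render_listing_unsafe(FILES)
    safe = render_listing_safe(FILES)
    return contains_script_tag(unsafe), contains_script_tag(safe), safe


if __name__ == "__main__":
    print(demo())
```

The point of the safe renderer is not the escaping call itself but that each value is encoded for the place it is inserted; an escaped name in the text node would still be wrong inside the href, and vice versa.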
September 15th, 2008
It seems like the last post on web-insecurity was a bit inaccurate. Andrew and I really were meaning to start this website back up again, but never found the time to do it. So, even 973 days late, web-insecurity.com is starting again. This time, I’m ready to roll and provide the latest in security news. Buckle your seat belts and subscribe to the RSS feed. It’s all downhill from here and it’s going to be a wild ride. Enjoy!
September 15th, 2008