ush.it - a beautiful place

Remote Command Execution in Moodle

December 16, 2008 at 4:30 pm - Filed under aa, bb - 926 words, reading time ~3 minutes

Last week we released on Bugtraq and FD an advisory about a remote command execution in Moodle 1.9.3. Unluckily the vendor refused to issue a security release that would allow an easy fix of the problem, since there are too many issues related to register_globals On in Moodle. We strongly advise end users to manually disable the vulnerable code by removing the file "filter/tex/texed.php", as exploits are emerging in the wild.

Slides @System 2008 - Dipartimento di Informatica dell'Universita' di Pisa

December 16, 2008 at 3:58 pm - Filed under aa, bb - 397 words, reading time ~1 minute

On 11 December 2008, @System organized a workshop at the Dipartimento di Informatica dell'Universita' di Pisa, to which we contributed as speakers with two different seminars. Below you can find both presentations in PDF format.

Collabtive 0.4.8 Multiple Vulnerabilities

November 11, 2008 at 1:42 pm - Filed under aa, bb - 913 words, reading time ~3 minutes

Luckily, sometimes there's the time to publish advisories and go through the lengthy "responsible"-disclosure process. Antonio discovered multiple vulnerabilities in Collabtive, a project management software, ranging from a stored XSS and an authentication bypass that leads to the creation of additional administrative users, to an arbitrary file upload vulnerability combined with weak seeding. Have a good read.

Shared hosting "file" handler PHP session dumper

September 9, 2008 at 6:02 pm - Filed under aa, bb - 519 words, reading time ~1 minute

[Note: safely skip the descriptive part and go directly to the tool if you already know how PHP does session handling.] Sessions are a great feature, as they allow developers to store sensitive data for a limited amount of time (the session lifetime) without having to ping-pong the whole dataset to and from the client. A session mechanism can be implemented at the "user" level in the application code, but most of the languages used to develop web applications provide various built-ins to accomplish the task. This is the case for PHP and its famous "session" module (Session Support in phpinfo()). The $_SESSION array can be used transparently; the session just has to be started with session_start() (or even started automatically at the configuration level with session.auto_start).

Google Chrome direct download link

September 2, 2008 at 10:52 pm - Filed under aa, bb - 168 words, reading time ~0 minutes

http://dl.google.com/update2/installers/ChromeSetup.exe (It's - naturally - just the loader.)

LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts

August 18, 2008 at 12:47 pm - Filed under aa, bb - 1388 words, reading time ~4 minutes

European day "Liberta', non paura - fermiamo l'escalation della sorveglianza" (Freedom, not fear - stop the escalation of surveillance)

July 28, 2008 at 11:53 am - Filed under aa, bb - 126 words, reading time ~0 minutes

Our friends at Progetto Winston Smith announce the European day "Liberta', non paura - fermiamo l'escalation della sorveglianza" (Freedom, not fear - stop the escalation of surveillance), taking place on Saturday 11 October 2008 in Rome, a demonstration of dissent against mass surveillance. The initiative was conceived in Germany but can be replicated in every single member state, as desired.

Local File Inclusion (LFI) of session files to root escalation

July 9, 2008 at 3:11 pm - Filed under aa, bb - 811 words, reading time ~2 minutes

While writing an article with Kuza55 about advanced local file inclusion exploitation, a very interesting piece of code emerged on milw0rm that shows another technique which has advantages and disadvantages but is surely smart and not that well known (although documented in some papers and actually exploited in the past).

mod_negotiation: directory listing, filename bruteforcing

July 2, 2008 at 2:40 pm - Filed under aa, bb - 2259 words, reading time ~7 minutes

As the first of a set of three, this paper explains in detail how to abuse some functionalities exposed by mod_negotiation, an Apache module enabled by default on many (most?) vanilla setups. The reference platform is a freshly installed Debian Etch system. The "Accept:" HTTP request header makes it possible to reduce the number of requests needed to discover (bruteforce) filenames and extensions in the absence of directory listing. Details follow: good reading for a hot summer!

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

May 20, 2008 at 3:38 pm - Filed under aa, bb - 1568 words, reading time ~5 minutes

Together with Antonio "s4tan" Parata we are glad to release a forced disclosure advisory, "Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities", because CVEs were emerging about the same issues we had disclosed to the vendor. The advisory includes an XSS in return_dynamic_filters.php, a CSRF in manage_user_create.php that allows the creation of administrative accounts, and code execution in adm_config_set.php.

WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

April 11, 2008 at 4:27 pm - Filed under aa, bb - 782 words, reading time ~2 minutes

We found multiple XSS issues in the sample code of the PHP network client for WiKID, a strong authentication system. In detail, the identified reflected XSS issues were in the "login" page forms. A pretty standard issue from a technical standpoint: $PHP_SELF was not properly escaped and sanitized before being echoed back to the client, definitely a known scenario that still affects many different pieces of software.

Cacti 0.8.7a Multiple Vulnerabilities

April 4, 2008 at 12:33 am - Filed under aa, bb - 1934 words, reading time ~6 minutes

Together with my friend Antonio "s4tan" Parata we released this advisory affecting Cacti 0.8.7a. The issues found include XSS, SQL injection, path disclosure and HTTP response splitting. Some bugs are logical flaws related to the use of $_REQUEST: in detail, filters were applied to $_GET or $_POST, but $_REQUEST was used later on. Since $_REQUEST is built in an order defined in php.ini (normally GPC), it was possible to bypass the check and inject the malicious payload in POST or COOKIE for GET, and in COOKIE for POST.

Team/site updates for 2008

April 4, 2008 at 12:32 am - Filed under aa, bb - 535 words, reading time ~1 minute

As you probably noticed, ush.it was pretty quiet in the last 5/6 months; this happened because there were cyclic dependencies in my todo list. Well, now the situation is unblocked again and you can, perhaps, expect new posts! Just to reply to the "no more updates/why don't you post more/etc" category of comments, I would remind you that here we publish our own research and naive content, and most likely we are not going to comment on, bounce or mirror everything happening in this amazing world. A direct consequence is that ush.it will never have daily, regular or forced updates.
