ush.it - a beautiful place

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

January 11, 2010 at 2:16 am - Filed under Hacks, Language EN - 2587 words, reading time ~8 minutes

If you have read our previous article Jetty 6.x and 7.x Multiple Vulnerabilities you are already familiar with an attack vector called log escape sequence injection. It allows remote attackers to exploit terminal emulator vulnerabilities that can be triggered when files containing escape sequences are displayed in an unsafe manner. While the real issue belongs to the terminals, programs that do not sanitize their output make this vector relevant in the real world.

Jetty 6.x and 7.x Multiple Vulnerabilities

October 25, 2009 at 5:00 am - Filed under Hacks, Language EN - 2607 words, reading time ~8 minutes

Jetty is a pure Java application server used by big players like Google (Google AppEngine, Google Web Toolkit) and many projects and products like Eclipse, Alfresco Developers, Bea WebLogic Business Connect and WebLogic Event Server, Cisco Subscriber Edge Services Manager, Sybase EAServer, Apache Geronimo, HP OpenView Interconnect Tools and HP Openview Self-Healing, JFox, Zimbra Desktop and others (a more complete list is here: http://docs.codehaus.org/display/JETTY/Jetty+Powered). Finding a bug in such a widespread component is definitely interesting, as the exploitation scenarios are many. We were procrastinating a little too much on this advisory, but a CORE advisory burned some of our research and this month we found the time to contact the vendor and follow our disclosure procedure. As always, enjoy the reading!

Vtiger CRM 5.0.4 Multiple Vulnerabilities

August 18, 2009 at 3:55 pm - Filed under Hacks, Language EN - 1780 words, reading time ~5 minutes

In our publication PHP filesystem attack vectors - Take Two we highlighted some issues that can occur in applications written in PHP that make use of filesystem operations. This advisory for the Vtiger CRM application, version 5.0.4, is an example of how such generic issues can impact the security of a real world application.

PHP filesystem attack vectors - Take Two

July 26, 2009 at 2:31 am - Filed under Hacks, Language EN - 2669 words, reading time ~8 minutes

Did you enjoy our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and highlights new ways to evade filters using some path normalization issues. Have a nice reading!

SugarCRM 5.2.0e Remote Code Execution

June 13, 2009 at 6:44 pm - Filed under Hacks, Language EN - 1524 words, reading time ~5 minutes

FormMail 1.92 Multiple Vulnerabilities

May 12, 2009 at 4:19 am - Filed under Hacks, Language EN - 1928 words, reading time ~6 minutes

Do you remember FormMail? I hope so. It's Perl code belonging to the past, the glorious 1995 Internet era. FormMail is a CGI script used to create contact forms, but not a common one: it's historical, with millions of downloads and a dedicated Wikipedia page (http://en.wikipedia.org/wiki/FormMail). By the way, it's still used in both small and big deployments. FormMail development stopped in 1996, with the exception of security updates, and the last security issue is from April 19, 2002. Now one could expect a piece of software to be bug-free after 13 years of feature freeze and "stable" status. Well.. this is why we are here : ) Don't expect code execution, just enjoy the reading.

Zabbix 1.6.2 Frontend Multiple Vulnerabilities

March 3, 2009 at 9:10 pm - Filed under Hacks, Language EN - 1792 words, reading time ~5 minutes

Multiple vulnerabilities exist in the Zabbix frontend software, ranging from Remote Code Execution (RCE) to Cross Site Request Forgery (CSRF) and Local File Inclusion (LFI).

PHP filesystem attack vectors

February 8, 2009 at 3:13 am - Filed under Hacks, Language EN - 6792 words, reading time ~22 minutes

On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I had found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) of the PHP language. It was a path normalization issue and I asked them to keep it "secret" [4]; this was a good idea because my analysis was mostly incomplete and erroneous, but the idea was good and the bug was real and disposable.

XSS Cheat Sheet: non repeating payloads

January 26, 2009 at 12:40 pm - Filed under Hacks, Language EN - 206 words, reading time ~0 minutes

We always try to add something on topics discussed in old articles; if you liked XSS Cheat Sheet: the PLAINTEXT tag and XSS Cheat Sheet: two stage payloads perhaps you'll like this one. This article contains a more complete list of ways to avoid multiple execution of your payloads, it's a fast read!

25C3 (CCC Congress 2008) Tricks: makes you smile

January 6, 2009 at 10:58 pm - Filed under Team, Hacks, Language EN - 969 words, reading time ~3 minutes

Finally back from the CCC Congress 2008; thanks Berlin, you always provide heaps of fun!

Remote Command Execution in Moodle

December 16, 2008 at 4:30 pm - Filed under Hacks, Language EN - 926 words, reading time ~3 minutes

Last week we released on Bugtraq and FD an advisory about a remote command execution in Moodle 1.9.3. Unfortunately the vendor refused to issue a security release to allow an easy fix of the problem, since there are too many issues related to register_globals On in Moodle. We strongly advise end users to manually disable the vulnerable code by removing the file "filter/tex/texed.php", as exploits are emerging in the wild.

Collabtive 0.4.8 Multiple Vulnerabilities

November 11, 2008 at 1:42 pm - Filed under Hacks, Language EN - 913 words, reading time ~3 minutes

Luckily sometimes there's the time to publish advisories and do the lengthy "responsible"-disclosure process. Antonio discovered multiple vulnerabilities in Collabtive, a project management software, ranging from a stored XSS and an authentication bypass that leads to the creation of additional administrative users, to an arbitrary file upload vulnerability mixed with weak seeding. Have a good reading.

Shared hosting "file" handler PHP session dumper

September 9, 2008 at 6:02 pm - Filed under Hacks, Language EN - 519 words, reading time ~1 minutes

[Note: safely skip the descriptive part and go directly to the tool if you already know how PHP does session handling.] Sessions are a great feature as they allow developers to store sensitive data for a limited amount of time (the session lifetime) without having to ping-pong the whole dataset to and from the client. A session mechanism can be implemented at the "user" level in the application code, but most of the languages used to develop web applications provide various built-ins to accomplish the task. This is the case of PHP and its famous "session" module (Session Support in phpinfo()). The $_SESSION array can be used transparently and the session just has to be started with session_start() (or even automatically started at the configuration level with session.auto_start).

Google Chrome direct download link

September 2, 2008 at 10:52 pm - Filed under Reports, Language EN - 168 words, reading time ~0 minutes

http://dl.google.com/update2/installers/ChromeSetup.exe (It's - naturally - just the loader.)

LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts

August 18, 2008 at 12:47 pm - Filed under Hacks, Language EN - 1388 words, reading time ~4 minutes

Local File Inclusion (LFI) of session files to root escalation

July 9, 2008 at 3:11 pm - Filed under Insecurity, Language EN - 811 words, reading time ~2 minutes

While writing with Kuza55 an article about local file inclusion advanced exploitation, a very interesting piece of code emerged on milw0rm that shows another technique that has advantages and disadvantages but is surely smart and not that well known (while documented in some papers and actually exploited in the past).

mod_negotiation: directory listing, filename bruteforcing

July 2, 2008 at 2:40 pm - Filed under Hacks, Language EN - 2259 words, reading time ~7 minutes

As the first of a set of three, this paper explains in detail how to abuse some functionalities exposed by mod_negotiation, an Apache module enabled by default on many (most?) vanilla setups. The reference platform is a freshly installed Debian Etch system. The "Accept:" HTTP request header allows optimizing the number of requests needed to discover (bruteforce) filenames and extensions in the absence of directory listing. Details follow, a good read for a hot summer!

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

May 20, 2008 at 3:38 pm - Filed under Hacks, Language EN - 1568 words, reading time ~5 minutes

Together with Antonio "s4tan" Parata we are glad to release a forced disclosure advisory "Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities", because CVEs were emerging about the same issues disclosed to the vendor. The advisory includes an XSS for return_dynamic_filters.php, a CSRF for manage_user_create.php that allows the creation of administrative accounts, and code execution in adm_config_set.php.

WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

April 11, 2008 at 4:27 pm - Filed under Hacks, Language EN - 782 words, reading time ~2 minutes

We found multiple XSS issues in the sample code of the PHP Network client for WiKID, a Strong Authentication System. In detail, the identified reflected XSS issues were in the "login" page forms. Pretty standard issue from a technical standpoint: $PHP_SELF was not properly escaped and sanitized before being echoed back to the client, definitely a known scenario that still affects many different pieces of software.

Cacti 0.8.7a Multiple Vulnerabilities

April 4, 2008 at 12:33 am - Filed under Hacks, Language EN - 1934 words, reading time ~6 minutes

Together with my friend Antonio "s4tan" Parata we released this advisory affecting Cacti 0.8.7a. The issues found include XSS, SQL Injection, Path Disclosure and HTTP Response Splitting. Some bugs are logical flaws related to the use of $_REQUEST: in detail, filters were applied to $_GET or $_POST but later $_REQUEST was used. Since $_REQUEST is built in an order defined in php.ini (normally GPC), it was possible to bypass the check and inject the malicious payload in POST or COOKIE for GET, and in COOKIE for POST.

Team/site updates for 2008

April 4, 2008 at 12:32 am - Filed under Team, Language EN - 535 words, reading time ~1 minutes

As you probably noticed ush.it was pretty quiet in the last 5/6 months; this happened because there were cyclic dependencies in my todo list. Well, now the situation is unblocked again and you can, perhaps, expect new posts! Just to reply to the "no more updates/why don't you post more/etc" category of sentences, I would remind you that here we publish our research and naive contents, and most likely we are not going to comment/bounce/mirror everything happening in this amazing world. A direct consequence is that ush.it will never have daily, regular or forced updates.

Detect NoScript POC

October 11, 2007 at 6:40 pm - Filed under Hacks, Language EN - 816 words, reading time ~2 minutes

I was looking for a NoScript detector, something that could tell me if the user has JS disabled in the Firefox preferences or by the NoScript plugin written by Maone, and found nothing. To fix this I wrote this trivial POC that is able to accomplish the task: it performs fingerprinting based on the behavior of the browser under the different possible conditions and has proved really reliable in the measurements done so far.

Skype 1.4.118 for Linux = Panacea

October 7, 2007 at 4:01 pm - Filed under Insecurity, Language EN - 318 words, reading time ~1 minutes

A few moments ago I was reading the Skype 1.4.118 for Linux changelog and noticed a new feature named "Auto-accept file transfers". Damn, I thought: if it's on by default, an issue found accidentally some time ago is now fully weaponized: Skype 1.4.0.74 (probably also others) happily overwrites files without asking!

GreenSQL, a MySQL firewall, bypassed.

October 4, 2007 at 6:17 pm - Filed under Hacks, Language EN - 546 words, reading time ~1 minutes

Today on the mailing list one of our pupils, remix, posted about GreenSQL, "an Open Source database firewall used to protect databases from SQL injection attacks". In other words, something that stands to SQL as mod_security stands to HTTP.

Original Photo Gallery Remote Command Execution

October 2, 2007 at 9:54 pm - Filed under Hacks, Language EN - 666 words, reading time ~2 minutes

We found a severe vulnerability in the Original script, a photo gallery software. Remote command execution (directly into an exec()) is possible with register_globals on, regardless of the PHP version.

Scanning DMZ hosts with remote file opening

August 29, 2007 at 8:03 pm - Filed under Hacks, Language EN - 886 words, reading time ~2 minutes

Today Stefano had a nice idea on how to (ab)use remote furl enabled functions that normally could lead to a mere DoS. Options are Drive By Pharming, bruteforcing routers and HTTP based authentications, and Full LAN Scan. Sounds interesting? It is.

Architecture detection by PHP anomaly

August 22, 2007 at 1:09 am - Filed under Hacks, Language EN - 595 words, reading time ~1 minutes

Sometimes it's right to enjoy a more relaxed entry.

Why the Skype 0day exploit is a fake

August 18, 2007 at 12:10 pm - Filed under Insecurity, Language EN - 1523 words, reading time ~5 minutes

A lot of people contacted me about my post on FD. No, I have no clue of what's really going on and I can happily live believing the official reports (http://heartbeat.skype.com/) on the issue. This is the complete message I posted to FD in reply to Valery Marchuk (http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065343.html):

Clientside security: Hardening Mozilla Firefox

July 25, 2007 at 9:55 pm - Filed under Reports, Language EN - 652 words, reading time ~2 minutes

I'm sure you have already heard of the many external protocol handling vulnerabilities that hit Firefox lately. Normally on this site you read about "in-security"; this article is a little exception since it contains some tips that anybody can adopt to harden his preferred http/https client, also named Mozilla Firefox, through the about:config interface.

Flash Player/Plugin Video file parsing Remote Code Execution

July 13, 2007 at 5:28 pm - Filed under Insecurity, Language EN - 216 words, reading time ~0 minutes

Stefano Di Paola with contribution from Giorgio Fedon (both from a brand new security research company, MindedSecurity) and Elia Florio have just released the details about a Remote Code Execution flaw in Flash Plugin 9 independent from the OS. When parsing an FLV file with Adobe Flash Player it's possible to trigger an exploitable integer overflow.

XSS Cheat Sheet: two stage payloads

June 27, 2007 at 12:34 am - Filed under Hacks, Language EN - 2093 words, reading time ~6 minutes

When exploiting XSS holes you often find yourself working around size/length and character limitations. To avoid this type of problem a technique called "two stage payloads" comes to help. It's generally used when exploiting memory management vulnerabilities but applies to the XSS world too. The very basic idea is to have the payload divided in two parts: one that has to be injected in the entry point (PAY_ENTRY) and one that contains the actual data (PAY_DATA).

XSS Cheat Sheet: the PLAINTEXT tag

June 10, 2007 at 10:21 pm - Filed under Hacks, Language EN - 775 words, reading time ~2 minutes

When performing XSS attacks it often happens that the payload is displayed, and executed, multiple times, resulting in unwanted and unexpected behaviors. This can be avoided in many ways, for example using global variables in JS (eg: window['started'] = true;) and checking for the variable's existence at the very beginning of the payload, but when the filters are crazy and every char requires a notable effort (or when you are just in a hurry) one cheat gets the job done: the <PLAINTEXT> tag.

Install Firefox XPI without whitelist

June 4, 2007 at 4:50 pm - Filed under Insecurity, Language EN - 824 words, reading time ~2 minutes

Today I was reading Firefox XPI Install Prevention Bypass (http://www.0x000000.com/?i=329) and while it's not what it promised to be (there is no Install Prevention Bypass) it contained useful information that helped me elaborate two distinct thoughts.

Firefox <= 2.0.0.3 DOM Keylogger (bypass same-origin policy)

June 3, 2007 at 9:20 pm - Filed under Hacks, Language EN - 542 words, reading time ~1 minutes

On 30 May the Mozilla Foundation announced in its MFSA (Mozilla Foundation Security Advisory) 2007-16 a bug discovered by moz_bug_r_a4 able to bypass the same-origin policy using the addEventListener helper. Needless to say you can do really nasty things by exploiting this hole, ranging from XSS attacks to keystroke logging, with no same-origin limitation. If you are impatient jump directly to the demo DOM Event Keylogger.

Reflection on Stefano Di Paola

May 29, 2007 at 12:37 am - Filed under Team, Reports, Language EN - 728 words, reading time ~2 minutes

Anurag Agarwal has published a reflection on our friend Stefano Di Paola. The interview contains a condensed autobiography (nice reading, thanks Stefano!); the integral text follows.

Shadowpage vulnerability: the page that doesn't exist (Multiple browsers affected)

May 7, 2007 at 12:15 pm - Filed under Hacks, Language EN - 179 words, reading time ~0 minutes

Yesterday I (Francesco `ascii` Ongaro) found a low impact bug: basically it is possible to make the user visit a page that is not listed in the back/next button history. The fun happens when self.location.replace() is pointing to a page that issues an HTTP/1.x 302 Redirect + Location. Neither the initial nor the redirect page will be listed.

Interview with Rain Forest Puppy

May 1, 2007 at 9:09 pm - Filed under Reports, Language EN - 3236 words, reading time ~10 minutes

Antonio `s4tan` Parata, software security researcher and member of the ush team, interviews Rain Forest Puppy, famous bug hunter specialized in web application assessment. It's a pleasure for us to publish the full interview; in this case talk is not cheap.

Free Temporary and Anonymous email address providers

April 30, 2007 at 1:15 pm - Filed under Reports, Language EN - 186 words, reading time ~0 minutes

IE 7 and Firefox Digest Authentication Request Splitting

April 25, 2007 at 4:50 pm - Filed under Insecurity, Language EN - 204 words, reading time ~0 minutes

Stefano `wisec` Di Paola has just released a new advisory, IE 7 and Firefox Browsers Digest Authentication Request Splitting: basically, using the user field, an attacker is able to split the request by injecting arbitrary characters.

PHP import_request_variables() arbitrary variable overwrite

March 9, 2007 at 3:29 am - Filed under Hacks, Language EN - 1401 words, reading time ~4 minutes

My friend Stefano di Paola and I have discovered that a PHP function used to emulate register_globals on is able to overwrite any variable (also $_SESSION and $_SERVER) with the exception of $GLOBALS. Naturally, during the Month of PHP Bugs :)

Php Nuke wild POST XSS

March 9, 2007 at 12:47 am - Filed under Hacks, Language EN - 1530 words, reading time ~5 minutes

To demonstrate the import_request_variables() bug I've exploited a XSS flaw in PHP NUKE 8.0 that has an anti-CSRF routine. The import_request_variables() vulnerability will permit you to exploit a wide range of vectors (XSS, remote file inclusion, remote code execution, SQL injections, etc.) on software that makes use of it.

Bad url redirections (AKA: Many thanks to our partners!)

January 30, 2007 at 1:36 am - Filed under Hacks, Language EN - 724 words, reading time ~2 minutes

This story is mostly funsec, if you can't handle funsec stop reading :) You have just developed your brand new application; its name is EVIL.EXE. It's a very good application but nobody will install it without good partners.. You need somebody trusted by users that is willing to distribute it. So.. Let's go! Find out some good partners.

Pseudo threading with BASH

January 27, 2007 at 7:17 pm - Filed under Hacks, Language EN - 567 words, reading time ~1 minutes

Tonight I was in the process of mirroring all the tmbo.org daily pics for fast viewing. Their site has to be hosted on an ADSL link (like ush.it, hey this site is on a 200kbs/300kbs link, very unprofessional but no one can raid [stupid wordpress plug-in, this is not RAID in the sense of Redundant Disk Array but raid the verb] our server without our knowledge, think about the autistici/inventati aruba raid for example).

Adobe Acrobat Reader Plugin: Multiple Vulnerabilities

January 4, 2007 at 3:09 am - Filed under Insecurity, Language EN - 262 words, reading time ~0 minutes

From 23 to 31 December I was in Berlin for the CCC congress with other Italian security researchers and friends. We had a good time enjoying Berlin, drinking beer and exchanging information. Also, Stefano Di Paola and Giorgio Fedon disclosed some Adobe Acrobat Reader bugs in a larger talk titled Subverting AJAX.

Adobe Acrobat Reader Plugin: Multiple Vulnerabilities

January 4, 2007 at 1:56 am - Filed under Insecurity, Language EN - 993 words, reading time ~3 minutes

At CCC my friends Stefano Di Paola and Giorgio Fedon released some of their latest findings; note that this is a translation into Italian of the original advisory available on wisec.it (http://www.wisec.it/vulns.php?page=9), which of course is in English. The advisory is focused on some specific bugs, one of these is called UXSS (Universal Cross Site Scripting) in PDF files.

HttpOnly Cookies Reference

December 22, 2006 at 5:20 am - Filed under Reports, Insecurity, Language EN - 1274 words, reading time ~4 minutes

This is a collection of resources on the topic. Some of these methods are not bullet proof but will help you develop some proactive security when writing new web applications and when hardening existing ones.

IE7 ping back home, MS and your browsing history

December 20, 2006 at 9:15 pm - Filed under Insecurity, Language EN - 299 words, reading time ~0 minutes

It seems that Microsoft Internet Explorer 7 with the phishing filter active pings back home for every URL requested. This could be the default in many environments.

HttpOnly Cookies and Mozilla Firefox

July 28, 2006 at 12:04 am - Filed under Hacks, Language EN - 800 words, reading time ~2 minutes

This is an English translation of "HttpOnly e Firefox", a whitepaper of my friend Stefano Di Paola written in Italian.
Original Italian version: http://www.wisec.it/sectou.php

Practical XSS n1

April 14, 2006 at 3:06 am - Filed under Hacks, Language EN - 503 words, reading time ~1 minutes

This is a short email I wrote in reply to v9 AT fakehalo.us on vuln-dev@securityfocus.com, focused on how to exploit XSS vulnerabilities in the real world.

Milkeyway Captive Portal Multiple Vulnerabilities

March 16, 2006 at 3:31 am - Filed under Hacks, Language EN - 560 words, reading time ~1 minutes

Milkeyway is a software for the management and administration of internet access within public structures and frameworks, where the supplied service must be subject to a scrupulous inspection. Nearly all SQL queries are vulnerable to SQL injection. There are also some XSS vulnerabilities.

Arin.net XSS

March 3, 2006 at 8:55 pm - Filed under Insecurity, Language EN - 128 words, reading time ~0 minutes

J u a n wrote:
> On 3/3/06, Alexander Hristov <joffer@gmail.com> wrote:
>> Just tested : http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22
>> javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>> it still works for me
> works for me on internet explorer, didn't work with firefox 1.5

PmWiki remote file inclusion exploit

February 1, 2006 at 3:59 am - Filed under Hacks, Language EN - 881 words, reading time ~2 minutes

The purpose of this article is to make easily understandable the impact of some vulnerabilities exposed in the PmWiki Multiple Vulnerabilities and PHP5 Globals Vulnerability advisories.

Port scanning with online services

January 29, 2006 at 3:12 am - Filed under Hacks, Insecurity, Language EN - 45 words, reading time ~0 minutes

Some service misuse examples.

PHP5 Globals Vulnerability

January 25, 2006 at 9:30 pm - Filed under Hacks, Language EN - 769 words, reading time ~2 minutes

PHP5 Globals Vulnerability: with ?GLOBALS[foobar] you can set the value of the un-initialized $foobar variable.

PmWiki Multiple Vulnerabilities

January 24, 2006 at 7:23 pm - Filed under Hacks, Language EN - 1063 words, reading time ~3 minutes

This is both a PmWiki and PHP advisory, and works only with register_globals on. I totally missed the PHP GLOBALS[] GPC injection vulnerability and rediscovered it on my own (if only a few months before! argh!). Basically, in the worst scenario we are in front of two separate vulnerabilities: one regarding arbitrary remote file inclusion and code execution in PmWiki on PHP 5.x with globals on, and the other about the reintroduction of a bug that should have been fixed in 5.0.5 but works (at least) on the 2 most recent versions of PHP5.

Port scanner with dnsstuff

January 14, 2006 at 6:47 pm - Filed under Hacks, Insecurity, Language EN - 805 words, reading time ~2 minutes

Dnsstuff is a great service often integrated in browsers, widgets and extensions. They offer a number of tests (DNS Report, DNS Timing, WHOIS Lookup, Abuse Lookup, Domain Info, Spam database lookup, Reverse DNS lookup, IPWHOIS Lookup, City From IP, IP Routing Lookup, DNS lookup, Traceroute, Ping, ISP cached DNS lookup) and other conversion/math tools (URL deobfuscator, Free E-mail Lookup, CIDR/Netmask, E-mail Test, CSE HTML Validator, Decimal IPs). When applicable the tool is both IPv4 and IPv6 capable.

WebCalendar Multiple Vulnerabilities

November 28, 2005 at 2:05 pm - Filed under Hacks, Language EN - 1131 words, reading time ~3 minutes

WebCalendar is vulnerable to four SQL Injections (files activity_log.php, admin_handler.php, edit_template.php and export_handler.php) and one local file overwrite (export_handler.php); input validation will fix it.

Free Web Stat Multiple XSS Vulnerabilities

November 25, 2005 at 2:15 am - Filed under Hacks, Language EN - 1095 words, reading time ~3 minutes

FreeWebStat 1.0 rev37 (the latest version at the time of writing) is vulnerable to multiple XSS. The impact is a little bigger since data will be stored in a flat file and the result of a single query will persist for some time on the backend. A well-timed loop of requests will make the XSS permanent.

Php Web Statistik Multiple Vulnerabilities

November 19, 2005 at 5:19 pm - Filed under Hacks, Language EN - 596 words, reading time ~1 minutes

Php Web Statistik is vulnerable to javascript and html injection using the unchecked lastnumber variable; proper input validation will fix it. Just place an intval() at the right row. Other vulnerabilities have been discovered later.

Password discovery on 30gigs.com

November 16, 2005 at 2:40 pm - Filed under Insecurity, Language EN - 246 words, reading time ~0 minutes

cumhur onat found an SQL injection that allows discovering the password of an arbitrary user through the login page of the 30gigs.com mail service.

PHP iCalendar XSS

October 24, 2005 at 11:33 pm - Filed under Hacks, Language EN - 1203 words, reading time ~4 minutes

PHP iCalendar is vulnerable to Cross Site Scripting because of wrong input validation in index.php, and will include an arbitrary file ending with .php.