ush.it - a beautiful place

Zabbix 1.6.2 Frontend Multiple Vulnerabilities

March 3, 2009 at 9:10 pm - Filed under Hacks, Language EN - 1792 words, reading time ~5 minutes

Multiple Vulnerabilities exist in Zabbix front end software ranging from Remote Code Execution (RCE), to Cross Site Request Forgery (CSRF) and Local File Inclusion (LFI).

PHP filesystem attack vectors

February 8, 2009 at 3:13 am - Filed under Hacks, Language EN - 6792 words, reading time ~22 minutes

On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it "secret" [4]; this was a good idea because my analysis was mostly incomplete and erroneous, but the idea was good and the bug was real and disposable.

25C3 (CCC Congress 2008) Tricks: makes you smile

January 6, 2009 at 10:58 pm - Filed under Team, Hacks, Language EN - 969 words, reading time ~3 minutes

Finally back from CCC Conference 2008, thanks Berlin you always provide heaps of fun!

Remote Command Execution in Moodle

December 16, 2008 at 4:30 pm - Filed under Hacks, Language EN - 926 words, reading time ~3 minutes

Last week we released on Bugtraq and FD an advisory about a remote command execution in Moodle 1.9.3. Unluckily the vendor refused to issue a security release to allow an easy fix of the problem since there are too many issues related to register_globals On in Moodle. We strongly advise end users to manually disable the vulnerable code by removing the file "filter/tex/texed.php" as exploits are emerging in the wild.

Slides @System 2008 - Department of Computer Science, University of Pisa

December 16, 2008 at 3:58 pm - Filed under Team, Insecurity, Language IT - 397 words, reading time ~1 minutes

On 11 December 2008, @System organized a workshop at the Department of Computer Science of the University of Pisa, to which we contributed as speakers with two different seminars. Below you can find both presentations in PDF format.

Collabtive 0.4.8 Multiple Vulnerabilities

November 11, 2008 at 1:42 pm - Filed under Hacks, Language EN - 913 words, reading time ~3 minutes

Luckily sometimes there's the time to publish advisories and do the lengthy "responsible"-disclosure process. Antonio discovered multiple vulnerabilities in Collabtive, a project management software, ranging from a stored XSS and an authentication bypass that leads to the creation of additional administrative users to an arbitrary file upload vulnerability mixed with weak seeding. Have a good reading.

Shared hosting "file" handler PHP session dumper

September 9, 2008 at 6:02 pm - Filed under Hacks, Language EN - 519 words, reading time ~1 minutes

[Note: safely skip the descriptive part and go directly to the tool if you already know how PHP does session handling.] Sessions are a great feature as they allow developers to store sensitive data for a limited amount of time (the session lifetime) without having to ping-pong the whole dataset to and from the client. A session mechanism can be implemented at the "user" level in the application code but most of the languages used to develop web applications provide various built-ins to accomplish the task. This is the case of PHP and its famous "session" module (Session Support in phpinfo()). The $_SESSION array can be used transparently and the session has just to be started with session_start() (or even automatically started at the configuration level with session.auto_start).

Google Chrome direct download link

September 2, 2008 at 10:52 pm - Filed under Reports, Language EN - 168 words, reading time ~0 minutes

http://dl.google.com/update2/installers/ChromeSetup.exe (It's - naturally - just the loader.)

LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts

August 18, 2008 at 12:47 pm - Filed under Hacks, Language EN - 1388 words, reading time ~4 minutes

European day "Freedom, not fear - let's stop the escalation of surveillance"

July 28, 2008 at 11:53 am - Filed under Team, Language IT - 126 words, reading time ~0 minutes

Our friends at Progetto Winston Smith point out the European day "Freedom, not fear - let's stop the escalation of surveillance" (Saturday 11 October 2008 in Rome), a demonstration of dissent against mass surveillance. The initiative was conceived in Germany but can be replicated in each individual member state, as desired.

Local File Inclusion (LFI) of session files to root escalation

July 9, 2008 at 3:11 pm - Filed under Insecurity, Language EN - 811 words, reading time ~2 minutes

While writing an article with Kuza55 about advanced local file inclusion exploitation, a very interesting piece of code emerged on milw0rm that shows another technique that has advantages and disadvantages but is surely smart and not that well known (while documented in some papers and actually exploited in the past).

mod_negotiation: directory listing, filename bruteforcing

July 2, 2008 at 2:40 pm - Filed under Hacks, Language EN - 2259 words, reading time ~7 minutes

As the first of a set of three, this paper explains in detail how to abuse some functionalities exposed by mod_negotiation, an Apache module enabled by default on many (most?) vanilla setups. The reference platform is a freshly installed Debian Etch system. The "Accept:" HTTP request header makes it possible to optimize the number of requests needed to discover (bruteforce) filenames and extensions in the absence of directory listing. Details follow, a good reading for a hot summer!
