ush.it - a beautiful place

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

May 20, 2008 at 3:38 pm - Filed under Hacks, Language EN - 1568 words, reading time ~5 minutes - Permalink - Comments

Together with Antonio "s4tan" Parata we are glad to release a forced disclosure advisory "Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities" cause CVE were emerging about the same issues disclosed to the vendor. The advisory includes an XSS for return_dynamic_filters.php, a CSRF for manage_user_create.php that allow the creation of administrative accounts and code execution in adm_config_set.php.

WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

April 11, 2008 at 4:27 pm - Filed under Hacks, Language EN - 782 words, reading time ~2 minutes - Permalink - Comments

We found multiple XSS issues in the sample code of the PHP Network client for WiKID, a Strong Authentication System. In detail identified reflected XSS were on the "login" page forms. Pretty standard issue from a technical standpoint: $PHP_SELF was not properly escaped and sanitized before being echoed back to the client, definitely a known scenario that still affect many different software.

Cacti 0.8.7a Multiple Vulnerabilities

April 4, 2008 at 12:33 am - Filed under Hacks, Language EN - 1934 words, reading time ~6 minutes - Permalink - Comments

Together with my friend Antonio "s4tan" Parata we released this advisory affecting Cacti 0.8.7a. Found issues include XSS, SQL Injection, Path Disclosure and HTTP Response Splitting. Some bugs are logical flaws related to the use of $_REQUEST, in detail filters were applied to $_GET or $_POST but later $_REQUEST was used. Since $_REQUEST is build in an order defined in php.ini (normally GPC) it was possible to bypass the check and inject the malicious payload in POST or COOKIE for GET and COOKIE for POST.

Team/site updates for 2008

April 4, 2008 at 12:32 am - Filed under Team, Language EN - 535 words, reading time ~1 minutes - Permalink - Comments

As you probably noticed ush.it was pretty quiet in the last 5/6 months, this happened because there were cyclic dependencies in my todo list. Well now the situation is unblocked again and you can, perhaps, expect new posts! Just to reply to the "no more updates/why don't you post more/etc" sentences category i would remind that here we publish our research and naive contents and most likely we are not going to comment/bounce/mirror everything happening in this amazing world. A direct consequence is that ush.it will never have daily, regular or forced updates.

Skype 1.4.118 for Linux = Panacea

October 7, 2007 at 4:01 pm - Filed under Insecurity, Language EN - 318 words, reading time ~1 minutes - Permalink - Comments

Few moments ago i was reading the Skype 1.4.118 for Linux changelog and noticed a new feature named "Auto-accept file transfers". Damn i thought, if it's by default an issue found accidentally some time ago is now fully weaponized: Skype 1.4.0.74 (probably also others) happily overwrites files without asking!

Detect NoScript POC

October 11, 2007 at 6:40 pm - Filed under Hacks, Language EN - 816 words, reading time ~2 minutes - Permalink - Comments

I was looking for a NoScript detector, something that could tell me if the user has JS disabled in the Firefox preferences or by the NoScript plugin written by Maone, and found nothing. To repair this i wrote this trivial POC that is able to accomplish the task, it performs fingerprinting based on the behavior of the browser under the different possible conditions and is really reliable from the measurements done until now.

GreenSQL, a MySQL firewall, bypassed.

October 4, 2007 at 6:17 pm - Filed under Hacks, Language EN - 546 words, reading time ~1 minutes - Permalink - Comments

Today on the ml one of our pupils, remix, posted about GreenSQL, "an Open Source database firewall used to protect databases from SQL injection attacks". In other words something that stands to SQL as mod_security stands to HTTP.

Original Photo Gallery Remote Command Execution

October 2, 2007 at 9:54 pm - Filed under Hacks, Language EN - 666 words, reading time ~2 minutes - Permalink - Comments

We found a severe vulnerability in the Original script, a photo gallery software. Remote command (directly into an exec()) execution is possible with register globals on regardless the PHP version.

Scanning DMZ hosts with remote file opening

August 29, 2007 at 8:03 pm - Filed under Hacks, Language EN - 886 words, reading time ~2 minutes - Permalink - Comments

Today Stefano had a nice idea on how to (ab)use remote furl enabled functions that normally could lead to a mere DoS. Options are Drive By Pharming, Bruteforcing routers and http based authentications and Full Lan Scan. Sounds interesting? It is.

Architecture detection by PHP anomaly

August 22, 2007 at 1:09 am - Filed under Hacks, Language EN - 595 words, reading time ~1 minutes - Permalink - Comments

Sometimes it's right to enjoy a more relaxed entry.

Why the Skype 0day exploit is a fake

August 18, 2007 at 12:10 pm - Filed under Insecurity, Language EN - 1523 words, reading time ~5 minutes - Permalink - Comments

A lot of people contacted me about my post on FD. No, I have no clue of what's really going and I can happily live believing the official reports (http://heartbeat.skype.com/) on the issue. This is the complete message I posted to FD in reply to Valery Marchuk (http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065343.html):

Clientside security: Hardening Mozilla Firefox

July 25, 2007 at 9:55 pm - Filed under Reports, Language EN - 652 words, reading time ~2 minutes - Permalink - Comments

I'm sure you have already heard of the many external protocol handling vulnerabilities that hitted Firefox lately. Normally on this site you read about "in-security", this article is a little exception since it contains some tips that anybody can adopt to harden his preferred http/https client, also named Mozilla Firefox, thought the about:config interface.

⌫ Previous entries
Next entries ⌦
THP USH Wisec DigitalBullets