Re: [Full-disclosure] Geeklog = v1.6.0sr2 - Remote File Upload

2009-10-03 Thread darky

 Files with .jpg extensions can be uploaded, but these files can contain
 anything, like JavaScript or PHP code. Using Firefox you can upload any
 file with a .jpg extension and it will be accepted, since Firefox sets the
 MIME type based on file extension.

 Uploading usually requires that you first create a user account.  Once an
 account is created, you can upload a user photo, which could take advantage
 of this vulnerability.
   
Ok so this is not a remote file upload issue if you can only upload allowed
files (not files with bad exts); this is just a feature that doesn't validate
the mime type. This can help with another exploitation but you can't execute
code directly at this point.

 Potential Abuse
 ===
 Executable javascript can easily be uploaded. There are several XSS holes in
 many of the Geeklog plugins which could run the uploaded javascript. If a
 simple cookie stealing javascript were uploaded, it could be used to expose
 the Geeklog uid and password hash, which is as good as having the actual
 password.
   
So you just upload a JS file in order to help you with the XSS ?

 If you
 expose an administrative account, you have full access to the admin panel
 where you can set the staticpages.PHP permission to true, then create a
 static page that will run any PHP script you desire, potentially exposing
 the entire server.
   
Ok so here you have a remote code execution in the admin panel.

 Successful exploitation requires the ability to execute the uploaded
 JavaScript. The Geeklog Forum program can be used as an attack vector since
 it does not properly validate many $_GET / $_POST variables.

Could you give us some more details about these XSS vulnerabilities? :)

Cause all I see here is a RCE in the admin panel.
You confirm that there are XSS but we don't have any details about them...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
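As an added example (not code from the Geeklog advisory or from Geeklog itself), here is the server-side check that darky's objection points at: the accept/reject decision is made from the file's bytes, not from the browser-supplied MIME type that Firefox derives from the extension. The validate_upload() function, the file names and the sample byte strings are constructed for illustration.

```python
import re

# Magic bytes for the image types an avatar upload would plausibly accept.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business inside pixel data; their presence means a
# script or PHP payload is stored under an image extension (a heuristic,
# not a full image parser).
ACTIVE_CONTENT = re.compile(rb"<\?php|<\?=|<script\b|<html\b|<svg\b", re.IGNORECASE)


def validate_upload(filename: str, data: bytes, browser_mime: str) -> tuple:
    """Decide on an upload from its bytes. The browser MIME type is only
    echoed into the reason, never trusted. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, f"content is not a .{ext} image (client claimed {browser_mime})"
    if ACTIVE_CONTENT.search(data):
        return False, "script or PHP marker found inside image data"
    return True, "ok"


# Constructed sample uploads (not files from the advisory). Firefox would
# label every one of them image/jpeg because of the .jpg extension.
REAL_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 16 + b"\xff\xd9")
JS_AS_JPEG = b"<script>/* constructed sample */</script>"
PHP_AS_JPEG = b"<?php /* constructed sample */ ?>"
# A JPEG header with PHP hidden behind it: a magic-bytes check alone passes it.
POLYGLOT_JPEG = b"\xff\xd8\xff\xe1" + b"<?php /* constructed sample */ ?>" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("real", REAL_JPEG), ("js", JS_AS_JPEG),
                       ("php", PHP_AS_JPEG), ("polyglot", POLYGLOT_JPEG)):
        print(name, validate_upload("avatar.jpg", blob, "image/jpeg"))
```

The marker scan is only a heuristic; the stronger fix for an avatar upload is to decode and re-encode the image server-side (PHP's GD does this), which discards anything that is not pixel data.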


Re: [Full-disclosure] [EquipoFraude] Full Path Disclosure in most wordpress' plugins [?]

2009-10-03 Thread Zerial.

Victor Antonio Torre Villahoz wrote:
 This not only happens in the plugins; all files in wp-admin/import/ have
 errors like it.
 
 I fixed it using:
 
 if ( defined('WP_ADMIN') or defined('WP_USE_THEMES') ) {
     // continue
 }
 else {
     die();
 }


I've received an email which contains a lot of files which are
vulnerable to FPD:

wp-admin/includes/admin.php
wp-admin/includes/class-ftp-pure.php
wp-admin/includes/class-ftp-sockets.php
wp-admin/includes/class-wp-filesystem-direct.php
wp-admin/includes/class-wp-filesystem-ftpext.php
wp-admin/includes/class-wp-filesystem-ftpsockets.php
wp-admin/includes/class-wp-filesystem-ssh2.php
wp-admin/includes/comment.php
wp-admin/includes/continents-cities.php
wp-admin/includes/file.php
wp-admin/includes/media.php
wp-admin/includes/misc.php
wp-admin/includes/plugin-install.php
wp-admin/includes/plugin.php
wp-admin/includes/schema.php
wp-admin/includes/template.php
wp-admin/includes/theme-install.php
wp-admin/includes/update.php
wp-admin/includes/upgrade.php
wp-admin/includes/user.php

Solution:

if ( defined('WP_ADMIN') or defined('WP_USE_THEMES') ) {
    // continue
}
else {
    die("Oops! Don't run this script directly, n00b");
}
// or: bail out unless WordPress itself has loaded this file
if ( ! defined('ABSPATH') ) {
    die("Oops! Don't run this script directly, n00b");
}

 
 
 Fernando A. Lagos B. wrote:
 There is a call to add_action() without validating with function_exists().
 When I run the php script directly, I get the full path of the wp installation.
 
 Example:
 [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
 [+] http://www.marco2010.cl/wp-content/plugins/hello.php
 
 
 Is it a bug? Is it a feature?
 
 More details posted in my blog:
 http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/
 (spanish)
 
 
 cheers.
 

- --
Fernando A. Lagos Berardi - Zerial
Web Developer and Programmer
Information Security
Linux User #382319
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zer...@jabberes.org
GTalk & MSN: ferna...@zerial.org


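As an added example (not from Zerial's post and not WordPress code), a small Python audit that checks the other side of this report: it flags PHP files that call into the WordPress API before any direct-access guard of the kinds proposed in the thread, so a site owner can find files that would leak the install path when requested directly. The audit_source() and audit_tree() functions, the regexes and the two sample plugins are constructed for illustration.

```python
import os
import re

# A direct-access guard of the kinds proposed in this thread.
GUARD_RE = re.compile(
    r"defined\(\s*['\"](ABSPATH|WP_ADMIN|WP_USE_THEMES)['\"]\s*\)"
    r"|function_exists\(\s*['\"]add_action['\"]\s*\)"
)
# WordPress API calls that die with a fatal error (and the full path, when
# display_errors is on) if the file is requested directly.
WP_CALL_RE = re.compile(r"\b(add_action|add_filter|register_activation_hook)\s*\(")


def audit_source(src: str) -> list:
    """Return (line_no, function) for each WordPress API call made before
    any guard; only the guard's presence is checked, not its logic."""
    findings, guarded = [], False
    for no, line in enumerate(src.splitlines(), start=1):
        if GUARD_RE.search(line):
            guarded = True
        m = WP_CALL_RE.search(line)
        if m and not guarded:
            findings.append((no, m.group(1)))
    return findings


def audit_tree(root: str) -> dict:
    """Audit every .php file under root; maps relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_source(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed samples (not real plugin code): a plugin hooking in with no
# guard, and the same plugin with the ABSPATH guard from the thread.
UNGUARDED_PLUGIN = "<?php\nadd_action('init', 'sample_init');\nfunction sample_init() { }\n"
GUARDED_PLUGIN = """<?php
if ( ! defined('ABSPATH') ) { die("Oops! Don't run this script directly, n00b"); }
add_action('init', 'sample_init');
function sample_init() { }
"""
```

The path leak itself comes from PHP printing the fatal error, so display_errors=Off in production hides it even where a guard is missing; the guard is still the proper fix because it stops the script from being entered at all.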


Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-03 Thread yersinia
On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious fred.vici...@gmail.com wrote:

 Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
 DEP/ASLR there... But as you said, so far there's no known catch-all
 technique against IE8.
 Along with other security features (
 http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
 this basically means that IE8 is the most secure web browser nowadays?

Depends. IMHO there is no such thing as the most secure browser (there is no
most secure software, ever). But there is a more secure env in which the
browser runs. There is some difference if I run Firefox in Windows XP and if
I run Firefox within a SELinux guest account under Fedora.

 On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott jared.dem...@harris.com wrote:

 I'm not aware of any catch-all technique just for IE8, though there are
 a few common ones like return oriented programming.  Application
 specific techniques are also common when third party extensions are
 involved.

 --
 __
 Jared D. DeMott
 Principal Security Researcher




 --
 Best wishes,
 Freddie Vicious
 http://twitter.com/viciousf



Re: [Full-disclosure] So weev...

2009-10-03 Thread TheLearner
I disagree.

The usage of Alleged and Likelihood (sic) are qualifiers.

Illegal criminal, however, is a double positive.

I'd like to make a break in the conversation to say that Weev loves 
is a security risk not just to government but to businesses and 
people.

Do the right thing. Submit all every last tidbit of information on 
weev to: http://tips.fbi.gov

Not at all, I'm sure!


On Sat, 03 Oct 2009 01:43:02 + dramacrat yirim...@gmail.com 
wrote:
I wouldn't be too concerned if I was weev.

A guy who uses phrases like *alleged suspect* and* likelihood 
chance* is
after him! Oh dear, he must be going to accuse weev of being an 
*illegal
criminal*!

2009/10/3 GOBBLES gobbles1...@safe-mail.net

 This is about fighting crime. Not about putting your stuff into 
the alleged
 suspect's mother.

 Please have some sense of courtesy and professionalism.

 *ISRAEL*
 Internet Sleuth, Richard Anderson,
 Electronic Lawyer


  Original Message 
 From: BMF badmotherfs...@gmail.com
 To: GOBBLES gobbles1...@safe-mail.net
 Cc: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] So weev...
 Date: Fri, 2 Oct 2009 17:08:40 -0700


 On Fri, Oct 2, 2009 at 4:57 PM, GOBBLES gobbles1...@safe-
mail.net wrote:

 There is a strong likelihood chance we can get Andrew into 
prison for his
 criminal activity.


 Sweet! I love to send people to Federal Pound me in the ass 
Prison! While
 Bubba is fudgin' this weev character I can be fudgin' his 
momma!






[Full-disclosure] n3td3v banned from full-disclosure mailing list

2009-10-03 Thread full-censorship
TheLearner mrxisapl...@hush.com wrote:
 This will not stand.

 The Information Security community has absolutely no tolerance for
 censorship.

where have you been for the last 10 months?



[Full-disclosure] Weev, AKA Andrew Auernheimer [Fullinfo Doc(TM) revision #1]

2009-10-03 Thread TheLearner
Eyeballing Weev, An informative dossier.
=
  By FeelTheBurn Udmncrmnl

  Version
=
  Revision #1

  Purpose
=
  You can edit this document and submit it back as a new revision.

  An effort by community citizens to expose this person. If you 
have any helpful knowledge about weev (even general) and have 
something to add, please reply with any editions.

  Abstract
=
I noticed seclists.org was taking down information relating to the 
doxing of Andrew Auernheimer. 
  - Original post 
http://seclists.org/fulldisclosure/2009/Oct/0013.html
  - Mirror (http://www.webcitation.org/5kD6O0OEd) 

  Andrew is a troll in his early 20's who has hacked into various 
websites, harasses innocent people and companies, and actually 
dropped dox on this very list. Some of his victims (Which are on a 
list too long for even his associates to remember in entirity) 
consist of Rob Levin, Rich Kyanka's (lowtax) and Kathy Sierra's 
identity theft. Also, at the request of Girlvinyl (Sherrod 
DeGrippo) weev was able to nail Randi Harper (freebsdgirl) to the 
wall, still hocking up her name on google to this day.

  Andrew wants glory. He wants to be in the news. His remedy for 
distracting attention from his own flaws and ironies is the age-old 
blame it on the jews.

  For him, he doesn't try to use it in a sarcastic way, merely 
pointing out absurb anti-semitism exists, he uses in this way to 
say something so extreme any attempt of criticizing him stops.

  In general, a puppy that wants love, but apparently can't be 
fixed. A Michael Crook.

  Real Identity
=
  - First name: Andrew
  - Last name: Auernheimer (mispelled as Aurenheimer sometimes)
  - Middle name: Alan Escher
  - Full name: Andrew Alan Escher Auernheimer

  DOB
=
  We need this!

  Past schools
=
  We need this!

  Known address
=
  Family
  2038 W Grace St
  Richmond, VA 23220 

  Criminal / 0day / Spam / Scam
  PO Box 61359 
  Sunnyvale, CA 94088

  San Francisco, Los Angeles areas of California

  You can google his PO Box address (where he does biz from) and 
see complaints about fraud.

  Known Aliases
=
  - Weev
  - Wbeelsoi
  - Uchiha Weevlos
  - Weevlar
  - Andrew wbeelsoi
  - Andrew weevlos
  - The iProhet
  - TheiProphet
  - The-iProphet

  Known Affiliations
=
  - Bantown
  - Buttes
  - EFnet #down
  - SASS (Something Awful Sycophant Squad)
  - Encyclopedia Dramatica
  - SealPac

  Known Enemies
=
  Organizations:
  - Something Awful
  - FBI
  - JDL
  - Possibly banks
  - Any law enforcement agency he knows him
  - Any jewish civil rights group that knows him

  (Know more? http://tips.fbi.gov)

  Name:
  - Dennis Fetcho
  - Kathy Sierra
  - Rob Levin
  - Richard Kyanka (lowtax)
  - FreeBSDGirl

  Known business affiliations
=
  Sealpac. Richmond, VA

  Photo
=
  - 
http://img.waffleimages.com/239fb622e4e5188627f39af8045575a70182f8c7
/569px-Internet_business.jpg / 
http://img8.imageshack.us/img8/7586/569pxinternetbusiness.jpg / 
http://imgur.com/V5hkG.jpg 

Known publicity stunts
=
  - Toorcon2111, Cybercrime
  Full URL: http://video.google.com/videoplay?docid=-
5643217366887354926ei=iOzHSvzBOpbWrQKvlu2KDgq=andrew+wbeelsoi
  TinyURL: http://tinyurl.com/auernheimercrime
  - LiveJournal hacking
  - NYTimes Mawebulence Expose
  Full URL: http://www.nytimes.com/2008/08/03/magazine/03trolls-
t.html?_r=1hporef=slogin
  Tiny URL: http://tinyurl.com/auernheimernytimes
  - He is also taking credit for Amazon hack of 2009. However this 
has not been confirmed
  - Corrupt: www.corrupt.org/act/interviews/weev
  - Public naming by JewishReview
  Full URL: http://www.jewishreview.org/local/Police-question-
two-men-about-threats-to-Jewish-community
  TinyURL: http://tinyurl.com/auernheimer
  Archival: http://www.webcitation.org/5jnPBPyHG 
  Family
===
  Phone number: (804) 355-2889

  Mother
- Name: Catherine Auernheimer
- Affiilations: Richmond PTA, Democratic Party
- Alias: Alyse
- Photograph: http://imgur.com/AQpSd.jpg / 
(http://img19.imageshack.us/img19/1967/aqpsd.jpg) / 
(http://img.waffleimages.com/41c1f9036d350871dbedf177ffd1109cf3bc6ab
8/aqpsd.jpg) / (http://hosting11.imagecross.com/image-hosting-th-
16/953aqpsd.jpg) / 
(http://www.freeimagehosting.net/uploads/af64fe986f.jpg) / 
(http://www.uploadgeek.com/thumb-CA81_4AC55843.jpg) / 
(http://www.imagehuge.com/out.php/t16155_aqpsd.jpg) / 
(http://images.imagenonline.com/img_a190867.jpg) / 
(http://www.desiupload.com/out.php/t325733_aqpsd.jpg) 

  Father
- Name: Mark Auernheimer
- Affiliations: SealPac
- Photograph: http://imgur.com/CEaNX.jpg / 

Re: [Full-disclosure] Weev, AKA Andrew Auernheimer [ Fullinfo Doc(TM) revision #1]

2009-10-03 Thread TheLearner
Ah, pardon then. Didn't mean to insult the intelligence community.

On Sun, 04 Oct 2009 01:53:43 + full-censors...@hushmail.com 
wrote:
TheLearner mrxisapl...@hush.com wrote:
  Andrew is a troll in his early 20's who has hacked into various
 websites, harasses innocent people and companies

Have you never had a parking ticket or a telling off by the school
mistress for smoking pot behind the bike shed?

There are criminals everywhere, who do *bad* things, you trying to
appeal to the FBI on an international mailing list, where the main
concern is *cyber terrorism* isn't the way to go.

If you have a complaint about this stuff contact your local law 
enforcement office.

Nobody gives a fuck here, we're all counter-terrorism folks.



Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-03 Thread Freddie Vicious
Yeah, that's pretty obvious that there's one way or another to bypass DEP and
ASLR, but if you choose not to share it and don't have anything useful to say,
it'll be better not to say anything.

On Thu, Oct 1, 2009 at 12:55 PM, Berend-Jan Wever berendjanwe...@gmail.com wrote:

 FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
 moment.

 Cheers,

 SkyLined

 Berend-Jan Wever berendjanwe...@gmail.com
 http://skypher.com/SkyLined




 On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious fred.vici...@gmail.com wrote:

   Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
 DEP/ASLR there... But as you said, so far there's no known catch-all
 technique against IE8.
 Along with other security features (
 http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
 this basically means that IE8 is the most secure web browser nowadays?

 On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott jared.dem...@harris.com wrote:

 I'm not aware of any catch-all technique just for IE8, though there are
 a few common ones like return oriented programming.  Application
 specific techniques are also common when third party extensions are
 involved.

 --
 __
 Jared D. DeMott
 Principal Security Researcher




 --
 Best wishes,
 Freddie Vicious
 http://twitter.com/viciousf

-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

[Full-disclosure] n3td3v mentioned in a book?

2009-10-03 Thread full-censorship
if this guy is mentioned in a book and we banned him?

http://f0rb1dd3n.com/links.php

i'm calling for a serious review of whats going on with the ban 
list.