Re: [Full-disclosure] [gif2png] long filename Buffer Overrun

2009-12-15 Thread Razuel Akaharnath
lol... sadly that was not my intention and I basically had no idea about a
bug report and a patched upstream version in Debian, as I am not a Debian user.

peace


On Tue, Dec 15, 2009 at 1:29 AM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:

> On Mon, Dec 14, 2009 at 6:14 AM, Razuel Akaharnath raz...@gmail.com wrote:
>
>> Oh I see, Funny... this needs to be brought in notice of the original
>> creator to fix the upstream version.
>
> Posting other people's bugs for fame! HAHAHAHAHAHAHA.
>
> Love your tekneeqz!
>
> --
> ciao
>
> JT



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if dns pre-fetching is enabled

2009-12-15 Thread Milan Berger
>> Google Chrome ... DNS ... sent to the system's configured DNS cache.
> that is why #1 at top of big red WARNING box about using Tor properly
> says: https://www.torproject.org/download.html.en#Warning
> 1. Tor only protects Internet applications that are configured to
> send their traffic through Tor — it doesn't magically anonymize all
> your traffic just because you install it. We recommend you use Firefox
> with the Torbutton extension.
>
> the only way to avoid DNS leaks despite most application configuration
> is a transparent Tor proxy that intercepts all DNS and TCP at the
> network layer and performs a redirect to the Tor Tcp and DNS Ports.
> (see man page.)

Bullshit.
Tor proxies are
a) not the best way
b) many apps like firefox enable using proxy for dns as well as other
connections.

-- 
Kind Regards

Milan Berger
Project-Mindstorm Technical Engineer

--
project-mindstorm.net
Humboldtstrasse 69
90459 Nuremberg
Germany

Tel.: +49 911 27 56 381
Mob.: +49 176 22 98 76 02


http://www.project-mindstorm.net
http://www.digital-bit.ch

twitter: http://twitter.com/twit4c



[Full-disclosure] [scip-Advisory 4063] PasswordManager Pro 6.1 Script Injection Vulnerability

2009-12-15 Thread Stefan Friedli
PasswordManager Pro 6.1 Script Injection Vulnerability
scip AG Vulnerability ID 4063 (12/15/2009)
http://www.scip.ch/?vuldb.4063


I. INTRODUCTION

Password Manager Pro is a secure vault for storing and managing shared
sensitive information such as passwords, documents and digital
identities of enterprises. 

More information is available on the official product web site at the
following URL[1]:

http://www.manageengine.com/products/passwordmanagerpro/


II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The processing method for the search function fails to perform proper
input validation on the data that is being submitted via HTTP GET. The
parameter searchtext lacks validation and is therefore vulnerable to
script injection. While there is a basic input filtering method in
place, it fails to detect more advanced (e.g. encoded) payloads.
Other parts of the application might be affected too.

This vulnerability has been tested on version 6.1, other versions might
be affected as well.


III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does check for certain patterns and prevents an attacker
from using simple exploit strings containing substrings like "script",
"javascript", "alert" or similar. However, we consider this to be an
imperfect mechanism that is unable to prevent an attack using a more
sophisticated payload. For a selection, you might want to check RSnake's
popular XSS Cheat Sheet[2], which contains several patterns not detected
by the filter in place, allowing you to execute any arbitrary,
externally hosted payload.

Exploitation can be performed using any medium that is able to perform a
GET request. Under certain circumstances, it is even possible to attack
unauthenticated users, as the payload will be kept in the user's session
until authentication data has been entered.

We exploited the vulnerability for a customer in order to prove the
possibility of capturing usernames and passwords. One of the possibilities
mentioned above is to embed a remote Flash file and grant it the
permission to execute script code.


IV. IMPACT

Impact of the vulnerability depends on the stored data. PMP is often
used for corporate password management and contains highly sensitive
information. Therefore, a high amount of damage might be caused by
successful exploitation and follow-up attacks.


V. DETECTION

Detection of web-based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to form an HTML tag.
In some cases single (') or double quotes (") are required to inject the
code into a given HTML statement. Some implementations of security systems
also look for well-known attack tags like <script> and attack attributes
like onMouseOver. However, these are usually not capable of identifying
highly optimized payloads.


VI. SOLUTION

Move to version 6104 or later:
http://forums.manageengine.com/#Topic/4903740390

VII. VENDOR RESPONSE

The issue is due to the filter applying case sensitive checks to the
attack strings and the situation of such a string with different cases
of characters was not handled. (09.12.2009; ManageEngine)
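The filter weakness described in sections II, III and VII, beside the output encoding that removes the need for such a filter and the delimiter-based detection of section V, as an added example that is not part of the scip advisory and not the vendor's code; the function names and sample inputs are constructed:

```python
import html
import re
from urllib.parse import unquote

# Constructed illustration, not the vendor's code: the advisory names
# "script", "javascript" and "alert" as the substrings the filter looked for,
# and the vendor response says the comparison was case-sensitive.
BLACKLIST = ("script", "javascript", "alert")


def blacklist_allows(searchtext: str, case_sensitive: bool = True) -> bool:
    """Emulate a substring blacklist on the searchtext parameter.

    Returns True when the input would be let through.  With
    case_sensitive=True this is the behaviour the vendor response describes:
    an input that differs from a blacklisted word only in letter case is not
    recognised.  Case folding closes that one gap but it is still a blacklist
    and says nothing about payloads that avoid these words entirely."""
    haystack = searchtext if case_sensitive else searchtext.lower()
    return not any(term in haystack for term in BLACKLIST)


def render_results_heading(searchtext: str) -> str:
    """Reflect the search term into an HTML text node safely.

    Contextual output encoding makes the filter question moot: the
    delimiters < > " ' & can no longer close the text node or start a tag,
    whatever the letter case or wording of the input."""
    return "<p>Results for: %s</p>" % html.escape(searchtext, quote=True)


# Detection side (section V of the advisory): a GET parameter that is meant
# to hold a search term has no business carrying tag or attribute delimiters.
TAG_OR_QUOTE = re.compile(r"""[<>"']""")


def flag_request(query_params: dict) -> list:
    """Return the names of parameters whose value contains HTML delimiters.

    Meant for a reverse proxy or IDS rule.  The value is percent-decoded once
    more before matching so that encoded delimiters are seen as well; matching
    the raw query string would miss exactly the payloads the filter missed."""
    return [name for name, value in query_params.items()
            if TAG_OR_QUOTE.search(unquote(value))]


if __name__ == "__main__":
    for probe in ("<script>", "<SCRIPT>"):
        print(probe, "allowed by case-sensitive filter:", blacklist_allows(probe))
    print(render_results_heading("<SCRIPT>"))
    print(flag_request({"searchtext": "%3CSCRIPT%3E", "page": "1"}))
```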


VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/?vuldb.4063


IX. DISCLOSURE TIMELINE

2009/09/28 Identification of the vulnerability
2009/10/-- ManageEngine supplies hotfix for affected customer
2009/12/07 scip AG starts public disclosure process by informing
ManageEngine
2009/12/07 ManageEngine acknowledges vulnerability and disclosure
timeline
2009/12/09 ManageEngine announces patch within 5 days, sends official
vendor response statement
2009/12/15 ManageEngine releases official patch
2009/12/15 scip AG releases public advisory


X. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

Stefan Friedli, scip AG, Zuerich, Switzerland
stfr-at-scip.ch
http://www.scip.ch/


A1. BIBLIOGRAPHY

[1] PMP Official Vendor Information, ManageEngine
http://www.manageengine.com/products/passwordmanagerpro/

[2] PMP Update
http://forums.manageengine.com/#Topic/4903740390


A2. LEGAL NOTICES

Copyright (c) 2002-2009 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or

[Full-disclosure] Trango Broadband Wireless Rogue SU Authentication Bug

2009-12-15 Thread Blair
--

Trango Broadband Wireless
M5830 Series Rogue SU Authentication Bug
Date : 15 December, 2009
By: Blair - jedibl...@gmail.com

--

Background
--

Trango Broadband (www.trangobroadband.com) produce a line of unlicensed
5.3/5.8 GHz point-to-multipoint broadband wireless radios which are used
by many wireless ISPs around the world to provide internet and private
office services to hard-to-reach customers.

Currently there is a flaw in the authentication mechanism of these radios
which, if an attacker knows some details, can allow interception of
ethernet packets broadcast from the Access Point to the Subscriber Unit
and potentially allows injection into the communication from the Subscriber Unit
to the Access Point.

There are two parts to the 5830 series radio system, an Access Point and
a Subscriber Unit. Access Points are generally deployed at a radio tower
or smaller repeater sites, and the Subscriber Units on a client's building.
The radios are designed to be mounted externally, and have a single
ethernet feed and integrated antenna.

These radios are straight ethernet bridges; there is no routing
functionality built in to the radio software, which adds to the ease of
exploitation.

This attack focuses on the Subscriber Unit (SU) end, however, if one knows
the correct information, one could potentially configure a rogue Access
Point and MiTM a target as well, though this is not the topic of this
advisory.

The Problem
---

The Access5830 series of radios contains a flaw in the authentication of
subscriber units. This flaw has been fixed with the 900 MHz and 2.4 GHz
products, whereby the APID and SUID system has changed significantly,
and the SU units are assigned an ID when they connect, only if their
MAC is in the SUDB. Trango has neglected to bring this functionality
to the older 5800 series radios, nor have they introduced new hardware
implementing this functionality in the 5.8 GHz spectrum.

When a new subscriber is added, the MAC address of their SU device is
entered into the Subscriber Database (SUDB) on the Access Point, and they
are assigned an arbitrary numeric Subscriber ID or SUID in the range of
1-8190 by the Administrator. This SUID is configured on the SU device,
along with the APID and BaseID of the Access Point.  For most situations,
the APID and BaseID are the same.

The bug lies in the synchronization of any SU in the SUDB by the AP.
Once an SU has been synchronized to the AP with the correct MAC
address, any further attempts by another SU of the same SUID but with
a different MAC address to synchronize will succeed.

When configuring and mounting an SU, you can do a frequency scan (site
survey) from the unit, which will display the available access points
in the area, along with their APID and BaseID - this is the information
you will need to exploit the Trango network in the area.

The Exploit
---

To carry out this exploit you need to have an SU which is capable of
connecting to the 5800 or 5830 AP. This would generally be a 5800 or
5830 SU-I or SU-EXT, or one of the smaller FOX 5800 SU, or the newer FOX
5580M-FSU - these can be found readily either buying direct from Trango,
or from a number of wireless systems resellers. Probably good if this is
the same type of unit as the target, though not required.

The information you need to enter into the SU is based on whatever you
have found via the site survey information - apsearch and survey commands
on the radio's CLI. The full command listing and user guide can be
downloaded from the Trango website.

To carry out the attack, you would need to find line-of-sight and have
good signal strength (between -40 and -80 dBm) to the target AP, and
have knowledge of an SUID which is already connected, or try random
numbers until you find one which works - most providers have quite a
number of subscribers per AP so this should not be hard. Many providers
will physically mark their SUs with the SUID and APID with a permanent
marker, so if you have physical access to a connected SU, finding this
information is probably trivial.

Once you have configured the SU with the BaseID, APID and SUID and
verified signal strength, you simply turn opmode on, and your rogue SU
will authenticate regardless of whether its MAC is in the SUDB or not.

Once synchronized, you will start to receive traffic to the ethernet
port of the radio as if it were the target unit. Because the unit is a
simple bridge, you can look at this traffic with a packet capture utility
such as Wireshark or tcpdump. Depending on signal strength, the target may
or may not notice any loss of service or packet loss. It may be possible
to inject packets to the network from a computer behind the rogue SUID,
depending on the configuration of the switching and/or routing at the far
end.

Vendor Response
---

I contacted Trango 

Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if dns pre-fetching is enabled

2009-12-15 Thread Valdis . Kletnieks
On Tue, 15 Dec 2009 10:14:31 +0100, Milan Berger said:

>> the only way to avoid DNS leaks despite most application configuration
>> is a transparent Tor proxy that intercepts all DNS and TCP at the
>> network layer and performs a redirect to the Tor Tcp and DNS Ports.
>> (see man page.)
>
> Bullshit.
> Tor proxies are
> a) not the best way
> b) many apps like firefox enable using proxy for dns as well as other
> connections.

Not bullshit at all. Taking the points in reverse order:

(b) Note that 'many apps' means 'mostly avoid', not 'totally avoid'.  You run
any app that's not DNS-proxy aware, you just leaked and whoever you're using
Tor to avoid is now potentially pounding on your door. Sure, the difference
doesn't matter if you're using Tor to be a cool wanker. But if you're using
Tor because it *matters*, '98% of apps get it right themselves' is a big
*fail*. You really want to enforce 100% correctness whether the app is
correct or not. (Stated in another way - sometimes DAC just doesn't cut
it, and you really *do* want the added complication of MAC).

(a) If you have a better way than a Tor proxy to avoid DNS leaks from
programs that don't DNS-proxy themselves, feel free to actually *tell*
us what it is, rather than just babble they aren't the best way. Given
you got the *other* point totally wrong, we have no reason to believe a
content-free 'not the best way' unless you actually have an evaluatable
statement like 'XYZ is better'.


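What "DNS-proxy aware" means at the wire level, as an added example that is not from any post in this thread and not Tor's, Chrome's or Firefox's code: a SOCKS5 CONNECT request (RFC 1928) that hands the hostname to the proxy with address type 0x03, so the proxy resolves the name, beside the leaky pattern of resolving locally and sending only the resulting IP. Function names and the stub resolver used in the usage are assumptions.

```python
import ipaddress
import socket
import struct

# Constructed illustration of the two ways a SOCKS5 client can name its
# destination. Only the first keeps DNS inside the proxy tunnel.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def socks5_greeting() -> bytes:
    """Version identifier / method selection: offer only NO AUTHENTICATION."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request.

    A hostname is sent verbatim as a DOMAINNAME address (ATYP 0x03): the
    proxy performs the lookup, and no DNS query leaves the client.  An IP
    literal is sent as IPv4/IPv6, which involves no resolution either."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def leaky_connect_request(host: str, port: int, resolve=socket.gethostbyname) -> bytes:
    """The pattern the thread warns about: the application resolves the name
    with the system resolver first (a DNS query outside the proxy) and only
    then asks the proxy to connect to the resulting address.  The proxy never
    sees the hostname, so it cannot stop the leak."""
    ip = resolve(host)  # this lookup is the leak
    return socks5_connect_request(ip, port)


def parse_socks5_reply(data: bytes) -> int:
    """Return the REP field of a SOCKS5 reply (0x00 means succeeded)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


if __name__ == "__main__":
    # Stub resolver so the demonstration runs offline and shows the contrast.
    stub = lambda name: "10.0.0.1"  # constructed address
    print("proxy resolves:", socks5_connect_request("example.com", 443).hex())
    print("client resolves (leaks):",
          leaky_connect_request("example.com", 443, resolve=stub).hex())
```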

Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if dns pre-fetching is enabled

2009-12-15 Thread Milan Berger
Hi Vlad,

first at all, send to the list please not to me personally and list in
cc.

> (a) If you have a better way than a Tor proxy to avoid DNS leaks from
> programs that don't DNS-proxy themselves, feel free to actually *tell*
> us what it is, rather than just babble they aren't the best way.
> Given you got the *other* point totally wrong, we have no reason to
> believe a content-free 'not the best way' unless you actually have an
> evaluatable statement like 'XYZ is better'.

I think there are better ways than TOR; this is what I actually said.
'not the best way' meant TOR. Hope this explains it much better.


-- 
Kind Regards

Milan Berger
Project-Mindstorm Technical Engineer

--
project-mindstorm.net
Humboldtstrasse 69
90459 Nuremberg
Germany

Tel.: +49 911 27 56 381
Mob.: +49 176 22 98 76 02


http://www.project-mindstorm.net
http://www.digital-bit.ch

twitter: http://twitter.com/twit4c



Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if dns pre-fetching is enabled

2009-12-15 Thread dramacrat
> first at all, send to the list please not to me personally and list in
> cc.

Ignoring the grammar, that's exactly what you just did. And what I just
did, because that's default client behavior on a Reply-To-All.

2009/12/16 Milan Berger m.ber...@project-mindstorm.net

> Hi Vlad,
>
> first at all, send to the list please not to me personally and list in
> cc.
>
>> (a) If you have a better way than a Tor proxy to avoid DNS leaks from
>> programs that don't DNS-proxy themselves, feel free to actually *tell*
>> us what it is, rather than just babble they aren't the best way.
>> Given you got the *other* point totally wrong, we have no reason to
>> believe a content-free 'not the best way' unless you actually have an
>> evaluatable statement like 'XYZ is better'.
>
> I think there are better ways than TOR this is what I actually said.
> 'not the best way' meant TOR. Hope this explains it much better.



[Full-disclosure] [SECURITY] [DSA 1951-1] New firefox-sage packages fix insufficient input sanitizing

2009-12-15 Thread Steffen Joeris

--------------------------------------------------------------------------
Debian Security Advisory DSA-1951-1                   secur...@debian.org
http://www.debian.org/security/                            Steffen Joeris
December 15, 2009                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: firefox-sage
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-4102
Debian Bug : 559267

It was discovered that firefox-sage, a lightweight RSS and Atom feed
reader for Firefox, does not sanitise the RSS feed information
correctly, which makes it prone to a cross-site scripting and a
cross-domain scripting attack.


For the stable distribution (lenny), this problem has been fixed in
version 1.4.2-0.1+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.3.6-4etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.4.3-3.


We recommend that you upgrade your firefox-sage packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.



  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



[Full-disclosure] [SECURITY] [DSA 1952-1] New asterisk packages fix several vulnerabilities

2009-12-15 Thread Steffen Joeris

--------------------------------------------------------------------------
Debian Security Advisory DSA-1952-1                   secur...@debian.org
http://www.debian.org/security/                            Steffen Joeris
December 15, 2009                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: asterisk   
Vulnerability  : several vulnerabilities
Problem type   : remote 
Debian-specific: no 
CVE ID : CVE-2009-0041 CVE-2008-3903 CVE-2009-3727 CVE-2008-7220 
CVE-2009-4055 CVE-2007-2383
Debian Bug : 513413 522528 554487 554486 559103 



Several vulnerabilities have been discovered in asterisk, an Open Source
PBX and telephony toolkit. The Common Vulnerabilities and Exposures 
project identifies the following problems:  

CVE-2009-0041

It is possible to determine valid login names via probing, due to the
IAX2 response from asterisk (AST-2009-001).

CVE-2008-3903

It is possible to determine a valid SIP username, when Digest
authentication and authalwaysreject are enabled (AST-2009-003).

CVE-2009-3727

It is possible to determine a valid SIP username via multiple crafted
REGISTER messages (AST-2009-008).

CVE-2008-7220 CVE-2007-2383

It was discovered that asterisk contains an obsolete copy of the
Prototype JavaScript framework, which is vulnerable to several security
issues. This copy is unused and now removed from asterisk
(AST-2009-009).

CVE-2009-4055

It was discovered that it is possible to perform a denial of service
attack via an RTP comfort noise payload with a long data length
(AST-2009-010).


For the stable distribution (lenny), these problems have been fixed in
version 1:1.4.21.2~dfsg-3+lenny1.

The security support for asterisk in the oldstable distribution (etch)
has been discontinued before the end of the regular Etch security
maintenance life cycle. You are strongly encouraged to upgrade to
stable.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1:1.6.2.0~rc7-1.


We recommend that you upgrade your asterisk packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

[Full-disclosure] Global warming - it's all about the money

2009-12-15 Thread Paul Schmehl
http://www.wnd.com/index.php?fa=PAGE.viewpageId=118953

Businesses hold world hostage over carbon credits
Even U.N. climate chief tied to new, 'green' extortion scam

It was never about the climate.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead. Thomas Jefferson



[Full-disclosure] CarolinaCon-VI/2010 - Call for Papers/Speakers

2009-12-15 Thread Vic Vandal
InfoSec professionals, h4x0rs, script kidz, posers, and government spies:

CarolinaCon is back yet again!  Yes, for about the price of your average
movie admission with popcorn and a drink, YOU are invited to join us for
yet another intimate and informative weekend of technology education.


What is this CarolinaCon?

CarolinaCon is an annual Technology Conference whose mission/purpose is 
to;
- Enhance local and global awareness of current technology issues and
developments,
- Provide affordable technology education sessions to the unwashed masses,
- Deliver varied/informative/interesting presentations on a wide variety
of InfoSec/hacking/technology/science topics, and
- Mix in enough entertainment and side contests/challenges to make for a
truly fun event


When/Where is CarolinaCon?

This year's event will be held on the weekend of March 19th-21st, 2010.
The event will mostly occur at a Holiday Inn in Raleigh, NC.  Raleigh is 
about 30 minutes from Durham, Chapel Hill, and Research Triangle Park.


Who develops/delivers CarolinaCon?

CarolinaCon is proudly brought to you by The CarolinaCon Group.  The
CarolinaCon Group is a non-profit organization registered in the state of
NC, dedicated to educating the local and global communities about
technology, information/network/computer security, and information rights.
The CarolinaCon Group is also closely associated with various 2600
chapters across NC, SC, TN, VA, LA, DC, and NY.  Many of the volunteers 
who help develop and deliver CarolinaCon come from those chapters.


What events will be at CarolinaCon?

CarolinaCon is mainly about the talks/presentations/demos.  Alongside of
those we'll surely have several other technology-related 
contests/challenges, as we've had in past years.  Details on other events 
will be announced soon.


Who will be presenting which topics this year?

That's where YOU possibly come in.  If you are somewhat knowledgeable in
some interesting field of technology, hacking, science, etc., and are
interested in speaking/presenting at CarolinaCon, we invite you to submit
your proposal (in brief) for our review.  If you're interested in
presenting please send;
- your name or handle,
- the topic/presentation name,
- estimated time-length of presentation, and
- a brief topic abstract
via e-mail to:
speakers at carolinacon.org

*NOTE: All submissions are due BY January 29, 2010!  Please be timely in 
submission if you're committed to being part of the elite cadre of 
presenters.  We value diversity, so please don't hesitate to propose your 
ideas no matter how outlandish.

Unfortunately as a non-profit dedicated to affordable education (our 
admission cost is still holding tight at $20), we've made very little 
profit each of the past years and are still trying to invest in the basic 
A-V gear needed to put on the event.  So we can't afford to pay anyone to 
speak nor cover any related expenses yet (sorry).

However if you do speak at the Con, you will receive;
- free Con admission for you and one guest,
- a free Con t-shirt,
- minimal fame, glory, and possibly notoriety, and
- mad props from our staff and attendees


I'm excited and I want to present!  What do I do now?

If you're interested in speaking, send the 411 requested to:
speakers at carolinacon.org
(BY/BEFORE January 29th 2010)

And if you're interested in attending, watch this space for more details:
www.carolinacon.org
...and don't forget to mark the dates on your calendar!

Peace,
Vic



[Full-disclosure] [ MDVSA-2009:333 ] postgresql

2009-12-15 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2009:333
 http://www.mandriva.com/security/
 ___

 Package : postgresql
 Date: December 15, 2009
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 3.0, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in postgresql:
 
 NULL Bytes in SSL Certificates can be used to falsify client or server
 authentication. This only affects users who have SSL enabled, perform
 certificate name validation or client certificate authentication,
 and where the Certificate Authority (CA) has been tricked into
 issuing invalid certificates. The use of a CA that can be trusted to
 always issue valid certificates is recommended to ensure you are not
 vulnerable to this issue (CVE-2009-4034).
 
 Privilege escalation via changing session state in an index
 function. This closes a corner case related to vulnerabilities
 CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136).
 
 Packages for 2008.0 are being provided due to extended support for
 Corporate products.
 
 This update provides a solution to these vulnerabilities.
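The CVE-2009-4034 failure mode, as an added illustration that is not PostgreSQL's code and not part of the Mandriva advisory: a certificate name taken from a DER string keeps its declared length, so an embedded NUL survives parsing but truncates a C-string comparison. Function names and the sample name are constructed.

```python
# Constructed illustration of NUL bytes in certificate names.  The name in
# an X.509 certificate is an ASN.1 string with an explicit length, so it may
# contain 0x00; code that later treats it as a NUL-terminated C string sees
# only the part before the first NUL.
NUL = b"\x00"


def der_string_value(tlv: bytes) -> bytes:
    """Extract the value of a DER string TLV (UTF8String 0x0C, PrintableString
    0x13, IA5String 0x16).  Short-form length only, which covers names up to
    127 bytes.  Any NUL inside the declared length is returned as data."""
    if len(tlv) < 2 or tlv[0] not in (0x0C, 0x13, 0x16):
        raise ValueError("not a DER string")
    length = tlv[1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    if len(tlv) != 2 + length:
        raise ValueError("declared length does not match the data")
    return tlv[2:]


def name_matches_vulnerable(cn: bytes, expected: str) -> bool:
    """strcmp()-style comparison: everything after the first NUL is ignored.

    A CA that could be talked into issuing a certificate whose name is
    'good.example' NUL 'attacker.example' to the holder of attacker.example
    would have that certificate accepted here for good.example."""
    as_c_string = cn.split(NUL, 1)[0]
    return as_c_string.lower() == expected.lower().encode()


def name_matches_fixed(cn: bytes, expected: str) -> bool:
    """Compare over the full declared length: a NUL anywhere in the name is a
    malformed certificate and never matches; otherwise compare the whole
    value case-insensitively, as DNS names are."""
    if not cn or NUL in cn:
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    return name.lower() == expected.lower()


def verify_peer(cn: bytes, expected: str) -> str:
    """Classify the outcome for logging: 'ok', 'embedded-nul' or 'mismatch'.
    Logging the embedded-NUL case separately is what makes the attempt
    visible, since a plain mismatch looks like an ordinary misconfiguration."""
    if NUL in cn:
        return "embedded-nul"
    return "ok" if name_matches_fixed(cn, expected) else "mismatch"


if __name__ == "__main__":
    # Constructed name: 12 bytes "good.example", a NUL, 16 bytes
    # "attacker.example" = 29 bytes, so the DER length byte is 0x1d.
    crafted = der_string_value(b"\x0c\x1dgood.example\x00attacker.example")
    print("vulnerable check:", name_matches_vulnerable(crafted, "good.example"))
    print("fixed check:     ", name_matches_fixed(crafted, "good.example"))
    print("verdict:         ", verify_peer(crafted, "good.example"))
```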
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4034
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4136
 http://www.postgresql.org/support/security
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 7a4134b7ab1675be4c53ff6b4922d7e0  2008.0/i586/libecpg5-8.2.15-0.1mdv2008.0.i586.rpm
 b8fe1351d19899fbca1a67929b0b4be7  2008.0/i586/libecpg-devel-8.2.15-0.1mdv2008.0.i586.rpm
 e86a98de348ba90bc6a1f16f02daa6e1  2008.0/i586/libpq5-8.2.15-0.1mdv2008.0.i586.rpm
 551363cff118bee0b87dd827dddce669  2008.0/i586/libpq-devel-8.2.15-0.1mdv2008.0.i586.rpm
 ef3c1b9a831fedf1399f8b72cd65f748  2008.0/i586/postgresql-8.2.15-0.1mdv2008.0.i586.rpm
 d308631e61cd6236e40827b78c9c2951  2008.0/i586/postgresql8.2-8.2.15-0.1mdv2008.0.i586.rpm
 f8e97d697f69e43dc4bb2a96e64600cd  2008.0/i586/postgresql8.2-contrib-8.2.15-0.1mdv2008.0.i586.rpm
 863015525b015c812f963a2af63fc7dd  2008.0/i586/postgresql8.2-devel-8.2.15-0.1mdv2008.0.i586.rpm
 6340e0530e254732d654d8f6211d5198  2008.0/i586/postgresql8.2-docs-8.2.15-0.1mdv2008.0.i586.rpm
 e098dee5477edb0b7549b65ddb440cb5  2008.0/i586/postgresql8.2-pl-8.2.15-0.1mdv2008.0.i586.rpm
 05cda82443737a12c7c8c3622e762618  2008.0/i586/postgresql8.2-plperl-8.2.15-0.1mdv2008.0.i586.rpm
 6a66bc2cc80538a4db3e44ca97740a7f  2008.0/i586/postgresql8.2-plpgsql-8.2.15-0.1mdv2008.0.i586.rpm
 d01866d6fa8d18865e8f47744d0053bd  2008.0/i586/postgresql8.2-plpython-8.2.15-0.1mdv2008.0.i586.rpm
 0e250c776673c8595ed4f57194ceff15  2008.0/i586/postgresql8.2-pltcl-8.2.15-0.1mdv2008.0.i586.rpm
 f69196c2af80f25abaae6cdb5273a985  2008.0/i586/postgresql8.2-server-8.2.15-0.1mdv2008.0.i586.rpm
 5c96b2bdfdb5f4b23280de184d76bb4c  2008.0/i586/postgresql8.2-test-8.2.15-0.1mdv2008.0.i586.rpm
 6c203c33bef69b8f676d1acd782d3526  2008.0/i586/postgresql-devel-8.2.15-0.1mdv2008.0.i586.rpm
 37b86e7869ce8ef7621eb5f2fbeb9804  2008.0/SRPMS/postgresql8.2-8.2.15-0.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 ef654ee6768a32df7021cb7c1b95151d  2008.0/x86_64/lib64ecpg5-8.2.15-0.1mdv2008.0.x86_64.rpm
 4272c2616fce89a650e102effb3e2427  2008.0/x86_64/lib64ecpg-devel-8.2.15-0.1mdv2008.0.x86_64.rpm
 a45cc8104b4758913384375c6f9d993b  2008.0/x86_64/lib64pq5-8.2.15-0.1mdv2008.0.x86_64.rpm
 a5beab729e5e4c04374f44b8ed0e7c0d  2008.0/x86_64/lib64pq-devel-8.2.15-0.1mdv2008.0.x86_64.rpm
 bc9a43e16b3fe38c26011f76e6e796ea  2008.0/x86_64/postgresql-8.2.15-0.1mdv2008.0.x86_64.rpm
 632cc2bd4f2d099de6f18cc5a4ed28b9  2008.0/x86_64/postgresql8.2-8.2.15-0.1mdv2008.0.x86_64.rpm
 da76130aeaec4d962904ed0c2c566c63  2008.0/x86_64/postgresql8.2-contrib-8.2.15-0.1mdv2008.0.x86_64.rpm
 9061e32e63cc8dfc68a393dc986b6b92  2008.0/x86_64/postgresql8.2-devel-8.2.15-0.1mdv2008.0.x86_64.rpm
 2d88f5b268d6661771fd76eccbca7f82  2008.0/x86_64/postgresql8.2-docs-8.2.15-0.1mdv2008.0.x86_64.rpm
 46a1f1beb87d1a3618470b5a1427b53d  2008.0/x86_64/postgresql8.2-pl-8.2.15-0.1mdv2008.0.x86_64.rpm
 a8126282c514a3b22736c6bf2d3ca570  2008.0/x86_64/postgresql8.2-plperl-8.2.15-0.1mdv2008.0.x86_64.rpm
 5aada115ff9cd3c44cd9032d88bd93c4  2008.0/x86_64/postgresql8.2-plpgsql-8.2.15-0.1mdv2008.0.x86_64.rpm
 4c9433b70a16300a304ee04b3aeb7abe  2008.0/x86_64/postgresql8.2-plpython-8.2.15-0.1mdv2008.0.x86_64.rpm
 cf01e27ebed1d7541c7dfe9fe7eaec20  2008.0/x86_64/postgresql8.2-pltcl-8.2.15-0.1mdv2008.0.x86_64.rpm
 16fe157d591066b6c7bd12ef79c78972  2008.0/x86_64/postgresql8.2-server-8.2.15-0.1mdv2008.0.x86_64.rpm
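The advisory's first item (CVE-2009-4034) is the "NUL byte in a certificate name" class of bug: DER carries an explicit length for every string, but code that copies the subject name into a C string and compares it with strcmp() stops at the first 0x00 and never sees what follows. The following is an added illustration, not code from Mandriva or PostgreSQL; it decodes a constructed DER string, shows the truncating comparison beside a length-aware one, and every name in it is made up for the demo.

```python
"""Added example (not from the advisory): the C-string truncation behind the
CVE-2009-4034 class of bug, next to a length-aware name check that is immune
to it. Every certificate name below is constructed for the demo; nothing is
read from a real certificate."""


def der_string_value(tlv: bytes) -> bytes:
    """Decode one DER string TLV (UTF8String 0x0C, PrintableString 0x13 or
    IA5String 0x16) and return its full value. DER carries an explicit
    length, so a 0x00 byte inside the value is data, not a terminator."""
    if len(tlv) < 2 or tlv[0] not in (0x0C, 0x13, 0x16):
        raise ValueError("not a DER string")
    first = tlv[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, offset = first, 2
    else:                                 # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(tlv) < 2 + n:
            raise ValueError("bad DER length")
        length = int.from_bytes(tlv[2:2 + n], "big")
        offset = 2 + n
    value = tlv[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER string")
    return value


def c_string_view(name: bytes) -> bytes:
    """Model a strcmp()/strlen()-style consumer: it sees only up to the first NUL."""
    nul = name.find(b"\x00")
    return name if nul < 0 else name[:nul]


def naive_name_match(cert_name: bytes, expected_host: bytes) -> bool:
    """The bug pattern: the DER value is copied into a C string and compared,
    so everything after an embedded NUL is silently ignored."""
    return c_string_view(cert_name).lower() == expected_host.lower()


def strict_name_match(cert_name: bytes, expected_host: bytes) -> bool:
    """Hardened check: the whole length-delimited value must be a plausible
    DNS name (printable ASCII, no NUL) and must match in its entirety."""
    if not cert_name or b"\x00" in cert_name:
        return False
    if any(b < 0x21 or b > 0x7E for b in cert_name):
        return False
    return cert_name.lower() == expected_host.lower()


# Constructed subject CN as a UTF8String TLV: a host name, a NUL byte, then a
# different domain. This is the shape the advisory describes a CA being
# tricked into signing.
_CN_BYTES = b"www.example.com\x00.attacker.test"
CONSTRUCTED_CN_TLV = b"\x0c" + bytes([len(_CN_BYTES)]) + _CN_BYTES


def demo() -> dict:
    """Run both checks against the constructed name and an honest one."""
    cn = der_string_value(CONSTRUCTED_CN_TLV)
    return {
        "decoded_len": len(cn),           # the NUL and the suffix survive DER decoding
        "naive_accepts_nul_name": naive_name_match(cn, b"www.example.com"),
        "strict_accepts_nul_name": strict_name_match(cn, b"www.example.com"),
        "strict_accepts_honest_name": strict_name_match(b"www.example.com", b"WWW.Example.COM"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of the strict variant is that it never converts the name to a C string: it keeps the DER length, rejects any NUL outright, and only then compares. That is also why the advisory's advice to use a CA that will not sign such names is a mitigation rather than a fix; the fix is in the validating code.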
 

Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outsitde of proxy if dns pre-fetching is enabled

2009-12-15 Thread nixlists
The point is besides the fact that you can configure Chrome to proxy
through Tor or anything else, Chrome is not supposed to leak DNS -
it's a bug that Firefox currently does not have, for instance. Many
users use proxies to avoid corporate and other firewalls, and to
prevent leakage of information a suppressive government will throw
them in jail for - China for instance. Tor just makes a good example.
IT IS IMPORTANT FOR UNWITTING USERS TO KNOW ABOUT THIS BUG. They may
be thinking that Chrome is safe for proxies.

The other OT issue about Chrome is of course even despite you using a
proxy the right way all the real information about you will be found
on Google's servers anyway because Chrome has a lot of hidden
information collecting eggs that Google won't talk about. The company
has decided a long time ago that privacy does not matter. And if it does
matter for you - well according to Google then you are a criminal.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outsitde of proxy if dns pre-fetching is enabled

2009-12-15 Thread Dan Kaminsky
Nix,

   Proxies are not a security technology in the way you think they are.

   Way back in the day, NAT didn't exist.  In order for large numbers of
users to share a small number of IP addresses, application layer gateways --
proxies -- needed to be written such that a backend client could ask for
connectivity through the one host on the network that had direct Internet
access.  Some of these proxies were protocol specific (HTTP, FTP, Gopher),
and some were more generic (SOCKS4/5).

   While there were toolkits that allowed transparent proxying to be loaded
into any network application -- so called socksifiers -- they were always
a little unstable and obtuse.  So any application that wanted to function in
a corporate environment eventually got proxy support built right into the
UI.

   This wasn't for security.  It was the 90's, nobody did *anything* for
security.  It was just for connectivity.

   There are some implications to this.  While the UI declares proxies MAY
be used, it doesn't actually mean they MUST be used.  More protocols than
HTTP are accessible via the web browser.  Do you think SMB uses the browser
configured proxies?  What about Flash and Java sockets?  And even if they
did use the proxies, SOCKS4 didn't even support remote DNS in its first
incarnation; that support was added unofficially in SOCKS4a and officially
in SOCKS5.  To this day, Firefox can't turn remote DNS on by default,
because so many of the proxies have buggy implementations of it.

   The TOR guys are aware of all of this, of course.  The approach they've
been working on has been to virtualize the entire network stack of the
Windows instance behind a Linux VM.  That's the only real way to prevent
leaks.  Playing whack-a-mole at the application layer is ultimately
pointless.  If you want to prevent network traffic from leaking, you really
need full access to all traffic.

--Dan
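Dan's SOCKS4 versus SOCKS4a point is concrete on the wire, and the following added example (mine, not from Dan or from any browser or Tor code) shows it: a SOCKS4 CONNECT request carries a four-byte IPv4 address, so the client has to resolve the name itself before it can even build the request, while SOCKS4a puts a 0.0.0.x marker in that field and appends the hostname for the proxy to resolve. The field layouts follow the SOCKS4 protocol description and the SOCKS4a extension note; the target names are constructed.

```python
"""Added example (not from the thread): what "remote DNS" means on the wire
for SOCKS4 versus SOCKS4a. Targets are constructed documentation addresses."""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 0x01


def socks4_request(dst_ip: str, dst_port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN, CD, DSTPORT, DSTIP, USERID, NUL.
    DSTIP must already be an IPv4 address, so a client using plain SOCKS4
    resolves the hostname locally: that lookup is the leak Dan describes."""
    return (struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port,
                        socket.inet_aton(dst_ip))
            + user_id + b"\x00")


def socks4a_request(hostname: str, dst_port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: DSTIP is 0.0.0.x with x != 0, and the hostname follows
    the USERID field, NUL-terminated. The proxy does the resolution."""
    host = hostname.encode("ascii")
    if b"\x00" in host or not host:
        raise ValueError("invalid hostname")
    return (struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port,
                        b"\x00\x00\x00\x01")
            + user_id + b"\x00" + host + b"\x00")


def parse_socks4(req: bytes) -> dict:
    """Proxy-side decode. remote_dns tells you whether the client deferred
    name resolution to the proxy (SOCKS4a) or resolved locally (SOCKS4)."""
    if len(req) < 9:
        raise ValueError("request too short")
    ver, cmd, port, ip = struct.unpack("!BBH4s", req[:8])
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS4 request")
    user_id, _, rest = req[8:].partition(b"\x00")
    is_4a = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
    out = {"cmd": cmd, "port": port, "user_id": user_id, "remote_dns": is_4a}
    if is_4a:
        host, _, _ = rest.partition(b"\x00")
        out["host"] = host.decode("ascii")
    else:
        out["host"] = socket.inet_ntoa(ip)
    return out


def needs_local_resolution(target: str) -> bool:
    """True when a plain SOCKS4 client could not send this target without a
    local DNS lookup first, i.e. it is not already an IPv4 literal."""
    try:
        socket.inet_aton(target)
        return False
    except OSError:
        return True


if __name__ == "__main__":
    print(parse_socks4(socks4_request("192.0.2.10", 80)))
    print(parse_socks4(socks4a_request("www.example.com", 443)))
```

A proxy log that records the remote_dns flag per connection is a cheap way to see which client applications are actually handing hostnames to the proxy and which are resolving on their own.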



Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outsitde of proxy if dns pre-fetching is enabled

2009-12-15 Thread nixlists
On Tue, Dec 15, 2009 at 9:39 PM, Dan Kaminsky d...@doxpara.com wrote:
 Nix,

    Proxies are not a security technology in the way you think they are.

They're not, but many still use the browsers' proxy features hoping
for more anonymity and avoidance of data sniffing. Most users are not
security experts. They are not able or are not allowed to use VPNs and
such.

 leaks.  Playing whack-a-mole at the application layer is ultimately
 pointless.  If you want to prevent network traffic from leaking, you really
 need full access to all traffic.

It's pointless from the viewpoint of a security expert, not an
everyday computer user that uses these features thinking it's harder
to sniff traffic. Application bugs like this still need to be
disclosed and fixed. No?



[Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

2009-12-15 Thread Thor (Hammer of God)
File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen


Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product: Easy File Sharing Web Server, current versions, default installation
Vendor: http://www.sharing-file.com/

Vendor Notification and Disclosure:
08/22/09: EFSW support notified of issue.
08/22/09: EFSW said it is not an issue because you can turn off direct file 
access.
08/23/09: EFSW support notified that FILES.SDB file can be directly accessed.
08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you 
can.
12/15/09: Hammer of God released full details after waiting 4 months for vendor 
to fix.

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing 
application that has been in use for years.  
It is a fast, easy to use commercial, standalone all-in-one file-sharing web 
server.  

Customers use a built-in interface to point to files they wish to publish via a 
menu-driven web application (typically full drives or directories).  Files can 
be shared anonymously, or via EFSWS's built-in user management.   EFSWS has 
built-in SSL encryption to prevent logons from being sent in the clear (as well 
as all other access).  Users log in, and are presented with a menu of files 
that have been published and that are made available for download.   

EFSWS uses the MGH Software myDB database plug-in to store db information 
such as file location, user information (password in the clear), files, forum 
information, etc.   A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Vulnerability details:
By default, EFSWS allows a user to download a file directly via a URL if the 
file name is known.  For example, if the file name posted is 
MyFileName1234.exe, then one could go directly to:
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin 
downloading the file. 

In itself, this is not a big issue as one would have to guess any given 
filename.  However, EFSWS always uses the common file name FILES.SDB to store 
all the files being published.  This file is stored in the root program 
directory.  While the EFSWS product engine filters out many file types, it does 
NOT filter out FILES.SDB.  If you know someone is running EFSWS, one simply has 
to access the following URL to anonymously download the FILES.SDB file without 
authentication:
https://www.SiteRunningEFSWS.com/files.sdb

This will download the FILES.SDB file and will allow an attacker to see every 
published file via the free viewer record by record. (You can of course view 
the db as a text file).  Entries look like this:

V:\rootDirForFiles\applications\Acronis Disk Director Suite 
10.2160\ioware-w32-x86-30.exe
D:\anotherdir\music\crystalmethod\boom.mp3

One can now access files directly by removing the drive letter and top 
directory as follows:
https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3

With the ease of database access to filenames, it is trivial to script up a 
client app to download all published files on the server without authentication 
over SSL.

Further, it is trivial to determine if someone is running EFSWS, even on an 
alternate port, by using the following Googledork:  inurl:vfolder.ghp.  There 
are other more accurate Googledorks, but I'll leave that up to the researcher.

This will show the (typically) unique file vfolder.gph results, where you can 
retrieve the full company URL from, including port number.  This too can be 
scripted.  

I am still trying different methods to access the USERS.SDB file, also in the 
root application directory, which contains all users (even administrative) and 
passwords (in the clear) in an effort to bypass any mandatory authentication 
applied, but have not found a way to gain access to this file externally yet.

Vulnerable Versions:
The current version is 5.0, released in August of this year.  While certain 
vulnerability testing took place in our Hammer of God labs in Bermuda, we were 
not able to check all versions of the software.  Self-assessment is trivial, so 
we will leave it up to the user to perform his/her own testing. 


Summary:
Many companies use EFSWS to securely publish files for access to employees, 
vendors, and customers via SSL controlled by credential logon.  By default, 
files published may be accessed anonymously if the full file name is used.  
Full filename details can be anonymously downloaded by accessing the FILES.SDB 
file, thus immediately allowing anonymous access to any file an attacker wants. 
 Note that other system files (such as logs) can also be accessed.  A 
googledork allows for searching against systems running EFSWS, thus providing a 
fully scriptable attack against all servers running this product for an 
anonymous attacker to download all files from all servers over SSL. 

Work-arounds:
Ensure that all file access requires logon. 
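The work-around above closes the hole going forward; an operator also wants to know whether it was already used. As an added example (mine, not from Hammer of God or the vendor), here is a small access-log audit for the two behaviours the advisory describes: requests for the server's own .sdb database files, and anonymous 200 responses for published files. The log lines are constructed in Common Log Format, where the remote-user field is "-" when nobody logged in, and the UI-suffix list is a heuristic assumption rather than anything documented for EFSWS.

```python
"""Added example (not part of the advisory): an access-log audit for a
file-sharing web server. Log lines are constructed; the UI suffix list
is an assumption."""
import re
from typing import Optional
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Server-internal data files that must never be served (named in the advisory).
INTERNAL_SUFFIXES = (".sdb",)
# Paths treated as web UI rather than published content (assumed, heuristic).
UI_SUFFIXES = (".ghp", ".css", ".js", ".gif", ".png", ".ico")


def normalise(path: str) -> str:
    """Drop the query string, URL-decode twice (catches %25 double encoding),
    unify separators and case so FILES%2ESDB and files.sdb compare equal."""
    p = path.split("?", 1)[0]
    for _ in range(2):
        p = unquote(p)
    return p.replace("\\", "/").lower()


def audit_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing is suspicious."""
    m = CLF.match(line.rstrip("\r\n"))
    if not m:
        return None
    path = normalise(m["path"])
    anonymous = m["user"] == "-"
    if path.endswith(INTERNAL_SUFFIXES):
        # Flag regardless of status: a 404 is still a probe for the database.
        kind = "internal-db-file"
    elif (anonymous and m["status"] == "200" and path != "/"
          and not path.endswith(UI_SUFFIXES)):
        kind = "anonymous-direct-download"
    else:
        return None
    return {"ip": m["ip"], "path": path, "status": m["status"], "finding": kind}


def audit(log_text: str) -> list:
    """Audit a whole log and return the findings in log order."""
    return [f for f in (audit_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample: one anonymous client loads the UI, pulls the database
# file, then a published file; a logged-in user fetches the same file; the
# anonymous client retries the database file with URL encoding.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Dec/2009:18:16:02 +0000] "GET /vfolder.ghp HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2009:18:16:09 +0000] "GET /files.sdb HTTP/1.1" 200 40960
198.51.100.7 - - [15/Dec/2009:18:16:31 +0000] "GET /music/crystalmethod/boom.mp3 HTTP/1.1" 200 5242880
203.0.113.5 - alice [15/Dec/2009:18:20:11 +0000] "GET /music/crystalmethod/boom.mp3 HTTP/1.1" 200 5242880
198.51.100.7 - - [15/Dec/2009:18:21:40 +0000] "GET /FILES%2ESDB HTTP/1.1" 404 312
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The anonymous-download rule only makes sense once the work-around is in place; on a server that still allows anonymous direct access it will fire on every legitimate download, whereas the .sdb rule is meaningful either way.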

Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

2009-12-15 Thread Rohit Patnaik
Wow.  Very nice find.  One question: all the cited tools are Windows
executables.  Has there been any attempt to run the database viewer in Linux
via Wine?  I'm wondering if I'm going to have to set up a VM to try to
confirm this, or if I can try to do this via Wine.

Although the n3td3v drama is entertaining, it's finds like this which keep me
subscribed to this list.

Thanks again,
Rohit Patnaik


Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

2009-12-15 Thread Thor (Hammer of God)
I actually DID try to access the .sdb in Ubuntu but that was before I 
identified the file format of the db as myDB as noted.  I do not know of a 'nix 
based tool for access to the db.  If you just want to verify, you can open the 
.sdb with a text/hex editor and parse out a filename for yourself - it's pretty 
straightforward.  If you want to script the download of all files on a 
vulnerable server (for testing, of course) then you'll probably need to go 
ahead and set up a VM.

t
