Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread William A. Rowe, Jr.
Michal Zalewski wrote: I feel silly for reporting this, but I couldn't help but notice that Apache and IIS both have a bizarro implementation of HTTP/1.1 Range header functionality (as defined by RFC 2616). Their implementations allow the same fragment of a file to be requested an arbitrary

CFP for RAID 2007

2007-01-04 Thread Jeffrey Horton
CALL FOR PAPERS RAID 2007 10th International Symposium on Recent Advances in Intrusion Detection 2007 September 5-7, 2007 Crowne

Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread Juha-Matti Laurio
Possibly no, but I was just sending this reference to the lists: http://www.kb.cert.org/vuls/id/815960 According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0. Solution: http://www.adobe.com/products/acrobat/readstep2.html But it is worth mentioning that

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread Michal Zalewski
On Wed, 3 Jan 2007, William A. Rowe, Jr. wrote: Seriously, HTTP pipelining can accomplish EXACTLY the same thing with minimal pain. No, it can't. Client-side pipelining using simultaneous sessions with keep-alives is usually severely restricted on server-side (exactly for the reason they can

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread William A. Rowe, Jr.
Michal Zalewski wrote: On Wed, 3 Jan 2007, William A. Rowe, Jr. wrote: If you have an issue with this behavior, of HTTP, then you have an issue with the behavior under FTP or a host of other protocols. Not really; see above. These are typically well known, preventable by configuring

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread Michal Zalewski
On Thu, 4 Jan 2007, William A. Rowe, Jr. wrote: On the matter of your 1GB window (which is, again, the real issue), you have any examples of a kernel that permits that large a sliding window buffer by default No, I simply mentioned the hypothetical maximum; common configurations for

Re: OpenSER OSP Module remote code execution

2007-01-04 Thread bogdan
Thanks for the report. The maintainer of the OSP module, Di-Shi Sun, already applied a patch to fix this issue. The fix has been committed to 1.1.x (latest stable) and MAIN HEAD (development) on 1/2/07. Regards, Bogdan

Re: SMS handling OpenSER remote code executing

2007-01-04 Thread bogdan
Thanks for the report. I just applied a fix for both the latest stable version (1.1.0) and the development version (1.2.0). Not sure if code injection is possible as the maximum overflow is of 5 bytes, guess not long enough to encode an instruction. Regards, Bogdan

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread bugtraq
A slashdot user suggested the following: One possible work around on the server side: Direct your web server to serve .pdf files as mime type application/octet That way the files will be saved to disk instead of opening in the browser plug-in. URL:

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread Jim Manico
I'm most worried about the CSRF vector. XSS attacks are easily preventable via a web app firewall, input validation and/or session ID rotation; and I see a lot of frameworks (like Drupal 4.7.4+) protect against CSRF via Form Keys and/or rotating sessions. But I do not see a lot of custom

23C3 - Bluetooth hacking revisited [Summary and Code]

2007-01-04 Thread Thierry Zoller
Dear List, Kevin Finisterre and I gave a talk in Berlin on the 29th on Bluetooth Hacking; we presented new implementation bugs as well as bugs/problems deeply buried within the Protocol itself. This mail to the list should represent a digest for those not able to attend or able to view the stream.

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread RSnake
No, that is incorrect. This is not visible by the application because anchor tags are not sent to the webserver. This is completely invisible to web application firewalls. Btw, a user on http://sla.ckers.org/ made this recommendation for fixing your own browsers:

MkPortal All Guests are Admin Exploit

2007-01-04 Thread info
MkPortal All Guests are Admin Exploit Vulnerability discovered and exploited by: Demential Web: http://headburn.altervista.org E-mail: info[at]burnhead[dot]it Mkportal website: http://www.mkportal.it Start Macromedia Flash and create an swf file with this code: var idg:Number = 9; var

LS-20061102 - Business Objects Crystal Reports XI Professional Stack Overflow Vulnerability

2007-01-04 Thread advisories
LS-20061102 LSsec has discovered a vulnerability in Business Objects Crystal Reports XI Professional, which could be exploited by an attacker in order to execute arbitrary code on an affected system. Exploitation requires that the attacker coerce the target user into opening a malicious .RPT

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread pdp (architect)
ahhh, fragment identifiers make sense to browsers only. they are not sent to the server On 1/4/07, der wert [EMAIL PROTECTED] wrote: The best solution I see would be to keep all pdf files in a non-web accessible location on the web server, then have all the pdf files output through a script

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread Pieter de Boer
Michal Zalewski wrote: 2) Negotiate a high TCP window size for each of the connections (1 GB should be doable), Just zooming in on one detail of your e-mail. While you could set your own TCP receive window to 1GB, you obviously can't set the sender's send window to 1GB if it doesn't

[vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow Vulnerability

2007-01-04 Thread vulnpost-remove
[vuln.sg] Vulnerability Research Advisory PowerArchiver PAISO.DLL Buffer Overflow Vulnerability by Tan Chew Keong Release Date: 2007-01-04 Summary --- A vulnerability has been found in PowerArchiver. When exploited, the vulnerability allows execution of arbitrary code when the user opens a

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread HASEGAWA Yosuke
Hi, As the server side solution, forced rewriting of fragment identifiers in the URI by a redirection response can be considered. Disallow direct access to PDF on the server and return a response such as: -- Location: http://example.com/one-shot-url.pdf#top -- As a result, fragment identifiers in

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread Siim Põder
Michal Zalewski wrote: 1) Connect to the server (as many times as allowed by the remote party or deemed appropriate for the purpose of this demonstration), 2) Negotiate a high TCP window size for each of the connections (1 GB should be doable), 3) Send a partial request as

Universal PDF XSS After Party

2007-01-04 Thread pdp (architect)
Everybody knows about it. Everybody talks about it. We had a nice party. It is time for estimating the damages. In this article I will try to show the impact of the Universal PDF XSS vulnerability by explaining how it can be used in real life situations.

RE: [Full-disclosure] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread Larry Seltzer
According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0. I've actually tested it. On Reader 8 Acrobat you get a message box that says This operation is not allowed Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/

Re: RE: [Full-disclosure] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread Juha-Matti Laurio
Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS X 10.4.8. - Juha-Matti Larry Seltzer [EMAIL PROTECTED] wrote: According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0. I've actually tested it. On Reader 8 Acrobat you get a message box that says

Re: Universal XSS with PDF files: highly dangerous

2007-01-04 Thread Thierry Zoller
Dear List, Did anybody mention this does not work in Adobe Acrobat Reader 8 ? -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

2007-01-04 Thread Lawrence Paul MacIntyre
Dana: The S in RSA stands for Adi Shamir, not Ravi Sethi. Ravi is the author of the Dragon Book, however. This one time, at band camp, Dana Hudes wrote: Darren Reed wrote: In functional programming languages (think 4GLs like prolog), Prolog isn't a 4GL (it was invented in 1972 ). In Ravi

RE: PHP as a secure language? PHP worms? [was: Re: new linux malware]

2007-01-04 Thread Jim Harrison
..comment has nothing to do with either.. - I'm addressing the generalistic genuine security arguments offered in this discussion. I have no contrary argument to the point that PHP in its current incarnation is not designed to be secure; only that those who espouse the idyllic language are in for

Re: [Full-disclosure] Universal PDF XSS After Party (possible solution)

2007-01-04 Thread Darren Bounds
If I recall correctly from the Content-Disposition HTML attachment handling vulnerabilities last year, Opera didn't reliably abide by the Content-Disposition header. Additionally, Content-Disposition support in IE, Firefox, Opera, Safari and a few others was extremely inconsistent from version

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

2007-01-04 Thread Bill Nash
On Wed, 3 Jan 2007, Darren Reed wrote: The problem we have right now is that the language commonly used for dynamic web pages on non-Microsoft platforms is PHP and that this has not been engineered *for security*. The goal of a language such as PHP should be to make it possible to do what

SAP Security Contact

2007-01-04 Thread Mark Litchfield
I do not like to bother this mailing list with such requests, but as you will see from below (SAP's response), I feel this is a last resort. I have also phoned SAP leaving a voice mail but with no success. So if anyone can assist with a contact email address at SAP, ideally an individual,

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

2007-01-04 Thread Ronald Chmara
On Jan 2, 2007, at 10:37 AM, Darren Reed wrote: In some mail from Jim Harrison, sie said: Again; I agree with and fully support the effort. What I'm trying to point out is the literal impossibility of actually achieving genuine security in either our code or the languages it's written in.

[ GLSA 200701-01 ] DenyHosts: Denial of Service

2007-01-04 Thread Raphael Marichez
Gentoo Linux Security Advisory GLSA 200701-01 http://security.gentoo.org/

Re: [WEB SECURITY] RE: Universal PDF XSS After Party (possible solution)

2007-01-04 Thread RSnake
Be careful using either of those. REQUEST_URI can contain anything: http://example.com/file.pdf?whatever#vectorgoeshere For that example the request URI will be ..pathto..file.pdf?whatever which does not match \.pdf$. Likewise the second one has issues, including the fact that referrers are

Re: [WEB SECURITY] RE: [Full-disclosure] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread RSnake
Last night I came up with a proof of concept to exploit this locally: http://ha.ckers.org/blog/20070103/pdf-xss-can-compromise-your-machine/ If you have Adobe 7.0 installed there is at least one standard PDF installed on the local drive. Ouch. -RSnake http://ha.ckers.org/

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread Rob Sherwood
On Thu, Jan 04, 2007 at 12:45:35PM +0100, Pieter de Boer wrote: Michal Zalewski wrote: 2) Negotiate a high TCP window size for each of the connections (1 GB should be doable), For instance, FreeBSD by default has TCP send buffers set to 32KB. It does not (apart from recent work)

[ GLSA 200701-02 ] Mozilla Firefox: Multiple vulnerabilities

2007-01-04 Thread Raphael Marichez
Gentoo Linux Security Advisory GLSA 200701-02 http://security.gentoo.org/

Correction (High Risk Vulnerability in the OpenOffice and StarOffice Suites)

2007-01-04 Thread NGSSoftware Insight Security Research
Only versions prior to OpenOffice 2.1.0 are vulnerable to the heap overflows found by John. Cheers, David Litchfield

[ GLSA 200701-03 ] Mozilla Thunderbird: Multiple vulnerabilities

2007-01-04 Thread Raphael Marichez
Gentoo Linux Security Advisory GLSA 200701-03 http://security.gentoo.org/

Re: [VulnWatch] High Risk Vulnerability in the OpenOffice and StarOffice Suites

2007-01-04 Thread Florian Weimer
* NGSSoftware Insight Security Research: The vulnerabilities, three heap overflows, affect OpenOffice 2.1.0 and http://download.openoffice.org/2.1.0/index.html As far as I can tell, there is no version newer than 2.1.0 available at the web site. According to uncorroborated, version 2.1.0 is

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread Rude Yak
RSnake wrote: No, that is incorrect. This is not visible by the application because anchor tags are not sent to the webserver. This is completely invisible to web application firewalls. Btw, a user on http://sla.ckers.org/ made this recommendation for fixing your own browsers:

Re: [VulnWatch] High Risk Vulnerability in the OpenOffice and StarOffice Suites

2007-01-04 Thread David Litchfield
Hi Florian, * NGSSoftware Insight Security Research: The vulnerabilities, three heap overflows, affect OpenOffice 2.1.0 and http://download.openoffice.org/2.1.0/index.html As far as I can tell, there is no version newer than 2.1.0 available at the web site. According to uncorroborated,

RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread RSnake
That's correct. In doing some quick tests you can mitigate this if you take the URL (let's say http://site.com/file.pdf) and 301 them to the same file with an empty anchor tag: http://site.com/file.pdf# Of course that would cause an infinite loop since the empty anchor tag is not visible to

High Risk Vulnerability in the OpenOffice and StarOffice Suites

2007-01-04 Thread NGSSoftware Insight Security Research
John Heasman of NGSSoftware has discovered several high risk vulnerabilities in the handling of WMF and EMF graphics formats within the OpenOffice StarOffice suite. The vulnerabilities, three heap overflows, affect OpenOffice 2.1.0 and StarOffice 6, 7 and 8. If an attacker can coax a user into

RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread Martin O'Neal
I've had a better look at this now, and there seems to be a generic server side solution through the content-disposition header (at least for the versions of Firefox and IE which I have tested). If it is specified, the default installs of both products always produce a download dialog and don't

Concurrency strikes MSIE (potentially exploitable msxml3 flaws)

2007-01-04 Thread Michal Zalewski
A while ago, apparently angry with Larry Seltzer, I penned a quick write-up on the possible issues with race conditions triggered by asynchronous browser events (such as JavaScript timers) colliding with synchronous content rendering: http://seclists.org/vulnwatch/2006/q3/0023.html This is in

DMA[2007-0104a] - 'iLife iPhoto Photocasting Format String Vulnerability'

2007-01-04 Thread K F (lists)
DMA[2007-0104a] - 'iLife iPhoto Photocasting Format String Vulnerability' Author: Kevin Finisterre Vendor(s): http://www.apple.com Product: 'iLife 06 (?)' References: http://www.digitalmunition.com/DMA[2007-0104a].txt http://www.apple.com/ilife/iphoto/features/photocasting.html

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-04 Thread Michal Zalewski
On Thu, 4 Jan 2007, Michal Zalewski wrote: On Thu, 4 Jan 2007, William A. Rowe, Jr. wrote: 2) Theoretical window size limits and commonly implemented settings do have a side effect of making such attacks more feasible for attackers with a very limited bandwidth available. There's

RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitable msxml3 flaws)

2007-01-04 Thread Larry Seltzer
I hope you're still not angry! I just tried your demo on IE7. It took a while longer but does seem to have locked up. Were you looking at IE6 or IE7, and is the behavior any different? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/

RE: Universal PDF XSS After Party (possible solution)

2007-01-04 Thread Noe Espinoza M.
We need to force the users to download the pdf files And we can add to the httpd.conf or .htaccess the next code SetEnvIf Request_URI \.pdf$ requested_pdf=pdf Header add Content-Disposition Attachment env=requested_pdf Other solution is protect our pdf files from external links (hotlinking)

[USN-398-3] Firefox theme regression

2007-01-04 Thread Kees Cook
=== Ubuntu Security Notice USN-398-3 January 04, 2007 firefox-themes-ubuntu regression https://launchpad.net/bugs/76871 === A security issue affects the following Ubuntu

Perforce client: security hole by design

2007-01-04 Thread Ben Bucksch
= Abstract = The Perforce client has a huge gaping security hole by design. It totally trusts the Perforce server and does whatever the server tells it, writing arbitrary files. = Disclaimer = This is so terribly obvious that I'd be surprised that this is news, but I couldn't find

SAP Security

2007-01-04 Thread Mark Litchfield
I note from http://www.sap.com/solutions/security/index.epx - In addition, SAP follows a thorough security response process, which will soon include a security bulletin to keep SAP customers up-to-date as new security threats and vulnerabilities are uncovered and addressed Guess they are still

Re: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread rudeyak
YMMV, but in our own testing of server-side defenses for Apache, we had to resort to the following to extract the anchor information: # mod_rewrite defense RewriteCond %{THE_REQUEST} .*\.pdf[^A-Za-z0-9._?%-] RewriteRule (.*\.(pdf)) $1 [R,L] # mod_security defense SecRule REQUEST_URI_RAW:

CMS Made Simple non-permanent XSS

2007-01-04 Thread nanoymaster
http://www.nanoy.org Hacker.: NanoyMaster CMS: CMS Made Simple Version: 1.0.2 [exploits--] 1) Search XSS

Re: [VulnWatch] High Risk Vulnerability in the OpenOffice and StarOffice Suites

2007-01-04 Thread Pete Connolly
On Thursday 04 January 2007 21:00, David Litchfield wrote: Hi Florian, * NGSSoftware Insight Security Research: The vulnerabilities, three heap overflows, affect OpenOffice 2.1.0 and http://download.openoffice.org/2.1.0/index.html As far as I can tell, there is no version newer than

RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitable msxml3 flaws)

2007-01-04 Thread Michal Zalewski
On Thu, 4 Jan 2007, Larry Seltzer wrote: I hope you're still not angry! It took months of therapy, but I recovered ;) I just tried your demo on IE7. It took a while longer but does seem to have locked up. Were you looking at IE6 or IE7, and is the behavior any different? I tested several