[Full-disclosure] Pre-open files attack against locked file

2007-03-10 Thread 3APA3A
Hello lists, hello Roger. It's me again. Sorry for the annoyance, but there is one more attack vector with pre-open files I meant, but forgot, to mention. It seems dangerous enough and needs to be investigated for different applications. It's a theoretical attack against an application relying on

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-10 Thread Stefan Esser
Hello, PHP import_request_variables() arbitrary variable overwrite Date 20060307 I believe all dates in the advisory contain the wrong year... III. ANALYSIS import_request_variables() is not new to vulnerabilities: consider this change log entry for 24 Nov 2005, PHP 5.1.

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-10 Thread ascii
Stefan Esser wrote: Taking into account that the vulnerability you describe has been fixed in Hardened-PHP for years and that there is also a protection against this in the Suhosin Extension, you can be sure that this is NOT a new vulnerability (and that you are not the first one who found it...) not

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-10 Thread Stefano Di Paola
Hi Stefan, first of all let me say I come in peace :) On Sat, 10/03/2007 at 15.17 +0100, Stefan Esser wrote: Hello, PHP import_request_variables() arbitrary variable overwrite Date 20060307 I believe all dates in the advisory contain the wrong year...

[Full-disclosure] [ GLSA 200703-10 ] KHTML: Cross-site scripting (XSS) vulnerability

2007-03-10 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - -

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-10 Thread Stefan Esser
Hello Stefano, first of all. I am not angry at you, although my mail might have sounded so, but at the people that deserve it. The fault of the PHP Security Response Team is not yours. They are the ones that give credit to the wrong persons. Luckily after 2.5 years they fixed that issue (or

[Full-disclosure] [SECURITY] [DSA 1265-1] New Mozilla packages fix several vulnerabilities

2007-03-10 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- Debian Security Advisory DSA 1265-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze March 10th, 2007

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-10 Thread Roger A. Grimes
Two things regarding this ongoing (civil) flame war: 1. I was wrong about most versions of Linux having the same inheritance behavior as Windows. Dead wrong. And several people have written to correct me. Thank you. The search for truth is more important than my ego. grin Before I wrote that

[Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Scarlet Pimpernel
Hello all, There is an undefined function in OWASP website's javascript code (wikibits.js) called wgBreakFrames. This can cause potential damage to the site if used maliciously. http://www.owasp.org/skins/common/wikibits.js start of code: if (wgBreakFrames) { // Un-trap us from framesets if

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread jf
if (wgBreakFrames) { that's a variable, not a function; even if it were a function, I don't think it would make any difference. I'm not a javascript/xss expert, but I'd think you'd have to inject js into the page to do anything with it, which would make it a moot point. If you look at your js console

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Paul Schmehl
--On March 10, 2007 9:23:45 AM -0800 Scarlet Pimpernel [EMAIL PROTECTED] wrote: Hello all, There is an undefined function in OWASP website's javascript code (wikibits.js) called wgBreakFrames. This can cause potential damage to the site if used maliciously.

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-10 Thread 3APA3A
Dear Thor (Hammer of God), You are wrong at least for Windows XP/2003. There is a common temporary directory %WINDIR%\Temp. It's used as %TEMP% if an application is launched without local logon, e.g. a system service. For example, services launched with the LocalSystem account will have this

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Andrew Farmer
On 10 Mar 07, at 09:23, Scarlet Pimpernel wrote: Hello all, There is an undefined function in OWASP website's javascript code (wikibits.js) called wgBreakFrames. This can cause potential damage to the site if used maliciously. ... if (wgBreakFrames) { ... First of all, that's a

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Valdis . Kletnieks
On Sat, 10 Mar 2007 15:15:54 CST, Paul Schmehl said: Given the syntax of this function, wgBreakFrames can only have one of two values: true or false. I'd be interested to see some POC that would show how you would exploit this. The first thing to do is abuse the variable. In addition to

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Paul Schmehl
--On March 10, 2007 4:51:51 PM -0500 [EMAIL PROTECTED] wrote: On Sat, 10 Mar 2007 15:15:54 CST, Paul Schmehl said: Given the syntax of this function, wgBreakFrames can only have one of two values: true or false. I'd be interested to see some POC that would show how you would exploit this.

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-10 Thread KJKHyperion
3APA3A wrote: And now the most exciting part: Users have permission to create files in this directory, that is, a pre-open attack is possible. holy %[EMAIL PROTECTED] you're right: D:\WINDOWS\security\templates>more setup security.inf | findstr /r /i \temp\ d:\windows\temp, 2,

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Scarlet Pimpernel
Hey Andrew :) Corrected the blog entry, Thanks for your email... Also added jf at danglingpointers dot net ... since he was the first to reply. I hope this is just a bug, probably something that could cause minimal damage and not a vulnerability. Cheers :) Kish Andrew Farmer [EMAIL

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread jf
Sorry, I didn't mention this in my original reply: if you type the variable name into google you'll get several hits from the wiki software they use; apparently it used to be considered a security hole by the authors of the software if the wiki was embedded in another frame, so that's what that

[Full-disclosure] Exploit selling service up and running

2007-03-10 Thread kingcope
Hello List, This is Kingcope. We now have our Exploit selling site up and running. On www.com-winner.com you can purchase quality advisories and exploits. Feel free to contact our sales person for getting the latest Zero-Days. Best Regards, kingcope com-winner.com Research Team

Re: [Full-disclosure] Exploit selling service up and running

2007-03-10 Thread James Matthews
Immunity Canvas and Core Impact could make a lot from this selling site ;) On 3/10/07, kingcope [EMAIL PROTECTED] wrote: Hello List, This is Kingcope. We now have our Exploit selling site up and running. On www.com-winner.com you can purchase quality advisories and exploits. Feel free to

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Valdis . Kletnieks
On Sat, 10 Mar 2007 16:33:21 CST, Paul Schmehl said: In addition to true and false, try 3, 0 , -37, Cabbage, and maybe true) and (my_evil_function())). See if you can force it to throw a syntax error that creates a 404 page or something that contains *other* input you control,

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread Paul Schmehl
--On March 10, 2007 11:37:25 PM -0500 [EMAIL PROTECTED] wrote: Yeah, a 404 page controlled by the server might just be too chatty and give away info - but if you can control the input that creates the 404 page, it gets more interesting... You can't be serious. I can control a server and force

Re: [Full-disclosure] Is OWASP vulnerable ??

2007-03-10 Thread jf
Paul, if you find a way to get something to execute an eval() with data that you control, and all you can get out of that is an information disclosure, you *really* need to find a new line of work. Valdis, it's javascript, as in client side; if you want to eval() something on your machine, use

[Full-disclosure] Firefox: about:blank is phisher's best friend

2007-03-10 Thread Michal Zalewski
Firefox suffers from a design flaw that can be used to confuse casual users and evoke a false sense of authority when visiting a fraudulent website. The flaw can be also used to bypass a fix for an old UI spoofing bug that was thought to be addressed. This is a relatively minor issue, but I