Ryan Fox | 1 Mar 04:14 2003

web-erp 0.1.4 database access vulnerability

==================================
Security REPORT web-erp 0.1.4 and earlier
==================================
Product: web-erp 0.1.4 and earlier
Vulnerabilities: full database access
Vendor: Phil Daintree (http://web-erp.sourceforge.net/)
Vendor-Status: E-Mail to "p.daintree <at> xtra.co.nz" date: 27.02.2003
Vendor-Patch: Vendor reports problem fixed in new version 0.1.5 (27.02.2003)

Local: YES
Remote: YES

============
Introduction
============
From web site:
"WEB-ERP aims to provide a company with all the tools it needs to manage
multi-currency debtors, multi-location stocks, multi-currency creditors as
well as its general accounting needs."

=====================
Vulnerability Details
=====================
1) FULL DATABASE ACCESS

http-requests to:

---*---
http://server/logicworks.ini
---*---

dev-null | 1 Mar 13:02 2003

cryptome.org hacked by bighawk of hackweiser

~~ th3 cryptome.org d3f4c3m3nt ~~
  th3 c0nsp1r4cy th30rist [PHC]

hi.  as you know already cryptome.org was defaced 2/26/03.  the
defacement stated:

   hacked by bighawk of hackweiser (bighawk <at> kryptology.org)

later this same bighawk sent email to the cryptome maintainer, denying
any involvement in the hack.  his initial (published) mail can be read
at:
	
	http://cryptome.org/cryptome-hack.htm
	
in it our hero (bighawk) states:

	"Since a few months, a few individuals have been constantly
	 trying to bring me into discredit.  I believe this was their
	 next step.  Until now these attempts were relatively innocent
	 and could be easily ignored.  criminal actions as these i did
	 not expect."

ok since most of the people reading this don't understand wtf bighawk
is talking about, let me elaborate.  for some time people have been
somewhat tolerant of this blowhard's egotistical ranting and criticism
of others (who are often much more technically skilled and much better
looking than the very unattractive Jogchem), until at some point people
got sick of him and told him he needed to shut up.  since this time, 
almost every statement made by bighawk on ircsnet has initiated brutal
verbal (well, at least typed) ownage of bighawk.

Rizwan Ali Khan | 2 Mar 10:08 2003

Penetration Testing or Vulnerability Scanning?

When we usually talk about penetration testing tools, people mostly refer to vulnerability scanners like ISS, Typhon, Nessus, CyberCop etc.

However, penetration testing tools are those which penetrate as well; the above scanners do not do that.

One needs to have a working version of an SSH exploit for the SSH vulnerability detected by the vulnerability scanner, so is it necessary for a penetration tester to have access to the latest underground exploits? Or could all this be done in an ethical manner too?

Please guide me, I am so confused between these two methodologies.



Knud Erik Højgaard | 2 Mar 14:18 2003

gid games via toppler

Attached file should be self-explanatory.

--
kokanin/dtors/knud
Attachment (DSR-toppler.pl): application/octet-stream, 640 bytes
Etaoin Shrdlu | 2 Mar 17:49 2003

Re: Penetration Testing or Vulnerability Scanning?

Well, in the spirit of "Full Disclosure," I'm about to use this poor
innocent as a launching point for something that continues to disturb me.

Rizwan Ali Khan wrote:
> 
> When usually we talk about penetration testing tools, people mostly
> refer to Vulnerability Scanners like iss, typhon, nessus, cybercop etc.

Well, these are indeed vulnerability scanners, but I don't think of them as
necessarily being part of a suite of tools for penetration testing. I
believe that having at least two different vulnerability assessment tools
(to offset the false positive and negative results from using just one,
such as ISS) is important for any organization that is attempting to be
secure.

If you are involved in penetration testing, and use these tools for
anything more than a beginning sweep of a new network or site, I am telling
you now that you are cheating your employer. Sure, you should know how to
use these, but you should also know how to write your own for the network
and packages you are looking at.

Part of penetration testing ought to be simple detective work, such as
reading Wall Street's opinions of the company. You might be looking for
email or usenet postings from current and past employees. Why do a
penetration test looking for vulnerabilities in a forward facing IIS
server, when their only DMZ entry is using Websphere on an AIX/Mainframe
combination?

> However penetration testing tools are those who penetrate as well, the
> above scanners do not do that.

There is good reason these scanners don't attempt to penetrate. This is
YOUR job, not Rene's. YOU find the vulnerability, and then YOU write (or
find) the exploit. If you are looking for a tool that attempts to exploit
various different possibilities, then you are looking in the wrong place.
They exist, I'm sure, but you won't find them on Security Focus.

> One needs to have a working version of SSH exploit for the SSH
> vulnerability detected by the vulnerability scanner, so is it necessary
> for penetration tester to have access to the latest of underground
> exploit? or could all this be done in an ethical manner too?

How on earth do you think this has anything to do with ethics? Either
you're attempting to break in, or you're not. Whether or not you have
permission, the technique remains the same. Why do you think that someone
in the "underground" is going to provide you tools? Ought you not to
provide those yourself? Do you truly think that anything you find is better
than rank amateur?

> please guide I am so confused between two of these methodologies.

In addition, I believe you are confused between penetration of networks or
computers for hire, and penetration testing of networks and computers for
hire. This is a subtle difference that many newcomers to the field seem to
miss. If you are working for someone who insists that a vulnerability is
not there until you show the exploit, explain that it is not your mission
to provide entertainment, but rather to help secure the network. A good pen
tester ought to be able to take pride in NOT breaking things. If you are
being paid to break in, that's another matter, but don't look for help
here.

In either case, WRITE your own plugins to Nessus if you want to go further
than identification, or ADD in a DoS to nmap. If you don't have the skill
to open things up, you don't have the skill to pen test in the first place.
Scanners such as ISS and Pandora simply point out problems. You need to
have the knowledge to understand that ISS appears to have a small buffer
overflow problem in TCP Predictability that causes it to misidentify BSD
stacks (being random) as being easily predictable, when in fact (as nmap
tells you), they are not.

--
This blackhat thing looks like a honeypot a little.
Or like a meeting of nuns and hookers to discuss sex.

           Georgi Guninski
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[SCSA-008] Cross Site Scripting & Script Injection Vulnerability in PY-Livredor

________________________________________________________________________

Security Corporation Security Advisory [SCSA-008]
________________________________________________________________________

PROGRAM: PY-Livredor
HOMEPAGE: http://www.py-scripts.com
          http://www.scripts-php.com
VULNERABLE VERSIONS: v1.0
________________________________________________________________________

DESCRIPTION
________________________________________________________________________

PY-Livredor is an easy guestbook script using PHP4 and MySQL with
an administration interface which allows message deletion.

DETAILS
________________________________________________________________________

A Cross-Site Scripting vulnerability has been found in PY-Livredor
which allows attackers to inject script code into the guestbook and have
it run in clients' browsers as if it were provided by the website.

This Cross-Site Scripting vulnerability is found in the page for
posting messages (index.php).

An attacker can input specially crafted links and/or other
malicious scripts.

EXPLOIT
________________________________________________________________________

A vulnerability was discovered in the page for posting messages,
at this address:

http://[target]/livredor/index.php

The vulnerability is at the level of the interpretation of the "titre",
"Votre pseudo", "Votre e-mail" and "Votre message" fields.

Indeed, inserting a hostile script in these fields makes it possible
for a malicious user to have this script run in the browsers of the
visitors.

The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(opens a window showing the visitor's cookie.)

(replace [] by <>)

SOLUTIONS
________________________________________________________________________

No solution for the moment.

VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.

LINKS
________________________________________________________________________

http://www.security-corp.org/index.php?ink=4-15-1

French version:

http://www.security-corp.org/advisories/SCSA-008-FR.txt

------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
------------------------------------------------------------


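The advisory above boils down to guestbook fields being echoed into HTML unescaped. The following added example (Python, not PY-Livredor's PHP, and not code from the advisory) re-creates that rendering next to a hardened version that escapes each field for the context it lands in, using the advisory's own proof-of-concept string as constructed input; the page layout (h3, paragraph, mailto link) and the attribute-breaking values in the pseudo and e-mail fields are assumptions made for the demonstration.

```python
import html
import re

# The advisory's own proof of concept, used here as constructed test input.
PAYLOAD = '<script>alert("Cookie="+document.cookie)</script>'

# Constructed guestbook entry; field names follow the advisory, the
# attribute-breaking values in pseudo/email are added for the demonstration.
ENTRY = {
    "titre": PAYLOAD,
    "pseudo": 'bob" onmouseover="alert(1)',
    "email": 'x@example.com" onclick="alert(1)',
    "message": "Hello <b>world</b>",
}

_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def render_vulnerable(entry: dict) -> str:
    """Mirror the reported behaviour: fields are interpolated verbatim.

    The page layout (h3, paragraph, mailto link) is assumed, not taken
    from PY-Livredor's source.
    """
    return (
        f'<h3>{entry["titre"]}</h3>'
        f'<p>Par <a href="mailto:{entry["email"]}">{entry["pseudo"]}</a></p>'
        f'<p>{entry["message"]}</p>'
    )


def render_hardened(entry: dict) -> str:
    """Escape each field for the context it lands in before emitting HTML."""
    titre = html.escape(entry["titre"], quote=True)
    pseudo = html.escape(entry["pseudo"], quote=True)
    message = html.escape(entry["message"], quote=True)
    # The e-mail lands inside both an attribute and a URL: only emit a
    # mailto: link when it is a plausible address, else show the name alone.
    email = entry["email"].strip()
    if _EMAIL_RE.match(email):
        author = f'<a href="mailto:{html.escape(email, quote=True)}">{pseudo}</a>'
    else:
        author = pseudo
    return f"<h3>{titre}</h3><p>Par {author}</p><p>{message}</p>"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ENTRY))
    print("hardened:  ", render_hardened(ENTRY))
```
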
aeonflux | 2 Mar 23:09 2003

Re: Penetration Testing or Vulnerability Scanning?


On Sunday 02 March 2003 12:49 pm, Etaoin Shrdlu wrote:
> Part of penetration testing ought to be simple detective work, such as
> reading Wall Street's opinions of the company. You might be looking for
> email or usenet postings from current and past employees. Why do a
> penetration test looking for vulnerabilities in a forward facing IIS
> server, when their only DMZ entry is using Websphere on an AIX/Mainframe
> combination?
I completely agree with this point. Automated vuln testers can be very, very 
stupid in the vulns they look for and report; I've often seen IIS vulns 
reported in scans that I've done on Apache/Linux boxes.  Clearly it's a false 
positive, and it would be simple to code a check that would shut off 
scans/checks for services on certain platforms that couldn't possibly offer 
that service.  For example, scanning for sendmail vulns against a Microsoft 
Exchange 2000 box is silly.

> There is good reason these scanners don't attempt to penetrate. This is
> YOUR job, not Rene's. YOU find the vulnerability, and then YOU write (or
> find) the exploit. If you are looking for a tool that attempts to exploit
> various different possibilities, then you are looking in the wrong place.
> They exist, I'm sure, but you won't find them on Security Focus.
I wouldn't expect the vast majority of consultants out there to be able to 
write exploits.  The vast majority of IT consultants can't code.  
Networking/Systems Engineering people are especially bad for this.  Exploit 
writing, for the most part, isn't difficult; it is however specialized 
knowledge.  It's generally speaking not hard to find an exploit, rip it apart 
and figure out how it works, then write up some plug-in for Nessus.   It is 
however unreasonable to expect that most consultants will bother to do this, 
or even have the ability.  There are the exceptions of course... (like you 
wonderful people reading this).

> > One needs to have a working version of SSH exploit for the SSH
> > vulnerability detected by the vulnerability scanner, so is it necessary
> > for penetration tester to have access to the latest of underground
> > exploit? or could all this be done in an ethical manner too?
>
> How on earth do you think this has anything to do with ethics? Either
> you're attempting to break in, or you're not. Whether or not you have
> permission, the technique remains the same. Why do you think that someone
> in the "underground" is going to provide you tools? Ought you not to
> provide those yourself? Do you truly think that anything you find is better
> than rank amateur?
There are many cases I can cite, where a company wanted me to see what was 
vuln, but to NOT actually gain access to their systems.

>
> > please guide I am so confused between two of these methodologies.
>
> In addition, I believe you are confused between penetration of networks or
> computers for hire, and penetration testing of networks and computers for
> hire. This is a subtle difference that many newcomers to the field seem to
> miss. If you are working for someone who insists that a vulnerability is
> not there until you show the exploit, explain that it is not your mission
> to provide entertainment, but rather to help secure the network. A good pen
> tester ought to be able to take pride in NOT breaking things. If you are
> being paid to break in, that's another matter, but don't look for help
> here.
Case in point, many times I need to test if a particular DoS WILL crash a 
WinNT 4.0 server remotely, and there is no other way to tell, short of 
launching that particular exploit against the server.  I've seen a great many 
production servers die because of simple UDP frag attacks like "bonk".  Sometimes 
penetration testing and security scanning can be very destructive, especially 
if we need to test that the vuln is not a false positive.

> In either case, WRITE your own plugins to Nessus if you want to go further
> than identification, or ADD in a DoS to nmap. If you don't have the skill
> to open things up, you don't have the skill to pen test in the first place.
> Scanners such as ISS and Pandora simply point out problems. You need to
> have the knowledge to understand that ISS appears to have a small buffer
> overflow problem in TCP Predictability that causes it to misidentify BSD
> stacks (being random) as being easily predictable, when in fact (as nmap
> tells you), they are not.
I agree in theory, but in practice most consultants will not have the ability 
to write their own Nessus plugins.  Besides, in my experience, I found adding 
the DoS attack to Nessus was much better than adding it to nmap.....  almost 
always easier too.

Pavel Machek | 2 Mar 21:50 2003

Re: Terminal Emulator Security Issues

Hi!

> TERMINAL EMULATOR SECURITY ISSUES
> Copyright  2003 Digital Defense Incorporated

I played related joke on my friends,
telling them to 

telnet host 1234

and login with

secret
#r_f#_m -r _g_/

(of course it set the terminal to black/black
and disconnected after printing "Password:".)

Not permitting black-on-black-type
color combinations should help this.

Also terminals have various answerback
sentences. On localhost it is easy to
exploit any such thing.

(Create README file and xtermls executable
in some directory. Make README ask
xterm for answerback and hope user
will do ls after cat-ing README. Ouch.)
				Pavel 

--

-- 
				Pavel
Written on sharp zaurus, because my Velo1 broke. If you have Velo you don't need...


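Both tricks in Pavel's post, black-on-black text and an answerback request planted in a README, ride on escape sequences inside content that a user echoes to a terminal. The following added example (not from the post or from any terminal emulator's code) strips such sequences from untrusted text before it is displayed, using a constructed README as input; the sequence grammar is the ECMA-48/xterm one and is an assumption of the example, not something the page states.

```python
import re

# Constructed sample: a README carrying the two tricks described above,
# a colour change that hides text and a request for the terminal to
# answer back, plus a title-setting OSC and a device control string.
SAMPLE_README = (
    "Welcome to the project!\n"
    "\x1b[30;40mrm -rf ~/\x1b[0m\n"   # black text on black background
    "\x1b[c"                          # CSI 'c': ask for device attributes
    "\x1b]0;ls\x07"                   # OSC 0: set window/icon title
    "\x1bPq...\x1b\\"                 # DCS ... ST: device control string
    "Run ./configure && make\n"
)

# Control sequences recognised (ECMA-48 / xterm grammar, assumed here):
#   CSI        ESC [ params intermediates final   colours, cursor, queries
#   OSC        ESC ] ... BEL  or  ESC ] ... ESC \ titles, hyperlinks
#   DCS/PM/APC ESC P|^|_ ... ESC \                device control strings
#   2-byte     ESC + one byte in 0x40-0x5F        anything else ESC-prefixed
#   8-bit CSI  0x9B params intermediates final    C1 form of CSI
_CONTROL_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[P^_][^\x1b]*\x1b\\"
    r"|\x1b[@-Z\\-_]"
    r"|\x9b[0-?]*[ -/]*[@-~]"
)

# Remaining C0/C1 control bytes, except TAB and LF which carry layout.
# CR is dropped too: it lets later text overwrite what was already shown.
_CONTROL_CHAR = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def strip_terminal_controls(text: str) -> str:
    """Return text with escape sequences and stray control bytes removed.

    Hidden text becomes visible again: the sample's concealed command
    reappears as plain 'rm -rf ~/', and no query can reach the terminal.
    """
    text = _CONTROL_SEQ.sub("", text)
    return _CONTROL_CHAR.sub("", text)


def contains_terminal_controls(text: str) -> bool:
    """True if displaying text verbatim would let it drive the terminal."""
    return bool(_CONTROL_SEQ.search(text) or _CONTROL_CHAR.search(text))


if __name__ == "__main__":
    print(strip_terminal_controls(SAMPLE_README), end="")
```
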
hellNbak | 3 Mar 06:21 2003

Re: Penetration Testing or Vulnerability Scanning?

Typical methodologies include the footprinting process which is basically
gathering information on the target hosts be that a Nmap scan or simple
information gathering from ARIN records.  Then a vuln scan is usually done
using Nessus or whatever.  From this step is where you separate the real
"pen-testers" vs. the script kiddies in suits.  Some will take their
scanner reports slap their logo on it and call it a day while others will
have the abilities to use exploits be that borrowed from other sources or
created in house.  I guess it depends on what the customer wants and the
skill level of the team doing the work is............ but don't get me
started...........

On Sun, 2 Mar 2003, Rizwan Ali Khan wrote:

> Date: Sun, 2 Mar 2003 01:08:26 -0800 (PST)
> From: Rizwan Ali Khan <rizwanalikhan74 <at> yahoo.com>
> To: pen-test <at> securityfocus.com
> Cc: full-disclosure <at> lists.netsys.com
> Subject: [Full-Disclosure] Penetration Testing or Vulnerability Scanning?
>
>
> When usually we talk about penetration testing tools, people mostly refer to Vulnerability Scanners like
> iss, typhon, nessus, cybercop etc.
>
> However penetration testing tools are those who penetrate as well, the above scanners do not do that.
>
> One needs to have a working version of SSH exploit for the SSH vulnerability detected by the vulnerability
> scanner, so is it necessary for penetration tester to have access to the latest of underground exploit? or
> could all this be done in an ethical manner too?
>
> please guide I am so confused between two of these methodologies.

--

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak <at> nmrc.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


