usefulfor.com/security security dojo

7 Feb 2008 (0 comments)

ITN News Gadget – Script Injection Vulnerability

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript.

The ITN News Sidebar gadget provides users with the ability to view the latest world, money, sports, showbiz and weather news, letting them read stories and watch video news in the flyout panel. This information is requested by the ITN News gadget from a web server, which responds with the latest news stories. An attacker capable of intercepting the web server's response to the gadget's request could modify that response so that a script was injected and then run on the user's system. The injected script would run with the privileges of the currently logged-in user.

27 Jan 2008 (0 comments)

sql injection: inference attack (part 2)

In the previous article of this series (sql injection: inference attack) we saw an introduction to the concept of SQL inference attacks. In the security advisory Plogger Photo Gallery SQL Injection we saw that the Plogger Photo Gallery SQL injection vulnerability was an ideal scenario for studying SQL inference attacks.

Now it's time to see a hands-on example of how to exploit a SQL injection vulnerability using this technique. Please note that the intended audience of this article is security researchers who want to gain a deeper knowledge of the nature and internals of SQL inference attacks.

15 Jan 2008 (0 comments)

Meridio Embedded Cross Site Scripting

Meridio Document and Records Management is an enterprise content management system (Enterprise Document and Records Management - eDRM).

Meridio has been identified as being vulnerable to an embedded Cross Site Scripting vulnerability in the 'Title' field when uploading a document (name="subGeneralProps:dmpvDocTitle:PROP_W_title") and when creating a container (name="subGeneralProps:dmpvContainerTitle:PROP_W_title"), and also within the uploaded document itself.

Consequently, a malicious user could permanently inject JavaScript into the application. This malicious code could be made publicly accessible to other users of the Meridio application and would be executed within the browser context of any user accessing the embedded script.

This vulnerability could be exploited in a large number of ways, such as session hijacking, key logging or social engineering; the main limitation would be the creativity of the person performing the attack.

It should be noted that for this vulnerability to be exploited an attacker would need to be a user of the application or to have compromised a user account.

Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.

The full security advisory can be found here: [1]

19 Dec 2007 (0 comments)

security advisory: Plogger Photo Gallery SQL Injection

Plogger is an open source PHP photo gallery with over two years of development and more than 50,000 downloads. The Plogger web site (http://www.plogger.org), describes the application as a fully featured photo sharing package with an attractive and easy to use administrative interface.

It was found that insufficient validation was applied to the input parameters of the script that generates Plogger's RSS feeds. As a result, SQL code could be injected into Plogger database queries (read the security advisory: mirror #1, mirror #2).

update: this vulnerability has been assigned the following CVE number: CVE-2007-6587.

16 Dec 2007 (1 comment)

xmitm: xml man in the middle

This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport).

The only way we could think of to get our hands on the communication was to write a small set of scripts to trick the client and encapsulate the communication inside HTTP requests, which we could then manipulate using standard proxy tools such as Burp.

Although the information and scripts described in this post are focused on intercepting XML communication, the same principles apply to man-in-the-middle interception of any ASCII protocol such as SMTP, FTP or POP.

update: slides available here

11 Dec 2007 (0 comments)

dradis

dradis is a tool for sharing information during a pentest. If you are part of a team of testers working against the same set of targets, you will need to communicate with each other. The more efficient this communication is, the better your chances of a successful breach.

16 Nov 2007 (1 comment)

yl18.net: the chinese menace

This is the story of an attack I had to investigate for a client. The symptoms: mass defacement of web pages on the server; the only tool: roughly 1GB of web server log files.

5 Nov 2007 (0 comments)

sql injection: inference attack

SQL Injection is the process of injecting SQL commands into strings processed by an application. This is possible when there is insufficient validation of user input before it is executed in dynamic SQL queries.

Different types of attack exist and not all of them are suitable for every situation.

23 Oct 2007 (0 comments)

check for robots.txt

Sometimes it is useful to check whether a given HTTP server has a robots.txt file. If it exists it may disclose interesting information, useful for a pentest :)

27 Sep 2007 (0 comments)

Sidebar Gadgets Attacks

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript. They can be very flexible in design and function.

Gadgets are easy to install and use, and can be easily developed by any Vista user. They can enhance efficiency, they can be fun, and they can look good on a desktop. Windows Vista includes various gadgets by default, such as a calendar, calculator and currency converter. In addition, a large number of organisations offer gadgets for download and use, such as London Underground, Amazon, eBay, etc.

Gadgets can be perceived by users as fun and harmless, but their characteristics can make gadgets a potential risk for Vista users. They run with the permissions of the logged-on user and operate outside of IE's Protected Mode. Additionally, gadgets will usually communicate with a remote server to obtain information, and a rich gadget API is available which contains some potentially dangerous methods.

At the present time there are two main classes of gadget attacks:
