Last year I reported a vulnerability in opera browser which leads users to be deceived and lets an attacker to show a fake website address to their victims.
PoC:
Today I accidentally found the vulnerability still there! Opera developing team did not fix it yet! Is it really as trivial as this that they don’t even try to fix?!
What do you think?
Recently heard on the Internet about hacking comodo by Iranian hackers.
three weeks ago I submitted a Significant number of vulnerabilities (including XSS. CRLF, full path disclosure, information leak) to comodo, and it’s Over a week that they didn’t fix any of them.
I didn’t send the vulnerabilities to have some credit or something from them but only to show the real face of iran and iranian people.
In my believe, it’s a mistake to steal digital certifications and use it against people As making stuxnet was.
If any person or government belives in freedom of expression and information , then violating of privacy of people will be meaningless. I expect to have a safe and private web surf as every user in america, italia, brazil, or egypt should have.
People around the world have a lot in common, So don’t try to place them against each other.
Although Comodo is a victim of this attack, but they still neglect about the problems, This is not a good point for a company like Comodo, and I’m sure these bugs will be fixed in the next few days.
Remember, Although an XSS vulnerability does not give the attacker a direct access to the server,
but it can be One of the main pillars of an attack.
Hoping for a safe Internet.
———————————-
Update 2011-12-02
Comodo fixed many of bugs
Path traversal vulnerabilities are very common in the process of programming web applications.
Bypass Methods:
1. Encoding Data
for example encode the name of your file with common encoding methods:
download.php?getfile=Y29uZmlnLnBocA==
in above example the file name is base64 encoded.
2. Encrypting Data
In this method you must use encrypting algorithms:
download.php?getfile=%63%6F%6E%66%69%67%2E%70%68%70%0A%09%09%09
3. Special Characters
In some web apps, it’s possible to use special chars (like ~/ ../) in file names. This can be used by attackersto changing current directiory to another one.
example: download.php?getfile =~/../ boot
4. File Extensions
Some web apps validate file’s extension before letting it to be downloaded. An attacker can bypass this using null byte! for example: “./../../../ boot.ini% 00.jpg”
This way web apps which use OS API will have this vulnerability because OS and web server have Different interpretations about null bytes. In this example ,the real file name will be cutted down using API System to “./../../../ boot.ini”. You may also use %20 ( ex: ../../../index.asp%20) .
5. Using HTTP Referrer
In This method the attacker directly edits HTTP Referrer value. Most web servers can’t validate these types of variables correctly and will trust them by default.
Sometimes there are restrictions about some sections. this restriction can be done by some special softwares.
Suppose the user is denied to use ‘\’ char. You can use “%tmp:~2,1%” to bypass the restriction as it’s shown in image below:
Some guys asked me “Is Parsing Vulnerability really dangerous?”
This is an example of what an attacker can do using this vulnerability:
Find a website which uses FCKeditor thats not configured properly.
Now upload an evil file with your own way, for example the most common way is to rename your file to ‘test.asp;test.jpg’ then try to upload it. you’ll see Dot character(.) in the file name will be renamed to underscore (_). (see figures 1,2,3)
(1)
(2)
(3)
Now let’s create a folder with .asa extension, as you see in figure 4 the folder will be created.
So we can upload our evil asp script with .jpg extension in the folder, and finally open it in browser. (figures 5,6)
(4)
(5)
(6)
You can find new ideas.
Introduction:
Using this vulnerability you can bypass some Security filters, for example a file with “.jpg” or “.rar” extension can be executed as an asp (Active Server Page) file.
Vulnerable:
It just works for asp files and works on Windows 2003 / IIS 6 (As I tested…).
The test failed on IIS 5.1 and IIS 7.
More information(description, solution):
http://pouya.securitylab.ir/dl/Microsoft-IIS6-parsing-directory-Vulnerability.pdf
I just read some topics about “Uploaders’ Protections – Bypass Methods” here, they where interesting to me.
I think some others may be usefull too.
Add these to bypassing methods:
Insert magic number
PNG signature
Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!
Microsoft Internet Explorer automatically converts “\” character (0x5c) to “/” (0x2f) . for example it converts “Securitylab.ir\blog” to “Securitylab.ir/blog” . This may be abused in fishing attacks to bypass some security checks.
