Monday, April 28, 2008

Friday, April 25, 2008

[WEB SECURITY] A New Class of Vulnerability in Oracle: Lateral SQL Injection

Hey all,
I've just released some research that demonstrates a new class of
vulnerability in Oracle and how it can be exploited by an attacker. You can
grab the paper from here:

http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
http://www.davidlitchfield.com/blog

Thursday, April 24, 2008

It takes two hands to clap

Clashed with my mum again today. Or rather, she said some things this morning, some of which were true, some of which were just unfounded and untrue. Chose not to fight with her because of time, and the fact that quarrelling with her brings no progress at all. But as a result, lost the chance to explain to her, and to reason with her.

What i really can't stand is the ingrained attitude shown (not just in her, but when seen in some people around sometimes), that only the people around her are wrong, and that she's perfectly right always.

I'm really really angry, not just at her, but at how things have downward spiraled into this state.

How should i be thinking about this? I can remember a few points:

  • Hypocrisy is out. Recognise and work on your own faults first before helping others with theirs. It's always easier to see and focus on others' wrong.

  • In doing what's right, we must be ready also to give up on our (legal &/or moral) rights. That's exactly the way Jesus walked. The way of the cross.

  • Do unto others as how you'd have others to do unto you. Not wait for others to do something as you'd like, then reciprocate.

  • Anger is tantamount to murder.

Remembering what i learnt so far is the first step. But i'd sure need help to obey God in this area.

Tuesday, April 22, 2008

Sometimes not knowing who is reading stops a person from writing in a blog. Sometimes knowing who might be reading stops a person from writing. Sometimes knowing who is reading stops a person from writing.

Question then, is why write what you/I write? If the objective was to reveal oneself in writing, then perhaps the writing should continue.
Slowly being choked to death. And I know I'm dying. Question then is: what am I going to do about it? I'm already bringing down along with me others who're around me also.

Saturday, April 19, 2008

The scourge of the Singaporean Christian's life would be busy-ness. It takes no prisoners, killing all who succumb to its attack.

Want to read, think and pray already so hard to do. But...still must think of something to fight this problem eh.

Thursday, April 17, 2008

I'm confused as to what to think of my mum. I think it would be easier to rethink the entire situation as being my fault, for a few reasons. Benefit of the doubt, assuming that the changes in her were brought about by hormonal changes, and more importantly, the tendency to recognise my own real wrongdoings, and to be repentant about it.

Wednesday, April 16, 2008

Google XSS

Billy Rios has published one that he found in Google. Pretty exciting eh (not in the wrong way!) =O

Netcraft has a shorter version of the details also. Quoted below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An interesting cross-site scripting (XSS) vulnerability found in the Google Spreadsheets service would have allowed attackers to gain unauthorised access to other Google services, including Gmail and Google Docs.

The vulnerability was discovered by security engineer Billy Rios, and takes advantage of nuances in the way Internet Explorer handles Content-Types for webpages.

Google Spreadsheets XSS

When a spreadsheet is saved and downloaded in CSV format, the Content-Type is set to "text/plain", thereby instructing the client's browser that the document should be treated as plain text. However, if HTML tags are entered into the first cell of the spreadsheet, Internet Explorer detects these tags near the start of the CSV document and instead deduces that it should be treated as HTML. This essentially allowed arbitrary HTML webpages to be served from spreadsheets.google.com, which in turn allowed JavaScript to be executed in the context of the spreadsheets.google.com site. A remote attacker could exploit this weakness by stealing the user's session cookies and hijacking their session.

Rios points out that Google cookies are valid for all google.com sub domains. This means that when a user logs in to Gmail, the Gmail cookie is also valid for other Google services, such as Google Code, Google Docs, Google Spreadsheets, and more. Cross-site scripting vulnerabilities in any of these sub domains can allow an attacker to hijack a user's session and access other Google services as if they were that user.

Google has fixed the vulnerability discovered by Rios and there have been no reports of the vulnerability being exploited by attackers.

Sunday, April 13, 2008

Finally... We got our flat keys proper! :-)

Saturday, April 12, 2008

Chinese Compo


I wish I could write like this... =D

Friday, April 11, 2008

Love (for her)

Goes way beyond the emotional high that comes at the beginning or from time to time. It extends to the appreciation of and the commitment to take care of her. It's to face the future (in this world, till death, or Christ's return) together.

That's how the "for better or for worse" can be fulfilled. That's how I'd wish things to be, God willing.

Love you dear. Happy 2.5 year's anniversary ;-)


(Dated 090408)

WireShark 1.0.0 is out

Get it here!

[Link to PortableApps WireShark package]

Reviewing Practical PHP Exploitation Techniques

Good presentation here, for those who'd want to know. How some security vulnerabilities occur in (PHP) code.
PHP Code Analysis - Real World Examples

Taken from GNUCITIZEN.

Tuesday, April 08, 2008

File Download Injection

Taken from this mailing list post.

  • From: "Jeff Williams"
  • Subject: [WEB SECURITY] Attack Technique: File Download Injection
  • Date: Mon, 7 Apr 2008 15:22:15 -0400

File Download Injection
=======================

Affects most web application platforms, including Java, .NET, PHP, Cold
Fusion.

This attack involves the use of header injection, particularly the
Content-Disposition header, to subvert HTTP responses from trusted
domains. Attackers can use this technique to inject a malicious file
download with an arbitrary filename (.html, .exe, .swf, .mov, .msi,
.vbs, etc...) and arbitrary file content. Since the attack subverts an
existing HTTP request, both the URL and the downloaded file use a
trusted domain.

Some variants of the attack are surprisingly simple:

http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad

When the response for this attack arrives at the victim's browser, the
malicious file is named "attack.bat" and contains the command "wordpad"
inside. The injected file is opened as if it was a legitimate download
from the trusted domain. The attacker can inject any filename (.exe,
.bat, .html, .pdf, .sh, etc...) with any file content, and the browser
just opens it as it normally would - sometimes with a "run", "save",
"cancel" dialog and sometimes not.

Susceptible header injection vulnerabilities are frequently found in
file download pages, but could be anywhere a web application uses
untrusted input in a response header. This type of vulnerability can
exist in virtually any web application environment, including Java, .NET
and PHP.

This research builds on previous work in header injection and malicious
file execution, and adds the ability to make the attack come from
trusted domains. Although file download injection attacks are sent
through the vulnerable application on their way to the browser for
execution, they go beyond cross site scripting (XSS) as any file type
can be injected. The attack is also different from HTTP response
splitting as no second response is generated. Instead, the content of
the original response is replaced.

The paper examines various aspects of the attack, including both stored
and hidden variants and issues related to Content-Length. Some advanced
techniques for bypassing naive defenses are discussed. Finally, the
requirements for a strong defense are presented. Organizations are
encouraged to find and eliminate header injection vulnerabilities based
on the severity of this attack.

Full details in the white paper here:
http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf

--Jeff

Jeff Williams
Aspect Security
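Both the Google Spreadsheets XSS above (a browser second-guessing a `text/plain` Content-Type) and Jeff's File Download Injection post fail in the same place: the response headers of a download endpoint. The following is an added example, not code from either post or from Aspect Security or Netcraft. It shows the naive header pattern next to a hardened builder that refuses control characters, forces `attachment`, and adds `X-Content-Type-Options: nosniff`, plus a small check that flags percent-encoded CR/LF in access-log query strings. All function and parameter names are my own, and the log lines are constructed.

```python
"""Hardened file-download responses and a log check for header injection.

Added example, not code from the posts above. It uses the payload shape
those posts describe (CR/LF smuggled into a filename parameter) and shows
the defensive side: reject, quote, disable sniffing, and detect attempts
in server logs. Function names are hypothetical; SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Any control character in a header value is an injection attempt; CR and
# LF are the ones that actually terminate a header line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Only content types this download endpoint is meant to serve.
ALLOWED_TYPES = {"text/csv", "application/pdf", "application/octet-stream"}


def naive_download_headers(filename: str) -> str:
    """The vulnerable pattern: untrusted input copied straight into a header."""
    return (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Disposition: attachment; filename={filename}\r\n"
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    )


def safe_download_headers(filename: str, content_type: str) -> str:
    """Build the response head with the untrusted filename neutralised.

    Control characters are rejected rather than stripped, so an injection
    attempt fails loudly instead of being silently 'repaired'.
    """
    if CONTROL_CHARS.search(filename):
        raise ValueError("control character in filename")
    if content_type not in ALLOWED_TYPES:
        raise ValueError("content type not allowed for download")
    # Keep only the last path component, then escape for the quoted-string form.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1] or "download"
    quoted = base.replace('"', '\\"')
    return (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f'Content-Disposition: attachment; filename="{quoted}"\r\n'
        # Tells the browser not to second-guess Content-Type by sniffing the
        # body, which is the IE behaviour the Google CSV bug relied on.
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
    )


def split_response(raw: str) -> tuple[dict[str, str], str]:
    """Parse a raw response into (headers, body) the way a client would."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_header_injection_attempts(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter, decoded_value) for requests whose query
    parameters decode to something containing CR or LF."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, url = fields[0], fields[6]  # common log format: IP first, URL seventh
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if "\r" in value or "\n" in value:
                hits.append((ip, name, value))
    return hits


# Constructed access-log lines in common log format (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2008:15:22:15 -0400] "GET /download?fn=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Apr/2008:15:23:01 -0400] "GET /download?fn=attack.bat%0d%0a%0d%0awordpad HTTP/1.1" 200 7',
]

if __name__ == "__main__":
    payload = unquote("attack.bat%0d%0a%0d%0awordpad")
    headers, body = split_response(naive_download_headers(payload))
    print("naive body:", repr(body))  # the injected 'wordpad' has become the body
    try:
        safe_download_headers(payload, "application/octet-stream")
    except ValueError as exc:
        print("hardened:", exc)
    print(find_header_injection_attempts(SAMPLE_LOG))
```

The naive builder turns the post's `attack.bat%0d%0a%0d%0awordpad` parameter into a response whose body is `wordpad` and whose real `Content-Type` line has been pushed below the blank line; the hardened builder refuses the same input before any header is written. Rejecting instead of stripping is deliberate: a stripped attempt leaves no trace, while a raised error can be logged and correlated with the access-log check.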

Monday, April 07, 2008

Setting environment variables in Vista's user account

Chanced upon this by accident.

In XP, we usually set our environment variables using the advanced system settings dialog box, which can be found in Vista also.

The problem comes when we're running in user mode, and we need to change the environment variables. Vista's UAC would kick in, and we end up changing environment variables for the administrator account instead.

The solution to this would be to go to Control Panel -> User Accounts. There, click on the link to change the environment variables for the user account, and edit away!

Sunday, April 06, 2008

Baby Tigger Present

Cute right?! Cute right?! =D
Thanks dear =)

Intel unveils new remote lock-out technology for stolen laptops

[From TechRepublic blogs]

Interesting technology to have, but I wonder how long before someone manages to use it for a DoS attack?

Tuesday, April 01, 2008

Chickenfoot for Firefox

Chickenfoot is a Firefox extension that puts a programming environment in the browser's sidebar so you can write scripts to manipulate web pages and automate web browsing. In Chickenfoot, scripts are written in a superset of JavaScript that includes special functions specific to web tasks.