Some new methods of bypassing file uploaders protections have been discussed. As an example bypassing by using: trailing spaces and dots, “::$data.”, direct Null char, IIS semi-colon  bug, and so on.

Uploading files by using web applications is very common. However, there is always a high risk around this matter. In case of uploading a web-shell file which can be absolutely malicious, an attacker can get the same privilege of access as the web application to the server. In this paper, which is mostly around the Windows-based web applications, some general solutions for protecting against this type of attack have been suggested. Moreover, as a proof of concept, some of the most general protection methods and the way of bypassing them have been discussed.

This article is an educational article to improve the security of the web applications. And, the author of this article (“Soroush Dalili”) does not accept and has no responsibility about the content or usage of this article in any other way. Any other usage of this article except the legal ones is completely prohibited.

Please respect the copyright and mention the name of the author (“Soroush Dalili”) in case of using this article.

Download this article by clicking here. (http://soroush.secproject.com/downloadable/Improve File Uploaders’ Protections.pdf)

Cheers,
Soroush Dalili

The Web Application Security Consortium (WASC) is pleased to announce the long awaited release of the WASC Threat Classification v2.0.

You can read more information from these links: http://projects.webappsec.org/Threat-Classification and http://projects.webappsec.org/f/WASC-TC-v2_0.pdf

Cheers,

Soroush

I’m writing this post as a response to the Microsoft security response in: “http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx”.

They said that “We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.”. Therefore, I realized that this is not a Microsoft IIS hole. So, it should be a feature of IIS 6.0! In my opinion it’s a good feature for the attackers to bypass the web uploaders protection. Now my question is: why have they removed this feature from IIS version 7 and 7.5 then? And why are the others so concerned about this feature and some people added it to their exploits collection?

I think it’s not even a critical bug for IIS, but it is highly critical for most of the web applications.

Besides, Microsoft is so wrong about the default configurations since they said “customers who are using IIS 6.0 in the default don’t need to worry about this issue”.  I think they should look at the shared servers default configurations as well as the dedicated ones.

Finally, I think Microsoft should fix this feature as soon as possible to eliminate its risks! And, it is up to the web security researchers and the web penetration testers to decide about the impact of this vulnerability on the web applications.

PS:

You can also look at these links:

-          http://www.darknet.org.uk/2009/12/microsoft-iis-semicolon-bug-leaves-servers-vulnerable/

-          http://www.esecurityplanet.com/trends/article.php/3855936/article.htm

-          http://www.securityfocus.com/bid/37460/references

<script>
function recursiveFunc(){setInterval(“recursiveFunc()”,1);}
recursiveFunc();
</script>

Just save it as an HTML file, and try to open it with your browsers. You can convert “1” to “0” to get better result in Mozilla Firefox and Chrome.
I reported it to Mozilla Firefox as a bug.
Good luck.

The result was too simple, but interesting! I need only a semicolon between the “.asp” and the “.jpg” to execute an ASP file. So, the answer was “myfilename.asp;,jpg”. I have written some information about this vulnerability in:

http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

I’ll try to update this PDF file if there was a need to add or change some information.

Description of this vulnerability from Secunia.com is:

Description:
Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.

The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by “;”, only one internal extension being equal to “.asp” (e.g. “file.asp;.jpg”). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.

The vulnerability is confirmed on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected.

There are also several websites which wrote about this weakness:

1. Secunia Advisory: Microsoft IIS ASP Multiple Extensions Security Bypass

2. Securityfocus: Microsoft IIS Malformed Local Filename Security Bypass Vulnerability

3. The Register: Microsoft IIS vuln leaves users open to remote attack

4. VUPEN Security: Microsoft IIS File Extension Processing Security Bypass Vulnerability

5. Securitytracker: Microsoft Internet Information Services (IIS) Filename Extension Parsing Flaw May Let Users Bypass Security Controls

Google will (or already) know the users’ information!

News:

“Google pushes security with Public DNS” -> So, Google DNS can collect all the websites which is viewed by the users …

“Browsers use Google to detect web forgery -> So, a browser send a request to Google before openning a website for you! …

“The best search engine for all” -> So, Google can collect your keywords! …

“The best public mail service” -> So, Google can collect your emails …

“Google owned Youtube” -> So, Google can collect your videos …

“Google codes” -> So, Google can collect your source codes …

“Google documents” -> So, Google can collect your documents …

“Google photos” -> So, Google can collect your photos …

“Google messenger” -> So, Google can collect the messages …

“Most of the websites use Google web analyzer (tracker)” -> So, Google can track the websites’ information and also their customers! …

“Google Wave” -> So, Google can collect the blogs ,e-mails, instant messaging, FTPs, social networking’s, and so on’s information! …

“Google powerful translators” -> So, Google can understand why you are saying in other languages!

“Searchable images/sounds/videos by text or another object!” -> So, Google can search in users’ collected data …

“Chrome OS” -> So, Google can do anything with your computer …

AND etc (see http://www.google.co.uk/intl/en/options/ and http://www.googlelabs.com/)…

We are waiting for the most powerful shopping centre by Google!

However, we should trust Google in order to have happier and easier life!

Google = No Pain, No Gain!

Best wishes ;)

Soroush

I reported these two vulns. to its website just for having more security. And, I think these two vulnerabilities are fixed now.

However, I believe that still 70% of webistes are vulnerable against the OWASP TOP 10!

Also, I think you should read “Survey: Majority of Web sites vulnerable” as well.

Cheers,

Soroush

]]> http://soroush.secproject.com/blog/2009/11/my-belief-70-of-websites-are-vulnerable/feed/ 0 http://soroush.secproject.com/blog/2009/11/travian-game-vulnerabilities-in-progress/ http://soroush.secproject.com/blog/2009/11/travian-game-vulnerabilities-in-progress/#comments Sun, 29 Nov 2009 14:54:08 +0000 Soroush Dalili http://soroush.secproject.com/blog/?p=176 3 weeks ago, I sent an email about some small but effective vulnerabilities in Travian online game to its providers. By using these vulnerabilities a player can make several accounts by the same email address (because of a logical flaw), and also, he/she can login to other players’ accounts (by using an XSS vulnerability which is completely proved).

Now, I’m still waiting for their final response as I don’t want to be harmful for them!

So, how can we stop it if we could not remove its hardware from our computer or there is a danger of electromagnetic key-logger?

The first and the simplest idea is using an on-screen keyboard and click on it by using a mouse. However in order to get the best result, this on-screen keyboard should be dynamic in order to prevent a hardware key-logger for the mouse itself, which captures the mouse movements and its clicks. Another way is using encryption between the keyboard and its driver. For instance, there is no doubt that by using TPM and having strong encryption methods between keyboard and motherboard (or OS itself), the keyboard can encrypt the keystrokes before sending them to the computer. But, I want to be more initiative. Another idea can be using an optical-dynamic keyboard device which shows a keyboard on your desk or on your palm, and you can touch it in order to press a key (Fig. 3). There is also an application which claims that it can detect a hardware key-logger, but I have not tried it yet and I think it is still possible to hide a hardware key-logger completely from the OS.

Figure 3.

This text is completely based on my own idea, so please respect the copyright.

[2] http://www.google.co.uk/products?q=hardware+keylogger

[3] http://derek.chezmarcotte.ca/?page_id=24

I hope you enjoy :)

Click here to download this mini-article!

Cheers,

Soroush

Click here to download the PDF file.

This article is ready to download from these links:

http://soroush.secproject.com/downloadable/ASP_Security_Soroush_Dalili.pdf

or

http://rapidshare.com/files/273684865/ASP_Security_Soroush_Dalili.zip

Cheers

Soroush

I reported them to the computer support section, and all of them are solved now.
The vulnerabilities were:
1- File uploading attack (In WWW, attacker could upload a php file and execute it.)
2- Directory traversal (In WWW, attacker could see the files and directories of the server and download the web files via the browser)
3- Local file inclusion (In Supportweb, attacker could use LFI techniques to do some malicious works)
4- Critical XSS attack in Gate Keeper’s Login (In Both, attacker could steal all the usernames and passwords of the users by using some simple social engineering techniques.)

Most of these vulnerabilities were because of the old part of the website.

Cheers.

http://soroush.secproject.com/blog/domain4sale/

Creator: killerguppy101

Part1 (http://aria-security.persiangig.com/video/sqltut-Part1.rar)

——-

Part2.1 (http://aria-security.persiangig.com/video/sqltut-Part2.1.rar)

Part2.2 (http://aria-security.persiangig.com/video/sqltut-Part2.2.rar)

——-

Part3 (http://aria-security.persiangig.com/video/sqltut-Part3.rar)

Thanks from aria-security.com, Secr00t3r, ali_aria

Copy/Paste these links in your browser if they don’t work by clicking.

http://www.forcehacker.kit.net/videos.html

Facebook changed some forms and modules in its website in March 2009, so I updated my previous code to the new one:

At last I wrote the universal friend adder for the Facebook.com!

So, you can use this code to add your friends from your arbitrary wall such as Mobwars, Mafia Wars, Eleven Blood, Knighthood, and so on.

There are some important notes:

0- You must download and setup the iMacros first from here (http://www.iopus.com/download/).

1- You must bypass the CAPTCHA by adding more than 30 friends (maybe a bit less or more than this) manually.

2- You must find your application ID number by going to your application page and check the URL. There is always something like this:

http://www.facebook.com/apps/application.php?id=XXXXXXXXX

Which “XXXXXXXXX” is the application number which you must set it as “applicationIDNumber” in this code.

3- Please configure your settings in this code before usage if you want to get the best result.

Note: Unfortunately in this fast revision, you must choose a “friend list” name for the new friends which stands before all the friend list names. For ex. this name can be look  like: “000000myfriendlist”

You can copy/paste it as Facebook_Wall_Add.js to your iMacros.

/********* FaceBook Automatic Friends Adder from Apllications' Walls (After Passing the CAPTCHA manually)*********/
/********* You can bypass the CAPTCHA by adding more than 30 friends manually at the first *********/
/********* By Soroush Dalili March-2009 Soroush.SecProject.Com *********/
/********* Begin Configuration - You can change these settings *********/
var startPage = 2; // You can change this value to your page number!
var mobInviteMessage = "Please invite me to your Mafia Wars!"; // You can add your message here
var mobFriendList = "000000myfriendlist"; // You can add your special friend list (you must made it before)
var showImages = "1"; // You can change it to "0" (for disabling) and to "1" (for enabling)
// Wall ID Number: Mobwars = 8743457343 /  Mafia Wars = 56556324950 /  Eleven Blood = 29886835263 / Knighthood = 5541055185
// Just goto your application page which is something like "http://www.facebook.com/apps/application.php?id=XXXXXXXXX". This "XXXXXXXXX" is your application number
var applicationIDNumber = "56556324950"; // Default = MobWars Wall = 8743457343
/********* End Configuration - You can change these settings *********/

/********* Begin Code *********/
// Replace <SP> instead of space character
mobInviteMessage = addImacrosSpace(mobInviteMessage);
mobFriendList = addImacrosSpace(mobFriendList);
var jsNewLine="\n";

/********* Begin Openning Mobwars Wall's Pages *********/
var FaceBook_AddFromWall_Pages_Code;
FaceBook_AddFromWall_Pages_Code = "CODE:";
FaceBook_AddFromWall_Pages_Code = FaceBook_AddFromWall_Pages_Code+"SET !ERRORIGNORE YES" + jsNewLine;
if(showImages == "0"){
// Disable images to have more speed
FaceBook_AddFromWall_Pages_Code = FaceBook_AddFromWall_Pages_Code+"FILTER TYPE=IMAGES STATUS=ON" + jsNewLine;
}
// Open mobwars wall
FaceBook_AddFromWall_Pages_Code = FaceBook_AddFromWall_Pages_Code+"URL GOTO=http://www.facebook.com/wall.php?id=" + applicationIDNumber + "&page={{PageNumber}}" + jsNewLine;
FaceBook_AddFromWall_Pages_Code = FaceBook_AddFromWall_Pages_Code+"FILTER TYPE=IMAGES STATUS=OFF" + jsNewLine;
FaceBook_AddFromWall_Pages_Code = FaceBook_AddFromWall_Pages_Code+"WAIT SECONDS=1";
/********* End Openning Mobwars Wall's Pages *********/

/********* Begin Openning Mobwars Wall's Links *********/
var FaceBook_AddFromWall_Links_Code;
FaceBook_AddFromWall_Links_Code = "CODE:";
FaceBook_AddFromWall_Links_Code = FaceBook_AddFromWall_Links_Code+"SET !ERRORIGNORE NO" + jsNewLine;
FaceBook_AddFromWall_Links_Code = FaceBook_AddFromWall_Links_Code+"SET !TIMEOUT 15" + jsNewLine;
if(showImages == "0"){
// Disable images to have more speed
FaceBook_AddFromWall_Links_Code = FaceBook_AddFromWall_Links_Code+"FILTER TYPE=IMAGES STATUS=ON" + jsNewLine;
}
FaceBook_AddFromWall_Links_Code = FaceBook_AddFromWall_Links_Code+"TAG POS={{LinkNumber}} TYPE=A ATTR=HREF:http://www.facebook.com/s.php?k=100000080*&&CLASS:profile_link" + jsNewLine;
FaceBook_AddFromWall_Links_Code = FaceBook_AddFromWall_Links_Code+"WAIT SECONDS=1";
/********* End Openning Mobwars Wall's Links *********/

/********* Begin Add  - Step1: Press "Add As Friend" *********/
var FaceBook_AddFromWall_Add_Step1_Code;
FaceBook_AddFromWall_Add_Step1_Code = "CODE:";
FaceBook_AddFromWall_Add_Step1_Code = FaceBook_AddFromWall_Add_Step1_Code+"SET !ERRORIGNORE NO" + jsNewLine;
FaceBook_AddFromWall_Add_Step1_Code = FaceBook_AddFromWall_Add_Step1_Code+"SET !TIMEOUT 15" + jsNewLine;
FaceBook_AddFromWall_Add_Step1_Code = FaceBook_AddFromWall_Add_Step1_Code+"TAG POS=1 TYPE=A ATTR=TXT:Add<SP>as<SP>Friend" + jsNewLine;
FaceBook_AddFromWall_Add_Step1_Code = FaceBook_AddFromWall_Add_Step1_Code+"FILTER TYPE=IMAGES STATUS=OFF" + jsNewLine;
FaceBook_AddFromWall_Add_Step1_Code = FaceBook_AddFromWall_Add_Step1_Code+"WAIT SECONDS=1";
/********* End Add  - Step1: Press "Add As Friend" *********/

/********* Begin Add  - Step2: Fill the forms *********/
var FaceBook_AddFromWall_Add_Step2_Code;
FaceBook_AddFromWall_Add_Step2_Code = "CODE:";
FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"SET !ERRORIGNORE YES" + jsNewLine;
FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"SET !TIMEOUT 15" + jsNewLine;
// Insert Message
if(mobInviteMessage!=""){
FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"TAG POS=1 TYPE=A ATTR=TXT:Add<SP>a<SP>personal<SP>message*" + jsNewLine;
//FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"WAIT SECONDS=1"+ jsNewLine;
FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"TAG POS=1 TYPE=TEXTAREA ATTR=ID:message CONTENT=" + mobInviteMessage + jsNewLine;
}
// Select Friendlist
if(mobFriendList!=""){
	//FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"TAG POS=1 TYPE=SELECT FORM=NAME:NoFormName ATTR=ID:add_to_friend_list_widget_select_* CONTENT=$" + mobFriendList + jsNewLine;
	FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"TAG POS=1 TYPE=SPAN ATTR=BINDPOINT:main&&CLASS:UIActionMenu_Main" + jsNewLine;
	FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"TAG POS=1 TYPE=A ATTR=CLASS:UICheckList_Label CONTENT=" + mobFriendList + jsNewLine;
	//FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"TAG POS=1 TYPE=INPUT:TEXT ATTR=CLASS:inputtext FriendAddingTool_CreateNewList CONTENT=" + mobFriendList + jsNewLine;
}
// Press Add Button
FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"TAG POS=1 TYPE=INPUT:BUTTON ATTR=ID:dialog_button1" + jsNewLine;
FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"FILTER TYPE=IMAGES STATUS=OFF" + jsNewLine;
FaceBook_AddFromWall_Add_Step2_Code = FaceBook_AddFromWall_Add_Step2_Code+"WAIT SECONDS=2";

/********* End Add - Step2: Fill the forms *********/

/********* Begin Close Box *********/
var FaceBook_AddFromWall_Close_Code;

FaceBook_AddFromWall_Close_Code = "CODE:";
FaceBook_AddFromWall_Close_Code = FaceBook_AddFromWall_Close_Code+"SET !ERRORIGNORE YES" + jsNewLine;
FaceBook_AddFromWall_Close_Code = FaceBook_AddFromWall_Close_Code+"SET !TIMEOUT 15" + jsNewLine;
FaceBook_AddFromWall_Close_Code = FaceBook_AddFromWall_Close_Code+"TAG POS=1 TYPE=INPUT:BUTTON ATTR=NAME:close&&VALUE:Close" + jsNewLine;
FaceBook_AddFromWall_Close_Code = FaceBook_AddFromWall_Close_Code+"FILTER TYPE=IMAGES STATUS=OFF" + jsNewLine;
FaceBook_AddFromWall_Close_Code = FaceBook_AddFromWall_Close_Code+"WAIT SECONDS=2";

/********* End Close Box *********/

/********* Begin Internal JavaScript Code *********/
var i1=0;
var i2=0;
var i3=0;
var i4=0;
var j=0;
var p=0;
for(p=startPage;p>=0;p--){
	iimSet ("-var_PageNumber", p);
	i1 = iimPlay(FaceBook_AddFromWall_Pages_Code);
	for(j=0;j<20;j++){
		iimSet ("-var_LinkNumber", j*2+1);
		i2 = iimPlay(FaceBook_AddFromWall_Links_Code);

		if (i2 >= 0) {
			iimSet ("-var_LinkNumber", j);
		    i3 = iimPlay(FaceBook_AddFromWall_Add_Step1_Code);
			if(i3 >= 0)
				i4 = iimPlay(FaceBook_AddFromWall_Add_Step2_Code);
		}else{
			break;
		}

	}
}

function addImacrosSpace(str){
	str = str.replace(/ /g, "<SP>");
	return str;
}
/********* End Internal JavaScript Code *********/
/********* End Code*********/
/********* By Soroush Dalili March-2009 Soroush.SecProject.Com *********/

Thanks from Inanis because of fast fix and also for this beautiful template.

You can see these in this link:

http://www.inanis.net/blog/index.php/downloads/inanis-glass-wordpress-theme/inanis-glass-readme/