What site do you want to break today? at 2007-08-12 15:10:20
I just came back home and saw a very recent commit to PHP's session management. It is another attempt to fix the session cookie attribute injection that the PHP developers already tried to fix in PHP 5.2.3 without giving any credit. They still refuse to implement the correct fix, which consists of simply encoding the session id before sending it back through the cookie. The amusing thing this time is that their new fix, which consists of blacklisting a bunch of legal characters from the session id, will most probably result in hundreds or thousands of broken sites. What is even funnier is that the commit comes from a Zend employee who blacklists the ':' character from being used in the session id. The last time I audited the
BlogSecurity Interview at 2007-08-12 15:10:20
Two days ago I was interviewed by the people at BlogSecurity about my thoughts on WordPress, its vulnerabilities and how the project deals with them. The interview is now online.
About the CSRF Redirector at 2007-08-12 15:10:20
You might have seen this post in Chris's blog about a CSRF redirector he wrote. This is basically nothing more than a little script that turns a GET request into a hidden form that is then posted via JavaScript. There have always been security issues with redirector scripts, and if you provide one open to anyone, you should care about what kind of redirects you actually allow.
Two major risks exist with Chris's example:
- Malicious people could misuse it as a bouncer to attack other sites
- Not every URL is a web page. Some can load plugins, display information and some can execute JavaScript.
Here is an example URL:
http://shiflett.org/csrf.php?csrf=javascript:alert(/I_AM_A_SECURITY_EXPERT/)
More CSRF Redirectors at 2007-08-12 15:10:20
Today I learned about another CSRF redirector by another group of people in web application security called GNUCITIZEN. Similar to the previous CSRF redirector, it contains the same XSS vulnerability via the javascript: URI scheme.
Example:
http://www.gnucitizen.org/util/csrf?..._url=javascript:alert(/.../);
Update: The bug is fixed for now...
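A hardened version of the GET-to-POST redirector discussed in this post and the previous one, written as an added example in JavaScript (Node) that is neither Chris's csrf.php nor the GNUCITIZEN script: the target URL is parsed and allow-listed before it is ever written into the form's action attribute, so a javascript: URI never reaches the page, and a hostname allow-list (the constructed `example.com` entry is an assumption) keeps the script from being usable as a bouncer against arbitrary sites.

```javascript
// Added example, not the original redirector code. Hosts the redirector is
// allowed to post to; 'example.com' is a constructed placeholder.
const ALLOWED_HOSTS = new Set(['example.com']);

// Escape for use inside an HTML attribute value or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Returns the canonical URL if `raw` is an absolute http(s) URL to an allowed
// host, otherwise null. The WHATWG URL parser lowercases the scheme and strips
// leading whitespace, tabs and newlines, so 'JavaScript:' and 'java\tscript:'
// still end up as protocol 'javascript:' and are rejected. Relative inputs
// (no scheme) fail to parse without a base and are rejected as well.
function safeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (!allowedHosts.has(url.hostname)) return null; // not an open bouncer
  return url.href;
}

// Builds the auto-submitting hidden form the redirector serves. Field names and
// values come from the query string and are escaped; a rejected target is an
// error rather than a form with an attacker-controlled action.
function buildPostForm(target, fields) {
  const action = safeRedirectTarget(target);
  if (action === null) throw new Error('redirect target rejected');
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n  ');
  return `<form id="f" method="post" action="${escapeHtml(action)}">\n  ${inputs}\n</form>\n` +
    `<script>document.getElementById('f').submit();</script>`;
}
```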
MOPB Exploits taken down at 2007-08-12 15:10:20
Unfortunately I had to take down all the proof of concept exploits that were developed during the Month of PHP Bugs. The reason for this is a new law in Germany that came into force today. This new law makes it illegal to create or distribute software that could be used by someone to break into a computer system or to prepare a break-in. This includes port scanners like nmap, security scanners like Nessus and, of course, proof of concept exploits.