Gareth Heyes:
Bypassing XSS Auditor
Feb 20, 2013 @ 17:21:29

Gareth Heyes has posted about some bypasses that he's found for getting around the XSS Auditor functionality in some browsers:

I had a look at XSS Auditor for a bit of fun because Mario said it’s getting harder to bypass. Hmmm I don’t agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection of script based attacks (very common).

He includes three of his own bypasses - using a "formaction" on the submit input in a form, using "target" to override the iframe external resource restriction and the injection of a specially placed anchor tag. Each of these comes with a proof-of-concept example and another is also included courtesy of Mario Heiderich.

tagged: bypass xssauditor browser xss protection proofofconcept poc

Milw0rm.com:
Exploit - PHP5 COM Object Security Bypass (Windows)
Oct 23, 2007 @ 14:31:00

An exploit for PHP's COM objects on the 5.x series has been reported by shinnai - an issue that allows for a bypass of the safe_mode and disable_functions settings.

The exploit has been published as a PHP file for easy testing on your Windows/PHP installation (it was tested on WinXP Pro SP2 on both the CLI and Apache). No additional modules are needed for this exploit - only the COM functions and a Windows system.

The issue comes from an overflow in the str_repeat function allowing for the execution of whatever applications the developer wants on the remote Windows machine (including the ability to create and remove files and directories). There is no patch for this issue currently (it should be corrected in the next minor PHP release).

tagged: com object security bypass safemode disablefunction overflow strrepeat

Secunia.com:
Ubuntu update for PHP
Jul 18, 2007 @ 14:36:00

Secunia.com has posted about the latest PHP package update for the Ubuntu Linux distribution, a "highly critical" level update for releases 6.06, 6.10 and 7.04.

Ubuntu has issued an update for php. This fixes a vulnerability and a weakness, which can be exploited by malicious people to bypass certain security restrictions or potentially compromise a vulnerable system.

The post has links to all of the packages for every architecture the distribution supports, including the architecture-independent packages. Click on over and grab your update to bring your system up to date and secure.

tagged: secunia ubuntu package update security bypass

Secunia.com:
PHP "glob()" Code Execution Vulnerability
Jul 16, 2007 @ 18:52:38

As reported here on Secunia (as discovered by shinnai), there's a code execution vulnerability in PHP's glob function:

The vulnerability is caused due to an error in the handling of an uninitialized structure inside the "glob()" function. This can be exploited to execute arbitrary code, which may lead to security restrictions (e.g. the "disable_functions" directive) being bypassed.

The vulnerability is confirmed in the 5.2.3 win32 installer. Other versions may also be affected.

The issue is marked as "less critical" and can be avoided easily by granting only trusted users permission to execute PHP code on the server.

tagged: glob vulnerability execution bypass security

Secunia.com:
PHP Integer Overflow Vulnerability and Security Bypass
Jun 01, 2007 @ 16:33:00

Secunia has released an advisory for PHP today about an issue, caused by an integer overflow, that could allow an application's security restrictions to be bypassed.

A weakness and a vulnerability have been reported in PHP 5, where the vulnerability has unknown impact and the weakness can be exploited by malicious, local users to bypass certain security restrictions.

The issue stems from flaws in the chunk_split and realpath functions that can lead to a bypass of the open_basedir restriction on a server.

The issue is marked as "moderately critical" and it is suggested that users update to PHP 5.2.3 to correct the issue.

tagged: integer overflow vulnerability security bypass openbasedir

Secunia.com:
Mambo Unspecified Bypass Vulnerabilities
May 03, 2007 @ 14:38:00

Secunia.com has posted a new advisory today that Mambo users need to sit up and take notice of. Vulnerabilities have been discovered that could allow security restrictions in the application to be bypassed.

A vulnerability is caused due to insufficient privilege checks in includes/pdf.php. No further information is currently available.

A vulnerability is caused due to insufficient privilege checks in MOStlyDB Admin. Successful exploitation requires valid administrator credentials. No further information is currently available.

If you're using Mambo version 4.6.1 or prior, it's recommended that you update as soon as possible to the latest release, version 4.6.2.

tagged: mambo security bypass vulnerability secunia
