Live in Australia? Like [in]Security?
A few friends and I are planning to organise an IT Security event. If you live in Australia, shoot me an email and we’ll get talking.
Have a look at this source code:
// Lowercase via is used by open proxies/referrer spammers
// Exceptions: Clearswift uses lowercase via (refuses to fix;
// may be blocked again in the future)
if (array_key_exists('via', $package['headers']) &&
    !strstr($package['headers']['via'], 'Clearswift Web Policy Engine')) {
    return "9c9e4979";
}
Hm….
4.2 Message Headers
HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.
Well, it seems that Clearswift, Coral CDN, etc. are getting blocked because of this…
If you use Bad Behavior, let me know your experiences with it, and if this is affecting you, you might want to contact them.
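To see what the check above actually keys on, this added example (not Bad Behavior's code) runs it against three spellings of the same Via header, next to a case-insensitive lookup. The parser, the function names and the header values are constructed for illustration, and it assumes the headers array keeps each name exactly as the client sent it.

```php
<?php
// Added example: constructed header sets, not taken from Bad Behavior.

/** Parse raw header lines, keeping the sender's spelling of each field name (assumption). */
function parse_headers_preserving_case(array $lines): array {
    $headers = [];
    foreach ($lines as $line) {
        [$name, $value] = explode(':', $line, 2);
        $headers[trim($name)] = trim($value);
    }
    return $headers;
}

/** The check as shown on the page: matches only the exact lowercase key. */
function spelling_check(array $headers): bool {
    return array_key_exists('via', $headers) &&
        !strstr($headers['via'], 'Clearswift Web Policy Engine');
}

/** Lookup that compares field names case-insensitively, as section 4.2 requires. */
function get_header(array $headers, string $name): ?string {
    $lower = array_change_key_case($headers, CASE_LOWER);
    return $lower[strtolower($name)] ?? null;
}

// Constructed requests: the same Via value, three spellings of the field name.
$requests = [
    'capitalised' => ['Host: example.test', 'Via: 1.1 cache.example.test'],
    'lowercase'   => ['Host: example.test', 'via: 1.1 cache.example.test'],
    'uppercase'   => ['Host: example.test', 'VIA: 1.1 cache.example.test'],
];

foreach ($requests as $label => $lines) {
    $h = parse_headers_preserving_case($lines);
    printf("%-12s blocked=%-5s via=%s\n",
        $label,
        var_export(spelling_check($h), true),
        get_header($h, 'Via'));
}
```

Only the lowercase spelling trips the check, although all three requests carry the same header as far as HTTP is concerned.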
Ok, you’re on some channel on an IRC network… yada yada… some loser wants to hack you…
>Yeah, my IP is 127.0.0.1 go hack it…
Looks like they tried to…
There is your laugh for today…
I would have thought DShield would have filtered out bogus firewall logs…
Hm.. NULL even tried some hacking…
I wonder if 255.255.255.255 did?
Stefan Esser of the Hardened-PHP Project posted a security advisory about a flaw in ModSecurity regarding POST Data NULL Byte Rule Bypass.
The problem is that it is possible to bypass rules by adding NULL bytes to POST data with the application/x-www-form-urlencoded media type.
Now the funny part:
SOLUTION:
Do not rely solely on ModSecurity to block attacks.
ModSecurity isn’t a magical anti-hack solution, and the people who use it know that. Kinda stating a very obvious fix. How about “turn off scripting” :) [IE]
Steven.
The guys over at the Hardened-PHP Project have started a Month of PHP Bugs, whereby they set out to find vulnerabilities in the PHP Core (not any specific application). At the time of writing, they are up to their 9th flaw. You can see all the action at php-security.org.
Well, I finally made some time to go down to the testing centre, and I passed, becoming a Zend Certified Engineer!
TITLE:
TorrentFlux “action” Script Insertion
CRITICAL:
Not Critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
TorrentFlux 2.x
DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.
Input passed to the “action” variable is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator’s browser session in context of an affected site when the “Activity Log” is viewed.
The vulnerability has been confirmed in version 2.1. Other versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
/admin.php
Line 336:
$output .= "<td><div class=\"tiny\">".htmlentities($action, ENT_QUOTES)."</div></td>";
Line 398:
echo "<option value=\"".htmlentities($action, ENT_QUOTES)."\" ".$selected.">".htmlentities($action, ENT_QUOTES)."</option>";
TITLE:
TorrentFlux “file” Script Insertion
CRITICAL:
Moderate
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
TorrentFlux 2.x
DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.
Input passed to the “file” variable is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator’s browser session in context of an affected site when the “Activity Log” is viewed. An example is attempting to log in with an incorrect username or password, where the username field of /login.php contains the arbitrary code.
The vulnerability has been confirmed in version 2.1. Other versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
/admin.php
Line 338:
$output .= htmlentities($file, ENT_QUOTES);
TITLE:
TorrentFlux “startpop.php” “torrent” Script Insertion
CRITICAL:
Not Critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
TorrentFlux 2.x
DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.
Input passed to the “torrent” field of a GET Request (/startpop.php?torrent=%22%3E%3Cscript%3Ealert(document.cookies);%3C/script%3E.torrent) is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site if a user clicks on a malicious link.
The vulnerability has been confirmed in version 2.1. Other versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
/startpop.php
Line 36: Change to: $displayName = htmlentities($displayName, ENT_QUOTES);
(Line 36 is normally empty)
Grant only trusted users access to the application
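The three advisories above share one fix: escape stored or request-supplied values with htmlentities(..., ENT_QUOTES) where they are written into the page. The following is an added example, not TorrentFlux source; the entry fields, function names and log entries are constructed. It renders the same log rows before and after the fix, in both element and quoted-attribute context.

```php
<?php
// Added example: a stand-in for an activity-log view, not TorrentFlux source.
// Entry fields and function names are hypothetical.

/** Escape for HTML text and quoted-attribute contexts, as the fix lines do. */
function e(string $value): string {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

/** "Before": stored values go into the page as-is. */
function render_row_unescaped(array $entry): string {
    return '<tr><td><div class="tiny">' . $entry['action'] . '</div></td><td>'
        . $entry['file'] . '</td></tr>';
}

/** "After": stored values are escaped at the point of output. */
function render_row_escaped(array $entry): string {
    return '<tr><td><div class="tiny">' . e($entry['action']) . '</div></td><td>'
        . e($entry['file']) . '</td></tr>';
}

/** Filter drop-down: the value sits inside a quoted attribute. */
function render_option_escaped(string $action): string {
    return '<option value="' . e($action) . '">' . e($action) . '</option>';
}

// Constructed log entries, as if they were stored before the patch was applied.
$log = [
    ['action' => 'Login', 'file' => 'alice'],
    ['action' => 'Failed login', 'file' => '<script>alert(1)</script>'],
    ['action' => '" onmouseover="alert(1)', 'file' => 'x.torrent'],
];

foreach ($log as $entry) {
    $before = render_row_unescaped($entry);
    $after  = render_row_escaped($entry);
    printf("script tags before=%d after=%d\n",
        substr_count($before, '<script'), substr_count($after, '<script'));
    echo $after, "\n", render_option_escaped($entry['action']), "\n";
}
```

Because the escaping happens in the view rather than when the entry is stored, rows already sitting in the log from before the patch are rendered inert as well.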