More Cisco, “more” vulnerability

Positive Research has discovered a vulnerability in Cisco devices that allows attackers to bypass certain access restrictions. The flaw lies in how privileged command restrictions are applied, in particular to the "more" command, which lets an attacker obtain the router configuration stored in nvram, system (RAM) and flash. If access to the more command is configured as privilege exec level {number} more, as opposed to commands like show, …

Asterisk DoS Vulnerabilities

One of our latest internal projects involved heavy use of Asterisk PBX, the most popular open-source VoIP solution today. Positive Research decided to check Asterisk's implementation of the SIP protocol from a security perspective. First things first: we used the PROTOS test suite, which was developed specifically for SIP testing. The test base includes checks for overflows, format strings, UTF processing and more; you can check the …
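The PROTOS approach described above (well-formed SIP requests with one field at a time replaced by an anomaly, followed by a liveness check) can be reproduced in a few dozen lines. The following is an added example and not Positive Research's tooling or the PROTOS suite itself; the target and source addresses are constructed lab values, the anomaly payloads are my own choices in the PROTOS categories named in the post (overflow, format string, malformed UTF-8), and the OPTIONS probe is a simple stand-in for the suite's "is the server still up" check.

```python
import socket
from typing import Dict, List, Optional, Tuple

# Constructed lab values (assumptions): a test PBX and the fuzzing host.
TARGET_HOST = "192.0.2.10"
TARGET_PORT = 5060
SOURCE_ADDR = "192.0.2.99"

# Anomaly payloads in the spirit of the PROTOS SIP categories:
# overflows, format strings and malformed UTF-8.
ANOMALIES: Dict[str, bytes] = {
    "overflow": b"A" * 8192,
    "format-string": b"%s%n%x" * 32,
    "overlong-utf8": b"\xc0\xaf" * 64,   # overlong encoding of '/'
    "truncated-utf8": b"\xe2\x82",       # 3-byte sequence cut short
}
MUTATED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Contact")


def baseline_headers() -> Dict[str, bytes]:
    """A well-formed INVITE header set; every test case mutates one field of it."""
    src = SOURCE_ADDR.encode()
    dst = TARGET_HOST.encode()
    return {
        "Via": b"SIP/2.0/UDP " + src + b":5060;branch=z9hG4bK776asdhds",
        "From": b'"fuzz" <sip:fuzz@' + src + b">;tag=1928301774",
        "To": b"<sip:100@" + dst + b">",
        "Call-ID": b"a84b4c76e66710@" + src,
        "CSeq": b"314159 INVITE",
        "Contact": b"<sip:fuzz@" + src + b">",
        "Max-Forwards": b"70",
        "Content-Type": b"application/sdp",
    }


def build_request(method: bytes, headers: Dict[str, bytes], body: bytes = b"") -> bytes:
    """Serialise a request. Content-Length is recomputed so that the only
    anomaly in a case is the one deliberately injected."""
    lines = [method + b" sip:100@" + TARGET_HOST.encode() + b" SIP/2.0"]
    for name, value in headers.items():
        lines.append(name.encode() + b": " + value)
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def generate_cases() -> List[Tuple[str, bytes]]:
    """One complete INVITE per (header, anomaly) pair."""
    cases = []
    for header in MUTATED_HEADERS:
        for label, payload in ANOMALIES.items():
            h = baseline_headers()
            h[header] = payload
            cases.append((f"{header}/{label}", build_request(b"INVITE", h)))
    return cases


def pbx_alive(sock: socket.socket, timeout: float = 2.0) -> bool:
    """Liveness probe: a valid OPTIONS should draw some SIP response."""
    h = baseline_headers()
    h["CSeq"] = b"1 OPTIONS"
    sock.settimeout(timeout)
    sock.sendto(build_request(b"OPTIONS", h), (TARGET_HOST, TARGET_PORT))
    try:
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return False
    return data.startswith(b"SIP/2.0")


def run(cases: List[Tuple[str, bytes]]) -> Optional[str]:
    """Send each case, probe after it, and return the first case after which
    the PBX stopped answering (a DoS candidate to reproduce under a debugger)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for name, packet in cases:
            sock.sendto(packet, (TARGET_HOST, TARGET_PORT))
            if not pbx_alive(sock):
                return name
    finally:
        sock.close()
    return None


if __name__ == "__main__":
    culprit = run(generate_cases())
    print("PBX survived all cases" if culprit is None else f"no answer after {culprit}")
```

Only the case name that preceded the loss of service is reported; a real run would keep the packet bytes and replay that single case against a PBX under gdb or valgrind to tell a crash from a transient stall.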

PHP features in Windows operating system

Vladimir Vorontsov (aka d0znpp) has published rather interesting research into peculiarities of PHP's interaction with Windows. It started when the equivalence of the following ways of accessing a file was noticed: any.phP, any.php, any.ph<, any.ph>. Let's consider a real situation to understand the value of this method clearly. Assume that we have a web application with a lot of holes and flaws like …
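The equivalence above comes from two Windows behaviours: file-name lookup is case-insensitive, and '<' and '>' handed to the NT name-matching code are treated as the DOS wildcards DOS_STAR and DOS_QM. The added example below (not part of d0znpp's research) models those two behaviours with a simplified matcher (assumption: '<' behaves like "zero or more characters" and '>' like "zero or one character", which is enough to reproduce the collapse but is not a full reimplementation of the NT rules) and then shows why a string-comparison blocklist lets the variants through while a character and extension allowlist does not. The directory listing and the allowed-extension set are constructed.

```python
import re
from typing import List

# Simplified model of the NT DOS wildcards (assumption, see lead-in):
# '<' (DOS_STAR) ~ zero or more characters, '>' (DOS_QM) ~ zero or one character.
DOS_WILDCARDS = {"<": ".*", ">": ".?"}


def windows_name_matches(requested: str, on_disk: str) -> bool:
    """Does a requested name reach a given on-disk name under the model?
    Case-insensitive, like NTFS name lookup."""
    pattern = "".join(DOS_WILDCARDS.get(ch) or re.escape(ch) for ch in requested)
    return re.fullmatch(pattern, on_disk, re.IGNORECASE) is not None


def resolve(requested: str, directory: List[str]) -> List[str]:
    """Which files in a (constructed) directory listing a request would hit."""
    return [name for name in directory if windows_name_matches(requested, name)]


# A typical upload/include filter that the variants slip past: it compares
# the literal string, so only the exact lower-case ".php" is caught.
def naive_is_blocked(filename: str) -> bool:
    return filename.endswith(".php")


# Hardened check (hypothetical): allow-list the characters first, so wildcard
# and other special characters never reach the file system, then allow-list
# the lower-cased extension so case variants cannot help either.
ALLOWED_EXTENSIONS = {"jpg", "png", "gif", "txt"}


def hardened_is_allowed(filename: str) -> bool:
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", filename):
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


SAMPLE_DIR = ["any.php", "index.html", "logo.png"]  # constructed listing
```

Run `resolve("any.ph<", SAMPLE_DIR)` to see the wildcard variant land on any.php; the same name passes `naive_is_blocked` untouched and is rejected by `hardened_is_allowed` before any file-system call is made.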

Web application vulnerability statistics 2009

Many years of assessment practice by the PT Research analytic center and the experience of Positive Technologies in penetration testing and information security auditing show that errors in web application protection are still among the most common information security shortcomings. Moreover, web application vulnerabilities are one of the most widespread ways for attackers to penetrate enterprise information systems; there is a great number …

WASC WSTCv2 Mapping Proposal

While completing the vulnerability statistics on Russian web applications in 2009 (their publication date is too late this year) [1, 2, 3 in Russian], I suddenly realized that there is no comparison between WASC WSTCv2 and SANS/CWE Top 25 2010 vulnerability titles. As there is no such comparison on the official resource [4], I suggest my own version. Rank Score CWE ID CWE/SANS NAME WASC NAME WASC ID [1] 346 …

(non) blind SQL Injection

Introduction. SQL Injection is a method of attacking a database while bypassing firewalls. In this method, the parameters passed to the database through a web application are modified so that the executed SQL query changes. To conduct an SQL Injection attack, every possible way of interacting with the application (GET, POST, COOKIE, etc.) is used. Attacks can be conducted for the following purposes: 1. Access data that is …
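The mechanism described above, a request parameter that becomes part of the SQL text and changes the query that runs, in a runnable form. This is an added example, not code from the original post: the in-memory SQLite users table and the two payloads are constructed, and `login_vulnerable` / `login_safe` are hypothetical handlers that differ only in whether the parameter is spliced into the statement or bound to it.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Builds the query by string formatting: the request parameters become
    part of the SQL text, which is exactly what injection relies on."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Same logic with bound parameters: the values never become SQL syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# Payloads a client could send through any input channel (GET, POST, cookie).
BYPASS_AUTH = "' OR 1=1 --"                           # comments out the password check
DUMP_TABLE = "' UNION SELECT password FROM users --"  # reads other columns/rows
```

With `BYPASS_AUTH` as the name the vulnerable handler runs `... WHERE name = '' OR 1=1 --' AND password = ''`, so every row matches; with `DUMP_TABLE` the UNION makes the password column come back where names were expected, the "non-blind" case where the injected data is returned directly in the page. The bound-parameter version returns nothing for either payload because the quote and comment characters are data, not syntax.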

Another fine method to exploit SQL Injection and bypass WAF

A method that I discovered today in the MySQL documentation struck me with its simplicity and the fact that I hadn't noticed it before. Let me describe this method of bypassing a WAF. MySQL servers allow comments of the following type: /*!sql-code*/ and /*!12345sql-code*/. As can be seen, the SQL code inside the comment will be executed in both cases! The latter construction means that …
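To see why the comment forms above defeat a keyword filter, and what a filter has to do about it, here is an added example (not from the original post). `NAIVE_RULE` is a hypothetical WAF signature that expects "union" and "select" separated by whitespace; `mysql_view` rewrites a statement into what the MySQL server itself executes, unwrapping `/*!...*/` and `/*!NNNNN...*/` (executed only when the server version is at least NNNNN; the five-digit version form is assumed) and dropping ordinary `/*...*/` comments, so the same signature can be applied to the server's view. The payload and the server version are constructed.

```python
import re

# Hypothetical signature of the kind the trick defeats: it wants the two
# keywords separated by ordinary whitespace.
NAIVE_RULE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)

# MySQL-specific comment forms (assumption: the classic 5-digit version form):
#   /*! code */        executed unconditionally
#   /*!NNNNN code */   executed only if the server version is >= NNNNN
VERSIONED_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def mysql_view(sql: str, server_version: int = 50744) -> str:
    """Rewrite a statement into what a MySQL server of the given version
    actually executes: versioned comments are unwrapped (or dropped when the
    version gate fails), plain comments are removed, whitespace collapsed."""
    def unwrap(match):
        gate = match.group(1)
        if gate is None or int(gate) <= server_version:
            return " " + match.group(2) + " "
        return " "
    sql = VERSIONED_COMMENT.sub(unwrap, sql)   # must run before PLAIN_COMMENT
    sql = PLAIN_COMMENT.sub(" ", sql)
    return re.sub(r"\s+", " ", sql).strip()


def naive_waf_blocks(sql: str) -> bool:
    """Signature applied to the raw parameter, as a naive WAF does."""
    return NAIVE_RULE.search(sql) is not None


def aware_waf_blocks(sql: str, server_version: int = 50744) -> bool:
    """The same signature applied to the server's view of the statement."""
    return NAIVE_RULE.search(mysql_view(sql, server_version)) is not None


# Constructed injection payload for a numeric parameter.
PAYLOAD = "1 /*!50000union*/ /*!50000select*/ user(), version()"
```

`naive_waf_blocks(PAYLOAD)` is false because the keywords are wrapped in comment syntax the signature does not understand, while `mysql_view(PAYLOAD)` yields `1 union select user(), version()`, which the same rule catches. The version gate also shows the flip side: a payload wrapped in `/*!99999...*/` is not executed by current servers at all, so a filter that unwraps every versioned comment unconditionally would raise false positives for no gain.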