what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 21 of 21 RSS Feed

Files from Timothy D. Morgan

Email addresstmorgan at vsecurity.com
First Active2007-05-03
Last Active2017-02-24
Java / Python FTP URL Handling XXE / SSRF
Posted Feb 24, 2017
Authored by Timothy D. Morgan

Java and Python both have URL handling code that can be leveraged for XML external entity (XXE) injection and SSRF attacks.

tags | advisory, java, python, xxe
SHA-256 | 9f2a5aa311b233621706991238e47f4e31fc0b190ca89a1f42a16cfca5d09c4c
Python urllib HTTP Header Injection
Posted Jun 16, 2016
Authored by Timothy D. Morgan

Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x) is vulnerable to protocol stream injection attacks (a.k.a. "smuggling" attacks) via the http scheme.

tags | exploit, web, protocol, python
SHA-256 | 9fea0de30ead37c21a774ad8b50ab697e88f3e051112390e3be85d2e599d044f
XML Schema, DTD, And Entity Attacks
Posted May 22, 2014
Authored by Timothy D. Morgan | Site vsecurity.com

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. A core feature of XML is the ability to define and validate document structure using schemas and document type definitions (DTDs). When used incorrectly, certain aspects of these document definition and validation features can lead to security vulnerabilities in applications that use XML. This document attempts to provide an up to date reference on these attacks, enumerating all publicly known techniques applicable to the most popular XML parsers in use while exploring a few novel attacks as well.

tags | paper, vulnerability
SHA-256 | 8e82def158ebfbe41cc7595829128a612d02d271dadd2f1c5596bfb75b802a36
PayPal Padding Oracle Flaw
Posted Sep 3, 2013
Authored by Timothy D. Morgan | Site vsecurity.com

The main PayPal web site sets a cookie named "aksession" which contains a blob of base64-encoded ciphertext. This ciphertext is encrypted using a 64-bit block cipher in CBC mode and does not have any other integrity protection. Naturally, this means the aksession cookie is vulnerable to a padding oracle attack allowing full decryption and forgery.

tags | advisory, web
SHA-256 | ba96e4f85c1954558a6465548df5a7c14c4b67362f6c526a4c2c191b176d6879
IBM WebSphere Commerce Padding Oracle Attacks
Posted Jun 19, 2013
Authored by George D. Gal, Timothy D. Morgan | Site vsecurity.com

In February 2013, VSR identified a vulnerability in the IBM WebSphere Commerce framework which could allow an attacker to tamper with values stored in the "krypto" URL parameter. This parameter is encrypted with a block cipher without any independent integrity protection. This, combined with observed application behavior, allows for padding oracle attacks which can be used to decrypt the krypto token and forge new tokens with arbitrary embedded parameters.

tags | advisory, arbitrary
advisories | CVE-2013-0523
SHA-256 | 5998d6a975a57dc3921286cababdc5aa780a65141183d9726f3d8938c1392707
Libraptor XXE In RDF/XML File Interpretation
Posted Mar 24, 2012
Authored by Timothy D. Morgan | Site vsecurity.com

VSR identified a vulnerability in multiple open source office products (including OpenOffice, LibreOffice, KOffice, and AbiWord) due to unsafe interpretation of XML files with custom entity declarations. Deeper analysis revealed that the vulnerability was caused by acceptance of external entities by the libraptor library, which is used by librdf and is in turn used by these office products.

tags | advisory
advisories | CVE-2012-0037
SHA-256 | c080c190d86a9fe75c277115920d4c554a70b66f10a4c4abc47cf7b1079c5232
OpenOffice.org Data Leakage
Posted Mar 23, 2012
Authored by Timothy D. Morgan | Site apache.org

An XML External Entity (XXE) attack is possible in OpenOffice.org versions 3.3 and 3.4 Beta. This vulnerability exploits the way in which external entities are processed in certain XML components of ODF documents.

tags | advisory, xxe
advisories | CVE-2012-0037
SHA-256 | 8eebd992aa35f4faf62775e9bf55d28de394b1f4f67b8928b0375d38ba17a838
RegLookup Registry Parser 1.0.0
Posted Jun 20, 2011
Authored by Timothy D. Morgan | Site projects.sentinelchicken.org

RegLookup is a small command line utility for parsing and searching registry files from Windows NT and later.

Changes: SK records and security descriptors are now accessible in pyregfi. Key caching was added to regfi, and SK caching was reintroduced. Minor API simplifications were made and documentation was improved. Numerous bugs were fixed.
tags | registry
systems | windows, unix
SHA-256 | c9123786bc1be1a714c59e2fabae693d434698ce4d3fc44847cb847bff26b686
RegLookup Registry Parser 0.99.0
Posted May 2, 2011
Authored by Timothy D. Morgan | Site projects.sentinelchicken.org

RegLookup is a small command line utility for parsing and searching registry files from Windows NT and later.

Changes: This 1.0 release candidate contains major improvements to regfi usability. regfi was made a proper library, and major improvements were made to the API. Python bindings (pyregfi) were added for regfi. The Make-based build system was replaced with a SCons-based one. Numerous improvements were made in regfi for multithreaded use and memory management. API documentation was improved.
tags | registry
systems | windows, unix
SHA-256 | b7ae9e5c13f949ef958da4cba741067516bbc4c2800e033ff0d6ad4506945406
WebLogic Plugin HTTP Injection Via Encoded URLs
Posted Jul 14, 2010
Authored by George D. Gal, Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - Over the last several years, VSR analysts had observed unusual behavior in multiple WebLogic deployments when certain special characters were URL encoded and appended to URLs. In late April, 2010 VSR began researching this more in depth and found that the issue could allow for HTTP header injection and HTTP request smuggling attacks.

tags | exploit, web
advisories | CVE-2010-2375
SHA-256 | 5d7636d4025d8667dd9edaf1762d3650f321ba8bf02999b83dd50d2261a56eff
Tandberg VCS Authentication Bypass
Posted Apr 12, 2010
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - On December 2nd, VSR identified an authentication bypass vulnerability in TANDBERG's Video Communication Server, firmware version x4.2.1. This vulnerability allows for the complete bypass of authentication in the administrative web console. Since this web interface can be used to execute arbitrary code on the appliance as root (via software updates), the severity is considered critical.

tags | advisory, web, arbitrary, root, bypass
advisories | CVE-2009-4509
SHA-256 | db51c425156ad6e9f3fa40fb9a1383e98edfded1cb0710c6c58c4a658f0b3a0b
Tandberg VCS Arbitrary File Retrieval
Posted Apr 12, 2010
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - On December 3rd, VSR identified a directory traversal and file retrieval vulnerability in the TANDBERG's Video Communication Server. This issue would allow an authenticated attacker (who has access as an administrator or less privileged user on the web administration interface) to retrieve files from the filesystem which are readable by the "nobody" system user.

tags | exploit, web
advisories | CVE-2009-4511
SHA-256 | ecd6138fe7cb748fda93151615a0f39b450b83fd760e7df84e7bd345e9f97124
Tandberg VCS Static SSH Host Keys
Posted Apr 12, 2010
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - On December 2nd, VSR identified a SSH service authentication weakness vulnerability in the TANDBERG's Video Communication Server. This issue would allow an attacker with privileged network access to conduct server impersonation and man-in-the-middle attacks on administrator SSH sessions. Successful attacks could yield shell access to vulnerable appliances.

tags | advisory, shell
advisories | CVE-2009-4510
SHA-256 | 5d59b48678f9f742a235347210d3b7f85ea422e15a8e88168874895fb1bf8af4
RegLookup Register Parser 0.12.0
Posted Mar 9, 2010
Authored by Timothy D. Morgan | Site projects.sentinelchicken.org

RegLookup is a small command line utility for parsing and searching registry files from Windows NT and later.

Changes: Big data support was improved and added to reglookup-recover. A -i option was added to reglookup for assisting with timeline generation. Unicode support was improved by correctly interpreting UTF-16LE key and value names. Data type interpretation was moved into regfi, and the regfi library interface was reorganized. regfi documentation was improved and Doxygen formatting was added.
tags | registry
systems | windows
SHA-256 | 2efcef5aae5418aac5d3ebe7af46e05349622d4e16ab73186e38b6c28762a94e
Chrome Password Manager Cross Origin Weakness
Posted Feb 16, 2010
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - In mid-January, VSR identified a vulnerability in Google Chrome which could be used in phishing attacks in specific types of web sites. This issue may make it much easier to convince a victim to submit web application credentials to the attacker's site.

tags | advisory, web
advisories | CVE-2010-0556
SHA-256 | f3601476eca991b5fbd55769dd6d77727430ebaa9cd28fc2bb03eb2fdff6501a
Weaning The Web Off Of Session Cookies
Posted Jan 27, 2010
Authored by Timothy D. Morgan | Site vsecurity.com

Whitepaper called Weaning The Web Off Of Session Cookies. It compares the security weaknesses and usability limitations of both cookie-based session management and HTTP digest authentication; demonstrating how digest authentication is clearly the more secure system in practice.

tags | paper, web
SHA-256 | 8037409600569b8d43de2c78faf6df1c248608e53de405e52921675f233564e4
JWS-props.txt
Posted Dec 4, 2008
Authored by Timothy D. Morgan | Site vsecurity.com

VSR identified a vulnerability in Java Web Start related to the execution of privileged applications. This flaw could allow an attacker to execute arbitrary code on a victim system if a user could be convinced to visit a malicious web site.

tags | advisory, java, web, arbitrary
advisories | CVE-2008-2086
SHA-256 | 8ca3bf4453e1d97e1df8cb1777248b40098c96ebee21fac715d1bd6643e51396
afflib-overflows.txt
Posted May 3, 2007
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - Multiple buffer overflows exist in AFFLIB version 2.2.0. Earlier versions may also be affected.

tags | advisory, overflow
advisories | CVE-2007-2053
SHA-256 | 559b496c894460a6c954813164a9b04a3bee9aa0a0423d28cdfb43a930ac0ea6
afflib-toctou.txt
Posted May 3, 2007
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - A Time-of-Check-Time-of-Use file race condition exists in AFFLIB versions 2.2.0 through 2.2.8.

tags | advisory
advisories | CVE-2007-2056
SHA-256 | 198a217781a92be69e6ee7057a6ba2ab8414efcd5535a2834fc9fd680333a5e1
afflib-shellinject.txt
Posted May 3, 2007
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - Multiple shell metacharacter injection vulnerabilities exist in AFFLIB versions 2.2.0 through 2.2.8.

tags | advisory, shell, vulnerability
advisories | CVE-2007-2055
SHA-256 | 1b4c3f3ed71f7e73122c92241745552bde104cc387630e22fec3523c20c385af
afflib-fmtstr.txt
Posted May 3, 2007
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - Multiple format string injection vulnerabilities exist in AFFLIB versions 2.2.0 through 2.2.8.

tags | advisory, vulnerability
advisories | CVE-2007-2054
SHA-256 | 1ebfffd144ea043de56b7a47b8351819da202d7d00c1f818e3aa9b8b67cf0c04
Page 1 of 1
Back1Next

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close