| Real Name | Amit Klein |
|---|---|
| Email address | private |
| First Active | 2004-03-04 |
| Last Active | 2016-02-11 |
Node.js suffers from an HTTP response splitting vulnerability. Node.js versions 5.6.0, 4.3.0, 0.12.10, and 0.10.42 contain a fix for this vulnerability.
4f718c9b8672df70ac27014b0f740610b9cdf5c24f5679eba0497c68bcbe2612In three browser families researched (Edge, Internet Explorer and Firefox - all on Windows 7 or above), it is possible to extract the frequency of the Windows performance counter, using standard HTML and Javascript. With the Windows performance counter frequency, it is possible to remotely detect some virtual machines and to coarse-grain fingerprint physical machines.
4f09956b0c7e913f4113cbe7b3f586ad32231df3ccaeb159c817f171faf1bba0The IE9 (platform preview) Javascript Math.random implementation is vulnerable to seed reconstruction. The seed reveals the computer's boot time (and on Windows 7 - also CPU clock speed). These can be used to finger-print computers and track users within the same Windows session even if they close and open their IE9 (platform preview) browser multiple times. Interestingly enough, this technique also provides some information regarding the client hardware (namely clock source and possibly CPU clock speed), and may be used to detect virtualized machines "over the web". Additionally, the Math.random implementation is flawed in such way that it returns non-uniform values (this holds for IE9 beta as well).
45918005ee9131a6395034c2c491000f1e0689d1286fb59db5508b9831387adaApple Safari versions 4.02 through 4.05 and Windows versions 5.0 through 5.0.2 suffer from cross-domain information leakage and temporary user tracking vulnerabilities.
abdbde57161cf20c6337e6e980249edada439d02a2ac99f79b10fb57b97e16f8Firefox versions 3.6.4 through 3.6.8, 3.5.10 through 3.5.11 and 4.0 Beta1 suffer from a cross-domain information leakage vulnerability.
3f9728ea182855f9cdd648fafeb76095e6c17c0b99f95b7f9e956505654788c8The revised Google Chrome Math.random algorithm (included in version 3.0 of Google Chrome) is predictable. This paper describes how Google Chrome 3.0 Math.random's internal state can be reconstructed, and how it can be rolled forward and backward, and how (in Windows) the exact seeding time can be extracted.
7b9c83dd2e7273c2190b761a57b11ae0110031308ec5b9aabd23733fed32ae97Whitepaper called Temporary user tracking in major browsers and Cross-domain information leakage and attacks.
c853b91a5b34d26501020b3c0cf23e98641c0e342533f5eaa6fa67b926ba5effAddress Bar Spoofing Attacks Against Microsoft Internet Explorer 6. Due to formatting issues when sent , additional notes regarding the attacks are appended.
0b50cac4814209cbe847736d64513cecbda9d1d2abe27507f6bcd18601973ba7It appears that Microsoft may have incorrectly stated a few things regarding MS08-020 on their blog and are reluctant to fix it.
73f9756867890024835effe6ee25eb6c221b87724ce661a953eed30c6217d1e5This paper shows that Windows DNS stub resolver queries are predictable - i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query, thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS client poisoning than the currently known attacks against Windows DNS stub resolver.
fcbad979678328d35c5f23e8e94a9efb78263e2ea3c4b81d3d339f74542d6222PowerDNS Recursor versions 3.0 through 3.1.4 suffer form a DNS cache poisoning vulnerability.
8824d748ef2aaa9c0293a00da6abf363dbb510dbe88dfd97be4f16a4f3450ecfThe paper describes a weakness in the pseudo random number generator (PRNG) in use by OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD to produce random DNS transaction IDs (OpenBSD) and random IP fragmentation IDs.
f4d5a9167d760de1ba2fee62eca09913ff2bc2b3ccd64974ce7df7c989bc49c5The paper shows that Microsoft Windows DNS Server outgoing queries are predictable, allowing for cache poisoning attacks.
e6bf106c2809b9fc55bd7e40137aa82ae7c1d6097a707860f8585ff0ea7fd84dThe paper shows that BIND 8 DNS queries are predictable, allowing for cache poisoning attacks.
bc6ae89b00e4483608728ec54c75abdcb5ec809af078ff38205099b0e7edc9b7A new weakness has been discovered in the BIND 9 DNS server that allows for DNS forgery pharming.
44a3e16c3aabb202dfe70436a689534e57f1ee76da12e5cc5fc8211474d8919dFormal write up discussing how arbitrary HTTP requests can be crafted using Flash 7/8 with Internet Explorer.
255a3d2253e2f6988647d919e94f2316e545debac79aa3bd39fd8c4906113f23By forging HTTP request headers with flash, virtual hosted systems can be susceptible to cookie theft using IE.
154ef9bc8fad418a9c6a3409d1cca920cb706549ce6104aa5e4796e74b18ed4aWhitepaper titled "Forging HTTP Request Headers With Flash".
ea05b3536fe449fc3fedd3dda363fbd5f77eefea62b709a6e4e00a23c016c940Whitepaper entitled "HTTP Response Smuggling". It discusses evasion techniques to bypass anti-HTTP response splitting strategies.
ee3a42dce4b4f8bc8c2ae652525c238be609475a31e10db164e4648e1e6a3f2fWhitepaper entitled "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more."
f9a2ac7567ed51e0a9e6e4ff4008bf10f202d346e42b74a07fdaa5b5d39e055fThis technical note describes a detection/prevention technique that works in many cases both with HTTP Response Splitting and with HTTP Request Smuggling.
5ea1e8c04c45276464698ca627370626105e043dcb550f659141545d10bf8160Interesting write up regarding the faulty logic of using NTLM HTTP authentication and how it does not mix well with HTTP proxies.
90db90511248bba22320ddbf235e0b421d6f0157a947a904209428ca1f742295This paper describes several techniques for exposing file contents using the site search functionality. It is assumed that a site contains documents which are not visible/accessible to external users. Such documents are typically future PR items, or future security advisories, uploaded to the website beforehand. However, the site is also searchable via an internal search facility, which does have access to those documents, and as such, they are indexed by it not via web crawling, but rather, via direct access to the files. Therein lies the security breach.
95d07a72940beb4eb7d8ef7e8dce89e68ae8dd623e9569d62e531063c6e241f1Microsoft IIS 5.x and 6.0 suffer from a denial of service vulnerability regarding the WebDAV XML parser. An attacker can craft a malicious WebDAV PROPFIND request, which uses XML attributes in a way that inflicts a denial of service condition on the target machine (IIS web server). The result of this attack is that the XML parser consumes all the CPU resources for a long period of time (from seconds to minutes, depending on the size of the payload).
86be4f9097197602acfd076c6401bace0c652dc337ac4d228bd232c9ba16c4cbXerces-C++ versions below 2.6.0 allow an attacker to craft a malicious XML document using XML attributes in a way that inflicts a denial of service condition on the target machine.
c9012b95fb7dbde14a8dac46c6c782e48b7bfc674febf57fecf7c257ea6f7e13
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed