Rootsecure.net
The Security News Site For Systems Administrators & Hackers Wednesday, 24th September 2014 @ 03:24:03 GMT 
Reports | Security News sites in the spotlight
{3rd May 2003}
Hacker releases advisories regarding the "real state of web application security, with real world examples".

In a case of not practicing what you preach, a number of security news sites, along with some of the bigger names in the industry, have found themselves the target of recent "Mordred Security" notices.

---- // @(#)Mordred Labs security notice - exploring the hacking websites

Release date: May 5, 2003
Author: Sir Mordred (mordred@s-mail.com)

~~###~~

<quote>
Hack In The Box is designed to facilitate discussions on security related topics, create security awareness, and to try and provide a comprehensive database of security knowledge and resources to the public
</quote>

Rather interesting website; the nice thing about it is that HITB opened the source code of certain parts of the website. I did not bother to look at their source though.

* ISSUE 1 - SQL injection in /memberlist.php page
http://www.hackinthebox.org/memberlist.php?letter=A&sortby=uname,
1064: You have an error in your SQL syntax.
Check the manual that corresponds to your MySQL server version for the right syntax to use near ' LIKE '%' ORDER BY uname,' at line 1

~~###~~

<quote>
eBCVG.com is a security portal dedicated to providing security professionals with the knowledge and resources needed to help protect all of their data applications ... etc...
It was developed by IT and security experts to facilitate discussion on security related topics, promote security awareness and to provide comprehensive and helpful database of security.
</quote>

* ISSUE 1 - Path disclosure in /articles.php page
http://www.ebcvg.com/articles.php?id='
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/1111146160/www/web/articles.php on line 37
Unabled to read from database.

* ISSUE 2 - SQL injection in /articles.php page
Visiting the url http://www.ebcvg.com/articles.php?id=126 gives us back the article "Copying Copy Protected CD's".
However, visiting the http://www.ebcvg.com/articles.php?id=12611 gives us the page with the error message "Unabled to read from database".
But the url http://www.ebcvg.com/articles.php?id=12611+or+id=126 gives us the above article.

* ISSUE 3 - Path disclosure in /download.php
http://www.ebcvg.com/download.php?id='
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/1111146160/www/web/download.php on line 7
Warning: Cannot add header information - headers already sent by (output started at /home/1111146160/www/web/download.php:7) in /home/1111146160/www/web/download.php on 12

* ISSUE 4 - SQL injection in /download.php
This is almost identical to issue 2, only the url is http://www.ebcvg.com/download.php?id=<id number>


A spokesman for "BCVG Network Security" confirmed the previous existence of vulnerabilities in their articles.php script, but pointed out that "due to old backups our webmaster has uploaded the old version of download.php". This is the second issue of late to be discovered on the "Hack In The Box" website, after the first, found by Adrian Lamo in March 2003.

---- // @(#)Mordred Labs security notice 0x0003

Name: Exploring the honeypot(s) in the wild
Release date: May 10, 2003
Author: Sir Mordred (mordred@s-mail.com)

~~###~~

[ www.iss.net, Internet Security Systems Inc. ]

* ISSUE 1 - Multiple CSS vulnerabilities
I will not describe all of the CSS vulnerabilities here (there are too many of them), just one example.
http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode="><script>alert(1)</script><"

* ISSUE 2 - Path disclosure in /issEn/delivery/eventdetails.jsp
http://www.iss.net/issEn/delivery/eventdetails.jsp?BV_EngineID=ccccadchmgkkkjdcgencfhidglgdgij.0&oid=1
Script /opt/bvvar/english/scripts/delivery/eventdetails.jsp failed, reason: cnt.get has no properties

* ISSUE 3 - Path disclosure in /issEn/delivery/eventscalendar.jsp
http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=EM'
Script /opt/bvvar/english/scripts/delivery/eventscalendar.jsp failed, reason: eventlist has no properties

* ISSUE 4 - SQL injection in /issEn/MYISS/EditInfo.jhtml
https://www.iss.net/issEn/MYISS/EditInfo.jhtml?sid='
Received an exception: Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated

* ISSUE 5 - SQL injection in /issEn/DLC/evalForm.jhtml
https://www.iss.net/issEn/DLC/evalForm.jhtml?sid='
Received an exception: Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated

Other sites also mentioned in the advisories include progenic.com, who maintain a list of links to "security / hacking resources"; netegrity.com, the "leading provider of security software solutions"; ISS.net, Internet Security Systems Inc; and hackerscenter.com, a resource for hackers / crackers (who coincidentally just published an article entitled Hacking Database Servers).

The potential effects of SQL injection should not be taken lightly.  These range from viewing of supposedly secure data, to corruption of tables, and execution of arbitrary code.
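The ebcvg.com case above (articles.php?id=12611+or+id=126 returning article 126) is the classic numeric SQL injection: the id is pasted straight into the query, so the attacker's text becomes part of the SQL grammar. The following added example (not code from the advisory or from any of the sites named) reproduces that behaviour against a constructed in-memory SQLite table and shows the fix, validating the parameter as an integer and binding it; the table, rows and function names are all assumptions.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for an articles table; not ebcvg's real schema.
ARTICLES = [(126, "Copying Copy Protected CD's"), (127, "Some other article")]


def make_db():
    """Builds an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn


def id_from_url(url):
    """Returns the raw id parameter as the web server hands it to the script
    ('+' in the query string decodes to a space)."""
    return parse_qs(urlsplit(url).query)["id"][0]


def fetch_vulnerable(conn, raw_id):
    """Builds the query by string concatenation, as the 2003-era script evidently did.
    The attacker-controlled text is parsed as SQL, so 'or id=126' is evaluated as a
    condition; a stray quote raises a database error, which the PHP script surfaced
    as a warning containing its full filesystem path."""
    sql = "SELECT title FROM articles WHERE id=" + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def fetch_safe(conn, raw_id):
    """Rejects anything that is not a plain integer and binds the value as a
    parameter, so it can only ever be compared with id, never parsed as SQL."""
    if not raw_id.isdigit():
        return None
    row = conn.execute("SELECT title FROM articles WHERE id=?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def raises_db_error(conn, raw_id):
    """True if the concatenated query fails with a database error (the path-disclosure case)."""
    try:
        fetch_vulnerable(conn, raw_id)
    except sqlite3.Error:
        return True
    return False
```

The same validate-then-bind pattern applies to download.php, where the parameter is also an integer id.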

The "Mordred Security" group, whose previous posts to the "Full Disclosure" mailing list concerned mainly overflows (buffer overflows and integer overflows), does not contact those that are the subject of its advisories beforehand. The reason given is so that the reader can see "real world examples" and to stimulate thought along the lines of "these guys gonna teaching me security?" -- Sir Mordred.

Before considering that statement it should be remembered that the non-commercial news sites mentioned are mostly run out of their webmasters' own pockets as hobby sites, to benefit the security community at large by providing free, impartial and up-to-date security information. As for the commercial sites such as Computer Associates and Internet Security Systems Inc, they need to either invest more in staff training or weigh the benefits of their network of "honeypots", live servers with legitimate public roles, against the PR disaster it is causing.
 

Related Links:

Adrian Lamo helps fix HITB security bug, Hack In The Box
SQL Injection FAQ, SQL Security
SQL Injection Walkthrough, Securiteam
"How I hacked PacketStorm" - A look at hacking wwwthreads via SQL, RFP
SQL Injection: Modes of Attack, Defence, and Why It Matters, Government Security

Mordred Labs - web security notices?, Full Disclosure
Mordred Security Notice - exporing the hacking websites, Full Disclosure
Mordred Labs security notice - exploring the security companies, Full Disclosure
Mordred Labs security notice - exploring the honeypot(s) in the wild, Full Disclosure
What is better anyway?, Full Disclosure
free source code audit for opensourced products, Full Disclosure