http://securityratty.com/tag/digg Mon, 15 Sep 2008 17:32:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/56fd5d403c630cbec7e9ec62becaafc5 http://securityratty.com/article/56fd5d403c630cbec7e9ec62becaafc5 Mamma.com's got issues other than Mark Cuban's insider trading allegations. As a point of reference for this conversation, Mamma.com is ranked 4064 on Alexa as of today.
I won't profess to following Mr. Cuban's public life and the occasional antics. Obviously, he's a colorful and popular figure; certainly in Dallas, if not nationally.
What follows is not a judgment of Mr. Cuban or his pending legal challenges. I'm sure the process will play itself out accordingly.
A quick summary and some reference material:
The SEC has filed insider trading charges against Mr. Cuban. "According to the SEC, Cuban dumped 600,000 shares, or all of his 6.3% stake, in the search engine Mamma.com (The Mother of All Search Engines), in June 2004 after learning about private financing that the company was proposing. By selling, he avoided losing $750,000, the SEC alleges."
The whole issue for Mr. Cuban was PIPE financing because it's "dilutive to existing shareholders’ stakes."
That's the long and the short of the current issue, and again, not my real interest here, with the exception of the bet I made with myself regarding the probable web application security posture of mamma.com.
All this talk about a popular site immediately sets off the little bell in my head (I hear it a lot).
"What's wrong with the site?" is always the first question I ask myself.

I was not disappointed.

Mamma.com exhibits the following issues:
1) XSS vulnerability in the utfout variable.



2) XSS vulnerability in the qtype variable.



3) XSS vulnerability in their Mammajobs site at the pid variable. This one's weirder still; if you drop an IFRAME in, it simply redirects to any URL you include in the IFRAME string.



4) The prospect of CSRF (rather pointless here given that its just a search engine, but but still defies best practices) appears likely given that mamma.com blindly accepts updates via GET and POST with no sign of a formkey (canary) in sight.

I figured it best to stop there, and have submitted all these to Copernic (the Momma parent company).
I am however truly disappointed that an enterprise as ambitious and motivated as Momma/Copernic seems to have thrown the baby out with the bath water when it comes to web application security.
With regard to Mark Cuban dumping his shares: maybe he was afraid of getting pwned. ;-) All kidding aside, it's a shame that the whimsical and pessimistic thoughts regarding web site security that bounce around in my head inevitably bear themselves out.

del.icio.us | digg | Submit to Slashdot]]> Tue, 18 Nov 2008 06:55:00 +0000 mamma mark cuban cuban engine engine mamma xss vulnerability site insider web site security Mamma.com: Insider trading and XSS http://securityratty.com/article/231bdf97af3811aa73d852717e216a77 http://securityratty.com/article/231bdf97af3811aa73d852717e216a77 first and second in the series.
I don't know about you, but I enjoy occasionally watching offerings like the History Channel, AMC, or the Military Channel. I'm a 40ish, white male and as such I likely fit the general demographic as perceived by the marketing geniuses who buy the late evening advertising blocks on these channels.
That does NOT mean that I cheat of my taxes and thus need the services of a plethora of scam artists selling tax relief. Nor does it mean that I have any interest in "enhancement" opportunities like Enzyte or ExtenZe.
I just love people who choose to skip out on a primary obligation of citizenship that most of us choose to meet, and expect to magically turn $100,000 in tax debt into $999. Then there are the "businesses" who exploit these folks and willingly convince them of their "success" via the power of advertising, at which point my patience just snaps, as it did last night.
Thus, part one of this rant is a mighty bugger off to all the "tax relief" companies. To their patrons, may I suggest simply paying taxes like the rest of us?
Here's an XSS vulnerability in the Freedom Financial Network, "as seen on TV", designed to express precisely how I feel:

http://www.freedomfinancialnetwork.com/tax_debt.php?pid=ffn+go&key=%22%3E%3Cmarquee%3E%3Ch1%3ENOTHING_IS_FREE!%3C%2Fh1%3E%3C%2Fmarquee%3E

If and when they fix this issue, here's the video for posterity.

Part two of this rant will get you more bang for your buck, and I'm not talking enhancement.
Thanks to my utter disdain for the endlessly annoying advertising I went to the ExtenZe site to see what might be broken which immediately led me to discover an entire platform vulnerability in the ColdFusion application built by Internet Direct Response (IDR), the wankers who proudly bring you Maxoderm, Vivaxa, Vazomyne, Smoke Away, and Hydroxydrene; all such reputable products, and all repetitively wearing me out via DirectTV. At the ExtenZe site I spotted a variable that seemed worthy of building a Googledork from, and I soon discovered that it was a consistent variable in most of the sites pimping this crap; specifically, microppcsite. You can follow all the search results back to our friends at IDR.
A little experimentation and I quickly discovered that the similar microppcterm variable was vulnerable to entertaining XSS exploitation so I started with:

http://www.extenzeforlife.com/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EToo_short,_Morningwood?%3C%2Fh1%3E%3C%2Fmarquee%3E&gclid=CJ3T2NXH8JYCFQQCagod7xyBrA

Pick your poison, it works on most IDR gems.

http://www.enzyte-male-enhancement.com/google/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EBob_just_wants_your_money.%3C%2Fh1%3E%3C%2Fmarquee%3E

Again, a video, should IDR choose to fix their app.

And now, the grand prize for pathetic: The ExtenZe site is McAfee Secure.

I couldn't make this stuff up if I tried.
You thought www stood for world wide web. Try wee willy wankers. *sigh*

del.icio.us | digg | Submit to Slashdot]]> Wed, 12 Nov 2008 13:52:00 +0000 idr idr choose extenze site extenze variable consistent variable wankers choose tax relief XSS Comedy III: Tax Cheats with Small Equipment http://securityratty.com/article/7953938c09c36aba1397daeec84ac8ab http://securityratty.com/article/7953938c09c36aba1397daeec84ac8ab I do, however, continue to seek opportunities to shed positive light as well, and recent responses from a number of vendor/developers warrant an opportunity to do just that.
In the last 30 days, I've discovered vulnerabilities in products from four different vendors, and advised them all immediately upon discovery. Usually, that's where the story ends, as sadly, my repeated requests for action are often ignored. The last 30 days have proven to be entirely different, with swift responses and action from ALL vendors to whom I reported vulnerabilities. In all cases I received replies within 24 hours or less, and patches/fixes/updates were typically released within 24-72 additional hours. These are exemplary responses, and reflect why I choose to conduct vulnerability research. I believe we, as web application professionals (both developers and security practitioners), are beholden to the greater public and must endeavor to protect the online safety of the Internet consumer.
To each of these vendors/developers I'd like to issue a hearty "well done" and issue public kudos for their diligence and security consciousness, on behalf of consumers and website operators.
To Lukas of PlanetLuc, Jasper and Eric of Infrae/Silva, Alexander of CompactCMS, and Peter from ActiveCampaign may I say that your efforts are greatly appreciated. Where too few choose to do the right thing, your responses leave us with the perception of caring and integrity.
Thank you.

del.icio.us | digg | Submit to Slashdot]]> Tue, 11 Nov 2008 17:10:00 +0000 responses swift responses exemplary responses issue public kudos public issue vendors vulnerabilities web application professionals Vulnerabilities quickly mitigated by security-conscious vendors http://securityratty.com/article/6f061166c9d2ed01f029ede10862d142 http://securityratty.com/article/6f061166c9d2ed01f029ede10862d142 PII being stolen because they forgot to perform proper due diligence via a web application security assessment on recent acquisition Paciolan?
Consider the following Google search results. The server referenced therein hosts an "integrated ticketing system that enables venues to manage their own tickets."
Rutgers, University of Washington, Army, Air Force, Navy, Baylor, Notre Dame, even the American Museum of Natural History; all sell their tickets online through the Ticketmaster/Paciolan offering.
And they're all vulnerable as a result.
I've made multiple attempts to notify these folks, and have been ignored, so time for a scolding as my Gran used to say.
It's been awhile since I've brought video to bear and while I've nothing against the Arkansas Razorbacks, I had to utilize someone's instance of this service to prove my point, so away we go.
By the way, I just love the Verisign Secured badge (it's not going to help here).
Here's the full URL:
http://ev12.evenue.net/cgi-bin/ncommerce3/SEGetEventList?groupCode=FB&linkID=arkansas&shopperContext=&caller=&appCode=&RSRC=TM&RDAT=FB08SPLASH
The shopperContext (how ironic) variable is the parameter with issues. Mind you, this holds true for any university or venue using this service.

For your viewing pleasure, the video.

Yes, they take your credit card information, and conduct the ticket purchase transaction. If you've read my blog, you know by now the risks inherent to cross-site scripting vulnerabilities under circumstances like these. Verisign SSL certs are nice, but won't help the consumer if the web app is vulnerable.

Thanks, but I'll buy my tickets at the stadium. ;-)

Should Ticketmaster/Paciolan fix this issue, I'll update the post accordingly.

del.icio.us | digg | Submit to Slashdot]]> Tue, 28 Oct 2008 17:30:00 +0000 tickets tickets online verisign ssl certs verisign credit card information ticket purchase transaction extra ticketmaster fees recent acquisition paciolan natural history Ticketmaster/Paciolan XSS: Thanks, but I'll buy at the stadium http://securityratty.com/article/2b11b1167225de8773bed54b38eba5fc http://securityratty.com/article/2b11b1167225de8773bed54b38eba5fc CVE (Common Vulnerabilities and Exposures), but perhaps you're less familiar with CWE (Common Weaknesses Enumeration). Both are significant efforts, international in scope, and the excellent products of The MITRE Corporation, sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
Approximately six months ago I was discussing open redirect vulnerabilities with Steven Christey of MITRE, who mentioned that that CWE entry for open redirects was sparse and dated, with little reference material. In particular, he pointed out the lack of defining papers. I accepted this information as a challenge and produced an article that was published in (IN)SECURE Issue 17. Soon after Issue 17 went live, I also took note of an excellent academic paper specific to the topic of open redirect vulnerabilities; Shue, Kalafut and Gupta's Exploitable Redirects on the Web: Identification, Prevalence, and Defense. Complete with these two papers as references, as well as two current CVE identifiers for popular web applications suffering from open redirect vulnerabilities (discovered by yours truly), CVE-2008-2052 & 2951, CWE-601: URL Redirection to Untrusted Site (aka 'Open Redirect') is now current and complete.
As open redirects are undoubtedly one of my biggest pet peeves, I am pleased to no end. Hopefully CWE-601 will help drive more application vendors and site operators to put an end to this easily mitigated vulnerability.

CWE:
"International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design."

del.icio.us | digg | Submit to Slashdot]]> Thu, 16 Oct 2008 10:58:00 +0000 redirects common weaknesses enumeration weaknesses redirect cwe redirect vulnerabilities cwe-601 software weaknesses cve Open Redirects and Common Weakness Enumeration http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90 http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90 Expanding Response: Deeper Analysis for Incident Handlers, now available in the SANS Reading Room. The premise was to further expand on the topics discussed in my Malware analysis tools post. This paper includes tools discussed at various times in my toolsmith column in the ISSA Journal, and includes details on Argus, HeX, NSM-Console, and NetworkMiner.

Abstract:
"The perspective embraced for this discussion is that of an analyst who is working a process to determine the exact nature of malicious software on his network. He is in receipt of the above mentioned .exe and .pcap files and seeks to further his understanding with the use of less typical tools. She begins the process with the network capture, and then takes a closer look at the binary to see what can be learned and what the impacts of an outbreak on her network might be."

del.icio.us | digg | Submit to Slashdot]]> Fri, 10 Oct 2008 04:38:00 +0000 network paper includes tools incident handlers network capture deeper analysis paper gcih gold includes details pcap files Expanding Response: Deeper Analysis for Incident Handlers http://securityratty.com/article/93a923291bb66872facd096a29cc894d http://securityratty.com/article/93a923291bb66872facd096a29cc894d I am in receipt of the McAfee Secure Standard, drafted to transparently describe the McAfee Secure service, as promised during my meeting with Joe Pierini and Kirk Lawrence of McAfee some weeks ago. I admit my attitude has soured since last I discussed it here, as the Standard is not yet ready for public release (I last said 2-3 weeks and that was five weeks ago), but bear with me. I can't publish exact quotes from the Standard, as I've promised not to, but let me give you insight on the upside, then the downside.

The upside includes all the transparency we'd hoped for. You'll read the McAfee Secure Standard and know exactly where they stand with regard as to what can be expected of the McAfee Secure Service. My discussions with Joe Pierini have been productive and respectful, he means well, and I believe he will try to drive the greater McAfee leadership to officially incorporate suggestions made in this blog.
I have even had the pleasure of reading a Researcher/Finder Policy that very succinctly describes what researchers can expect when they submit vulnerabilities found in McAfee Secure sites. That's all good stuff and to be applauded.

Now for the downside.

The McAfee Secure Standard will draw a clear distinction between "enterprise" customers and all the Ma & Pa websites who have so loved McAfee Secure / ScanAlert Hacker Safe for conversions.
The most glaring and painful distinction for me is this. While enterprise customers will have a clearly defined time line in which to remediate script injection vulnerabilities like XSS and open redirects, before losing their McAfee Secure badge, the Ma & Pa sites will have absolutely no requirement to fix their XSS issues. XSS vulnerabilities and the McAfee Secure badge will remain consistent on all those sites that care more about "convincing" their customers that they're secure with a McAfee Secure badge; a badge that, by its own pending standard, will contradict what we know to be truly secure.

My views are clear. I have made every effort to convince McAfee that this stance is counter intuitive to good web application security standards. I believe that, in their own way, they are listening. So here's your chance.
1) Is transparency enough?
2) Is holding only enterprise customers accountable acceptable?
3) Should ALL McAfee Secure customers be expected to fix their vulnerabilities, even if on different timelines?
4) What else do you want McAfee to hear, in the form of constructive feedback only?
I will publish all well written, thoughtful comments here. Let's keep it positive and see if we can help convince McAfee that script injection vulnerabilities and McAfee Secure can't exist in the same physical space. Like matter and anti-matter. ;-)
The floor is yours...

del.icio.us | digg | Submit to Slashdot]]> Tue, 07 Oct 2008 19:47:00 +0000 mcafee mcafee secure customers sites mcafee secure sites mcafee secure standard mcafee secure service mcafee secure loved mcafee secure convince mcafee The McAfee Secure Standard: Sort Of http://securityratty.com/article/856af459093a6fe1d8cb8a725ef66103 http://securityratty.com/article/856af459093a6fe1d8cb8a725ef66103 Troy Larson sent me a heads up on Bit9's FileAdvisor, a service they describe as "a comprehensive catalog of executables, drivers, and patches found in commercial Windows applications and software packages. Malware and other unauthorized software that affects Windows computers is also indexed."
I immediately checked the FileAdvisor db for malware results as well non-Windows binaries and was pleasantly surprised with immediate and comprehensive results. You do have to register, but I was further impressed with the fact that they offered the option for a short or full registration.
This appears to be worthy of a bookmark in your incident handler/malware researcher/forensic investigator toolkit.

del.icio.us | digg]]> Wed, 01 Oct 2008 10:34:00 +0000 software fileadvisor commercial windows applications malware malware results software packages affects windows computers comprehensive results incident handlermalware FileAdvisor: software file search engine http://securityratty.com/article/1fae85d8335f0c9fbe56b8858c8692c2 http://securityratty.com/article/1fae85d8335f0c9fbe56b8858c8692c2 cross-site framing, which largely couples the best of both above-mentioned vulnerabilities.
What then, if there's a cross-site framing vulnerability coupled with cross-site scripting in the content offered by the frame? All sorts of problems come to mind: phishing, malware, credential theft; all arguably twice removed from the attacker's source, tucked away in the context of two victim sites.
First, I'll discuss the original XSS issue that led to this finding.
Recently, I was investigating a flawed parameter in Openhire, a career posting vendor used by major companies like Crate&Barrel, Eileen Fisher, Enterprise, Benjamin Moore, Scottrade, and Getty Images.
Most of these sites simply link to the Openhire offering that hosts job postings on their behalf which, in turn, has been crafted to look like the referring site.
As an example, here's Scottrade's employment page hosted by Openhire.

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?version=1&company_id=15624

Standard stuff, looks nicely like the Scottrade site, so everything's cool, right?
Wrong? What if someone hosting a service on your behalf suffers a security gap?
You're only as strong as your weakest link!
Here's the posting for an Application Security Engineer (funny, eh?) at Scottrade as hosted on their behalf by Openhire:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=976367&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters%3B%3B%3BInformation%20Technology%3B%3B%3BSecurity&startflag=3&CFID=66851845&CFTOKEN=29a95-d12594d4-47d9-49e8-9067-1091bdf68e80

Now here the same job posting spewing massive cookie data:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

Screen shot offered below, as the code above will likely be repaired very soon by Openhire. I notified them this past Thursday.



It's bad enough when there's an application security hole in code someone else is hosting on your behalf, but what if your method of displaying said code is also at risk? Enter the Getty Images Jobs page.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=careeropps&startflag=0&company_id=15531&version=2&CFID=12265212&CFTOKEN=60213778

Watch what happens when you pull the Openhire code. Can you say self-replicating frame loop from hell (in Firefox)? Trust me your browser will crash if you leave this running too long. This will likely be fixed soon, so if the URL doesn't work, the screen shot exemplifies the issue.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html



What if, instead of Openhire's Getty Images page, or nothing at all (which obviously creates its own issue), we drop in an arbitrary URL?
Yep, you guessed it.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://www.xssed.com/news/26/Cross-site_framed/



Now, bringing it all home for double the pleasure, double the fun, what if we coupled the original Openhire cross-site scripting vuln with Getty Images cross-site frame vuln?

It hurts twice as much, in my book.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3



The lessons learned:
1) Ensure your partners are writing secure code on you behalf.
2) Ensure that the code you utilize to incorporate said partner's code is also well written. ;-)

Double the headache, double the dumb.

del.icio.us | digg]]> Sun, 21 Sep 2008 17:00:00 +0000 openhire code openhire original openhire cross-site scottrade site scottrade cross-site site secure code code XSF & XSS: Double your pleasure, double your fun http://securityratty.com/article/8490240982532919695d5c4c9231e15f http://securityratty.com/article/8490240982532919695d5c4c9231e15f take on the topic, or search Emergingthreats to come up to speed.
Yesterday, EstDomains posted the most inept, ridiculous response ever issued to the endless and worthy criticism, largely leveled by Brian Krebs at the Washington Post.
Not only can't these morons from EstDomains write, they're either so deeply clueless or flagrantly malicious (likely both), it's beyond laughable. This section sums it up best:
"The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance."
What? Really?
Again, aside from the absolute butchery of the language, did they just say "The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality."? SIGH...yes, they did.

Allow me to exemplify just how ridiculous a claim that is.
Following is content from a packet capture I took during a recent Storm worm analysis.

Using the ip2asn module included in NSM-console availabe in HeX, we find:
27595 | 216.255.189.211 | INTERCAGE - InterCage, Inc.

Using Etherape, also included in HeX, we see:



Using Eric Hjelmvik's NetworkMiner, we see:



See the recurring theme? Intercage, EstDomain's "reliable ally in its battle against malware".
Nice work, guys...keep it up.

I'm submitting this to The Daily WTF as we speak.

del.icio.us | digg]]> Mon, 15 Sep 2008 17:32:00 +0000 intercage estdomains malware malware presence intercage data center track malware issues reliable ally management services malware vehicles EstDomains & Intercage: A Perfect Couple in Crime