lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 07 Jan 2010 14:44:04 +0000
From: mrx <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: iiscan results

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Thierry,

Thanks for the pointer...Done ;-)

regards mrx

Thierry Zoller wrote:
> Hi mrx,
> 
> POST  data is not included in apache logs perdefault, google about how
> to configure apache as to log more details (verbose)
> 
> m> -----BEGIN PGP SIGNED MESSAGE-----
> m> Hash: SHA1
> 
> m> Hi Thierry,
> 
> m> Could you please elucidate?
> m> Although not a complete newbie, I am a novice with regard to security and Apache.
> m> I would have though that all data in the POST request would be recorded in the Apache logs.
> 
> m> Is this the way Apache logging works?
> m> Or can an attacker craft a request in such a way as the changing
> m> posted data you mention is not visible?
> 
> m> A quick scroogle for "html post request spoofing" did not produce the desired results,
> m> so any link to subject matter covering this would be appreciated.
> 
> m> I respond to you directly, because you contacted me off list :)
> 
> m> Thank you
> m> regards mrx
> 
> 
> 
> 
> m> Thierry Zoller wrote:
>>> Hi mrx,
>>>
>>> Your logs don't show the posted data that actually changes ;)
>>>
>>> m> -----BEGIN PGP SIGNED MESSAGE-----
>>> m> Hash: SHA1
>>>
>>> m> Vincent,
>>>
>>> m> Although the actual results of the scan were displayed in English in the online html report,
>>> m> the suggested solutions were in fact in Chinese.
>>>
>>> m> Checking my access logs reveals multiple attempts of the same
>>> m> attack/probe, for example multiple identical POSTs to the same page:
>>>
>>> m> 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST
>>> m> /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows
>>> m> NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>>>
>>> m> There are around 100 entries identical to the above in my log. I
>>> m> don't know if this is by design or not but it does seem to be a little inefficient.
>>>
>>>
>>> m> I also noticed there were no attempts at information disclosure
>>> m> via the TRACE method, nor were any attempts made at SQL injection despite my
>>> m> selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
>>>
>>> m> Hope this helps
>>>
>>> m> regards
>>> m> mrx
>>>
>>>
>>>
>>> m> Vincent Chao wrote:
>>>>> Thank you for your analysis. It really helps me.
>>>>>
>>>>> And I also found the PDF report mail to us is in Chinese, in the website of
>>>>> iiScan, however, to see the report of html or PDF format is English (of
>>>>> course can change to Chinese).
>>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@...ts.grok.org.uk
>>>>> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of mrx
>>>>> Sent: Wednesday, January 06, 2010 8:45 PM
>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>> Subject: [Full-disclosure] iiscan results
>>>>>
>>>>> Well, this scanner managed to find a couple of low level vulnerabilities on
>>>>> my site which were missed by both Nikto and Nessus.
>>>>>
>>>>> Two directories allowed a directory listing and a test.php file I created,
>>>>> an information disclosure vulnerability, was also detected. My dumb
>>>>> ass forgot to delete this "test.php" file after I finished testing the
>>>>> server.
>>>>>
>>>>> Possible sensitive directories were also listed, however browsing to these
>>>>> directories returned 403 errors, blank pages or a wordpress logon
>>>>> prompt, which is what I expected.
>>>>>
>>>>> So all in all this scanner seems to do it's job well. At least for a LAMP
>>>>> server running wordpress
>>>>>
>>>>> Of course I have addressed the vulnerabilities reported.
>>>>>
>>>>> My command of the Chinese language is limited to zero, so I cannot
>>>>> understand the pdf report emailed to me nor the information within the web
>>>>> based report. Hopefully the developers will address this language problem.
>>>>>
>>>>> regards
>>>>> mrx
>>>>>
>>>>>
>>> m> _______________________________________________
>>> m> Full-Disclosure - We believe in it.
>>> m> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> m> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>>
>>>
>>>
>>>
> 
> 
> 
> 
> 


- --
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBS0XzNLIvn8UFHWSmAQLfsAf8C9xFp/AZ9HXiYwc0aRDXjZ8ApcT+GOTL
+26/SSyTDaS3urSrAXZ/pn6BRAW+/VANfUlgyvEfdGi2JaHtSiFOR3ZI5IMlhKpL
RW+fTE6PWDSsuYihdrpwCTasnGU91+3P/P6UZe4aBfznXyJMYUoO/xzi06/uu2pF
DSyOrDceNy4chBnJSOha/DMAu9xl6Gr7ALtJ9BvgpP4K2RJd1uYp66nrOXIPqR+L
LLuUZEvVx06UwWS8zJCjr2Zy686a6HraCg6TqvuKmO5rYthvSAjt+nOeWlaymIba
IMxa2PzZ5YEb9hcEMSsJ2eaBmVHlRqLglphYr+bJbTmzt2rEikvPwQ==
=MTM8
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ