lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 7 Jan 2010 15:08:06 +0100
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: iiscan results

What you see is not an issue or error. It is, what the application is
supposed to do.

* As you can see, these requests are not the same.
* Thinking about muiltiple POST requests on WP-Login or your "logs" below,
you could have guessed in the first place that the app is either trying
multiple Login/Passwort combinations or (as seen below) some patterns to
detect Injection possibilities.

Regards

2010/1/7 p8x <l@....net>

> Hi Vincent,
>
> I also experied the same issue as mrx. I did see multiple get and post
> requests to the same page.
>
> As an example, I took a random page with a form on it, here are the totals:
>
>      2 /password.html
>      2 /password.html?key=88888&form_validated=12345&submit_form=88888
>      2 /password.html?key=88888&form_validated=12345&submit_form=88888'
>      2
>
> /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
>      2
> /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
>      2
>
> /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
>      2 /password.html?key=88888&submit_form=88888&form_validated=12345
>      2 /password.html?key=88888&submit_form=88888&form_validated=12345'
>      2
>
> /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
>      2
> /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
>      2
>
> /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>      2 /password.html?submit_form=88888&form_validated=12345&key=88888
>      2 /password.html?submit_form=88888&form_validated=12345&key=88888'
>      2
>
> /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
>      2
> /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
>      2
>
> /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
>      4
>
> /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
>      4
> /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
>      4
>
> /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
>      4
>
> /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
>      4
> /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
>      4
>
> /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>      4
>
> /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
>      4
> /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
>      4
>
> /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='
>
> Also, the contact forms on the websites I tested got hammered with
> emails (and they also seemed to have duplicate requests).
>
> p8x
>
> On 7/01/2010 8:00 PM, mrx wrote:
> > Vincent,
> >
> > Although the actual results of the scan were displayed in English in the
> online html report,
> > the suggested solutions were in fact in Chinese.
> >
> > Checking my access logs reveals multiple attempts of the same
> attack/probe, for example multiple identical POSTs to the same page:
> >
> > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST
> /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible;
> MSIE 7.0; Windows
> > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
> >
> > There are around 100 entries identical to the above in my log. I don't
> know if this is by design or not but it does seem to be a little
> inefficient.
> >
> >
> > I also noticed there were no attempts at information disclosure via the
> TRACE method, nor were any attempts made at SQL injection despite my
> > selecting "all" in the scan options. Not that my site is vulnerable in
> any way ;-)
> >
> > Hope this helps
> >
> > regards
> > mrx
> >
> >
> >
> > Vincent Chao wrote:
> >> Thank you for your analysis. It really helps me.
> >
> >> And I also found the PDF report mail to us is in Chinese, in the website
> of
> >> iiScan, however, to see the report of html or PDF format is English (of
> >> course can change to Chinese).
> >
> >> -----Original Message-----
> >> From: full-disclosure-bounces@...ts.grok.org.uk
> >> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of mrx
> >> Sent: Wednesday, January 06, 2010 8:45 PM
> >> To: full-disclosure@...ts.grok.org.uk
> >> Subject: [Full-disclosure] iiscan results
> >
> >> Well, this scanner managed to find a couple of low level vulnerabilities
> on
> >> my site which were missed by both Nikto and Nessus.
> >
> >> Two directories allowed a directory listing and a test.php file I
> created,
> >> an information disclosure vulnerability, was also detected. My dumb
> >> ass forgot to delete this "test.php" file after I finished testing the
> >> server.
> >
> >> Possible sensitive directories were also listed, however browsing to
> these
> >> directories returned 403 errors, blank pages or a wordpress logon
> >> prompt, which is what I expected.
> >
> >> So all in all this scanner seems to do it's job well. At least for a
> LAMP
> >> server running wordpress
> >
> >> Of course I have addressed the vulnerabilities reported.
> >
> >> My command of the Chinese language is limited to zero, so I cannot
> >> understand the pdf report emailed to me nor the information within the
> web
> >> based report. Hopefully the developers will address this language
> problem.
> >
> >> regards
> >> mrx
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ