lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <AANLkTikFw0ZiaBtwcUnrN=7vpFr+U=wGLVUP54AevL=2@mail.gmail.com>
Date: Sun, 13 Mar 2011 18:51:39 +0100
From: Jimmy Bandit <jimmy.bandit.music@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Rails 3.0.5 - Logfile Injection poc

Hi,

i released a bug description on 16. feb about the X-Forwarded-For variable
not being sanitized, so one can mess with request.remote_ip  (only for
intranet-apps)

http://www.securityfocus.com/bid/46423/info
http://seclists.org/fulldisclosure/2011/Feb/338

as it still isnt fixed i wondered if it is possible to date back an attack
with a spoofed ip
and it worked for the request-log-analyzer with the production.log
the example dates the requests back to 2009
its also possible to inject binary data. probably not healthy for
logfile-analyzers

little poc-script + results
https://gist.github.com/868268

i wonder how splunk would behave

best regards
j
http://webservsec.blogspot.com/
http://jimmybandit.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ