Note: This article refers to an older version of Acunetix. Click here to download the latest version. The next version of Acunetix Web Vulnerability Scanner (version 7), will contain a much more improved HTTP stack. While testing, we wanted to test the new HTTP stack…
Author Archives Bogdan Calin
THE AUTHOR
Bogdan Calin
AcuSensor, curl and Zen Cart
Recently we’ve released a new build, build number 20091124. This build includes a new AcuSensor check named “curl_exec() url is controlled by user”. This new check will verify if the user can control the URL passed to curl_exec. In case you are not familiar with curl, below is…
PHP "multipart/form-data" denial of service
PHP version 5.3.1 was just released. This release contains a patch for a denial of service condition we’ve reported some time ago. The problem is related with PHP’s handling of RFC 1867 (Form-based File Upload in HTML). When you send a POST request to a…
CubeCart 4 session management bypass leads to administrator access
Release Date: 2009/10/29 Author: Bogdan Calin (bogdan [at] acunetix [dot] com) Severity: Critical Vendor Status: Vendor has released an updated version Release Date : 2009/10/29 Author : Bogdan Calin (bogdan [at] acunetix [dot] com) Severity : Critical Vendor Status : Vendor has released an updated…
Statistics from 10,000 leaked Hotmail passwords
An anonymous user posted usernames and passwords for over 10,000 Windows Live Hotmail accounts to web site PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list and quickly generated some statistics from these passwords. First, my impression…
Security risks associated with utf8_decode and XSS filters
BlackHat USA 2009; Eduardo Vela Nava (sirdarckcat) and David Lindsay presented a paper entitled “Our Favorite XSS Filters and How to Attack Them”. Very interesting paper, you should definitely take a look at it. In this paper, besides other things, they presented a very interesting…
Drupal Local File Inclusion Vulnerability
I was testing our scanner (with AcuSensor enabled) on Drupal (http://www.drupal.org) and the scanner found a possible File Inclusion vulnerability. As you can see from the screenshot above, the GET variable q was set to start/../../xxx….end and it got partially sanitized. It reached the include…
AcuSensor and the pink blog
While testing our AcuSensor technology, I downloaded a small PHP blog application from the internet. The installation went smoothly. This particular application was not using a database but it was storing everything in text files. I added a sample blog post and I was ready…
The hidden dangers of XSLTProcessor – Remote XSL injection
Today I’m going to talk about a new vulnerability which I named Remote XSL Injection. I didn’t find any references on the internet about this vulnerability, which I found while auditing some PHP code for a friend. PHP supports XSL transformations using the XSLTProcessor class….