Security

Authentication bypass in Cyberix Internet Management System

A Mohali-based company, http://www.cyberix.in/, has an otherwise good Internet Management Software product by the name of Cyberix, which is vulnerable to a very simple authentication bypass vulnerability (rather, it is more of a software design issue).

When Cyberix IMS authenticates a user through the web login (a popup window), it sends the MD5 hash of the user's password in the GET request. Since all URLs, along with their GET variables and values, are saved in the browser's history, any user who has access to a system used by a previous user can simply check the browser history and click on the login URL to log in as that user, without providing any password. This defeats the purpose of an IMS in which different users may have different access levels, as promised by Cyberix IMS.

Submitted by Ajay Pal Singh Atwal on March 19, 2007 - 3:10pm. Categories: Bug Reports | Security

Daddy Says Puttar No XSS

These days I am having too much fun with XSS. It is no good wishing happy Holi by manipulating other people's websites, even though it is harmless. You never know when you will come across some crazy hypocrite who believes that his website has been defaced and then tries to grab the poor fun-loving XSSer by the neck.

Note to Self
Keep out of trouble and stop XSSing even if the other guy does not fix the website. Hey, did I mention it is possible to move Lambi Assembly Constituency in Punjab to Haryana? Now don't ask me how. A number of other funny permutations are also possible. Guess what I am talking about, or wait till these people say something...

Submitted by Ajay Pal Singh Atwal on March 4, 2007 - 4:19am. Categories: Bug Reports | Humor | Security

Why can't there be a Secure and Perfect Version of MS Windows ever?

The title for this post can be considered a misnomer. I think it should read:

Why can't any commercial software be made perfect?

Well if you do write perfect software you are kicking yourself in your er.. belly, and sitting on the branch side of the saw.

For any commercial company/enterprise, writing perfect and bug-free software would mean:

  • Happy and smiling customers (hmm... that is good)
  • Satisfied customers (this is also good)
Submitted by Ajay Pal Singh Atwal on August 23, 2006 - 12:01am. Categories: GNU/ Linux | Humor | Security | Windows

PTU Jalandhar Website XSS Vulnerability

These days the Full Disclosure mailing list is being dominated by XSS vulnerabilities. It is time I put up my contribution too, for an XSS vulnerability I have known about for around 7-8 months.
The site in question, ptu.ac.in, is that of Punjab Technical University, Jalandhar. The URL http://ptujal.org used to refer to the same site.

Submitted by Ajay Pal Singh Atwal on May 29, 2006 - 10:31am. Categories: Bug Reports | Exposed | Security

A Legitimate? way to SPAM using yahoogroups.com

SPAM: I sort of dislike it and prefer my mailbox to be free of it. Spam filters like SpamAssassin are very effective against it. But for around the past three-four months I have been receiving a new form of SPAM, in the form of Yahoo Groups invitations: all sorts of marriage alliance invitations. Hey, I am happily married, please stay away. If I block one, another one pops up; even I am helpless.

Submitted by Ajay Pal Singh Atwal on March 18, 2006 - 8:02pm. Categories: Exposed | Security

Script Kidding for the Blind

This is the error log of httpd (Apache) on one of the server machines that is about to be replaced very soon; the interesting thing is to see how the script kiddy goes about locating vulnerable web applications:

Submitted by Ajay Pal Singh Atwal on March 7, 2006 - 2:09pm. Categories: Exposed | GNU/ Linux | Security

FTP across a Firewall

My home computer runs GNU/ Linux (FC4 to be precise) behind an iptables firewall. The way it has been configured allows very limited incoming connections (port 80 only) and more or less no limit on outgoing connections.

Submitted by Ajay Pal Singh Atwal on March 6, 2006 - 1:36am. Categories: GNU/ Linux | Security

Here is Another Crack Attempt

Now this is something annoying (not interesting): some script kiddy, who may have either compromised 207.157.58.25 or maybe is some silly script kiddie student of http://www.wallace.edu, attempted a PHP injection attack on this server.

The kid came from 207.157.58.25 and has the scripts stored here. The kiddo's storehouse seems to be some server of iPowerWeb Inc., a web hosting company. He has a load of cracking tools stored on the server. I will try to report this to the iPowerWeb people. Hope they will listen.

One more thing: this service is almost a regular; you will see this in your logs just before the attack is about to begin. Almost all kiddos use this before they start their dirty work.

Submitted by Ajay Pal Singh Atwal on November 7, 2005 - 2:02am. Categories: Exposed | Security

Confusing the Script Kiddie

OK, I am running ssh on this server, and there are plenty of script kiddies out there who are just too eager to run scripts, trying maybe a brute-force attack, and after such an attempt I don't like the look of my system log.
What should I do?
The old trick of obfuscation still works. I know, not a very good idea; someone suggested blocking the kiddo's IP, but hey, how many IP addresses should I block?
I have moved the service to some other **well known port**. Most of the kiddies would get confused, except for the dedicated ones.

Submitted by Ajay Pal Singh Atwal on October 11, 2005 - 2:08am. Categories: GNU/ Linux | Security

Cracking Attempts

Well, here is some script kiddo acting funny on ajaypal.com:

Kiddo Originating IP: 200.164.108.163 (maybe, if not a launching pad)
                      201.9.105.163 (maybe, if not a launching pad)
Attack Type: phpBB CMD Vulnerability
From Where The Kiddo Tried To Download the Crack: http://mi.verizon.net.do/carlos18/tool25.dot
Try downloading this file, renaming it to .txt, and reading it.

Some other exploits that were tried:

Kiddo Originating IP: 200.164.108.163 (maybe)
Attack Type: xGallery Update Exploit
Script for the Kiddo: http://newton.100free.com/newcmd.gif?&cmd=id
Seems to have been removed from the server.

Kiddo Originating IP: 200.164.108.163 (maybe)
                      201.9.105.163 (maybe)
Attack Type: My eGallery Display Category Exploit
Script for the Kiddo: http://pharoeste.net/x/out.gif?&cmd=id
Seems to have been removed from the server.

Get over it, kid ;-(, and do something useful like patching the exploitable software.

Submitted by Ajay Pal Singh Atwal on August 5, 2005 - 11:22am. Categories: GNU/ Linux | Security