iBlog - Ilia Alshanetsky

The concept of doing network scanning via JavaScript is hardly new and is quite easy for anyone with even cursory knowledge of JavaScript. However, the assumption was that as long as you browse the web with JavaScript disabled you are safe from hostile sites from scanning your network. Alas, this was not to be, in a very interesting post Jeremiah Grossman shows how can this be done with plain HTML using no JavaScript what so ever.

His methodology relies on Firefox's quirk, whereby the page loading would wait for the <link> tag to be processed before rendering the rest of the page. This means you could use the link tag to reference local IPs and use a subsequent image to see how long did it take for the IP to respond. If the response was very quick, then you know the host has something listening on a given port and if it does not, well then the port is being blocked or filtered.

The problem with his approach is that to scan an entire network would be rather slow and require multiple iframes to perform the scan. Not to mention very noticeable, I decided to see if something can be done about this limitation. Continue reading "Network Scanning with HTTP without JavaScript"

There was a very interesting article posted on the Securiteam blog which talks about anonimizing code injection attacks. The approach is quite simple and yet rather ingenious, simply submit to Google the vulnerable application URL with the attack payload passed via the GET parameters. And within a short period of time Googlebot will dutifuly trying to index the URL, effectively executing the attack. Stefan had also explored this issue on his blog with some examples showing how to ensure more rapid indexing, so you wouldn't have to wait weeks for exploit to be triggered.

However, everybody seemed to have focus on Google, which maybe a bit unfair to them since other search engines suffer the same kind of problems. For example if we take MSN (Microsoft's Search) and run the "inurl:cmd.gif" query that SecuriTeam folks used to test Google, we find a fair number of results. Which tells us that hackers believe in equal opportunity and use MSN as much as Google to propagate their attacks.

But there are other ways too. For example an attack could post an anonymous message on a blog or a forum with an image embedded into where the image url is not an image but rather a URL vulnerable site with embed payload. Which means that when other people read their message their browsers in most cases will make requests to the given URL thus triggering the attack. This is hardly new though, this scam has been used for ages to inflate hit counter stats, etc... Another vector of attack could be to use application that retrieve content from a URL automatically, such as the w3c validator, that will instantly make a request to any given URL and more over return you the resulting HTML at the time obscuring the actual attacker's IP address.

It be interesting to know what other sites allow this kind of behavior where a user supplied URL is instantly retrieved hiding the original user's IP.

Damien is continuing his very handy phpinfo() research work, this time focusing on the popularity of the different PHP extensions people utilize with PHP and some interesting configuration directives such as disable_functions. You can find the graphs and summaries here and here.

A very interesting read to anyone writing or considering writing distributable applications that need to work in different PHP environments.

After an extremely long (IMO) release cycle the final version of PHP 5.2.0 was finally released yesterday morning. There are many new features, speed improvements and a fair number of security changes. You can read the official release announcement for a quick summary of the major changes and the specifics can be found in a very long and somewhat boring to read changelog

The bottom line is that all users of PHP 5.x should definitely upgrade and for 4.x users need to seriously start thinking about migrating as well, since we've finally got a 5 release that not only is feature complete but is also faster or at the minimum performs at the same speed as PHP 4.4.

Big thanks to all the contributors who made patches, reported bugs and ran tests to hopefully make a solid release.

The slides for the Caching Systems talk are now available online, they can be downloaded here.