Profilactic Mashup - fm

Bookmarks: The HTML Editor - a viewing and editing control and component for C# or any .Net language

Mon, 12 May 2008 06:10:12 GMT

Tags: .net COM interop Dilemma mshtml

Posted by: fmavituna

Bookmarks: Shadowserver Foundation - Main - HomePage

Sun, 11 May 2008 22:33:04 GMT

Tags: ddos botnet

Posted by: fmavituna

twitter: another good botnet case : http://tinyurl.com/5csyyp

Sun, 11 May 2008 22:25:48 GMT

fmavituna: another good botnet case : http://tinyurl.com/5csyyp

Bookmarks: I Was A Teenage Bot Master [printer-friendly] | The Register

Sun, 11 May 2008 22:15:04 GMT

Tags: no_tag

Posted by: fmavituna

Bookmarks: RFC 2616 (rfc2616) - Hypertext Transfer Protocol -- HTTP/1.1

Sun, 11 May 2008 21:42:46 GMT

Tags: no_tag

Posted by: fmavituna

Bookmarks: The Art of Software Security Assessment » Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF

Sun, 11 May 2008 21:25:02 GMT

Tags: same origin policy chart js

Posted by: fmavituna

twitter: olay su:paradise lost olup muzigin goturdugu yere gidip eski tayfadan tekme mi yiyecegiz? yoksa dinozor bir heavy metal grubu mu olacagiz?

Sun, 11 May 2008 21:12:31 GMT

fmavituna: olay su:paradise lost olup muzigin goturdugu yere gidip eski tayfadan tekme mi yiyecegiz? yoksa dinozor bir heavy metal grubu mu olacagiz?

twitter: SSL Implementation Security FAQ is almost ready to release, yay!

Sun, 11 May 2008 21:10:02 GMT

fmavituna: SSL Implementation Security FAQ is almost ready to release, yay!

twitter: listening pointless pop music and fixing stuff in the blog,

Sun, 11 May 2008 21:08:57 GMT

fmavituna: listening pointless pop music and fixing stuff in the blog,

Bookmarks: Crash Course: Analyze Crashes to Find Security Vulnerabilities in Your Apps

Sun, 11 May 2008 20:07:33 GMT

Tags: exploitation RCE

Posted by: fmavituna

Google Reader: Apache mod_status.

Sun, 11 May 2008 20:01:39 GMT

This is the kind of reconnaissance that is often forgotten about. It's simple and effective. Apache has a module called mod_status, which let administrators generate a screen with server information, like requests, CPU usage, uptime and various other bits of information. Obviously such page must be protected and only accessible from 127.0.0.1 or some other intranet address. Now, call me curious but just a moment I wondered if Apache.org had installed this very same module. That is the kind of thinking I like, you expect not but try anyway. And to my amazement, they have it running in the way that you can view the server-status page remotely.

http://www.apache.org/server-status?refresh=5

The output is something like this:



Apache Server Status for www.apache.org



Server Version: Apache/2.2.8 (Unix)

Server Built: Jan 11 2008 03:41:24



Current Time: Sunday, 11-May-2008 17:41:18 GMT

Restart Time: Sunday, 27-Apr-2008 14:20:46 GMT

Parent Server Generation: 35

Server uptime: 14 days 3 hours 20 minutes 32 seconds

Total accesses: 20168279 - Total Traffic: 12463.1 GB

CPU Usage: u4793.84 s22050.7 cu0 cs0 - 2.2% CPU load

16.5 requests/sec - 10.4 MB/second - 0.6 MB/request

13 requests currently being processed, 87 idle workers



And then a full list of all requests being made on the WHOLE server:



0-35	3696	0/274/131693	_ 	1275.36	0	43	0.0	18.63	68052.16 	74.64.97.135	mail-archives.apache.org	GET /mod_mbox/incubator-heraldry-dev/?format=atom HTTP/1.1

0-35	3696	0/331/133789	_ 	1260.89	45	7	0.0	35.06	67714.56 	74.6.21.221	mail-archives.apache.org	GET /mod_mbox/httpd-cvs/199912.mbox/%3c19991224211227.29151.qma

0-35	3696	0/325/132987	_ 	1261.21	37	1	0.0	14.95	64226.60 	221.155.117.50	www.apache.org	GET /images/asf-logo.gif HTTP/1.1

0-35	3696	0/381/132079	_ 	1275.31	2	1	0.0	26.66	66800.09 	59.94.105.135	www.apache.org	GET /favicon.ico HTTP/1.1

0-35	3696	0/352/131973	_ 	1260.16	60	2	0.0	6.48	67252.40 	124.182.29.39	www.apache.org	GET /style/compressed.css HTTP/1.1

0-35	3696	0/272/133733	_ 	1258.50	66	429	0.0	2.02	66097.19 	66.249.73.69	mail-archives.apache.org	GET /mod_mbox/geronimo-servicemix-commits/200612.mbox/%3C200612

0-35	3696	0/372/132626	_ 	1207.56	64	0	0.0	8.71	67412.13 	79.67.251.89	mail-archives.apache.org	GET /archives/asf_logo_simple.png HTTP/1.1

0-35	3696	0/282/131652	_ 	1275.12	4	77	0.0	22.17	66882.72 	65.55.235.139	mail-archives.apache.org	GET /mod_mbox/httpd-cvs/200204.mbox/author HTTP/1.0

0-35	3696	0/360/132699	_ 	1271.84	10	16	0.0	3.39	65580.91 	66.249.73.69	www.apache.org	GET /dist/commons/transaction/source/?C=S;O=A HTTP/1.1

0-35	3696	0/255/132419	_ 	1253.20	71	77	0.0	16.80	65998.16 	66.249.73.69	mail-archives.apache.org	GET /mod_mbox/ofbiz-user/200609.mbox/%3C966739BB-704E-492D-93D5

0-35	3696	0/294/134198	_ 	1260.12	62	16	0.0	7.58	66850.80 	66.249.73.69	mail-archives.apache.org	GET /mod_mbox/tomcat-users/200406.mbox/%3CDFC0AAB1-B915-11D8-AB

0-35	3696	0/379/132988	_ 	1260.72	51	1	0.0	13.80	65103.83 	212.251.168.234	www.apache.org	GET /ads/ApacheCon/2007-europe-125x125.png HTTP/1.1

0-35	3696	0/334/134733	_ 	1275.05	8	271	0.0	14.26	68360.50 	192.248.8.100	www.apache.org	GET /dyn/closer.cgi/httpd/binaries/win32/ HTTP/1.0

0-35	3696	0/398/134066	_ 	1269.44	13	1	0.0	44.18	66286.38 	58.16.104.191	www.apache.org	GET /images/feather-small.gif HTTP/1.1



etc...

Now what is wrong with this picture I ask you? The answer is very simple. If I can reach this page, I can set an interval of 1 second, parse all requests remotely and grep or regex patterns out that disclose sensitive information. Since the whole server can be monitored by default, it means that somewhere sometime someone will access a protected hidden directory which we can't locate through Google. One thought further, is hardcoded sessions, tokens or passwords into a GET request which we can store for further analysis, or just real-time abuse it with CSRF or session stealing. Apache has provided a method for that as well, which let us grab the status in a machine readable format:

http://www.apache.org/server-status?auto

Another concern is information disclosure or a privacy risk for people that access the domain configured with mod_status and being indexed by Google.

Overall, it is a bad idea to leave this unprotected.

Bookmarks: Software Downloads // iDefense Labs

Sun, 11 May 2008 19:39:59 GMT

Tags: tools tool idefense com RCE

Posted by: fmavituna

Bookmarks: Open Source URL Rewriter for .NET / IIS / ASP.NET » Home

Sun, 11 May 2008 17:23:24 GMT

Tags: urlrewrite htaccess asp.net

Posted by: fmavituna

twitter: going out for a drint and a bit shopping

Sun, 11 May 2008 13:30:37 GMT

fmavituna: going out for a drint and a bit shopping

Bookmarks: Blog yazarlarıyla röportaj: Ferruh Mavituna

Sun, 11 May 2008 13:28:41 GMT

Tags: me blog interview roportaj

Posted by: fmavituna

twitter: what a shame!Gaming is so dead, because of fuck** consoles killed PC gaming! I've just played GTA4 and it simply sucks.Last hope is Fallout3

Sun, 11 May 2008 10:22:26 GMT

fmavituna: what a shame!Gaming is so dead, because of fuck** consoles killed PC gaming! I've just played GTA4 and it simply sucks.Last hope is Fallout3

twitter: feci formdayim, Allah nazarlardan saklasin :) 2 tane yeni yazi yayinladim

Sun, 11 May 2008 10:13:54 GMT

fmavituna: feci formdayim, Allah nazarlardan saklasin :) 2 tane yeni yazi yayinladim

Google Reader: Focus on Maltego Version 2.0 : The Datamining framework

Sun, 11 May 2008 09:21:47 GMT

Maltego is a program that can be used to determine the relationships and real world links between: People, Groups of people (social networks), Companies, Organizations, Web sites, Internet infrastructure such as:
Domains
DNS names
Netblocks
and much more
This new release of Maltego comes with a bunch of new features. The core engine has been completely rewritten, the search options and transforms has been enhanced. With Maltego, we can say that we deal with the best Intelligency (...) - Security Tools / Footprinting, Information Gathering, Data Mining, Maltego

twitter: internet is amazing, increasing blood flow by warming my arm helped the pain, and now gonna sleep

Sat, 10 May 2008 23:54:53 GMT

fmavituna: internet is amazing, increasing blood flow by warming my arm helped the pain, and now gonna sleep

Bookmarks: Zoundry Raven: Think - Write - Publish

Sat, 10 May 2008 20:37:29 GMT

Tags: blog editor wyiwyg

Posted by: fmavituna