Full Disclosure

The need for Full, Partial, Responsible and Zero disclosure. Issues with reporting vulnerabilities to vendors.

Source Disclosure vulnerability in Joomla – the dreaded single quote

We have started receiving reports from Joomla users that our ScanMyServer service is picking up an unknown and undocumented vulnerability on their web site.

The scanner is showing that they have one or more source disclosure/path disclosure vulnerabilities. Since they were using the latest and most up to date version of Joomla their reports looked odd and we started to investigate the matter.

We found out that the vulnerability is “hard” to trigger, as Firefox and Internet Explorer will escape the single quote in a URL to its encoded form, while Chrome will not. So while sending it under Chrome will show something like:
Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Invalid URI detected.' in /home/content/41/9236541/html/libraries/joomla/environment/uri.php:194 Stack trace: #0 /home/content/41/9236541/html/libraries/joomla/application/application.php(248): JURI::getInstance() #1 /home/content/41/9236541/html/includes/application.php(135): JApplication->route() #2 /home/content/41/9236541/html/index.php(36): JSite->route() #3 {main} thrown in /home/content/41/9236541/html/libraries/joomla/environment/uri.php on line 194

The same URL under Firefox and Internet Explorer, will return:
404 - Article not found

Of course, the vulnerability is not in Chrome, but is a real issue caused by Joomla not properly escaping the URL.

The problem has been already spotted in a different section of Joomla, the search option, as can be seen by this post: http://joomlacode.org/gf/../?action=TrackerItemEdit&tracker_item_id=31036&start=0

So the problem isn’t just in the search, it also spans to other sections of the Joomla framework.

We will keep you posted when a fix is provided, or we have a workaround for this issue.

Review of “cloud drives” – Younited – pt 3

Yesterday I received an update for the Younited client–on the Win7 machine.  The XP machine didn’t update, nor was there any option to do so.

This morning Younited won’t accept the password on the Win7 machine: it won’t log on.  Actually, it seems to be randomly forgetting parts of the password.  As with most programs, it doesn’t show the password (nor is there any option to show it), the password is represented by dots for the characters.  But I’ll have seven characters entered (with seven dots showing), and, all of a sudden, only three dots will be showing.  Or I’ll have entered ten, and suddenly there are only two.

Review of “cloud drives” – Younited – pt 2

My major test of the Younited drive took a few days, but it finally seems to have completed.  In a less than satisfactory manner.

I “synched” a directory on my machine with the Younited drive.  As noted, the synching ran for at least two days.  (My mail and Web access was noticeably slow during that time.)  The original directory, with subdirectories, contained slightly under 7 Gigs of material (the quota for basic Younited drives is said to be 10 G) in slightly under 2,800 files.  The transfer progress now shows 5,899 files transferred, and I’m out of space.

A quick check shows that not all files are on the Younited drive.

Review of “cloud drives” – Younited – pt 1

I’m trying out various “cloud drives”–or “file transmission services” as my little brother likes to call them, so as not to sully the name of cloud storage–and thought I’d mention a few things about F-Secure’s Younited first.

The reasons it is first are because a) F-Secure is a highly respected antivirus firm and based beyond the reach of the NSA in Finland, b) they are promoting the heck out of the new service by making it practically invitation only and asking that people tweet and blog about it, and c) it is really starting to annoy me.

Supposedly you can access it via the Web or through apps you install on your computer or device.  I have been able to upload a few individual files onto it, and access them on other devices.  Except for the MacBook.  The app seemed to install fine, but then it wouldn’t open anymore.  On the theory that, like SkyDrive, it wouldn’t install on my copy of Snow Leopard (and at least SkyDrive had the decency to tell me that), I upgraded to Maverick (which has created its own problems).  That hasn’t fixed it.  Next step is probably to throw it in the trash and reinstall.

I decided to give it a bit of an acid test tonight, and upload a set of directories.  First off, it seemed to load everything, willy-nilly, into a standard set of folders for “Pictures,” “Videos,” “Music,” etc, regardless of the directories they came from.  At least, that what the app showed.  The Web browser, if you accidentally hit the right button (and I’m darned if I can find out how to get it back) showed the directories–but they were all empty.  A web browser on another machine shows nothing at all.

(A gauge of progress for uploads has been saying “Transferring 635/6475” for the last several hours, regardless of what else has gone on.)

I thought maybe I might have to create and populate a directory at a time.  That’s when I realized that I can’t make directories.  If you get past the initial level of “Help” FAQs (which don’t have a lot of helpful detail) you can find the “community.”  Do a search on “folders,” and a number of listings come up, included an article on how to organize your files.  This says that, in order

“To create a folder

  1. Go to the younited_folder.PNG younited folder.
  2. Select Create_folder.PNG Create folder.
  3. Type a name for the older and select OK.”

Only problem is, when you click on the younited icon, the “create folder” option or icon never appears.  Other entries are equally “helpful.”  (What is the icon for sarcasm?)

I will, undoubtedly, learn more about the system and how to use it, but, at the moment, it is frustrating in the extreme.

Howto: Phish HSBC credit card numbers

Like many other people, I try helping developing countries when I can. So to help boost GDP in Eastern Europe and Africa (or ‘redistribute the wealth’ if you will) here’s a quick tutorial that will help scammers get HSBC customers’ credit card numbers. All the steps below are done by the real HSBC, so you don’t even need to “fool” anyone.

An HSBC customer who has gone through this process before won’t be able to distinguish between you and the real HSBC. Customer that has not been through this process certainly won’t know better anyway. In fact, you can do it to HSBC employees and they won’t know.

All you need is a toll-free number for them to call (feel free to forward it to Nigeria). The nice thing about HSBC is that the process below is identical to how the real HSBC asks customers for information. In other words: HSBC is training their customers to follow this path. I propose a new term for HSBC’s method of breeding phish: spowning (spawn+p0wn).

Step 1:

Prepare an email that looks like:

Dear :

As a service to our customers and in an effort to protect their HSBC Premier  MasterCard  account, we are attempting to confirm recent charge activity or changes to the account.

Please contact the HSBC Premier Fraud Servicing Center to validate the activity at 1-888-206-5963 within the Continental United States. If you are calling from outside the United States, please call us collect at 716-841-7755.

If the activity is unauthorized, we will be able to close the account and reissue both a new account number and cards. Please use the Subject Reference Number below, when calling.

At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority. We appreciate your business and regret any inconvenience this may have caused you.

Sincerely,

Security & Fraud Risk HSBC USA

Alert ID Number :  10917558

Note:  Emails sent to this repository will go unmonitored.  Please do not reply to this email. —————————————– ************************************************************** This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. ************************************************************** “SAVE PAPER – THINK BEFORE YOU PRINT!”

Step 2:

Replace the phone numbers with your own. The above are HSBC’s.

Don’t worry about the ‘alert ID’. Just make something up. Unlike other credit cards, the caller (me, in this case) can’t use the alert ID to confirm this is really HSBC.

Step 3:

Blast this email. You’re bound to reach plenty of HSBC card holders. The rest you don’t care about anyway.

Main perk: Before the customer gets to speak to a human they need to enter full credit card number and 4 digit SSN. So even the most lazy scammer can at least get those.

For the overachieving scammers, have a human answer and ask for  Card expiration and Full name on the card before agreeing to answer any other questions from the customer. This is all standard procedure at HSBC so customers shouldn’t be suspicious.

Oh, and if the customer who happens to be a security blogger tries to authenticate you back, tell them to hang up and call the number on the back of their card. That will shut them up.

At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority.

If it really was, you wouldn’t make me such an easy target for scammers. But thanks for playing.

 

Phecal photo phorensics

I suppose I really can’t let this one … pass …

Last weekend a young woman fell to her death while on a tandem hang glider ride with an experienced pilot.  The pilot, owner of a company that takes people on hang gliding rides for kicks, promises video of the event: the hang glider is equipped with some kind of boom-mounted camera pointed at the riders.

Somehow the police investigating the incident suspected that the pilot had swallowed the memory card from the video camera.  (Presumably the video was running, and presumably the pilot knew it would show something unfortunate.)  This was later confirmed by x-rays.

So, this week we have all been on “memory card movement” watch.

And it has cr… I mean, come out all right.

Easy login into Korean Point-of-Sale device

Some things are cross-culture it seems. Especially when it comes to trivial security mishaps.
So I’m at a PoS terminal in a large department store in Seoul and while I’m waiting for the register to ring up my order, I look at the touchscreen where I will be asked for my signature in a moment. I notice a little icon that looks like ‘settings’. How can I not click on it?

Initial PoS screen
Oh, it needs a password. Must be this PCI compliance thing everybody is raving about. And no, wiseass, 1-2-3-4-5 doesn’t work.

Asking for password

…But 1-2-3-4 does.

Password

Yup. Unlocked.
Now I need to polish up my Korean to figure out what to do next. Suggestions?

Menu Screen

Sorry for the full disclosure guys. And that includes all of you that now need to change your luggage combination.

The truth behind the Opera unpatched vulnerability

How hard is it to get facts straight? I don’t expect vendors to admit they sat on a vulnerability for months without patching: it’s human nature to blame someone else:

Opera […] claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Of course, when dealing with vendors, it’s always “the dog ate my homework” and “I swear we couldn’t reproduce it until it became public”
But I’m puzzled on why a technical reporter would just happily accept what’s being shoveled at him. For one, he could have contacted us and asked…

Here’s what really happened: We notified Opera about this vulnerability back in May. We gave them the Proof-of-Concept, disassembly, explanation and vulnerability analysis. So saying they did not have the full information is far from the truth. We didn’t ask for anything in return (we never do) but I admit we were skeptical based on previous experience with reporting vulnerabilities to Opera.
Then came the Million dollar question; we were asked if it worked on the latest version of Opera, and we said we don’t know. Since last time I checked, no one here worked for the Opera QA team, so we didn’t feel it was our job to check it. The response was typical:
“We only fix issues that are relevant to the latest version of Opera”

Followed by the all-too-common:”the items provided only cause crashes they have no intention to fix them”.

I guess they meant “we won’t fix them unless you drop a 0-day and we get a call from a computer magazine”.The Vendors-against-full-disclosure will continue, no doubt. Tech writers, get your spines refitted please: if you’re not a part of the solution, you’re a part of the problem.