
Showing posts from May, 2011

From Vulnerability to Exploit (Joomla! SQL Injection)

James from GulfTech Research and Development has coded a Joomla! SQL injection exploit for Metasploit that goes from SQL injection to remote code execution:



https://docs.google.com/leaf?id=0B5oxcQ53hliTNmZlNGJmODEtNmQ3MC00YWI2LThmMTAtZjUzMGU0OTcxOTNh&hl=en



It works for our previous disclosure of:

http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.6.0%5D_sql_injection

We thank James for his excellent working exploit, which provides a proof of concept for a vulnerability that the Joomla! core developers think of as information disclosure only:


http://developer.joomla.org/security/news/328-20110201-core-sql-injection-path-disclosure.html

ASP.Net __VIEWSTATE/__EVENTVALIDATION | Does it prevent CSRF?

Myth:

Some web application developers mistakenly assume ASP.Net __VIEWSTATE/__EVENTVALIDATION can thwart CSRF attacks.


Fact:

As far as we know, Microsoft did not present __VIEWSTATE/__EVENTVALIDATION as a CSRF defense when ASP.Net was introduced.


Proof-of-Concept:

A valid CSRF exploit can be crafted using known __VIEWSTATE and __EVENTVALIDATION values, which anyone can obtain simply by viewing the HTML source of the page. Unless the web application processes __EVENTTARGET and __EVENTARGUMENT, these parameters can be skipped.
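
Why values read from the HTML source pass validation, as an added example that is not part of the original post: a simplified Python model (not ASP.NET's actual implementation) of a state blob whose MAC uses only a server key, next to one whose MAC also covers a per-session value, which is the role ASP.NET's `Page.ViewStateUserKey` property plays for view state. `SERVER_KEY`, `PAGE_STATE` and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values: stand-ins for the application's machine key and page state.
SERVER_KEY = secrets.token_bytes(32)
PAGE_STATE = b"ctl00$TransferForm;fields=amount,toAccount"
MAC_LEN = 32  # SHA-256 digest size


def issue_state(state: bytes, user_key: bytes = b"") -> bytes:
    """Return state || MAC. With an empty user_key the MAC depends only on the
    server key, so every visitor of the page receives the same valid blob."""
    mac = hmac.new(SERVER_KEY, state + user_key, hashlib.sha256).digest()
    return state + mac


def validate_state(blob: bytes, user_key: bytes = b"") -> bool:
    """Postback check: recompute the MAC for the session making the request."""
    if len(blob) <= MAC_LEN:
        return False
    state, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, state + user_key, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    session_a = secrets.token_hex(16).encode()  # session that viewed the page source
    session_b = secrets.token_hex(16).encode()  # a different logged-in session

    plain = issue_state(PAGE_STATE)             # integrity-only blob
    bound = issue_state(PAGE_STATE, session_a)  # blob bound to session A

    return {
        # Integrity protection alone: a blob issued to A validates for anyone.
        "integrity_only_cross_user": validate_state(plain),
        "bound_same_user": validate_state(bound, session_a),
        # Bound blob replayed in B's session fails the MAC check.
        "bound_cross_user": validate_state(bound, session_b),
        "bound_tampered": validate_state(b"X" + bound[1:], session_a),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The MAC proves the blob came from the server, not that it was issued to the user submitting it; only the session-bound variant rejects a value copied from another session.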

Keywords: ASP.Net, Cross Site Request Forgery, CSRF, XSRF