Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Netware ichain

from [Eyal Udassin] Network Security [Permanent Link]
Subject: RE: Netware ichain
Date: Thu, 7 Oct 2004 12:55:55 +0200 
Hello,

I audited 3 iChain servers of different clients this year.
Until the last release, the server sends it's exact version and build in the
server HTTP header, which will make your life easier if this is a black box
test.

Following are known vulnerabilities from the last year - some are not
detailed as they where submitted by Novell:
http://www.securityfocus.com/bid/11061
http://www.securityfocus.com/bid/8732 - OpenSSL ASN.1 Buffer overflow
http://www.securityfocus.com/bid/10767
http://www.securityfocus.com/bid/10576
http://www.securityfocus.com/bid/9412

Other than that, I didn't find any additional application level
vulnerabilities, yet this was not the focus of my assessments... 

Regards,

Eyal Udassin
Swift Coders


-----Original Message-----
From: Taki Waki [mailto:iskooler@gmail.com] 
Sent: Wednesday, October 06, 2004 4:25 AM
To: webappsec@securityfocus.com
Subject: Netware ichain


Hi List,

Was wondering anyone done any penetration testing on Netware iChains before.
Are there any default scripts or instalations that can be exploited via the
Internet? Thanks.




On Wed, 6 Oct 2004 14:41:51 +1300, Mike Allison <mike.allison@asbbank.co.nz>
wrote:

Hi Benoni,

Three rules that I live by that relate to these issues:
1. Client side (Jscript) filtering has nothing to do with security (it 
is trivial to bypass it). It is used merely to inform the user what 
data is acceptable in order to prevent wasted posts back to the 
server. In terms of security, it's irrelevant whether or not users 
look at your Jscript; all input must also be filtered on the server. 
2. Never send server generated or ASP generated or SQL generated 
errors back to the client; identify these errors in your code then 
send back your own user-friendly message to the client. 3. I never let 
user input anywhere near my database unless I know exactly what is in 
it. I check the user input in my .asp code (using regular 
expressions), and if it doesn't conform to what I expect, I send back 
a friendly message to the client.

Hope this helps,
Mike.

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
Sent: Wednesday, October 06, 2004 1:26 AM
To: webappsec@securityfocus.com
Subject: Web Forms filtered with SQL constraints

Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not
ASP.NET) formulaires people have to fill in. To avoid SQ injection 
attacks and other tricks, I have set up some Jscript filtering on each 
field (i.e. for instance a name can just be alphabet's characters and 
no figures :) ), and I am planning to do the same on my Database 
(setting up constraints).

But I have 2 questions:
       - How can I hide my Jscript filtering from the user ? When I 
want to see the source, everything is diaplayed, quite normal :( ... 
Maybe it's not so good to tell people what I have done to filter them 
:) I saw some sites where it is impossible to see the source, 
impossible to "hoover the site", impossible even to print ... But I 
have not been able to find on the net how to do this :(

       - How can I deal with possible SQL errors within an ASP page ? 
I mean, if a field has been filled in, bypass my Jscript filtering (no 
matter how), and gets to the database but is then "stopped" by an SQL 
onstraint, how do I raise this error on an ASP page without diplaying 
an explicit error (giving the user the name of my database for 
instance) ?

Cheers for any clue, I am lost on this topic :( 
======================================================================
==================
This email message and attachments are confidential to our organisation

and subject to legal privilege.  If you have received this email in error,
please advise the sender immediately and destroy the message and any
attachments. If you are not the intended recipient you are notified that any
use, distribution, amendment, copying or any action taken or omitted to be
taken in reliance of this message or attachments is prohibited.  You can
read our Privacy Policy here:
<http://www.asbbank.co.nz/privacystatement.stm>



============================================================================
=============
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RSS Feed List, saphyr
Next by Date:  RE: Of the three expensive vulnerability scanners, Joe Basirico
Previous by Thread:  Netware ichain, Taki Waki
Next by Thread:  Re: Web Forms filtered with SQL constraints, Tom Stowell
Indexes:  [Date] [Thread] [Top] [All Lists]