20 ans de sécurité informatique ...
... pour en arriver là.
Opera 9
Publiée le 15 septembre 2006
A flaw exists within Opera when parsing a tag that contains a URL. A heap buffer with a constant size of 256 bytes is allocated to store the URL, and the tag's URL is copied into this buffer without sufficient bounds checking of its length. The vulnerable code would look something like this in C/C++:
char *local_url = malloc(256);
strcpy(local_url, tag_url);
Note : ce bug a été introduit dans la version 9, il n'affecte pas la version 8 ...
Apache, mod_tcl
Publiée le 16 août 2006
Due to programmer error, user supplied data is passed as the format string specifier to several calls to an internally defined variable argument function. The function 'set_var' is declared as follows:
mod_tcl.h:117:void set_var(Tcl_Interp *interp, char *var1, char *var2, const char *fmt, ...);
Several insecure calls to this function are made through out the code, as seen below:
tcl_cmds.c:437: set_var(interp, nm_var, (char*) key, (char*) val);
tcl_cmds.c:2231: set_var(interp, nm_env, env[i], sptr + 1);
tcl_core.c:650: set_var(interp, namespc, vl[i].var2, vl[i].var3);
Cisco
Publiée le 12 octobre 2006
The Cisco Wireless Location Appliance software contains a default password for the 'root' administrative account. A user who logs in using this username has complete control of the device.
[...]
If the password has not previously been changed, the default username for the administrator login is "root" (without the quotes), and the default password is "password" (without the quotes).
Mambo
Publiée le 5 octobre 2006
Mambo is vulnerable to an Authentication Bypass issue that is due to an SQL Injection in the login function. The SQL Injection is possible because the $passwd variable is only sanitized when it is not passed as an argument to the function.
En résumé ...
Un strcpy() dans un buffer de 256 octets, une format string, un mot de passe root en dur, une injection SQL dans le champ password, ...
C'est bon, j'ai encore du boulot pour les 20 prochaines années :)
1 commentaire:
Tant mieux, ca me permettra encore de te lire pour les vingt prochaines années ;)
Enregistrer un commentaire