Multiplatform View State Tampering Vulnerabilities

Hrmmm… First CSPP from ShmooCon, tampering with the parameters in connection strings (primarily used for DBMS connectivity) and now what? VSTV or VSXSS, tampering with parameters in the __VIEWSTATE?
Is it real? This is a question so far only answered with a pointer to this reference:
http://support.microsoft.com/kb/829743
as evidence that MS has known about this in ASP.NET for some time; and this video:
http://media.hacking-lab.com/movies/viewstate/
…on how it all supposedly works.
Dunno, it’s tough to see and my eyes are tired from producing this week’s episode. If this ISN’T a total hoax, it would seem 2010 might bring a string of these input validation type issues with configuration-type file-type goodies.
SpiderLabs has documented view state tampering vulnerabilities in three products from separate vendors. View states are used by some web application frameworks to store the state of HTML GUI controls. View states are typically stored in hidden client-side input fields, although server-side storage is widely supported. The affected vendors generally recommend that client-side view states are cryptographically signed and/or encrypted, but specific exploits have not been previously documented. These vulnerabilities show that unsigned client-side view states will ALWAYS result in a vulnerability in the affected products.
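The advisory text above describes the mechanism without showing it. The following is an added illustration, not code from SpiderLabs, the advisory, or any of the affected vendors: a toy "view state" that serializes a page's control state into a hidden field, first unsigned (tamperable, including a reflected-XSS style payload pushed through a control's text), then with a server-held HMAC key so that an edited field is rejected on postback. The control names, the JSON layout and the MAC construction are assumptions made for the example; real frameworks (ASP.NET's __VIEWSTATE among them) use their own serializers.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample state for a page with a greeting label and a role
# control; the server in the unsigned variant trusts whatever comes back.
ORIGINAL_STATE = {"lblGreeting": "Hello, alice", "ctlRole": "user"}

# Hypothetical server-side MAC key for the signed variant.
DEMO_KEY = b"server-side-machine-key-not-sent-to-client"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_viewstate(state: dict) -> str:
    """Unsigned client-side view state: serialize, base64, drop in a hidden field."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def decode_viewstate(vs: str) -> dict:
    """Server side of the unsigned variant: decode with no integrity check."""
    return json.loads(base64.b64decode(vs))


def tamper(vs: str, key: str, value) -> str:
    """What an attacker does with an unsigned view state: decode, edit, re-encode."""
    state = decode_viewstate(vs)
    state[key] = value
    return encode_viewstate(state)


def render_label(state: dict) -> str:
    """Insecure rendering of control text taken straight from the view state,
    which is the view-state XSS angle: the attacker's text lands in the page."""
    return '<span id="lblGreeting">' + state["lblGreeting"] + "</span>"


def encode_signed_viewstate(state: dict, mac_key: bytes) -> str:
    """Signed variant: HMAC-SHA256 over the serialized bytes, appended to them."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(mac_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def decode_signed_viewstate(vs: str, mac_key: bytes) -> dict:
    """Server side of the signed variant: verify the tag before trusting anything."""
    raw = base64.b64decode(vs)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("view state MAC validation failed")
    return json.loads(payload)


def forge_signed(vs: str, key: str, value) -> str:
    """Attacker without the key: edit the payload and keep the old tag."""
    raw = base64.b64decode(vs)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    state = json.loads(payload)
    state[key] = value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()


def is_rejected(vs: str, mac_key: bytes) -> bool:
    """True when the server refuses the posted view state."""
    try:
        decode_signed_viewstate(vs, mac_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    unsigned = encode_viewstate(ORIGINAL_STATE)
    evil = tamper(unsigned, "lblGreeting", "<script>alert(1)</script>")
    print("unsigned, tampered role:", decode_viewstate(tamper(unsigned, "ctlRole", "admin")))
    print("unsigned, rendered:", render_label(decode_viewstate(evil)))
    signed = encode_signed_viewstate(ORIGINAL_STATE, DEMO_KEY)
    print("signed, forged rejected:", is_rejected(forge_signed(signed, "ctlRole", "admin"), DEMO_KEY))
```

The unsigned path shows why the advisory says an unsigned client-side view state is always a vulnerability: the field is attacker input, and anything the server rebuilds from it (a role, a label's text, a control's value) is attacker-controlled. The signed path is the check the vendors recommend; in ASP.NET the corresponding setting is the page's EnableViewStateMac option, which should stay on. Signing alone does not hide the contents, so anything secret in the view state additionally needs encryption.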
Posted: February 20th, 2010
at 4:53am by tan
Tagged with ASP.NET, CSPP, TWSL2010-001, View State Tampering, VSPT, VSXSS, __VIEWSTATE
Categories: Breaking News
Comments: No comments
HNNCast020510
Also on YouTube (for 3GP mobile or 720p true HD users):
PART 1: Lead Stories & News
PART 2: Quickies
HNNCast for the first week of February, 2010
Lead Stories
- Pushdo Pushing Poopoo, Google Bug Bounty, iPhone OTAP Flaw, House Probes GovTrends, Bogus Charges for Bogus MACs, NOTRAX – yea right
News
- Temp Dasvidanya to Dovaya, RX for HoRrors 2221, Blackhat DC Wrap-Up, Po-po Go Offline for Conficker
Quickies
- Taxes-Death-and-Maleware, Biometrics Beat (by a girl), Humbolt Hacked, Iowa Gaming Commission Gets Got, Twitter Gets Proactive, Navy Cyber C&C, StopBadware Goes Pro, Twitter Password Warning, Cons Call
Stack of Shame
- Count: 152
- Turning 2 This Week:
- ZDI-CAN-298 IBM, EMC High 2008-02-07, 727 days ago Discovered by: Sebastian Apelt (sebastian.apelt@siberas.de)
- ZDI-CAN-294 IBM High 2008-02-07, 727 days ago Discovered by: Sebastian Apelt (sebastian.apelt@siberas.de)
- ZDI-CAN-288 IBM High 2008-02-07, 727 days ago Discovered by: Anonymous
Posted: February 6th, 2010
at 11:37pm by tan
Tagged with "South Korea", 10th Fleet, amazon, Berkman Center for Internet and Society, biometric, Blackhat DC, botnet, Bug Bounty, bug market, cable modem modders, Cablehack.net, certificates, Chicago, China, Chromium, CIA, Conficker, Connection String Parameter Pollution, CSPP, Cyber Command, Data Accountability and Trust Act, DDoS, Defcon 18, Defcon.org, DerEngle, electron microscope, EMC, Esther Dyson, fingerprint scanning, Ft. Meade, Google, Greater Manchester Police, H.R.2221, Hacking the Cable Modem, Harvard University, Humbolt State University, IBM, IE, Infineon, Interior Ministry, Iowa Racing and Gaming Commission, iPhone, Japan, Kaspersky, maleware, Massmodz.com, Matthew Delory, Microsoft, Mozilla, Naval Cyber Command, Naval Network Warfare Command, Notrax, Novaya Gazeta, Oklahoma, OTAP, password, paypal, Pokercon, Pushdo, RSA, Ryan Harris, San Francisco, SDLC, SecureStar, Security B-Sides, ShmooCon, smartphone, SSL, stopbadware, TCN-ISO.NET, Thomas Swingler, Thotcon, Torrent, Trojan, Twitter, US Navy, Verizon, Vint Cerf, virus, Washington DC, wiimodder, ZDI
Comments: 1 comment