mitm sql metasploit

SQL Server Authentication With Metasploit and MITM

While exploring the depths of Metasploit capture modules, I came across auxiliary/server/capture/mssql which can be found here. The module can be used to capture Microsoft SQL Server logon credentials if a user or client authenticates with the module. What caught my attention is just how effective this module can be in retrieving plaintext credentials. First, a bit of background on SQL Server authentication. Usually authenticat

security exploit web sharepoint

MS15-099 - SharePoint XSS

Recently, during a review of SharePoint, I came across a vulnerability discovered by the Fortinet team and published on their blog. The post contained information on what a successful exploit would look like, but provided no final exploit for verification or testing. After a bit of review, I found the following POC code which, when triggered, shows a simple alert dialog box

security csv

From CSV to Meterpreter

As many of you have probably seen, last year Context published research into spreadsheet applications such as Excel which render CSV files (and their embedded formulas) when opened. If you haven't, I suggest stopping and reading http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/. Many web applications provide a user with an option to export data to a CSV file format, and when the data can be influenced by an attacker (registration names, analytics, etc.), you are facing a pot
