Welcome to Fogfighters Hungary!
 
  Login or Register
.week  
Time
 
 
 
Languages
Select Interface Language:

 
Google Translation
Translation
 
Traffic Report
 
Where are you from?
 
Map Random
Objective
Desert_Temple_Final
View Desert_Temple_Final
Allies have to fight their way to the axis temple and rob the gold crate from the sarcofage. Allied mission: Rob the gold crate in the axis temple! Axis mission: Stop the allies from stealing the gold in from the temple sar
Hits: 4
Total Maps: 85
 
Modules
· Home
· About Easter
· Büntetés kalkulátor
· Bible
· Biorythm
· Birds
· Black Gallery
· Cats
· Coppermine
· Dogs
· eCards
· ET Game manual
· ET Handbuch
· ET játékleírás
· ET Maps
· Fórumok
· FIFA World Cup 2006
· Fish
· Google Guide
· Googlemaps
· Hírküldés
· Help Desk
· Internet_TV
· Keresés
· Letöltések
· Members List
· Member_Map
· News
· Online Radios
· PHP-Nuke_HOWTO
· PHP-Nuke_Tools
· Private Messages
· Punkbuster
· Saját beállításaid
· Shout Box
· Statisztikák
· Szavazások
· Szerencsejáték
· Tagfelvétel
· Viccek
· Videó kollekció
· Web címek
· Web Development
 
MS-Analysis
Top-Ten Countries visiting Fogfighters Hungary

1 United States United States
2 China China
3 Viet nam Viet nam
4 Russian Federation Russian Federation
5 France France
6 Hungary Hungary
7 unknown unknown
8 Ukraine Ukraine
9 Canada Canada
10 United Kingdom United Kingdom
11 Germany Germany
12 Netherlands Netherlands
13 Poland Poland
14 Italy Italy
15 Taiwan, Province of China Taiwan, Province of China
16 Seychelles Seychelles
17 Australia Australia
18 Romania Romania
19 Indonesia Indonesia
20 India India
21 Thailand Thailand
22 Sweden Sweden
23 Brazil Brazil
24 Japan Japan
25 South Africa South Africa
26 Lithuania Lithuania
27 Argentina Argentina
28 Spain Spain
29 Iran, Islamic Republic of Iran, Islamic Republic of
30 Chile Chile
31 Luxembourg Luxembourg
32 Turkey Turkey
33 Moldova, Republic of Moldova, Republic of
34 Korea, Republic of Korea, Republic of
35 Belarus Belarus
36 Malaysia Malaysia
37 Venezuela Venezuela
38 Switzerland Switzerland
39 Singapore Singapore
40 Colombia Colombia
41 Hong Kong Hong Kong
42 Mexico Mexico
43 Mongolia Mongolia
44 Czech Republic Czech Republic
45 Belize Belize
46 Greece Greece
47 Honduras Honduras
48 Estonia Estonia
49 Latvia Latvia
50 Bulgaria Bulgaria

View MS-Analysis
 
Scrolling Links
Mods:































Community:




































Clans:






























































League:










Anticheat:












Other:

































 
Special days




Reggae Music Day


 
Képes Naptár
There is a problem right now with this block.
 
CPG Random Picture

A torony alsó ajtaja

 
Latest Videos


Last added videos

Orvosnál

Orvosnál

Last added videos

Funny

Funny Mortar

Last added videos

Shy

Shy Rose - I Cry For You
 
Cross-site tracing with PHP-Nuke

23.3.4. Cross-site tracing with PHP-Nuke

A new vulnerability has been found in Microsoft's Internet Information Server (IIS) which allows the reading of cookies. This is potentially possible also on Apache. Since PHP-Nuke relies on the cookie mechanism (Section 23.4.5) for user authentication, it is important to know the risks emanating from this type of vulnerability. Here is the way it works, according a CERT advisory (see Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method):

Microsoft IIS servers support the HTTP TRACK method. The HTTP TRACK method asks a web server to echo the contents of the request back to the client for debugging purposes. The TRACK request is not RFC compliant and not well documented.

The complete request, including HTTP headers, is returned in the entity-body of a TRACK response. This leads to a Cross-site Scripting attack. Using features that provide client-side HTTP protocol support, such as XMLHTTP ActiveX or XMLDOM scripting objects, a web site can cause browsers to issue TRACK requests. The site can read the TRACK response, including sensitive header information such as cookies or authentication data.

Because the TRACK method is similar to the TRACE method, when combined with cross-domain browser vulnerabilities (VU#244729, VU#711843, VU#728563), HTTP TRACK and client-side HTTP support can be leveraged by attackers to read sensitive header information from third-party domains. This technique has been termed "Cross-Site Tracing," or XST, in Cross-Site Tracing (XST), a report published by WhiteHat Security. Cross-site tracing is also described in a CERT advisory about Cross-Site-Tracing.

As noted in the report of WhiteHat, the technique can be used to bypass the HttpOnly cookie attribute introduced in Microsoft Internet Explorer 6.0 SP1. HttpOnly blocks script access to the cookie property (document.cookie), but does not prevent a scripting object from reading the cookie out of an HTTP TRACK response. In the White Paper of WhiteHat Security, this new method of Cross-Site-Scripting is explained in detail. The essence is that this technique

...is able not only to bypass the httpOnly mechanism present in i.e. 6 service pack 1, but in addition the ability to xss just about anything from just about anywhere. This technique allows client-side scripting languages, such as javascript, and possibly other client-side technologies like vbscript, flash, java, etc., the ability access http web authentication credentials, with the added bonus of achieving this result over ssl.

Normally, the cookie is sent back to the domain it belongs. But with this TRACE or TRACK HTTP method, it is possible to request a trace and the web server will send back all data, including the cookie! This is especially important for PHP-Nuke, since it relies on cookies for the authentication of its users.

To protect yourself, you should deactivate the TRACE HTTP method , if you are using Apache, and the TRACK HTTP method, if you are using IIS:

  • For Apache, you should put the following in the .htaccess file (Section 25.4) of your document root (or, for performance reasons, directly in the configuration file of Apache, if you have access to it):

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    

    Of course, this assumes that you have mod_rewrite (Section 25.2) installed.

  • For IIS, you should filter out the TRACE and TRACK methods with the URLScan filter. The only methods allowed should be GET, HEAD and POST.

There is nothing you can do in the code of PHP-Nuke to avoid this vulnerability, however you should bear in mind when we talk about cookies Section 23.4.5 that a Cross-Site Tracing attack may steal the cookies of your PHP-Nuke too. See also Cross-site tracing attack via HTTP TRACK / TRACE method.

Send all questions and comments to:
Webmaster
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest Fogfighters Hungary © 2007 - 2022

You can syndicate our news using the file backend.php or ultramode.txt

PHP-Nuke Copyright © 2005 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.36 Seconds

:: subBlack phpbb2 style by spectre :: PHP-Nuke theme by www.nukemods.com ::