[VIM] It's the defacers, stupid

Steven M. Christey coley at linus.mitre.org
Tue Jun 6 02:51:25 EDT 2006


On Tue, 6 Jun 2006, security curmudgeon wrote:

> I can say that historically, back when the attrition mirror was running,
> this was not the case. Most defacers used precanned scripts that allowed
> for remote code execution. It was rare to see any defacer post to the
> regular disclosure type lists.

You don't need precanned scripts any more, though - as you point out, a
couple ' and <script> will quickly yield you something.

> Even now, I have doubts. Most of these crappy disclosures are cross-site
> scripting, and some SQL injection. I seriously doubt they are using XSS to
> do defacing.

There have been various disclosures that have specifically mentioned HTML
injection as a means of doing permanent defacement.  'course I can't think
of any right now, and maybe it was just one of the frequent disclosers
saying it again and again, but I'll keep my eye out for the next one.

And if all you wanna do is deface, then HTML injection is a very easy way
to do it, and PHP file inclusion isn't much more difficult, especially
with PHP "shellcode".

Here are a couple Bugtraq URLs that mention "deface" or "defaced" or
"defacement" - granted it's just a drop in the bucket of XSS :)

http://marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114463137921014&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=113570387800157&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=112439025327479&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114211516817244&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114945545127270&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114867449028870&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114867313724418&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114002455209729&w=2


- Steve

