New vulnerabilities in CMS SiteLogic

2010-11-22 Thread MustLive

Hello Bugtraq!

I want to warn you about Insufficient Anti-automation and Denial of Service
vulnerabilities in CMS SiteLogic (in addition to the multiple
vulnerabilities in CMS SiteLogic which I disclosed in 2009-2010). It's a
Ukrainian commercial CMS.

SecurityVulns ID: 11258.

Affected products:

Vulnerable are all versions of CMS SiteLogic with corresponding
functionality.

Details:

Insufficient Anti-automation (WASC-21):

http://site/?mid=1

In the contact form there is no protection from automated requests (captcha).

DoS (WASC-10):

An empty POST request at page http://site in the field “Search at the site” shows
all records from the DB.

DoS (WASC-10):

http://site/?mid=1&action=arhiv

At the archive page all records from the DB are shown.


Timeline:


2010.08.31 - announced at my site.
2010.09.01 - informed developers.
2010.11.17 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/4487/).


Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua




vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile Customization

2010-11-22 Thread advisories
vBulletin - XSS Filter Bypass within Profile Customization


Versions Affected: 4.0.8 PL1 (3.8.* is not vulnerable.)

Info:
Content publishing, search, security, and more - vBulletin has it all.
Whether it's available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online communities.

External Links:
http://www.vbulletin.com

Credits: MaXe (@InterN0T)


-:: The Advisory ::-
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the
Profile Customization feature. If this feature is not enabled the vulnerability
does not exist and the installation of vBulletin is thereby secure.

Within the profile customization fields, it is possible to enter colour codes,
rgb codes and even images. The image url() function does not sanitize user
input sufficiently, causing vBulletin to be vulnerable to XSS attacks.

With the previous patch for vBulletin 4.0.8 PL1, most attacks were disabled;
however, it is possible to bypass this filter and inject data which is then
executed effectively against, though not limited to, Internet Explorer 6.

Proof of Concept:
url(vbscript:msgbox(X/SS))


-:: Solution ::-
Update vBulletin to version: 4.0.8 PL2


Disclosure Information:
- Vulnerability found and researched: 18th November 2010
- Disclosed to vendor (Internet Brands): 18th November
- Patch from Vendor available: 19th November
- Disclosed at: InterN0T, Full Disclosure, Bugtraq and Exploit: 20th November


References:
http://forum.intern0t.net/intern0t-advisories/3398-vbulletin-4-0-8-pl1-cross-site-scripting-filter-bypass-within-profile-customization.html
http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-cross-site-scripting-via-profile-customization.html


Apple Safari for Windows (4.0.2-4.0.5, 5.0-5.0.2) Math.random() predictability

2010-11-22 Thread Amit Klein
Hi list

Earlier this year, Trusteer discovered a vulnerability in Apple Safari for 
Windows (versions 4.0.2-4.0.5 and 5.0-5.0.2). The issue is in the Javascript 
Math.random function, which is implemented in Safari via its WebKit core. 
Trusteer reported this vulnerability to Apple and to WebKit.org. Today Apple 
released a fix to this vulnerability - as Safari 5.0.3 
(http://support.apple.com/kb/HT1222, http://support.apple.com/kb/HT4455). 

For more details, please read the full report:
http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Safari_for_Windows.pdf


Thanks,
-Amit
Amit Klein, CTO, Trusteer




'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298)

2010-11-22 Thread Mark Stanislav
'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the 'Free Simple Software' download module which 
allows for a 'UNION SELECT' to easily expose the application administrator's 
plaintext password.

 
II. TESTED VERSION
---
1.0 [Manual Install Version]


III. PoC EXPLOIT
---
http://site.com/index.php?page=downloads&request=download_now&downloads_id='
UNION SELECT email_address as name, NULL, NULL, password as file_name,
last_name as file_url from admin_users where id!='NULL


IV. NOTES 
---
* User passwords for this web application are not encrypted or hashed which 
makes this exploit even more concerning.
* The PoC assumes that the first user is the administrative user which is the 
default behavior for the application.
* At least 1 download must already exist to enable this exploit.
* Due to a previous vulnerability not being fixed 3 months after disclosure
(CVE-2010-3307), it's assumable that this application is not being actively
developed.


V. SOLUTION
---
Do not utilize the download module. No patch/upgrade is available at this time.


VI. REFERENCES
---
http://www.freesimplesoft.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4298
https://www.uncompiled.com/2010/11/free-simple-software-sql-injection-vulnerability-cve-2010-4298/


VII. TIMELINE
---
11/12/2010: Initial disclosure e-mail to the vendor
11/21/2010: Public disclosure
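
The defect this advisory describes, shown as an added example rather than Free Simple Software's own code (the application's source is not on this page): the download lookup built by string concatenation beside its parameterised counterpart, both run against a constructed in-memory SQLite database. The only names taken from the page are those in the PoC (admin_users, email_address, last_name, password, name, file_name, file_url, downloads_id); the remaining columns and the shape of the original query are assumptions.

```python
import sqlite3

# Constructed in-memory schema for the demo. Only the names the advisory's
# PoC mentions come from the page; the other columns are assumptions.
SCHEMA = """
CREATE TABLE admin_users (
    id            INTEGER PRIMARY KEY,
    email_address TEXT,
    last_name     TEXT,
    password      TEXT            -- stored in clear, as the advisory notes
);
CREATE TABLE downloads (
    downloads_id INTEGER PRIMARY KEY,
    name         TEXT,
    description  TEXT,
    size         TEXT,
    file_name    TEXT,
    file_url     TEXT
);
INSERT INTO admin_users VALUES
    (1, 'admin@example.invalid', 'Admin', 'constructed-plaintext-pw');
INSERT INTO downloads VALUES
    (1, 'Sample', 'A sample download', '1 KB', 'sample.zip', '/files/sample.zip');
"""

# The downloads_id value from the advisory's PoC URL, URL-decoded.
ADVISORY_PAYLOAD = (
    "' UNION SELECT email_address as name, NULL, NULL, "
    "password as file_name, last_name as file_url "
    "from admin_users where id!='NULL"
)

SELECT_COLUMNS = "SELECT name, description, size, file_name, file_url FROM downloads "


def lookup_download_vulnerable(conn, downloads_id):
    """The defect the advisory describes: the request parameter is spliced into
    the SQL text, so a quote ends the literal and the remainder is parsed as
    SQL. (Assumed shape of the original query; the real source is not on the
    page.)"""
    sql = SELECT_COLUMNS + "WHERE downloads_id='" + downloads_id + "'"
    return conn.execute(sql).fetchall()


def lookup_download_safe(conn, downloads_id):
    """Hardened form: a bound parameter reaches the engine as a value, never as
    SQL text, so the same payload is compared to downloads_id and matches
    nothing."""
    sql = SELECT_COLUMNS + "WHERE downloads_id=?"
    return conn.execute(sql, (downloads_id,)).fetchall()


def demo():
    """Run both lookups with a normal id and with the advisory payload."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return {
        "normal_vulnerable": lookup_download_vulnerable(conn, "1"),
        "normal_safe": lookup_download_safe(conn, "1"),
        "payload_vulnerable": lookup_download_vulnerable(conn, ADVISORY_PAYLOAD),
        "payload_safe": lookup_download_safe(conn, ADVISORY_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the payload's UNION returns the admin row in place of a download record; with the bound parameter the identical input simply fails to match any downloads_id. The advisory's note that passwords are stored in clear is the second half of the risk: a parameterised query stops the leak, and hashing the stored passwords limits the damage if any other query is ever found injectable.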

H2HC Cancun - Free Entrance!

2010-11-22 Thread Rodrigo Rubira Branco (BSDaemon)
Dear All,

I'm proud to announce that the H2HC Cancun entrance is now free - Thanks
to our sponsors that helped us to make this happen: Microsoft, Nitro
Security, Trustwave and others!

As many of you already know, H2HC (Hackers to Hackers Conference) has
been held for the 7th year in São Paulo, but for the first year also in
Cancun.

The conference will be held in the luxurious Resort Hotel Melia ME
Cancun (http://www.me-cancun.com/) on the 3rd of December.

All the talks have simultaneous translation to Spanish and the speaker
list is awesome (thanks to all of you who trusted us and submitted your
great material for the first year of our conference in Cancun) - check
it out:  http://www.h2hc.com.br/cancun/.


Best Regards and see you in this amazing city,


Rodrigo.



[eVuln.com] url XSS in Hot Links Lite

2010-11-22 Thread bt
New eVuln Advisory:

url XSS in Hot Links Lite

http://evuln.com/vulns/142/summary.html 



---Summary---

eVuln ID: EV0142

Software: Hot Links Lite

Vendor: Mrcgiguy

Version: 1.0

Critical Level: low

Type: Cross Site Scripting

Status: Unpatched. No reply from developer(s)

PoC: Available

Solution: Not available

Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

Description

An XSS vulnerability was found in the url parameter of the process.cgi script. This can be
used to insert arbitrary script code. The admin panel is also vulnerable.

PoC/Exploit

PoC code is available at http://evuln.com/vulns/142/exploit.html 

---Solution---

Not available

---Credit---

Vulnerability discovered by Aliaksandr Hartsuyeu

http://evuln.com/tool/xss-encoder.html - XSS String Encoder
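
A defensive counterpart to the two filter failures in this digest (the vBulletin url() bypass via the vbscript: scheme, and the Hot Links Lite url parameter above), added here as an example; it is not code from either product. It treats a user-supplied URL the way a browser will: strips the control characters browsers ignore, reads the scheme case-insensitively, and accepts only an allowlist, so a denylist that blocks javascript: but not vbscript: cannot be bypassed by the next scheme. The html.escape step covers the attribute and text contexts; that the Hot Links url value ends up in an anchor is an assumption.

```python
import html
import re

# Schemes a profile field or link directory entry is allowed to reference.
ALLOWED_SCHEMES = {"http", "https"}

# Characters browsers discard inside a URL before parsing the scheme: ASCII
# controls, space and DEL. "java\tscript:" or "\nvbscript:" still execute.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Characters that could close a CSS url() token, the declaration or the
# style block, or smuggle whitespace/controls into it.
_CSS_UNSAFE = re.compile(r"""[()"'\\<>\x00-\x20\x7f]""")


def normalize_scheme(value):
    """Return the scheme of value, lower-cased, as a browser would see it;
    '' if the reference is relative (no scheme)."""
    cleaned = _IGNORED.sub("", value)
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else ""


def safe_css_url(value):
    """Value for a CSS url() in a user profile (the vBulletin case).
    Returns the url() token, or None to reject. Allows http(s) and relative
    references only, so vbscript:, javascript:, data: and any scheme that is
    not on anyone's denylist yet are all refused by default."""
    if not value:
        return None
    scheme = normalize_scheme(value)
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    # Refuse rather than escape: CSS escaping rules differ per context and
    # a rejected value costs the user nothing.
    if _CSS_UNSAFE.search(value):
        return None
    return 'url("%s")' % value


def safe_html_link(value, text):
    """Anchor for a submitted link URL (assumed destination of Hot Links
    Lite's url parameter). Absolute http(s) only, then HTML-escaped for the
    attribute and element contexts."""
    if normalize_scheme(value) not in ALLOWED_SCHEMES:
        return None
    return '<a href="%s">%s</a>' % (html.escape(value, quote=True),
                                    html.escape(text))


if __name__ == "__main__":
    # Constructed inputs: one benign, the rest scheme tricks a denylist misses.
    for v in ("https://example.invalid/bg.png", "vbscript:msgbox(1)",
              "\tJaVaScRiPt:alert(1)", "java\nscript:alert(1)"):
        print(repr(v), "->", safe_css_url(v))
```

The point the vBulletin advisory makes is that a filter which names bad schemes is only as complete as its list; an allowlist plus browser-faithful normalisation (strip ignored characters, then compare case-insensitively) removes the list as an attack surface.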





[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

2010-11-22 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected
versions uses the orderBy and sort request parameters without applying
filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session
cookies by default so this vulnerability could expose session cookies
from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team
identified additional XSS vulnerabilities if the web applications
deployed were not trusted.

Example:
GET /manager/html/sessions?path=/&sort=<script>alert('xss')</script>&order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the patch 7.0.4 patch (see below)
  - Update to 7.0.5 when released
- - Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a
result of reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches The Apache Tomcat Security Team



Patch for 6.0.29


Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp   (working copy)
@@ -30,8 +30,10 @@
 % String path = (String) request.getAttribute(path);
Session currentSession =
(Session)request.getAttribute(currentSession);
HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl =
((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(
+   ((HttpServletRequest)
pageContext.getRequest()).getRequestURI() +
+   ?path= + path);
 %
 head
 meta http-equiv=content-type content=text/html;
charset=iso-8859-1/
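Review bot: escapeXml is now applied to currentSessionId and submitUrl at the point of assignment, so both variables hold HTML-escaped text from line 33 onward; that is right for every place this JSP prints them, but any later use of currentSessionId as a raw value (a lookup key, a redirect target) would receive the escaped form, so a comment at the declaration stating that these variables are pre-escaped would prevent that mistake. Separately, the new submitUrl appends `?path= + path` without URL-encoding path before the whole string is escaped; a context path containing `&`, `#` or `%` would alter the query string, so consider URLEncoder.encode(path, "UTF-8") before the concatenation.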
@@ -45,7 +47,7 @@
titleSessions Administration: details for %= currentSessionId
%/title
 /head
 body
- -h1Details for Session %= JspHelper.escapeXml(currentSessionId) %/h1
+h1Details for Session %= currentSessionId %/h1
  table style=text-align: left; border=0
   tr
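Review bot: removing the escapeXml call around currentSessionId in the h1 is correct only because the earlier hunk now escapes the value where it is declared, so the two hunks must land together; note also that the unchanged <title> line in this hunk's context (`Sessions Administration: details for %= currentSessionId %`) was emitting the raw session id before this change and is fixed only indirectly by the assignment-time escaping, which is worth calling out in the commit message or a code comment so a future edit does not reintroduce a raw assignment.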
@@ -54,7 +56,7 @@
   /tr
   tr
 thGuessed Locale/th
- -td%= JspHelper.guessDisplayLocaleFromSession(currentSession)
%/td
+td%=
JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession))
%/td
   /tr
   tr
 thGuessed User/th
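Review bot: the guessed-locale value is now escaped, but the very next row in the trailing context is "Guessed User", whose value cell lies just outside this hunk; it is derived from session contents the same way the locale is, so confirm it receives the same JspHelper.escapeXml wrapping rather than assuming the review stopped at the locale row.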
@@ -120,7 +122,7 @@
String attributeName = (String)
attributeNamesEnumeration.nextElement();
 %
tr
- - td align=centerform action=%= submitUrl 
%divinput
type=hidden name=path value=%= path % /input type=hidden
name=action value=removeSessionAttribute /input type=hidden
name=sessionId value=%= currentSessionId % /input type=hidden
name=attributeName value=%= attributeName % /input type=submit
value=Remove //div/form/td
+   td align=centerform action=%= submitUrl 
%divinput
type=hidden name=action value=removeSessionAttribute /input
type=hidden name=sessionId value=%= currentSessionId % /input
type=hidden name=attributeName value=%=
JspHelper.escapeXml(attributeName) % /input type=submit
value=Remove //div/form/td
td%= JspHelper.escapeXml(attributeName) %/td
td% Object attributeValue =
currentHttpSession.getAttribute(attributeName); %span title=%=
attributeValue == null ?  : attributeValue.getClass().toString()
%%= JspHelper.escapeXml(attributeValue) %/span/td
/tr
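Review bot: attributeName is now escaped inside the hidden input, but the span title in the trailing context still emits `attributeValue.getClass().toString()` unescaped; class names come from the deployed web application, which this advisory's own scope treats as potentially untrusted, so wrap that expression in JspHelper.escapeXml like the adjacent value. Also, dropping the hidden `path` input relies on submitUrl now carrying `?path=` in its query string: if this form submits with method GET, browsers discard the action's query string and replace it with the form fields, so path would be lost; the removal is safe only for a POST form, and the method attribute (not visible in this hunk) should be checked.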
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp