New vulnerabilities in CMS SiteLogic
Hello Bugtraq!

I want to warn you about Insufficient Anti-automation and Denial of Service vulnerabilities in CMS SiteLogic (in addition to the multiple vulnerabilities in CMS SiteLogic which I disclosed in 2009-2010). It's a Ukrainian commercial CMS.

SecurityVulns ID: 11258.

Affected products:
All versions of CMS SiteLogic with the corresponding functionality are vulnerable.

Details:

Insufficient Anti-automation (WASC-21):
http://site/?mid=1
In the contact form there is no protection from automated requests (captcha).

DoS (WASC-10):
An empty POST request at page http://site in the field "Search at the site" shows all records from the DB.

DoS (WASC-10):
http://site/?mid=1&action=arhiv
At the archive page all records from the DB are shown.

Timeline:
2010.08.31 - announced at my site.
2010.09.01 - informed developers.
2010.11.17 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4487/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile Customization
vBulletin - XSS Filter Bypass within Profile Customization

Versions Affected: 4.0.8 PL1 (3.8.* is not vulnerable.)

Info: Content publishing, search, security, and more - vBulletin has it all. Whether it's available features, support, or ease-of-use, vBulletin offers the most for your money. Learn more about what makes vBulletin the choice for people who are serious about creating thriving online communities.

External Links: http://www.vbulletin.com

Credits: MaXe (@InterN0T)

-:: The Advisory ::-

vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the Profile Customization feature. If this feature is not enabled the vulnerability does not exist and the installation of vBulletin is thereby secure.

Within the profile customization fields, it is possible to enter colour codes, RGB codes and even images. The image url() function does not sanitize user input in a sufficient way, causing vBulletin to be vulnerable to XSS attacks. With the previous patch for vBulletin 4.0.8 PL1, most attacks were disabled; however, it is possible to bypass this filter and inject data which is then executed effectively against, though not limited to, Internet Explorer 6.

Proof of Concept:
url(vbscript:msgbox(X/SS))

-:: Solution ::-
Update vBulletin to version: 4.0.8 PL2

Disclosure Information:
- Vulnerability found and researched: 18th November 2010
- Disclosed to vendor (Internet Brands): 18th November
- Patch from Vendor available: 19th November
- Disclosed at: InterN0T, Full Disclosure, Bugtraq and Exploit: 20th November

References:
http://forum.intern0t.net/intern0t-advisories/3398-vbulletin-4-0-8-pl1-cross-site-scripting-filter-bypass-within-profile-customization.html
http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-cross-site-scripting-via-profile-customization.html
Apple Safari for Windows (4.0.2-4.0.5, 5.0-5.0.2) Math.random() predictability
Hi list,

Earlier this year, Trusteer discovered a vulnerability in Apple Safari for Windows (versions 4.0.2-4.0.5 and 5.0-5.0.2). The issue is in the JavaScript Math.random function, which is implemented in Safari via its WebKit core. Trusteer reported this vulnerability to Apple and to WebKit.org. Today Apple released a fix for this vulnerability as Safari 5.0.3 (http://support.apple.com/kb/HT1222, http://support.apple.com/kb/HT4455).

For more details, please read the full report:
http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Safari_for_Windows.pdf

Thanks,
-Amit

Amit Klein, CTO, Trusteer
'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298)
'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298)
Mark Stanislav - mark.stanis...@gmail.com

I. DESCRIPTION
---
A vulnerability exists in the 'Free Simple Software' download module which allows for a 'UNION SELECT' to easily expose the application administrator's plaintext password.

II. TESTED VERSION
---
1.0 [Manual Install Version]

III. PoC EXPLOIT
---
http://site.com/index.php?page=downloads&request=download_now&downloads_id=' UNION SELECT email_address as name, NULL, NULL, password as file_name, last_name as file_url from admin_users where id!='NULL

IV. NOTES
---
* User passwords for this web application are not encrypted or hashed, which makes this exploit even more concerning.
* The PoC assumes that the first user is the administrative user, which is the default behavior for the application.
* At least 1 download must already exist to enable this exploit.
* Due to a previous vulnerability not being fixed 3 months after disclosure (CVE-2010-3307), it's assumable that this application is not being actively developed.

V. SOLUTION
---
Do not utilize the download module. No patch/upgrade is available at this time.

VI. REFERENCES
---
http://www.freesimplesoft.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4298
https://www.uncompiled.com/2010/11/free-simple-software-sql-injection-vulnerability-cve-2010-4298/

VII. TIMELINE
---
11/12/2010: Initial disclosure e-mail to the vendor
11/21/2010: Public disclosure
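The PoC works because downloads_id is spliced straight into the SQL text, so a leading quote closes the string literal and the UNION appends five columns from admin_users in the positions the page later renders. As an added example, not the application's code, the following reproduces that against a constructed in-memory SQLite schema and shows the parameterised lookup the module needs; the table layout, the two unnamed middle columns and every row value are assumptions.

```python
import sqlite3

# Column names come from the advisory's PoC; the rest of the schema, the two
# unnamed middle columns and all row values are constructed for this example.
SCHEMA = """
CREATE TABLE admin_users (id INTEGER, email_address TEXT, last_name TEXT, password TEXT);
INSERT INTO admin_users VALUES (1, 'admin@example.test', 'Admin', 'plaintext-pw');
CREATE TABLE downloads (downloads_id INTEGER, name TEXT, col2 TEXT, col3 TEXT,
                        file_name TEXT, file_url TEXT);
INSERT INTO downloads VALUES (1, 'Manual', NULL, NULL, 'manual.pdf', '/files/manual.pdf');
"""

# The downloads_id value from the advisory's PoC URL, URL-decoded.
PAYLOAD = ("' UNION SELECT email_address as name, NULL, NULL, password as file_name, "
           "last_name as file_url from admin_users where id!='NULL")

def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def vulnerable_lookup(con, downloads_id: str):
    """String-built query: the quote in downloads_id closes the literal, and the
    UNION only has to supply the same five columns the original SELECT returns."""
    sql = ("SELECT name, col2, col3, file_name, file_url FROM downloads "
           f"WHERE downloads_id='{downloads_id}'")
    return con.execute(sql).fetchall()

def fixed_lookup(con, downloads_id: str):
    """Hardened: validate the id as a number, then bind it as a parameter so the
    driver never lets the value change the statement's structure. Storing the
    password unhashed (the advisory's other finding) is a separate fix."""
    if not downloads_id.isdigit():
        return []
    sql = ("SELECT name, col2, col3, file_name, file_url FROM downloads "
           "WHERE downloads_id=?")
    return con.execute(sql, (int(downloads_id),)).fetchall()

def demo():
    """Run both lookups with the PoC payload; returns (vulnerable_rows, fixed_rows)."""
    con = build_db()
    return vulnerable_lookup(con, PAYLOAD), fixed_lookup(con, PAYLOAD)

if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable:", vuln)  # the admin password is returned in the file_name column
    print("fixed:", fixed)      # []
```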
H2HC Cancun - Free Entrance!
Dear All,

I'm proud to announce that the H2HC Cancun entrance is now free - thanks to our sponsors that helped us to make this happen: Microsoft, Nitro Security, Trustwave and others!

As many of you already know, H2HC (Hackers to Hackers Conference) has been held for the 7th year in São Paulo, but for the first year also in Cancun. The conference will be held in the luxurious Resort Hotel Melia ME Cancun (http://www.me-cancun.com/) on the 3rd of December. All the talks have simultaneous translation to Spanish and the speaker list is awesome (thanks to all of you who trusted us and submitted your great material for the first year of our conference in Cancun) - check it out: http://www.h2hc.com.br/cancun/.

Best Regards and see you in this amazing city,
Rodrigo.
[eVuln.com] url XSS in Hot Links Lite
New eVuln Advisory: url XSS in Hot Links Lite
http://evuln.com/vulns/142/summary.html

--- Summary ---
eVuln ID: EV0142
Software: Hot Links Lite
Vendor: Mrcgiguy
Version: 1.0
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

--- Description ---
XSS vulnerability found in the url parameter of the process.cgi script. This can be used to insert any script code. The admin panel is vulnerable also.

--- PoC/Exploit ---
PoC code is available at http://evuln.com/vulns/142/exploit.html

--- Solution ---
Not available

--- Credit ---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/tool/xss-encoder.html - XSS String Encoder
[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack. Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default, so this vulnerability could expose session cookies from the manager application to an attacker.

A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.

Example:
GET /manager/html/sessions?path=/&sort=<script>alert('xss')</script>&order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations
- Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the 7.0.4 patch (see below)
  - Update to 7.0.5 when released
- Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science. Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches

The Apache Tomcat Security Team

Patch for 6.0.29
Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp === - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769) +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy) @@ -30,8 +30,10 @@ % String path = (String) request.getAttribute(path); Session currentSession = (Session)request.getAttribute(currentSession); HttpSession currentHttpSession = currentSession.getSession(); - - String currentSessionId = currentSession.getId(); - - String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString(); + String currentSessionId = JspHelper.escapeXml(currentSession.getId()); + String submitUrl = JspHelper.escapeXml( + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + + ?path= + path); % head meta http-equiv=content-type content=text/html; charset=iso-8859-1/ @@ -45,7 +47,7 @@ titleSessions Administration: details for %= currentSessionId %/title /head body - -h1Details for Session %= JspHelper.escapeXml(currentSessionId) %/h1 +h1Details for Session %= currentSessionId %/h1 table style=text-align: left; border=0 tr @@ -54,7 +56,7 @@ /tr tr thGuessed Locale/th - -td%= JspHelper.guessDisplayLocaleFromSession(currentSession) %/td +td%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %/td /tr tr thGuessed User/th
@@ -120,7 +122,7 @@ String attributeName = (String) attributeNamesEnumeration.nextElement(); % tr - - td align=centerform action=%= submitUrl %divinput type=hidden name=path value=%= path % /input type=hidden name=action value=removeSessionAttribute /input type=hidden name=sessionId value=%= currentSessionId % /input type=hidden name=attributeName value=%= attributeName % /input type=submit value=Remove //div/form/td + td align=centerform action=%= submitUrl %divinput type=hidden name=action value=removeSessionAttribute /input type=hidden name=sessionId value=%= currentSessionId % /input type=hidden name=attributeName value=%= JspHelper.escapeXml(attributeName) % /input type=submit value=Remove //div/form/td td%= JspHelper.escapeXml(attributeName) %/td td% Object attributeValue = currentHttpSession.getAttribute(attributeName); %span title=%= attributeValue == null ? : attributeValue.getClass().toString() %%= JspHelper.escapeXml(attributeValue) %/span/td /tr Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
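Review bot: in the @@ -30,8 +30,10 @@ hunk of sessionDetail.jsp, `path` is concatenated into `submitUrl` as `getRequestURI() + "?path=" + path` and the result is only passed through JspHelper.escapeXml. That makes the string safe inside an HTML attribute but does not URL-encode it, so a context path containing `&`, `#`, `%` or `?` would be split or mangled when the form is submitted; URL-encode `path` (java.net.URLEncoder) before the concatenation and keep the escapeXml around the whole value. Escaping `currentSessionId` at its declaration is a sound choice, since the unchanged `title` element in the following hunk's context also emits it.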
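Review bot: the @@ -54,7 +56,7 @@ hunk escapes the Guessed Locale cell but ends immediately before the Guessed User row (`thGuessed User/th` is its last context line), whose value is derived from session data in the same way; confirm that cell is wrapped in JspHelper.escapeXml as well, otherwise the screen stays exploitable from an untrusted web application in exactly the way the advisory describes.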
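Review bot: in the @@ -120,7 +122,7 @@ hunk the removed hidden `path` input is now carried by the query string of `submitUrl`, and `attributeName` gains escapeXml in the hidden field, but the unchanged context line still writes `attributeValue.getClass().toString()` into the span's title attribute without escaping. Class names normally contain only identifier characters, yet they originate from the deployed web application, which this advisory treats as untrusted for the additional XSS issues; wrap that expression in JspHelper.escapeXml too, or drop the title attribute.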
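A defender who cannot apply the patch immediately will want to know whether the sessions page has already been hit with a request like the one in the advisory. As an added example (not Tomcat's code), the following scans access-log lines, constructed here in common log format, for requests to /manager/html/sessions whose sort, order or orderBy values are anything other than a plain identifier token; the log format and the token rule are assumptions, since the page does not enumerate the sort keys sessionList.jsp accepts.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines; the second carries the advisory's example
# request, percent-encoded the way a client would actually send it.
LOG_LINES = [
    '10.0.0.5 - admin [17/Nov/2010:10:01:02 +0000] "GET /manager/html/sessions?path=/&sort=id&order=ASC HTTP/1.1" 200 5123',
    '10.0.0.9 - - [17/Nov/2010:10:02:07 +0000] "GET /manager/html/sessions?path=/&sort=%3Cscript%3Ealert(%27xss%27)%3C/script%3E&order=ASC&action=injectSessions&refresh=Refresh+Sessions+list HTTP/1.1" 200 5211',
    '10.0.0.5 - admin [17/Nov/2010:10:03:00 +0000] "GET /manager/html/list HTTP/1.1" 200 2400',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A legitimate sort key or order is a bare identifier (assumption: the shape is
# checked rather than a fixed list of names, which the page does not give).
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_]{1,40}$")
WATCHED = ("sort", "order", "orderBy")

def suspicious_params(target: str):
    """Return (param, decoded value) pairs in a manager sessions request whose
    sort/order values are not plain identifiers. Other paths yield nothing."""
    parts = urlsplit(target)
    if not parts.path.startswith("/manager/html/sessions"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    bad = []
    for key in WATCHED:
        for value in query.get(key, []):
            value = unquote(value)  # a second decode catches double-encoding
            if not SAFE_TOKEN.match(value):
                bad.append((key, value))
    return bad

def scan(lines):
    """Return (client_ip, param, value) for every suspicious request seen."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m is None:
            continue
        client = line.split(" ", 1)[0]
        hits.extend((client, k, v) for k, v in suspicious_params(m.group("target")))
    return hits

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print("suspicious sessions request from %s: %s=%r" % hit)
```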