Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua

2013-01-01 Thread Benji
I was asking for your opinion.


On Tue, Jan 1, 2013 at 7:31 PM, some one  wrote:

> If you reread what i posted you will see that i do not give my opinion on
> the quality of his posts. I will keep that to myself, I just state that its
> better than dudes (and your) troll posts.
>
> Regards
> On Jan 1, 2013 3:04 PM, "Benji"  wrote:
>
>> So you would say, that you find the things he posts "of interest"?
>>
>> Please expand on how and why anti automation bugs in unknown cms's are
>> "of interest"?
>>
>>
>> On Mon, Dec 31, 2012 at 11:58 PM, some one wrote:
>>
>>> If you do not like or find of interest what the guy posts is it not
>>> easier to just press delete or filter him out rather than try to make fun
>>> of him?
>>>
>>> Give the dude a break man, he's submitting more things of interest than
>>> you are and you just make yourself sound bitter and twisted.
>>>
>>> It's new year man, go out and drink a beer or eat some fireworks
>>> On Dec 31, 2012 5:17 PM, "Julius Kivimäki" 
>>> wrote:
>>>
>>>> Hello list!
>>>>
>>>> I want to warn you about multiple extremely severe vulnerabilities in
>>>> websecurity.com.ua.
>>>>
>>>> These are Brute Force and Insufficient Anti-automation vulnerabilities
>>>> in websecurity.com.ua. These vulnerabilities are very serious and could
>>>> affect millions of people.
>>>>
>>>> Affected products:
>>>>
>>>> Vulnerable are all versions of websecurity.com.ua.
>>>>
>>>> Details:
>>>>
>>>> Brute Force (WASC-11):
>>>>
>>>> In the ftp server (websecurity.com.ua:21) there is no protection from
>>>> Brute Force attacks.
>>>>
>>>> Cross-Site Request Forgery (WASC-09):
>>>>
>>>> Lack of captcha in the login form (http://websecurity.com.ua:21/) can be
>>>> used for different attacks - for a CSRF attack to log into an account
>>>> (remote login - to conduct attacks on vulnerabilities inside the
>>>> account), for automated entering into an account, for phishing and other
>>>> automated attacks, which you can read about in the article "Attacks on
>>>> unprotected login forms"
>>>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
>>>>
>>>> Insufficient Anti-automation (WASC-21):
>>>>
>>>> In the login form there is no protection against automated requests,
>>>> which allows picking up logins in an automated way by attacking the
>>>> login function.
>>>>
>>>> Timeline:
>>>>
>>>> 2012.06.28 - announced at my site about websecurity.com.ua.
>>>> 2012.06.28 - informed developers about the first part of
>>>> vulnerabilities in websecurity.com.ua.
>>>> 2012.06.30 - informed developers about the second part of
>>>> vulnerabilities in websecurity.com.ua.
>>>> 2012.07.26 - announced at my site about websecurity.com.ua.
>>>> 2012.07.28 - informed developers about vulnerabilities in
>>>> websecurity.com.ua and reminded about previous two letters I had sent
>>>> to them with carrier pigeons.
>>>> 2012.07.28-2012.10.31 - multiple attempts to contact the owners of
>>>> websecurity.com.ua were ignored by the owners.
>>>> 2012.11.02 - developers responded "fuck off and kill urself irl!".
>>>> 2012.12.31 - disclosed on the list
>>>>
>>>> Best wishes & regards,
>>>> MustLive
>>>> Security master extraordinaire, master sysadmin
>>>> http://websecurity.com.ua
>>>>
>>>> ___
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua

2013-01-01 Thread Benji
So you would say, that you find the things he posts "of interest"?

Please expand on how and why anti automation bugs in unknown cms's are "of
interest"?


On Mon, Dec 31, 2012 at 11:58 PM, some one wrote:

> If you do not like or find of interest what the guy posts is it not easier
> to just press delete or filter him out rather than try to make fun of him?
>
> Give the dude a break man, he's submitting more things of interest than you
> are and you just make yourself sound bitter and twisted.
>
> It's new year man, go out and drink a beer or eat some fireworks

Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua

2013-01-01 Thread some one
If you do not like or find of interest what the guy posts is it not easier
to just press delete or filter him out rather than try to make fun of him?

Give the dude a break man, he's submitting more things of interest than you
are and you just make yourself sound bitter and twisted.

It's new year man, go out and drink a beer or eat some fireworks

[Full-disclosure] CubeCart 5.x | Multiple Cross Site Scripting Vulnerabilities

2013-01-01 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 5.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an attacker
to conduct a Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.


4. VERSIONS AFFECTED

5.x


5. Affected URLs and Parameters

/admin.php (report[date][from] parameter)
/admin.php (report[date][to] parameter)
/index.php (review[email] parameter)
/index.php (review[name] parameter)
/index.php (review[title] parameter)


6. SOLUTION

The vendor has chosen not to fix the issue.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: Vulnerability disclosed
2012-12-24: The vendor replied that the fix would not be implemented.
2013-01-01: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5x%5D_xss
CubeCart Home Page: http://cubecart.com/

#yehg [2013-01-01]
-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] CubeCart 5.x | Cross Site Request Forgery (CSRF) Vulnerability

2013-01-01 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 5.x versions are vulnerable to Cross Site Request Forgery (CSRF).


2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 5.x versions contain a flaw that allows a remote Cross-site
Request Forgery (CSRF / XSRF) attack. The flaw exists because the
application does not require multiple steps or explicit confirmation
for sensitive transactions in the majority of administrator functions,
such as adding a new user or granting a user administrative privileges.
By using a crafted URL, an attacker may trick the victim into visiting
his web page to take advantage of the trust relationship between the
authenticated victim and the application. Such an attack could trick
the victim into executing arbitrary commands in the context of their
session with the application, without further prompting or
verification.


4. VERSIONS AFFECTED

5.x


5. Proof-of-Concept

http://localhost/admin.php?_g=documents&node=index&delete=1 (Delete
file in Site Documents)
http://localhost/admin.php?_g=filemanager&mode=digital&delete=1
(Delete file in File Manager)
http://localhost/admin.php?_g=settings&node=admins&action=edit&admin_id=2
(Delete user)
http://localhost/admin.php?_g=customers&sort%5Bregistered%5D=DESC&action=delete&customer_id=1
(Delete customer user)
http://localhost/admin.php?_g=products&sort%5Bupdated%5D=DESC&delete=1
(Delete product)


6. SOLUTION

The vendor has chosen not to fix the issue.
The workaround is not to visit malicious sites while logged in.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: Vulnerability disclosed
2012-12-24: The vendor replied that the fix would not be implemented.
2013-01-01: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5x%5D_csrf
CubeCart Home Page: http://cubecart.com/

#yehg [2013-01-01]
-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



Re: [Full-disclosure] CubeCart 5.0.7 and lower versions | Insecure Backup File Handling

2013-01-01 Thread YGN Ethical Hacker Group
5.x only


On Sat, Dec 29, 2012 at 11:02 AM, Sean Jenkins  wrote:
> Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or
> just 5.0.[0..6]?
>
> Sean Jenkins
> Sr. System Administrator
>
>
> On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:
>>
>> 1. OVERVIEW
>>
>> CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
>> File Handling which leads to the disclosure of the application
>> configuration file.
>>
>>
>> 2. BACKGROUND
>>
>> CubeCart is an "out of the box" ecommerce shopping cart software
>> solution which has been written to run on servers that have PHP &
>> MySQL support. With CubeCart you can quickly setup a powerful online
>> store which can be used to sell digital or tangible products to new
>> and existing customers all over the world.
>>
>>
>> 3. VULNERABILITY DESCRIPTION
>>
>> CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
>> up the configuration file, "global.inc.php", upon a new installation or
>> upgrade process. The name of the backup configuration file is set to the
>> year, month, day, hour and minute at which the process is performed. The
>> non-randomized nature of this backup scheme allows an attacker to
>> retrieve the file through a brute-force method.
>>
>>
>> 4. VERSIONS AFFECTED
>>
>> 5.0.7 and lower versions
>>
>>
>> 5. Affected Files
>>
>> /setup/setup.install.php
>> /setup/setup.upgrade.php
>>
>> Code:
>>
>>   ## Backup existing config file, if it exists
>>   if (file_exists($global_file)) {
>>       rename($global_file, $global_file.'-'.date('Ymdgi'));
>>   }
>>
>> e.g.
>> http://127.0.0.1/cube507/includes/global.inc.php-2012021245719
>>
>>
>> 6. SOLUTION
>>
>> Upgrade to the latest CubeCart version - 5.x.
>>
>>
>> 7. VENDOR
>>
>> CubeCart Development Team
>> http://cubecart.com/
>>
>>
>> 8. CREDIT
>>
>> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>>
>>
>> 9. DISCLOSURE TIME-LINE
>>
>> 2012-03-24: Vulnerability reported
>> 2012-12-28: Vulnerability disclosed
>>
>>
>> 10. REFERENCES
>>
>> Original Advisory URL:
>> http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
>> CubeCart Home Page: http://cubecart.com/
>>
>> #yehg [2012-12-28]
>>
>> -
>> Best regards,
>> YGN Ethical Hacker Group
>> Yangon, Myanmar
>> http://yehg.net
>> Our Lab | http://yehg.net/lab
>> Our Directory | http://yehg.net/hwd
>
>



[Full-disclosure] Charybdis: Improper assumptions in the server handshake code may lead to a remote crash. (CAPAB module)

2013-01-01 Thread Mustapha Rabiu
> Access vector: network
> Access complexity: low
> Authentication requirement: none
>
> Confidentiality impact: none
> Integrity impact: none
> Availability impact: complete
>
> CVSSv2 temporal score: 6.4
>
> Exploitability: functional exploit exists
> Remediation level: official fix
> Report confidence: confirmed
>
> Summary:
>
> All versions of Charybdis are vulnerable to a remotely-triggered crash bug
> caused by code originating from ircd-ratbox 2.0.  (Incidentally, this means
> all versions since ircd-ratbox 2.0 are also vulnerable.)
>
> The bug has to do with server capability negotiation.  A malformed request
> will trigger a crash due to invalid assumptions.
>
> Mitigation:
>
> A patch for all affected versions of ircd-ratbox and charybdis is available
> from the charybdis GIT repository:
>   https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch
>
> To apply the patch, go to your IRCd source tree and run the following
> commands:
>   $ patch -p1 < /path/to/downloaded/patchfile.patch
>   $ make
>   $ make install
>
> Then you may hotfix the IRCd by running /MODRESTART as a server admin.
>
> Details:
>
> In ratbox-2, the following code was added to m_capab.c:
>   char *t = LOCAL_COPY(parv[i]);
>
> The other logic was then modified to make use of that stack-allocated buffer
> rather than the original.  LOCAL_COPY() is a macro which expands to alloca()
> and strlcpy(), and the bug effectively is caused by this expansion calling
> strlen(NULL).
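As an added defensive example (not Charybdis' or ircd-ratbox's code): a CAPAB argument walk that validates the whole parv[] vector before anything is copied into a stack buffer, which is the invariant the LOCAL_COPY(parv[i]) line in the advisory assumed. The count_tokens() helper, the CAPAB_BUF bound and the -1 return convention are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed bound on one CAPAB argument: an IRC line is at most 512 bytes. */
#define CAPAB_BUF 512

/* Copy one argument into a bounded stack buffer (what LOCAL_COPY() did,
 * minus the strlen(NULL) hazard) and count its space-separated tokens.
 * The caller guarantees arg != NULL. */
static int count_tokens(const char *arg)
{
    char buf[CAPAB_BUF];
    size_t len = strlen(arg);
    int n = 0;

    if (len >= sizeof buf)          /* truncate rather than overrun */
        len = sizeof buf - 1;
    memcpy(buf, arg, len);
    buf[len] = '\0';
    for (char *p = strtok(buf, " "); p != NULL; p = strtok(NULL, " "))
        n++;
    return n;
}

/* parc/parv follow the IRC handler convention: parv[0] is the command,
 * parv[1..parc-1] are its arguments. Returns the total number of
 * capability tokens, or -1 if the vector is malformed (too short, or a
 * NULL slot where the old code assumed a string was always present). */
int capab_count(int parc, char *parv[])
{
    int total = 0;

    if (parv == NULL || parc < 2)
        return -1;
    /* Check the whole vector before copying any of it: this is the
     * check whose absence let strlen(NULL) be reached. */
    for (int i = 1; i < parc; i++)
        if (parv[i] == NULL)
            return -1;
    for (int i = 1; i < parc; i++)
        total += count_tokens(parv[i]);
    return total;
}
```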