Trend Micro Hosted Email Security (HES) - Email Interception and Direct Object Reference

2017-08-24 Thread Patrick Webster
nticated customer to view or change other cloud user's rules via Direct Object Reference. E.g. https://us.emailsec.trendmicro.com/editRule.imss?ruleid=44281 https://us.emailsec.trendmicro.com/editRule.imss?ruleid=44282 https://us.emailsec.trendmicro.com/editRule.imss?ruleid=44283 etc Credit:

Moodle URL Manipulation Remote Account Information Disclosure

2017-04-04 Thread Patrick Webster
uot;. Voilà! The account name is "Admin User" Effective on university websites which have 1+ million end users. Credit: Discovered by Patrick Webster Disclosure timeline: 29-May-2014 - Discovered during audit, reported to tracker. 11-Jul-2014 - Fix committed MDL-45760. 14-Jul-2014 - Patch r

iPlatinum iOneView Multiple Parameter Reflected XSS

2017-04-04 Thread Patrick Webster
]/ioneview/admin/main.pl?_username=";>alert(document.cookie) http://[target]/ioneview/admin/main.pl?_password=";>alert(document.cookie) http://[target]/scdata/ioneview/cgi/restricted/ioneview.pl?mid=alert(document.cookie) Credit: Discovered by Patrick Webster Disclosure timeline: 17-Sep-2

Kaseya information disclosure vulnerability

2017-04-04 Thread Patrick Webster
aid an attacker. Credit: Discovered by Patrick Webster Disclosure timeline: 05-Jan-2016 - Discovered and reported to vendor. 08-May-2016 - Vendor response. Queued to be fixed. 04-Apr-2017 - Public disclosure. About OSI Security: OSI Security is an independent network and computer security

AcoraCMS browser redirect and Cross-site scripting vulnerabilities

2017-04-04 Thread Patrick Webster
taccess.aspx [cmFields parameter] Credit: Discovered by Patrick Webster Disclosure timeline: 14-Jul-2015 - Discovered during audit. 01-Sep-2015 - Reported to vendor. 04-Apr-2017 - Public disclosure. About OSI Security: OSI Security is an independent network and computer security auditing and consul

SmartJobBoard - Cross-site scripting, personal information disclosure and PHPMailer package

2017-04-04 Thread Patrick Webster
33-and-CVE-2016-10045-vulnerabilities Credit: Discovered by Patrick Webster Disclosure timeline: 01-Feb-2017 - Discovered during audit. Reported to vendor. Vendor reports working on patch. 04-Apr-2017 - Public disclosure. About OSI Security: OSI Security is an independent network and compute

SilverStripe CMS - Path Disclosure

2017-04-04 Thread Patrick Webster
https://www.silverstripe.org/download/security-releases/ss-2015-001/ Credit: Discovered by Patrick Webster Disclosure timeline: 07-Nov-2015 - Discovered during audit and reported to developer. Developer response. 05-Feb-2016 - Follow up. Patch released https://github.com/silverstripe/silverstripe

Tweek!DM Document Management Authentication bypass, SQL injection

2017-04-04 Thread Patrick Webster
interacting with the HTML content. 2) There is a SQL injection in the user edit form e.g https://[target]/admin/users/edit.php?id=1 (which is accessible as an "administrator" - exploit unauthenticated as per above). Credit: Discovered by Patrick Webster Disclosure timeline: 03-Mar-2015 -

Computer Associates API Gateway CRLF Response Splitting, Directory Traversal vulnerabilities

2017-04-04 Thread Patrick Webster
ontent-Length: 18991 http://java.sun.com/xml/ns/javaee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"; version="3.0"> Layer7 Secure Span Gateway

Lantern CMS Path Disclosure, SQL Injection, Reflected XSS

2017-04-04 Thread Patrick Webster
;alert(document.cookie) http://[target]/www/html/X-login.asp?intPassedLocationID=";>alert(document.cookie) Credit: Discovered by Patrick Webster Disclosure timeline: 27-Nov-2008 - Discovered during audit. Reported to vendor. 28-Nov-2008 - Vendor response. Unknown if fixed. 04-Apr-2017 - Pub

Manhattan Software IWMS (Integrated Workplace Management System) XML External Entity (XXE) Injection File Disclosure

2017-04-04 Thread Patrick Webster
Filter.doFilter(XFrameFilter.java:38) Credit: Discovered by Patrick Webster Disclosure timeline: 11-Oct-2014 - Discovered during audit. 14-Oct-2014 - Reported to vendor. 18-Feb-2015 - Vendor released patch. 04-Apr-2017 - Public disclosure. About OSI Security: OSI Security is an independent netwo

AirWatch Self Service Portal Username Parameter LDAP Injection

2017-04-04 Thread Patrick Webster
ntire LDAP directory. Other normal (or syntax invalid LDAP) requests are answered within seconds. Credit: Discovered by Patrick Webster Disclosure timeline: 20-Aug-2013 - Discovered during audit. 23-Aug-2013 - Reported to vendor. 26-Aug-2013 - Vendor acknowledged report. 09-Sep-2013 - Vendor confirmed. 1

Avaya Radvision SCOPIA Desktop dlg_loginownerid.jsp ownerid SQL Injection

2017-04-04 Thread Patrick Webster
0-Feb-2014 - Vendor patch released. 04-Apr-2017 - Public disclosure. Credit: Discovered by Patrick Webster OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We provide internal and external penetration testing, vulnerability

Lotus Protector for Mail Security remote code execution

2017-04-04 Thread Patrick Webster
://www.exploit-db.com/exploits/35588/ Credit: Discovered by Patrick Webster Disclosure timeline: 09-Nov-2012 - Exploit released. 04-Apr-2017 - Public advisory. About OSI Security: OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We

Kaseya VSA 6.5 Parameter Reflected XSS, Enumeration and Bruteforce Weakness

2017-04-03 Thread Patrick Webster
es: https://[target]/access/accessRoot.asp?page=http://www.osisecurity.com.au/ https://[target]/access/accessRoot.asp?page=javascript:alert(document.cookie);/ References: http://help.kaseya.com/webhelp/EN/RN/index.asp#30773.htm Credit: Vulnerability discovered by Patrick Webster Disclosure timelin

Ultra Electronics / AEP Networks - SSL VPN (Netilla / Series A / Ultra Protect) Vulnerabilities

2014-10-03 Thread Patrick Webster
m=../../../../bin/ Error mkdir /tmp/netilla-cache/C11N_get_messages/../../../../bin: Permission denied at /usr/lib/perl5/site_perl/5.8.8/Netilla/CONDA/Cache/Manager.pm line 43 Back The portal requires authentication to access "protected" areas but once you are authenticated, you can HTT

OSI Security: CheckPoint Firewall VPN - Information Disclosure

2012-03-12 Thread Patrick Webster
t this time. Workaround: N/A. Credit: This vulnerability was disclosed by Patrick Webster. Exploit: A metasploit module is available here: http://www.metasploit.com/modules/auxiliary/gather/checkpoint_hostname Disclosure timeline: 14-Dec-2011 - Discovered during audit. 21-Dec-2011 - Added aux

OSI Security: Elitecore Cyberoam UTM - Authenticated Cross-Site Scripting Vulnerability

2011-07-20 Thread Patrick Webster
be used to inject arbitrary data. Example: http://[target]/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?srcip=alert(document.cookie) Recommendation: Upgrade to version 10.01.0 Build 0739 or later. Workaround: N/A. Credit: This vulnerability was discovered by Patrick Webster. Disclosu

JFreeChart - Path Disclosure vulnerability

2011-06-18 Thread Patrick Webster
source code to prevent this: DisplayChart.java line 116: // Check the file exists File file = new File(System.getProperty("java.io.tmpdir"), filename); if (!file.exists()) { throw new ServletException("File '" + file.getAbsolutePath() + "' does not exist&qu

Squiz Matrix - Cross-Site Scripting Vulnerability

2011-06-06 Thread Patrick Webster
Squiz Matrix - Cross-Site Scripting Vulnerability http://www.osisecurity.com.au/advisories/squiz-matrix-cross-site-scripting Release Date: 06-Jun-2011 Software: Squiz - Matrix http://www.squiz.net/ "Squiz Matrix delivers highly flexible and robust business integration engine and application deve

OSI Security: Civica Spydus Library Management System (LMS) - Cross-Site Scripting Vulnerability

2011-05-10 Thread Patrick Webster
se a WAF / IDS etc. Credit: This vulnerability was discovered by Patrick Webster. Disclosure timeline: 09-Oct-2009 - Discovered during audit. 12-Oct-2009 - Notified vendor. No response. 04-May-2011 - Disclosure. About OSI Security: OSI Security is an independent network and computer security audit

OSI Security: LANSA aXes Web Terminal (TN5250) Cross-Site Scripting Vulnerability

2011-05-02 Thread Patrick Webster
respond. Workaround: Disable JavaScript, use a WAF / IDS etc. Credit: This vulnerability was discovered by Patrick Webster. Disclosure timeline: 18-Sep-2010 - Discovered during audit. 23-Sep-2010 - Notified vendor. Received automated support ticket. 30-Apr-2011 - Disclosure. About OS

Blue Arc Group - IgnitionSuite CMS WebDMailer unsubscribe issue

2010-06-08 Thread Patrick Webster
nsubscribe the user 1 from mailing list 1. References: aushack.com advisory http://www.aushack.com/201006-ignitionsuite.txt Credit: Patrick Webster ( patr...@aushack.com ) Disclosure timeline: 16-Jan-2009 - Discovered during audit. 18-Jan-2009 - Notified vendor. 08-Jun-2010 - No response. Disclosure. EOF

Paessler - PRTG Traffic Grapher XSS

2010-06-08 Thread Patrick Webster
http://www.aushack.com/201006-prtg.txt Credit: Patrick Webster ( patr...@aushack.com ) Disclosure timeline: 05-Jan-2009 - Discovered during audit. 06-Jan-2009 - Notified vendor. 08-Jan-2009 - Vendor releases update 6.2.1.963/964. 08-Jun-2010 - Disclosure. EOF

Re: Millions of PDF invisibly embedded with your internal disk paths

2009-11-25 Thread Patrick Webster
I agree. Discovering the local path may be considered a risk, but in most cases the risk is nil. Consider compiled binaries. They also leak paths of the developer's compile environment (mainly PDB - http://support.microsoft.com/kb/121366). E.g. My firefox.exe is: e:\builds\moz2_slave\win32_build\

SonicWALL SSL-VPN Appliance Format String Vulnerability

2009-05-29 Thread Patrick Webster
ou are trying to reach is unavailable at this time. Please try again later." References: aushack.com advisory http://www.aushack.com/200905-sonicwall.txt Credit: Patrick Webster ( patr...@aushack.com ) Disclosure timeline: 12-Jan-2009 - Discovered during audit. 09-Feb-2009 - 1st email se

ContentKeeper - Remote command execution and privilege escalation

2009-04-02 Thread Patrick Webster
shack.com/200904-contentkeeper.txt Credit: Patrick Webster (patr...@aushack.com) Disclosure timeline: 10-Apr-2008 - Discovered during audit. 18-Jul-2008 - Vendor notified. 18-Jul-2008 - Vendor response. 25-Feb-2009 - Vendor confirmed patched version. 03-Apr-2009 - Public disclosure. EOF

Q2 Solutions ConnX - SQL Injection Vulnerability

2009-04-02 Thread Patrick Webster
s and protect behind corporate firewalls, SSL-VPN, web application firewall etc. References: aushack.com advisory http://www.aushack.com/200904-q2solutions.txt Credit: Patrick Webster ( patr...@aushack.com ) Disclosure timeline: 30-Oct-2008 - Discovered during audit. 05-Nov-2008 - Notified vendo

Asbru Web Content Management Vulnerabilities

2009-04-02 Thread Patrick Webster
ND 1=1 <-- main page (true) XSS in the 'url' parameter of 'login.asp': Example: http://[victim]/webadmin/login.asp?url=";>alert(document.cookie) References: aushack.com advisory http://www.aushack.com/200904-asbru.txt Credit: Patrick Webster ( patr.

Windows Installer msiexec GUID Buffer Overflow

2008-06-03 Thread Patrick Webster
nformation: By specifying an overly long Globally Unique Identifier (GUID), it is possible to overwrite the stack and SE Handler. Example: msiexec.exe /x {} References: aushack.com advisory http://www.aushack.com/200806-msiexec.txt Credit: Patrick Webster ( [EMAIL PROTECTED] ) Disclosur

Tumbleweed SecureTransport FileTransfer ActiveX Control Buffer Overflow

2008-04-07 Thread Patrick Webster
, false, 80, false, true, true, 420) Additionally, a Metasploit Framework Module has been written to demonstrate the vulnerability. References: aushack.com advisory http://www.aushack.com/200708-tumbleweed.txt Credit: Patrick Webster ( [EMAIL PROTECTED] ) Disclosure timeline: 13-Aug

webMethods Glue Management Console Directory Traversal

2007-04-11 Thread Patrick Webster
ontents of the 'boot.ini' file. Note that 'c:\boot.ini' is also valid. It may be possible (but untested) to traverse other volumes. References: aushack.com advisory http://www.aushack.com/advisories/200704-webmethods.txt Credit: Patrick Webster ( [EMAIL PROTECTED] ) Di

Google Mini Search Appliance Path Disclosure

2006-09-22 Thread Patrick Webster
le to break out, but not yet found. Fuzz anyone? References: aushack.com advisory http://www.aushack.com/advisories/200609-googlemini.txt Credit: Patrick Webster ( [EMAIL PROTECTED] ) Disclosure timeline: 22-Sep-2006 - Disclosure. EOF

Squiz MySource Matrix Unauthorised Proxy and Cross Site Scripting

2006-09-22 Thread Patrick Webster
his does not necessarily mean that whitelists are used. Future releases may be proxied via: http://www.mysource-example.com.au/$page? sq_content_src=aHR0cDovL3d3dy5nb29nbGUuY29tLmF1 References: aushack.com advisory http://www.aushack.com/advisories/200607-mysourcematrix.txt Credit: Patrick Webster (

ContentKeeper Authenticated Access Password Disclosure

2006-09-22 Thread Patrick Webster
et, do not reuse passwords. Future versions may hash the value. References: aushack.com advisory http://www.aushack.com/advisories/200606-contentkeeper.txt Credit: Patrick Webster ([EMAIL PROTECTED]) Disclosure timeline: 15-Mar-2006 - Discovered during quick audit - common design flaw. 08-Jun-2006 - Sen

RE: Computer Associates eTrust Security Command Center Multiple Vulnerabilities

2006-09-22 Thread Patrick Webster
m/public/eTrust/eTrust_scc/downloads/eTrustscc_updates.asp 3) No solution - use perimeter based firewalls. References: aushack.com advisory http://www.aushack.com/advisories/200608-computerassociates.txt Credit: Patrick Webster ( [EMAIL PROTECTED] ) Thanks to the CA Security team for their quick respo

RE: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039

2001-07-17 Thread Patrick Webster
il is talking about the W32.Magistr.24876@mm virus. By the way, I scanned it (a copy of the self-replicating virus was sent to our mail server) with a 2 week old NAV signature, so you might want to actually update yours. Patrick Webster, IT Security Engineer SafeComs.com ...the Safety in your .com