Web sites
+-----------+
|Description|
+-----------+
The Yoono Firefox extension provides an interface for
users to share objects with their friends on social
networks from any website. It allows users to select
images from a website to be shared, which publishes
that image to their friends.
Security-Assessment.com discovered that Yoono's share
function is vulnerable to DOM event handler injection.
Details follow:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite
e107 is a free content management system (CMS) written in PHP
and is available at http://e107.org/news.php . In October 2009, Bkis
Security discovered a number of XSS and Blind SQL Injection
vulnerabilities in this system. Taking advantage of these holes, hackers
can inject arbitrary malicious code into users' browsers, then steal
private information or issue requests to the website to gain
complete control of the website's database.
Details: http://blog.bkis.com/e107-multiple-vulnerabilities/
SVRT Advisory: Bkis-13-2009
Initial vendor notification: 10/28/09
shown in the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#xtocid14
More information on configuring ACLs can be found on Cisco's public
website:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
The following is an example of a vty access-list:
+-----------+
|Description|
+-----------+
The ScribeFire Firefox extension provides an interface
for users to post to their blogs from any website. It
allows users to drag images from a website into the
editing pane, which publishes that image as part of
their blog post.
Security-Assessment.com discovered that ScribeFire is
AdPeeps Ad Rotator - XSS and HTML Injection Vulnerabilities
Version Affected: 8.5d1 (3-18-09) (newest)
Info: Ad Peeps is a banner rotator and text ad rotator - all in one that allows you to track, sell and manage banner ads, rich-media/flash ads and text ads on your website. Built using PHP/MYSQL, Ad Peeps provides you and your advertisers with highly detailed real-time statistics and is capable of delivering millions of impressions per day on a typical shared web server. - Plus, you can try it right now on your website with our 7 day trial.
Ad Peeps is so versatile that it can even show your text ads Yahoo! Style or Google AdWords Style. Unlike many other banner ad rotator programs, Ad Peeps was skillfully designed to use minimal server resources while maintaining speed and unparalleled performance. Built on a highly scalable and versatile database architecture, Ad Peeps works without fuss even on high traffic web sites and won't crash your high powered website.
Opinion: AdPeeps, along with many others should really hire people to audit their code.
Several flaws were discovered in the browser engine. These problems could allow
an attacker to crash the browser and possibly execute arbitrary code with user
privileges. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502)
It was discovered that Firefox did not properly handle persistent cookie data.
If a user were tricked into opening a malicious website, an attacker could
write persistent data in the user's browser and track the user across browsing
sessions. (CVE-2008-5505)
Marius Schilder discovered that Firefox did not properly handle redirects to
an outside domain when an XMLHttpRequest was made to a same-origin resource.
Application : HiveMaker Professional
version : <= 1.0.2
Vendor : http://www.hivemaker.com
Description :
Hivemaker is a website creation system written in PHP. Users can create websites without knowing any HTML, in a fashion similar to GeoCities. Users can select modules and VERY easily create contact forms, web counters and a variety of other content! Included is a website directory that allows all your users' websites to be viewable to the general public.
For administrators Hivemaker is easily upgradeable. Modules and templates can be installed as simply as uploading the new template. The content is then immediately ready to be used by your users. Full user administration functions are available as well as the ability to add banners to every user's website.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~
Diigo Toolbar - Global XSS and Information Leakage in SSL URLs
== Global XSS ==
Diigo (http://www.diigo.com/) is a social bookmarking and sharing
application which allows users to see other users' comments and notes
for every website. To use this feature, users need the Diigolet
bookmarklet or the Diigo Toolbar - http://www.diigo.com/tools. These are
almost mandatory for using Diigo, and almost all Diigo members have them
installed.
An attacker can perform Cross-site Scripting through these public
comments, which may result in the embedding of malicious code and/or
scripts within a UCP URL.
The malicious code is likely to be a script that is embedded in the
URL of a link. The malicious code may also be stored on the
vulnerable server or a malicious website. An attacker could try to
convince an unsuspecting user to follow a malicious link to a
vulnerable UCP application server that injects (reflects) the
malicious code back to the user's browser.
Software Versions and Fixes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Website META Language: Insecure temporary file usage
Date: March 15, 2008
Bugs: #209927
ID: 200803-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
request. The request will include the RFC2109 Cookie header, which could
then be used to steal credentials or interact with the affected service
as if they were the victim.
Another attack vector exists where a victim connects to a site from (or
via) a machine that hosts another website: any XSS-like flaw or
reflective web service on the hosted website can then be exploited
in the context of the misconfigured domain. This would also affect users
who connect via a shared caching HTTP proxy machine that also hosts an
HTTP daemon.
Severity : Critical
Explanation :
The vulnerability persists in the popup blocker function that allows
specific websites to open popups in the running instance of Internet
Explorer. An attacker can easily exploit it by getting the browser to
run a malicious script in the context of Internet Explorer. The script
manipulates the registry entries for specific websites through
JavaScript. It adds fake
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in miniblog, which can be exploited to perform cross-site scripting & cross-site request forgery attacks.
1) Input passed via the GET "post_list" parameter to /adm/list.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/adm/list.php?post_list=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
to a custom welcome web page post authentication. An HTTP response
splitting vulnerability was discovered that could be exploited by an
attacker to force authenticated captive portal users to completely
bypass the custom welcome page and be redirected to a website of the
attacker's choice. The attacker might achieve this by sending a
maliciously crafted URL to the user in an email. When the user clicks
on the link and authenticates successfully to the captive portal,
he/she might be
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Pretty Link WordPress Plugin, which can be exploited to perform cross-site scripting attacks.
1) Input passed via the "min_date" GET parameter to /wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php?min_date=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Efront, which can be exploited to perform sql injection and cross-site scripting attacks.
1) Input passed via the "course" GET parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/index.php?ctg=lesson_info&lessons_ID=1&course=%27%20onmouseover%3dalert%28document.cookie%29%3E
http://[host]/gbook/?a=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of these vulnerabilities requires that Apache's "AcceptPathInfo" directive is set to "on" or "default" (the default value is "default").
2) Input passed via the "pid" GET parameter to /phpshop/admpanel/catalog/admin_cat_content.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/phpshop/admpanel/catalog/admin_cat_content.php?pid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Introduction:
=============
It is a website Content Management System that is built with Codecharge Studio. There will also be a
commercial package, which contains all source code AND the Codecharge Studio project files.
More information on Codecharge Studio can be found on the website of Yessoftware.
Currently the CMS includes the following modules:
Successful exploitation of this vulnerability requires the attacker to be logged-in and have access to "Manage Albums" function.
3) Multiple XSS in ZENphoto: CVE-2012-0995
3.1 Input passed via the "msg" GET parameters to /zp-core/admin.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC is available:
http://[host]/zp-core/admin.php?action=external&error&msg=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
1) Multiple Cross-Site Scripting (XSS) in XOOPS: CVE-2012-0984
1.1 Input passed via the "to_userid" POST parameter to /modules/pm/pmlite.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
<form action='http://[host]/modules/pm/pmlite.php' method="post">
LI-Guestbook SQL Injection Vulnerability
http://www.security-news.ws/li-sql-injection/
--------------------Summary----------------
Vendor: LI-Scripts
Vendor's Web Site: http://www.liscripts.net
Software: LI-Guestbook
Software's Web Site: http://www.liscripts.net/products.php#guestbook
Versions: 1.2
Critical Level: Moderate
Type: SQL Injection
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
Patches released by Microsoft after MS06-051 are covered by monthly Security Bulletins.
For the full archived list of Microsoft security updates applicable for Storage Management Appliance software v2.1, please refer to the following Security Bulletins available on the IT Resource Center (ITRC) Web site: http://www.itrc.hp.com/service/cki/secBullArchive.do
For patches released by Microsoft in 2003, MS03-001 to MS03-051 refer to Security Bulletin HPSBST02146
For patches released by Microsoft in 2004, MS04-001 to MS04-045 refer to Security Bulletin HPSBST02147
For patches released by Microsoft in 2005, MS05-001 to MS05-055 refer to Security Bulletin HPSBST02148
For patches released by Microsoft in 2006, MS06-001 to MS06-051 refer to Security Bulletin HPSBST02140
The program committee will review all papers and the author of each
paper will be notified of the result, by electronic means.
Abstracts are limited to 400 words. Submissions must be sent via the
http://www.hack.lu/ website.
Submissions should also include the following:
Ongaro are the ones who spent most hours on it with the precious help
of Alessandro "Jekil" Tanasi, Florin "Slippery" Iamandi and many other
friends.
Giovanni "evilaliv3" Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it
Antonio "s4tan" Parata
web site: http://www.ush.it/
mail: s4tan AT ush DOT it