XSS attack

CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities

2. *Vulnerability Information*

Class: Protection Mechanism Failure [CWE-693], Authentication Issues
[CWE-287], Cross-Site Scripting (XSS) [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274


Multiple vulnerabilities in LEPTON

Vulnerable Version(s): 1.1.3 and probably prior
Tested Version: 1.1.3
Vendor Notification: 25 January 2012 
Vendor Patch: 4 February 2012 
Public Disclosure: 15 February 2012 
Vulnerability Type: Local File Inclusion, SQL Injection, Cross Site Scripting (XSS)
Solution Status: Fixed by Vendor
Risk Level: High 
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ ) 

-----------------------------------------------------------------------------------------------

RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001

functionality.

The ASP.Net view state is typically stored in a hidden field
named "__VIEWSTATE". When a page's view state is not
cryptographically signed, many standard .Net controls are
vulnerable to Cross-Site Scripting (XSS) through the view
state.

It is well documented that using an unsigned view state is
"bad", but most previous advisories focus on vaguely
described threats or vulnerabilities introduced by custom

F5 FirePass Content Inspection Management XSS

Product: F5 FirePass
http://www.f5.com/products/firepass/


The F5 FirePass SSL VPN appliance provides rudimentary web request sanitization for resources exposed through the appliance via Portal Access. This Content Inspection feature can be configured and customized through the web management interface to optimize protection against cross-site scripting and SQL injection. The "XSS scripting" configuration page even prominently states the following:

"The FirePass can aid in preventing Cross Site Scripting attacks via vulnerable web servers. This is done by scanning URL arguments and form POST data sent by users through Web Applications, and blocking the request if it looks suspicious. Note that the FirePass user and admin console interfaces are already protected against Cross Site Scripting attacks."

Ironically these very pages contain cross-site scripting vulnerabilities. Specifically, parameter css_exceptions in page /vdesk/admincon/webyfiers.php and parameter sql_matchscope in page /vdesk/admincon/index.php are vulnerable due to incorrect handling of quotes. This allows an attacker to force premature termination of the parameter value and to inject an event handler script. This injection is permanent because it is embedded in the parameter value. At the same time it is possible to remove (also permanently) the "Update" button on the web form, which complicates the injection removal.


CVE-2008-0971 - Barracuda Networks products Multiple Cross-Site Scripting Vulnerabilities

CVE Numbers: CVE-2008-0971
Vulnerabilities: Multiple Cross-Site Scripting (Persistent & Reflected)
Risk: Medium
Attack vector: From Remote

Vulnerabilities Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008


[InterN0T] Pivot 1.40.4-7 - Multiple Vulnerabilities

url, menu, sort, check[], edituser, edit, blog, cat.

Path Disclosure:
http://[HOST]/pivot/pivot/tb.php?tb_id=1&url='

Cross Site Scripting: (can only be triggered when one is not logged in).
http://[HOST]/pivot/pivot/index.php?menu="><script>alert(0)</script><br

Cross Site Scripting: (triggers on logged in administrators only) [low
or no impact due to session-key in url]
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&sort="><script>alert(0)</script>

Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

(http://www.securityfocus.com/archive/1/505251/30/0/threaded). There I made
enough arguments why it's dangerous vulnerability and why Mozilla and
Michal are not right and so it's better to fix it. Read my message at
Bugtraq, maybe it'll change your mind on this issue ;-).

> The best way to defend against any Cross Site Scripting attacks is to
> sanitize all inputs and outputs properly on your website

XSS vulnerabilities must be fixed and when they are made at web sites, then
they must be fixed at web sites. But in this case browsers developers made
XSS holes (JavaScript execution) in redirectors, so they just from

[Positive Technologies SA:2009-20] A.CMS Multiple Vulnerabilities

---[ Severity Rating ]

                Severity: Medium
                Impact: Cross-Site Scripting, installation path disclosure
                Attack Vector: Remote

        CVSS v2:
                Base Score: 4.3
                Temporal Score: 3.4

Kayako SupportSuite < 3.30.00 Multiple Vulnerabilities

application that consists of several well known Kayako
products such as Kayako LiveResponse and Kayako eSupport.
Unfortunately there are several security issues in Kayako
SupportSuite that may allow for an attacker to gain access
to a staff account and then escalate their privileges to
administrator. These issues include Cross Site Scripting,
Script Injection, and SQL Injection. All of these issues
are resolved in Kayako SupportSuite 3.30 and users should
upgrade as soon as possible.



FormMail 1.92 Multiple Vulnerabilities

III. ANALYSIS

Summary:

 A) Prelude to the vulnerabilities
 B) Cross Site Scripting
 C) HTTP Response Header Injection
 D) HTTP Response Splitting

A) Prelude to the vulnerabilities


[MORNINGSTAR-2009-01] Multiple security issues in Open Auto Classifieds version <= 1.5.9

Release Type: Co-ordinated, responsible disclosure


2. Vulnerability Information
----------------------------------------------------------------------------------------------
Class: SQL Injection, Insecure File Upload, Cross Site Scripting, 
Filepath Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No



[BONSAI] XSS in Achievo - Customized XSS payload included

Release mode: Coordinated release


2. *Vulnerability Information*

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2009-2733



Trustwave's SpiderLabs Security Advisory TWSL2010-001

functionality.

The ASP.Net view state is typically stored in a hidden field
named "__VIEWSTATE". When a page's view state is not
cryptographically signed, many standard .Net controls are
vulnerable to Cross-Site Scripting (XSS) through the view
state.

It is well documented that using an unsigned view state is
"bad", but most previous advisories focus on vaguely
described threats or vulnerabilities introduced by custom

[RT-SA-2009-001] IceWarp WebMail Server: Cross Site Scripting in Email View

Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View

During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to Cross Site Scripting attacks in its email view.
This enables attackers to send emails with embedded JavaScript code,
for example, to steal users' session IDs.


Details
=======

Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)

Two smaller issues in s9y, published here:
http://int21.de/cve/CVE-2008-1386-s9y.html
http://int21.de/cve/CVE-2008-1387-s9y.html


Cross Site Scripting (XSS) in serendipity 1.3 referrer plugin, CVE-2008-1385
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385
http://www.s9y.org/
Description

(resend) RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001

functionality.

The ASP.Net view state is typically stored in a hidden field
named "__VIEWSTATE". When a page's view state is not
cryptographically signed, many standard .Net controls are
vulnerable to Cross-Site Scripting (XSS) through the view
state.

It is well documented that using an unsigned view state is
"bad", but most previous advisories focus on vaguely
described threats or vulnerabilities introduced by custom

[RT-SA-2009-002] IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader

Advisory: IceWarp WebMail Server: User-assisted Cross Site Scripting in
          RSS Feed Reader

During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to user-assisted Cross Site Scripting
attacks in its RSS feed reader. If attackers control or compromise an
RSS feed users are subscribed to, they can run arbitrary JavaScript code
in the users' browsers by embedding it within the feed.



Jetty 6.x and 7.x Multiple Vulnerabilities

C) "JSP Dump" reflected XSS
   (Affected versions: Any)

It has been found that the demo "JSP Dump" feature is vulnerable to
reflected Cross Site Scripting attacks. This can be replicated by
issuing a GET request to the "/test/jsp/dump.jsp" page:
"/test/jsp/dump.jsp?%3Cscript%3Ealert(%22hello%20world%22)%3C/script%3E"

Any GET key and value that reach the remote is reflected unencoded.


Cross-Site Scripting vulnerabilities in Invision Power Board

Hello Bugtraq!

I want to warn you about new vulnerabilities in Invision Power Board.

These are Cross-Site Scripting vulnerabilities. Attack is going via 
attachment (at click on the attachment in the post at forum or on the link 
to this attachment). These are persistent XSS vulnerabilities.

I know for a long time about possibility of attacks via swf-files. So many 
years ago I turned off support of swf-files in attachments (and in avatars 

MyBlog <=0.9.8 Multiple Vulnerabilities

2.1. Information Leakage. Database information disclosure in "/config/mysqlconnection.inc" and/or "/config/mysqlconnection%20-%20Copy.inc" or "/admin/setup.php".
    2.1.1. Exploit:
        Check the exploit/POC section.
2.2. Cross Site Scripting (XSS). Reflected XSS attack in "index.php" in "sort" and "s" parameters.
    2.2.1. Exploit:
        Check the exploit/POC section.
2.2. Cross Site Scripting (XSS). Reflected XSS attack in "post.php" in "id" parameter.

[security bulletin] HPSBUX02543 SSRT100152 rev.1 - HP-UX Running Apache with PHP, Remote Denial of Service (DoS), Unauthorized Access,

Privileged Access, Cross Site Scripting (XSS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02247738
Version: 1


[Onapsis Security Advisory 2010-006] SAP J2EE Web Services Navigator Cross-Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2010-006: SAP J2EE Web Services Navigator
Cross-Site Scripting

This advisory can be downloaded in PDF format from
http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you
will gain access to beforehand information on upcoming  advisories,

Security problems in Zenphoto version 1.3

really does have everything you need for web media gallery management.

The following web vulnerabilities were found in Zenphoto Version 1.3;

1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.
2. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “from”.
3. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Technical details about each web vulnerability are below;

Saved XSS vulnerability in Internet Explorer

Hello Bugtraq!

I want to warn you about Cross-Site Scripting vulnerability in Internet
Explorer. This is Post Persistent XSS (Save XSS)
(http://websecurity.com.ua/2641/).

-------------------------
Affected products:
-------------------------


RE: Saved XSS vulnerability in Internet Explorer

To: bugtraq@securityfocus.com
Subject: Saved XSS vulnerability in Internet Explorer

Hello Bugtraq!

I want to warn you about Cross-Site Scripting vulnerability in Internet
Explorer. This is Post Persistent XSS (Save XSS)
(http://websecurity.com.ua/2641/).

-------------------------
Affected products:

Re: Saved XSS vulnerability in Internet Explorer

To: bugtraq@securityfocus.com
Subject: Saved XSS vulnerability in Internet Explorer

Hello Bugtraq!

I want to warn you about Cross-Site Scripting vulnerability in Internet
Explorer. This is Post Persistent XSS (Save XSS)
(http://websecurity.com.ua/2641/).

-------------------------
Affected products:

ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities

Title: ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities
Risk (CVSS2 Base Score): Low (3.9)
Solutionary ID: SERT-VDN-1001
CVE ID: Pending
Solutionary disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-XSS-vulnerabilities.html
Product: ManageEngine EventLog Analyzer version 6.1
Application vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/

Date discovered: 9/15/2010

Cross-Site Scripting vulnerability in Nagios

Advisory:           Cross-Site Scripting vulnerability in Nagios
Advisory ID:        SSCHADV2011-002
Author:             Stefan Schurtz
Affected Software:  Successfully tested on: nagios-3.2.0 / nagios-3.2.3
Vendor URL:         http://www.nagios.org
Vendor Status:      ID 0000207: Cross-Site Scripting vulnerability in Nagios 
CVE-ID:             -

==========================
Vulnerability Description:

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.