Editor
------------------------------------------------------------------------------------------------------------------------
Upgrade to Cute News UTF-8 version 8b.
Lucas Jacques, the maintainer of Cute News UTF-8, was very helpful.
7. Credits
------------------------------------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton
(urbanadventurer) from MorningStar Security.
010 Editor Multiple Buffer Overflow Vulnerabilities
1. General Information
010 Editor is a text editor and hex editor with many functions, such as
viewing and editing binary files, analyzing and editing binary data, and
importing and exporting binary data in many different formats.
Bkis has just found many vulnerabilities in the software, related to the
processing of 010 Editor Binary Template files (“.bt”) and 010 Editor
# Exploit Title: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
# Google Dork: "inurl:"sites/all/modules/ckeditor" -drupalcode.org"
# Google Results: Approximately 379.000 results
# Date: 18th January 2012
# Author: MaXe @InterN0T (Found in a private Hatforce.com Penetration Test)
# Software Link: http://ckeditor.com/ & http://drupal.org/node/1332022
# Version: 3.0 - Current 3.6.2 (Drupal module: 6.x-1.8)
# Screenshot: http://i.imgur.com/8TP6w.png
# Tested on: Windows + FireFox 8.0 & Internet Explorer 8.0
arbitrary code execution upon opening a crafted file.
2. Overview
``Vim is an almost compatible version of the UNIX editor Vi. Many new features
have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
-- VIM 7.1 README.txt
Parts of Vim are written in the Vim script language. A feature of this
Overview
========
A stored XSS vulnerability exists in Microsoft Windows SharePoint
Services 2.0 where a malicious user can bypass sanitization and inject
javascript into a web page they are editing. Under normal circumstances,
SharePoint does not permit users to include javascript in any submitted
content.
Impact
follows symbolic links and returns ENOENT when called on a symbolic link
pointing to a non-existent resource, this can be used to determine the existence of
files or directories in ways that violate directory search permissions.
The first of these instances, on line 436, is trivially exploitable. First,
invoke crontab with the -e flag to edit an existing cronjob. This will result
in crontab opening a text editor to edit the cronjob. While this editor is
open, simply remove the temporary file created by crontab (of the form
"/tmp/crontab.XXXXXXXXXX") and replace it with a symlink to a file whose
existence you wish to verify. On exiting the editor, crontab will print a
warning if the call to stat() on this symlink fails, confirming the
Besides, Bkis also found some XSS and CSRF vulnerabilities in the following
OpenBlog functions:
XSS holes are found in the following modules:
- Create a new post
- Edit a post
- Create a new page
Because these modules' input variables are not adequately checked and
filtered, an attacker can insert code into the path's links. If a user
logs in to his blog and clicks the link, the attacker's malicious code (JavaScript)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be a registered user
2. attacker must have blog editing privileges
Registered users with blog keeping privileges can access personal gallery
functionality, example URL:
http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal
- Quick statistics function (server status, game server status, online players)
- Statistics (login server status, game server status, players online, total accounts, total characters, total gm characters, total clans)
Administrator Features:
- (NEW) New administrator skin
- (NEW) New server settings (Edit server settings, server rates, specs etc)
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
Description of Vulnerability
=============================
According to Mathcad’s online help:
‘When distributing worksheets, you may wish to restrict user access to most regions. Rather than locking an area, you may opt instead to use worksheet protection.
The intent of file protection is to prevent other users from opening the worksheet in a text editor and editing its contents by hand. The allowed file formats are either binary (XMCDZ, MCD) or output-only (RTF, HTML). With file protection enabled, you can only alter the contents of a worksheet from Mathcad. You can create, edit, and delete regions within the worksheet with no restrictions.’
The XMCDZ file format is not a true binary format. It is the standard Mathcad .XMCD XML sheet, which has been GZIPPED. For this reason it is a simple matter to get the original plain text XML sheet out of the file, using an archive utility.
-######### [Saved] - [27-07-2008/13:10:02]
# .: Multiple Cross-Site Scripting Vulnerabilities in Web Wiz Rich Text Editor version 4.02
# .: [Author] CSDT
# .: [Affected versions] http://www.webwizguide.com/ - Web Wiz Rich Text Editor (RTE) 4.02
# .: [Credit] The disclosure of these issues has been credited to autehoker of CSDT
# _____________________________________________________________________________________________
# .: [Script Description]
# (Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in
# Web Wiz Rich Text Editor (RTE) 4.02 and earlier, and 3.x versions, allow remote attackers
# to inject arbitrary web scripting. This flaw exists because the application does not validate
language, Xalan-Java supports the creation and use of extension
elements and extension functions... Extensions written in Java are
directly supported by Xalan-Java."
Because Cascade Server does not restrict the kind of XSLT code users
are able to enter, any user with access to edit XSLT stylesheets can
cause Cascade Server to execute arbitrary Java code. Using the
java.lang.Runtime class, Java can run shell commands.
While the privilege level of the Cascade Server process may prevent
an attacker from gaining complete control of the host system, that
incomplete and erroneous but the idea was good and the bug was real and
disposable.
Later, on Dec 24, 2008, on sla.ckers.org barbarianbob showed a path
truncation attack against PHP that is partially based on my attack.
He discovered the bugs independently, so he deserves full credit for
them, and his findings were dissected partially by Pragmatk on [2] and
[3]. Sadly, or luckily, only the surface of these important issues has
been analyzed and that's why we at ush.it are releasing this article:
to bring complete light on them and present some additional juice.
2. Vulnerabilities:
####################
2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password.
2.1.1. Exploit:
Check the exploit section.
2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info, such as the admin email address.
2.2.1. Exploit:
Check the exploit section.
2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters)
2.3.1. Exploit:
Check the exploit section.
Bkis <svrt@bkav.com.vn> wrote:
> Bkis has just found many vulnerabilities in the software, related to the
> processing of 010 Editor Binary Template files (“.bt”) and 010 Editor
> Script Files (“.1sc”). These vulnerabilities are very dangerous due to the
> fact that they allow hackers to execute malicious code on users’ systems.
>
I think you're confused, these scripts can execute programs, create and
modify files, modify running processes, and so on. Perhaps you're confusing
the concept of "modelines" with editor automation (modelines are hints to
# Take the three required command-line arguments: target host, path, action.
my ($host, $path, $action) = @ARGV;
# Print usage and exit unless all three arguments were supplied.
unless ($ARGV[2]) {
print "Usage: perl $0 <host> <path> <action>\n";
print "\tex: perl $0 http://site.com /etc/ list\n";
print "\tex: perl $0 http://site.com /etc/passwd edit\n";
print "Actions:\n";
print " list:\n";
print " edit:\n\n";
exit 1;
}
-
- Website : http://phpnuke.org/
-
- Download: http://www.weblord.it/downloads/nuke65/addons/MS_TopSites_ITA.zip
-
- Problem : Edit Exploit And Html Injection
-
- Summary: The variable $uname used in the SQL query in edit.php is not itself bugged, but it is simply taken from $_POST['uname'],
which lets us change our "user" and modify, as another user, whatever we want.
Sometimes we can also do permanent HTML injection in "title", which appears on the index. In these cases we
are able to change the index content of the site. :D
Description: SAP NetWeaver has a web interface for accessing the filesystem of the portal. Users can leave "feedback" on
files, and the input passed to the content of this feedback is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Solution: This issue can be solved by activating "Secure Editing" in the Portal
(System Configuration -> System Configuration -> Knowledge management (in detailed Navigation) -> Utilities -> Editing -> HTML Editing)
Hence this issue can be solved via configuration; for more details see
http://help.sap.com/saphelp_nw70/helpdata/EN/44/4cd511c6233f8ee10000000a1553f7/frameset.htm
/***************************************************************\
* WinSoftMagic Photo Editor .PNG File Buffer Overflow *
* *
* This sploit runs calc.exe or bind to port 4444. *
* Tested On Win XP SP2 & Win VisTa 2008 *
* Code & Discovered By: eidelweiss *
* *
* This Made For Educational purpose only *
* Author will not responsible for any damage *
* *
Could this be due to the fact that Mozilla stops supporting, and issuing
updates for old versions just a few months after the release of a new
one?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer@ziffdavisenterprise.com
Kind of like Vista???
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer@ziffdavisenterprise.com
>
DOWN WITH ISRAEL
-Register Site
-Login
-Open Exploit
-Edit: User Email , User Password
-Submit Form
*******************************************************************************
<form method="post" name="modCust" action="http://target/[path]/comersus_customerModifyExec.asp">
Optionally verify the SHA-1 sum:
b48f-27e1-15c4-a7ab-d64e-ff65-caf3-543a-dece-16bd OMW60_srcvw4.dll
Install the new version of srcvw4.dll
1. Stop the Operations Manager for Windows console and its additional binaries, such as node editor.
2. From a command prompt, backup %OvInstallDir%\bin\srcvw4.dll
3. From a command prompt, copy OMW60_srcvw4.dll into %OvInstallDir%\bin\srcvw4.dll
4. Verify that %OvInstallDir%\bin\srcvw4.dll is now v4.0.1.2
Note: Steps 2 and 3 above must be performed from the Windows command line, not from Windows Explorer.
Aug 11, 2009
I. BACKGROUND
Office Web Components is a group of ActiveX controls that can be used to
view and edit Microsoft Office files such as spreadsheets and charts. It
is commonly used to allow a user to edit a spreadsheet in the browser.
The controls are installed with a default installation of Microsoft
Office. More information can be found at the vendor's website at the
following address.
``$VIMRUNTIME/autoload/tar.vim''.
2. BACKGROUND
``Vim is an almost compatible version of the UNIX editor Vi. Many new
features have been added: multi-level undo, syntax highlighting,
command line history, on-line help, spell checking, filename
completion, block operations, etc.''
-- Vim README.txt
vulnerable. Patch 7.2c.002 fixes the vulnerability.
5106| $val = str_replace( "'", "'" , $val );
....|
5121| return $val;
5122| }
The "txt_stripslashes()" function is also called, it will
reverse the effect of the magic_quotes_gpc directive
(if set to On):
3104| function txt_stripslashes($t)
3105| {
PR08-16: CSRF (Cross-site Request Forgery) on Moodle edit profile page
Vulnerability found: 25/06/2008
Vendor informed: 28/06/2008
Vulnerability fixed: 16/07/2008
1. Write tab - you can post a title and contents and upload files. In the Upload section you can upload a PHP script such as r57, c99, etc. into the system,
and the uploaded file will appear at http://[target]/wp-content/uploads/[year]/[month]/file.php
2. If you can't upload your PHP script (you see the message "File type does not meet security guidelines. Try another"):
don't worry, move to the Plugins tab and choose a plugin (Akismet, Hello Dolly) to edit. Now you can add the PHP script (r57/c99) in the plugin edit section.
Finish it, go back to the Plugins tab, click Activate plugin, then get your shell....
Let's have fun...
Platforms Affected:
All versions (7.x and lower)
Description: By combining XSS with some conditions that already exist in the Blackboard system,
an attacker can log in and do everything (change grades, edit an online test's content, etc.) under an instructor's identity.
Vulnerable paths:
1/
http://site.edu/webapps/blackboard/execute/viewCatalog?type=Course&searchText="><script>alert('xss')</script>