Session hijacking
When handling the 'update' action, 'default_comment_display' is the only parameter that is not sanitized with
mysql_real_escape_string(), so arbitrary SQL can be injected through it. Because the affected statement is a
multi-line query, and current MySQL versions do not accept a comment opened with /* that is never closed by */,
the trailing lines cannot simply be commented out. That often makes it impossible to alter the 'users' table
directly (for example to change the admin's password), but a subquery can still be injected to fetch, for
example, the admin's session id for a session hijacking attack.
This is a proof-of-concept request:
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
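The following Python example is added here and is not part of the Wikka advisory or code base. It reproduces the subquery technique against a constructed SQLite schema: the statement is multi-line, only the one field is left unescaped, and the payload closes and reopens the string literal around a scalar subquery so that no comment syntax is needed. Table and column names, the user rows and the session ids are assumptions, and SQLite's `||` concatenation stands in for whatever MySQL accepts; the parameterized version beside it is the fix.

```python
import sqlite3

# Constructed stand-in for the wiki's tables. Table and column names, the rows
# and the session ids are assumptions for this example, not Wikka's schema.
SCHEMA = """
CREATE TABLE users (
    name                    TEXT PRIMARY KEY,
    password                TEXT,
    default_comment_display TEXT,
    show_comments           TEXT
);
CREATE TABLE sessions (
    user_name  TEXT,
    session_id TEXT
);
INSERT INTO users    VALUES ('admin',   'hunter2', 'threaded', 'Y');
INSERT INTO users    VALUES ('mallory', 'pw',      'threaded', 'Y');
INSERT INTO sessions VALUES ('admin',   'adm1n5e5510n1d00000000');
INSERT INTO sessions VALUES ('mallory', 'ma110ry5e5510n1d000000');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def esc(s):
    # Stand-in for mysql_real_escape_string(): doubles single quotes.
    return s.replace("'", "''")


def update_settings_vulnerable(conn, user, comment_display, show_comments):
    # Mirrors the bug: every parameter except comment_display is escaped. The
    # statement spans several lines, so whatever is injected into the first
    # SET clause has to leave the following lines syntactically valid.
    sql = f"""UPDATE users
SET default_comment_display = '{comment_display}',
    show_comments           = '{esc(show_comments)}'
WHERE name = '{esc(user)}'"""
    conn.execute(sql)
    conn.commit()


def update_settings_fixed(conn, user, comment_display, show_comments):
    # Bound parameters: the driver sends the payload as data, never as SQL.
    conn.execute(
        """UPDATE users
SET default_comment_display = ?,
    show_comments           = ?
WHERE name = ?""",
        (comment_display, show_comments, user),
    )
    conn.commit()


def read_setting(conn, user):
    # What the attacker reads back from their own settings page afterwards.
    row = conn.execute(
        "SELECT default_comment_display FROM users WHERE name = ?", (user,)
    ).fetchone()
    return row[0]


# Closes the string literal, splices in a scalar subquery and reopens the
# literal, so the rest of the multi-line UPDATE still parses and no comment
# syntax is needed. (|| is SQLite concatenation; MySQL's own concatenation
# and subquery rules differ, the principle does not.)
PAYLOAD = "' || (SELECT session_id FROM sessions WHERE user_name = 'admin') || '"


def run_attack(fixed):
    """Store PAYLOAD as mallory's setting and return what comes back."""
    conn = fresh_db()
    update = update_settings_fixed if fixed else update_settings_vulnerable
    update(conn, "mallory", PAYLOAD, "Y")
    return read_setting(conn, "mallory")


if __name__ == "__main__":
    print("vulnerable:", run_attack(fixed=False))   # admin's session id
    print("fixed:     ", run_attack(fixed=True))    # the payload, verbatim
```

The vulnerable path stores the admin's session id in the attacker's own row, which the attacker then reads from their settings page; the fixed path stores the payload as an inert string.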
SecureWorks Security Advisory SWRX-2009-002
McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability
Advisory Information
Title: McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability
Advisory ID: SWRX-2009-002
* System affected => [ 'Apache Axis <= 1.5' ]
* Release date => [ '24 June 2010' ]
* Impact => [ 'Successful exploitation of this vulnerability may
lead the remote administrative interface to accept a hijacked session' ]
Axis2 [1] claims to be a Web Services / SOAP / WSDL engine, the
successor to the widely used Apache Axis SOAP stack. Nowadays, there are
two implementations of the Apache Axis2 Web services engine - Apache
==========================================
2Wire Broadband Router Session Hijacking Vulnerability
==========================================
1. OVERVIEW
The 2Wire Broadband Router is vulnerable to a session hijacking flaw through
which attackers can compromise the router administrator's session.
Synopsis
========
Multiple vulnerabilities in Tomcat may lead to local file overwriting,
session hijacking or information disclosure.
Background
==========
Tomcat is the Apache Jakarta Project's official implementation of Java
Product link: http://www.orangehrm.com/
2. Vulnerability Information
Class: Cross site scripting, SQL injection, PHP code injection, Cross-site
request forgery
Impact: Session hijacking, unauthorized data access, privilege escalation,
user-assisted arbitrary command execution
Rating: Less critical
Remotely Exploitable: Yes
Locally Exploitable: No
2. Profile information (user, email, Real Name) is not filtered. For example, a user could set something like "<script>alert(document.cookie)</script>" as their Real Name, and the script would execute every time someone views that user's profile or the members page.
However, the number of characters allowed in Real Name is limited, so it is unlikely that too much damage could be done.
If XSS is possible, it could allow session hijacking.
I found this bug using version 6.1 of NSSboard (the latest as of this writing), and it is likely that all earlier versions are also affected, but I did not test them. I am using Debian Linux and lighttpd to host it.
The fix would be to make sure HTML tags are filtered regardless of whether BBcode is enabled, and to filter user profile input data.
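An added example, not code from the NSSboard report or from any project on this page, of the pattern this page repeats many times: a profile field rendered without output encoding executes the payload and can read the session cookie; the same field run through html.escape() renders as text; and marking the session cookie HttpOnly keeps it out of document.cookie even if some other injection succeeds. The 40-character limit is an assumed value standing in for the unspecified limit mentioned above, chosen to show that a short field still holds the quoted payload.

```python
import html
from http.cookies import SimpleCookie

# The payload quoted in the report; 39 characters long.
REAL_NAME_PAYLOAD = "<script>alert(document.cookie)</script>"

# Assumed length limit for the Real Name field (the report says the field is
# short but gives no number). A limit alone is no defence: the payload fits.
REAL_NAME_MAX = 40


def store_real_name(value):
    # What a length-limited but otherwise unfiltered field stores.
    return value[:REAL_NAME_MAX]


def render_profile_vulnerable(real_name):
    # Raw interpolation: the browser parses the name as markup.
    return f'<td class="realname">{real_name}</td>'


def render_profile_fixed(real_name):
    # Output encoding: < > & " ' become entities and the browser shows text.
    return f'<td class="realname">{html.escape(real_name, quote=True)}</td>'


def has_active_markup(fragment):
    # Crude check, used only to make the difference between the renderers visible.
    low = fragment.lower()
    return "<script" in low or "onerror=" in low or "javascript:" in low


def session_set_cookie(session_id):
    # Defence in depth: HttpOnly keeps the id out of document.cookie, so a
    # script that does run cannot read it; Secure and SameSite limit exposure
    # further. Cookie name and id are constructed for the example.
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def demo():
    stored = store_real_name(REAL_NAME_PAYLOAD)
    return {
        "fits_limit": len(stored) == len(REAL_NAME_PAYLOAD),
        "vulnerable_executes": has_active_markup(render_profile_vulnerable(stored)),
        "fixed_executes": has_active_markup(render_profile_fixed(stored)),
        "cookie": session_set_cookie("0123456789abcdef"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Output encoding is the fix; HttpOnly only removes the cookie-theft consequence, which, as the Achievo advisory further down notes, is just one of the things cross-site scripting can do.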
Changelog: 2008/08/29
Summary: Introduction
Blind SQL Injection
Insecure SQL Password Usage
Admin Session Hijacking
Deep Recursion Protection Bypass
Code Execution
Miscellaneous
Risk level: Medium / High
http://www-01.ibm.com/software/data/cognos/products/cognos-8-business-intelligence/capabilities.html
2. Vulnerability Information
Class: Cross site scripting
Impact: Session hijacking
Rating: Less critical
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: N/A
The vulnerability allows a local low-privileged user account to
inject persistent malicious script code on the application side.
Successful exploitation of the vulnerability can result in session
hijacking or content request manipulation.
Vulnerable Module(s): (Persistent)
[+] Userdata Form allows
[+] Group Administration & Track ID
[+] User Password CSRF + Reset
2. http://www.website.tld/achievo/dispatch.php?atknodetype=pim.pim&atkaction=<script>alert(document.cookie)</script>
Explained: The above has greater impact because it survives a login. This parameter is not filtered either. It works only when one is logged in.
Additional Information:
If $config_session_regenerate = false; in config.inc.php is set to true, the session id is regenerated on each hit/click, which hinders session hijacking.
-:: Solution ::-
The easiest solution is to validate user input and strip or convert bad/HTML characters. Setting the above option to true might solve the issue partially; however, session hijacking is only one of the things you can do with cross-site scripting.
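An added example, not Achievo's code: a minimal session store showing what per-request session id regeneration buys and why the advisory above calls it a partial fix. With regeneration on, a stolen id is dead as soon as the victim makes one more request; if the attacker replays it before that, it still works, and the XSS itself is untouched. Names and the token format are assumptions.

```python
import secrets


class SessionStore:
    """Minimal server-side session table. With regenerate=True every request
    retires the presented id and issues a fresh one, like the
    $config_session_regenerate option described above."""

    def __init__(self, regenerate):
        self.regenerate = regenerate
        self._sessions = {}            # session id -> user

    def login(self, user):
        sid = secrets.token_hex(16)    # 128 bits from the OS CSPRNG
        self._sessions[sid] = user
        return sid

    def request(self, sid):
        """Serve one request. Returns (user, id_to_set_in_response), or
        (None, None) if the id is unknown or already retired."""
        user = self._sessions.get(sid)
        if user is None:
            return None, None
        if not self.regenerate:
            return user, sid
        del self._sessions[sid]        # any stolen copy dies here
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = user
        return user, new_sid


def hijack(regenerate, victim_clicks_first):
    """Simulate a stolen cookie. Returns the user the attacker is served as,
    or None if the replayed id is rejected."""
    store = SessionStore(regenerate)
    sid = store.login("admin")
    stolen = sid                                 # copy captured via XSS or sniffing
    if victim_clicks_first:
        _, sid = store.request(sid)              # the victim's next click rotates the id
    attacker_user, _ = store.request(stolen)
    return attacker_user


if __name__ == "__main__":
    print("no regeneration, victim active:   ", hijack(False, True))   # admin
    print("regeneration, victim clicked first:", hijack(True, True))   # None
    print("regeneration, attacker was faster: ", hijack(True, False))  # admin
```

The third case is the gap the advisory's "partially" refers to: rotation shrinks the window to the victim's inter-request gap but does not close it, and it does nothing against the script injection itself.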
Manager web applications allow remote authenticated users to inject
arbitrary web script or HTML (CVE-2007-2450).
Tomcat treated single quotes as delimiters in cookies, which could
cause sensitive information such as session IDs to be leaked and allow
remote attackers to conduct session hijacking attacks (CVE-2007-3382).
Tomcat did not properly handle the \" character sequence in a cookie
value, which could cause sensitive information such as session IDs
to be leaked and allow remote attackers to conduct session hijacking
attacks (CVE-2007-3385).
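An added Python reconstruction of the parsing difference behind these two Tomcat issues; it is not Tomcat's code, which is Java. One parser treats a single quote as opening a quoted value, so every `;` up to the next single quote is swallowed into one cookie; the other accepts only RFC 2109 double-quoted strings and honours backslash escapes inside them. The planted cookies theme and other, and the session id, are constructed for the example; how an attacker gets to set a cookie in the victim's browser is outside what the text above states.

```python
def _parse_cookie_header(header, quote_chars, honour_backslash):
    """Split a Cookie request header into name -> value. A value that starts
    with one of quote_chars runs to the matching quote; otherwise it ends at
    the next ';'. honour_backslash keeps a backslash-escaped character inside
    a quoted value from terminating it."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":     # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] in quote_chars:
            q = header[j]
            k = j + 1
            while k < n and header[k] != q:
                k += 2 if (honour_backslash and header[k] == "\\") else 1
            value = header[j + 1:k]
            i = k + 1
        else:
            k = header.find(";", j)
            if k == -1:
                k = n
            value = header[j:k].strip()
            i = k
        cookies[name] = value
    return cookies


def parse_cookies_legacy(header):
    # Reconstruction of the flawed behaviour: a single quote opens a quoted
    # value too, so everything up to the next single quote, ';' separators
    # and other cookies included, becomes part of one value.
    return _parse_cookie_header(header, quote_chars="'\"", honour_backslash=False)


def parse_cookies_fixed(header):
    # Only a double-quoted value (RFC 2109 quoted-string) is taken literally,
    # a single quote is plain data, and \" inside quotes does not end the value.
    return _parse_cookie_header(header, quote_chars='"', honour_backslash=True)


def value_carrying_session(parsed):
    """Name of any non-session cookie whose value swallowed the session id,
    or None. An application that echoes that cookie leaks the session."""
    for name, value in parsed.items():
        if name != "JSESSIONID" and "JSESSIONID=" in value:
            return name
    return None


# Constructed header: two attacker-planted cookies whose values are a lone
# single quote bracket the real session cookie the browser sends between them.
VICTIM_HEADER = "theme='; JSESSIONID=8F1A2B3C4D5E6F; other='"

if __name__ == "__main__":
    print("legacy:", parse_cookies_legacy(VICTIM_HEADER))
    print("fixed: ", parse_cookies_fixed(VICTIM_HEADER))
    print("leaks via:", value_carrying_session(parse_cookies_legacy(VICTIM_HEADER)))
```

With the legacy parser the whole `; JSESSIONID=...; other=` run becomes the value of theme, so any page that reflects the theme cookie prints the session id; the fixed parser keeps the three cookies apart.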
========
A persistent cross-site scripting vulnerability has been detected in C4B XPhone UC Web v4.1.890SR1 and earlier versions.
The bug allows an attacker to inject arbitrary script code on the application side (persistent), for example via
a connected groupware application such as Microsoft Outlook or IBM Lotus Notes. The injected script code is
executed for every client that searches for the details of the manipulated user in the web application. Successful
exploitation of the vulnerability can therefore lead to session hijacking or stable (persistent) context manipulation.
Vulnerable Module(s):
[+] Work => Home/Work => Company Name (Input)
[+] Contact Phone Listing => Company Name Display Conversation (Output)
Details:
========
Multiple persistent input validation vulnerabilities have been detected in the epesiBIM 1.2.1 groupware web application.
The bugs allow remote attackers to inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires little user interaction. The bug is located in the Description input
field of the application, which allows code to be executed outside the main application dashboard context.
Vulnerable Module(s):
http://victim/cgi/wrapper.plx?Destination=addequipment.htm&Title=<script>alert('XSS')</script>
This CGI binary requires you to be logged in for the injection to work,
which limits its effectiveness.
3c. Session hijacking example: to take over another user's currently logged-in
session, log into the server, intercept the Cookie header and change it to the
value belonging to another user, perhaps one captured with a proxy or sniffer.
For example, you might change your own session:
Set-Cookie: Access_Num=1.304931640625e%2B019%7C%7C; path=/; expires=Fri,
2.1
A persistent input validation vulnerability has been detected in the LandShops web application v0.9.2.
The bug allows remote attackers to inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires little user interaction.
Vulnerable Module(s):
[+] Create Object - Input/Output Name
Hi,
This TCP session hijacking technique might be of interest to some of you.
Abstract:
The paper demonstrates how the traffic load of a shared packet queue can
be exploited as a side channel through which protected information
leaks to an off-path attacker. The attacker sends the victim a
sequence of identical spoofed segments. The victim responds to each
segment in the sequence (the sequence is reflected by the victim) if
1.2
A persistent input validation vulnerability has been detected in the game website script idev-GameSite 1.0.
The bug allows remote attackers to inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires little user interaction.
Vulnerable Module(s):
[+] Create Image - Title/Caption
========
1.1
Multiple persistent input validation vulnerabilities have been detected in the Content Papst v2011.2 Content Management System.
The vulnerability allows a remote attacker or a local low-privileged CP user account to inject malicious script code on the
application side (persistent) of the web service. Successful exploitation of the vulnerability can result in persistent
content manipulation of the vulnerable modules, phishing, and session hijacking.
Vulnerable Module(s):
[+] Category => Title/Description/Permalink
[+] Links => Title/URL/Description
[+] Article Category => Title/Description/Permalink
Details:
========
Multiple persistent input validation vulnerabilities have been detected in the Pritlog v0.821 Content Management System. The bugs
allow remote attackers to inject malicious script code on the application side (persistent). Successful exploitation of the
vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation, and requires little user
interaction. Attackers can inject malicious strings as the author name; the strings execute when an admin previews, reviews or
manages the user listing. The bug is located on the application side, and the injected code runs persistently outside the
user management context.
Vulnerable Module(s):
Kloxos LxCenter Server CP v6.1.10.
The bug allows a remote attacker to inject malicious script code on the
application side (persistent).
Successful exploitation of the vulnerability allows an attacker to
manipulate modules/context (persistent) and can
lead to session hijacking (user/mod/admin).
Vulnerable Module(s):
[+] LocalHost {Command Center}
[+] Server > Information > Verbose Settings
Details:
========
Multiple reflected cross-site scripting vulnerabilities have been detected in the eBank-IT online banking software.
The bug allows a remote attacker to inject malicious script code on the application side.
Successful exploitation of the vulnerability allows an attacker to manipulate specific modules and can
lead to session hijacking (user/mod/admin).
Vulnerable Module(s):
[+] login
[+] requestpw
1.2
A persistent input validation vulnerability has been detected in Acc PHP eMail v1.1. The bug allows remote attackers to
inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead
to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires little user interaction.
Vulnerable Module(s):
[+] index.php?action=email_modify&conf=0&id=57 - inject code in the mail box
Prado TJavaScript::encode() script injection vulnerability
Vulnerability severity : medium
Vulnerability type : cross-site script injection attack
cookie theft
session hijacking
stealing of sensitive information
Remotely exploitable : yes
Vulnerability discovery date : 2012/03/07
Details:
========
Multiple non-persistent and persistent input validation vulnerabilities have been detected in Ilient
SysAid v8.5.05 and below. The bugs allow remote attackers to inject malicious script code on the
application side (persistent) and temporarily on the client side (non-persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or
stable (persistent) context manipulation.
1.1
Vulnerable Module(s): (Persistent)
archive, applet, or Java Web Start application, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the
same-origin policy, load untrusted JAR files, establish network
connections to arbitrary hosts and ports via several vectors, modify
the list of supported graphics configurations, bypass HMAC-based
authentication systems, escalate privileges via several vectors and
cause applet code to be executed with older, possibly vulnerable
Great find! However, depending on the PHP version and proper osC configuration, session hijacking will not work. Credit goes to the osC team.
Solution
http://forums.oscommerce.com/index.php?showtopic=333351
Details:
========
Multiple persistent input validation vulnerabilities have been detected in the eFront Community++ application v3.6.10.
The vulnerability allows a remote attacker or a local low-privileged user account to inject malicious
persistent script code. Successful exploitation, which requires little user interaction, can result in session hijacking
or persistent context manipulation.
Vulnerable Module(s):
[+] Forums - Title Name
1.2
A persistent input validation vulnerability has been detected in Flatnux CMS 2011 08.09.2.
The bug allows remote attackers to inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires little user interaction.
Vulnerable Module(s):
[+] Comment News - Title News > Name of Folders in Gallery
1.2
A persistent input validation vulnerability has been detected in the Opial v2 Content Management System. The bug allows remote attackers
to inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can
lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires little user interaction.
Vulnerable Module(s):
[+] /topsearches.php?genres_parent - inject HTML code through the search, then open the top searches page
[+] /admin/artistsedit.php?id=9 - artist name
[+] /admin/albumsedit.php?id=23 - album name