XSS
CSRF, RCE | PHP Remote Code Execution | SMF2 | www.kernel32
CSRF | CSRF theme change | SMF2, SMF1 | www.kernel32
CSRF | Subforum Category Collapse CSRF | SMF2, SMF1 | www.kernel32
CSRF | CSRF in the package server manager | SMF2, SMF1 | www.kernel32
XSS | XSS in package server manager | SMF2, SMF1 | www.kernel32
CSRF | CSRF package deletion and installed package disclosure | SMF2 | www.kernel32
CSRF, XSS | Attached files configuration CSRF | SMF2 | www.kernel32
XSS | XSS in "Enable basic HTML in posts" | SMF2 | sirdarckcat
RFD | Remote File Disclosure (only in logs and similar) | SMF2 | sirdarckcat
CSRF | CSRF in Moderation Preferences | SMF2 | sirdarckcat
Application: IBM WebSphere Application Server
Versions Affected: 7.0 and 6.1
Vendor URL: http://www.ibm.com/websphere/
Bug: Multiple XSS Vulnerabilities
Exploits: YES
Reported: 01.11.2008
Vendor response: 02.11.2008
Solution: FP 6.1.0.23 and 7.0.0.3
Date of Public Advisory: 27.03.2009
Application: MODx CMS
Versions Affected: 0.9.6.1, 0.9.6.1p1
Vendor URL: http://modxcms.com/
Bugs: XSS, SiXSS, stored XSS, Change User Password XSRF Vulnerability.
Exploits: YES
Reported: 11.01.2008
Vendor response: 11.01.2008
Updated Report: 29.01.2008
Vendor response: none
2.3.1. Exploit:
Check the exploit section.
2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Everyone can mailbomb others.
2.4.1. Exploit:
Check the exploit section.
2.5. Cross Site Scripting (XSS) [in "showThumb.aspx"]. Reflected XSS attack by circumventing the ASP.Net XSS denier (Path disclosure on the open error mode).
2.5.1. Exploit:
Check the exploit section.
2.6. Cross Site Scripting (XSS), Failure to Restrict URL Access [in "process_send.asp"]. Redirect Reflected XSS Attack In "SB_redirect" parameter. Reflected XSS, Content Spoofing In "SB_feedback" parameter. Everyone can mailbomb others.
2.6.1. Exploit:
Check the exploit section.
Hello Thierry!
> You're saying above that this attack works if "Initialise and script
> ActiveX control not marked as safe" is ENABLED.
This saved XSS hole works even with this option disabled (i.e. with default
settings). But when we want to use ActiveX in our code (e.g. for a Code
Execution attack), then such a problem occurs. It's a bug in IE (when there is a
preceding comment tag), which I found when researching the possibility of making
CE via XSS in IE. So I found the workaround for this bug: set this
option to Enabled or Prompt (for Local intranet).
Application: Dokeos E-Learning System
Versions Affected: 1.8.4
Vendor URL: http://dokeos.com
Bugs: Multiple SQL Injections,Multiple Blind SQL Injections,Multiple XSS, etc.
Exploits: YES
Reported: 25.01.2008
Vendor response: 28.01.2008
Patch released: 12.02.2008
Date of Public Advisory: 19.02.2008
----------------------------------------------------------------
Cross Site Scripting Vulnerabilities :
All vulnerabilities work when register_globals is set to on.
XSS Vulnerability 1 : /data/inc/footer.php => http://Example.com/data/inc/footer.php?lang_footer=[Cross Site Scripting]
XSS Vulnerability 2 : /data/inc/header.php => http://Example.com/data/inc/header.php?pluck_version=[Cross Site Scripting]
XSS Vulnerability 3 : /data/inc/header.php => http://Example.com/data/inc/header.php?lang_install22=[Cross Site Scripting]
Application: Jinzora Media Jukebox
Versions Affected: 2.7.5
Vendor URL: http://www.jinzora.com/
Bugs: Multiple XSS Injections
Exploits: YES
Reported: 04.02.2008
Second report: 12.02.2008
Vendor response: NONE
Date of Public Advisory: 19.02.2008
(Affected versions: Any)
B) "FORM Authentication demo" information leak
(Affected versions: Any)
C) "JSP Dump" reflected XSS
(Affected versions: Any)
D) "Session Dump Servlet" stored XSS
(Affected versions: Any)
Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Release Date:
December 11, 2008
Date Reported:
October 5, 2008
Severity:
Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross
First, it's not a site-specific hole, it's browser-specific. So the issue is in the
browser and it will work at any site. And I used a universal PoC (suitable
for most cases). For online testing, and especially for attacking purposes,
you can use any working web site (e.g. google.com).
http://www.google.com/webhp?--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
The idea of putting the XSS code in the parameter (i.e. after '?') is to avoid
redirection in case the particular site (which is used in the attack) is
configured that way. So using any holes is not needed, just any
working page of any working site. The XSS code will appear in html file
Application: BolinOS
Versions Affected: 4.6.1
Vendor URL: http://www.bolinos.com
Bugs: Local File Include,Multiple XSS, System information disclosure
Exploits: YES
Reported: 13.03.2008
Second report: 18.03.2008
Vendor response: none
Solution: none
-----Original Message-----
From: Inferno [mailto:inferno@securethoughts.com]
Sent: Thursday, August 20, 2009 2:18 AM
To: bugtraq@securityfocus.com
Subject: Bypassing OWASP ESAPI XSS Protection inside Javascript
Bypassing OWASP ESAPI XSS Protection inside Javascript
------------------------------------------------------
By Inferno (inferno {at} securethoughts {dot} com)
Application: Rittal CMC-TC PU II Web management
Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
possibly other Rittal products
Attack type : XSS Type I, XSS Type II, Session prediction,
Remote command execution in default configuration
Severity: Moderate
Vendor Status: Vendor notified.
Patch already available for XSS vulnerabilities.
Other vulnerabilities will be addressed in a future
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "/rating.php" in "book_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Cross Site Scripting (XSS). Reflected XSS attack in "/login.php" in URL parameters.
2.3.1. Exploit:
Check the exploit/POC section.
2.4. Cross Site Scripting (XSS). Reflected XSS attack in "/hta/htmlarea.js.php" in "glb_sid" parameters.
2.4.1. Exploit:
Check the exploit/POC section.
The recently released Drupal 7 is not vulnerable.
5. PROOF-OF-CONCEPT/EXPLOIT
=> XSS in Footer (parameter: site_footer, module: system, url: admin/settings/site-information)
The 'site_footer' parameter is not properly sanitized on the site information page
(admin/settings/site-information), and an XSS payload can be set as the footer text.
Bypassing OWASP ESAPI XSS Protection inside Javascript
------------------------------------------------------
By Inferno (inferno {at} securethoughts {dot} com)
Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is
all about breaking things and features all the scenarios that can result in
XSS. To complement his efforts, there is an excellent XSS prevention cheat
sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far
as I have seen, this wiki page provides the most comprehensive information
on protecting yourself from XSS on the internet. It advises using the OWASP
======================================================================
Advisory : Exploit for vBulletin "obscure" XSS
Release Date : June 13th 2008
Application : vBulletin
Version : vBulletin 3.7.1 and lower, vBulletin 3.6.10 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope@googlemail.com)
ProCheckUp Research
http://procheckup.com/procheckup-labs/pr11-07.aspx
PR11-07 Multiple persistent XSS, XSS, XSRF, offsite redirection and information disclosure flaws within CheckPoint/Sofaware firewalls
Vulnerability found: 3rd May 2011
Vendor informed: 20th July 2011
Hello Bugtraq!
Yesterday I wrote the article XSS vulnerabilities in 34 millions flash files
(http://websecurity.com.ua/3842/), and here is the English version of it.
In December, in my article XSS vulnerabilities in 8 millions flash files
(http://websecurity.com.ua/3789/), I wrote that there are up to 34000000
tagcloud.swf flash files on the Internet which are potentially vulnerable to XSS
attacks. Taking into account that people mostly didn't pay attention in the
previous article to my mention of another 34 million vulnerable
----------------------------------------------------------------
Script : Maian Recipe v1.2
Type : Xss Vulnerabilities
----------------------------------------------------------------
Discovered by : Khashayar Fereidani Or Dr.Crash
Our Team : IRCRASH
----------------------------------------------------------------
Our Site : Http://IRCRASH.COM
IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM
----------------------------------------------------------------
Application: Txp CMS
Versions Affected: 4.0.5
Vendor URL: http://www.textpattern.com
Bugs: DOS, multiple XSS, etc.
Exploits: YES
Reported: 11.01.2008
Vendor response: 14.01.2008
Patch Released: 03.02.2008
Date of Public Advisory: 04.02.2008
$str = implode_with_keys( $save_data );

// Save the file
$result = sb_write_file( $entryFile, $str );
The clean_post_text() function protects against XSS; it
also replaces a string separator (with its HTML equivalent)
which is used when the comment's data is extracted.
This function is in the file "scripts/sb_formatting.php":
function clean_post_text( $str ) {
I understand that this is a vain hope that bugtraq will start posting something useful.
Author: Michael Brooks (Rook)
Application: OpenClassifieds 1.7.0.3
Download: http://open-classifieds.com/download/
Exploit chain: captcha bypass -> SQLi (insert) -> persistent XSS on front page
If registration is required, an extra link in the chain is added:
Exploit chain: blind SQLi (select) -> captcha bypass -> SQLi (insert) -> persistent XSS on front page
Sites with SEO URLs enabled:
"powered by Open Classifieds" inurl:"publish-a-new-ad.htm" (85,000 results)
or default URLs:
[DSECRG-11-013] SAP NetWeaver Runtime - multiple XSS
SAP NetWeaver Integration Directory has a linked XSS vulnerability.
Digital Security Research Group [DSecRG] Advisory DSecRG-11-013 (Internal DSecRG-00163)
Application: SAP NetWeaver Runtime
Versions Affected: SAP NetWeaver Runtime
Vendor URL: http://www.sap.com
Vulnerability title: Sonexis ConferenceManager Multiple Cross-site Scripting (XSS) Vulnerabilities
Solutionary ID: SERT-VDN-1005
Solutionary disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/Sonexis-XSS-Vulnerabilities.html
CVE ID: Pending
CVSS risk rating: 3.9
> First, you must have reported to the developer, but in what way?
I sent to the developer a complete advisory, including the exploit code.
> Confusing the XSS vulnerability with PHP code execution
> vulnerability is so funny. I can't help feeling that you told it
> sloppily.
I never confused the vulnerabilities. And I never said the bug was
patched... Maybe you should redirect this comment to Secunia instead?
[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin
===============================================================================
Author: Janek Vind "waraxe"
Date: 06. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-85.html