Next Page >>
blogging
List of found vulnerabilities
===============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be registered user
3. *Vulnerability Description*
WordPress is a web application written in PHP that allows the easy
installation of a flexible weblog on any computer connected to the
Internet. WordPress 2.7 reached more than 6 million downloads during
June 2009 [9].
A vulnerability was found in the way that WordPress handles some URL
requests. This results in unprivileged users viewing the content of
SUBJECT: Microsoft SWI blog inaccuracies
Hello BugTraq
As you know, 3 weeks ago I published my paper, "Microsoft
Windows DNS Stub Resolver Cache Poisoning"
(http://www.trusteer.com/docs/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf),
simultaneously with Microsoft's release of MS08-020
(http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx).
- Severity: 6.8/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability
II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system does not requires database setup, and
is very easy to install.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PR08-13: Persistent Cross-site Scripting (XSS) on Moodle via blog entry
title
Vulnerability found: 20/06/2008
Vendor informed: 25/06/2008
I've found that funny result when i try to input some miscellaneous parameters in the query string.
When i try to click the HIGHLIGHTED POSTS in the blog but that entry had no longer exist.
Dear Yahoo,
I've found a bug on your site that i can list all the comments, all the entry belong to the public blog. When i try to click in the HighLighted post in a blog but this entry had no longer existed,
the page result is only the box for comment.
I look at the URL Address, it like this:
http://blog.360.yahoo.com/blog-(blog user encrypted ID)?cq=1&p=
I guest the string that encrypted in the query string is the blog user encrypted ID
Ok so now i try to input the query string paramter like this
http://blog.360.yahoo.com/blog-(blog user encrypted ID)?cq=2&p='
Neuron Blog Admin Permission Bypass and Remote File Upload Vulnerability
------------------------------------------------------------------------
Script : Neuron Blog
Version : 1.1
Site : http://dev.localhost.be/?q=detail-script&id=11
Founder : Rizgar
with each other and share information.
III. DESCRIPTION
-------------------------
Has been detected a insecure direct object reference vulnerability in
Tuenti.com, that allows the reading of any blog entry of any user,
thus accessing to private messages of Tuenti.com users.
The "blog_entry_id" parameter directly refer to a blog entry, so if a
user change the value of this parameter can access to arbitrary blog
entries.
[Bkis-04-2010] Multiple Vulnerabilities in OpenBlog
1. General Information
OpenBlog is a free software for developing blogging platform. OpenBlog is
written on PHP language and available at http://www.open-blog.info. In
August 2010, Bkis Security discovered some XSS, CSRF vulnerabilities on this
software; especially, there is a vulnerability which might allow privilege
elevation on OpenBlog 1.2.1. Taking advantage of this vulnerability, hacker
might execute malicious code on user's browser or even get control of Blog.
During research on MySQL Column Truncation Vulnerabilities it was
discovered that the user registration system of Wordpress is not
protected against this kind of attack. Further research then
discovered that this vulnerability can be used to reset the passwords
of users to a random string when user registration is activated
in the blog.
In addition to this it was discovered that Wordpress uses mt_rand()
to create passwords and reset tokens, which is not secure enough
for cryptographic secrets. The use of mt_rand() allows predicting
the randomly generated passwords when the PRNG is freshly seeded
H - Security Labs
Eggblog v3.1.0 Security Advisory
ID : HSEC#20071111
General Information
--------------------------
Name : EggBlog v.3.1.0
Vendor HomePage :http://sourceforge.net/projects/eggblog/
Platforms : PHP && MySQL
Vulnerability Type : Input Validation Error
Secure Network - Security Research Advisory
Vuln name: Simple PHP Blog Multiple Vulnerabilities
Systems affected: simplePHPBlog 0.5.0.1, simplePHPBlog 0.4.8 and all previous versions
Systems not affected: -
Severity: Medium
Local/Remote: Remote
Vendor URL: http://www.simplephpblog.com/
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Luca "Daath" De Fulgentis - daath@webapptest.org
Vendor disclosure: 14th September 2007
II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards,
and usability. WordPress is both free and priceless at the same time. More simply, WordPress is
what you use when you want to work with your blogging software, not fight it.
III. DESCRIPTION
-------------------------
Wordpress allows authorised users to add an attachment to a blog post.
******* Salvatore "drosophila" Fresta *******
[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/
[+] Bugs: [A] SQL Injection
[B] XSS Persistent
[+] Exploitation: Remote
Subject: FC2 BLOG Cross-Site Scripting Vulnerabilities
Application: FC2 BLOG
Vendor:BLOG.FC2.COM
Corporation: FC2, Inc.
DATE : 9 Oct 2008
Description: FC2 BLOG Cross-Site Scripting Vulnerabilities
Vulnerability:
==============
They do not properly sanitize the potentially malicious input content
.OR.ID
ECHO_ADV_100$2008
-----------------------------------------------------------------------------------------
[ECHO_ADV_100$2008] Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability
-----------------------------------------------------------------------------------------
Author : M.Hasran Addahroni
Date : July, 14 th 2008
Location : Jakarta, Indonesia
BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability
JosS, Jose Luis Gngora Fernndez
Spanish Hackers Team
www.spanish-hackers.com
[+] Info:
[~] Software: bp blog
[~] HomePage: http://blog.betaparticle.com/
Microsoft has issued a patch to fix the vulnerability and a detailed
description of how to implement the workarounds on IE. It is available
as Security Bulletin http://go.microsoft.com/fwlink/?LinkID=150860.
Microsoft's Research and Defense blog has further discussion about the
vulnerability, workarounds and mitigations [3].
7. *Credits*
Product Information
-------------------
FlatPress is an open-source standard-compliant multi-lingual
extensible blogging engine written in PHP by Edoardo Vacchi.
Website: http://www.flatpress.org
Vulnerability Description
Additional Drawing
- ------------------
If you help us to spread the word about the Month of PHP Security
and the open CFP by writing a blog posting about it, you have the
chance to win one of ten 33 USD/25 EUR Amazon Coupons. To participate
you have to write a blog posting about the Month of PHP Security CFP
and send a link to your blog posting to drawing@php-security.org
The winners will be announced on May 1, 2010.
Additional Drawing
- ------------------
If you help us to spread the word about the Month of PHP Security
and the open CFP by writing a blog posting about it, you have the
chance to win one of ten 33 USD/25 EUR Amazon Coupons. To participate
you have to write a blog posting about the Month of PHP Security CFP
and send a link to your blog posting to drawing@php-security.org
The winners will be announced on May 1, 2010.
Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx
It is said that :
-----------------
"This means that in case a customer receives such a specially crafted
----------------------------------------------------------------------
(PT-2009-14) Positive Technologies Security Advisory
BLOG:CMS Cross-Site Scripting vulnerability
----------------------------------------------------------------------
---[ Affected Software ]
Hi All,
I have been posting a few entries to my blog over the last few weeks on Oracle 11g Security and have been looking at the new SHA-1 password algorithm used in Oracle 11g.
The password algorithm is simple and very easy to guess once you realise that the sha1 verifier stored in the database is 80 bits too long. Its also obvious from other testing I documented on my blog that a salt is indeed used. Once these facts are known the algoritm can be guessed. The algorithm is simply SHA1(pwd||salt) = 160 bit verifier||salt (stored in sys.user$spare4.
To create a simple function to test a verifier you simply need to do:
SYS.USER$.SPARE4 = SHA1("pwd guess" || substr(sys.user$.spare4,43,10)) || substr(sys.user$.spare4,43,10)
Hi All,
I have been posting a few entries to my blog over the last few weeks on Oracle 11g Security and have been looking at the new SHA-1 password algorithm used in Oracle 11g.
The password algorithm is simple and very easy to guess once you realise that the sha1 verifier stored in the database is 80 bits too long. Its also obvious from other testing I documented on my blog that a salt is indeed used. Once these facts are known the algoritm can be guessed. The algorithm is simply SHA1(pwd||salt) = 160 bit verifier||salt (stored in sys.user$spare4.
To create a simple function to test a verifier you simply need to do:
SYS.USER$.SPARE4 = SHA1("pwd guess" || substr(sys.user$.spare4,43,10)) || substr(sys.user$.spare4,43,10)
once the material has been analysed.
10.04.2009 - Sending another POC file (ZIP)
10.04.2009 - The third person ergo the "Cyber
Incident & Vulnerability Handling PM" is taking over coorindation
14.04.2009 - A comment was made to my blog that indicated IBM did
answer the Bugtraq posting and negate my findings, having
received no response from them personaly I ask
"Dear Peter, I was refered to this url in a comment posted to my blog:
http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5417
can you confirm this ?"
TZ> once the material has been analysed.
TZ> 10.04.2009 - Sending another POC file (ZIP)
TZ> 10.04.2009 - The third person ergo the "Cyber
TZ> Incident & Vulnerability Handling PM" is taking over coorindation
TZ> 14.04.2009 - A comment was made to my blog that indicated IBM did
TZ> answer the Bugtraq posting and negate my findings, having
TZ> received no response from them personaly I ask
TZ> "Dear Peter, I was refered to this url in a comment posted to my blog:
TZ> http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5417
TZ> can you confirm this ?"
>>
>> --
>> Gadi Evron,
>> ge@linuxbox.org.
>>
>> Blog: http://gevron.livejournal.com/
>
--
Gadi Evron,
> >>
> >> --
> >> Gadi Evron,
> >> ge@linuxbox.org.
> >>
> >> Blog: http://gevron.livejournal.com/
> >
>
>
> --
> Gadi Evron,
Okay, here is a good question after read the updated version of HD Moore Blog
post [1]:
(btw, that is the same question we are talking in twitter)
- Based on the blog post "Results of Investigation into Holyday ISS Claim"
(MSRC) [2], there is no vulnerability related to this case, right? BUT... If a
user has a weak password, a guessable password, you can GUESS the user's
password and get the user's access... Getting all the privileges he/she has.
Okay, I know that there are a lot of best practices floating around, describing
many, many ways to enforce the users to create a strong password instead... But
Next Page>>
|
