| New User, Welcome! Login |
Next Page >>
cross site request forgery
You can review the list of the published vulnerabilities in:
http://code.google.com/p/smf2-review/issues/list
CSRF, RCE PHP Remote Code Execution SMF2 www.kernel32
CSRF CSRF theme change SMF2, SMF1 www.kernel32
CSRF Subforum Category Collapse CSRF SMF2, SMF1 www.kernel32
CSRF CSRF en el gestor de servidores de paquetes SMF2, SMF1 www.kernel32
XSS XSS in package server manager SMF2, SMF1 www.kernel32
CSRF CSRF package deletion and installed package disclosure SMF2 www.kernel32
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
IBM WebSphere Application Server Cross-Site Request Forgery
1. *Advisory Information*
Title: IBM WebSphere Application Server Cross-Site Request Forgery
I was thinking about the problem of Cross Site Request Forgery and current mitigation strategies used in the Industry. In many of the real world applications I have tested so far, I see the use of random tokens appended as part of url. If the request fails to provide any token or provide a token with incorrect value, then the request is rejected. This prevents CSRF or any cross domain unauthorized function execution.
Uptil now, it was considered infeasible for an attacker to discover your CSRF token using Brute Force Attacks on the server.
The reasons being:
1. It generates lot of noise on the network and is slow. So most probably an IDS or Web App Firewall will pick up the malicious behavior and block your ip. For example, a Base16 CSRF token of length 5 characters (starting with a character) will generate approximately 393,216 requests.
2. Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values. E.g. 30.
I am going to change this belief by showing you a technique to quicky find csrf tokens without generating alerts. This technique is a client side attack, so there is almost no network traffic generated and hence, your server and IDS/Web App Firewalls won’t notice it at all. This attack is based on the popular CSS History Hack found by Jeremiah Grossman 3 years ago.
III. ANALYSIS
Summary:
A) Remote Code Execution (RCE) Vulnerability
B) Cross Site Request Forgery (CSRF) Vulnerabilities
C) Local File Inclusion (LFI) Vulnerability
D) Cross Side Scripting (XSS) Vulnerability
A) Remote Code Execution (Windows Only) Vulnerability
Phorum released some important fixes for the Cross-Site Scripting vulnerabilities [1]
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Technical Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
Phorum [2] suffers from a series of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
vulnerabilities, trough the admin panel and the "file uploading" section (with an XML file but it only works
if you are using Mozilla Firefox as browser and a crafted XUL file). Some other vulnerabilities:
[*] Cross-Site Scripting (XSS):
Advanced Electron Forums (AEF) 1.0.9 <= Cross Site Request Forgery
(CSRF) Vulnerability
1. OVERVIEW
The Advanced Electron Forums (AEF) 1.0.9 <= versions are vulnerable
to Cross Site Request Forgery (CSRF).
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Technical Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
Multiple vulnerabilities were found on the package net2ftp [1], version 0.98 and below. Two types of
vulnerabilities were found: Cross-Site Scripting and Cross-Site Request Forgery.
[*] Cross-Site Scripting (XSS):
This vulnerability it's produced by a "typo" in the function validateGeneriInput(), where the
extraction of characters < and > fails because the regular expression in charge of the extraction
PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass
Vulnerability
1. OVERVIEW
The PHP-Nuke version 8.x and lower versions are vulnerable to Cross
Site Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer
Check) is found to be broken.
http://www.example.com/mantis/return_dynamic_filters.php?filter_target=
<script>alert(document.cookie);</script>
B) CSRF Vulnerabilities
There is a Cross Site Request Forgery vulnerability in the software. If a
logged in user with administrator privileges clicks on the following url:
http://www.example.com/mantis/manage_user_create.php?username=foo&realn
ame=aa&password=aa&password_verify=aa&email=foo@attacker.com&access_lev
el=90&protected=0&enabled=1
L M H T
Summary: Ip Spoofing [X] [_] [_] [X]
Cross Site Scripting [X] [_] [_] [X]
Session Fixation [X] [_] [_] [X]
mail() CRLF Injection [X] [_] [_] [_]
Local File Inclusion (+CSRF) [_] [X] [_] [X]
File Deletion (+CSRF) [_] [X] [_] [X]
File Upload Vulnerability [_] [_] [X] [X]
Code Execution (+CSRF) [_] [_] [X] [X]
Legend: L - Low risk M - Medium risk
##
#
# ID: COMPASS-2012-002
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor: OpenKM http://www.openkm.com/
# Subject: Cross-site Request Forgery based OS Command Execution
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date: January 2nd 2012
#
path disclosure vulnerabilities in WordPress
------------------------------
URL: http://websecurity.com.ua/4420/
------------------------------
These are Cross-Site Request Forgery vulnerability which I found at
05.06.2007, Information Leakage which I found at 02.08.2009, and Full path
disclosure which I found at 29.07.2010.
------------------------------
1. Cross-Site Request Forgery.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02282377
Version: 1
HPSBMA02550 SSRT100170 rev.1 - HP Insight Software Installer for Windows, Local Unauthorized Access to Data, Remote Cross Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-07-12
Last Updated: 2010-07-12
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01800059
Version: 1
HPSBMA02442 SSRT090108 rev.1 - HP Business Availability Center Running Apache, Remote Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-05-25
Last Updated: 2010-05-25
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02282377
Version: 2
HPSBMA02550 SSRT100170 rev.2 - HP Insight Software Installer for Windows, Local Unauthorized Access to Data, Remote Cross Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-07-12
Last Updated: 2010-07-14
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01820968
Version: 1
HPSBMA02447 SSRT090062 rev.1 - Insight Control Suite For Linux (ICE-LX) Cross Site Request Forgery (CSRF) , Remote Execution of Arbitrary Code, Denial of Service (DoS), and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-08-12
Last Updated: 2009-08-12
====================================================
Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability
====================================================
1. OVERVIEW
The Zikula 1.2.4 and lower versions were vulnerable to Cross Site
Request Forgery (CSRF).
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02282388
Version: 1
HPSBMA02553 SSRT100184 rev.1 - HP Insight Control Server Migration for Windows, Local and Remote Unauthorized Access to Data, Remote Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-07-12
Last Updated: 2010-07-12
####################
- Vulnerability:
####################
+--> CSRF (Cross-Site Request Forgery)
The password changing page is vulnerable to CSRF attack. This vulnerability
can be used to change the password of the victim. For details of this
process see "Exploits/PoCs" section.
+--> Stored XSS Vulnerability
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02563642
Version: 1
HPSBMA02602 SSRT100317 rev.1 - HP Insight Control Performance Management for Windows, Remote Cross Site Scripting (XSS), Privilege Escalation, Cross Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-28
Last Updated: 2010-10-28
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02027185
Version: 1
HPSBMA02525 SSRT100083 rev.1 - HP System Insight Manager Running on HP-UX, Linux, and Windows , Remote Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Privilege Elevation
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-04-27
Last Updated: 2010-04-27
get basic information about the hosts in the Resource Pools, information about
the VMs and also connect to the console of the VMs.
Due to poor validation of some user controlled inputs, a variety of attacks
against the application and the underlying server are possible.
Cross-site scripting, cross-site request forgery, SQL injection and remote
command execution attack vectors were identified as well.
XSS and CSRF attacks can be performed on the virtual appliance itself, while
the others require the PHP parameter magic_quotes_gpc to be off on the web
server.
===============================================================
Scientific Atlanta DPC2100 Cable Modem
Cross-Site Request Forgery and Insufficient Authentication
May 24, 2010
CVE-2010-2025, CVE-2010-2026
===============================================================
==Description==
Scientific Atlanta, a Cisco company (www.cisco.com), produces the WebSTAR line
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02560655
Version: 1
HPSBMA02598 SSRT100314 rev.1 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Privilege Escalation, Cross Site Request Forgery (CSRF).
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-25
Last Updated: 2010-10-25
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02564294
Version: 1
HPSBMA02603 SSRT100319 rev.1 - HP Insight Control Power Management for Windows, Remote Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-25
Last Updated: 2010-10-25
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02738731
Version: 1
HPSBMA02663 SSRT100428 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-04-19
Last Updated: 2011-04-19
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 1
HPSBUX02401 SSRT090005 rev.2 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-12
Advisory Information
Advisory ID: NGENUITY-2010-006
Date published: Aug. 7, 2010
Class: Cross-Site Request Forgery (CSRF)
Software Description
Nagios XI is the commercial / enterprise version of the open source
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02560655
Version: 2
HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-25
Last Updated: 2010-10-28
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command
Injection
Remotely Exploitable: Yes
Locally Exploitable: No
Next Page>>
|
|
|
