Original release: 2011-10-18
Last update: 2011-10-18
Topic: KDC denial of service vulnerabilities
CVE-2011-1527: null pointer dereference in KDC LDAP back end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Original release: 2011-02-08
Last update: 2011-02-08
Topic: KDC denial of service attacks
CVE-2011-0281: KDC vulnerable to hang when using LDAP back end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 7.8
High
=== Problem Description ===
Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, TYPO3 is susceptible to the following vulnerabilities when running on Apache web server:
1. Authenticated backend users with granted access to an arbitrary filemount are able to upload Apache configuration files (.htaccess). A malicious backend user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default case), authenticated backend users with granted access to an arbitrary filemount can upload/create and execute arbitrary files with PHP code. The same applies to frontend users in the case that TYPO3 extensions with frontend plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the file name. The TYPO3 security team is aware of a number of popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions that process file uploads using the method processFiles() of the core library fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3 extension within the TYPO3 extension repository (TER) that uses the method processFiles().
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described. The new versions contain an updated default value for fileDenyPattern. If this default value is not used, there will be a warning displayed in backend module "About modules". This should remind the administrator to change the value of fileDenyPattern.
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2009-3628
The Backend subcomponent allows remote authenticated users to
determine an encryption key via crafted input to a form field.
CVE-2009-3629
Multiple cross-site scripting (XSS) vulnerabilities in the
The first weakness affecting the Cisco CSS is that, in a typical client
certificate configuration, HTTP clients may confuse web applications by
injecting their own certificate headers. When utilizing the CSS to
terminate SSL communications, SSL client certificates are first
authenticated by the CSS. From there, the CSS will normally pass the
client's identity to the back-end web server in the form of several HTTP
headers as shown below:
ClientCert-Subject: XXX
ClientCert-Subject-CN: XXX
ClientCert-Fingerprint: XXX
Description:
Unauthenticated SQL Injection:
Client input is being used to generate queries passed to the backend
database server. This input is not sufficiently sanitized before being
passed to the backend database server. As a result, a malicious user may
be able to craft queries that will be run on the backend database server
without any authentication, leading to sensitive information such as
administrator passwords being retrieved.
====================
Vulnerability :
When used as a server load balancer and/or SSL offloader, it is possible
to make requests to the backend without leaving any IP address in the
HTTP server logs. It is then possible to perform any L7 HTTP attack
anonymously.
A bug request has been opened with Cisco TAC; it has been classified as
"work as designed".
applications. Successful exploitation allows arbitrary code execution on the
server running the XML service.
The issue can be exploited with network access to the XML service interface.
But exploitation can also be performed with unauthenticated access to the
Citrix web frontend which is exposed to the Internet in many cases.
Description:
The Citrix XML Service (ctxxmls.exe) is installed on every server used for
sharing applications. This Windows service listens by default on port 80 and
[DSECRG-11-014] SAP GUI (sapgui) - DLL hijacking
SAP Front End applications (SAPGui.exe) are vulnerable to DLL hijacking attacks. This makes remote code execution possible.
Digital Security Research Group [DSecRG] Advisory DSecRG-11-014 (Internal DSecRG-00183)
Application: SAP GUI
Versions Affected: 6.4 - 7.2
Vendor URL: http://www.sap.com
a consolidated security strategy with the trusted leader in Essential
Information Protection.
(Product description from Websense Website)
The Websense Email Security Web Administrator is a web frontend that
gives access to message administration and directory management and
allows viewing the log.
Proper remediation should include referer checking (which has proved to be
spoofable on the client side in the past, so it is not a bulletproof
technique) and token checking (a random string or a hash generated
when the user requests the frontend, stored server-side (sessions are
fine), included in the frontend form, and sent to and verified by the
backend).
These two protections ensure that an action cannot, hopefully, be
CSRFed (at least in the absence of an XSS vulnerability that neutralizes
the same-origin policy again).
Advisory: SilverStripe 2.4.5 Multiple backend Cross-site scripting vulnerabilities
Advisory ID: SSCHADV2011-024
Author: Stefan Schurtz
Affected Software: Successfully tested on SilverStripe 2.4.5
Vendor URL: http://www.silverstripe.com/
Vendor Status: informed
CVE-ID: -
==========================
Vulnerability Description:
http://url.foo/tr_status.php?compact=false&onlytrue=true&noactions=true&select=false&txt_select=&sort[%22.phpinfo().%22]=1
Multiple vulnerabilities have been found and corrected in krb5:
The kdb_ldap plugin in the Key Distribution Center (KDC) in
MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP
back end is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via a kinit
operation with incorrect string case for the realm, related to the
is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal,
and process_as_req functions (CVE-2011-1527).
Zabbix 1.6.2 Frontend Multiple Vulnerabilities
Name Multiple Vulnerabilities in Zabbix Frontend
Systems Affected Zabbix 1.6.2 and possibly earlier versions
Severity High
Impact (CVSSv2) High 9.7/10, vector: (AV:N/AC:L/Au:N/C:P/I:C/A:C)
Vendor http://www.zabbix.com/
Advisory http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
1. OVERVIEW
The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL Injection.
2. BACKGROUND
PHP-Nuke is a Web Portal System or content management system. The goal
Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows an
unauthenticated attacker on the Internet to gain full control of a backend
Oracle database server via the front end web server.
Details
*******
Oracle Application Server installs a number of PLSQL packages in the backend
I. ABOUT THE APPLICATION
________________________
The cg_Testimonial component is a tool for adding
testimonials submitted by users from the frontend and for managing and
publishing testimonials from the backend.
This Joomla extension allows website users to submit a
testimonial form with several fields on one of your
site's pages and enables adding testimonials by either
users or the admin.
1. Multiple linked XSS vulnerabilities found. An attacker can inject XSS via the URL string.
1.1 Linked XSS vulnerabilities found in index.php.
GET parameters "frontend", "set_frontend", "jz_path", "theme", "set_theme".
Example:
http://[server]/[installdir]/index.php?frontend=<IMG SRC="javascript:alert('DSecRG XSS')">
Introduction
------------------
Quality Center (QC) is a web-based QA testing and management tool. It is a product from HP, which took over Mercury Interactive last year.
The front end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allows the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front end.
In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, two folders are created within the cache folder. One of these folders contains a copy of the workflow scripts used to customize the application. These files are required on the client machine because the workflow is executed on the client, not on the server.
There is one VBScript workflow file per feature. These are:
* Login/Logout (common.tds)
3. VULNERABILITY DESCRIPTION
The 'site_footer', 'name', 'explanation' parameters are not properly
sanitized in administration backend of Drupal 5.x and 6.x versions,
which could allow attackers to conduct stored cross site scripting
attacks.
4. VERSIONS AFFECTED
=> Best Practices
=> Scaling & Performance
=> Agile Development
=> Continuous Integration
=> Tools & Frameworks
=> Frontend Development
=> Database (NoSQL)
=> Cloud Technology
ALL INFORMATION AT A GLANCE:
scripts that can be executed by requests to this URL. Although access
to the URL /doc is restricted to connections from localhost, this still
creates security issues in two specific configurations:
- If some front-end server on the same host forwards connections to an
apache2 backend server on the localhost address, or
- if the machine running apache2 is also used for web browsing.
Systems not meeting one of these two conditions are not known to be
vulnerable. The actual security impact depends on which packages (and
CMS Made Simple: backend cross site scripting (XSS), CVE-2010-1482
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482
http://int21.de/cve/CVE-2010-1482-cmsmadesimple-xss-backend.html
http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade/
Description
could lead to denial of service through crafted search requests.
CVE-2007-6698
It was discovered that a programming error in the interface to the
BDB storage backend could lead to denial of service through
crafted modify requests.
CVE-2008-0658
It was discovered that a programming error in the interface to the
ReadyNAS devices with RAIDiator 4.0, which disables the SSH daemon
by default and lets you change the root password when enabling it.
Overview:
The ReadyNAS is a Network-Attached Storage (NAS) device based on Linux
2.4.20 and debian-sparc with a custom frontend for management. Out of
the box, the user cannot log in to a shell on the device. There are
two enabled users: one called "admin" (with the default password
"infrant1", which is documented), and another, "root", which is not
documented. The user "admin" does not have a shell assigned, so it
cannot log in interactively. It is used only for the web frontend.
It was discovered that the Key Distribution Center (KDC) in Kerberos 5
crashes when processing certain crafted requests:
CVE-2011-1528
When the LDAP backend is used, remote users can trigger
a KDC daemon crash and denial of service.
CVE-2011-1529
When the LDAP or Berkeley DB backend is used, remote users
can trigger a NULL pointer dereference in the KDC daemon
==================
Technical Details:
==================
Backend - XSS
http://<target>/school/starnet/index.php?option=stats&suboption='"</style></script><script>alert(document.cookie)</script>
http://<target>/school/starnet/index.php?option=pagemanager&suboption=newsection&site='"</style></script><script>alert(document.cookie)</script>
http://<target>/school/starnet/index.php?option=modulemanager&modoption=edit&module_number="</style></script><script>alert(document.cookie)</script>
http://<target>/school/starnet/index.php?option=modulemanager&module='"</style></script><script>alert(document.cookie)</script>