II - CROSS SITE SCRIPTING
When a guest adds a comment, an HTTP packet is sent to
"comment_add_cgi.php". Before writing the comment into
a file, there are some conditions; the first condition is
that the IP sent with the POST method must be the same
as the IP returned by the getIP() function. Let's see
the code:
88| if ($ok) {
89| // Verify that posted IP and actual IP matches.
___________________________________________________________________________
Overview:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
> -ui: numeric value. Can be fixed to value "2" (default value) and is
> transmitted via GET.
> -view: string value. Can be fixed to string "ma" (default value) and
> is transmitted via GET.
> -map: numeric value. Can be fixed to value "2" (default value) and
> is transmitted via POST.
> -ma_email: email address of the account to be added. Would match to
> the victim email address and is transmitted via POST.
> -mapc: boolean value. Can be fixed to value "true" (default value)
> and is transmitted via POST.
> -mapp: numeric value. Can be fixed to value "1" (default value) and
Description
***********
Flyspray system has multiple security vulnerabilities:
1. SiXSS in POST
2. Stored XSS in POST
3. Login Error Messages Credential Enumeration
Details
in BlazeDS.
XML External Entity Injection – Local File Disclosure
PoC – BlazeDS – Request
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
in Microsoft Windows Active Directory. Administrators find it easy to
automate password resets and account unlocks while optimizing the
expenses associated with helpdesk calls.
The security question mechanism used for password recovery can be
weakened by tampering with the HTTP POST request containing the answers,
allowing an attacker to pass the security check by guessing just one of
the security answers. Additionally, the CAPTCHA mechanism can be
bypassed in the same manner, enabling the automation of the guessing
attempts.
info
———————————
Name : Post Revolution 0.8.0c Multiple Remote Vulnerabilities
Class: Design Error && Input Validation Error
CVE: CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
Remote: Yes
Local: No
Credit : Javier Bassi <javierbassi [at] gmail [dot] com>
Vulnerable : All versions prior to and including 0.8.0c are affected.
Vendor Homepage : http://postrev.com.ar
$contents=@file_get_contents($tb_url);
if(!$contents)
trackback_response(1,
$main_smarty->get_config_vars('PLIGG_Visual_Trackback_BadURL'));
The $tb_url variable gets its value directly from a POST variable,
as seen at line 36, so it is easy to see how this can be used to
enumerate the existence of files on the web server, both inside and
outside the web-accessible directories. If the file exists, we will
get the "PLIGG_Visual_Trackback_BadURL" error. In addition to this
issue, an attacker may also include arbitrary files via a malformed
MODx system has multiple security vulnerabilities:
1. Linked XSS
2. Linked SiXSS
3. XSS in POST
4. Stored XSS in POST
5. Change User Password XSRF Vulnerability
"Fortinet's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that fulfill 3 factors:
1.- HTTP requests are terminated by the CRLF characters.
2.- Forcing the conversation to HTTP/1.0 so that the Host header is not sent.
3.- Finally, by fragmenting the GET or POST requests
Analysis:
Fortinet's past vulnerability
(http://www.fortiguardcenter.com/advisory/FGA-2006-10.html) said:
eyeOS operates with special intermediate checksums in plaintext. Without their validation it is impossible to perform new actions (to log in, start new services). There is a way to predict the eyeOS checksum. If this is automated on the attacker's side, it enables a local Denial of Service attack or user password stealing.
1. GET / HTTP/1.1
>>>>>>> <body onload='sendMsg("758474843719")
2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1
>>>>>>> HTTP/1.1 200 OK
Date: Mon, 27 Aug 2007 18:58:21 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
#!/usr/bin/perl
#
#-----------------------------------------------------------------------------------
#(Post Form --> 'cc') Blind (SQLi) EXPLOIT --Online Grades & Attendance v-3.2.6-->
#-----------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.onlinegrades.org/
#-->DOWNLOAD: http://www.onlinegrades.org/
BolinOS system has multiple security vulnerabilities:
1. Local File Include
2. Multiple Linked XSS vulnerabilities
3. Multiple XSS in POST
4. System information disclosure
Details
The following PoC code is available:
http://[host]/holding_queue.php?unlock=%27SQL_CODE_HERE
http://[host]/holding_queue.php?lock=%27SQL_CODE_HERE
10) Input passed via the "selected" POST parameter to holding_queue.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/holding_queue.php" method="post">
Bug Description :
BigACE Content Management System(version update : 2.7.5) is vulnerable to XSS.
Proof Of Concept :
1)language in /public/index.php , PoC:
POST http://192.168.10.211/public/index.php?cmd=application&id=-1_tauth_klogin_lde&PHPSESSID=ira7g0kjtlp6otttru0s78khk7
------------------------------------
UID=1&language="><SCRIPT>alert("demonalex");</SCRIPT>
2)UID in /public/index.php , PoC:
POST http://192.168.10.211/public/index.php?cmd=application&id=-1_tauth_klogin_lde&PHPSESSID=ira7g0kjtlp6otttru0s78khk7
On Sun, May 31, 2009 at 8:53 PM, <y3nh4ck3r (at) gmail (dot) com [email concealed]> wrote:
> #!/usr/bin/perl
> #-------------------------------------------------------------------------------------------------------------------
> #(Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->
> #-------------------------------------------------------------------------------------------------------------------
> #
> #CMS INFORMATION:
> #
can be partially modified by the user, are passed to the
function "parse_clean_globals()". Let's see the content
of the file "sources/ipsclass.php":
4847| $this->clean_globals( $_GET );
4848| $this->clean_globals( $_POST );
4849| $this->clean_globals( $_COOKIE );
4850| $this->clean_globals( $_REQUEST );
This function will replace special characters such as
the null byte one and "../" (this replacement can be
to give additional explanations. I'll also point out some important things
for all readers of the list.
First of all, readers of both Bugtraq and Full-disclosure must understand
that if you had no questions about my first advisory (from this series of
advisories (I have posted three already) of vulnerabilities in browsers,
which belong to the group of DoS via protocol handlers), then there must be no
questions about the next advisories. Otherwise it is double standards (not
moaning about the 1st advisory and moaning about the 2nd and 3rd ones) and, as I already
wrote to the lists, double standards are bad and it is better not to use them.
> already fixed this issue in our sourcetree
>
> as additional information: this is no dd-wrt specific issue. all other
> firmware like openwrt etc. would suffer from it too.
>
> in fact, just a plain POST to an authenticated dd-wrt session. without
> being logged in locally it would not have any effect
> -----------------------------------
>
> oh god - you dd-wrt people suck so much. it's unbelievable in which
> way you are handling security advisories. if you would be able to make
trigger this bug using other browsers?
Overview:
An attacker who has the rights to start a new thread or to reply
to an existing one is able to include JavaScript code in the topic,
which is executed when other users use the quick reply button shown
for every post.
This point of injection is possible because the topic text is part
of an "onclick" event used for the quick reply function, and the
software only escapes characters that are typical for HTML cross-site
scripting attacks. In this case, the single quote character is not
3. *Vulnerability Description*
The Cisco Secure Desktop web application does not sufficiently verify if
a well-formed request was provided by the user who submitted the POST
request, resulting in a cross-site scripting vulnerability.
In order to successfully carry out the attack, the Secure Desktop
application on the Cisco appliance must be turned on.
functionality for users to store, for example, contact information,
notes, a journal or files. A search form can be used to search for such
stored items.
When users search, for example, for certain files, using the provided
search form, an HTTP POST request containing the search query in XML
form is sent from the browser to the PHP script at
https://example.com/webmail/server/webmail.php:
----- HTTP POST request ------------------------------------------------
<iq sid="73aaafec4a8db27af49c4c43bca4ac13"
Textpattern system has multiple security vulnerabilities:
1. Parameter Value Overflow
2. Linked XSS
3. XSS in POST
4. Stored XSS
5. Insecure password changing algorithm
Details
ok, I am not questioning whether it is needed or not... anyway,
instead of mailing a huge chunk of text again and clogging everyone's
email account, I decided to post my thoughts on the blog where they
should be anyway, here is the link:
http://www.gnucitizen.org/blog/clear
On 10/12/07, Thor (Hammer of God) <thor@hammerofgod.com> wrote:
> CIL:
>
A severe security vulnerability affects any Unix distribution running version 3.1.6 of the Horde webmail client, which is included in most popular web hosting control panels. All previous versions are also affected, and it is believed, although not yet proven, that Horde Groupware is also vulnerable.
Details are as follows:
David Collins and Patrick Pelanne, along with the rest of the HostGator.com LLC support team, discovered that Horde was not properly sanitizing POST variables for several options, including its themes. By maliciously modifying the POST data sent to the client, the attacker can change the location held in the theme variable, and Horde will subsequently insert this information into its database. Modifying this POST variable allows directory traversal and file inclusion, which can lead to full root privilege escalation.
Proof of concept:
Data injected through malicious tampering of POST data:
* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header
When parsing an HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then memcpy tries to copy the user-provided
POST data into this buffer. By sending a small value in the Content-Length
header and more data in the POST body, it is possible to overflow the
previously allocated heap buffer.
Vulnerable versions : up to 1.3.7