II - CROSS SITE SCRIPTING
When a guest adds a comment, an HTTP request is sent to
"comment_add_cgi.php". Before the comment is written to
a file, several conditions are checked; the first is
that the IP sent with the POST request must be the same
as the IP returned by the getIP() function. Let's see
the code:
if ($ok) {
// Verify that posted IP and actual IP matches.
___________________________________________________________________________
Overview:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
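The paragraph above breaks off, but what it describes is hash flooding: many distinct keys with one hash value turn a bucket into a linked list, so every further insert scans everything already stored. The following Python is an added example, not code from the advisory: it builds multi-colliding keys for DJBX33A (the times-33 hash PHP 5 uses for its arrays), inserts them into a small chained table that counts key comparisons, and repeats the insert with a keyed (randomized) hash. The table size, key count and the secret key are this example's own choices.

```python
"""Added example: hash flooding against a DJBX33A-keyed table (not from the advisory)."""
import hashlib

MASK32 = 0xFFFFFFFF


def djbx33a(key: bytes) -> int:
    """Times-33 hash (DJBX33A) as used by PHP 5's zend_inline_hash_func, 32-bit."""
    h = 5381
    for c in key:
        h = (h * 33 + c) & MASK32
    return h


def colliding_keys(n_blocks: int) -> list:
    """Return 2**n_blocks distinct byte strings that all share one DJBX33A hash.

    b"Ez" and b"FY" collide under h*33+c (69*33+122 == 70*33+89 == 2399).
    Because the hash is a polynomial in the input bytes, concatenating
    equal-length colliding blocks in any order also collides ("multi-collision").
    """
    keys = [b""]
    for _ in range(n_blocks):
        keys = [k + blk for k in keys for blk in (b"Ez", b"FY")]
    return keys


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, n_buckets: int = 2048):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(n_buckets)]
        self.comparisons = 0

    def insert(self, key: bytes, value) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1      # every insert walks the whole chain
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def keyed_hash(secret: bytes):
    """Randomized (keyed) hash: collisions cannot be precomputed without the key."""
    def h(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=4).digest()
        return int.from_bytes(digest, "big")
    return h


def comparisons_for(hash_fn, keys) -> int:
    """Insert every key as if it were a POST parameter name; return total comparisons."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, True)
    return table.comparisons


if __name__ == "__main__":
    keys = colliding_keys(11)          # 2048 keys of 22 bytes, one hash value
    print("distinct hashes:", len({djbx33a(k) for k in keys}))
    print("DJBX33A comparisons:", comparisons_for(djbx33a, keys))
    print("keyed-hash comparisons:", comparisons_for(keyed_hash(b"per-process-secret"), keys))
```

With 2048 colliding keys the DJBX33A table performs 2048*2047/2 comparisons (quadratic in the number of POST parameters), while the keyed hash spreads the same keys across the buckets and stays near linear. Capping the number of accepted parameters (PHP's max_input_vars, introduced in 5.3.9) limits the damage; a per-process random hash key removes the attacker's ability to precompute collisions at all.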
-ui: numeric value. Can be fixed to value "2" (default value) and is
transmitted via GET.
-view: string value. Can be fixed to string "ma" (default value) and
is transmitted via GET.
-map: numeric value. Can be fixed to value "2" (default value) and
is transmitted via POST.
-ma_email: email address of the account to be added. Would match to
the victim email address and is transmitted via POST.
-mapc: boolean value. Can be fixed to value "true" (default value)
and is transmitted via POST.
-mapp: numeric value. Can be fixed to value "1" (default value) and
static public function init()
{
...
...
IPSLib::cleanGlobals( $_GET );
IPSLib::cleanGlobals( $_POST );
IPSLib::cleanGlobals( $_COOKIE );
IPSLib::cleanGlobals( $_REQUEST );

# GET first
$input = IPSLib::parseIncomingRecursively( $_GET, array() );
in BlazeDS.
XML External Entity Injection – Local File Disclosure
PoC – BlazeDS – Request
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
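The request above shows the shape of the malicious AMFX body but not the server-side parser configuration. As an added example, not BlazeDS code, the following Python refuses a request body that declares or references an external entity before any parser that might resolve it sees the document; the two sample bodies are constructed here and only echo the DOCTYPE pattern of the proof of concept. The durable fix is to disable DTD processing or external entity resolution in the XML parser itself; this pre-check is defence in depth that also works when the parser's configuration is not under your control.

```python
"""Added example: detect external entity declarations before parsing (not BlazeDS code)."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class ExternalEntityError(ValueError):
    """Raised when a request body declares or references an external entity."""


def external_entities(xml_bytes: bytes) -> list:
    """Return (name, system_id) for each external entity declared or referenced.

    Uses expat's declaration callbacks; returning 0 from the external-entity
    handler aborts parsing, so the referenced file or URL is never fetched.
    """
    found = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    def external_ref(context, base, system_id, public_id):
        found.append(("<reference>", system_id))
        return 0  # false => expat stops with XML_ERROR_EXTERNAL_ENTITY_HANDLING

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # either our deliberate abort or malformed XML; caller decides
    return found


def parse_amfx(xml_bytes: bytes) -> str:
    """Reject bodies with external entities, then parse and return the root tag."""
    offenders = external_entities(xml_bytes)
    if offenders:
        raise ExternalEntityError("external entities: %r" % (offenders,))
    return ET.fromstring(xml_bytes).tag


# Constructed sample bodies (not captured traffic): one benign AMFX envelope and
# one carrying the same kind of DOCTYPE as the advisory's proof of concept.
BENIGN = (b'<?xml version="1.0" encoding="utf-8"?>'
          b'<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">'
          b'<body><object><string>hello</string></object></body></amfx>')

XXE = (b'<?xml version="1.0" encoding="utf-8"?>'
       b'<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>'
       b'<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">'
       b'<body><object><string>&x3;</string></object></body></amfx>')

if __name__ == "__main__":
    print("benign root:", parse_amfx(BENIGN))
    print("xxe entities:", external_entities(XXE))
```

Note that the check fires on the declaration itself, so a body that declares an external entity without referencing it is still rejected; that is intentional, since parameter entities and nested DTD tricks can reference it later in ways a content-level scan would miss.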
Description
***********
Flyspray system has multiple security vulnerabilities:
1. SiXSS in POST
2. Stored XSS in POST
3. Login Error Messages Credential Enumeration
Details
info
———————————
Name : Post Revolution 0.8.0c Multiple Remote Vulnerabilities
Class: Design Error && Input Validation Error
CVE: CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
Remote: Yes
Local: No
Credit : Javier Bassi <javierbassi [at] gmail [dot] com>
Vulnerable : All versions prior to and including 0.8.0c are affected.
Vendor Homepage : http://postrev.com.ar
$contents=@file_get_contents($tb_url);
if(!$contents)
trackback_response(1,
$main_smarty->get_config_vars('PLIGG_Visual_Trackback_BadURL'));
The $tb_url variable gets its value directly from a POST variable,
as seen @ line 36, so this can easily be used to enumerate the
existence of files on the web server, both inside and outside the
web-accessible directories: file_get_contents() returns false for a
missing or unreadable file, so only in that case do we get the
"PLIGG_Visual_Trackback_BadURL" error, and its absence reveals that the
file exists. In addition to this issue, an attacker may also include
arbitrary files via a malformed
"Fortinet's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that meet three conditions:
1.- HTTP requests are terminated by the CRLF characters.
2.- Forcing HTTP/1.0, so that no Host header is sent.
3.- Finally, fragmenting the GET or POST requests.
Analysis:
Fortinet's past vulnerability
(http://www.fortiguardcenter.com/advisory/FGA-2006-10.html) said:
eyeOS operates with special intermediate checksums transmitted in plaintext. Without a valid checksum it is impossible to perform new actions (log in, start new services). There is a way to predict the eyeOS checksum; automated by an attacker, this allows a local denial of service attack or stealing user passwords.
1. GET / HTTP/1.1
>>>>>>> <body onload='sendMsg("758474843719")
2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1
>>>>>>> HTTP/1.1 200 OK
Date: Mon, 27 Aug 2007 18:58:21 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
in Microsoft Windows Active Directory. Administrators find it easy to
automate password resets and account unlocks while managing and optimizing
the expenses associated with helpdesk calls.
The security question mechanism used for password recovery can be
weakened by tampering with the HTTP POST request containing the answers,
allowing an attacker to pass the security check by guessing just one of
the security answers. Additionally, the CAPTCHA mechanism can be
bypassed in the same manner, enabling automation of the guessing
attempts.
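The advisory does not show the server-side logic, only the symptom: removing fields from the POST reduces the check to one guess. The following added example (not the vendor's code) illustrates the common pattern that produces exactly that symptom, a verifier that iterates over the answers present in the request instead of over the questions on file, next to a version that requires every stored question. The question keys and answers are constructed for the example.

```python
"""Added example: why per-answer checks must iterate over the stored questions."""
import hmac

# Constructed account record, not data from the advisory.
STORED = {
    "q1": "fluffy",       # "Name of your first pet?"
    "q2": "springfield",  # "Town where you were born?"
    "q3": "honda",        # "Make of your first car?"
}


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison of normalized answers."""
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def verify_submitted_only(stored: dict, submitted: dict) -> bool:
    """Weak check (assumed pattern): validates only the answers present in the POST.

    Dropping two of the three answer fields from the request leaves one check,
    so a single correct guess passes.
    """
    if not submitted:
        return False
    results = [q in stored and _eq(stored[q], a) for q, a in submitted.items()]
    return all(results)


def verify_all_required(stored: dict, submitted: dict) -> bool:
    """Fixed check: every stored question must be answered correctly; extra or
    missing fields fail the whole check rather than narrowing it."""
    if set(submitted) != set(stored):
        return False
    results = [_eq(stored[q], submitted[q]) for q in stored]  # no short-circuit
    return all(results)


if __name__ == "__main__":
    one_guess = {"q1": "Fluffy"}
    print("weak check, one field:", verify_submitted_only(STORED, one_guess))
    print("fixed check, one field:", verify_all_required(STORED, one_guess))
```

The same rule applies to the CAPTCHA field mentioned above: it must be treated as a required input whose absence fails the request, not as an optional field that is checked only when present.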
#!/usr/bin/perl
#
#-----------------------------------------------------------------------------------
#(Post Form --> 'cc') Blind (SQLi) EXPLOIT --Online Grades & Attendance v-3.2.6-->
#-----------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.onlinegrades.org/
#-->DOWNLOAD: http://www.onlinegrades.org/
MODx system has multiple security vulnerabilities:
1. Linked XSS
2. Linked SiXSS
3. XSS in POST
4. Stored XSS in POST
5. Change User Password XSRF Vulnerability
The following PoC code is available:
http://[host]/holding_queue.php?unlock=%27SQL_CODE_HERE
http://[host]/holding_queue.php?lock=%27SQL_CODE_HERE
10) Input passed via the "selected" POST parameter to holding_queue.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/holding_queue.php" method="post">
Bug Description :
BigACE Content Management System(version update : 2.7.5) is vulnerable to XSS.
Proof Of Concept :
1)language in /public/index.php , PoC:
POST http://192.168.10.211/public/index.php?cmd=application&id=-1_tauth_klogin_lde&PHPSESSID=ira7g0kjtlp6otttru0s78khk7
------------------------------------
UID=1&language="><SCRIPT>alert("demonalex");</SCRIPT>
2)UID in /public/index.php , PoC:
POST http://192.168.10.211/public/index.php?cmd=application&id=-1_tauth_klogin_lde&PHPSESSID=ira7g0kjtlp6otttru0s78khk7
#!/usr/bin/perl
#-------------------------------------------------------------------------------------------------------------------
#(Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->
#-------------------------------------------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.onlinegrades.org/
#-->DOWNLOAD: http://www.onlinegrades.org/
#-->DEMO: http://www.onlinegrades.org/demo_info
trigger this bug using other browsers?
On Sun, May 31, 2009 at 8:53 PM, <y3nh4ck3r@gmail.com> wrote:
> #!/usr/bin/perl
> #-------------------------------------------------------------------------------------------------------------------
> #(Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->
> #-------------------------------------------------------------------------------------------------------------------
> #
> #CMS INFORMATION:
> #
> #-->WEB: http://www.onlinegrades.org/
functionality for users to store, for example, contact information,
notes, a journal or files. A search form can be used to search for such
stored items.
When users search, for example, for certain files, using the provided
search form, an HTTP POST request containing the search query in XML
form is sent from the browser to the PHP script at
https://example.com/webmail/server/webmail.php:
----- HTTP POST request ------------------------------------------------
<iq sid="73aaafec4a8db27af49c4c43bca4ac13"
3. *Vulnerability Description*
The Cisco Secure Desktop web application does not sufficiently verify
whether a well-formed request was provided by the user who submitted the
POST request, resulting in a cross-site scripting vulnerability.
In order to successfully carry out the attack, the Secure Desktop
application on the Cisco appliance must be turned on.
can be partially modified by the user, are passed to the
function "parse_clean_globals()". Let's see the content
of the file "sources/ipsclass.php":
$this->clean_globals( $_GET );
$this->clean_globals( $_POST );
$this->clean_globals( $_COOKIE );
$this->clean_globals( $_REQUEST );
This function will replace special characters such as
the null byte one and "../" (this replacement can be
Overview:
An attacker who has the rights to start a new thread or to reply
to an existing one is able to include JavaScript code via the topic,
which is executed when other users use the quick reply button shown
for every post.
This injection point exists because the topic text is part
of an "onclick" event used for the quick reply function and the
software only escapes characters that are typical for HTML cross-site
scripting attacks. In this case, the single quote character is not
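The failure described above is a context mismatch: the topic is HTML-escaped, but it lands inside a JavaScript string literal inside an attribute, and the JavaScript delimiter is the single quote. The following Python is an added example, not the forum software's code; the weak renderer reconstructs the described behaviour (escape & < > and the double quote, leave the single quote), and the fixed renderer encodes for the inner JavaScript context first and the outer attribute context second. The quickReply function name and the markup are assumptions.

```python
"""Added example: HTML-only escaping is insufficient inside an onclick handler."""
import html
import json


def render_quick_reply_weak(topic: str) -> str:
    """Escapes the 'typical' HTML characters & < > and the double quote, but
    leaves the single quote alone, which here is the JavaScript string delimiter."""
    escaped = html.escape(topic, quote=False).replace('"', "&quot;")
    return '<a href="#" onclick="quickReply(\'%s\')">Quick reply</a>' % escaped


def render_quick_reply_fixed(topic: str) -> str:
    """Encode for the inner context first (a JavaScript string literal via JSON,
    which escapes quotes, backslashes and control characters), then for the
    outer context (an HTML attribute, with both quote characters escaped)."""
    js_literal = json.dumps(topic)
    attr = html.escape(js_literal, quote=True)
    return '<a href="#" onclick="quickReply(%s)">Quick reply</a>' % attr


def onclick_argument(rendered: str) -> str:
    """Pull the text between quickReply( and ) out of the onclick attribute,
    exactly as it appears in the markup (before the browser decodes entities)."""
    attr = rendered.split('onclick="', 1)[1].split('">', 1)[0]
    return attr[len("quickReply("):-1]


if __name__ == "__main__":
    # Constructed payload: closes the string and the call, then runs arbitrary code.
    payload = "x'); alert(1); ('y"
    print("weak :", onclick_argument(render_quick_reply_weak(payload)))
    print("fixed:", onclick_argument(render_quick_reply_fixed(payload)))
```

In the weak output the attribute reads quickReply('x'); alert(1); ('y'), which the browser executes as three statements. In the fixed output no raw quote of either kind survives into the attribute, and after entity decoding the JavaScript engine sees one double-quoted string whose content round-trips to the original topic.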
BolinOS system has multiple security vulnerabilities:
1. Local File Include
2. Multiple Linked XSS vulnerabilities
3. Multiple XSS in POST
4. System information disclosure
Details
Besides, Bkis also found some XSS and CSRF vulnerabilities in the following
OpenBlog functions:
XSS holes are found in the following modules:
- Create a new post
- Edit a post
- Create a new page
Because these modules' input variables are not adequately checked and
filtered, an attacker might insert code into the path's links. If a user
Hijacking Opera's Native Page using malicious RSS payloads
----------------------------------------------------------------------------
For complete post (with images), please visit -
http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicious-rss-payloads/
Well, this one is a continuation of my previous post on Cross Site Scripting
issues relating to RSS feed readers. In that post, I mentioned Scenario (3),
but didn't discuss any details or PoC since Opera Team was actively fixing
* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header
When parsing an HTTP request, SFCB uses any positive Content-Length
value to allocate a buffer, and memcpy then copies the user-provided
POST data into that buffer. By sending a small value in the Content-Length
header and more data in the POST body, it is possible to overflow the
previously allocated heap buffer.
Vulnerable versions : up to 1.3.7
IV. PROOF OF CONCEPT
-------------------------
The affected code:
require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');
Exploit:
#!/usr/bin/perl
Product Information
--------------------
PhotoPost vBGallery is a popular commercial Image Gallery Add-on for
vBulletin which is developed by All Enthusiasts, Inc.
http://www.photopost.com
Description
-----------
PhotoPost vBGallery 2.5 allows the user to modify gallery settings for
his profile page if the function is enabled and the user has permission