script
=============
Ignite-UX.MGMT-TOOLS,revision=C.7.0.212
- ->Ignite-UX.MGMT-TOOLS,revision=C.7.1.93
- ->Ignite-UX.MGMT-TOOLS,revision=C.7.2.94
Ignite-UX.MGMT-TOOLS,revision=C.7.3.144
action: use the script from the Resolution to work around the vulnerability
HP-UX B.11.23
HP-UX B.11.31
=============
DRD.DRD-RUN,revision=A.1.0.16.417
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
Locally Exploitable: Yes
Bugtraq ID: 33178
CVE Name: CVE-2009-1140
3. *Vulnerability Description*
Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
Debasis Mohanty wrote:
> No offence intended but if you take a little more effort of validating your
> work before posting publicly then you can save yourself from embarrassment.
>
> I don't see anything in the script that can bypass zone security and run
> successfully from internet zone. I am sure you have tested it locally and
> drawn conclusion that the script can execute from internet zone. To test the
> script from internet zone, you need to upload it to a webserver and try
> accessing via browser.
>
Cpanel File Manager XSS Vulnerability
Synopsis
-------------
Cpanel (www.cpanel.net) has two file manager applications, a standard one and a legacy one, for managing files. Both are vulnerable to XSS. File names are presented unescaped, so an attacker can craft a malicious file name that executes script on behalf of victims.
Version
-----------
This vulnerability was found on Cpanel version 11.24.4-CURRENT.
The exploit given here has been tested on Firefox 3.0.7 and IE 8.0.
Version : Tested with 7.1.314 and 6.4
Impact : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html
Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.
2. Overview
Date of Public Advisory: 18.08.2008
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
***********
Freeway eCommerce system has multiple security vulnerabilities:
1. Multiple Remote/Local File Include
max_execution_time is *CPU EXECUTION* time and not
*WALL-CLOCK* time -- reread the definition from the PHP man pages.
Since you are doing sleep() in the script, which is suspending the
process (script), no CPU time is accruing for that process (script),
therefore you do not hit the max_execution_time. This is completely
working as intended and is consistent with a Unix/Posix model. Now,
if you want a wall-clock alarm/termination, that is a completely
different issue and should be handled via a different mechanism, don't
confuse the two.
1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords:
1.1- http://[HC URL]/hosting/addreseller.asp?reseller=[USERNAME] -> for ex. [USERNAME]= resadmin
1.2- Now, to login without changing the password, attacker must run "ChangeDisplay.htm" then redirect to "main.asp"
~~~~~~~~~~~~~~~~1.2.1 ChangeDisplay.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
function check(){
_action = '/AdminSettings/displays.asp?DecideAction=1&ChangeSkin=1'
frmDisplay.action = window.document.all.URL.value + _action
return true;
}
[DSECRG-11-011] SAP Crystal Reports 2008 - Multiple XSS
SAP Crystal Report Server 2008 - multiple cross-site scripting vulnerabilities.
SAP Crystal Report Server 2008 - Multiple cross-site scripting vulnerabilities. [DSecRG-11-011] (Internal DSECRG-00147)
Multiple XSS vulnerabilities were found in the PerformanceManagement module of SAP Crystal Report Server 2008. An attacker can intercept the cookie of an administrator or of a regular user of the system.
Application: SAP Crystal Report Server 2008
The following PoC code is available:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
poc:
The underlying operating system contains the ADODB Connection
ActiveX control, which is marked safe for initialization
and safe for scripting (it implements the IObjectSafety interface),
which could allow a remote attacker to specify the
mentioned connection string.
The IE security settings do not allow opening a connection
from another domain, but this can be used in conjunction
article "Hacking of web sites, security researches, disclosure and
legislation" in part 4 "Vulnerability disclosure"
(http://websecurity.com.ua/articles/security_researches_and_legislation/eng/).
It's because earlier I already disclosed details (at my site and to security
lists) of vulnerabilities in CaptchaSecurityImages (a captcha script which
is used in this CMS, as in many other CMS and web applications). So there
were no reasons to not write details about these holes in advisory at my
site, because all information is already public. So for all of these
vulnerable webapps I used responsible full disclosure approach.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
After the issue in CVE-2009-4211 was made public, the Unix SRR script
was removed from http://iase.disa.mil/stigs/SRR/unix.html with a note
saying:
"Due to a recently identified security issue, please do not run any
version of the UNIX SRR scripts until further notice. The UNIX SRR
scripts will be corrected and posted as soon as possible. Please check
Original URL:
http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009
I. DESCRIPTION
The Netgear DG632 router has a web interface which runs on port 80. This
allows an admin to log in and administer the device's settings.
Authentication of this web interface is handled by a script called
"webcm" residing in
AMember - Multiple Vulnerabilities
Version Affected: 3.1.7 (Apr-10-2009) (newest)
Info: aMember is a flexible membership and subscription management PHP script. It has support for
PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling,
Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and
allows you to setup paid-membership areas on your site. It can also be used without any payment
system - you can manage users manually.
Date Reported:
October 5, 2008
Severity:
Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross Domains)
Vendor:
Microsoft
Locally Exploitable: No
Bugtraq ID: 30585
CVE Name: CVE-2008-1448
*Vulnerability Description*
Internet Explorer introduces the concept of URL Security Zones, which
basically define a set of privileges for web applications (such as, for
example, accessing and/or modifying the local computer files) depending
on their level of trustworthiness.
It has the following CLSID assigned:
62DDEB79-15B2-41E3-8834-D3B80493887A
and is by default included in the "Safe for Scripting" OLE components group, which allows full
scripting access to the control's methods from within the browser.
The default AX control installation path is
C:\Program Files\Hewlett-Packard\HP Info Center
=============
Ignite-UX.MGMT-TOOLS,revision=C.7.0.212
Ignite-UX.MGMT-TOOLS,revision=C.7.1.92
Ignite-UX.MGMT-TOOLS,revision=C.7.2.93
Ignite-UX.MGMT-TOOLS,revision=C.7.3.144
action: use the script from the Resolution to work around the vulnerability
HP-UX B.11.23
HP-UX B.11.31
=============
DRD.DRD-RUN,revision=A.1.0.16.417
Reference: http://www.htbridge.ch/advisory/xss_vulnerabilities_in_noah_s_classifieds.html
Product: Noah's Classifieds
Vendor: Noah's Classifieds ( http://www.noahsclassifieds.org/ )
Vulnerable Version: 5.0.4 and probably prior versions
Vendor Notification: 12 April 2011
Vulnerability Type: Stored XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
-----------------------------------------------------------------
(PT-2011-04) Positive Technologies Security Advisory
Cross-Site Scripting in Kayako Support Suite
-----------------------------------------------------------------
---[ Vulnerable software ]
Kayako Support Suite
Version: 3.70.02-stable and earlier
Malicious users can access and manage content of other users, relying on the
lack of access control in the page management interface. Attackers can use
parameter tampering techniques to directly access the resource identifiers
of pages owned by other users, and delete or modify their content.
3. Persistent Cross Site Scripting
----------------------------------
Certain web interfaces in the user's menu management interface enable
attackers to inject malicious scripts into user-specific content, causing
the scripts to be executed in the browser of any user viewing the infected
content (Persistent Cross Site Scripting).
Description
------------
PHP version 5.3.1 was just released. This release contains a patch for a
denial of service condition we've reported on 27 October 2009. The
problem is related with PHP's handling of RFC 1867 (Form-based File
Upload in HTML).
When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from the request. PHP will
CVE-number: ..
Author: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
***********
Multiple XSS Vulnerabilities found in:
WAS Core System:
Released on: 2007/10/21
Changelog: ----------
                                        L    M    H    T
Summary:  Ip Spoofing                  [X]  [_]  [_]  [X]
          Cross Site Scripting         [X]  [_]  [_]  [X]
          Session Fixation             [X]  [_]  [_]  [X]
          mail() CRLF Injection        [X]  [_]  [_]  [_]
          Local File Inclusion (+CSRF) [_]  [X]  [_]  [X]
          File Deletion (+CSRF)        [_]  [X]  [_]  [X]
          File Upload Vulnerability    [_]  [_]  [X]  [X]
Reference: http://www.htbridge.ch/advisory/multiple_xss_vulnerabilities_in_phpdug.html
Product: PHPDug
Vendor: Kubelabs.com ( http://www.kubelabs.com/ )
Vulnerable Version: 2.0.0 and probably prior versions
Vendor Notification: 21 April 2011
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
Product: miniblog
Vendor: spyka Web Group ( http://www.spyka.net )
Vulnerable Version: 1.0.0 and probably prior
Tested on: 1.0.0
Vendor Notification: 25 May 2011
Vulnerability Type: XSS (Cross Site Scripting) , CSRF (Cross-Site Request Forgery)
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in miniblog, which can be exploited to perform cross-site scripting and cross-site request forgery attacks.