social network
'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation (CVE-2010-4333)
Mark Stanislav - mark.stanislav@gmail.com
I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Pointter PHP Micro-Blogging Social Network' authentication system which allows for administrative privileges by crafting two specific cookies with arbitrary values.
II. TESTED VERSION
This can be leveraged to access private/sensitive information of
tuenti.com users.
VI. SYSTEMS AFFECTED
-------------------------
Tuenti.com Social network.
VII. SOLUTION
-------------------------
Tuenti already corrected this issue.
************************
http://www.HACKATTACK.at/
http://www.HACKATTACK.eu/
Introduction
************************
SocialEngine is a PHP-based social network platform that lets you create a social network on your website.
More Details
************************
1. SQL Injection:
---------------------
iPhone SMS Fuzzing and Exploitation - Charlie Miller, Independent Security Evaluators
The Microsoft View of the 2008 Threat Landscape - Tony Lee, Microsoft
Cloud Defense in the Post-BotWar Era - Ikuo Takahashi
The Android Security Story: Challenges and Solutions for Secure Open Systems - Rich Cannings & Alex Stamos, Google, iSec Partners
Stealthy Rootkit : How malware fools live memory forensics - Tsukasa Ooi, Livegrid
Defending a Social Network - Alex Rice, Facebook
Museum of API Obfuscation on Win32 - Masaki Suenaga, Symantec
!exploitable and Effective Fuzzing Strategies as a Regular Part of Test - Jason Shirk, Microsoft
Analyzing Word and Excel Document Encryption - Eric Filiol, ESIEA - Operational cryptology and Virology Lab
English Dojo: Auditing Java Security, Marc Schoenefeld
Japanese Dojo: Assembler Programming and Reverse Engineering Malware, Yuji Ukai, fourteenforty
Hi,
A new type of vulnerability is described in which publicly available
information from social network sites obtained out of context, can be
used to identify a user in cases where anonymity is taken for granted.
This attack (dubbed Cross Site Identification, or CSID) assumes the
following scenario: A user that is currently logged on to her social
network account visits a 3rd party site, supposedly anonymously, in
another browser tab. The 3rd party site causes her browser to contact
(IE7/XP fully patched)
by rgod, site: http://retrogod.altervista.org/
software site: http://www.imesh.com
"iMesh is a file sharing and online social network. It uses a proprietary,
centralized, P2P protocol. iMesh is owned by an American company iMesh,
Inc. and maintains a development center in Israel.
iMesh was the first company to introduce "swarming" - the ability to download
one file from multiple sources, increasing download speed."
Overview: SocialURL is a social community platform enabling you to organize your online identities. Connect to all your social network sites with one URL.
SocialURL fails to sufficiently sanitize user-supplied input data via login box.
Class: Input Validation Error
Example:
1.<script>alert('xss')</script>
2.<iframe>
Discovered by: Joshua Morin
Application : BusinessSpace
version : <= 1.2
Vendor : http://www.business-space.org
Description :
BusinessSpace - Social Networking in a Box
BusinessSpace is an enterprise collaboration software designed to stand up to and keep in pace with today’s ever-evolving, rapidly-growing world of online business and entrepreneurship. Enterprise community software has been taken up to another level by the developers of BusinessSpace separating itself from regular social networking software and community software. BusinessSpace is not just a social network CMS, not just a LinkedIn clone: it’s more than that. BusinessSpace was developed by business people, just like you. This means that this business networking software is laced with the features that a businessman, employer, employee or entrepreneur needs. No fancy community software applications, no fancy profiles: it’s simply strictly business. Because that’s what BusinessSpace enterprise social networking software is all about – business.
Vulnerability:
~~~~~~~~~~~~
SYSTEM INFORMATION:
-->WEB: http://www.tuenti.com/
-->DOWNLOAD: No there.
-->DEMO: N/A
-->CATEGORY: Social Networking
-->DESCRIPTION: Tuenti is the biggest and most popular social network in Spain.
SYSTEM VULNERABILITY:
-->TESTED ON: firefox 3 and Internet Explorer 6.0
We're going to lay the room out for 'standing room only', so get there
early to guarantee your squatting rights...
***
"Exposing Interesting, 'Hidden' & Dark Social Network Relationships
with Maltego" by @l0sthighway & @TheSuggmeister
This talk highlights how you can extend the powerful data visualisation
tool, Maltego, to data mine virtually anything with an API or that you
can 'screen scrape'. We will focus specifically on Facebook and Twitter,
I. ABOUT THE APPLICATION
iScripts SocialWare is an award-winning, easy to use
social networking software that enables you to create
your own social network like MySpace, Orkut, Friendster,
Linkedin, Facebook, Hi5, etc.
II. DESCRIPTION
http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-006.pdf
We've got loads of awesome content lined up as always including a
feature article/interview with Joe Sullivan, Chief Security Officer at
social network behemoth Facebook and keynoter at the 2nd annual
HITBSecConf in Europe. Alongside Joe, we also sat down with Chris Evans
who participated in the keynote panel discussion on the Economics of
Vulnerabilities to talk about Google's Vulnerability Rewards program.
While we're on the subject of our 2nd annual HITBSecConf, HITB2011AMS,