1. OVERVIEW
The recent release of Firefox 3.6 introduces support for browser "Personas"
-- lightweight image-based themes which alter the look and feel of the
browser chrome.
A malicious website can set a user's Persona to an arbitrary theme, disable
Undo functionality in the browser's information bar, and obfuscate the Persona
entry in the Themes pane of the Tools | Add-ons pane to make the detection and
http://code.google.com/p/smf2-review/issues/list
Type      | Title                                                  | Affected   | Author
CSRF, RCE | PHP Remote Code Execution                              | SMF2       | www.kernel32
CSRF      | CSRF theme change                                      | SMF2, SMF1 | www.kernel32
CSRF      | Subforum Category Collapse CSRF                        | SMF2, SMF1 | www.kernel32
CSRF      | CSRF in the package server manager                     | SMF2, SMF1 | www.kernel32
XSS       | XSS in package server manager                          | SMF2, SMF1 | www.kernel32
CSRF      | CSRF package deletion and installed package disclosure | SMF2       | www.kernel32
CSRF, XSS | Attached files configuration CSRF                      | SMF2       | www.kernel32
system (CMS) designed specifically with families in mind.
Key features are: a message board, a photo gallery,
a blog-like "Family News" section, a calendar, an
address book and recipe sharing section.
Each family member has their own personal settings, like
the ability to change the website's theme.
Now with Portuguese, Czech, English, Estonian, German, and
Spanish language support.
II. DESCRIPTION
in the form of a zip file. To read arbitrary files on the server
instead of reading admin credentials, an attacker simply needs to supply
the relative location of a file on the webserver in place of the
data in the first column of the union select above. It is also
worth mentioning that once an attacker has admin access, executing
arbitrary code is very much possible by updating the "theme_dir"
settings in the database to include an arbitrary path to an
uploaded image, that is terminated with a null byte.
// insert into database
$new_theme_dir = basename($_REQUEST["activate"]);
A severe security vulnerability affects any unix distribution running version 3.1.6 of the Horde webmail client included in most popular webhosting control panels. All previous versions are also affected and it is believed although not yet proven that Horde Groupware is also vulnerable.
Details are as follows:
David Collins and Patrick Pelanne along with the rest of the HostGator.com LLC support team discovered that Horde was not properly sanitizing POST variables for several options including its themes. By maliciously modifying POST data sent to the client the attacker can modify the location of the theme variable and Horde will subsequently insert this information into its database. By modifying this POST variable one can allow for directory traversal and file inclusion which can lead to full root privilege escalation.
Proof of concept:
Data injected through malicious tampering of POST data:
---[ Package Structure ]
The package consists of two main components: the crawler utility and a XUL-based GUI. To display the GUI, one can use the Firefox browser or a specialized application (e.g. xulrunner or prism).
The application root directory contains the utility binary files and the XUL configuration file (application.ini). The nested-directories structure is defined by the rules of formation of applications based on XUL. A user may be interested in the chrome/skin directory, which contains files describing the application appearance. The package offers several pre-installed themes. To change the appearance, it is sufficient to replace the contents of the chrome/skin/classic directory with the chosen theme. A new theme can be created on the basis of an existing one or by modifying themes from the site http://jqueryui.com/themeroller/. The themes downloaded from this site should be supplemented with some images and CSS descriptions by analogy with the existing ones.
---[ ToDo ]
1. Multiple linked XSS vulnerabilities found. An attacker can inject XSS via the URL string.
1.1 Linked XSS vulnerabilities found in index.php.
GET parameters "frontend", "set_frontend", "jz_path", "theme", "set_theme".
Example:
http://[server]/[installdir]/index.php?frontend=<IMG SRC="javascript:alert('DSecRG XSS')">
On Mar 8, 2008, at 1:22 PM, Ben Klang wrote:
> The Horde team has investigated this report and found it to be
> reproducible, though not exactly as reported. The SQL example in
> the original post does prevent the themes from appearing but does
> not execute the file in question. It is unclear based on their
> limited information whether they are using a modified version of
> Horde or if there were other factors that led to the behavior
> reported. However if a null byte can be inserted into the theme
> name (for instance when using the LDAP preference backend which
Additional information (in Ukrainian): http://websecurity.com.ua/1159/
Original message (in Russian): http://securityvulns.ru/Rdocument843.html
4. MustLive reports vulnerability in Sirius 1.0, Blix 0.9.1 and Blix
0.9.1 Rus, Pool 1.0.7 themes for WordPress and also the WordPress Classic
1.5 theme; the last one is already fixed in WordPress 2.1.3.
Insufficient filtering of the PHP_SELF variable leads to cross-site
scripting with a request like
===========================================================
2. Technical Details
===========================================================
File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
1) Data enters via the "theme" URL parameter through the window.location.href property.
Line 25:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
..snip..
2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl", which are then passed to document.write(). Writing the unvalidated data to HTML creates the XSS exposure.
Line 54:
TOORCON 12 CALL FOR PAPERS
It's that time of year again! ToorCon 12 is coming so get your code finished and submit a talk this time around. We're letting you decide if you want to be a part of our 50-minute talks on Saturday, 20-minute talks on Sunday, and 75-minute talks for our Deep Knowledge Seminars on Friday depending on how much time you need to present your new ideas and techniques. We evaluate our submissions in the order that they're received so submit your talk before time runs out! Track and time preference is always given to those who submit talks that fit the theme of the conference. If you haven't already figured out what the theme for ToorCon is this year, read this paragraph another time.
CFP SUBMISSION INFORMATION
Please send data to cfp@toorcon.org :
00. Name
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "/stats.php" script to properly sanitize user-supplied input in "theme" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
1)
Save the form on the "http://host/user.php?op=chgtheme" page, replacing the "theme" parameter with this value:
Debian-specific: no
CVE Id(s) : CVE-2008-1284
Debian Bug : 470640
It was discovered that the Horde web application framework permits arbitrary
file inclusion by a remote attacker through the theme preference parameter.
For the old stable distribution (sarge) this problem has been fixed in
version 3.0.4-4sarge7.
For the stable distribution (etch) this problem has been fixed in version
----[ RECORD ... ]
{
---IP ADDRESS sniffed ip address
---REFERER xssed theme
---COOKIES xssed cookies of forum member
---USER ID xssed user id of forum member
---ADMIN NAME admin username
---ADMIN PASS admin pass hash
---ADMIN SALT admin hash salt
The 5th European Conference on Computer Network Defence
will take place in November 2009 at the Politecnico di Milano technical
university in Milano, Italy.
The theme of the conference is the protection of computer networks. The
conference will draw participants from academia and industry in Europe
and beyond to discuss hot topics in applied network and systems
security.
EC2ND invites submissions presenting novel ideas at an early stage with
Adding a new page can result in HTML Injection too. (Parent & Child pages were fully tested.)
Affected Sites by HTML Injection: (there will most likely be a lot more.)
http://[HOST]/translucid/transLucid_175/?action=switchto_editmode
-- In the admin panel "> needs to be prepended most likely in order to execute the injection.
--=-- Switching the theme to Developer can result in HTML Injection if there is any injected.
-:: Solution ::-
Regular expression match and / or bad characters conversion rocks!
Conclusion:
The Common Vulnerabilities and Exposures project identifies the following
problems:
CVE-2007-3238
Cross-site scripting (XSS) vulnerability in functions.php in the default theme
in WordPress allows remote authenticated administrators to inject arbitrary web
script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php.
CVE-2007-2821
character sets no remedy is needed.
a. It is recommended to convert WordPress database to use character sets not
vulnerable to such SQL exploit. One such charset is UTF-8, which does not
use backslash ('\') as part of character and it supports various languages.
b. Alternatively, edit WordPress theme to remove search capability.
--
Abel Cheung (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF
* Day 1: Training (Thursday 03 Jun 2010)
* Day 2: Sessions (Friday 04 Jun 2010)
AthCon is an annual, European two-day conference targeting particular
areas of information security. Its aim: to bring leading information
security experts together, under the theme of twenty sessions and four
-intense- training courses. The first AthCon will be held from the 3rd
to the 4th of June 2010 in Athens, Greece.
Attacking techniques of exploitation and various forms of penetration
testing have become an important component of any organisation. This
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "/index.php" script to properly sanitize user-supplied input in theme variable.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
http://[host]/index.php?theme=../../../../../../../../../../../../../../../etc/passwd%00
-- About the program (by the author's page) --
NovaBoard is a free, feature rich community message board software written in
PHP & MySQL that allows you to set up your own forum within minutes.
With a smart modules feature and the ease of creating your own themes you can
style and manipulate your board to look and perform how you want.
NovaBoard makes running a message board a breeze!
-- Bug --
In order to exploit the arbitrary file upload vulnerability, a regular user must be authenticated. It should be noted that the latest versions of the application do not have multi-user support. Still, by exploiting the XSS flaw it is possible to steal the authentication token and then exploit the other vulnerability in order to execute arbitrary code (such as a PHP shell).
*** VULNERABILITY DETAILS ***
(a) Cross Site Scripting (XSS)
Multiple reflected XSS vulnerabilities have been found in the "\themes\<themes name>\user_style.php" file.
Looking inside the application source code:
###### CUT HERE ######
<style type="text/css">
body {
The Call for Papers for the MEITSEC 2008 to be held in Dubai is now open.
MEITSEC 2008 will be held at the Etisalat Academy from 16 to 20
November 2008. The event will consist of three-day pre-conference
workshops, and a two-day conference and exhibition. Please visit
www.meitsec.ae for further details on paper submissions.
The submissions:
Session languages: We accept submissions in both English and Arabic
- Description:
####################
SphereCMS is a CMS which allows managing a forum, archived posts, chat-like
posts (called a shoutbox), friends on the site and a personal profile. It has
one theme, but a beautiful one.
It uses MySQL as its backend DBMS and is written in PHP language.
####################
- Vulnerability:
The vulnerability surfaces in a situation where a user visits a web page which
includes an embedded object, such as an image, from a third-party site. If an
attacker had control of the third-party web server, he could request credentials
from the user via HTTP authentication. This style of attack has been documented
in the past, and some variations on this theme are explored in a recent paper
by VSR [5].
However, in the case of vulnerable versions of Google Chrome, the password
manager may pre-fill the authentication dialog box with credentials intended for
the parent page's domain, leaving users one click away from account compromise.
We are PAYING for that type of crappy service.
>
> -------------------------------------------------
>
> This message is provided "AS IS" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of accuracy, correct grammar and spelling, lack of vulgarity or adult themes, correct references, absence of viruses and/or viral memes, originality, or fitness for any particular purpose.
>
> -------------------------------------------------
>
>
> --- On Tue, 7/1/08, Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:
papers balancing benefits and drawbacks of open source and proprietary
tools in digital investigation. While the main focus of the workshop is
technical, papers dealing with legal and ethical issues will also be
evaluated.
As the workshop theme is FLOSS, all the papers must describe tools that
are publicly available under a free software or open source license. New
tools are welcome, but the authors must commit to make them available
under a suitable license before the paper revision process ends. Papers
not related to FLOSS are subject to immediate rejection.