third parties
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to a KeyFax response
management system based site. Such code would run within the security
context of the target domain. This type of attack can result in
non-persistent defacement of the target site, or the redirection of
confidential information (i.e.: session IDs) to unauthorised third parties.
---------------------------------------------------------------------------------------------------------------
The following demonstrate the Information disclosure flaws (no
authentication needed)
2) http://10.0.2.177:8080/examples/jsp/checkbox/checkresult.jsp?fruit=<script>alert(1)</script>
3) http://10.0.2.177:8080/examples/jsp/cal/cal2.jsp?time=<script>alert(1)</script>
Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to an Orion Application Server site. Such code would run within the security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorised third parties.
Fix:
> should behave as a dup().
>
Paul, in authentic kernels /proc/<PID>/fd/<FD> are symlinks, not anything other.
There're no such publicly accessible file objects, as file descriptors, there're
only files (including special ones), directories and symlinks. But the above
words don't necessarily relate to patched kernels like those distributed by third parties.
--
Sincerely Your, Dan.
related consequences.
. 2008-04-17:
Core responds that the three bugs still have security related
consequences. The first two bugs can be abused to execute denial of
service attacks by untrusted and unauthenticated third parties,
specifically using a public server as the attack vector. Core considers bugs
that allow such abuse by unauthenticated third parties to be security vulnerabilities.
Core indicates that exploitation of null pointer de-reference bugs
cannot be ruled out generically, a statement which could be derived from
Rice's theorem.
> >
> Paul, in authentic kernels /proc/<PID>/fd/<FD> are symlinks, not
> anything other. There're no such publicly accessible file objects,
> as file descriptors, there're only files (including special ones),
> directories and symlinks. But the above words don't necessarily relate
> to patched kernels like those distributed by third parties.
Check your facts. Those symlinks are special.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
security advisory to Tuesday June 9th, 2009. This will give MSFT the
opportunity to ship an official patch for all vulnerable versions of IE
in the next available patch release cycle. Core also notifies this date
is final and that in absence of an official fix Core will nonetheless
publish the security advisory with all the technical details and
information necessary for third parties to understand the risk and
figure out and apply workarounds or mitigating measures.
. 2009-05-06:
MSRC indicates that it would like to set up a conference call to clarify
the concerns about workarounds and to discuss additional possible
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to Remedy Knowledge
Management based site. Such code would run within the security context
of the target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties.
2) Remedy Knowledge Management is vulnerable to authentication bypass
by using a built in default account. (user=Self%20Help)
https://target-domain.foo/rkm/index.jsp?user=Self%20Help
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to an Axis 2 website. Such
code would run within the security context of the target domain. This
type of attack can result in non-persistent defacement of the target
site, or the redirection of confidential information (i.e.: session IDs)
to unauthorised third parties.
Fix:
An attacker may be able to cause execution of malicious scripting code
in the browser of a victim user who clicks on a link to a CommonSpot server.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs or passwords) to unauthorised third parties.
Credits: found by Richard Brain & Jan Fry - ProCheckUp Ltd
(www.procheckup.com).
X. DISCLOSURE TIMELINE
-----------------------------
2010-11-22 - Vulnerability discovered
2010-xx-xx - Vulnerability rediscovered by third parties including ZDI
2011-01-25 - Novell fix released
Note: other versions might also be vulnerable.
Consequences:
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. session IDs) to unauthorised third parties, provided that a web browser is tricked into submitting a malformed HTTP method.
Workaround:
Disable Apache's default 413 error page by adding an 'ErrorDocument 413' directive to the Apache configuration file.
X. DISCLOSURE TIMELINE
-----------------------------
2010-05-15 - Vulnerability Discovered by VUPEN
2010-05-17 - VUPEN TPP customers informed
2010-xx-xx - Vulnerability rediscovered by third parties
2011-02-08 - Adobe security update released
Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of an admin user. Such code would run within the security context of the target domain.
This type of attack can result in a persistent defacement of the target site, or the redirection of confidential information (i.e.: admin session IDs, passwords) to unauthorised third parties.
Since this XSS is of a persistent nature, the admin user wouldn't have to be tricked into visiting a specially-crafted URL, but would simply have to visit the Aruba 800 login page at some point.
Severity: High
An attacker may be able to cause execution of malicious scripting code in the browser of a user who visits a specially-crafted URL to an F5 Firepass device, or visits a malicious page that makes a request to such URL. Such code would run within the security context of the target domain.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. admin session IDs) to unauthorised third parties.
Proof of concept (PoC) URL:
in the browser of a user who clicks on a link to the target website, or
visits a malicious website that requests such link.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs) to unauthorised third parties.
References:
http://www.procheckup.com/Vulnerabilities.php
X. DISCLOSURE TIMELINE
-----------------------------
2010-06-15 - Vulnerability Discovered by VUPEN
2010-06-17 - VUPEN TPP customers informed
2010-xx-xx - Vulnerability rediscovered by third parties
2011-02-08 - MS11-003 security update available
Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user who visits a specially-crafted URL to an F5 Firepass device, or visits a malicious page that makes a request to such URL. Such code would run within the security context of the target domain.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. admin session IDs) to unauthorised third parties.
Severity: Medium/High
Credits: Jan Fry [jan.fry [at] procheckup.com] and Adrian Pastor [adrian.pastor [at] procheckup.com] of ProCheckUp Ltd
Recommendation:
It is recommended to upgrade to the latest version of Horde
Application Framework which also fixes additional bugs reported by
third parties.
Grab your copy at:
http://ftp.horde.org/pub/horde/horde-3.2.5.tar.gz
An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link or visits a malicious webpage. The malicious code would run in the security context of the vulnerable website.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: passwords or session IDs) to unauthorised third parties.
Fix:
No authentication is required to exploit this vulnerability
Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a polls management user who clicks on a link to a site managed by Absolute Poll Manager. Such code would run within the context of the target domain.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorised third parties.
XSS Proof of concept (PoC) URLs:
Alert box injection -
Adam Cecchetti - Nunchaku: Attack, Defense, and a lot of arm flailing
Dan Griffin - Hacking SharePoint
Zane Lackey & Luis Miras - Mobile Phone Messaging Anti-Forensics
Dan Hubbard - P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing
Tom Stracener - Advanced Cross-Site Scripting Scenarios, Filter Evasion and Browser Exploits
Thomas Ristenpart - Privacy-preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs
Dean Pierce - Seeds of Contempt
Zax - How did that Nigerian do that?! Artificial Intelligence and You
in the browser of a victim user who clicks on a link to a SAP Business
Object server.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs or passwords) to unauthorised third parties.
Further information can be found in the following paper:
http://www.procheckup.com/vulnerability_manager/documents/document_1263821657/attachments/BusinessObj.pdf
Consequences:
An attacker may be able to cause the execution of malicious script code in the browser of a user who visits a specially-crafted Liferay Portal URL, or visits a page that submits a request to such URL. Such code would run within the security context of the target domain.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: usernames and passwords) to unauthorised third parties.
Proof of concept (PoC):
The provided XSS PoC URLs overwrite Liferay Portal login form's 'action' attribute. Thus, when the victim user clicks on the "Sign In" button, the credentials (username/password) are sent to a third-party site (procheckup.com in this case).
+ Send submissions to
- cfp2011 @ recon.cx

+ Speaker / attendee privacy
- Recon does not require speakers use their real names
- Recon does not provide attendee or speaker information to third-parties
(except where necessary for registration/payment)
* w0rd, n0w ph0r th3 g00dz..
* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC]
*
in the browser of a victim user who visits a malicious third-party page.
Such code would run within the security context of the target domain.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs, address books, emails) to unauthorised third parties.
Fix:
http://www.novell.com/support/search.do?usemicrosite=true&searchString=7002321
Authentication Agent login page. Such code would run within the context
of the target domain.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs or passwords) to unauthorised third parties.
Fix:
The vendor has stated that this issue was addressed in the RSA
in the browser of any user. Such code would run within the security
context of the target domain.
This type of attack can result in a persistent defacement of the target
site, or the redirection of confidential information (i.e.: session IDs,
address books, emails) to unauthorised third parties.
Since this XSS is of a persistent nature, the user wouldn't have to be
tricked into visiting a specially-crafted URL, but would just have to read an e-mail.
Networks Secure Access site. Such code would run within the security
context of the target domain.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.: admin
session IDs) to unauthorised third parties.
Fix:
Juniper Networks was aware of this issue which they addressed on version
5.5R3. However, we decided to release this advisory due to lack of
• Wei Pan, MIT
• Muli Ben-Yehuda, Technion and IBM Research
• Jean-Pierre Seifert, Technical University of Berlin
• Bernhard Loehlein, Deutsche Telekom
NOTICE: This e-mail correspondence is subject to Public Records Law and may be disclosed to third parties.
Authentication Agent login page. Such code would run within the context
of the target domain.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs or passwords) to unauthorised third parties.
Fix:
The vendor has stated that this issue was addressed in the RSA