<object id="GetActiveX"
classid="clsid:CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7"
codebase="http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab#Version=1,5,2,35"
type="application/x-oleobject" width="1" height="1">
<param name="Service-URL"
value="http://get.adobe.com/reader/webservices/dlm/" />
<param name="itemid" value="860;941" />
<param name="language" value="" />
<param name="os" value="" />
</object>
#############################################################
#
# Product: Outlook Web Access for Exchange 2003
# Vendor: Microsoft (www.microsoft.com)
# CVE ID: CVE-2008-1547
# Subject: URL Redirection Vulnerability
# Risk: Medium
# Effect: Remotely exploitable
# Author: Martin Suess <martin.suess@csnc.ch>
# Date: October 15th 2008
#
Flaw Discovered By TsukasaGenesis && Ajax
Sploit Coded By Ajax. Site: http://www.r57shell.in
*/
if($argc<9){
print "---KwsPHP All Version / Remote Code Execution---\n\n";
print "usage: kwsphpsploit.php -url <url> -login <login> -pass <pass> -email <email> -file <file> [-id <id>]\n\n";
print "Url: URL of the KwsPHP installation, e.g. www.example.com/kwsphp/\n";
print "Login: your account's login (the account needs to be allowed to upload)\n";
print "Pass: the account's password\n";
print "Email: the account's email\n";
print "File: PHP script to upload and execute\n";
2) Browser Internals
---------------------
The Android browser's main activity, as defined in its manifest file, is
BrowserActivity. It is declared with the singleTask launch mode. The input
Intent for the activity may hold a URL, which is opened and then rendered by
the browser.
* The activity's onCreate member function tries to restore the
browser's previous state. If it fails to do so, it creates a new tab with the
input Intent's URL (if there is one), or else with the configured homepage.
* The activity's onNewIntent member function has the following characteristic:
CrySyS Lab Security Advisory - secureURL.php design flaws
Affected Software: secureURL 2.0 by Nguyen Quoc Bao
URL e.g.
http://www.phpclasses.org/package/2556-PHP-Encrypt-the-parameters-passed-in-link-URLs.html
Product description:
secureURL encrypts URL parameters and additionally protects them with a
checksum, so that an attacker
cannot see the 'real' GET parameters of the website and disables
topic "glFusion"
*/
$err[0]="[!] This script is intended to be launched from the cli!";
$err[1]="[!] You need the curl extension loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
die($err[1]);
}
findings, although I gave up the investigation after discovering so many
flaws in the application's architecture with respect to security.
Version Information Leakage:
By calling the URL http://target.tld/ppim/Readme.txt you can view the
version information of the installed version of pPIM.
Password Hash Disclosure:
By requesting the URL http://target.tld/ppim/password.dat the password
The Opera browser is vulnerable to stored cross-site
scripting. An attacker is able to inject
arbitrary browser content through the
websites visited with the Opera browser. The injected
code is rendered into the Opera History Search
page, which displays the URL and a short
description of the visited pages.
== Bug Analysis ==
Opera.exe imports Opera.dll which handles most of the
directly execute any SQL statement.
3. VULNERABILITY DESCRIPTION
Some URLs in phpMyAdmin do not properly escape user input, which leads
to cross-site scripting vulnerabilities.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').
Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability
1. OVERVIEW
Plesk versions 7.0 to 8.2 are vulnerable to open URL
redirection when the "Enable webuser@domain.com" access format, a
feature introduced in Plesk 7.0, is enabled in the user preferences.
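Both redirection advisories on this page (the Outlook Web Access one above and this Plesk one) come down to the same server-side mistake: a request parameter is copied into the Location header without checking that the destination stays on the site. As an added example, not taken from either advisory or vendor, here is the check a redirect handler should apply first, written in Python. The site name mail.example.com and the OWA-style paths used when calling it are assumptions; the cases it rejects (other hosts, non-http schemes, scheme-relative "//host", userinfo tricks such as "site@evil", backslashes and CR/LF) are the ones that routinely slip past a naive "starts with /" or "contains our hostname" test.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target: str, site_host: str) -> bool:
    """Return True only if `target` keeps the user on `site_host`.

    Accepted: an absolute path ("/owa/...") or an absolute http(s) URL whose
    hostname equals site_host. Everything else is rejected.
    """
    if not target:
        return False
    # CR/LF would let the value break out of the Location header; some browsers
    # treat "\" as "/", so "/\evil" is really "//evil". Tabs are stripped by
    # several parsers, which makes them a splitting vector too.
    if any(ch in target for ch in "\r\n\t\\"):
        return False
    # "//host" (and "///host") is scheme-relative: it leaves the site without
    # naming a scheme, so a scheme check alone would miss it.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # absolute URL: must be http(s) and must point at our own host
        if parts.scheme not in ALLOWED_SCHEMES:
            return False
        # .hostname drops userinfo and port, so "https://site@evil/" yields "evil"
        return (parts.hostname or "").lower() == site_host.lower()
    if parts.netloc:
        # no scheme but a netloc: only reachable through parser edge cases
        return False
    # no scheme: only a plain absolute path is allowed
    return target.startswith("/")


def redirect_target(requested: str, site_host: str, default: str = "/") -> str:
    """Value to send in Location: the requested one if safe, else a fixed default."""
    return requested if is_safe_redirect(requested, site_host) else default


if __name__ == "__main__":
    # assumed site name and assumed request values, for illustration only
    for candidate in ["/owa/?ae=Folder", "https://mail.example.com/owa/",
                      "//evil.example/", "https://mail.example.com@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:48} -> {redirect_target(candidate, 'mail.example.com')!r}")
```

The hostname comparison is exact on purpose: matching on "endswith" or "contains" re-opens the hole through names such as mail.example.com.evil.example.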
clear text passwords inside the registry, so an attacker
can abuse this to obtain credentials from the victim's
browser. If you ask me, this is not acceptable.
This sample code extracts BIOS information and
redirects to a specified URL with this info
passed as parameters.
With some more programming effort, you could dump a larger
portion of the registry.
break;
case 'savepreferences':
savepreferences ($_POST);
$display .= COM_refresh ($_CONF['site_url']
. '/usersettings.php?mode=preferences&msg=6');
break;
...
all the $_POST[] variables are passed to the savepreferences() function
D-Link DIR-100 long url filter evasion
scip AG Vulnerability ID 3808 (09/08/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808
I. INTRODUCTION
D-Link DIR-100 is a small and cost-effective router and firewall device
for small offices and home users. More details are available at the
official product web site (German link):
connectivity to wired networks.
802.11b and 802.11g are supported, with WEP, WPA and WPA2 encryption.
Summary:
A buffer overflow can be triggered by configuring URL filtering
with an overly long URL, possibly leading to arbitrary code execution or
denial of service. Successful authentication is required in order to
exploit the vulnerability, but attackers can chain other
vulnerabilities to achieve unauthenticated remote exploitation.
Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.
The application insufficiently verifies the subscriberdata incoming parameter in the /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To exploit the vulnerability an attacker should convince a user with "staff" privileges to open a URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
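To see what the resultdata parameter in that PoC actually carries, here is an added example (not Kayako's code and not part of the advisory) that takes the URL apart: it reads the query string, base64-decodes resultdata and unserializes the PHP array it contains with a minimal unserialize() reimplementation written for this purpose. The decoded structure is an import summary with three counters and an emaillist string; the string is where the script tags sit, which is why the managesubscribers page needs to HTML-encode it before printing it.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The PoC URL from the advisory (the resultdata value is split across lines only for width).
POC_URL = (
    "http://example.com/support/staff/index.php?_m=news&_a=managesubscribers"
    "&importsub=1&resultdata="
    "YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7"
    "czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5A"
    "PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9"
)


def php_unserialize(data: bytes):
    """Minimal reimplementation of PHP unserialize() for N, b, i, s and a values.
    Written for this example only; it is not Kayako's code and handles no objects."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def _parse(d: bytes, pos: int):
    tag = d[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"b"):                           # i:123;   b:1;
        end = d.index(b";", pos)
        num = int(d[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                                   # s:<byte length>:"...";
        colon = d.index(b":", pos + 2)
        length = int(d[pos + 2:colon])
        start = colon + 2                             # skip :"
        if d[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match payload")
        return d[start:start + length].decode("utf-8", "replace"), start + length + 2
    if tag == b"a":                                   # a:<count>:{key;value;...}
        colon = d.index(b":", pos + 2)
        count = int(d[pos + 2:colon])
        pos = colon + 2                               # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(d, pos)
            items[key], pos = _parse(d, pos)
        if d[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return items, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def decode_resultdata(url: str) -> dict:
    """Pull resultdata out of the query string, base64-decode and unserialize it."""
    query = parse_qs(urlsplit(url).query)
    blob = base64.b64decode(query["resultdata"][0])
    return php_unserialize(blob)


def fields_with_markup(data: dict) -> list:
    """Keys whose string value carries HTML markup, i.e. where output encoding is required."""
    return [k for k, v in data.items() if isinstance(v, str) and "<" in v]


if __name__ == "__main__":
    decoded = decode_resultdata(POC_URL)
    for key, value in decoded.items():
        print(f"{key}: {value!r}")
    print("fields needing escaping:", fields_with_markup(decoded))
```

Because the value is attacker-supplied serialized data, the same parameter is also worth checking for object injection in any PHP code that feeds it to the real unserialize(); the advisory above only reports the XSS.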
The application insufficiently verifies the subject incoming parameter in the /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
The attacker should then trick a user with "staff" privileges into opening a URL like
http://example.com/support/staff/index.php?_m=news&_a=managenews to exploit the vulnerability.
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
----------------------------------------------------------------------------
Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp";
a typical example is given in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
Using hcp:// URLs is intended to be safe, as when invoked via the registered
protocol handler the command line parameter /fromhcp is passed to the help
__________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-100216.1
___________________________________________________________________
Name: Windows URL Handling Vulnerability
Released: 16 February 2010
Vendor Link:
http://www.microsoft.com/
RESOLUTION
HP has provided the following patches to resolve this vulnerability.
The patches are available from http://itrc.hp.com
HP-UX Release    Component from bundle    Patch ID
(BENCHMARK() cannot be used because commas are filtered by the COM_applyFilter() function)
*/
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
die($err[1]);
}
---------------
|Multiple XSS |
---------------
a. Vulnerable URL: http://localhost/phpmychat/chat/deluser.php3
Parameter: LIMIT
PoC: http://localhost/phpmychat/chat/config/start_page.css.php3?Charset=iso-8859-1&medium=10&FontName= >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Successfull%26%23x20;XSS%26%23x20;Test%26%23x20;Here%26quot;)>
b. Vulnerable URL: http://www.localhost/mychat/chat/deluser.php3
TZ> Sorry, Untrusted code from the internet ?
TZ> The user clicks on a mailto link, is that untrusted code?
TZ> Or the mailto link is clicked for him.
What a URL is is defined by RFC 1738; what mailto: is is defined by RFC
2368. The string in question is definitely _not_ a URL because of the %xx and ".
A double quote is a URL delimiter and is not part of the URL; in this case the
application incorrectly parses and highlights the URL (it should stop before
"). %xx is an invalid character encoding. And altogether it's, for sure,
not a mailto: URL. Passing unchecked user input to a function called
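The parsing rule the reply above leans on is mechanical enough to write down. This added example, not part of the thread and not the poster's code, scans text for URLs under the RFC 1738 character rules: a raw unsafe character such as " ends the URL, and a % that is not followed by two hex digits is not an escape and ends it too. The scheme list (http, https, ftp, mailto) and the sample text are my choices for the demo; the sample is constructed and contains the three cases discussed in the thread.

```python
import re

# RFC 1738 section 2.2 "unsafe" characters: a raw one terminates the URL.
# "%" is handled separately because it is only legal as the start of %xx.
UNSAFE = set(' <>"#{}|\\^~[]`')
HEXDIGITS = set("0123456789abcdefABCDEF")
# Only highlight schemes we expect; a bare "word:" is not a URL.
SCHEME_RE = re.compile(r"\b(?:https?|ftp|mailto):")


def url_at(text: str, start: int):
    """Longest URL starting at text[start] under RFC 1738 character rules, or None."""
    m = SCHEME_RE.match(text, start)
    if not m:
        return None
    i = m.end()
    while i < len(text):
        ch = text[i]
        if ch == "%":
            # an escape must be exactly %xx; anything else is not part of the URL
            if i + 2 < len(text) and text[i + 1] in HEXDIGITS and text[i + 2] in HEXDIGITS:
                i += 3
                continue
            break
        # unsafe characters, whitespace, controls and non-ASCII all end the URL
        if ch in UNSAFE or not (0x21 <= ord(ch) <= 0x7E):
            break
        i += 1
    return text[start:i] if i > m.end() else None


def find_urls(text: str):
    """All highlightable URLs in text, left to right, without overlaps."""
    found, pos = [], 0
    while True:
        m = SCHEME_RE.search(text, pos)
        if not m:
            return found
        url = url_at(text, m.start())
        if url:
            found.append(url)
            pos = m.start() + len(url)
        else:
            pos = m.end()


# Constructed sample (not from the thread): a quote right after a mailto:
# address, an invalid %zz escape, and a URL enclosed in quotes.
SAMPLE = ('Write to mailto:alice@example.org" or fetch '
          'http://example.org/a%20b%zz then "http://example.org/doc".')

if __name__ == "__main__":
    for url in find_urls(SAMPLE):
        print(url)
```

A highlighter built this way never hands the mailto: handler a string containing a quote or a malformed escape, because those characters are simply never inside the span it recognises.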
HP-UX B.11.23
HP-UX B.11.31
===========
OVO-CLT.OVO-UX11-CLT
action: install revision 3.10.040 or subsequent
URL: http://quixy.deu.hp.com/hotfix/d.php?P=lcore&N=SSRT061260+OpenView+Shared+Trace+Service&V=2.1
OVO-CLT.OVO-UXIA-CLT
action: install revision 3.10.040 or subsequent
URL: http://quixy.deu.hp.com/hotfix/d.php?P=lcore&N=SSRT061260+OpenView+Shared+Trace+Service&V=2.1
Possibly other ZLD-based products
Affected Versions: Firmware Releases before April 25, 2011
Fixed Versions: Firmware Releases from or after April 25, 2011
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: http://www.zyxel.com/
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
1. *Advisory Information*
Title: Multiple XSS in Apache OFBiz
Advisory ID: BONSAI-2010-0103
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
Date published: 2010-04-14
Vendors contacted: Apache Software Foundation
Release mode: Coordinated release
Usually, curl is used to connect to and retrieve data from a remote URL
over HTTP. However, curl supports a number of protocols,
one of which is the file protocol. Using this protocol you can
read local files with a URL like file:///etc/passwd. Therefore, if
the user can control the URL passed to curl_exec, in some cases (if the
content is echoed back) they can read local files.
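An added example of the behaviour just described (not Zen Cart's code and not from the advisory), reproduced with Python's urllib rather than PHP's curl: urllib.request.urlopen also has a file:// handler, so a fetcher that passes a user-controlled URL straight through reads local files exactly as curl_exec does. The unrestricted fetcher is shown beside the hardened one, which allow-lists the scheme and requires a host before fetching. The "secret" file is created by the demo itself with constructed contents and deleted afterwards.

```python
import tempfile
import urllib.request
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def fetch_any_scheme(url: str) -> bytes:
    """The vulnerable pattern: whatever scheme the caller supplies is honoured.
    urllib, like curl, understands file://, so file:///etc/passwd is simply read."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def scheme_allowed(url: str) -> bool:
    """True only for an http(s) URL that names a host; file:// has neither."""
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def fetch_http_only(url: str) -> bytes:
    """Hardened: check the parsed scheme (not the raw string) before fetching."""
    if not scheme_allowed(url):
        raise ValueError(f"refusing to fetch {url!r}: scheme or host not allowed")
    return fetch_any_scheme(url)


def demo() -> tuple:
    """Write a throwaway local file and try both fetchers on its file:// URL.
    Returns (bytes leaked by the unrestricted fetcher, whether the hardened one refused)."""
    secret = b"DB_PASSWORD=s3cret\n"               # constructed sample, not a real secret
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
    path = Path(tmp.name)
    try:
        url = path.as_uri()                          # file:///tmp/... (file:///C:/... on Windows)
        leaked = fetch_any_scheme(url)
        try:
            fetch_http_only(url)
            refused = False
        except ValueError:
            refused = True
        return leaked, refused
    finally:
        path.unlink()


if __name__ == "__main__":
    leaked, refused = demo()
    print("unrestricted fetch returned:", leaked)
    print("allow-listed fetch refused file://:", refused)
```

In PHP the corresponding fix is done in libcurl itself rather than by string-matching the URL: curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS), together with CURLOPT_REDIR_PROTOCOLS so that an HTTP redirect cannot reintroduce file://.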
While testing our AcuSensor technology on different applications, I’ve
found a real-life example of a vulnerable application. I’m talking
about Zen Cart.
- Severity: 4/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass
II. BACKGROUND
-------------------------
Cisco VPN SSL [1] is a module for Cisco ASA and Cisco Integrated
Services Routers to extend network resources to virtually any remote
Research by Hernan Pereira and associates.
No response from Speedy in the past 15 days.
Proceeding with disclosure.
A DoS vulnerability exists in NetCache proxies of at least some areas
of Speedy Argentina ISP (201.255.64/18), by which a URL could be rendered
inaccessible by means of the prefetch cache control directive.
The procedure is very simple: sending a plain GET
HTTP/1.1 request to the victim URL several times will make the proxies stop
serving it. Users will be waiting for about two minutes and then the TCP