Advisory: Meditate Web Content Editor 'username_input' SQL-Injection vulnerability
Advisory ID: SSCHADV2011-039
Author: Stefan Schurtz
Affected Software: Successfully tested on Meditate 1.2
Vendor URL: http://www.arlomedia.com/
Vendor Status: fixed
==========================
Vulnerability Description
==========================
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
* Chris Evans of the Google Security Team discovered multiple
unspecified vulnerabilities within the Java Runtime Environment Image
Parsing Library (CVE-2008-1193, CVE-2008-1194).
* Gregory Fleischer reported that web content fetched via the "jar:"
protocol was not subject to network access restrictions
(CVE-2008-1195).
* Chris Evans and Johannes Henkel of the Google Security Team
reported that the XML parsing code retrieves external entities even
###################################################################################
####################
1. Description:
####################
eLineStudio Site Composer is a 100% browser-based database-driven content management system that helps companies to better manage, update & share web content. eLineStudio Site Composer provides affordable & flexible licensing for end users & web developers.
####################
2. Vulnerabilities:
####################
2.1. Injection Flaws, Cross Site Scripting (XSS). SQL Injection in "/ansFAQ.asp" in "id" parameter. Reflected XSS attack in "/ansFAQ.asp" in "topic" and "button" parameters.
2.1.1. Exploit:
[Bug Summary]
- The lack of input validation on the sub-nick and textarea field for
Windows Live Messenger allows attackers to bypass client-side security
mechanisms normally imposed on web content by modern browsers. An
attacker can gain elevated access privileges to sensitive
page-content, session cookies, and a variety of other information
maintained by the browser on behalf of the user.
[Impact]
Firefox for SSL Client Authentication allowed for users to be tracked
via their client certificate. The default has been changed to prompt
the user each time a website requests a client certificate.
(CVE-2007-4879)
Gregory Fleischer discovered that web content fetched via the jar
protocol could use Java LiveConnect to connect to arbitrary ports on
the user's machine due to improper parsing in the Java plugin. If a
user were tricked into opening malicious web content, an attacker may be
able to access services running on the user's machine. (CVE-2008-1195,
CVE-2008-1240)
: ########################################################
: -=[Description]=-
: ar web content manager is a free web contents management system (cms) built with php, mysql, css, javascript to allow you to manage your website easily and fast.
: it contains many main categories such as (videos, topics, sounds, photo gallery).
: ########################################################
: -=[Vuln Code]=-
* Peter Brodersen and Alexander Klink reported that the browser
automatically selected and sent a client certificate when SSL Client
Authentication is requested by a server (CVE-2007-4879).
* Gregory Fleischer reported that web content fetched via the "jar:"
protocol was not subject to network access restrictions
(CVE-2008-1240).
The following vulnerabilities were reported in Firefox:
Exploitation of this vulnerability would require a user to open a
malicious media file, usually an AVI file; however, since the
vulnerability is in the streaming component of Microsoft Windows,
attacks can be launched from a malicious website or any application
that delivers Web content. In Windows Explorer, if the Web View Content
is enabled, which is the default setting, a single click will open the
malicious file in the preview pane and trigger the vulnerability. An
attacker can host a malicious AVI file and use social engineering
techniques to trick a user into visiting the site or to deliver the
hostile code to a user via e-mail, for example.
"Over 450 million Internet-enabled desktops have installed Adobe Shockwave
Player. These people now have access to some of the best the Web has to offer
including dazzling 3D games and entertainment, interactive product
demonstrations, and online learning applications. Shockwave Player displays
Web content that has been created by Adobe Director." from Adobe.com
II. DESCRIPTION
---------------------
########################################################
Description:
DynPG is used to upload and manage dynamic web content similar to other content management systems.
DynPG however differs from other CMS, because it is embedded directly into websites.
The software was originally developed to realize designs that are created with Adobe Photoshop, Adobe Fireworks, Adobe Illustrator or any other graphics software.
The layout is created with an editor like Adobe Dreamweaver or Adobe GoLive or even as simple code.
After that, code snippets are placed at those points, where dynamically generated content (like articles, galleries, blogs or other dynamic content) shall be generated.
It provides a convenient way to extend existing websites with dynamic content. DynPG provides a template engine, but also supports existing CSS layouts.
########################################################
administration backend.
2. BACKGROUND
Geeklog is a PHP/MySQL based application for managing dynamic web content.
"Out of the box", it is a blog engine, or a CMS with support for
comments, trackbacks, multiple syndication formats, spam protection, and all
the other vital features of such a system.
transLucid - Cross Site Scripting and HTML Injection Vulnerabilities
Version Affected: 1.75 (newest)
Info: transLucidonline is the easy website publishing system with which anyone can create and maintain web content, in multiple languages and based on a growing list of ready-made, professional layouts.
Credits: InterN0T (macd3v and MaXe)
External Links:
http://www.pantha.net/
control.
Attacker-supplied HTML or JavaScript code could run in the context of
the affected site, potentially allowing an attacker to steal cookie-based
authentication credentials, control how the site is rendered to the user,
and influence or misrepresent how web content is served, cached, or
interpreted. Other attacks are also possible.
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that appendChild did not correctly account for DOM objects
it operated upon and could be exploited to dereference an invalid
pointer (CVE-2011-2378).
Mozilla security researcher moz_bug_r_a4 reported that web content
could receive chrome privileges if it registered for drop events and a
browser tab element was dropped into the content area (CVE-2011-2984).
Security researcher Mitja Kolsek of Acros Security reported that
ThinkPadSensor::Startup could potentially be exploited to load a
2. PRODUCT DESCRIPTION
Adobe Flash Player is the standard for delivering high-impact, rich
Web content. Designs, animation, and application user interfaces are
deployed immediately across all browsers and platforms, attracting and
engaging users with a rich Web experience.
3. VULNERABILITY DESCRIPTION
incorrect file when opening it. Since this attack requires local
access to the victim's machine, the severity of this vulnerability
was determined to be low (CVE-2009-3274).
Security researcher Paul Stone reported that a user's form history,
both from web content as well as the smart location bar, was vulnerable
to theft. A malicious web page could synthesize events such as mouse
focus and key presses on behalf of the victim and trick the browser
into auto-filling the form fields with history entries and then
reading the entries (CVE-2009-3370).
Do not perform administrative access of security management consoles from computers exposed to the Internet through web browsing, email, and other applications. Lock down and heavily monitor systems used to perform administrative tasks such as accessing security management consoles.
Details
User-controllable input supplied by the “iaction” and “node” parameters to the “Login.jsp” page is not properly sanitized for invalid or malicious content prior to being returned to the user in dynamically generated web content. This condition may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.
SecureWorks Risk Scoring
Likelihood: 2 – Best practice is to deploy the management console web application on a segmented management network.
Impact: 5 – Control over security appliances managed by the management console.
. 2009-04-23:
Core also suggests some mitigation actions to prevent the exploitation
of this flaw. For example, by explicitly constraining 'file://127.0.0.1'
to a given zone (i.e. Intranet) and then disabling "Websites in less
privileged web content zone can navigate into this zone" for that zone.
. 2009-04-24:
MSRC notifies that it would be possible to bypass the suggested
workaround if a malicious site had its domain name resolve to 127.0.0.1
since Zone determination does not depend on name resolution.
using a certain non-Ubuntu font. If a user configured Firefox to use this
font, an attacker could exploit this to spoof the location bar, such as in
a phishing attack. (CVE-2009-3078)
It was discovered that the BrowserFeedWriter in Firefox could be subverted
to run JavaScript code from web content with elevated chrome privileges.
If a user were tricked into viewing a malicious website, an attacker could
exploit this to execute arbitrary code with the privileges of the user
invoking the program. (CVE-2009-3079)