[FD] Major Internet Explorer Vulnerability - NOT Patched

2015-01-31 Thread David Leo

Deusen just published code and description here:
which demonstrates the serious security issue.

An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window ("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into 

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything 
into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

2015-01-31 Thread Jing Wang
CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a, 1.0b1, 1.0b2
Tested Version: 0.5.2a, 1.0b1, 1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor & Product Description
Product & Version:

Vendor URL & Download:

Product Description:
"SnipSnap is a user friendly content management system with features such
as wiki and weblog."

(2) Vulnerability Details:
SnipSnap has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at "snipsnap-search?" page with "query"


Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),


[FD] Banner Effect Header Security Advisory - XSS Vulnerability - CVE-2015-1384

2015-01-31 Thread Onur Yilmaz

Advisory by Netsparker.
Name: XSS Vulnerability in Banner Effect Header
Affected Software: Banner Effect Header
Affected Versions: 1.2.7 and possibly below
Vendor Homepage: https://wordpress.org/plugins/banner-effect-header/
Vulnerability Type: Cross-site Scripting
Severity: Important
CVE-ID: CVE-2015-1384
Netsparker Advisory Reference: NS-15-002

By exploiting a Cross-site scripting vulnerability, the attacker can
hijack a logged-in user's session. This means that the malicious
hacker can change the logged-in user's password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator's session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Technical Details
Proof of Concept URLs for XSS in Banner Effect Header:

URL: /wp-admin/options-general.php?page=BannerEffectOptions
Parameter Name: banner_effect_divid
Parameter Type: Post
Attack Pattern: " onclick=alert(1) "

For more information on cross-site scripting vulnerabilities read the
following article on Cross-site Scripting (XSS) -

Advisory Timeline

21/01/2015 - First Contact
29/01/2015 - Vulnerability fixed
29/01/2015 - Advisory released


Download version 1.2.8, which includes a fix for this vulnerability.

Credits & Authors
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner  -

About Netsparker

Netsparker finds and reports security flaws and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allow it to be dead accurate in reporting vulnerabilities,
hence it is the first and only False Positive Free web application
security scanner. For more information visit our website on


[FD] Defense in depth -- the Microsoft way (part 27): the command line you get differs from the command line I use to call you

2015-01-31 Thread Stefan Kanthak
Hi @ll,

on Windows, the command line an application receives can differ
from the command line the calling application supplies to

The documentation of GetCommandLine()

| Note  The name of the executable in the command line that
| the operating system provides to a process is not necessarily
| identical to that in the command line that the calling process
| gives to the CreateProcess function. The operating system may
| prepend a fully qualified path to an executable name that is
| provided without a fully qualified path.

This is not the whole truth, another "Note" is missing there:
when CreateProcess*() is called using a command line with an
UNQUOTED "long" filename/pathname containing spaces (a well-known
it uses try&error to guess the pathname of the executable.

The documentation of CreateProcess()

| [...] the module name must be the first white space-delimited
| token in the lpCommandLine string. If you are using a long file
| name that contains a space, use quoted strings to indicate where
| the file name ends and the arguments begin; otherwise, the file
| name is ambiguous. For example, consider the string
| "c:\program files\sub dir\program name".
| This string can be interpreted in a number of ways. The system
| tries to interpret the possibilities in the following order:
|     c:\program.exe files\sub dir\program name
|     c:\program files\sub.exe dir\program name
|     c:\program files\sub dir\program.exe name
|     c:\program files\sub dir\program name.exe

In the latter 3 cases the command line is but modified too:
Windows adds quotes around the part of the command line which
forms the result of this "interpretation" and yields the path
to the executable if this part contains a space.

The 4 command lines shown above are transformed into:

c:\program.exe files\sub dir\program name
"c:\program files\sub.exe" dir\program name
"c:\program files\sub dir\program.exe" name
"c:\program files\sub dir\program name.exe"

JFTR: without this transformation splitting of the command line
  into the "argv" vector would give wrong results ... in
  presence of CreateProcess*() braindead behaviour!

Stay tuned!

Stefan Kanthak

PS: the documentation of CommandLineToArgvW()

contains a "funny" and surprising remark:

| This function accepts command lines that contain a program name;
| the program name can be enclosed in quotation marks or not.

This does but NOT mean that CommandLineToArgvW() tries to
guess like CreateProcess()!
It treats c:\program files\sub dir\program name
as "c:\program" "files\sub" "dir\program" "name".


[FD] SQL injection vulnerabilities in zerocms <= v.1.3.3

2015-01-31 Thread Steffen Rösemann
Advisory: SQL injection vulnerabilities in zerocms <= v.1.3.3
Advisory ID: SROEADV-2015-13
Author: Steffen Rösemann
Affected Software: zerocms <= v.1.3.3 (released 23rd-Jan-2015)
Vendor URL: http://aas9.in/zerocms/
Vendor Status: platform will be moving to Rails4

Vulnerability Description:

Content management system Zerocms v. 1.3.3 suffers from SQL injection

Technical Details:

The article_id-parameter used in zero_view_article.php is vulnerable to SQL
injection. It is located here in a common Zerocms-installation and can be
exploited even by unregistered users:




A Blind SQL injection vulnerability can be found in the file
zero_user_transact.php. The parameter user_id is vulnerable to SQL
injection. See the following example POST-request which serves as

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 AND

The Blind SQL injection vulnerability can be exploited on the
administrative backend of Zerocms.

The vulnerabilities described above have been tested on the following
versions of Zerocms:

- v. 1.3.2
- v. 1.3.3


Vendor seems not to provide a patch for these vulnerabilities as version
1.3.3 is the last release for this PHP-based platform. It will be developed
on the Rails4-platform in future releases (see Github repository, release

Disclosure Timeline:

23-Jan-2015 - found the vulnerabilities in v.1.3.2
23-Jan-2015 - informed the developers (see [3])
23-Jan-2015 - release date of this security advisory [without technical
23-Jan-2015 - forked the vulnerable version to keep it available for other
researchers (see [4])
23-Jan-2015 - developer released v.1.3.3 of zerocms
24-Jan-2015 - vulnerabilities can also be found in v.1.3.3
29-Jan-2015 - as vendor will move the platform to Rails4, it seems that
there will be no patch provided (see [5])
29-Jan-2015 - release date of this security advisory
29-Jan-2015 - sent to Full Disclosure


Vulnerability found and advisory written by Steffen Rösemann.


[1] http://aas9.in/zerocms/
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
[3] https://github.com/perezkarjee/zerocms/issues/3
[4] https://github.com/sroesemann/zerocms
[5] https://twitter.com/sroesemann/status/559273548691546113


[FD] iTunes 12.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-01-31 Thread Stefan Kanthak
Hi @ll,

See ,
 for the

The just released iTunes 12.1 for Windows comes again with
outdated and VULNERABLE 3rd party libraries.

In AppleMobileDeviceSupport.msi:

* libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05

  The current version is 0.9.8ze and has 21 security fixes
  which are missing in 0.9.8za; see 

  At last, these DLLs are no more 7 years old as before, but
  "only" 7 months old.

* libcurl.dll 7.16.2

  is almost EIGHT years old and has at least 22 unfixed CVEs!

  The current version is 7.40.0; for the fixed vulnerabilities

In AppleApplicationSupport.msi:

* msvcr100.dll and msvcp100.dll 10.0.40219.1 from 2011-02-20

  These are the runtime DLLs for Visual C++ 2010 RTM.

  The current version is but 10.0.40219.325; see

Additionally the following VULNERABLE[*] command lines with unquoted
pathnames containing spaces are registered.

By AppleApplicationSupport.msi:




For beginners: the value of the unnamed registry entry is a COMMAND
LINE and has to be quoted properly!


| To help provide system security, use quoted strings in the path to
| indicate where the executable filename ends and the arguments begin. 

As of Windows 2003 developers who are NOT completely unaware of
Microsoft's documentation might want to use the "ServerExecutable"
registry entry described there too.
But 12 years are surely way too short for Apple's developers, QA and
management to learn about such "new" features which help improve safety
and security.

By iTunes.msi:

@="[#iTunes.exe] /url \"%1\""

@="[#iTunes.exe] /url \"%1\""

@="[#iTunes.exe] /url \"%1\""

@="[#iTunes.exe] /url \"%1\""

@="[#iTunes.exe] /url \"%1\""

@="[#iTunes.exe] /url \"%1\""


@="[#iTunes.exe] /url \"%1\""

@="[#iTunes.exe] /url \"%1\""

@="[INSTALLDIR]iTunes.exe /url \"%1\""

@="[INSTALLDIR]iTunes.exe /url \"%1\""

@="[INSTALLDIR]iTunes.exe /url \"%1\""

@="[INSTALLDIR]iTunes.exe /url \"%1\""

@="[INSTALLDIR]iTunes.exe /url \"%1\""

@="[INSTALLDIR]iTunes.exe /url \"%1\""

@="[INSTALLDIR]iTunes.exe /url \"%1\""

From :

| If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if
| the element contains a space, it will not parse correctly.

See  if you want to
detect software with this 20+ year old vulnerability[*] without
dissecting its *.MSI files.

Until Apple's developers, their QA and their managers start to
develop a sense for their customers' safety and security:
stay away from Apple's (Windows) software!

stay tuned
Stefan Kanthak

You'll read more about it soon!
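The two Kanthak posts above (part 27 on CreateProcess*() guessing, and the unquoted iTunes command lines registered in the registry) describe the same mechanism; the following Python is an added example written for this digest, not code from the posts or from Microsoft. It models the candidate order from the CreateProcess documentation, the quoting rewrite the child sees, the non-guessing split of CommandLineToArgvW, and an audit check for command strings such as the registry values listed; the file-system check in resolve() is a constructed stand-in.

```python
import re

def createprocess_candidates(cmdline):
    """Executable paths an UNQUOTED command line can mean, in the order the
    CreateProcess docs list them; a quoted program name gives one candidate."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        name = s[1:end] if end > 0 else s[1:]
        return [name if name.lower().endswith('.exe') else name + '.exe']
    tokens = s.split(' ')
    return [' '.join(tokens[:i]) + '.exe' for i in range(1, len(tokens) + 1)]

def rewrite(cmdline, index):
    """Command line the child receives once candidate `index` was picked:
    Windows quotes the executable part if it contains a space."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s
    tokens = s.split(' ')
    exe = ' '.join(tokens[:index + 1]) + '.exe'
    if ' ' in exe:
        exe = '"' + exe + '"'
    return (exe + ' ' + ' '.join(tokens[index + 1:])).rstrip()

def resolve(cmdline, exists):
    """Simulate the guess: the first candidate for which exists(path) holds
    wins. `exists` stands in for the real file-system check (constructed)."""
    for i, cand in enumerate(createprocess_candidates(cmdline)):
        if exists(cand):
            return cand, rewrite(cmdline, i)
    return None

def argv_split(cmdline):
    """Quote-aware whitespace split, all CommandLineToArgvW does with the
    program-name token: no guessing (backslash-escape rules omitted)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def unquoted_path_with_spaces(cmdline):
    """Audit check for registry/service command strings: True when the command
    is unquoted and the text up to the first '.exe' contains a space."""
    s = cmdline.strip()
    if s.startswith('"'):
        return False
    m = re.search(r'\.exe\b', s, re.IGNORECASE)
    head = s[:m.end()] if m else s
    return ' ' in head
```

Run unquoted_path_with_spaces() over exported registry command values or service ImagePath strings to list the entries that still rely on the guess.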
