[FD] PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug
PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security Vulnerability Product: PhotoPost PHP Vendor: PhotoPost Vulnerable Versions: 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3 Tested Version: 4.8c vB3 Advisory Publication: July 25, 2015 Latest Update: July 28, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 8.6 Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing) *Caution Details:* *(1) Vendor Product Description:* *Vendor:* PhotoPost *Product Vulnerable Versions:* PhotoPost PHP 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3 *Vendor URL Download:* Product can be obtained from here, http://www.photopost.com/featuresphp.html *Product Introduction Overview:* Your search to find the best photo gallery has led you to the most feature rich, best performing, and most widely used gallery available today. PhotoPost is the best way to offer your users the ability to upload, show off, share, discuss, and rate photos and videos on your site. We originally created PhotoPost in 2001 for TechIMO.com, our parent company's own tech discussion website with 2 Million forum posts and 200,000 users, and within weeks we were inundated with requests, so we decided to develop it into a product. Over the past 8 years, PhotoPost has undergone more than 100 dot updates by a team of expert developers to add features, tweak performance, and maximize stability. Always in high demand, PhotoPost has been purchased by a staggering 14,500 websites. PhotoPost is most popular amongst vBulletin forum owners. That's because we designed PhotoPost from the beginning to integrate efficiently with a website's existing vBulletin forum, offering users one integrated login and registration instead of two, stylesheet integration, and other enhancements. But what PhotoPost does well for vBulletin owners, it does equally well for those that wish to integrate a gallery with many other forum types, or to simply add a photo gallery to their website with no forum at all. *(2) Vulnerability Details:* PhotoPost PHP web application has a computer security problem. Hackers can exploit it by XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. PhotoPost PHP has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations. *(2.1) *The code flaw occurs at |utmcct parameter in __utmz cookie. For example, if a victim clicks the link below. http://localhost/gallery/showphoto.php/photo/846/sort/ 'marqueeh1test/h1/marqueesvg/onload=prompt(/tetraph/) The content of __utmz cookie will be the following: __utma 194200300.1295483682.1438243020.1438243020.1438245659.2 __utmc 194200300 __utmz 194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com |utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral __qca P0-814178849-1438243024810 __utmb 194200300 bbsessionhash 1683dd3bd3edffbd8383db382f025eba bblastvisit 1438246612 So the malicious code can work in the user's browser for long time. *(2.2) Forum Integrations* PhotoPost can optionally integrate as an add-on to an existing forum on your site, and we do this extremely well. PhotoPost is a perfect fit with a forum, because sharing and discussing photos within PhotoPost comes naturally for a forum community. With our forum integration, your users will use their existing forum account to login to PhotoPost, without needing to register again and maintain a separate account. Additionally, we offer stylesheet integrations with several forums to easily setup your PhotoPost gallery to match your forum's look and feel, and with vBulletin 3.x we offer several additional enhancements. Forum Software User Login Stylesheets Enhanced* vBulletin 5.x vBulletin 4.x vBulletin 3.x Xenforo 1.x UBBThreads 6.X UBBThreads 7.X InvisionBoard 1.0 InvisionBoard 2.0 InvisionBoard 3.0 FusionBB MyBB 1.0 SMF 1.05 and up SMF 2.0 and up WowBB e107 PHPBB 2.0 PHPBB 3.0 Wordpress 3.x vBulletin 2.x DCForums + IkonBoard Nuke PostNuke Mambo XMB Forums (Src:
[FD] Symantec Endpoint Protection
Code White found several vulnerabilities in Symantec Endpoint Protection (SEP), affecting versions 12.1 prior to 12.1 RU6 MP1. SEP Manager (SEPM): * CVE-2015-1486: Authentication Bypass * CVE-2015-1487: Arbitrary File Write * CVE-2015-1488: Arbitrary File Read * CVE-2015-1489: Privilege Escalation * CVE-2015-1490: Path Traversal * CVE-2015-1491: SQL Injection SEP clients: * CVE-2015-1492: Binary Planting Official Symantec advisory SYM15-007: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisorypvid=security_advisoryyear=suid=20150730_00 An exploitation of these vulnerabilities effectively allow an unauthenticated remote attacker the full compromise of both the SEPM server as well as SEP clients running Windows. This can result in a full compromise of an enterprise Windows domain. Symantec provided the update 12.1 RU6 MP1 to address the issues. For a full disclosure of some of the vulnerabilities, see: http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html -- Markus Wulftange Senior Penetration Tester Code White GmbH Magirus-Deutz-Straße 18 89077 Ulm E-Mail markus.wulfta...@code-white.com PGPC6D6 C18B BAB9 0089 6942 213D 7772 8552 E9F8 6F39 http://www.code-white.com Code White GmbH Sitz und Registergericht/Domicile and Register Court: Stuttgart, HRB-Nr./Commercial Register No.: 749152 Geschäftsführung/Management: Dr. Helmut Mahler, Andreas Melzner, Lüder Sachse ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives RSS: http://seclists.org/fulldisclosure/
Re: [FD] Symantec Endpoint Protection
Do you have example requests for the SQL injections? On Jul 31, 2015, at 7:40 AM, Markus Wulftange markus.wulfta...@code-white.com wrote: Code White found several vulnerabilities in Symantec Endpoint Protection (SEP), affecting versions 12.1 prior to 12.1 RU6 MP1. SEP Manager (SEPM): * CVE-2015-1486: Authentication Bypass * CVE-2015-1487: Arbitrary File Write * CVE-2015-1488: Arbitrary File Read * CVE-2015-1489: Privilege Escalation * CVE-2015-1490: Path Traversal * CVE-2015-1491: SQL Injection SEP clients: * CVE-2015-1492: Binary Planting Official Symantec advisory SYM15-007: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisorypvid=security_advisoryyear=suid=20150730_00 An exploitation of these vulnerabilities effectively allow an unauthenticated remote attacker the full compromise of both the SEPM server as well as SEP clients running Windows. This can result in a full compromise of an enterprise Windows domain. Symantec provided the update 12.1 RU6 MP1 to address the issues. For a full disclosure of some of the vulnerabilities, see: http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html -- Markus Wulftange Senior Penetration Tester Code White GmbH Magirus-Deutz-Straße 18 89077 Ulm E-Mail markus.wulfta...@code-white.com PGPC6D6 C18B BAB9 0089 6942 213D 7772 8552 E9F8 6F39 http://www.code-white.com Code White GmbH Sitz und Registergericht/Domicile and Register Court: Stuttgart, HRB-Nr./Commercial Register No.: 749152 Geschäftsführung/Management: Dr. Helmut Mahler, Andreas Melzner, Lüder Sachse ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives RSS: http://seclists.org/fulldisclosure/ signature.asc Description: Message signed with OpenPGP using GPGMail ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives RSS: http://seclists.org/fulldisclosure/
[FD] Vulnerability in VirtueMart for Joomla
Hello list! This is Brute Force vulnerability in VirtueMart for Joomla. Which is at order details page. - Affected products: - Vulnerable are VirtueMart 3.0.9 for Joomla and previous versions. -- Details: -- Brute Force (WASC-11): http://site/index.php?option=com_virtuemartview=orderslayout=detailsorder_number=1order_pass=p_1 Weak password due to limit number of combinations - there are 1048576 combinations in total. If order number is present (which can be known in a result of information leakage or it can be picked up), it leads to leakage of information about order (item, price, name, surname, address and other personal information of client). Since 2007 I found a lot of such vulnerabilities with weak decimal or hexadecimal passwords in different webapps and web sites. Read about vulnerabilities in WordPress and in WP-DB-Backup plugin, which I found in 2007. About them I mentioned in my article Faulty using of MD5 in web applications (http://websecurity.com.ua/4459/). Timeline: 2015.05.21 - announced at my site. Later informed admin of the site, where I found this vulnerability, and developers of VirtueMart. 2015.07.29 - disclosed at my site (http://websecurity.com.ua/7770/). Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives RSS: http://seclists.org/fulldisclosure/