Archive for October, 2010

Sophos’s Safer web browsing in four steps paper

The web is now the cybercriminal’s favored means of attack, with a newly infected
website discovered every few seconds. Hijacked trusted sites, poisoned search
results, fake anti-virus software and phishing websites are a sample of the exploits
that hit users’ browsers every day. That leaves your business in a bind: Accessing
the web poses enormous risks, yet you can’t afford to be isolated from the
internet and its resources. This white paper examines the latest web threats, and
recommends four best practices and a layered approach that enables your users
while also protecting your organization’s endpoints, network and data.

Read on: sophos-safer-web-browsing-wpna.pdf

Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability

The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer overflow/memory corruption vulnerability when handling project files (.qprj). The issue is triggered because there is no boundry checking of some XML tag property values, ex: <Folder FolderName=”SQL” Type=”AAAAAAA…./>” (~1000 bytes). This can aid the attacker to execute arbitrary machine code in the context of an affected node (locally and remotely) via file crafting or computer-based social engineering.

Advisory ID: ZSL-2010-4971
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4971.php
Advisory TXT: http://www.zeroscience.mk/codes/dbspy_bof.txt

The ZSL² way.

Ref: http://liquidworm.deviantart.com/art/The-ZSL-way-182921604

eXV² Content Management System 2.10 Remote XSS Vulnerability

The CMS suffers from a remote reflected Cross-Site Scripting vulnerability when input passed thru “rssfeedURL” and “sumb” parameter in “archive.php”, “topics.php”, “example.php” and “index.php” is not sanitized, allowing the attacker to execute arbitrary HTML and script code in a user’s browser session and aid in phishing attacks.

Tested on: Microsoft Windows XP Pro (EN)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor status: [09.10.2010] Vulnerability discovered.
[10.10.2010] Contact with the vendor.
[14.10.2010] No reply from vendor.
[15.10.2010] Public advisory released.

Vulnerability discovered by: Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Zero Science Lab – http://www.zeroscience.mk

Zero Science Lab Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4970.php

Exponent CMS v0.97 Multiple Vulnerabilities

Vendor: OIC Group Inc.
Product web page: http://www.exponentcms.org
Affected version: 0.97

Summary: Open Source Content Management System (PHP+MySQL).

Desc: Exponent CMS suffers from multiple vulnerabilities:

#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability

(1) LFI/FD occurs when input passed thru the params:
– “action”
– “expid”
– “ajax_action”
– “printerfriendly”
– “section”
– “module”
– “controller”
– “int”
– “src”
– “template”
– “page”
– “_common”

to the scripts:
– “index.php”
– “login_redirect.php”
– “mod_preview.php”
– “podcast.php”
– “popup.php”
– “rss.php”

is not properly verified before being used to include files.
This can be exploited to include files from local resources
with directory traversal attacks and URL encoded NULL bytes.

(2) AFU/E occurs due to an error in:
– “upload_fileuploadcontrol.php”
– “upload_standalone.php”
– “manifest.php”
– “delete.php”
– “edit.php”
– “manage.php”
– “rank_switch.php”
– “save.php”
– “view.php”
– “class.php”
– “deps.php”
– “delete_form.php”
– “delete_process.php”
– “search.php”
– “send_feedback.php”
– “viewday.php”
– “viewmonth.php”
– “viewweek.php”
– “testbot.php”
– “activate_bot.php”
– “deactivate_bot.php”
– “manage_bots.php”
– “run_bot.php”
– “class.php”
– “delete_board.php”
– “delete_post.php”
– “edit_board.php”
– “edit_post.php”
– “edit_rank.php”
– “monitor_all_boards.php”
– “monitor_board.php”
– “monitor_thread.php”
– “preview_post.php”
– “save_board.php”
– “save_post.php”
– “save_rank.php”
– “view_admin.php”
– “view_board.php”
– “view_rank.php”
– “view_thread.php”
– “banner_click.php”
– “ad_delete.php”
– “ad_edit.php”
– “ad_save.php”
– “af_delete.php”
– “af_edit.php”
– “af_save.php”
– “delete_article.php”
– “edit_article.php”
– “save_article.php”
– “save_submission.php”
– “submit_article.php”
– “view_article.php”
– “view_submissions.php”
– “coretasks.php”
– “htmlarea_tasks.php”
– “search_tasks.php”
– “clear_smarty_cache.php”
– “configuresite.php”
– “config_activate.php”
– “config_configuresite.php”
– “config_delete.php”
– “config_save.php”
– “examplecontent.php”
– “finish_install_extension.php”
– “gmgr_delete.php”
– “gmgr_editprofile.php”
– “gmgr_membership.php”
– “gmgr_savegroup.php”
– “gmgr_savemembers.php”

as it allows uploads of files with multiple extensions to a
folder inside the web root. This can be exploited to execute
arbitrary PHP code by uploading a specially crafted PHP script.

The uploaded files are stored in: [CMS_ROOT_HOST]\files

(3) XSS occurs when input passed to the params:
– “u”
– “expid”
– “ajax_action”
– “ss”
– “sm”
– “url”
– “rss_url”
– “lang”
– “toolbar”
– “section”
– “section_name”
– “src”

in scripts:
– “slideshow.js.php”
– “picked_source.php”
– “magpie_debug.php”
– “magpie_simple.php”
– “magpie_slashbox.php”
– “test.php”
– “fcktoolbarconfig.js.php”
– “section_linked.php”
– “index.php”

is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script
code in a user’s browser session in context of an affected site.

Tested on: Microsoft Windows XP Professional SP3 (English)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor status: [09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.

Advisory ID: ZSL-2010-4969
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Vulnerabilities discovered by: Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Zero Science Lab – http://www.zeroscience.mk

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Raw analysis (hi 5 John Leitch): Log_Exponent.txt (616 KB)

TomatoCart 1.0.1 (json.php) Remote Cross-Site Scripting Vulnerability

TomatoCart version 1.0.1 suffers from a XSS vulnerability because input passed via the “action” parameter to json.php script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Vendor status:
[01.10.2010] Vulnerability discovered.
[02.10.2010] Vendor contacted.
[05.10.2010] No reply from vendor.
[06.10.2010] Public advisory released.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4968.php