Archive for January, 2013

Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation Vulnerability

The Aloaha Credential Provider Service is affected by a local privilege escalation vulnerability: an unprivileged user can replace the service executable with a binary of their choice. The vulnerability exists due to improper permissions, with the ‘F’ (full) flag for the ‘Everyone’ group, on the ‘AloahaCredentialProviderService.exe’ binary file. The service was shipped with Aloaha PDF Saver and possibly every SmartCard Software package from Aloaha. The files are installed in the ‘Wrocklage’ directory, which has the Everyone group assigned to it with full permissions, making every single file inside modifiable by any user on the affected machine. After you replace the binary with your rootkit, on reboot you get SYSTEM privileges.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5124.php
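
A defender-side audit for the misconfiguration described above, as an added example that is not part of the original advisory: it lists Windows services whose executable or containing directory grants write-level access to Everyone, Authenticated Users or BUILTIN\Users. The function names and the choice of principals and rights are assumptions of this example.

```powershell
# Added example: flag service binaries (and their directories) writable by broad groups.
# Principals are matched by well-known SID so the check also works on localized systems.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
# Rights that allow replacing the file or rewriting its ACL, plus GENERIC_ALL / GENERIC_WRITE,
# which can appear as raw bits in inherited directory ACEs.
$rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments.
    if ($PathName -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b')  { return $Matches[1] }
    return $null
}

function Test-WeakAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # identity could not be resolved to a SID
        if (($broadSids -contains $sid) -and ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference; Rights = $ace.FileSystemRights }
        }
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        # The advisory notes the whole install directory was writable, so check it too.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            Test-WeakAcl $target |
                Select-Object @{ n = 'Service'; e = { $svc.Name } }, Path, Identity, Rights
        }
    }
}
```

Any row in the output is a service whose binary or directory should have its ACL tightened so that only administrators and SYSTEM can write to it.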

phlyLabs phlyMail Lite 4.03.04 Multiple Vulnerabilities (XSS, PD, Open Redirect)

phlyMail suffers from multiple stored XSS vulnerabilities (post-auth) and a path disclosure issue when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site and to display the full webapp installation path.

Input passed via the ‘go’ parameter in the ‘derefer.php’ script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

Advisories:

[ZSL-2013-5123] phlyLabs phlyMail Lite 4.03.04 (go param) Open Redirect Vulnerability
[ZSL-2013-5122] phlyLabs phlyMail Lite 4.03.04 Path Disclosure and Stored XSS Vulnerabilities

Joomla Incapsula Component 1.4.6_b Reflected Cross-Site Scripting Vulnerability

The Joomla Incapsula component suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the ‘token’ GET parameter in the ‘Security.php’ and ‘Performance.php’ scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5121.php