Posts Tagged ‘ предупредување

NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability

The application suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the ‘id’ GET parameter in the ‘locdelete’ (JSP) script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

inventoria_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5167.php

BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability

BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the ‘message’ POST parameter thru the ‘Notification Center’ extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

boxbilling_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php

LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

LimeSurvey suffers from a stored cross-site scripting and SQL Injection vulnerability. Input passed to the ‘label_name’ POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Input passed to the ‘group_name’ POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

limesurvey-sql

Advisory [ZSL-2013-5161]:
LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

Vendor patch:
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13491
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13494
http://www.limesurvey.org/en/stable-release

GLPI version 0.83.7 and 0.83.8 Multiple Vulnerabilities (SQLi/LFI)

GLPI suffers from a file inclusion vulnerability (LFI) when input passed thru the ‘filetype’ parameter to ‘common.tabs.php’ script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

Input passed via the POST parameter ‘users_id_assign’ in ‘/ajax/ticketassigninformation.php’ script, POST parameter ‘filename’ in ‘/front/document.form.php’ script, and POST parameter ‘table’ in ‘/ajax/comments.php’ script is not properly sanitised before being used in SQL queries. This can be exploited by a malicious attacker to manipulate SQL queries by injecting arbitrary SQL code in the affected application.

There are several other parameters vulnerable to SQL Injection attacks. For your convenience, test logs: more_sqli-glpi

Advisory [ZSL-2013-5145]: GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit
Advisory [ZSL-2013-5146]: GLPI v0.83.8 Multiple Error-based SQL Injection Vulnerabilities

SAS Integration Technologies Client 9.31_M1 (SASspk.dll) Stack-based Overflow

SAS Integration Technologies provides you with software that enables you to build a secure client/server infrastructure on which to implement SAS distributed processing solutions. With SAS Integration Technologies, you can integrate SAS with other applications in your enterprise; provide proactive delivery of information from SAS throughout the enterprise; extend the capabilities of SAS to meet your organization’s specific needs; and develop your own distributed applications that leverage the analytic and reporting powers of SAS. The SAS Deployment Manager is used for post-installation configuration tasks such as configuring some products, applying hot fixes, updating metadata, and uninstalling SAS software.

The SASspk module (SASspk.dll) version 9.310.0.11307, has a function called ‘RetrieveBinaryFile()’ which has one parameter called ‘bstrFileName’ which takes arguments as strings as defined in the function itself as ISPKBinaryFile from the SASPackageRetrieve library. Stack-based buffer overflow was discovered in one of the fuzzing processes that could allow arbitrary code execution by an attacker when exploiting the non-sanitized ‘bstrFileName’ parameter.

SAS Stack-based Buffer Overflow Vulnerability

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5142.php
Vendor: http://support.sas.com/kb/49/961.html

Securimage 3.5 URI-based Cross-Site Scripting Vulnerability

Securimage suffers from a XSS issue in ‘example_form.php’ that uses the ‘REQUEST_URI’ variable. The vulnerability is present because there isn’t any filtering to the mentioned variable in the affected script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5139.php

securimage

Qool CMS v2.0 RC2 Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities

Qool CMS suffers from multiple persistent cross-site scripting vulnerabilities. The issues are triggered when input passed via several POST parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Also, Qool CMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Qool CMS XSS

Advisory ZSL-2013-5133: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php
Advisory ZSL-2013-5134: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5134.php

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Input passed to the ‘dl’ parameter in ‘install.php’ script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack.


/install.php:
-------------

113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116: header('Cache-Control: no-cache, must-revalidate');
117: header('Pragma: no-cache');
118: header('Content-Disposition: attachment; filename="database.inc.php"');
119: header('Content-Transfer-Encoding: binary');
120: header('Content-Length: '.filesize($filename));
121: echo file_get_contents($filename);
122: unlink($filename);
123: exit();
124: }



Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php

Axis Commerce 0.8.7.2 Remote Script Insertion Vulnerabilities

Axis Commerce suffers from multiple stored XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5115.php

Oracle Identity Management 10g (username) XSS POST Injection Vulnerability

Oracle Identity Management suffers from a reflected XSS POST Injection vulnerability when parsing user input to the ‘username’ parameter via POST method thru ‘/usermanagement/forgotpassword/index.jsp’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

HTTP Request Headers:
----------------------

POST /usermanagement/forgotpassword/index.jsp HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3
iTaN0Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; ORA_WX_SESSION="6F35B41473025957B17F02F62855B522D4E22D7B-1#2";
Location=external; portal=9.0.3+en-us+us+AMERICA+CACA1F130AE0024EE043996B1DDC024E+
4D3F611B686669BF0BEC9DC4267652AC337EA1C5259A2168CF43540DE72E3BD5E
F1F589B40A6CD4E7007EB4D085EBD0681A1B2515CB22B5BED14922088
923D86B742E69FDA5D716C437D416C5F5B26049DC71083712AA9EA;
MODPLSQL_TRC=ReqId:11a179::PID:856d5bb0

btnSubmit=SUBMIT
username="><script>alert('XSS');</script>

HTTP Response Headers:
-----------------------

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: ORA_WX_SESSION="267FB4CAD2746E946102C01D527362A070E7D52C-1#2"; path=/
JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3iTaN0
Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; path=/usermanagement; secure
Location=external;path=/;
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.1 (N;ecid=216172960764121113,1)
Content-Length: 3198
Date: Fri, 28 Sep 2012 21:39:00 GMT

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5110.php