Posts Tagged ‘vulnerabilities’

MTP Scripts Multiple Products Multiple Stored XSS Vulnerabilities

MTP Scripts offers three products: MTP Image Gallery, MTP Guestbook and MTP Poll. All of the products suffer from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability
MTP Guestbook 1.0 Multiple Remote Script Insertion Vulnerabilities
MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities

Spiceworks 6.0.00993 Multiple Script Injection Vulnerabilities

Spiceworks suffers from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. List of affected parameters and modules:

-----------------------------------------------------------------------------------------------------
 #  Parameter                                        Module / Component
-----------------------------------------------------------------------------------------------------
 1. agreement[account] ............................. agreements
 2. article[new_references][][url] ................. xbb/knowledge_base
 3. asset[device_type] ............................. asset
 4. asset[mac_address] ............................. asset
 5. asset[name] .................................... asset
 6. category[name] ................................. settings/categories
 7. international[global_date_abbrev_format] ....... settings/advanced/save_international_settings
 8. international[global_date_format] .............. settings/advanced/save_international_settings
 9. international[global_date_time_format] ......... settings/advanced/save_international_settings
10. international[global_date_simple_format] ....... settings/advanced/save_international_settings
11. international[global_time_format] .............. settings/advanced/save_international_settings
12. navigation[name] ............................... my_tools
13. purchase[name] ................................. purchases
14. purchase[price] ................................ purchases
15. purchase[purchased_for_name] ................... purchases
16. report[description] ............................ reports/create
17. vendor[name] ................................... agreements
18. vendor[website] ................................ agreements
-----------------------------------------------------------------------------------------------------

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5107.php

Multiple vulnerabilities in multiple web applications

ZSL-2012-5097: SiNG cms 2.9.0 (email) Remote XSS POST Injection Vulnerability
ZSL-2012-5098: web@all CMS 2.0 Multiple Remote XSS Vulnerabilities
ZSL-2012-5099: web@all CMS 2.0 (_order) SQL Injection Vulnerability
ZSL-2012-5100: KindEditor 4.1.2 (name parameter) Reflected XSS Vulnerability
ZSL-2012-5101: Monstra 1.2.1 Multiple HTML Injection Vulnerabilities
ZSL-2012-5102: xt:Commerce v4.0.15 (products_name_de) Script Insertion Vulnerability

The applications suffer from multiple stored and reflected XSS vulnerabilities, as well as an SQL injection.

BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities

BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via the GET and POST methods (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: footer: “powered by BGS CMS”

Advisory ID: ZSL-2012-5084
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php

Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities

Zend Server and its components suffer from a cross-site scripting vulnerability. The persistent (stored) XSS issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Original Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
TXT: http://www.zeroscience.mk/codes/zend_s03.txt
HTML: http://www.zeroscience.mk/codes/zend_s03.html

Vendor: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt

ManageEngine ADManager Plus 5.2 Multiple XSS Vulnerabilities

ADManager Plus suffers from multiple XSS vulnerabilities when parsing user input to the ‘domainName’ parameter in the ‘/jsp/AddDC.jsp’ script via the GET method and the ‘operation’ parameter in the ‘/DomainConfig.do’ script via the POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

PoC(s):

#1

- GET http://localhost:8080/jsp/AddDC.jsp?domainName="><script>alert('zsl')</script> HTTP/1.1

#2

- POST http://localhost:8080/DomainConfig.do?methodToCall=save HTTP/1.1

- DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation="><script>alert('zsl')</script>&reset=

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5070.php

Infoproject Biznis Heroj Multiple Vulnerabilities

Infoproject Biznis Heroj (XSS/SQLi) Multiple Remote Vulnerabilities

Input passed via the ‘filter’ parameter in ‘widget.dokumenti_lista.php’ and the ‘fin_nalog_id’ parameter in the ‘nalozi_naslov.php’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The ‘config’ parameter in ‘nalozi_naslov.php’ and ‘widget.dokumenti_lista.php’ is vulnerable to an XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Infoproject Biznis Heroj (login.php) Authentication Bypass Vulnerability

The vulnerability is caused by an error in the logon authentication script (login.php) and can be exploited to bypass the login procedure by defining the ‘username’ and ‘password’ POST parameters with an SQL Injection attack, gaining admin privileges.

Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities

Input passed via the parameters ‘redirect.php’ in ‘message.php’ and ‘w’ and ‘d’ in the ‘index.php’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code or to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. A path disclosure issue resides in the ‘sq’ parameter of the ‘/plugins/search/search.php’ script.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5051.php

net4visions.com Multiple Products Multiple Vulnerabilities

The iGallery, iManager and iBrowser plugins for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor suffer from multiple vulnerabilities including: Reflected (Non-Persistent) Cross-Site Scripting, Local File Inclusion, File Disclosure, Arbitrary Deletion.

The iManager plugin has 3 different parameters that can trigger the vulnerabilities mentioned above: ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts and parameters for the corresponding issues: ‘dir’ and ‘lang’. Advisories below:

ZSL-2011-5046: iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045: iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044: iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043: iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042: iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041: iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

ManageEngine ServiceDesk Plus 8.0 Multiple Stored XSS Vulnerabilities

The application suffers from multiple stored XSS vulnerabilities. Input passed through several parameters is not sanitized, allowing the attacker to execute HTML code in a user’s browser session on the affected site. Also, a couple of HTTP header elements are vulnerable to XSS. The vendor issued a patch to address these issues.

Stored XSS (post-auth):

Param: reqName (POST)
Scripts: WorkOrder.do, Problems.cc, AddNewProblem.cc, ChangeDetails.cc (http://localhost:8080/common/UpdateField.jsp)

Params: reqName, description, level, priority, category, title, attach (POST)
Script: WorkOrder.do

Params: keywords, comments (POST)
Script: AddSolution.do

Params: supportDetails, contractName, comments (POST)
Script: ContractDef.do

Param: organizationName (POST)
Script: VendorDef.do

Param: COMMENTS (POST)
Script: MarkUnavailability.jsp (MySchedule.do)

Attack string: "><script>alert(1)</script>

HTTP Header XSS:

Elements: referer, accept-language
Scripts: HomePage.do, MySchedule.do, WorkOrder.do

————
GET /HomePage.do HTTP/1.0
Accept: */*
User-Agent: joxy-poxy
Host: localhost:8080
Cookie: JSESSIONID=AD4D28ADDB611A3DE6EAC2C6B4C8808E;JSESSIONIDSSO=B1F6034451E9457EEEF3DA09BA424247
Connection: Close
accept-language: 1<script>alert(1)</script>
Pragma: no-cache
————

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php
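
A server-side check for the header-borne XSS described above, as an added example that is not part of the original advisory or of ServiceDesk Plus: it validates `Accept-Language` against the RFC 7231 language-range grammar and `Referer` as an absolute http(s) URL free of markup characters, and returns the HTML-encoded form of any rejected value. The function names and both sample requests are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Accept-Language: comma-separated language ranges with optional q-values (RFC 7231, 5.3.5)
_LANG_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
_QVALUE = r"(?:\s*;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?"
ACCEPT_LANGUAGE_RE = re.compile(
    rf"^\s*{_LANG_RANGE}{_QVALUE}(?:\s*,\s*{_LANG_RANGE}{_QVALUE})*\s*$")
MARKUP_CHARS = set("<>\"'`")

def parse_headers(raw_request: str) -> dict:
    """Return lower-cased header names mapped to values from a raw HTTP request."""
    headers = {}
    lines = raw_request.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the request line
        if not line.strip():
            break                       # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def valid_accept_language(value: str) -> bool:
    return bool(ACCEPT_LANGUAGE_RE.match(value))

def valid_referer(value: str) -> bool:
    if MARKUP_CHARS & set(value):       # reject anything that could break out of an attribute
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

VALIDATORS = {"accept-language": valid_accept_language, "referer": valid_referer}

def audit_request(raw_request: str) -> dict:
    """Map each rejected header to its HTML-encoded value, safe to log or echo."""
    findings = {}
    for name, value in parse_headers(raw_request).items():
        check = VALIDATORS.get(name)
        if check and not check(value):
            findings[name] = html.escape(value, quote=True)
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = ("GET /HomePage.do HTTP/1.0\nHost: localhost:8080\n"
          "Accept-Language: en-US,en;q=0.8\n"
          "Referer: http://localhost:8080/WorkOrder.do\n\n")
TAINTED = ("GET /HomePage.do HTTP/1.0\nHost: localhost:8080\n"
           "accept-language: 1<script>alert(1)</script>\n\n")
```

Validation decides whether the request is accepted; the encoded value is what any page or log view should render if the header is displayed at all.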