Posts Tagged ‘информации’

Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities

Anchor CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input passed to several parameters via the GET and POST methods. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: “intext:Powered by Anchor, version 0.6”

Advisory ID: ZSL-2012-5085
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5085.php

Themida and WinLicense Vulnerabilities

The vulnerability in Themida is caused by a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .TMD file. Successful exploitation may allow execution of arbitrary code.

WinLicense is prone to an unspecified memory corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious XML file to execute arbitrary code and to cause denial-of-service conditions.

Advisories:

ZSL-2012-5079: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5079.php
ZSL-2012-5080: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5080.php

Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities

Zend Server and its components suffer from cross-site scripting vulnerabilities. The persistent (stored) XSS issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Original Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
TXT: http://www.zeroscience.mk/codes/zend_s03.txt
HTML: http://www.zeroscience.mk/codes/zend_s03.html

Vendor: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt

webgrind 1.0 (file param) Local File Inclusion Vulnerability

webgrind suffers from a local file inclusion (LFI) vulnerability: input passed through the ‘file’ parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal and URL-encoded NULL bytes.


---------------------------
/index.php:
-----------
case 'fileviewer':
    $file = get('file');   // user-controlled value, later used in a file include without validation
    $line = get('line');
---------------------------

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php

Thanks to Michael Meyer, OpenVAS Project.
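The checks the snippet above is missing, as an added example that is not webgrind’s own code: a validator for the ‘file’ value that refuses NUL bytes and traversal and keeps the resolved path under an allowed directory, plus a small pass over constructed request lines that flags values which would fail it. PROFILE_ROOT and the log format are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlparse

PROFILE_ROOT = "/var/www/webgrind/profiles"   # assumed directory the 'file' param may address


def resolve_profile_path(param, root=PROFILE_ROOT):
    """Return the absolute path a 'file' value may open, or None if unsafe.

    Decode once, refuse NUL bytes (the %00 truncation trick), refuse
    absolute paths, backslashes and '..' components, then confirm the
    normalised path still lies strictly under root.
    """
    if not isinstance(param, str) or not param:
        return None
    decoded = unquote(param)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    if ".." in decoded.split("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def flag_lfi_requests(log_lines):
    """Return lines whose index.php 'file' value fails resolve_profile_path.

    Expects constructed lines of the form 'METHOD PATH?QUERY STATUS'; the raw
    (still percent-encoded) value is passed on so it is decoded exactly once.
    """
    flagged = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        url = urlparse(fields[1])
        if not url.path.endswith("/index.php"):
            continue
        for pair in url.query.split("&"):
            key, _, value = pair.partition("=")
            if key == "file" and resolve_profile_path(value) is None:
                flagged.append(line)
                break
    return flagged


SAMPLE_LOG = [  # constructed request lines, not real traffic
    "GET /webgrind/index.php?file=cachegrind.out.1234 200",
    "GET /webgrind/index.php?file=../../../../etc/passwd%00 200",
    "GET /webgrind/index.php?file=%2e%2e%2fconfig.php 200",
    "GET /webgrind/index.php?file=/etc/passwd 200",
]
```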

Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

The PDF Printer Preferences ActiveX control suffers from a buffer overflow vulnerability. When a large buffer is passed as the sub_path argument of the StoreInRegistry function, or as the sub_key argument of the InitFromRegistry function, in the pdfxctrl.dll module, an SEH overwrite occurs. An attacker can gain access to the affected system and execute arbitrary code.

Discovered on 25.01.2012; the control is included in Mindjet MindManager 2012 for Windows version 10.0.493.

COMRaider Output:

-----------
Exception Code: ACCESS_VIOLATION
Disasm: 7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] (KERNEL32.dll)

Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 41414141

Called From Returns To
--------------------------------------------------
KERNEL32.7C834D8F pdfxctrl.1001D8E7
pdfxctrl.1001D8E7 41414141

Registers:
--------------------------------------------------
EIP 7C834D8F -> Asc: SOFTWARE\Tracker Software\pdf
EAX 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBX 00000003
ECX 0000008C
EDX 00001815
EDI 0013FFFD -> 41000000
ESI 0013CD74 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B780 -> 0013EDE4
ESP 0013B75C -> 0000302A -> Uni: *0*0

Block Disassembly:
--------------------------------------------------
7C834D82 MOV CL,[EDI+1]
7C834D85 INC EDI
7C834D86 TEST CL,CL
7C834D88 JNZ SHORT 7C834D82
7C834D8A MOV ECX,EDX
7C834D8C SHR ECX,2
7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH
7C834D91 MOV ECX,EDX
7C834D93 AND ECX,3
7C834D96 REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
7C834D98 OR DWORD PTR [EBP-4],FFFFFFFF
7C834D9C CALL 7C802511
7C834DA1 RETN 8
7C834DA4 NOP
7C834DA5 NOP

ArgDump:
--------------------------------------------------
EBP+8 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBP+12 0013B790 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 41414141
EBP+20 41414141
EBP+24 41414141
EBP+28 41414141

Stack Dump:
--------------------------------------------------
13B75C 2A 30 00 00 84 63 18 00 03 00 00 00 5C B7 13 00 [.....c......\...]
13B76C 2A 30 00 00 AC F1 13 00 C0 9A 83 7C A8 4D 83 7C [.............M..]
13B77C 00 00 00 00 E4 ED 13 00 E7 D8 01 10 E0 E9 13 00 [................]
13B78C 90 B7 13 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13B79C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]

-----------

CompanyName Tracker Software Products
FileDescription PDF Printer Preferences ActiveX
FileVersion 3.60.0128
InternalName pdfxctrl.dll
LegalCopyright Copyright © 2001-2006 by Tracker Software Products
OriginalFileName pdfxctrl.dll
ProductName Tracker Software Products pdfxctrl.PdfPrinterPreferences ActiveX
ProductVersion 3.60

Advisory ID: ZSL-2012-5067 (Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH))
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php

net4visions.com Multiple Products Multiple Vulnerabilities

The iGallery, iManager and iBrowser plugins for WYSIWYG editors such as TinyMCE, SPAW, htmlArea, Xinha and FCKeditor suffer from multiple vulnerabilities, including reflected (non-persistent) cross-site scripting, local file inclusion, file disclosure and arbitrary file deletion.

The iManager plugin has three different parameters that can trigger the vulnerabilities mentioned above: ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts, and their corresponding issues are triggered via the ‘dir’ and ‘lang’ parameters. Advisories below:

ZSL-2011-5046: iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045: iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044: iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043: iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042: iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041: iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

ManageEngine ServiceDesk Plus 8.0 Multiple Stored XSS Vulnerabilities

The application suffers from multiple stored XSS vulnerabilities. Input passed through several parameters is not sanitized, allowing an attacker to execute HTML code in the user’s browser session on the affected site. A couple of HTTP header elements are also vulnerable to XSS. The vendor has issued a patch to address these issues.

Stored XSS (post-auth):

Param: reqName (POST)
Scripts: WorkOrder.do, Problems.cc, AddNewProblem.cc, ChangeDetails.cc (http://localhost:8080/common/UpdateField.jsp)

Params: reqName, description, level, priority, category, title, attach (POST)
Script: WorkOrder.do

Params: keywords, comments (POST)
Script: AddSolution.do

Params: supportDetails, contractName, comments (POST)
Script: ContractDef.do

Param: organizationName (POST)
Script: VendorDef.do

Param: COMMENTS (POST)
Script: MarkUnavailability.jsp (MySchedule.do)

Attack string: “><script>alert(1)</script>

HTTP Header XSS:

Elements: referer, accept-language
Scripts: HomePage.do, MySchedule.do, WorkOrder.do

————
GET /HomePage.do HTTP/1.0
Accept: */*
User-Agent: joxy-poxy
Host: localhost:8080
Cookie: JSESSIONID=AD4D28ADDB611A3DE6EAC2C6B4C8808E;JSESSIONIDSSO=B1F6034451E9457EEEF3DA09BA424247
Connection: Close
accept-language: 1<script>alert(1)</script>
Pragma: no-cache
————

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php

PG eLMS Pro vDEC_2007_01 Multiple Remote Vulnerabilities (XSS/bSQLi)

XSS: Input passed via the ‘subject’, ‘name’, ‘email’ and ‘body’ parameters to the ‘contact_us.php’ script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

bSQLi: Input passed via the ‘lang_code’ GET parameter to index.php and login.php (handled in ‘/www/core/language.class.php’), and via the ‘login’ POST parameter to login.php, is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisory: ZSL-2011-5027, ZSL-2011-5028

docuFORM Mercury WebApp 6.16a/5.20 Multiple Cross-Site Scripting Vulnerabilities

The Mercury Web Application suffers from multiple XSS vulnerabilities when parsing user input passed through the GET parameter ‘this_url’ and the POST parameter ‘aa_sfunc’ in the f_state.php, f_list.php, f_job.php and f_header.php scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5010.php

TaskFreak! v0.6.4 Multiple Cross-Site Scripting Vulnerabilities

TaskFreak! suffers from multiple XSS vulnerabilities when parsing input to multiple parameters in different scripts. The vulnerable POST parameters are ‘sContext’, ‘sort’, ‘dir’ and ‘show’, passed through index.php. The GET parameters ‘dir’ and ‘show’ passed through ‘print_list.php’ are also vulnerable, and the ‘referer’ header variable is vulnerable through the rss.php script. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990.php