Posts Tagged ‘advisory’

AbanteCart 1.1.3 (index.php) Multiple Reflected XSS Vulnerabilities

AbanteCart suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to the ‘index.php’ script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5125.php

Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation Vulnerability

The Aloaha Credential Provider Service is vulnerable to an elevation of privileges vulnerability which can be exploited by an unprivileged user who can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the ‘F’ flag (full) for the ‘Everyone’ group, on the ‘AloahaCredentialProviderService.exe’ binary file. The service was shipped with Aloaha PDF Saver and possibly every SmartCard Software package from Aloaha. The files are installed in the ‘Wrocklage’ directory, which has the Everyone group assigned to it with full permissions, making every single file inside vulnerable to change by any user on the affected machine. After you replace the binary with your rootkit, on reboot you get SYSTEM privileges.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5124.php

phlyLabs phlyMail Lite 4.03.04 Multiple Vulnerabilities (XSS, PD, Open Redirect)

phlyMail suffers from multiple stored XSS vulnerabilities (post-auth) and Path Disclosure when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site and to display the full webapp installation path.

Input passed via the ‘go’ parameter in the ‘derefer.php’ script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

Advisories:

[ZSL-2013-5123] phlyLabs phlyMail Lite 4.03.04 (go param) Open Redirect Vulnerability
[ZSL-2013-5122] phlyLabs phlyMail Lite 4.03.04 Path Disclosure and Stored XSS Vulnerabilities

Joomla Incapsula Component 1.4.6_b Reflected Cross-Site Scripting Vulnerability

The Joomla Incapsula component suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the ‘token’ GET parameter in the ‘Security.php’ and ‘Performance.php’ scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.


Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5121.php

Sony PC Companion Multiple Stack-based Buffer Overflow Vulnerabilities

The vulnerabilities are caused by a boundary error in several .dll libraries when handling the value assigned to different functions and can be exploited to cause a stack-based buffer overflow via an overly long string, which may lead to execution of arbitrary code on the affected machine.


Advisories:

Sony PC Companion 2.1 (Admin_RemoveDirectory()) Stack-based Unicode Buffer Overload
Sony PC Companion 2.1 (CheckCompatibility()) Stack-based Unicode Buffer Overload
Sony PC Companion 2.1 (Load()) Stack-based Unicode Buffer Overload SEH
Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overload SEH

t00t

NVIDIA Install Application 2.1002.85.551 (NVI2.dll) Unicode Buffer Overflow PoC

The vulnerability is caused by a boundary error in NVI2.DLL when handling the value assigned to the ‘pDirectory’ string variable in the ‘AddPackages’ function and can be exploited to cause a Unicode buffer overflow by inserting an overly long array of data, which may lead to execution of arbitrary code.
-Null pointer read-

There are more bugs in this driver package, several affecting kernelbase.dll.

Advisory ID: ZSL-2012-5116
Link: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5116.php

Axis Commerce 0.8.7.2 Remote Script Insertion Vulnerabilities

Axis Commerce suffers from multiple stored XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5115.php

Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities

Oracle OpenSSO suffers from multiple cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Advisory ID: ZSL-2012-5114
Link: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5114.php

PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability

PRADO Framework suffers from an arbitrary file read vulnerability. Input passed to the ‘sr’ parameter in ‘functional_tests.php’ is not properly sanitised before being used to get the contents of a resource. This can be exploited to read arbitrary data from local resources with a directory traversal attack.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5113.php

NASA Tri-Agency Climate Education (TrACE) Multiple Vulnerabilities

The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.

The application suffers from a reflected cross-site scripting vulnerability when input passed to the ‘product_id’, ‘pi’, ‘project_id’ and ‘funder’ GET parameters in the ‘trace_results.php’ script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. The application also suffers from SQL injection vulnerabilities when input passed to the ‘product_id’ and ‘grade’ GET parameters in the ‘trace_results.php’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5112.php