Posts Tagged ‘ application

Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Multiple stored XSS and CSRF vulnerabilities exist when parsing user input to several POST parameters. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site and/or execute arbitrary HTML and script code in a user’s browser session.

starkcrm_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5169.php

CloudFlare vs Incapsula: Round 2 – Comparative Penetration Testing Analysis Report

This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.



Direct download: http://zeroscience.mk/files/wafreport2013v2.pdf

Here’s a video to show some Blocks and Bypasses from both vendors:



Resin Application and Web Server 4.0.36 Multiple Vulnerabilities

Resin Application and Web Server The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘logout’ GET parameter in the ‘index.php’ script. URI-based XSS issue is also present and both of the vulnerabilities can be triggered once the user/admin is logged in (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Source code disclosure vulnerability is present in the mentioned software. The vulnerability is caused do to an improper sanitization of the ‘file’ parameter when used for reading help files. An attacker can exploit this vulnerability by directly requesting a ‘.jsp’ file for example in the root directory of the server to view its source code that might reveal sensitive information.

resinwebserver_scd

resin-xss1

Advisory ZSL-2013-5143: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php
Advisory ZSL-2013-5144: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5144.php

CloudFlare vs Incapsula vs ModSecurity – A Comparative Penetration Testing Analysis Report

This document contains the results of a comparative penetration test conducted by a team of security specialists at Zero Science Lab against three ‘leading’ web application firewall solutions. Our goal was to bypass security controls in place, in any way we can, circumventing whatever filters they have. This report also outlines the setup and configuration process, as well as a detailed security assessment.


Direct download: http://zeroscience.mk/files/wafreport2013.pdf

Update response:

Incapsula: http://www.incapsula.com/the-incapsula-blog/item/699-incapsula-pentested-review
ModSecurity: http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10035
CloudFlare: http://blog.cloudflare.com/heuristics-and-rules-why-we-built-a-new-old-waf

AbanteCart 1.1.3 (index.php) Multiple Reflected XSS Vulnerabilities

AbanteCart suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to ‘index.php’ script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5125.php

NVIDIA Install Application 2.1002.85.551 (NVI2.dll) Unicode Buffer Overflow PoC

The vulnerability is caused due to a boundary error in NVI2.DLL when handling the value assigned to the ‘pDirectory’ string variable in the ‘AddPackages’ function and can be exploited to cause a unicode buffer overflow by inserting an overly long array of data which may lead to execution of arbitrary code.
-Null pointer read-

There are more bugs in this driver package, several affecting kernelbase.dll.

Advisory ID: ZSL-2012-5116
Link: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5116.php

NASA Tri-Agency Climate Education (TrACE) Multiple Vulnerabilities

The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.

The application suffers from a reflected cross-site scripting vulnerability when input is passed to the ‘product_id’, ‘pi’, ‘project_id’ and ‘funder’ GET parameters in ‘trace_results.php’ script which is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. The application also suffers from an SQL Injection vulnerabilities when input is passed to the ‘product_id’ and ‘grade’ GET parameters in ‘trace_results.php’ script which is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5112.php

webgrind 1.0 (file param) Local File Inclusion Vulnerability

webgrind suffers from a file inlcusion vulnerability (LFI) when input passed thru the ‘file’ parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.


---------------------------
/index.php:
-----------
122: case 'fileviewer':
123: $file = get('file');
124: $line = get('line');
---------------------------

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php

Thanks to Michael Meyer, OpenVAS Project.

Manx cms.xml Multiple Vulnerabilities

(XSS) Input thru the GET parameters ‘limit’ and ‘search_folder’ in ‘ajax_get_file_listing.php’ are not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

(CRLF Injection/HTTP Response Splitting) Input passed to the POST parameter ‘editorChoice’ in ‘admin_blocks.php’ and ‘admin_pages.php’ and the POST parameter ‘theme’ in ‘admin_css.php’, ‘admin_js.php’ and ‘admin_templates.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

(LFI/DT) Input passed via the ‘fileName’ parameter thru the simplexml_load_file() function is not properly verified in ‘/admin/admin_blocks.php’ and ‘/admin/admin_pages.php’ (post-auth) before being used to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Advisories:
ZSL-2011-5058http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5058.php
ZSL-2011-5059http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php
ZSL-2011-5060http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5060.php

:):

Toko Lite CMS Multiple XSS POST Injection / CRLF Injection / HTTP Response Splitting

Toko CMS suffers from a XSS vulnerability when parsing user input to the ‘currPath’ and ‘path’ parameters via POST method in ‘editnavbar.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session. Input passed to the ‘charSet’ parameter in ‘edit.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

Advisory ID: ZSL-2011-5047
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php
PoC: http://www.zeroscience.mk/codes/tokocms_xss.txt

Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
PoC: http://www.zeroscience.mk/codes/tokocms_crlf.txt