Posts Tagged ‘ fix

LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

LimeSurvey suffers from a stored cross-site scripting and SQL Injection vulnerability. Input passed to the ‘label_name’ POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Input passed to the ‘group_name’ POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

limesurvey-sql

Advisory [ZSL-2013-5161]:
LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

Vendor patch:
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13491
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13494
http://www.limesurvey.org/en/stable-release

ImpressPages CMS 3.6 Multiple Vulnerabilities (XSS/SQLi/FD/RCE)

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Input passed to the ‘files[0][file]’ parameter in ‘/ip_cms/modules/administrator/repository/controller.php’ is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.

The RCE vulnerability is caused due to the improper verification of uploaded files in ‘/ip_cms/modules/developer/config_exp_imp/manager.php’ script thru the ‘manage()’ function (@line 65) when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in ‘/file/tmp’ directory after successful injection. Permission Developer[Modules exp/imp] is required (parameter ‘i_n_2[361]’ = on) for successful exploitation.

impresspages-linux-exploit44

impresspages-rce44

Advisories:

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php

ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php

ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/

Atlassian JIRA v6.0.3 Arbitrary HTML/Script Execution Vulnerability

JIRA suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the ‘name’ GET parameter in the ‘deleteuserconfirm.jsp’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php

jira_credits

jira2_xss

jira-workflow

Cisco.com закрпен од XSS ранливост

Ранливост од типот XSS (Cross-Site Scripting) беше пронајдена на еден од под-домените на Cisco официјалната страница. Пронајдената ранливост (23.04.2013) веднаш беше пријавена до безбедносниот тим на Cisco кадешто одговорија веднаш и стапија во соработка со Zero Science Lab за креирање на закрпа.

Закрпата е имплементирана од 15 јули, 2013 година. Поздрав до Cisco Emergency Response Team ;]

cisco_xss1

OpenEMR 4.1.1 (site param) Remote XSS Vulnerability

OpenEMR suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘site’ GET parameter in the central ‘globals.php’ script which is called by every script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5129.php

Vendor: http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

Joomla Incapsula Component 1.4.6_b Reflected Cross-Site Scripting Vulnerability

The Joomla Incapsula component suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘token’ GET parameter in the ‘Security.php’ and ‘Performance.php’ scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

incapsula1xss

incapsula2xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5121.php

ViArt Shop Multiple Vulnerabilities

ViArt Shop suffers from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Also, the software suffers from remote arbitrary command execution vulnerability when input passed to the ‘DATA’ POST parameter in ‘sips_response.php’ is not properly sanitised before being used to process product payment data. This can be exploited to execute arbitrary commands via specially crafted requests.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5108.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5109.php

IBM System Storage DS Storage Manager Profiler Multiple Vulnerabilities

IBM System Storage DS Storage Manager Profiler suffers from an SQL Injection and a Cross-Site Scripting (XSS) vulnerability. Input passed via the GET parameter ‘selectedModuleOnly’ in ‘ModuleServlet.do’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The GET parameter ‘updateRegn’ in the ‘SoftwareRegistration.do’ script is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

ZSL Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

IBM Advisory: https://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172

Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow

The vulnerability is caused due to a boundary error in the processing of a playlist file, which can be exploited to cause a heap based buffer overflow when a user opens e.g. a specially crafted .M3U file. Successful exploitation could allow execution of arbitrary code on the affected node.

 

Apple: http://support.apple.com/kb/HT5318
ZSL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php

TXT: http://www.zeroscience.mk/codes/itunes_bof.txt

PyroCMS 2.1.1 CRLF Injection And Stored XSS Vulnerability

PyroCMS suffers from a stored XSS and HTTP Response Splitting vulnerability when parsing user input to the ‘title’ and ‘redirect_to’ parameters via POST method thru ‘index.php’ script. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session or insert arbitrary HTTP headers, which are included in a response sent to the user.

 

 

 

 

Advisory ID: ZSL-2012-5092
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5092.php