Posts Tagged ‘ injection

Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Multiple stored XSS and CSRF vulnerabilities exist when parsing user input to several POST parameters. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site and/or execute arbitrary HTML and script code in a user’s browser session.

starkcrm_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5169.php

BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability

BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the ‘message’ POST parameter thru the ‘Notification Center’ extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

boxbilling_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php

Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability

Input passed via the ‘lang’ POST parameter in the newsletter plugin is not properly sanitised before being used to construct a XPath query for XML data. This can be exploited to manipulate XPath queries by injecting arbitrary XPath code.

ametys-xpath-injection

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php

Ovidentia 7.9.4 Multiple Remote Vulnerabilities

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

ovidentia-sqli2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php

Windu CMS 2.2 Multiple Stored XSS And CSRF Vulnerabilities

Windu CMS suffers from a cross-site request forgery vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Multiple stored XSS vulnerabilities exist when parsing user input to the ‘name’ and ‘username’ POST parameters. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisories:

Windu CMS 2.2 CSRF Add Admin Exploit
Windu CMS 2.2 Multiple Persistent Cross-Site Scripting Vulnerabilities

windu_xss

MTP Scripts Multiple Products Multiple Stored XSS Vulnerabilities

MTP Scripts offers three products: MTP Image Gallery, MTP Guestbook and MTP Poll. All of the products suffer from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability
MTP Guestbook 1.0 Multiple Remote Script Insertion Vulnerabilities
MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities

OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability

The vulnerability is caused due to the improper verification of uploaded files in ‘/library/openflashchart/php-ofc-library/ofc_upload_image.php’ script thru the ‘name’ parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.

OpenEMR Shell Upload

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php

Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities

Oracle OpenSSO suffers from multiple cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory ID: ZSL-2012-5114
Link: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5114.php

NASA Tri-Agency Climate Education (TrACE) Multiple Vulnerabilities

The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.

The application suffers from a reflected cross-site scripting vulnerability when input is passed to the ‘product_id’, ‘pi’, ‘project_id’ and ‘funder’ GET parameters in ‘trace_results.php’ script which is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. The application also suffers from an SQL Injection vulnerabilities when input is passed to the ‘product_id’ and ‘grade’ GET parameters in ‘trace_results.php’ script which is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5112.php

Oracle Identity Management 10g (username) XSS POST Injection Vulnerability

Oracle Identity Management suffers from a reflected XSS POST Injection vulnerability when parsing user input to the ‘username’ parameter via POST method thru ‘/usermanagement/forgotpassword/index.jsp’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

HTTP Request Headers:
----------------------

POST /usermanagement/forgotpassword/index.jsp HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3
iTaN0Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; ORA_WX_SESSION="6F35B41473025957B17F02F62855B522D4E22D7B-1#2";
Location=external; portal=9.0.3+en-us+us+AMERICA+CACA1F130AE0024EE043996B1DDC024E+
4D3F611B686669BF0BEC9DC4267652AC337EA1C5259A2168CF43540DE72E3BD5E
F1F589B40A6CD4E7007EB4D085EBD0681A1B2515CB22B5BED14922088
923D86B742E69FDA5D716C437D416C5F5B26049DC71083712AA9EA;
MODPLSQL_TRC=ReqId:11a179::PID:856d5bb0

btnSubmit=SUBMIT
username="><script>alert('XSS');</script>

HTTP Response Headers:
-----------------------

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: ORA_WX_SESSION="267FB4CAD2746E946102C01D527362A070E7D52C-1#2"; path=/
JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3iTaN0
Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; path=/usermanagement; secure
Location=external;path=/;
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.1 (N;ecid=216172960764121113,1)
Content-Length: 3198
Date: Fri, 28 Sep 2012 21:39:00 GMT

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5110.php