Posts Tagged ‘multiple’

IBM System Storage DS Storage Manager Profiler Multiple Vulnerabilities

IBM System Storage DS Storage Manager Profiler suffers from an SQL Injection and a Cross-Site Scripting (XSS) vulnerability. Input passed via the GET parameter ‘selectedModuleOnly’ in the ‘ModuleServlet.do’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The GET parameter ‘updateRegn’ in the ‘SoftwareRegistration.do’ script is vulnerable to an XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

ZSL Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

IBM Advisory: https://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172

Artiphp CMS v5.5.0 Multiple XSS POST Injection Vulnerabilities

Artiphp CMS suffers from multiple cross-site scripting vulnerabilities via several parameters passed through the POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5090
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5090.php

PoC (POST request, followed by the submitted form parameters as name/value pairs):

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post "onmouseover=prompt(1) joxy
adresse_destinataire
adresse_expediteur lab%40zeroscience.mk
asciiart_post "onmouseover=prompt(2) joxy
expediteur "onmouseover=prompt(3) joxy
message Hello%20World
message1 %ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send Send
titre_sav "onmouseover=prompt(4) joxy
url_sav http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561 "onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920 2

BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities

BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via the GET and POST methods (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: footer: “powered by BGS CMS”

Advisory ID: ZSL-2012-5084
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php

Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities

Zend Server and its components suffer from cross-site scripting vulnerabilities. The persistent (stored) XSS issues are triggered when input passed via several parameters to several scripts is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Original Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
TXT: http://www.zeroscience.mk/codes/zend_s03.txt
HTML: http://www.zeroscience.mk/codes/zend_s03.html

Vendor: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt

Promise WebPAM v2.2.0.13 Multiple Remote Vulnerabilities

Input passed via the parameters ‘entSortOrder’ and ‘entSort’ in the ‘ent_i.jsp’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The parameters ‘startTime’ and ‘endTime’ in ‘ent_i.jsp’ are vulnerable to an XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. The parameter ‘userID’ in ‘usr_ent.jsp’ and ‘usr_t.jsp’ is vulnerable to HTTP Response Splitting, which can be exploited to insert arbitrary HTTP headers into a response sent to the user.

Advisory ID: ZSL-2012-5077
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5077.php

ManageEngine ADManager Plus 5.2 Multiple XSS Vulnerabilities

ADManager Plus suffers from multiple XSS vulnerabilities when parsing user input to the ‘domainName’ parameter in the ‘/jsp/AddDC.jsp’ script via the GET method and the ‘operation’ parameter in the ‘/DomainConfig.do’ script via the POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

PoC(s):

#1

– GET http://localhost:8080/jsp/AddDC.jsp?domainName="><script>alert('zsl')</script> HTTP/1.1

#2

– POST http://localhost:8080/DomainConfig.do?methodToCall=save HTTP/1.1

– DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation="><script>alert('zsl')</script>&reset=

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5070.php

Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities

MindManager suffers from several vulnerabilities in components bundled with the package. Several OCX and DLL libraries from 3rd-party software (glg.ocx, officeviewermme.ocx, pdfxctrl.dll, vsflex8n.ocx and ChartFX.ClientServer.Core.dll) are vulnerable to buffer overflow and denial of service (in Internet Explorer). The application is also vulnerable to insecure library loading, for every file extension it handles, through ssgp.dll and dwmapi.dll.

Advisory ID: ZSL-2012-5068
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5068.php

Infoproject Biznis Heroj Multiple Vulnerabilities

Infoproject Biznis Heroj (XSS/SQLi) Multiple Remote Vulnerabilities

Input passed via the parameter ‘filter’ in the ‘widget.dokumenti_lista.php’ script and ‘fin_nalog_id’ in the ‘nalozi_naslov.php’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The parameter ‘config’ in ‘nalozi_naslov.php’ and ‘widget.dokumenti_lista.php’ is vulnerable to an XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Infoproject Biznis Heroj (login.php) Authentication Bypass Vulnerability

The vulnerability is caused by an error in the logon authentication script (login.php) and can be exploited to bypass the login procedure by supplying SQL Injection payloads in the ‘username’ and ‘password’ POST parameters, gaining admin privileges.

Manx cms.xml Multiple Vulnerabilities

(XSS) Input passed via the GET parameters ‘limit’ and ‘search_folder’ in ‘ajax_get_file_listing.php’ is not sanitised, allowing the attacker to execute arbitrary HTML and script code in a user’s browser session on the affected site.

(CRLF Injection/HTTP Response Splitting) Input passed to the POST parameter ‘editorChoice’ in ‘admin_blocks.php’ and ‘admin_pages.php’ and the POST parameter ‘theme’ in ‘admin_css.php’, ‘admin_js.php’ and ‘admin_templates.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

(LFI/DT) Input passed via the ‘fileName’ parameter to the simplexml_load_file() function is not properly verified in ‘/admin/admin_blocks.php’ and ‘/admin/admin_pages.php’ (post-auth) before being used to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Advisories:
ZSL-2011-5058: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5058.php
ZSL-2011-5059: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php
ZSL-2011-5060: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5060.php

Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability

The CMS suffers from multiple XSS vulnerabilities. Input passed via the POST parameters ‘SITE_NAME’ (stored) and ‘return’ (reflected) and the GET parameter ‘search’ (reflected) through Hotaru.php is not sanitised, allowing the attacker to execute arbitrary HTML and script code in a user’s browser session on the affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5057.php