Posts Tagged ‘ mysql

BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability

BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the ‘message’ POST parameter thru the ‘Notification Center’ extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

boxbilling_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php

LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

LimeSurvey suffers from a stored cross-site scripting and SQL Injection vulnerability. Input passed to the ‘label_name’ POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Input passed to the ‘group_name’ POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

limesurvey-sql

Advisory [ZSL-2013-5161]:
LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

Vendor patch:
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13491
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13494
http://www.limesurvey.org/en/stable-release

ImpressPages CMS 3.6 Multiple Vulnerabilities (XSS/SQLi/FD/RCE)

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Input passed to the ‘files[0][file]’ parameter in ‘/ip_cms/modules/administrator/repository/controller.php’ is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.

The RCE vulnerability is caused due to the improper verification of uploaded files in ‘/ip_cms/modules/developer/config_exp_imp/manager.php’ script thru the ‘manage()’ function (@line 65) when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in ‘/file/tmp’ directory after successful injection. Permission Developer[Modules exp/imp] is required (parameter ‘i_n_2[361]’ = on) for successful exploitation.

impresspages-linux-exploit44

impresspages-rce44

Advisories:

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php

ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php

ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/

WordPress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability

The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘hide-wc-extensions-message’ parameter in the ‘admin/woocommerce-admin-settings.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

woocommerce_xss2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5156.php

Ovidentia 7.9.4 Multiple Remote Vulnerabilities

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

ovidentia-sqli2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php

Gnew v2013.1 Multiple XSS And SQL Injection Vulnerabilities

Gnew 2013.1 suffers from multiple cross-site scripting and sql injection vulnerabilities. Input passed via several parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5153.php

FluxBB 1.5.3 Multiple Remote Vulnerabilities

FluxBB suffers from a cross-site scripting, cross-site request forgery and URL redirect vulnerability. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed via the ‘redirect_url’ parameter in ‘misc.php’ script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. It also fails to properly sanitize user-supplied input to the ‘form[board_title]’ POST parameter in the ‘admin_options.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

fluxbb_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5150.php

Qool CMS v2.0 RC2 Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities

Qool CMS suffers from multiple persistent cross-site scripting vulnerabilities. The issues are triggered when input passed via several POST parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Also, Qool CMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Qool CMS XSS

Advisory ZSL-2013-5133: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php
Advisory ZSL-2013-5134: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5134.php

MTP Scripts Multiple Products Multiple Stored XSS Vulnerabilities

MTP Scripts offers three products: MTP Image Gallery, MTP Guestbook and MTP Poll. All of the products suffer from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability
MTP Guestbook 1.0 Multiple Remote Script Insertion Vulnerabilities
MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities

Squirrelcart v3.5.4 (table) Remote Cross-Site Scripting Vulnerability

Squirrelcart suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘table’ GET parameter in the ‘index.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Squirrelcart XSS

Vendor:

Squirrelcart Security Patch #SC130218
Release date: 02/19/2013

XSS (Cross Site Scripting) vulnerability patch
Affected Squirrelcart versions: v2.0.0 – 3.5.4

How to find your version number:
———————————————————————
You can locate your Squirrelcart version in the upper right hand corner of your control panel.

Patch Info and Instructions
———————————————————————
This is a patch for protecting against a XSS (Cross Site Scripting) vulnerability that was discovered on 02/19/2013 by Zero Science Lab:
http://www.zeroscience.mk/. This vulnerability is due to the table parameter passed in the control panel not being sanitized properly,
and can result in HTML or Javascript being inserted into the page.

http://www.squirrelcart.com/downloads.php
http://www.squirrelcart.com/index.php?downloads=1&id=123

ZSL Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5128.php