Posts Tagged ‘ patch

Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities

Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session or disclose the full installation path of the affected CMS.

——————————————————————————–

Reflected (Non-Persistent) XSS:

1. username
2. password
3. verification_code
4. email_address
5. password_verify
6. firstname
7. lastname

Stored (Persistent) XSS:

8. groupname
9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description

——————————————————————————–

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5086.php
Vendor: http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html

2012
05/02
POSTED BY
CATEGORY
Internal
Comments Off

Zend Optimizer 3.3.3 (Windows) Insecure Permissions

The Zend Optimizer package for Windows is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the library file with a binary of choice. The vulnerability exist due to the improper permissions, with the ‘F’ flag (full control) for the ‘Everyone’ group, for the ‘ZendExtensionManager.dll’ library file and ‘ZendOptimizer.dll’ which are bundled with the Zend Optimizer (Runtime for PHP 5.2 and earlier) installation package.


C:\Program Files\Zend\ZendOptimizer-3.3.0\lib>cacls ZendExtensionManager.dll
C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\ZendExtensionManager.dll Everyone:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
TESTPC\TESTUSER:F

C:\Program Files\Zend\ZendOptimizer-3.3.0\lib>cd Optimizer-3.3.0\php-5.2.x

C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x>cacls ZendOptimizer.dll
C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x\ZendOptimizer.dll Everyone:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
TESTPC\TESTUSER:F

C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x>

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php

2012
04/03
POSTED BY
CATEGORY
Internal
Comments Off

phpList 2.10.17 Remote SQL Injection and XSS Vulnerability

Input passed via the parameter ‘sortby’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param ‘num’ is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Vendor status:

[05.03.2012] Vulnerabilities discovered.
[19.03.2012] Submited details to the vendor’s bug tracking system.
[19.03.2012] Vendor investigates, confirms and fixes the issues.
[19.03.2012] Sent patch release coordination to the vendor.
[21.03.2012] Vendor releases version 2.10.18 to address these issues.
[21.03.2012] Coordinated public security advisory released.

Advisory ID: ZSL-2012-5081
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php

Vendor Advisory: https://www.phplist.com/?lid=567
https://mantis.phplist.com/view.php?id=16557

2012
03/21
POSTED BY
CATEGORY
Internal
Comments Off

Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities

Zend Server and its components suffers from a cross-site scripting vulnerability. The persistent (stored) XSS issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Original Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
TXT: http://www.zeroscience.mk/codes/zend_s03.txt
HTML: http://www.zeroscience.mk/codes/zend_s03.html

Vendor: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt

2012
03/10
POSTED BY
CATEGORY
Internal
Comments Off

SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution

The vulnerability is caused due to the application loading libraries (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share.

Vendor releases patch for this issue: http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5071.php

2012
02/08
POSTED BY
CATEGORY
Internal
Comments Off

vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities

vtiger CRM suffers from a XSS vulnerability when parsing user input to the ‘_operation’ and ‘search’ parameters via GET method in ‘/modules/mobile/index.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2011-5052
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5052.php

Vendor: http://wiki.vtiger.com/index.php/Vtiger530:Release_Notes

GHDB: http://www.exploit-db.com/ghdb/3737/

2011
10/26
POSTED BY
CATEGORY
Internal
Comments Off

Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities

Input passed via the parameters ‘redirect.php’ in ‘message.php’ and ‘w’ and ‘d’ in ‘index.php’ script are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code or execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Path disclosure resides in the ‘sq’ parameter in ‘/plugins/search/search.php’ script.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5051.php

2011
10/10
POSTED BY
CATEGORY
Internal
Comments Off

Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities

Photoshop Elements 8 suffers from a buffer overflow vulnerability when dealing with .ABR (brushes) and .GRD (gradients) format files. The application fails to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code on the affected system or denial of service scenario.

Tested on:
———-
Microsoft Windows XP Professional Service Pack 3 (English)

Vulnerability discovered by:
—————————-
Gjoko ‘LiquidWorm’ Krstic
Zero Science Lab (http://www.zeroscience.mk)
liquidworm gmail com

Vendor status:
————–
[22.09.2009] Vulnerabilities discovered.
[09.03.2010] Sent detailed info to the vendor with PoC files.
[09.03.2010] Vendor responds with assigned tracking numbers of the issues.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor replies confirming the vulnerabilities.
[03.06.2011] Asked vendor for scheduled patch release date.
[05.06.2011] Vendor replies with a scheduled timeframe.
[02.09.2011] Asked vendor for an exact patch release date.
[03.09.2011] Vendor replies.
[09.09.2011] Asked vendor for assigned advisory ID.
[10.09.2011] Vendor tags their Adobe Advisory ID: APSA11-03.
[01.10.2011] Coordinated public security advisory released.

Advisory details:
—————–
Advisory ID: ZSL-2011-5049
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5049.php

Adobe Advisory ID: APSA11-03
Adobe Advisory URL: http://www.adobe.com/support/security/advisories/apsa11-03.html
Adobe PSIRT ID: 447,448

CVE ID: CVE-2011-2443
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2443

CWE ID: CWE-120
CWE URL: http://cwe.mitre.org/data/definitions/120.html

REF #1: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php
REF #2: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php

Proof Of Concept:
—————–
http://www.zeroscience.mk/codes/brush_gradiently.rar (11071 bytes)

2011
10/01
POSTED BY
CATEGORY
Internal
Comments Off

ManageEngine ServiceDesk Plus 8.0 Multiple Stored XSS Vulnerabilities

The application suffers from multiple stored XSS vulnerabilities. Input thru several parameters is not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site. Also, couple of HTTP header elements are vulnerable to XSS. Vendor issued a patch to address these issues.

Stored XSS (post-auth):

Param: reqName (POST)
Scripts: WorkOrder.do, Problems.cc, AddNewProblem.cc, ChangeDetails.cc (http://localhost:8080/common/UpdateField.jsp)

Params: reqName, description, level, priority, category, title, attach (POST)
Script: WorkOrder.do

Params: keywords, comments (POST)
Script: AddSolution.do

Params: supportDetails, contractName, comments (POST)
Script: ContractDef.do

Param: organizationName (POST)
Script: VendorDef.do

Param: COMMENTS (POST)
Script: MarkUnavailability.jsp (MySchedule.do)

Attack string: “><script>alert(1)</script>

HTTP Header XSS:

Elements: referer, accept-language
Scripts: HomePage.do, MySchedule.do, WorkOrder.do

————
GET /HomePage.do HTTP/1.0
Accept: */*
User-Agent: joxy-poxy
Host: localhost:8080
Cookie: JSESSIONID=AD4D28ADDB611A3DE6EAC2C6B4C8808E;JSESSIONIDSSO=B1F6034451E9457EEEF3DA09BA424247
Connection: Close
accept-language: 1<script>alert(1)</script>
Pragma: no-cache
————

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php

2011
08/23
POSTED BY
CATEGORY
Internal
Comments Off

TCExam Multiple Remote Vulnerabilities + Patch

TCExam bellow version 11.2.012 is vulnerable to multiple XSS and SQL Injection attack. Update to version 11.2.012!

TCExam version 11.02.009, 11.2.010 and 11.2.011 tested.

********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) **********

1. /admin/code/tce_colorpicker.php (frm, fld, tag) – GET
2. /admin/code/tce_edit_backup.php (backup_file) – POST
3. /admin/code/tce_edit_group.php (group_name, group_id) – POST
4. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
5. /admin/code/tce_edit_rating.php (test_id) – POST
6. /admin/code/tce_edit_subject.php (subject_module_id, subject_id) – POST
7. /admin/code/tce_edit_test.php (test_id) – POST
8. /admin/code/tce_filemanager.php (file) – POST
9. /admin/code/tce_select_mediafile.php (frm, fld, file) – GET, GET, POST
10. /admin/code/tce_select_users.php (new_group_id) – POST
11. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
12. /admin/code/tce_show_result_user.php (test_id) – POST
13. /public/code/tce_user_change_email.php (xl_user_email) – POST
14. /public/code/tce_user_change_password.php (xl_newpassword) – POST
15. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

********** Cross-Site Scripting URI Based (script name) **********

1. /admin/code/index.php
2. /admin/code/tce_csv_users.php
3. /admin/code/tce_edit_answer.php
4. /admin/code/tce_edit_backup.php
5. /admin/code/tce_edit_group.php
6. /admin/code/tce_edit_module.php
7. /admin/code/tce_edit_question.php
8. /admin/code/tce_edit_rating.php
9. /admin/code/tce_edit_subject.php
10. /admin/code/tce_edit_test.php
11. /admin/code/tce_edit_user.php
12. /admin/code/tce_filemanager.php
13. /admin/code/tce_import_omr_answers.php
14. /admin/code/tce_import_xml_questions.php
15. /admin/code/tce_import_xml_users.php
16. /admin/code/tce_menu_modules.php
17. /admin/code/tce_menu_tests.php
18. /admin/code/tce_menu_users.php
19. /admin/code/tce_page_info.php
20. /admin/code/tce_select_mediafile.php
21. /admin/code/tce_select_users.php
22. /admin/code/tce_show_all_questions.php
23. /admin/code/tce_show_allresults_users.php
24. /admin/code/tce_show_online_users.php
25. /admin/code/tce_show_result_allusers.php
26. /admin/code/tce_show_result_questions.php
27. /admin/code/tce_show_result_user.php
28. /admin/code/tce_xml_users.php
29. /public/code/index.php
30. /public/code/tce_page_user.php
31. /public/code/tce_user_change_email.php
32. /public/code/tce_user_change_password.php
33. /public/code/tce_user_registration.php

********** Cross-Site Scripting in path (script name) **********

1. /admin/code
2. /public/code

********** SQL Injection (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
3. /admin/code/tce_edit_rating.php (test_id) – POST
4. /admin/code/tce_edit_subject.php (subject_module_id) – POST
5. /admin/code/tce_edit_test.php (test_id) – POST
6. /admin/code/tce_select_users.php (new_group_id) – POST
7. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
8. /admin/code/tce_show_result_questions.php (orderdir, order_field) – POST, GET
9. /admin/code/tce_show_result_user.php (test_id) – POST

********** Possible Cookie Manupulation (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

Advisory ZSL-2011-5025: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php
Advisory: ZSL-2011-5026: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5026.php

2011
07/13
POSTED BY
CATEGORY
Internal
Comments Off

Rete Mirabilia

Site Meter