Posts Tagged ‘ remote

Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Multiple stored XSS and CSRF vulnerabilities exist when parsing user input to several POST parameters. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site and/or execute arbitrary HTML and script code in a user’s browser session.

starkcrm_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5169.php

NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability

The application suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the ‘id’ GET parameter in the ‘locdelete’ (JSP) script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

inventoria_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5167.php

ACE Stream Media 2.1 (acestream://) Format String Exploit PoC

ACE Stream Media (Ace Player HD) is prone to a remote format string vulnerability because the application fails to properly sanitize user-supplied input thru the URI using the ‘acestream://’ protocol before including it in the format-specifier argument of a formatted-printing function. A remote attacker may exploit this issue to execute arbitrary code with the privileges of the user running the affected application and/or cause memory address disclosure. Failed exploit attempts may cause denial-of-service (DoS) conditions.

aceplayercrash

acestream

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php

BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability

BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the ‘message’ POST parameter thru the ‘Notification Center’ extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

boxbilling_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php

Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability

Input passed via the ‘lang’ POST parameter in the newsletter plugin is not properly sanitised before being used to construct a XPath query for XML data. This can be exploited to manipulate XPath queries by injecting arbitrary XPath code.

ametys-xpath-injection

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php

LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

LimeSurvey suffers from a stored cross-site scripting and SQL Injection vulnerability. Input passed to the ‘label_name’ POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Input passed to the ‘group_name’ POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

limesurvey-sql

Advisory [ZSL-2013-5161]:
LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

Vendor patch:
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13491
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13494
http://www.limesurvey.org/en/stable-release

ImpressPages CMS 3.6 Multiple Vulnerabilities (XSS/SQLi/FD/RCE)

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Input passed to the ‘files[0][file]’ parameter in ‘/ip_cms/modules/administrator/repository/controller.php’ is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.

The RCE vulnerability is caused due to the improper verification of uploaded files in ‘/ip_cms/modules/developer/config_exp_imp/manager.php’ script thru the ‘manage()’ function (@line 65) when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in ‘/file/tmp’ directory after successful injection. Permission Developer[Modules exp/imp] is required (parameter ‘i_n_2[361]’ = on) for successful exploitation.

impresspages-linux-exploit44

impresspages-rce44

Advisories:

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php

ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php

ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/

WordPress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability

The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘hide-wc-extensions-message’ parameter in the ‘admin/woocommerce-admin-settings.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

woocommerce_xss2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5156.php

Ovidentia 7.9.4 Multiple Remote Vulnerabilities

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

ovidentia-sqli2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php

Gnew v2013.1 Multiple XSS And SQL Injection Vulnerabilities

Gnew 2013.1 suffers from multiple cross-site scripting and sql injection vulnerabilities. Input passed via several parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5153.php