Posts Tagged ‘ remote

Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities

Anchor CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: “intext:Powered by Anchor, version 0.6

Advisory ID: ZSL-2012-5085
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5085.php

phpList 2.10.17 Remote SQL Injection and XSS Vulnerability

Input passed via the parameter ‘sortby’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param ‘num’ is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Vendor status:

[05.03.2012] Vulnerabilities discovered.
[19.03.2012] Submited details to the vendor’s bug tracking system.
[19.03.2012] Vendor investigates, confirms and fixes the issues.
[19.03.2012] Sent patch release coordination to the vendor.
[21.03.2012] Vendor releases version 2.10.18 to address these issues.
[21.03.2012] Coordinated public security advisory released.

Advisory ID: ZSL-2012-5081
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php

Vendor Advisory: https://www.phplist.com/?lid=567
https://mantis.phplist.com/view.php?id=16557

Promise WebPAM v2.2.0.13 Multiple Remote Vulnerabilities

Input passed via the parameters ‘entSortOrder’ and ‘entSort’ in ‘ent_i.jsp’ script are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The parameters ‘startTime’ and ‘endTime’ in ‘ent_i.jsp’ are vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site. The parameter ‘userID’ in ‘usr_ent.jsp’ and ‘usr_t.jsp’ is vulnerable to HTTP Response Splitting which can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

Advisory ID: ZSL-2012-5077
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5077.php

webgrind 1.0 (file param) Local File Inclusion Vulnerability

webgrind suffers from a file inlcusion vulnerability (LFI) when input passed thru the ‘file’ parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.


---------------------------
/index.php:
-----------
122: case 'fileviewer':
123: $file = get('file');
124: $line = get('line');
---------------------------

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php

Thanks to Michael Meyer, OpenVAS Project.

WampServer <= 2.2c (lang) Remote Cross-Site Scripting Vulnerability

WampServer is vulnerable to cross-site scripting vulnerability. This issue is due to the application’s failure to properly sanitize user-supplied input thru the ‘lang’ parameter (GET) in index.php script. An attacker may leverage any of the cross-site scripting issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials, phishing as well as other attacks.

Advisory ID: ZSL-2012-5072
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5072.php

Related Advisory ID: ZSL-2010-4926
Related Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4926.php

CVE-2010-0700: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0700
CWE-79: http://cwe.mitre.org/data/definitions/79.html

SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution

The vulnerability is caused due to the application loading libraries (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share.

Vendor releases patch for this issue: http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5071.php

Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

The PDF Printer Preferences ActiveX suffers from a buffer overflow vulnerability. When a large buffer is sent to the sub_path item of the StoreInRegistry function, and the sub_key item of the InitFromRegistry function, in pdfxctrl.dll module, we get a SEH overwrite. An attacker can gain access to the system of the affected node and execute arbitrary code.

Discovered on 25.01.2012 included in Mindjet MindManager 2012 for Windows version 10.0.493.

COMRaider Output:

-----------
Exception Code: ACCESS_VIOLATION
Disasm: 7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] (KERNEL32.dll)

Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 41414141

Called From Returns To
--------------------------------------------------
KERNEL32.7C834D8F pdfxctrl.1001D8E7
pdfxctrl.1001D8E7 41414141

Registers:
--------------------------------------------------
EIP 7C834D8F -> Asc: SOFTWARE\Tracker Software\pdf
EAX 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBX 00000003
ECX 0000008C
EDX 00001815
EDI 0013FFFD -> 41000000
ESI 0013CD74 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B780 -> 0013EDE4
ESP 0013B75C -> 0000302A -> Uni: *0*0

Block Disassembly:
--------------------------------------------------
7C834D82 MOV CL,[EDI+1]
7C834D85 INC EDI
7C834D86 TEST CL,CL
7C834D88 JNZ SHORT 7C834D82
7C834D8A MOV ECX,EDX
7C834D8C SHR ECX,2
7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH 7C834D91 MOV ECX,EDX 7C834D93 AND ECX,3 7C834D96 REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI] 7C834D98 OR DWORD PTR [EBP-4],FFFFFFFF 7C834D9C CALL 7C802511 7C834DA1 RETN 8 7C834DA4 NOP 7C834DA5 NOP ArgDump: -------------------------------------------------- EBP+8 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBP+12 0013B790 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 41414141
EBP+20 41414141
EBP+24 41414141
EBP+28 41414141

Stack Dump:
--------------------------------------------------
13B75C 2A 30 00 00 84 63 18 00 03 00 00 00 5C B7 13 00 [.....c......\...]
13B76C 2A 30 00 00 AC F1 13 00 C0 9A 83 7C A8 4D 83 7C [.............M..]
13B77C 00 00 00 00 E4 ED 13 00 E7 D8 01 10 E0 E9 13 00 [................]
13B78C 90 B7 13 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13B79C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]

-----------

CompanyName Tracker Software Products
FileDescription PDF Printer Preferences ActiveX
FileVersion 3.60.0128
InternalName pdfxctrl.dll
LegalCopyright Copyright © 2001-2006 by Tracker Software Products
OriginalFileName pdfxctrl.dll
ProductName Tracker Software Products pdfxctrl.PdfPrinterPreferences ActiveX
ProductVersion 3.60

Advisory ID: ZSL-2012-5067 (Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH))
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php

Limny 3.0.1 (login.php) Remote URI Based Cross-Site Scripting Vulnerability

Limny suffers from a XSS issue in ‘/admin/login.php’ that uses the ‘PHP_SELF’ variable. The vulnerability is present because there isn’t any filtering to the mentioned variable in the affected script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

——————————————————————————–

/admin/login.php
----------------
100: <form name="limny_login" action="<?php print $_SERVER['PHP_SELF']; ?>" method="post">

——————————————————————————–

Advisory: ZSL-2012-5066

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5066.php

SopCast 3.4.7.45585 Multiple Vulnerabilities

SopCast suffers from a stack-based buffer overflow vulnerability when parsing the user input using the SoP protocol in sopocx.ocx module allowing the attacker to gain system access and execute arbitrary code on the affected machine. The issue is triggered when adding 514 bytes of string to the sop:// protocol (GET), causing the app to open the link (channel) and crashing. The application will crash even with ‘sop://[anything]’ because it fails to properly sanitize and handle the uri segment, but with exactly 514 bytes the stack gets overflowed, poping out the Buffer Overrun error box. Unsuccessful atempts causes denial of service scenario. You can also edit the ‘<address>’ element in the favorites.xml file as the attack vector.

SopCast is also vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the ‘F’ flag (full control) for the ‘Everyone’ group, for the ‘Diagnose.exe’ binary file which is bundled with the SopCast installation package.

Advisories:

ZSL-2011-5062SopCast 3.4.7 (Diagnose.exe) Improper Permissions
ZSL-2011-5063SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC

SetSeed CMS 5.8.20 (loggedInUser) Remote SQL Injection Vulnerability

SetSeed CMS is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the vulnerable script using the cookie input ‘loggedInUser’, which could allow the attacker to view, add, modify or delete information in the back-end database.

———
GET /setseed-hub/ HTTP/1.1
Cookie: loggedInKey=PYNS9QVWLEBG1E7C9UFCT674DYNW9YJ; loggedInUser=1%27; PHPSESSID=d6qiobigb5204mkuvculibhgd4
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

HTTP/1.1 200 OK
Date: Wed, 02 Nov 2011 15:39:39 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Content-Length: 150
Keep-Alive: timeout=5, max=62
Connection: Keep-Alive
Content-Type: text/html

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the
right syntax to use near ”1”’ at line 1

———

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5053.php