Posts Tagged ‘remote’

Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities

Input passed via the ‘redirect.php’ parameter in ‘message.php’ and the ‘w’ and ‘d’ parameters in ‘index.php’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, or to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. A path disclosure issue resides in the ‘sq’ parameter of the ‘/plugins/search/search.php’ script.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5051.php
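The SQL side of the issue above comes down to how the request parameter reaches the query. The following is an added example, not Cotonti code: it uses Python's sqlite3 with a constructed three-row table (the table name, column names and rows are all assumed) to contrast a query built from the parameter's text with one that binds the parameter as a value. The unsafe lookup breaks on any value that contains a quote, which is exactly the property injection relies on; the bound version treats the same value as data.

```python
import sqlite3


def make_db():
    """Constructed sample data (not Cotonti's schema): three messages, one user with a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, username TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (username, body) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "private note"), ("o'hara", "apostrophe user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the request parameter becomes part of the SQL text.
    A quote in `username` ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT body FROM messages WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened pattern: a bound parameter. The driver passes the value separately,
    so quotes (or anything else) in `username` can never change the statement."""
    rows = conn.execute("SELECT body FROM messages WHERE username = ?", (username,))
    return [row[0] for row in rows]


def compare(username):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.OperationalError as exc:  # the statement's structure was altered by the input
        unsafe = "SQL error: %s" % exc
    return {"unsafe": unsafe, "safe": lookup_safe(conn, username)}


if __name__ == "__main__":
    print(compare("alice"))    # both lookups agree
    print(compare("o'hara"))   # only the bound query survives the quote
```

The point of the legitimate user "o'hara" is that a query built by string concatenation fails on ordinary data long before anyone attacks it; the fix (bound parameters, or the prepared-statement API of whatever database layer the application uses) removes both the bug and the injection in one change.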

Toko Lite CMS Multiple XSS POST Injection / CRLF Injection / HTTP Response Splitting

Toko CMS suffers from an XSS vulnerability when parsing user input to the ‘currPath’ and ‘path’ parameters via the POST method in ‘editnavbar.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session. Input passed to the ‘charSet’ parameter in ‘edit.php’ is not properly sanitised before being returned to the user in a response header. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

Advisory ID: ZSL-2011-5047
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php
PoC: http://www.zeroscience.mk/codes/tokocms_xss.txt

Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
PoC: http://www.zeroscience.mk/codes/tokocms_crlf.txt
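The CRLF issue above works because the server copies the parameter into a header line and the client splits headers on CRLF. The following added example (not Toko CMS code) shows the mechanism from the defender's side in Python: a naive header builder, a client-style header parser that reveals the extra header line such a value produces, and a hardened builder that refuses control characters and anything outside a charset allowlist. The header names and the allowlist contents are assumptions for the example.

```python
import re

# Characters that must never appear inside a header value: CR, LF and NUL.
_CTL = re.compile(r"[\r\n\x00]")
# Hypothetical allowlist of charsets the page may be served in.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "windows-1252"}


def build_headers_unsafe(charset):
    """Vulnerable pattern: the request parameter goes straight into the header line."""
    return ("Content-Type: text/html; charset=" + charset + "\r\n"
            "X-Frame-Options: DENY\r\n")


def build_headers_safe(charset):
    """Hardened pattern: reject on control characters, then reject anything outside the
    allowlist. The value is not 'cleaned'; a bad request is simply refused (400 in practice)."""
    if _CTL.search(charset):
        raise ValueError("control character in header value")
    if charset.lower() not in ALLOWED_CHARSETS:
        raise ValueError("charset not in allowlist")
    return build_headers_unsafe(charset)


def parse_headers(block):
    """Split a raw header block the way a client does: one 'Name: value' per CRLF line."""
    parsed = []
    for line in block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            parsed.append((name.strip().lower(), value.strip()))
    return parsed


def header_names(block):
    """Just the header names, in the order a client would see them."""
    return [name for name, _ in parse_headers(block)]


def is_rejected(charset):
    """True when the hardened builder refuses the value."""
    try:
        build_headers_safe(charset)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    tainted = "utf-8\r\nX-Injected: 1"          # constructed value with an embedded CRLF
    print(header_names(build_headers_unsafe(tainted)))   # shows a third, attacker-chosen header
    print(is_rejected(tainted), is_rejected("utf-8"))    # True False
```

Most modern HTTP frameworks already raise on CR/LF in header values, so the allowlist check is the part that still matters when a header is derived from user input.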

net4visions.com Multiple Products Multiple Vulnerabilities

The iGallery, iManager and iBrowser plugins for WYSIWYG editors such as tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor suffer from multiple vulnerabilities, including reflected (non-persistent) cross-site scripting, local file inclusion, file disclosure and arbitrary file deletion.

The iManager plugin has three different parameters that can trigger the vulnerabilities mentioned above: ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts and parameters for the corresponding issues: ‘dir’ and ‘lang’. Advisories below:

ZSL-2011-5046 – iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045 – iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044 – iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043 – iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042 – iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041 – iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit

MiniFTPServer suffers from a denial of service vulnerability when a large number of bytes is sent after authentication, resulting in a crash. A valid FTP command is not needed to trigger the issue.

Debugger output:

(1540.918): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
031187d3 3909 cmp dword ptr [ecx],ecx ds:0023:00000000=????????
0:011> d edx
00f163e8 80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00 .j.z(…….d…
00f163f8 54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80 Tr…………..
00f16408 00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00 ….Ld……….
00f16418 18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16428 b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16438 00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00 …………P…
00f16448 00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00 ….h..y….pd..
00f16458 00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00 ………….r..
0:011> d
00f16468 00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00 ……….\{….
00f16478 80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79 …..d……`..y
00f16488 c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79 ……………y
00f16498 f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ….A.A.A.A.A.A.
00f164a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.


Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php
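The failure mode above is a server that accepts an unbounded run of bytes as one command line. As an added example (not Mini FTP Server code, and written in Python rather than the server's own language), this is a command reader that never holds more than a fixed number of unterminated bytes: it yields complete CRLF-terminated lines from an iterable of received chunks and aborts the connection as soon as the limit is exceeded. The limit value and the chunk iterable are assumptions; in a real server the chunks come from a socket recv loop.

```python
MAX_LINE = 512  # assumed per-command byte limit; not a value taken from Mini FTP Server


class LineTooLong(Exception):
    """Raised when a client sends more than max_line bytes without a line terminator."""


def read_commands(chunks, max_line=MAX_LINE):
    """Yield complete commands (without CRLF) from an iterable of received byte chunks,
    never keeping more than max_line bytes of unterminated input in memory."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        while True:
            end = buf.find(b"\r\n")
            if end == -1:
                # No terminator yet: fine while the pending data is small, fatal once it is not.
                if len(buf) > max_line:
                    raise LineTooLong(len(buf))
                break
            if end > max_line:
                raise LineTooLong(end)
            line = bytes(buf[:end])
            del buf[:end + 2]
            yield line


def drain(chunks, max_line=MAX_LINE):
    """Run the reader to completion; return ('ok', commands) or ('too long', bytes_seen)."""
    commands = []
    try:
        for cmd in read_commands(chunks, max_line):
            commands.append(cmd)
    except LineTooLong as exc:
        return ("too long", exc.args[0])
    return ("ok", commands)


if __name__ == "__main__":
    # Constructed input: a normal login split across two reads, then a flood of 'A' bytes.
    print(drain([b"USER test\r\nPA", b"SS secret\r\n"]))
    print(drain([b"A" * 300, b"A" * 300]))
```

The caller's reaction to LineTooLong should be to close the connection; trying to recover the stream after an oversized line only reintroduces the unbounded buffer.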

ManageEngine ServiceDesk Plus 8.0 Multiple Stored XSS Vulnerabilities

The application suffers from multiple stored XSS vulnerabilities. Input passed through several parameters is not sanitised, allowing an attacker to execute arbitrary HTML and script code in a user’s browser session on the affected site. A couple of HTTP header elements are also vulnerable to XSS. The vendor has issued a patch to address these issues.

Stored XSS (post-auth):

Param: reqName (POST)
Scripts: WorkOrder.do, Problems.cc, AddNewProblem.cc, ChangeDetails.cc (http://localhost:8080/common/UpdateField.jsp)

Params: reqName, description, level, priority, category, title, attach (POST)
Script: WorkOrder.do

Params: keywords, comments (POST)
Script: AddSolution.do

Params: supportDetails, contractName, comments (POST)
Script: ContractDef.do

Param: organizationName (POST)
Script: VendorDef.do

Param: COMMENTS (POST)
Script: MarkUnavailability.jsp (MySchedule.do)

Attack string: "><script>alert(1)</script>

HTTP Header XSS:

Elements: referer, accept-language
Scripts: HomePage.do, MySchedule.do, WorkOrder.do

————
GET /HomePage.do HTTP/1.0
Accept: */*
User-Agent: joxy-poxy
Host: localhost:8080
Cookie: JSESSIONID=AD4D28ADDB611A3DE6EAC2C6B4C8808E;JSESSIONIDSSO=B1F6034451E9457EEEF3DA09BA424247
Connection: Close
accept-language: 1<script>alert(1)</script>
Pragma: no-cache
————

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php
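The request above shows the header variant: a value in accept-language is reflected into the page without encoding. The following added example (not ManageEngine code) takes that request as a constructed sample, with the session cookie replaced by a placeholder, and shows two defender-side pieces in Python: a small request parser with a rule that flags the headers the advisory names when their value looks like markup (usable over access logs or in a filter), and the output encoding that should have been applied before the header value reached the page. The heuristic pattern and the rendered template are assumptions for the example.

```python
import html
import re

# Heuristic for markup in a header value: a tag opener followed by a letter, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?[a-z]|javascript:", re.IGNORECASE)

# Headers the advisory lists as reflected by the application.
WATCHED = ("referer", "accept-language")

# Constructed sample: the request shown above, with the session cookie replaced by a placeholder.
SAMPLE_REQUEST = (
    "GET /HomePage.do HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "User-Agent: joxy-poxy\r\n"
    "Host: localhost:8080\r\n"
    "Cookie: JSESSIONID=PLACEHOLDER;JSESSIONIDSSO=PLACEHOLDER\r\n"
    "Connection: Close\r\n"
    "accept-language: 1<script>alert(1)</script>\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and a lower-cased header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_headers(raw, watched=WATCHED):
    """Names of watched headers whose value looks like markup; a simple log or WAF rule."""
    _, headers = parse_request(raw)
    return [h for h in watched if h in headers and MARKUP.search(headers[h])]


def render_language(accept_language):
    """How reflected header data should reach the page: HTML-encoded, so the browser
    sees text rather than a script element."""
    return "<p>Language: %s</p>" % html.escape(accept_language, quote=True)


if __name__ == "__main__":
    request_line, headers = parse_request(SAMPLE_REQUEST)
    print(request_line, flag_headers(SAMPLE_REQUEST))      # ['accept-language']
    print(render_language(headers["accept-language"]))    # encoded, no live <script>
```

Encoding at output time is the fix; the detection rule is only there to notice attempts against versions that predate the vendor patch.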

TCExam Multiple Remote Vulnerabilities + Patch

TCExam versions below 11.2.012 are vulnerable to multiple XSS and SQL injection attacks. Update to version 11.2.012!

TCExam versions 11.02.009, 11.2.010 and 11.2.011 were tested.

********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) **********

1. /admin/code/tce_colorpicker.php (frm, fld, tag) – GET
2. /admin/code/tce_edit_backup.php (backup_file) – POST
3. /admin/code/tce_edit_group.php (group_name, group_id) – POST
4. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
5. /admin/code/tce_edit_rating.php (test_id) – POST
6. /admin/code/tce_edit_subject.php (subject_module_id, subject_id) – POST
7. /admin/code/tce_edit_test.php (test_id) – POST
8. /admin/code/tce_filemanager.php (file) – POST
9. /admin/code/tce_select_mediafile.php (frm, fld, file) – GET, GET, POST
10. /admin/code/tce_select_users.php (new_group_id) – POST
11. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
12. /admin/code/tce_show_result_user.php (test_id) – POST
13. /public/code/tce_user_change_email.php (xl_user_email) – POST
14. /public/code/tce_user_change_password.php (xl_newpassword) – POST
15. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

********** Cross-Site Scripting URI Based (script name) **********

1. /admin/code/index.php
2. /admin/code/tce_csv_users.php
3. /admin/code/tce_edit_answer.php
4. /admin/code/tce_edit_backup.php
5. /admin/code/tce_edit_group.php
6. /admin/code/tce_edit_module.php
7. /admin/code/tce_edit_question.php
8. /admin/code/tce_edit_rating.php
9. /admin/code/tce_edit_subject.php
10. /admin/code/tce_edit_test.php
11. /admin/code/tce_edit_user.php
12. /admin/code/tce_filemanager.php
13. /admin/code/tce_import_omr_answers.php
14. /admin/code/tce_import_xml_questions.php
15. /admin/code/tce_import_xml_users.php
16. /admin/code/tce_menu_modules.php
17. /admin/code/tce_menu_tests.php
18. /admin/code/tce_menu_users.php
19. /admin/code/tce_page_info.php
20. /admin/code/tce_select_mediafile.php
21. /admin/code/tce_select_users.php
22. /admin/code/tce_show_all_questions.php
23. /admin/code/tce_show_allresults_users.php
24. /admin/code/tce_show_online_users.php
25. /admin/code/tce_show_result_allusers.php
26. /admin/code/tce_show_result_questions.php
27. /admin/code/tce_show_result_user.php
28. /admin/code/tce_xml_users.php
29. /public/code/index.php
30. /public/code/tce_page_user.php
31. /public/code/tce_user_change_email.php
32. /public/code/tce_user_change_password.php
33. /public/code/tce_user_registration.php

********** Cross-Site Scripting in path (script name) **********

1. /admin/code
2. /public/code

********** SQL Injection (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
3. /admin/code/tce_edit_rating.php (test_id) – POST
4. /admin/code/tce_edit_subject.php (subject_module_id) – POST
5. /admin/code/tce_edit_test.php (test_id) – POST
6. /admin/code/tce_select_users.php (new_group_id) – POST
7. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
8. /admin/code/tce_show_result_questions.php (orderdir, order_field) – POST, GET
9. /admin/code/tce_show_result_user.php (test_id) – POST

********** Possible Cookie Manipulation (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

Advisory ZSL-2011-5025: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php
Advisory ZSL-2011-5026: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5026.php

NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities

NetServe Web Server suffers from multiple vulnerabilities including cross-site scripting, remote file inclusion, local file inclusion, script insertion, HTML injection, denial of service, etc. Although the software is no longer maintained and its last update was in 2006, a few sites still use it. All of the parameters are susceptible to the above attacks. The parameters used by the web application (POST/GET) are:

– Action
– EnablePasswords
– _Checks
– _ValidationError
– ListIndex
– SiteList_0
– SSIErrorMessage
– SSIExtensions
– SSITimeFormat
– SSIabbrevSize
– EnableSSI
– LogCGIErrors
– LoggingInterval
– ExtendedLogging
– CGITimeOut

The tests were made using PowerFuzzer and OWASP ZAP. Attackers can exploit any of the issues using a web browser.

————snip—————
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd%00&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=c%3A%5C%5Cboot.ini&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
————snip—————

Advisory ID: ZSL-2011-5021
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5021.php
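The scanner output above and the ‘lang’, ‘dir’ and ‘d’ issues in the net4visions plugins earlier on this page are the same class of bug: a parameter that selects a file is used without checking its shape. The following added example (not NetServe or net4visions code) is the validation such a parameter needs, in Python: a classifier that names why a raw query-string value is unacceptable (null byte, remote URL, absolute path, traversal, unexpected characters), a resolver that only returns a path when the value passes the allowlist and still lands under the intended directory, and a helper that walks a raw query string like the ones in the scanner lines. The allowed-name pattern and the base directory are assumptions for the example; the sample values are the ones visible in the scanner output.

```python
import posixpath
import re
from urllib.parse import unquote

# Allowed shape for a file-selecting parameter: a bare name, optionally with an extension.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")


def reject_reason(param):
    """Classify a raw (still URL-encoded) parameter value. None means it passes the allowlist."""
    value = unquote(param)
    if "\x00" in value:
        return "null byte"                      # %00 truncation attempts
    if SCHEME_RE.match(value):
        return "remote URL"                     # remote file inclusion
    if value.startswith("/") or DRIVE_RE.match(value):
        return "absolute path"                  # /etc/passwd, c:\boot.ini
    if ".." in value.replace("\\", "/").split("/"):
        return "traversal"                      # ../ segments
    if not NAME_RE.match(value):
        return "unexpected characters"
    return None


def safe_path(param, base_dir):
    """Resolve `param` under base_dir, or return None. The allowlist does the real work;
    the commonpath check is a second line of defence if the pattern is ever loosened."""
    if reject_reason(param) is not None:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, unquote(param)))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit_query(query):
    """Walk a raw query string (as in the scanner output) and report offending parameters."""
    findings = {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        reason = reject_reason(raw)
        if reason:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    # Values taken from the scanner lines above; the base directory is hypothetical.
    for raw in ("ListUpdate", "%2Fetc%2Fpasswd", "%2Fetc%2Fpasswd%00",
                "http%3A%2F%2Fwww.google.com%2F", "c%3A%5C%5Cboot.ini"):
        print(raw, "->", reject_reason(raw))
    print(safe_path("en", "/srv/app/lang"))
    print(audit_query("Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT"))
```

Note that the reason strings are for logging only; the application's response should be the same refusal for every non-None result, so the error message does not tell the sender which check tripped.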

Sitemagic CMS 2010.04.17 (SMExt) Remote XSS Vulnerability

Sitemagic CMS suffers from an XSS vulnerability when parsing user input to the ‘SMExt’ parameter via the GET method in ‘index.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Vendor Status
[10.06.2011] Initial contact with the vendor.
[10.06.2011] Vendor replies asking more details.
[10.06.2011] Sent vulnerability details to vendor.
[11.06.2011] Vendor replies.
[12.06.2011] Vendor confirms vulnerability.
[15.06.2011] Asked vendor for scheduled patch release date.
[17.06.2011] No reply from vendor.
[18.06.2011] Sent another e-mail to the vendor asking for a scheduled patch release date, pointing out the reasonable timeframe for fixing an XSS issue.
[18.06.2011] Vendor says that they will keep me posted when new release is available.
[20.06.2011] Informed the vendor that the advisory release will be on 21st of June.
[21.06.2011] Public security advisory released.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5020.php

Multiple vulnerabilities in Pacer Edition CMS

Pacer Edition CMS suffers from multiple vulnerabilities including cross-site scripting, local file inclusion and arbitrary file deletion. You can view details of the issues on the following advisory links:

Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit [ZSL-2011-5017]
Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability [ZSL-2011-5018]
Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability [ZSL-2011-5019]

Kentico CMS 5.5R2.23 and below XSS POST Injection Vulnerability + Fix

Kentico CMS suffers from an XSS vulnerability when parsing user input to the ‘userContextMenu_parameter’ parameter via the POST method in ‘/examples/webparts/membership/users-viewer.aspx’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5015.php

Vendor patch: http://devnet.kentico.com/Bugtracker/Hotfixes.aspx

t00t!