Posts Tagged ‘ scripting

phpThumb() v1.7.11 (dir & title) Cross-Site Scripting Vulnerability

phpThumb is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘dir’ and the ‘title’ parameter of the ‘phpThumb.demo.random.php’ and ‘phpThumb.demo.showpic.php’ scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5088
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5088.php

2012
05/16
POSTED BY
CATEGORY
Internal
Comments Off

Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities

Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session or disclose the full installation path of the affected CMS.

——————————————————————————–

Reflected (Non-Persistent) XSS:

1. username
2. password
3. verification_code
4. email_address
5. password_verify
6. firstname
7. lastname

Stored (Persistent) XSS:

8. groupname
9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description

——————————————————————————–

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5086.php
Vendor: http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html

2012
05/02
POSTED BY
CATEGORY
Internal
Comments Off

Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities

Anchor CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: “intext:Powered by Anchor, version 0.6

Advisory ID: ZSL-2012-5085
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5085.php

2012
04/20
POSTED BY
CATEGORY
Internal
Comments Off

BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities

BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: footer: “powered by BGS CMS”

Advisory ID: ZSL-2012-5084
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php

2012
04/11
POSTED BY
CATEGORY
Internal
Comments Off

phpList 2.10.17 Remote SQL Injection and XSS Vulnerability

Input passed via the parameter ‘sortby’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param ‘num’ is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Vendor status:

[05.03.2012] Vulnerabilities discovered.
[19.03.2012] Submited details to the vendor’s bug tracking system.
[19.03.2012] Vendor investigates, confirms and fixes the issues.
[19.03.2012] Sent patch release coordination to the vendor.
[21.03.2012] Vendor releases version 2.10.18 to address these issues.
[21.03.2012] Coordinated public security advisory released.

Advisory ID: ZSL-2012-5081
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php

Vendor Advisory: https://www.phplist.com/?lid=567
https://mantis.phplist.com/view.php?id=16557

2012
03/21
POSTED BY
CATEGORY
Internal
Comments Off

Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities

Zend Server and its components suffers from a cross-site scripting vulnerability. The persistent (stored) XSS issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Original Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
TXT: http://www.zeroscience.mk/codes/zend_s03.txt
HTML: http://www.zeroscience.mk/codes/zend_s03.html

Vendor: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt

2012
03/10
POSTED BY
CATEGORY
Internal
Comments Off

Fork CMS 3.2.7 Multiple HTML Code Injection Vulnerabilities

Fork CMS suffers from multiple XSS vulnerabilities when parsing user input to several parameters in different scripts, via POST and GET methods. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5076
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5076.php

2012
03/06
POSTED BY
CATEGORY
Internal
Comments Off

ManageEngine ADManager Plus 5.2 Multiple XSS Vulnerabilities

ADManager Plus suffers from multiple XSS vulnerabilities when parsing user input to the ‘domainName’ parameter in the ‘/jsp/AddDC.jsp’ script via GET method and ‘operation’ parameter in the ‘/DomainConfig.do’ script via POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

PoC(s):

#1

– GET http://localhost:8080/jsp/AddDC.jsp?domainName=”><script>alert(‘zsl’)</script> HTTP/1.1

#2

– POST http://localhost:8080/DomainConfig.do?methodToCall=save HTTP/1.1

– DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation=”><script>alert(‘zsl’)</script>&reset=

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5070.php

2012
02/07
POSTED BY
CATEGORY
Internal
Comments Off

Limny 3.0.1 (login.php) Remote URI Based Cross-Site Scripting Vulnerability

Limny suffers from a XSS issue in ‘/admin/login.php’ that uses the ‘PHP_SELF’ variable. The vulnerability is present because there isn’t any filtering to the mentioned variable in the affected script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

——————————————————————————–

/admin/login.php
----------------
100: <form name="limny_login" action="<?php print $_SERVER['PHP_SELF']; ?>" method="post">

——————————————————————————–

Advisory: ZSL-2012-5066

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5066.php

2012
01/04
POSTED BY
CATEGORY
Internal
Comments Off

Manx cms.xml Multiple Vulnerabilities

(XSS) Input thru the GET parameters ‘limit’ and ‘search_folder’ in ‘ajax_get_file_listing.php’ are not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

(CRLF Injection/HTTP Response Splitting) Input passed to the POST parameter ‘editorChoice’ in ‘admin_blocks.php’ and ‘admin_pages.php’ and the POST parameter ‘theme’ in ‘admin_css.php’, ‘admin_js.php’ and ‘admin_templates.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

(LFI/DT) Input passed via the ‘fileName’ parameter thru the simplexml_load_file() function is not properly verified in ‘/admin/admin_blocks.php’ and ‘/admin/admin_pages.php’ (post-auth) before being used to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Advisories:
ZSL-2011-5058http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5058.php
ZSL-2011-5059http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php
ZSL-2011-5060http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5060.php

:):

2011
11/28
POSTED BY
CATEGORY
Internal
Comments Off

Rete Mirabilia

Site Meter