Posts Tagged ‘vulnerabilities’

BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities

BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input passed to several parameters via the GET and POST methods (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: footer: “powered by BGS CMS”

Advisory ID: ZSL-2012-5084
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php

phpList 2.10.17 Remote SQL Injection and XSS Vulnerability

Input passed via the ‘sortby’ parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The ‘num’ parameter is vulnerable to an XSS issue in which the attacker can execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Vendor status:

[05.03.2012] Vulnerabilities discovered.
[19.03.2012] Submitted details to the vendor’s bug tracking system.
[19.03.2012] Vendor investigates, confirms and fixes the issues.
[19.03.2012] Sent patch release coordination to the vendor.
[21.03.2012] Vendor releases version 2.10.18 to address these issues.
[21.03.2012] Coordinated public security advisory released.

Advisory ID: ZSL-2012-5081
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php

Vendor Advisory: https://www.phplist.com/?lid=567
https://mantis.phplist.com/view.php?id=16557

Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities

Zend Server and its components suffer from cross-site scripting vulnerabilities. The persistent (stored) XSS issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Original Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
TXT: http://www.zeroscience.mk/codes/zend_s03.txt
HTML: http://www.zeroscience.mk/codes/zend_s03.html

Vendor: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt

Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities

MindManager suffers from several vulnerabilities in components bundled with the package. Several OCX and DLL libraries from third-party software (glg.ocx, officeviewermme.ocx, pdfxctrl.dll, vsflex8n.ocx and ChartFX.ClientServer.Core.dll) are vulnerable to buffer overflow and denial of service (IE). The application is also vulnerable to insecure library loading, for every file extension it handles, through ssgp.dll and dwmapi.dll.

Advisory ID: ZSL-2012-5068
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5068.php

Infoproject Biznis Heroj Multiple Vulnerabilities

Infoproject Biznis Heroj (XSS/SQLi) Multiple Remote Vulnerabilities

Input passed via the ‘filter’ parameter in the ‘widget.dokumenti_lista.php’ script and the ‘fin_nalog_id’ parameter in the ‘nalozi_naslov.php’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The ‘config’ parameter in ‘nalozi_naslov.php’ and ‘widget.dokumenti_lista.php’ is vulnerable to an XSS issue in which the attacker can execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Infoproject Biznis Heroj (login.php) Authentication Bypass Vulnerability

The vulnerability is caused by an error in the logon authentication script (login.php) and can be exploited to bypass the login procedure by supplying the ‘username’ and ‘password’ POST parameters with an SQL injection attack, gaining admin privileges.
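The two SQL injection findings above, the phpList ‘sortby’ parameter and the Biznis Heroj login.php check, call for different fixes, because a sort column is a SQL identifier while a username or password is a value. The following Python/sqlite3 snippet is an added illustration written for this page, not code from phpList or Biznis Heroj: the `users` table, its columns and the rows in it are constructed sample data, and the function names are hypothetical.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory users table standing in for the
    application's own (table and column names are hypothetical; plaintext
    passwords are used only to keep the sample short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "S3cret!", 1), (2, "alice", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind the login.php finding: request values are spliced
    into the query text, so a quote in the input rewrites the WHERE clause
    instead of being compared as data."""
    sql = (
        "SELECT id, is_admin FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Hardened form: the values are bound as parameters, so the driver only
    ever compares them as data and they can never be parsed as SQL."""
    sql = "SELECT id, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Column names are identifiers, not values, and cannot be bound as parameters;
# a user-controlled 'sortby' therefore has to be mapped onto a fixed allow-list
# before it is spliced into the ORDER BY clause.
ALLOWED_SORT = {"id", "username"}


def sort_column_ok(sortby):
    """Predicate form of the allow-list check, usable in request validation."""
    return sortby in ALLOWED_SORT


def list_users(conn, sortby):
    """Return usernames ordered by an allow-listed column; anything else is
    refused rather than passed through to the database."""
    if not sort_column_ok(sortby):
        raise ValueError("unsupported sort column: %r" % sortby)
    rows = conn.execute("SELECT username FROM users ORDER BY " + sortby)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    print(login_fixed(db, "admin", "S3cret!"))     # the legitimate login
    print(login_fixed(db, "O'Brien", "x"))         # a quote is just a quote here
    print(list_users(db, "username"))
```

The allow-list is the important half for ‘sortby’-style parameters: escaping does not help with identifiers, since they are not quoted in SQL, so the only safe option is to accept a known set of column names and reject everything else.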

Manx cms.xml Multiple Vulnerabilities

(XSS) Input passed through the GET parameters ‘limit’ and ‘search_folder’ in ‘ajax_get_file_listing.php’ is not sanitized, allowing the attacker to execute HTML code in a user’s browser session on the affected site.

(CRLF Injection/HTTP Response Splitting) Input passed to the POST parameter ‘editorChoice’ in ‘admin_blocks.php’ and ‘admin_pages.php’ and the POST parameter ‘theme’ in ‘admin_css.php’, ‘admin_js.php’ and ‘admin_templates.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

(LFI/DT) Input passed via the ‘fileName’ parameter to the simplexml_load_file() function is not properly verified in ‘/admin/admin_blocks.php’ and ‘/admin/admin_pages.php’ (post-auth) before being used to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.
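The header-injection and file-loading findings above fail for the same reason: a request value is used as-is in a context with its own syntax (a header line, a filesystem path). The Python below is an added example, not code from Manx, showing the two checks a defender would put in front of those uses; the base directory and function names are hypothetical.

```python
import os


def header_value_ok(value):
    """True when a value can be placed in a response header without
    terminating it: no carriage return or line feed anywhere in it.
    Apply it to the already URL-decoded value, which is what the
    application actually writes into the header."""
    return "\r" not in value and "\n" not in value


def resolve_within(base_dir, user_path):
    """Resolve a user-supplied file name (for instance a 'fileName'
    parameter) strictly inside base_dir. Returns the absolute path to open,
    or None when the request must be refused: empty names, NUL bytes,
    absolute paths and '..' sequences that leave base_dir are all rejected
    after normalisation, so encoded variants are judged by what they
    resolve to rather than by pattern matching."""
    if not user_path or "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, and realpath
    # collapses '..', so an escape shows up as a candidate outside base.
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Hypothetical directory for the admin block definitions.
    blocks_dir = "/srv/manx/admin/blocks"
    print(header_value_ok("default"))
    print(header_value_ok("default\r\nX-Injected: 1"))
    print(resolve_within(blocks_dir, "footer.xml"))
    print(resolve_within(blocks_dir, "../../../../etc/passwd"))
```

Once `resolve_within` has returned a path, that path, and not the original parameter, is what goes to the XML loader; the check is only worth anything if the raw value never reaches the filesystem call.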

Advisories:
ZSL-2011-5058: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5058.php
ZSL-2011-5059: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php
ZSL-2011-5060: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5060.php

:)

Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities

Input passed via the ‘redirect.php’ parameter in ‘message.php’ and the ‘w’ and ‘d’ parameters in ‘index.php’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code or to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. A path disclosure resides in the ‘sq’ parameter of the ‘/plugins/search/search.php’ script.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5051.php

ATutor Multiple Products Multiple Vulnerabilities

The ATutor products ATutor, AContent and AChecker suffer from multiple vulnerabilities including cross-site scripting (stored and non-persistent), HTTP response splitting, SQL injection and path disclosure.

Advisories:

ZSL-2011-5037: ATutor 2.0.2 (lang) HTTP Response Splitting Vulnerability
ZSL-2011-5036: ATutor 2.0.2 Multiple Remote Vulnerabilities (SQLi/XSS/PD)
ZSL-2011-5035: AChecker 1.2 Multiple Remote XSS/PD Vulnerabilities
ZSL-2011-5034: AChecker 1.2 Multiple Error-Based SQL Injection Vulnerabilities
ZSL-2011-5033: AContent 1.1 (category_name) Remote Script Insertion Vulnerability
ZSL-2011-5032: AContent 1.1 Multiple Cross-Site Scripting Vulnerabilities
ZSL-2011-5031: AContent 1.1 Multiple SQL Injection Vulnerabilities

Issues have been reported to the vendor, but not assigned yet, so…that’s that. Cheers ;)

Digital Scribe 1.5 (register_form()) Multiple POST XSS Vulnerabilities

Digital Scribe suffers from multiple POST XSS vulnerabilities. Input passed through the POST parameters ‘title’, ‘last’ and ‘email’ in register.php is not sanitized, allowing the attacker to execute HTML code in a user’s browser session on the affected site.

Details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5030.php

NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities

NetServe Web Server suffers from multiple vulnerabilities including cross-site scripting, remote file inclusion, local file inclusion, script insertion, HTML injection, denial of service, etc. Although the software is no longer maintained and was last updated in 2006, a few sites still use it. All of the parameters are susceptible to the above attacks. The parameters used by the web application (POST/GET) are:

- Action
- EnablePasswords
- _Checks
- _ValidationError
- ListIndex
- SiteList_0
- SSIErrorMessage
- SSIExtensions
- SSITimeFormat
- SSIabbrevSize
- EnableSSI
- LogCGIErrors
- LoggingInterval
- ExtendedLogging
- CGITimeOut

The tests were made using PowerFuzzer and OWASP ZAP. Attackers can exploit any of the issues using a web browser.

————snip—————
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd%00&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=c%3A%5C%5Cboot.ini&ListIndex=0&SiteList_0=DEFAULT
coming from http://127.0.0.1/admin/addindex.html
————snip—————
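Fuzzer output like the snippet above is easier to triage when it is parsed than when it is read line by line. The Python below is an added example written for this page, not part of the advisory and not code from PowerFuzzer or OWASP ZAP: it splits the three-line records, percent-decodes the query string, labels each parameter value by the kind of probe it carried (remote URL, absolute path, NUL byte) and then reports which parameters carried any. The embedded sample consists of five records copied from the snippet above; the record layout the parser expects (and its tolerance for the missing space after "coming from") is taken from that snippet only.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Five records taken from the fuzzer output quoted above. The tool prints
# three lines per finding and, in the original run, fused "coming from" to
# the URL, so the parser tolerates a missing space there.
SAMPLE_OUTPUT = """\
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
"""

RECORD = re.compile(
    r"Remote include in (?P<target>\S+)\n"
    r"with params =(?P<params>[^\n]*)\n"
    r"coming from\s*(?P<referer>\S+)"
)


def classify(value):
    """Label a decoded parameter value by the kind of probe it carries, or
    return None for an ordinary value."""
    if "\x00" in value:
        return "nul-byte"
    if urlparse(value).scheme in ("http", "https"):
        return "remote-url"
    if value.startswith("/") or re.match(r"[A-Za-z]:\\", value):
        return "absolute-path"
    return None


def parse_findings(text):
    """Turn the raw tool output into one dict per record, keeping only the
    parameters whose value looked like a probe."""
    findings = []
    for m in RECORD.finditer(text):
        flagged = {}
        # parse_qsl percent-decodes, so %2F becomes '/' and %00 a real NUL byte.
        for name, value in parse_qsl(m.group("params"), keep_blank_values=True):
            label = classify(value)
            if label:
                flagged[name] = label
        findings.append({
            "target": m.group("target"),
            "referer": m.group("referer"),
            "flagged": flagged,
        })
    return findings


def affected_parameters(findings):
    """Names of all parameters that carried at least one probe value."""
    return {name for f in findings for name in f["flagged"]}


if __name__ == "__main__":
    results = parse_findings(SAMPLE_OUTPUT)
    for f in results:
        print(f["target"], f["flagged"])
    print(sorted(affected_parameters(results)))
```

Feeding the complete run through `affected_parameters` gives the per-parameter view that the prose above states in one sentence (every parameter in the list accepted the probes), and the per-record `flagged` labels show which probe class each parameter accepted, which is the information a fix or a detection rule needs.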

Advisory ID: ZSL-2011-5021
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5021.php