Posts Tagged ‘ vulnerability ’
Artiphp stores database backups using backupDB() utility with a predictable file name inside the web root, which can be exploited to disclose sensitive information by downloading the file. The backup is located in ‘/artzone/artpublic/database/’ directory as ‘db_backup_[type].[yyyy-mm-dd].sql.gz’ filename.
Advisory ID: ZSL-2012-5091
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5091.php
Artiphp CMS suffers from multiple cross-site scripting vulnerabilities via several parameters thru POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.
Advisory ID: ZSL-2012-5090
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5090.php
PoC:
POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
add_img_name_post "onmouseover=prompt(1) joxy
adresse_destinataire
adresse_expediteur lab%40zeroscience.mk
asciiart_post "onmouseover=prompt(2) joxy
expediteur "onmouseover=prompt(3) joxy
message Hello%20World
message1 %ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send Send
titre_sav "onmouseover=prompt(4) joxy
url_sav http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561 "onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920 2
backupDB is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘onlyDB’ parameter of the ‘backupDB.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.
Advisory ID: ZSL-2012-5089
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5089.php
phpThumb is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘dir’ and the ‘title’ parameter of the ‘phpThumb.demo.random.php’ and ‘phpThumb.demo.showpic.php’ scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.
Advisory ID: ZSL-2012-5088
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5088.php
Andromeda is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the ‘s’ parameter of the ‘andromeda.php’ script.
Advisory ID: ZSL-2012-5087
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5087.php
Dork: “powered by andromeda version”
PoC: http://localhost/AndromedaPHP/andromeda.php?q=s&s=”><script>alert(1);</script>
Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session or disclose the full installation path of the affected CMS.
——————————————————————————–
Reflected (Non-Persistent) XSS:
1. username
2. password
3. verification_code
4. email_address
5. password_verify
6. firstname
7. lastname
Stored (Persistent) XSS:
8. groupname
9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description
——————————————————————————–
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5086.php
Vendor: http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html
Anchor CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.
Dork: “intext:Powered by Anchor, version 0.6”
Advisory ID: ZSL-2012-5085
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5085.php
The vulnerability is caused due to the Search box function not checking the boundary of user input. This can be exploited to cause a DoS due to memory exhaustion when inserting a long string of bytes (~80mil B / 80 MB) into the Search field in the GUI.
Advisory ID: ZSL-2012-5082
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5082.php
Input passed via the parameter ‘sortby’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param ‘num’ is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Vendor status:
[05.03.2012] Vulnerabilities discovered.
[19.03.2012] Submited details to the vendor’s bug tracking system.
[19.03.2012] Vendor investigates, confirms and fixes the issues.
[19.03.2012] Sent patch release coordination to the vendor.
[21.03.2012] Vendor releases version 2.10.18 to address these issues.
[21.03.2012] Coordinated public security advisory released.
Advisory ID: ZSL-2012-5081
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php
Vendor Advisory: https://www.phplist.com/?lid=567
https://mantis.phplist.com/view.php?id=16557
Fork CMS suffers from multiple XSS vulnerabilities when parsing user input to several parameters in different scripts, via POST and GET methods. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.
Advisory ID: ZSL-2012-5076
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5076.php
IT.com.mk Exploit Database