Posts Tagged ‘web’

Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Multiple stored XSS and CSRF vulnerabilities exist when parsing user input to several POST parameters. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site, and/or to execute arbitrary HTML and script code in a user’s browser session.


Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5169.php

CloudFlare vs Incapsula: Round 2 – Comparative Penetration Testing Analysis Report

This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.



Direct download: http://zeroscience.mk/files/wafreport2013v2.pdf

Here’s a video to show some Blocks and Bypasses from both vendors:



Resin Application and Web Server 4.0.36 Multiple Vulnerabilities

Resin Application and Web Server suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the ‘logout’ GET parameter in the ‘index.php’ script. A URI-based XSS issue is also present, and both vulnerabilities can be triggered once the user/admin is logged in (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

A source code disclosure vulnerability is also present in the mentioned software. The vulnerability is caused by improper sanitization of the ‘file’ parameter when used for reading help files. An attacker can exploit this vulnerability by directly requesting a ‘.jsp’ file, for example in the root directory of the server, to view its source code, which might reveal sensitive information.


Advisory ZSL-2013-5143: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php
Advisory ZSL-2013-5144: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5144.php

OpenEMR 4.1.1 (site param) Remote XSS Vulnerability

OpenEMR suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the ‘site’ GET parameter in the central ‘globals.php’ script, which is called by every script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5129.php

Vendor: http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

CloudFlare vs Incapsula vs ModSecurity – A Comparative Penetration Testing Analysis Report

This document contains the results of a comparative penetration test conducted by a team of security specialists at Zero Science Lab against three ‘leading’ web application firewall solutions. Our goal was to bypass security controls in place, in any way we can, circumventing whatever filters they have. This report also outlines the setup and configuration process, as well as a detailed security assessment.


Direct download: http://zeroscience.mk/files/wafreport2013.pdf

Update response:

Incapsula: http://www.incapsula.com/the-incapsula-blog/item/699-incapsula-pentested-review
ModSecurity: http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10035
CloudFlare: http://blog.cloudflare.com/heuristics-and-rules-why-we-built-a-new-old-waf

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Input passed to the ‘dl’ parameter in the ‘install.php’ script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via a directory traversal attack.


/install.php:
-------------

    // 'dl' is concatenated into the path without any validation
    if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
    {
        $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
        header('Cache-Control: no-cache, must-revalidate');
        header('Pragma: no-cache');
        header('Content-Disposition: attachment; filename="database.inc.php"');
        header('Content-Transfer-Encoding: binary');
        header('Content-Length: '.filesize($filename));
        // the file is sent to the client and then deleted
        echo file_get_contents($filename);
        unlink($filename);
        exit();
    }
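
The same read-then-delete logic with the ‘dl’ value validated before any filesystem call, as an added example that is not Piwigo's code or its actual patch. The helper name resolve_download(), the temporary demo directory and the assumption that a legitimate token is 32 lowercase hex characters are all hypothetical.

```php
<?php
// Added example (not Piwigo code). resolve_download() is a hypothetical helper.
// Assumption: legitimate 'dl' tokens are 32 lowercase hex characters.

function resolve_download(string $dataDir, string $token): ?string
{
    // 1. Allowlist the token so it can never carry '/', '\' or '.'.
    if (preg_match('/\A[a-f0-9]{32}\z/', $token) !== 1) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() returns false for missing files.
    $base = realpath($dataDir);
    $path = realpath($dataDir . DIRECTORY_SEPARATOR . 'pwg_' . $token);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check: the resolved file must sit directly in $base.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary data directory holding one legitimate file.
$dataDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($dataDir);
$token = md5('constructed-sample');
file_put_contents($dataDir . DIRECTORY_SEPARATOR . 'pwg_' . $token, "<?php // sample config\n");

$cases = [
    $token,                  // legitimate token
    '/../../etc/hostname',   // traversal attempt: fails the allowlist
    str_repeat('a', 32),     // well-formed token, but no such file
];
foreach ($cases as $dl) {
    $path = resolve_download($dataDir, $dl);
    printf("%-40s => %s\n", $dl, $path === null ? 'rejected' : 'served');
    if ($path !== null) {
        unlink($path);       // delete only after the path has been verified
    }
}
rmdir($dataDir);
```

The allowlist alone stops the traversal; the realpath() containment check is a second layer that also rejects a `pwg_` entry that is a symlink pointing outside the data directory.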



Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php

AbanteCart 1.1.3 (index.php) Multiple Reflected XSS Vulnerabilities

AbanteCart suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to ‘index.php’ script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5125.php

Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities

Oracle OpenSSO suffers from multiple cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory ID: ZSL-2012-5114
Link: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5114.php

PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability

PRADO Framework suffers from an arbitrary file read vulnerability. Input passed to the ‘sr’ parameter in ‘functional_tests.php’ is not properly sanitised before being used to get the contents of a resource. This can be exploited to read arbitrary data from local resources via a directory traversal attack.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5113.php

NASA Tri-Agency Climate Education (TrACE) Multiple Vulnerabilities

The Tri-Agency Climate Education (TrACE) Catalog provides search and browse access to a catalog of educational products and resources. TrACE focuses on climate education resources that have been developed by initiatives funded through NASA, NOAA, and NSF, comprising a tri-agency collaboration around climate education.

The application suffers from a reflected cross-site scripting vulnerability when input passed to the ‘product_id’, ‘pi’, ‘project_id’ and ‘funder’ GET parameters in the ‘trace_results.php’ script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. The application also suffers from SQL injection vulnerabilities when input passed to the ‘product_id’ and ‘grade’ GET parameters in the ‘trace_results.php’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisories:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5111.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5112.php