Posts Tagged ‘ zero science lab

CloudFlare vs Incapsula: Round 2 – Comparative Penetration Testing Analysis Report

This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.



Direct download: http://zeroscience.mk/files/wafreport2013v2.pdf

Here’s a video to show some Blocks and Bypasses from both vendors:



Ovidentia 7.9.4 Multiple Remote Vulnerabilities

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

ovidentia-sqli2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php

Resin Application and Web Server 4.0.36 Multiple Vulnerabilities

Resin Application and Web Server The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘logout’ GET parameter in the ‘index.php’ script. URI-based XSS issue is also present and both of the vulnerabilities can be triggered once the user/admin is logged in (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Source code disclosure vulnerability is present in the mentioned software. The vulnerability is caused do to an improper sanitization of the ‘file’ parameter when used for reading help files. An attacker can exploit this vulnerability by directly requesting a ‘.jsp’ file for example in the root directory of the server to view its source code that might reveal sensitive information.

resinwebserver_scd

resin-xss1

Advisory ZSL-2013-5143: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php
Advisory ZSL-2013-5144: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5144.php

WordPress Securimage-WP Plugin v3.2.4 URI-based XSS Vulnerability

Securimage-WP suffers from a XSS issue in ‘siwp_test.php’ that uses the ‘PHP_SELF’ variable. The vulnerability is present because there isn’t any filtering to the mentioned variable in the affected script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

securimage_wp_xss2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5140.php

Axis Commerce 0.8.7.2 Remote Script Insertion Vulnerabilities

Axis Commerce suffers from multiple stored XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5115.php

IBM System Storage DS Storage Manager Profiler Multiple Vulnerabilities

IBM System Storage DS Storage Manager Profiler suffers from an SQL Injection and a Cross-Site Scripting (XSS) vulnerability. Input passed via the GET parameter ‘selectedModuleOnly’ in ‘ModuleServlet.do’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The GET parameter ‘updateRegn’ in the ‘SoftwareRegistration.do’ script is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

ZSL Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

IBM Advisory: https://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172

Project KoKiNo

http://liquidworm.deviantart.com/art/The-Observers-301017154

http://liquidworm.deviantart.com/art/Shoo6-301016589

Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities

Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session or disclose the full installation path of the affected CMS.

——————————————————————————–

Reflected (Non-Persistent) XSS:

1. username
2. password
3. verification_code
4. email_address
5. password_verify
6. firstname
7. lastname

Stored (Persistent) XSS:

8. groupname
9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description

——————————————————————————–

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5086.php
Vendor: http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html

Themida and WinLicense Vulnerabilities

The vulnerability in Themida is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .TMD file. Successful exploitation may allow execution of arbitrary code.

WinLicense is prone to an unspecified memory corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious XML file to execute arbitrary code and to cause denial-of-service conditions.

Advisories:

ZSL-2012-5079http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5079.php
ZSL-2012-5080http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5080.php

net4visions.com Multiple Products Multiple Vulnerabilities

iGallery, iManager and iBrowser plugins for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor suffers from multiple vulnerabilities including: Reflected (Non-Persistent) Cross-Site Scripting, Local File Inclusion, File Disclosure, Arbitrary Deletion.

The iManager plugin has 3 different parameters which can trigger the mentioned above vulnerabilities. ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts and parameters for corresponding issues. ‘dir’ and ‘lang’. Advisories bellow:

ZSL-2011-5046iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability