PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug

Tags

, , , ,

PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug

 

Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security Vulnerability

Product: PhotoPost PHP

Vendor: PhotoPost

Vulnerable Versions: 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3

Tested Version: 4.8c vB3

Advisory Publication: July 25, 2015

Latest Update: July 28, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

photopost_cookie_xss1

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

PhotoPost

 

Product & Vulnerable Versions:

PhotoPost PHP

4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3

 

Vendor URL & Download:

Product can be obtained from here,

http://www.photopost.com/featuresphp.html

 

Product Introduction Overview:

“Your search to find the best photo gallery has led you to the most feature rich, best performing, and most widely used gallery available today. PhotoPost is the best way to offer your users the ability to upload, show off, share, discuss, and rate photos and videos on your site. We originally created PhotoPost in 2001 for TechIMO.com, our parent company’s own tech discussion website with 2 Million forum posts and 200,000 users, and within weeks we were inundated with requests, so we decided to develop it into a product. Over the past 8 years, PhotoPost has undergone more than 100 “dot” updates by a team of expert developers to add features, tweak performance, and maximize stability. Always in high demand, PhotoPost has been purchased by a staggering 14,500 websites. PhotoPost is most popular amongst vBulletin forum owners. That’s because we designed PhotoPost from the beginning to integrate efficiently with a website’s existing vBulletin forum, offering users one integrated login and registration instead of two, stylesheet integration, and other enhancements. But what PhotoPost does well for vBulletin owners, it does equally well for those that wish to integrate a gallery with many other forum types, or to simply add a photo gallery to their website with no forum at all. ”

 

 

 

(2) Vulnerability Details:

PhotoPost PHP web application has a computer security problem. Hackers can exploit it by XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. PhotoPost PHP has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations.

 

 

(2.1) The code flaw occurs at “|utmcct” parameter in “__utmz” Cookie.

For example, if a victim clicks the link below.

http://localhost/gallery/showphoto.php/photo/846/sort/’”><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)&gt;

The content of “__utmz” cookie will be the following:

__utma 194200300.1295483682.1438243020.1438243020.1438245659.2

__utmc 194200300

__utmz 194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com|utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral

__qca P0-814178849-1438243024810

__utmb 194200300

bbsessionhash 1683dd3bd3edffbd8383db382f025eba

bblastvisit 1438246612

So the malicious code can work in the user’s browser for long time.

 

 

(2.2) Forum Integrations

“PhotoPost can optionally integrate as an add-on to an existing forum on your site, and we do this extremely well. PhotoPost is a perfect fit with a forum, because sharing and discussing photos within PhotoPost comes naturally for a forum community.

With our forum integration, your users will use their existing forum account to login to PhotoPost, without needing to register again and maintain a separate account. Additionally, we offer stylesheet integrations with several forums to easily setup your PhotoPost gallery to match your forum’s look and feel, and with vBulletin 3.x we offer several additional enhancements.”

Forum Software User Login Stylesheets Enhanced*

vBulletin 5.x

vBulletin 4.x

vBulletin 3.x

Xenforo 1.x

UBBThreads 6.X

UBBThreads 7.X

InvisionBoard 1.0

InvisionBoard 2.0

InvisionBoard 3.0

FusionBB

MyBB 1.0

SMF 1.05 and up

SMF 2.0 and up

WowBB

e107

PHPBB 2.0

PHPBB 3.0

WordPress 3.x

vBulletin 2.x

DCForums +

IkonBoard

Nuke

PostNuke

Mambo

XMB Forums

(Src: http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php)

 

 

 

 

References:
http://tetraph.com/security/xss-vulnerability/photopost-php/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02357.html
http://computerobsess.blogspot.com/2015/07/photopost-php-48c-cookie
http://marc.info/?l=full-disclosure&m=143841053704734&w=4
http://lists.openwall.net/full-disclosure/2015/08/01/1
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2300
https://hackertopic.wordpress.com/2015/07/30/photopost-xss/
http://seclists.org/fulldisclosure/2015/Aug/0
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://en.hackdig.com/08/26974.htm

KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

Tags

, , , , , , ,

KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

 

Exploit Title: KnowledgeTree login.php &errorMessage parameter Reflected XSS Web Security Vulnerability

Product: Knowledge Tree Document Management System

Vendor: Knowledge Inc

Vulnerable Versions: OSS 3.0.3b

Tested Version: OSS 3.0.3b

Advisory Publication: August 22, 2015

Latest Update: August 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

knowledge_tree_page

 

 

knowledge tree_xss

 

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

KnowledgeTree

 

Product & Vulnerable Versions:

Knowledge Tree Document Management System

OSS 3.0.3b

 

Vendor URL & Download:

Product can be obtained from here,
http://download.cnet.com/KnowledgeTree-Document-Management-System/3000-10743_4-10632972.html
http://www.knowledgetree.com/

 

Product Introduction Overview:

“KnowledgeTree is open source document management software designed for business people to use and install. Seamlessly connect people, ideas, and processes to satisfy all your collaboration, compliance, and business process requirements. KnowledgeTree works with Microsoft® Office®, Microsoft® Windows® and Linux®.”

 

 

 

 

(2) Vulnerability Details:

KnowledgeTree web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. KnowledgeTree has patched some of them. “Bugtraq is an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, and almost all new vulnerabilities are discussed there.”. It has listed similar exploits, such as Bugtraq (Security Focus) 32920.

 

(2.1) The code flaw occurs at “&errorMessage” parameter in “login.php” page.

One similar bug is CVE-2008-5858. Its X-Force ID is 47529.

 

 

 

 

 

References:
http://seclists.org/oss-sec/2015/q3/458
http://tetraph.com/security/xss-vulnerability/knowledgetree-oss-3-0-3b-reflected-xss/
https://progressive-comp.com/?l=oss-security&m=144094021709472
https://infoswift.wordpress.com/2015/08/31/knowledge-tree-xss/
http://japanbroad.blogspot.jp/2015/08/knowledge-tree-bug-exploit.html
http://marc.info/?l=full-disclosure&m=144099659719456&w=4
http://tetraph.blog.163.com/blog/static/234603051201573144123156/
http://www.openwall.com/lists/oss-security/2015/08/30/2
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02446.html
http://itinfotech.tumblr.com/post/128016383831/knowledge-tree-xss
http://germancast.blogspot.com/2015/08/knowledge-tree-xss.html
http://permalink.gmane.org/gmane.comp.security.oss.general/17655
http://webtech.lofter.com/post/1cd3e0d3_806e1d4

 

MOZILLA ONLINE WEBSITE TWO SUB-DOMAINS XSS (CROSS-SITE SCRIPTING) BUGS ( ALL URLS UNDER THE TWO DOMAINS)

Tags

6864_cTAUHWda_o-600x401

 

 

Domains:
http://lxr.mozilla.org/
http://mxr.mozilla.org/
(The two domains above are almost the same)

 

Websites information:
“lxr.mozilla.org, mxr.mozilla.org are cross references designed to display the Mozilla source code. The sources displayed are those that are currently checked in to the mainline of the mozilla.org CVS server, Mercurial Server, and Subversion Server; these pages are updated many times a day, so they should be pretty close to the latest‑and‑greatest.” (from Mozilla)

“Mozilla is a free-software community which produces the Firefox web browser. The Mozilla community uses, develops, spreads and supports Mozilla products, thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the Mozilla Foundation and its tax-paying subsidiary, the Mozilla Corporation. In addition to the Firefox browser, Mozilla also produces Thunderbird, Firefox Mobile, the Firefox OS mobile operating system, the bug tracking system Bugzilla and a number of other projects.” (Wikipedia)

 

 

 

(1) Vulnerability description:
Mozilla website has a computer cyber security problem. Hacker can attack it by XSS bugs. Here is the description of XSS: “Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.” (Acunetix)

 

 

All pages under the following two URLs are vulnerable.
http://lxr.mozilla.org/mozilla-central/source
http://mxr.mozilla.org/mozilla-central/source

This means all URLs under the above two domains can be used for XSS attacks targeting Mozilla’s users.

Since there are large number of pages under them. Meanwhile, the contents of the two domains vary. This makes the vulnerability very dangerous. Attackers can use different URLs to design XSS attacks to Mozilla’s variety class of users.

 

 

mozilla_lxr_2_xss

 

mozilla_mxr_1_xss

 

 

 

POC Codes:

http://lxr.mozilla.org/mozilla-central/source/<body onload=prompt(“justqdjing”)>

http://mxr.mozilla.org/mozilla-central/source/<body onload=prompt(“justqdjing”)>

http://mxr.mozilla.org/mozilla-central/source/webapprt/<body onload=prompt(“justqdjing”)>

(2) Vulnerability Analysis:
Take the following link as an example,
http://lxr.mozilla.org/mozilla-central/source/chrome/<attacktest&gt;

In the page reflected, it contains the following codes.

<a href=”/mozilla-central/source/chrome/%253Cattacktest%253E”>

<attacktest></attacktest>

</a>

If insert “<body onload=prompt(“justqdjing”)>” into the URL, the code can be executed.

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

 

 

(3) Vulnerability Disclosure:
The vulnerability have been reported to bugzilla.mozilla.org. Mozilla are dealing with this issue.

 

Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

CVE-2015-2209 – DLGuard Full Path Disclosure (Information Leakage) Web Security Vulnerabilitie

Tags

, , , , , , , , , , , , , , , , ,

hacker_hand-100155589-large

 
 

CVE-2015-2209 – DLGuard Full Path Disclosure (Information Leakage) Web Security Vulnerabilities

Exploit Title: DLGuard “/index.php?” “&c” parameter Full Path Disclosure Web Security Vulnerabilities

Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: January 18, 2015
Latest Update: March 20, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: CVE-2015-2209
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
Credit: Wang Jing [School of Mathematical Sciences (001), University of Science and Technology of China (USTC)] (@justqdjing)
 




Consultation Details:

(1) Vendor & Product Description:

Vendor:

DLGuard

Product & Version:

DLGuard
v4.5

Vendor URL & Download:

DLGuard can be obtained from here,

Product Introduction Overview:

“DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don’t have the time for.”

“DLGuard supports the three types, or methods, of sale on the internet:

<1>Single item sales (including bonus products!)
<2>Multiple item sales
<3>Membership websites”

“DLGuard is fully integrated with: PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, Click2Sell, Mal’s E-Commerce, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro, and even tracks your free product downloads. The DLGuard built-in Shopping Cart offers Paypal, Authorize.net, and 2Checkout payment options. The Membership areas allow Paypal, Clickbank, 2Checkout, and LinkPoint recurring billing as well as linking to any PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, E-Bullion, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro single sale and free products so that people who buy your products can access your members area. DLGuard is the perfect solution to secure your single sale item, such as a niche marketing website, software sales, ebook sales, and more! DLGuard not only protects your download page, but it makes setting up new products, or making changes to existing products so much quicker and easier than before.”

(2) Vulnerability Details:

DLGuard web application has a computer security bug problem. It can be exploited by information leakage attacks – Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
 
Several similar products vulnerabilities have been found by some other bug hunter researchers before. DLguard has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to important vulnerabilities.

(2.1) The first bug flaw occurs at “&c” parameter in “index.php?” page.

 

 
 
 
 

 
References:

 

Godaddy Online Website Covert Redirect Web Security Bugs Based on Google.com

Tags

,

StudyShare_GoDaddy2

 

Godaddy Online Website Covert Redirect Web Security Bugs Based on Google.com

 

(1) Domain:
godaddy.com

 

 

“GoDaddy is a publicly traded Internet domain registrar and web hosting company. As of 2014, GoDaddy was said to have had more than 59 million domain names under management, making it the world’s largest ICANN-accredited registrar. It serves more than 12 million customers and employs more than 4,000 people. The company is known for its celebrity spokespeople, Super Bowl ads and as being an online provider for small businesses. In addition to a postseason college football bowl game, it sponsors NASCAR. It has been involved in several controversies related to security and privacy. In addition to domain registration and hosting, GoDaddy also sells e-business related software and services.” (Wikipedia)

 

 

 

 

 

(2) Vulnerability Description:
Godaddy web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

The vulnerability occurs at “redirect.aspx?” page with “&target” parameter, i.e.
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com

 

 

 

(2.1) When a user is redirected from Godaddy to another site, Godaddy will check whether the redirected URL belongs to domains Godaddy’s whitelist, e.g.
google.com
apple.com

 

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Godaddy to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Godaddy directly.

 

One of the vulnerable domain is,
google.com

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://diebiyi.com/articles/“. Can suppose that this page is malicious.

 

Vulnerable URL:
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.godaddy.com

 

POC:
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fservice%3Dwise%26continue%3Dhttp%253A%252F%252Fgoogleads.g.doubleclick.net%252Faclk%253Fsa%253DL%2526ai%253DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%2526num%253D0%2526sig%253DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%2526client%253Dca-pub-0466582109566532%2526adurl%253Dhttp%253A%252F%252Fwww.tetraph.com%252Fcontact.html

 

 

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/godaddy-covert-redirect-vulnerability.html

 

 

(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-partyapplications.

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.

 

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

 

 
Related Articles:
https://twitter.com/tetraphibious/status/559167679353720834
http://tetraph.com/security/covert-redirect/godaddy-covert-redirect-vulnerability-based-on-google/
http://tetraph.blog.163.com/blog/static/234603051201444111919171/
http://whitehatpost.lofter.com/post/1cc773c8_706b6bf
http://japanbroad.blogspot.jp/2015/06/godaddy-bug.html
http://securitypost.tumblr.com/post/119439859067/itinfotech-id-oauth
https://infoswift.wordpress.com/2014/07/02/godaddy-hack/
http://germancast.blogspot.de/2014/06/godaddy-exploit.html
http://www.inzeed.com/kaleidoscope/covert-redirect/godaddy-covert-redirect-vulnerability-based-on-google/
https://mathfas.wordpress.com/2014/07/07/godaddy-hacking/

Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

Tags

, ,

Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

 

 

Exploit Title: Winmail Server badlogin.php &lid parameter Reflected XSS Web Security Vulnerability

Product: Winmail Server

Vendor: Winmail Server

Vulnerable Versions: 4.2 4.1

Tested Version: 4.2 4.1

Advisory Publication: August 24, 2015

Latest Update: August 30, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

winmail_page1

 

winmail_xss

 

 

Caution Details:

 



(1) Vendor & Product Description:

Vendor:

Winmail Server

 

Product & Vulnerable Versions:

Winmail Server

4.2 4.1

 

Vendor URL & Download:

Product can be obtained from here,
http://www.magicwinmail.net/download.asp

 


Product Introduction Overview:

“Winmail Server is an enterprise class mail server software system offering a robust feature set, including extensive security measures. Winmail Server supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam protection, anti-virus protection, SSL security, Network Storage, remote access, Web-based administration, and a wide array of standard email options such as filtering, signatures, real-time monitoring, archiving, and public email folders. Winmail Server can be configured as a mail server or gateway for ISDN, ADSL, FTTB and cable modem networks, beyond standard LAN and Internet mail server configurations.”

 

 

 


(2) Vulnerability Details:

Winmail Server web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Winmail Server has patched some of them. “scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training”. Scip has recorded similar XSS bugs, such as scipID 26980.

 

(2.1) The code flaw occurs at “&lid” parameter in “badlogin.php” page. In fact, CVE-2005-3692 mentions that “&retid” parameter in “badlogin.php” page is vulnerable to XSS attacks. But it does not mention “&lid” parameter”. The scipID of the bug is 26980. Bugtraq (SecurityFocus) ID is 15493. OSVDB ID is 20926.

 

 

 

 

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

Tags

, , , , , , , , , , , , , , , , , , , , ,

itsecurity

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

 

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

 

Exploit Title: CVE-2015-2563 Vastal I-tech phpVID /groups.php Multiple Parameters SQL Injection Web Security Vulnerabilities

Product: phpVID

Vendor: Vastal I-tech

Vulnerable Versions: 1.2.3 0.9.9

Tested Version: 1.2.3 0.9.9

Advisory Publication: March 13, 2015

Latest Update: April 25, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2563

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

Direction Details:



(1) Vendor & Product Description:



Vendor:

Vastal I-tech

 

Product & Vulnerable Versions:

phpVID

1.2.3

0.9.9

 

Vendor URL & Download:

phpVID can be approached from here,

http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA


Product Introduction Overview:

“phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy.”


“The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a “single dedicated server”. phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: http://www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com.”


“Server Requirements:

Preferred Server: Linux any Version

PHP 4.1.0 or above

MySQL 3.1.10 or above

GD Library 2.0.1 or above

Mod Rewrite and .htaccess enabled on server.

FFMPEG (If you wish to convert the videos to Adobe Flash)”

 

 

(2) Vulnerability Details:

phpVID web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other bug hunter researchers have found some SQL Injection vulnerabilities related to it before, too. phpVID has patched some of them.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpVID has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, solutions details related to important vulnerabilities.



(2.1) The first code programming flaw occurs at “&order_by” “&cat” parameters in “groups.php?” page.

 

 

 


Related Links:

http://packetstormsecurity.com/files/130754/Vastal-I-tech-phpVID-1.2.3-SQL-Injection.html

https://progressive-comp.com/?l=full-disclosure&m=142601071700617&w=2

http://seclists.org/fulldisclosure/2015/Mar/58

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1699

http://lists.openwall.net/full-disclosure/2015/03/10/8

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142601071700617&w=2

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2563/

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551597501701&w=2

https://cxsecurity.com/issue/WLB-2015020091

https://www.facebook.com/permalink.php?story_fbid=935563809832135&id=874373602617823

http://t.qq.com/p/t/482410003538035

http://biboying.lofter.com/post/1cc9f4f5_6ee2aa5

http://mathpost.tumblr.com/post/118768553885/xingti-cve-2015-2563-vastal-i-tech-phpvid

http://essayjeans.lofter.com/post/1cc7459a_6ee4fcb

http://xingti.tumblr.com/post/118768481545/cve-2015-2563-vastal-i-tech-phpvid-1-2-3-sql

https://plus.google.com/113698571167401884560/posts/gftS84rfD3A

https://itswift.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/

https://www.facebook.com/essayjeans/posts/827458144012006

https://tetraph.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/

http://mathstopic.blogspot.com/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html

http://yurusi.blogspot.sg/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html

https://twitter.com/tetraphibious/status/598057025247907840

http://tetraph.blog.163.com/blog/static/23460305120154125453111/


CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

Tags

, , , , , , , , , , , , , , , , , , , ,

 

CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

 

Exploit Title: vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities
Product: vBulletin Forum
Vendor:vBulletin
Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4
Tested Version:5.1.3 4.2.2
Advisory Publication: February 12, 2015
Latest Update:February 26, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9469
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Writer and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
 
 
 

Preposition Details:
(1) Vendor & Product Description:
Vendor:
vBulletin
 

Product & Version:
vBulletin Forum
5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4
 

Vendor URL & Download:
vBulletin can be acquired from here,

 

Product Introduction Overview:
“vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.”
Since the initial release of the vBulletin forum product in 2000, there have been many changes and improvements. Below is a list of the major revisions and some of the changes they introduced. The current production version is 3.8.7, 4.2.2, and 5.1.3.
Simplified site set up and customization
The new Site Builder makes it easier than ever to build and manage a site. Customizable page templates, drag-and-drop configuration and in-line site editing simplify page layout. A variety of design themes can be easily selected.
Dynamic tools for content discovery
Customizable content modules provide enhanced content discovery, engaging users into deeper site visits. The vBulletin search has been re-architected to significantly improve the quality of its results, further facilitating content discovery.
Sleek new UI features activity stream and increased social engagement
Improved social functionality includes groups, new user profiles, comments functionality, an integrated messaging hub, social content curation, real-time updates and more.
Expanded photo and video capabilities
The new interface invites users to quickly post photos and video, expanding content on vBulletin sites. This media is then leveraged by being better integrated with the rest of a site’s content. User profiles provide an engaging aggregation of all media posted by them.
Category-leading mobile optimization
The integrated mobile-optimized version ensures smartphone visitors will stay longer and return.
Robust architecture
Improved architecture provides better performance and easier customization
Built-in SEO helps maximize search traffic
Easy-to-use upgrader tool available for vBulletin 3 and 4 sites, plus importer for sites on other forum software”

 
 
 

(2) Vulnerability Details:
vBulletin web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.
Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. vBulletion has patched some of them. Gmane (pronounced “mane”) is an e-mail to news gateway. It allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list’s inclusion on the service. It has published suggestions, advisories, solutions related to important vulnerabilities.
 

(2.1) The programming code flaw occurs at “forum/help” page. Add “hash symbol” first. Then add script at the end of it.
 
 
 
 
 
Related Work:

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

Tags

, , , , , , , , , , , , , , , , , , , , , , , , , , ,

GTY_email_hacker_dm_130718_16x9_608

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities



Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.* 4.*.0.*

Tested Version: 5.*.0.* 4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Information Details:



(1) Vendor & Product Description:



Vendor:

SuperWebMailer




Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875



Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/




Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”


“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”


“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”






(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.



Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.


(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.










Related Work:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html





CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Tags

, , , , , , , , , , , , , , , , , , , , , , ,

Cybersecurity-crash-course

CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: InstantForum.NET

Vendor: InstantASP

Vulnerable Versions: v4.1.3   v4.1.1   v4.1.2   v4.0.0   v4.1.0   v3.4.0

Tested Version: v4.1.3   v4.1.1   v4.1.2

Advisory Publication: February 18, 2015

Latest Update: April 05, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9468

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

Preposition Details:

(1) Vendor & Product Description:

Vendor:

InstantASP

 

Product & Version:

InstantForum.NET

v4.1.3   v4.1.1   v4.1.2   v4.0.0   v4.1.0   v3.4.0

 

Vendor URL & Download:

InstantForum.NET can be purchased from here,

http://docs.instantasp.co.uk/InstantForum/default.html?page=v413tov414guide.html

 

Product Introduction Overview:

“InstantForum.NET is a feature rich, ultra high performance ASP.NET & SQL Server discussion forum solution designed to meet the needs of the most demanding online communities or internal collaboration environments. Now in the forth generation, InstantForum.NET has been completely rewritten from the ground-up over several months to introduce some truly unique features & performance enhancements.“
“The new administrator control panel now offers the most comprehensive control panel available for any ASP.NET based forum today. Advanced security features such as role based permissions and our unique Permission Sets feature provides unparalleled configurable control over the content and features that are available to your users within the forum. Moderators can easily be assigned to specific forums with dedicated moderator privileges for each forum. Bulk moderation options ensure even the busiest forums can be managed effectively by your moderators.”
“The forums template driven skinning architecture offers complete customization support. Each skin can be customized to support a completely unique layout or visual appearance. A single central style sheet controls every aspect of a skins appearance. The use of unique HTML wrappers and ASP.NET 1.1 master pages ensures page designers can easily integrate an existing design around the forum. Skins, wrappers & master page templates can be applied globally to all forums or to any specific forum.”

 

 

(2) Vulnerability Details:

InstantForum.NET web application has a cyber security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. InstantForum has patched some of them. BugScan is the first community-based scanner, experienced five code refactoring. It has redefined the concept of the scanner provides sources for the latest info-sec news, tools, and advisories. It also publishs suggestions, advisories, cyber intelligence, attack defense and solutions details related to important vulnerabilities.

 

(2.1) The first programming code flaw occurs at “&SessionID” parameter in “Join.aspx?” page.
(2.2) The second programming code flaw occurs at “&SessionID” parameter in “Logon.aspx?” page.

 

 

 

 

References:

http://tetraph.com/security/cves/cve-2014-9468-instantasp-instantforum-net-multiple-xss-cross-site-scripting-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/cve-2014-9468-instantasp.html

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9468

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9468

http://packetstormsecurity.com/files/authors/11717

http://marc.info/?a=139222176300014&r=1&w=4

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://lists.openwall.net/full-disclosure/2015/02/18/7

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1608

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01704.html

http://seclists.org/fulldisclosure/2015/Feb/70

http://www.inzeed.com/kaleidoscope/cves/cve-2014-9468/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9468/

https://vulnerabilitypost.wordpress.com/2015/02/18/cve-2014-9468/

https://mathfas.wordpress.com/2015/05/13/cve-2014-9468/

http://www.tetraph.com/blog/cves/cve-2014-9468/

http://computerobsess.blogspot.com/2015/05/cve-2014-9468-instantasp.html

http://tetraph.blogspot.com/2015/05/cve-2014-9468.html