OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

14 Sunday Jun 2015

Posted by essaybeans in 0day, CRLF, Web Application

Tags

0day Bug, Code Flaw, Computer Science, crime prevention, CRLF, cyber-intelligence, exploit, Hacking Attack, HTTP Response Splitting, Internet Testing, IT News, NetCat CMS, OSVDB 119342, OSVDB 119343, Vulnerabilities, Web Security, whitehat

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: March 07, 2015

Latest Update: March 07, 2015

Vulnerability Type: Improper Neutralization of CRLF Sequences (‘CRLF Injection’) [CWE-93]

CVE Reference: *

OSVDB Reference: 119342, 119343

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Advisory Details:

(1) Vendor & Product Description:

Vendor:

NetCat

Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:

NetCat can be got from here,

http://netcat.ru/

Product Introduction:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at “/post.php” page with “redirect_url” parameter by adding “%0d%0a%20”.

(2.2) The second code flaw occurs at “redirect.php?” page with “url” parameter by adding “%0d%0a%20”.

Reference:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

11 Thursday Jun 2015

Posted by essaybeans in 0day, Open Redirect, Spam

≈ Leave a comment

Tags

0Day, 0day Bug, オンライン, オープンリダイレクト, サイバーセキュリティ, ハッキング防止, ホワイトハット, Computer Science, cyber-security, 脆弱性, FC2, Internet Problem, Japan Web, Online, Open Redirect, URF, Vulnerabilities, Web Service, Webサービス, whitehat, 日本のWeb, 未検証

<b>FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities</b>

</div>
<div></div>
<div></div>
<div>

<b>Domain:
</b>fc2.com

</div>
<div></div>
<div></div>
<div>

“FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third most popular video hosting service in Japan (after YouTube and Niconico), and a web hosting company headquartered in Las Vegas, Nevada. It is the sixth most popular website in Japan overall (as of January 2014). FC2 is an abbreviation of “Fantastic Kupi-Kupi (クピクピ)”. It is known to allow controversial adult content such as pornography and hate speech (unlike many of its competitors). The company uses rented office space for its headquarters which it shares with many other U.S.-based businesses. It also pays taxes in the United States. The physical servers are located in the United States. However, it is believed that the majority of the company and its users (including employees) are located within Japan” (Wikipedia)

</div>
<div></div>
<div></div>
<div></div>
<div>

The Alexa rank of fc2.com is 52 on February 18 2015. It is the toppest Japanese local website sevice.

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>(1) Vulnerability Description:</b>

</div>
<div></div>
<div>

FC2 online web service has a computer cyber security bug problem. It can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.” One consequences of it is Phishing. (OWASP)

</div>
<div></div>
<div></div>
<div>

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

</div>
<div></div>
<div>

In fact, during the test, it is not hard to find URL Redirection bugs in FC2. Maybe fc2.com pays little attention to mitigate these Vulnerabilities. These bugs were found by using URFDS.

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>(2) </b>Use one of webpages for the following tests. The webpage address is “<a href=”http://securitypost.tumblr.com/”>http://securitypost.tumblr.com/</a>”. Can suppose that this webpage is malicious.

</div>
<div></div>
<div></div>
<div>

Vulnerable URL 1:
<a href=”http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F”>http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F</a>

</div>
<div></div>
<div>

POC Code:
<a href=”http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html</a>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

Vulnerable URL 2:
<a href=”http://blogranking.fc2.com/out.php?id=104304&url=http%3A%2F%2Ffc2.com%2F”>http://blogranking.fc2.com/out.php?id=104304&url=http%3A%2F%2Ffc2.com%2F</a>

</div>
<div></div>
<div>

POC Code:
<a href=”http://blogranking.fc2.com/out.php?id=104304&url=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blogranking.fc2.com/out.php?id=104304&url=http://www.tetraph.com/essayjeans/poems/distance.html</a>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>Poc Video:
</b><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”https://www.youtube.com/watch?v=r8vU2Z-ueQI”>https://www.youtube.com/watch?v=r8vU2Z-ueQI</a></span>

</div>
<div></div>
<div>

</div>
<div></div>
<div></div>
<div></div>
<div>

<b>Vulnerability Disclosure:
</b>Those vulnerabilities were reported to Rakuten, they are still unpatched.

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (<a href=”https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts/7cupBPk6YR3″>@justqdjing</a>)
<a href=”http://www.tetraph.com/wangjing”>http://www.tetraph.com/wangjing</a>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

==================

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>FC2オンラインWebサービスオープンリダイレクト（未検証のリダイレクトとフォワード）サイバー·セキュリティの脆弱性</b>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>ドメイン：
</b>fc2.com

</div>
<div></div>
<div></div>
<div>

（1999年7月20日に設立）」FC2は、日本の人気ブログのホスト、（YouTubeやニコニコ後）は、日本で3番目に人気のビデオホスティングサービス、およびラスベガス、ネバダ州に本社を置くウェブホスティング会社です。それは第六最も人気のあります日本のウェブサイトは、全体的な。（2014年1月のように）FC2はの略で、「ファンタスティックKupi-Kupi（クピクピ）」。このようなポルノのような論争のアダルトコンテンツを許可し、（競合他社の多くとは異なり）スピーチを憎むことが知られています。」（ウィキペディア）

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

fc2.comのAlexaのランクはそれがtoppest日本のローカルウェブサイトの流通サービスである2月18日2015年52あります。

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>（1）脆弱性の説明：</b>

</div>
<div></div>
<div>

FC2オンラインWebサービスは、コンピュータのサイバーセキュリティバグの問題があります。それは、オープンリダイレクト（未検証のリダイレクトとフォワード）攻撃によって悪用される可能性があります。ここでオープンリダイレクトの説明は次のとおりです。「オープンリダイレクトがパラメータを受け取り、何の検証も行わずにパラメータ値にユーザーをリダイレクトするアプリケーションです。この脆弱性は、それを実現することなく、悪質なサイトを訪問するユーザーを取得するためにフィッシング攻撃で使用されています。。 “それの一つの結果はフィッシングです。（OWASP）

</div>
<div></div>
<div></div>
<div></div>
<div>

プログラムコードの欠陥は、ユーザのログインなしで攻撃される可能性があります。テストは、Windows 7のMicrosoftのIE（9 9.0.8112.16421）で行われた、Mozilla Firefoxの（37.0.2）＆グーグルクロム42.0.2311のUbuntuの（64ビット）（14.04.2）はMac OSのアップルのSafari 6.1.6 X v10.9マーベリックス。

</div>
<div></div>
<div></div>
<div></div>
<div>

実際には、テスト時には、FC2内のURLリダイレクトのバグを見つけることは難しいことではありません。多分fc2.comは、これらの脆弱性を軽減するためにはほとんど注意を払っています。

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>（2）</b>以下の試験のためのWebページのいずれかを使用します。ウェブページアドレスは「<a href=”http://securitypost.tumblr.com/”>http://securitypost.tumblr.com/</a>」です。このウェブページに悪意であるとすることができます。

</div>
<div></div>
<div></div>
<div>

脆弱URL 1：
<a href=”http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F”>http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F</a>

</div>
<div></div>
<div>

POCコード：
<a href=”http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html</a>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

脆弱URL 2：
<a href=”http://blogranking.fc2.com/out.php?id=104304&url=http%3A%2F%2Ffc2.com%2F”>http://blogranking.fc2.com/out.php?id=104304&url=http%3A%2F%2Ffc2.com%2F</a>

</div>
<div></div>
<div>

POCコード：
<a href=”http://blogranking.fc2.com/out.php?id=104304&url=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blogranking.fc2.com/out.php?id=104304&url=http://www.tetraph.com/essayjeans/poems/distance.html</a>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>脆弱性の公開：
</b>これらの脆弱性は楽天に報告された、彼らはまだパッチを適用していないです。

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

発見し、レポーター：
王ジン (Wang Jing)、数理科学研究部門（MAS）、物理的および数理科学科（SPMS）、南洋理工大学（NTU）、シンガポール。（<a href=”https://twitter.com/justqdjing/status/608913928874123265″>@justqdjing</a>）
<a href=”http://www.tetraph.com/wangjing”>http://www.tetraph.com/wangjing</a>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

<b>POCビデオ：
</b><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”https://www.youtube.com/watch?v=r8vU2Z-ueQI”>https://www.youtube.com/watch?v=r8vU2Z-ueQI</a></span>

</div>
<div></div>
<div></div>
<div></div>
<div>

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

14 Tuesday Apr 2015

Posted by essaybeans in HTML Injection, OSVDB, Web Application

≈ 1 Comment

Tags

0day-exploit, 3.12, Computer Science, cyber-intelligence, Hack Prevention, HTML Injection, internet, IT Bug, justqdjing, NetCat CMS, OSVDB 120807, Program Flaw, tetraph, Vulnerabilities, Web Application, Web Security, Whitehat Test

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Improper Input Validation [CWE-20]

CVE Reference: *

OSVDB Reference: 120807

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Advisory Details:

(1) Vendor & Product Description:

Vendor:

NetCat

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:

NetCat can be downloaded from here,

http://netcat.ru/

Product Introduction Overview:

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user’s trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.

(2.1) The programming code flaw occurs at “/catalog/search.php?” page with “&q” parameter.

Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

14 Tuesday Apr 2015

Posted by essaybeans in Computer Technology, IT Security

≈ 1 Comment

Tags

0-day, Application Exploit, browser, Computer Science, Computer Security, cve, cyber-security, Database Tech, Hacker Research, Information Security, Internet Testing, IT Security, IT Technology, PHP Code, Scripting Programming, vulnerability, Web Development, Web Flaw, Web Security, Website Bug, white-hat

Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

Exploit Title: Opoint Media Intelligence click.php? &noblink parameter URL Redirection Security Vulnerabilities

Vendor: Opoint

Product: Opoint Media Intelligence

Vulnerable Versions:

Tested Version:

Advisory Publication: April 14, 2015

Latest Update: April 14, 2015

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

Discover and Writer: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

Opoint

Product & Version:

Opoint Media Intelligence

Vendor URL & Download:

Opoint Media Intelligence can be got from here,

http://www.opoint.com/index.php?page=home

Product Introduction Overview:

“Today, some libraries want to enhance their online presence in ways that go beyond the traditional OPAC and the “library portal” model to better integrate the latest Web functionality. With Opoint Media Intelligence, libraries will be able to take advantage of the latest Web technologies and engage Web-savvy users more effectively than ever before. Opoint Media Intelligence is a complete update of the Web OPAC interface”

“Opoint Media Intelligence breaks through the functional and design limitations of the traditional online catalog. Its solid technology framework supports tools for patron access such as Spell Check; integrated Really Simple Syndication (RSS) feeds; a suite of products for seamless Campus Computing; and deep control over information content and presentation with Cascading Style Sheets (CSS). Opoint Media Intelligence is also a platform for participation when integrated with Innovative’s Patron Ratings features and Community Reviews product. What’s more, with Opoint Media Intelligence’s RightResult™ search technology, the most relevant materials display at the top so patrons get to the specific items or topics they want to explore immediately. Opoint Media Intelligence can also interconnect with Innovative’s discovery services platform, Encore. And for elegant access through Blackberry® Storm™ or iPhone™, the AirPAC provides catalog searching, item requesting, and more.”

(2) Vulnerability Details:

Opoint Media Intelligence web application has a security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Other Opoint products 0day vulnerabilities have been found by some other bug hunter researchers before. Opoint has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to Open Redirect vulnerabilities.

(2.1) The first code programming flaw occurs at “func/click.php?” page with “&noblink” parameter.

References:

http://tetraph.com/security/open-redirect/opoint-media-intelligence-unvalidated-redirects-and-forwards/

http://securityrelated.blogspot.com/2015/04/opoint-media-intelligence-unvalidated.html

http://www.inzeed.com/kaleidoscope/computer-web-security/opoint-media-intelligence-open-redirect/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/opoint-media-intelligence-open-redirect/

https://computerpitch.wordpress.com/2015/04/14/opoint-media-intelligence-open-redirect/

http://www.iedb.ir/author-Wang%20Jing.html

http://www.websecuritywatch.com/open-redirect-vulnerability-in-wordpress-newsletter-2-6-x-2-5-x/

http://lists.openwall.net/full-disclosure/2015/03/02/7

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1646

Times of India website vulnerable to Cross Site Scripting (XSS) attacks

04 Saturday Apr 2015

Posted by essaybeans in IT Security

≈ Leave a comment

Tags

0-day, Application Exploit, browser, Computer Science, Computer Security, cyber-security, Database Tech, Hacker Research, Information Security, Internet Testing, IT Security, IT Technology, PHP Code, Scripting Programming, vulnerability, Web Development, Web Flaw, Web Security, Website Bug, white-hat

Times of India website vulnerable to Cross Site Scripting (XSS) attacks

India’s premier daily and popular website, Times of India is vulnerable to critical cross site scripting (XSS) attacks. Times of India which operates a website called indiatimes.com is a top news website in India and elsewhere.

The XSS vulnerability in the Times of India website was discovered by Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He has found that the vulnerability occurs atIndiatimes’s URL links. Indiatimes only party filters the filenames in its website. Jing says due to this almost all URLs under Indiatimes’s “Photogallery” and “Top-lists” topics are affected by this vulnerability.

http://mathdaily.lofter.com/post/1cc75b20_4180765

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities

04 Saturday Apr 2015

Posted by essaybeans in CVE, FPD, Information Leakage

≈ Leave a comment

Tags

0day-exploit, attack-defense, bug-vulnerability, Computer Science, Computer Security, computer-engineering, crime-prevent, cve-information, cyber-intelligence, cyber-security, FPD, Full Path Disclosure, hacker-prevention, IEEE, Information Leakage, Internet-information, IT News, math student, NetCat, PHP Code, wangjing, web-application-test, whitehat-technology

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities

Exploit Title: CVE-2015-2214 NetCat CMS Full Path Disclosure Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 5.01 3.12

Advisory Publication: February 27, 2015

Latest Update: May 05, 2015

Vulnerability Type: Information Leak / Disclosure [CWE-200]

CVE Reference: CVE-2015-2214

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information

Credit and Writer: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Consultation Details:

(1) Vendor & Product Description:

Vendor:

NetCat

Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:

NetCat can be accessed from here,

http://netcat.ru/

Product Introduction Overview:

“We give a discount on any edition NetCat

We try to help our partners to enter into a close-knit team. To reduce your expenses on the development of a new system, we provide special conditions for the acquisition of commercial licenses NetCat, for a partner is assigned a permanent discount of 40%, which according to the results of further sales could be increased to 60%.”

“Teach your developers work with the secrets NetCat

In addition to the detailed documentation and video tutorials to new partners we offer a unique free service – direct contact with the developer from the team NetCat, which will help in the development of product development tools.”

“We give customers

Once you develop the three sites NetCat information about you appear in our ranking developers. This means that you not only begin to receive direct requests from clients but also become a member of tenders conducted by customers. In addition, if the partner is really good work, employees NetCat begin recommending it to clients requesting assistance in the choice of contractor.”

“We will help in the promotion of

The company is a regular participant NetCat large number of forums, seminars and conferences. We are happy to organize together with partners involved, help with advertising materials and share information for the report.”

“Confirmed its status in the eyes of customers

We have a very flexible system of certification of partners: we do not give certificates for the sale of licenses and for the developed sites. So, for example, to obtain a certificate “Development of corporate websites’ to add to your personal account three implementation of the appropriate type.”

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by information leakage attacks – Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Netcat has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to important vulnerabilities.

(2.1) The first programming code flaw occurs at “&redirect_url” parameter in “netshop/post.php?” page.

References:

http://tetraph.com/security/full-path-disclosure-vulnerability/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/netcat-cms-full-path-disclosure.html

http://seclists.org/fulldisclosure/2015/Mar/8

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01740.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1645

http://lists.openwall.net/full-disclosure/2015/03/02/6

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142527117510514&w=2

http://marc.info/?l=full-disclosure&m=142527117510514&w=4

https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://www.tetraph.com/blog/information-leakage-vulnerability/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

http://essayjeans.blog.163.com/blog/static/2371730742015411113047382/

http://www.weibo.com/1644370627/ChjMoA9hD?type=comment#_rnd1431315096193

http://homehut.lofter.com/post/1d226c81_6eae13a

http://qianqiuxue.tumblr.com/post/118667786020/cve-2015-2214-netcat-cms-full-path-disclosure

http://frenchairing.blogspot.sg/2015/05/cve-2015-2214-netcat-cms-full-path.html

https://dailymem.wordpress.com/2015/05/10/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

https://www.facebook.com/mathtopics/posts/459369960879593

https://plus.google.com/u/0/110001022997295385049/posts/XNQAXkF1me7

https://twitter.com/yangziyou/status/597607457670569985

CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Security Vulnerability

04 Saturday Apr 2015

Posted by essaybeans in IT Security

≈ Leave a comment

Tags

CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Security Vulnerability
Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon
Vendor: Atlas Systems
Vulnerable Versions: 3.6 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9
Exploitability Subscore: 8.6

Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore]

http://xingzhehong.lofter.com/post/1cfd0db2_55b5153

CVE-2014-7293 NYU OpenSSO Integration XSS (Cross-Site Scripting) Security Vulnerability

24 Tuesday Mar 2015

Posted by essaybeans in IT Security

≈ Leave a comment

Tags

Exploit Title: NYU OpenSSO Integration Logon Page url Parameter XSS

Product: OpenSSO Integration

Vendor: NYU

Vulnerable Versions: 2.1 and probability prior

Tested Version: 2.1

Advisory Publication: DEC 29, 2014

Latest Update: DEC 29, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7293

Risk Level: Medium

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/xss-vulnerability/cve-2014-7293-nyu-opensso-integration-xss-cross-site-scripting-security-vulnerability/

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

12 Thursday Mar 2015

Posted by essaybeans in 0day, CVE, SQL Injection

≈ Leave a comment

Tags

0-day Exploit, Bug-Hunter, Computer Science, Computer Security, Crime-Defense, CVE-Publish, cyber-intelligence, cyber-security, Hack-Prevent, IEEE, Internet-Attack-Testing, IT News, JingWang, math student, PHP-Code-Flaw, SQL Injection, Vulnerability Information, web-application-test, whitehat-technology

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

Exploit Title: CVE-2015-2066 DLGuard /index.php c parameter SQL Injection Web Security Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v4.5

Tested Version: v4.5

Advisory Publication: February 18, 2015

Latest Update: May 01, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2066

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Caution Details:

(1) Vendor & Product Description:

Vendor:

DLGuard

Product & Version:

DLGuard

v4.5

Vendor URL & Download:

DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php

Product Introduction Overview:

“DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don’t have the time for.”

“DLGuard supports the three types, or methods, of sale on the internet:

<1>Single item sales (including bonus products!)

<2>Multiple item sales

<3>Membership websites”

“DLGuard is fully integrated with: PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, Click2Sell, Mal’s E-Commerce, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro, and even tracks your free product downloads. The DLGuard built-in Shopping Cart offers Paypal, Authorize.net, and 2Checkout payment options. The Membership areas allow Paypal, Clickbank, 2Checkout, and LinkPoint recurring billing as well as linking to any PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, E-Bullion, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro single sale and free products so that people who buy your products can access your members area. DLGuard is the perfect solution to secure your single sale item, such as a niche marketing website, software sales, ebook sales, and more! DLGuard not only protects your download page, but it makes setting up new products, or making changes to existing products so much quicker and easier than before.”

(2) Vulnerability Details:

DLGuard web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. DLguard has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to important vulnerabilities.

(2.1) The bug programming flaw vulnerability occurs at “&c” parameter in “index.php?” page.

References:

http://seclists.org/fulldisclosure/2015/Feb/69

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01703.html

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1607

http://lists.openwall.net/full-disclosure/2015/02/18/6

http://marc.info/?a=139222176300014&r=1&w=4

http://www.tetraph.com/blog/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://www.inzeed.com/kaleidoscope/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

https://plus.google.com/u/0/107140622279666498863/posts/44pDNaZao8v