• About

computer pitch

~ Computer Technology, News, Security …

computer pitch

Tag Archives: Computer Science

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

14 Sunday Jun 2015

Posted by essaybeans in 0day, CRLF, Web Application

≈ Leave a comment

Tags

0day Bug, Code Flaw, Computer Science, crime prevention, CRLF, cyber-intelligence, exploit, Hacking Attack, HTTP Response Splitting, Internet Testing, IT News, NetCat CMS, OSVDB 119342, OSVDB 119343, Vulnerabilities, Web Security, whitehat

netcat_1

 

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

 

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: March 07, 2015

Latest Update: March 07, 2015

Vulnerability Type: Improper Neutralization of CRLF Sequences (‘CRLF Injection’) [CWE-93]

CVE Reference: *

OSVDB Reference: 119342, 119343

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

Advisory Details:



(1) Vendor & Product Description:



Vendor:

NetCat

 

Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be got from here,

http://netcat.ru/

 

Product Introduction:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at “/post.php” page with “redirect_url” parameter by adding “%0d%0a%20”.

(2.2) The second code flaw occurs at “redirect.php?” page with “url” parameter by adding “%0d%0a%20”.

 

 

 

 

Reference:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

Advertisements

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

11 Thursday Jun 2015

Posted by essaybeans in 0day, Open Redirect, Spam

≈ Leave a comment

Tags

0Day, 0day Bug, オンライン, オープンリダイレクト, サイバーセキュリティ, ハッキング防止, ホワイトハット, Computer Science, cyber-security, 脆弱性, FC2, Internet Problem, Japan Web, Online, Open Redirect, URF, Vulnerabilities, Web Service, Webサービス, whitehat, 日本のWeb, 未検証

<div><a href=”https://vulnerabilitypost.files.wordpress.com/2015/06/fc2_com_2.png”><img class=”alignnone  wp-image-434″ src=”https://vulnerabilitypost.files.wordpress.com/2015/06/fc2_com_2.png?w=300&#8243; alt=”fc2_com_2″ width=”483″ height=”314″ /></a></div>
<div></div>
<div>

&nbsp;

<b>FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities</b>

</div>
<div></div>
<div></div>
<div>

&nbsp;

<b>Domain:
</b>fc2.com

</div>
<div></div>
<div></div>
<div>

“FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third most popular video hosting service in Japan (after YouTube and Niconico), and a web hosting company headquartered in Las Vegas, Nevada. It is the sixth most popular website in Japan overall (as of January 2014). FC2 is an abbreviation of “Fantastic Kupi-Kupi (クピクピ)”. It is known to allow controversial adult content such as pornography and hate speech (unlike many of its competitors). The company uses rented office space for its headquarters which it shares with many other U.S.-based businesses. It also pays taxes in the United States. The physical servers are located in the United States. However, it is believed that the majority of the company and its users (including employees) are located within Japan” (Wikipedia)

</div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

The Alexa rank of fc2.com is 52 on February 18 2015. It is the toppest Japanese local website sevice.

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

&nbsp;

<b>(1) Vulnerability Description:</b>

</div>
<div></div>
<div>

FC2 online web service has a computer cyber security bug problem. It can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.” One consequences of it is Phishing. (OWASP)

</div>
<div></div>
<div></div>
<div>

&nbsp;

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) &amp; Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

</div>
<div></div>
<div>

&nbsp;

In fact, during the test, it is not hard to find URL Redirection bugs in FC2. Maybe fc2.com pays little attention to mitigate these Vulnerabilities. These bugs were found by using URFDS.

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

&nbsp;

<b>(2) </b>Use one of webpages for the following tests. The webpage address is “<a href=”http://securitypost.tumblr.com/”>http://securitypost.tumblr.com/</a>&#8221;. Can suppose that this webpage is malicious.

</div>
<div></div>
<div></div>
<div>

&nbsp;

Vulnerable URL 1:
<a href=”http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F”>http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F</a&gt;

</div>
<div></div>
<div>

POC Code:
<a href=”http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html</a&gt;

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

Vulnerable URL 2:
<a href=”http://blogranking.fc2.com/out.php?id=104304&amp;url=http%3A%2F%2Ffc2.com%2F”>http://blogranking.fc2.com/out.php?id=104304&amp;url=http%3A%2F%2Ffc2.com%2F</a&gt;

</div>
<div></div>
<div>

POC Code:
<a href=”http://blogranking.fc2.com/out.php?id=104304&amp;url=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blogranking.fc2.com/out.php?id=104304&amp;url=http://www.tetraph.com/essayjeans/poems/distance.html</a&gt;

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

<b>Poc Video:
</b><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”https://www.youtube.com/watch?v=r8vU2Z-ueQI”>https://www.youtube.com/watch?v=r8vU2Z-ueQI</a></span&gt;

</div>
<div></div>
<div>

&nbsp;

&nbsp;

<b>Related Articles:
</b><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://tetraph.com/security/security-news/fc2-service-open-redirect/”>http://tetraph.com/security/security-news/fc2-service-open-redirect/
</a></span><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://securityrelated.blogspot.com/2015/06/fc2-online-web-service-open-redirect.html”>http://securityrelated.blogspot.com/2015/06/fc2-online-web-service-open-redirect.html
</a></span><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://diebiyi.com/articles/news/fc2-service-open-redirect/”>http://diebiyi.com/articles/news/fc2-service-open-redirect/
</a></span><a href=”http://japanbroad.blogspot.jp/2015/06/fc2-web-url-redirection.html&#8221; target=”_blank”>http://japanbroad.blogspot.jp/2015/06/fc2-web-url-redirection.html
</a><a href=”https://hackertopic.wordpress.com/2015/06/11/fc2-web-url-redirection/&#8221; target=”_blank”>https://hackertopic.wordpress.com/2015/06/11/fc2-web-url-redirection/
</a><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://www.inzeed.com/kaleidoscope/it-news-2/fc2-service-open-redirect/”>http://www.inzeed.com/kaleidoscope/it-news-2/fc2-service-open-redirect/
</a></span><a href=”http://whitehatpost.blog.163.com/blog/static/24223205420155114363714/&#8221; target=”_blank”>http://whitehatpost.blog.163.com/blog/static/24223205420155114363714/
</a><a href=”https://infoswift.wordpress.com/2015/06/11/fc2-web-url-redirection/&#8221; target=”_blank”>https://infoswift.wordpress.com/2015/06/11/fc2-web-url-redirection/
</a><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://computerobsess.blogspot.com/2015/06/fc2-service-open-redirect.html”>http://computerobsess.blogspot.com/2015/06/fc2-service-open-redirect.html</a></span&gt;

</div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

<b>Vulnerability Disclosure:
</b>Those vulnerabilities were reported to Rakuten, they are still unpatched.

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

&nbsp;

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (<a href=”https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts/7cupBPk6YR3″>@justqdjing</a&gt;)
<a href=”http://www.tetraph.com/wangjing”>http://www.tetraph.com/wangjing</a&gt;

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

==================

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

&nbsp;

<b>FC2オンラインWebサービスオープンリダイレクト(未検証のリダイレクトとフォワード)サイバー·セキュリティの脆弱性</b>

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

<b>ドメイン:
</b>fc2.com

</div>
<div></div>
<div></div>
<div>

(1999年7月20日に設立)」FC2は、日本の人気ブログのホスト、(YouTubeやニコニコ後)は、日本で3番目に人気のビデオホスティングサービス、およびラスベガス、ネバダ州に本社を置くウェブホスティング会社です。それは第六最も人気のあります日本のウェブサイトは、全体的な。(2014年1月のように)FC2はの略で、「ファンタスティックKupi-Kupi(クピクピ)」。このようなポルノのような論争のアダルトコンテンツを許可し、(競合他社の多くとは異なり)スピーチを憎むことが知られています。」 (ウィキペディア)

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

fc2.comのAlexaのランクはそれがtoppest日本のローカルウェブサイトの流通サービスである2月18日2015年52あります。

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

&nbsp;

<b>(1)脆弱性の説明:</b>

</div>
<div></div>
<div>

FC2オンラインWebサービスは、コンピュータのサイバーセキュリティバグの問題があります。それは、オープンリダイレクト(未検証のリダイレクトとフォワード)攻撃によって悪用される可能性があります。ここでオープンリダイレクトの説明は次のとおりです。「オープンリダイレクトがパラメータを受け取り、何の検証も行わずにパラメータ値にユーザーをリダイレクトするアプリケーションです。この脆弱性は、それを実現することなく、悪質なサイトを訪問するユーザーを取得するためにフィッシング攻撃で使用されています。。 “それの一つの結果はフィッシングで​​す。 (OWASP)

</div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

プログラムコードの欠陥は、ユーザのログインなしで攻撃される可能性があります。テストは、Windows 7のMicrosoftのIE(9 9.0.8112.16421)で行われた、Mozilla Firefoxの(37.0.2)&グーグルクロム42.0.2311のUbuntuの(64ビット)(14.04.2)はMac OSのアップルのSafari 6.1.6 X v10.9マーベリックス。

</div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

実際には、テスト時には、FC2内のURLリダイレクトのバグを見つけることは難しいことではありません。多分fc2.comは、これらの脆弱性を軽減するためにはほとんど注意を払っています。

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

&nbsp;

<b>(2)</b>以下の試験のためのWebページのいずれかを使用します。ウェブページアドレスは「<a href=”http://securitypost.tumblr.com/”>http://securitypost.tumblr.com/</a>」です。このウェブページに悪意であるとすることができます。

</div>
<div></div>
<div></div>
<div>

&nbsp;

脆弱URL 1:
<a href=”http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F”>http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F</a&gt;

</div>
<div></div>
<div>

POCコード:
<a href=”http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html</a&gt;

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

脆弱URL 2:
<a href=”http://blogranking.fc2.com/out.php?id=104304&amp;url=http%3A%2F%2Ffc2.com%2F”>http://blogranking.fc2.com/out.php?id=104304&amp;url=http%3A%2F%2Ffc2.com%2F</a&gt;

</div>
<div></div>
<div>

POCコード:
<a href=”http://blogranking.fc2.com/out.php?id=104304&amp;url=http://www.tetraph.com/essayjeans/poems/distance.html”>http://blogranking.fc2.com/out.php?id=104304&amp;url=http://www.tetraph.com/essayjeans/poems/distance.html</a&gt;

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

<b>脆弱性の公開:
</b>これらの脆弱性は楽天に報告された、彼らはまだパッチを適用していないです。

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

発見し、レポーター:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (<a href=”https://twitter.com/justqdjing/status/608913928874123265″>@justqdjing</a>)
<a href=”http://www.tetraph.com/wangjing”>http://www.tetraph.com/wangjing</a&gt;

</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

<b>POCビデオ:
</b><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”https://www.youtube.com/watch?v=r8vU2Z-ueQI”>https://www.youtube.com/watch?v=r8vU2Z-ueQI</a></span&gt;

</div>
<div></div>
<div></div>
<div></div>
<div>

&nbsp;

&nbsp;

<b>詳細:
</b><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://tetraph.com/security/security-news/fc2-service-open-redirect/”>http://tetraph.com/security/security-news/fc2-service-open-redirect/
</a></span><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://securityrelated.blogspot.com/2015/06/fc2-online-web-service-open-redirect.html”>http://securityrelated.blogspot.com/2015/06/fc2-online-web-service-open-redirect.html
</a></span><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://diebiyi.com/articles/news/fc2-service-open-redirect/”>http://diebiyi.com/articles/news/fc2-service-open-redirect/
</a></span><a href=”http://japanbroad.blogspot.jp/2015/06/fc2-web-url-redirection.html&#8221; target=”_blank”>http://japanbroad.blogspot.jp/2015/06/fc2-web-url-redirection.html
</a><a href=”https://hackertopic.wordpress.com/2015/06/11/fc2-web-url-redirection/&#8221; target=”_blank”>https://hackertopic.wordpress.com/2015/06/11/fc2-web-url-redirection/
</a><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://www.inzeed.com/kaleidoscope/it-news-2/fc2-service-open-redirect/”>http://www.inzeed.com/kaleidoscope/it-news-2/fc2-service-open-redirect/
</a></span><a href=”http://whitehatpost.blog.163.com/blog/static/24223205420155114363714/&#8221; target=”_blank”>http://whitehatpost.blog.163.com/blog/static/24223205420155114363714/
</a><a href=”https://infoswift.wordpress.com/2015/06/11/fc2-web-url-redirection/&#8221; target=”_blank”>https://infoswift.wordpress.com/2015/06/11/fc2-web-url-redirection/
</a><span style=”color:#222222;font-family:arial, sans-serif;”><a href=”http://computerobsess.blogspot.com/2015/06/fc2-service-open-redirect.html”>http://computerobsess.blogspot.com/2015/06/fc2-service-open-redirect.html</a></span&gt;
<div></div>
</div>
Attachments area
Preview YouTube video FC2 Online Web Service Unvalidated Redirects and Forwards Cyber Security Vulnerabilities

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

14 Tuesday Apr 2015

Posted by essaybeans in HTML Injection, OSVDB, Web Application

≈ 1 Comment

Tags

0day-exploit, 3.12, Computer Science, cyber-intelligence, Hack Prevention, HTML Injection, internet, IT Bug, justqdjing, NetCat CMS, OSVDB 120807, Program Flaw, tetraph, Vulnerabilities, Web Application, Web Security, Whitehat Test

web INTERNET_COMPUTER_CONCEPT

 

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

 

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Improper Input Validation [CWE-20]

CVE Reference: *

OSVDB Reference: 120807

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 



Advisory Details:



(1) Vendor & Product Description:


Vendor:

NetCat

 

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be downloaded from here,

http://netcat.ru/

 

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user’s trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.

 

(2.1) The programming code flaw occurs at “/catalog/search.php?” page with “&q” parameter.

 

 

 

 

Related Articles:
http://www.osvdb.org/show/osvdb/120807
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1843
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01922.html
http://cxsecurity.com/search/author/DESC/AND/FIND/1/10/Wang+Jing/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=1
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/242232054201551434123334/
http://russiapost.blogspot.ru/2015/06/netcat-html-injection.html
https://inzeed.wordpress.com/2015/04/21/netcat-html-injection/
http://computerobsess.blogspot.com/2015/06/osvdb-120807.html
http://blog.163.com/greensun_2006/blog/static/11122112201551434045926/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html/
http://germancast.blogspot.de/2015/06/netcat-html-injection.html
http://diebiyi.com/articles/security/netcat-cms-3-12-html-injection/

 

 

 

Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

14 Tuesday Apr 2015

Posted by essaybeans in Computer Technology, IT Security

≈ 1 Comment

Tags

0-day, Application Exploit, browser, Computer Science, Computer Security, cve, cyber-security, Database Tech, Hacker Research, Information Security, Internet Testing, IT Security, IT Technology, PHP Code, Scripting Programming, vulnerability, Web Development, Web Flaw, Web Security, Website Bug, white-hat

opoint

 

Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

 

Exploit Title: Opoint Media Intelligence click.php? &noblink parameter URL Redirection Security Vulnerabilities

Vendor: Opoint

Product: Opoint Media Intelligence

Vulnerable Versions:

Tested Version:

Advisory Publication: April 14, 2015

Latest Update: April 14, 2015

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

Discover and Writer: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

 

 

Suggestion Details:

 

(1) Vendor & Product Description:

Vendor:

Opoint

 

Product & Version:

Opoint Media Intelligence

 

Vendor URL & Download:

Opoint Media Intelligence can be got from here,

http://www.opoint.com/index.php?page=home

 

Product Introduction Overview:

“Today, some libraries want to enhance their online presence in ways that go beyond the traditional OPAC and the “library portal” model to better integrate the latest Web functionality. With Opoint Media Intelligence, libraries will be able to take advantage of the latest Web technologies and engage Web-savvy users more effectively than ever before. Opoint Media Intelligence is a complete update of the Web OPAC interface”

“Opoint Media Intelligence breaks through the functional and design limitations of the traditional online catalog. Its solid technology framework supports tools for patron access such as Spell Check; integrated Really Simple Syndication (RSS) feeds; a suite of products for seamless Campus Computing; and deep control over information content and presentation with Cascading Style Sheets (CSS). Opoint Media Intelligence is also a platform for participation when integrated with Innovative’s Patron Ratings features and Community Reviews product. What’s more, with Opoint Media Intelligence’s RightResult™ search technology, the most relevant materials display at the top so patrons get to the specific items or topics they want to explore immediately. Opoint Media Intelligence can also interconnect with Innovative’s discovery services platform, Encore. And for elegant access through Blackberry® Storm™ or iPhone™, the AirPAC provides catalog searching, item requesting, and more.”

 

 

 

(2) Vulnerability Details:

Opoint Media Intelligence web application has a security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Other Opoint products 0day vulnerabilities have been found by some other bug hunter researchers before. Opoint has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to Open Redirect vulnerabilities.

 

(2.1) The first code programming flaw occurs at “func/click.php?” page with “&noblink” parameter.

 

 

 

 

References:

http://tetraph.com/security/open-redirect/opoint-media-intelligence-unvalidated-redirects-and-forwards/

http://securityrelated.blogspot.com/2015/04/opoint-media-intelligence-unvalidated.html

http://www.inzeed.com/kaleidoscope/computer-web-security/opoint-media-intelligence-open-redirect/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/opoint-media-intelligence-open-redirect/

https://computerpitch.wordpress.com/2015/04/14/opoint-media-intelligence-open-redirect/

http://www.iedb.ir/author-Wang%20Jing.html

http://www.websecuritywatch.com/open-redirect-vulnerability-in-wordpress-newsletter-2-6-x-2-5-x/

http://lists.openwall.net/full-disclosure/2015/03/02/7

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1646

 

Times of India website vulnerable to Cross Site Scripting (XSS) attacks

04 Saturday Apr 2015

Posted by essaybeans in IT Security

≈ Leave a comment

Tags

0-day, Application Exploit, browser, Computer Science, Computer Security, cyber-security, Database Tech, Hacker Research, Information Security, Internet Testing, IT Security, IT Technology, PHP Code, Scripting Programming, vulnerability, Web Development, Web Flaw, Web Security, Website Bug, white-hat

Times of India website vulnerable to Cross Site Scripting (XSS) attacks

 

India’s premier daily and popular website, Times of India is vulnerable to critical cross site scripting (XSS) attacks.  Times of India which operates a website called indiatimes.com is a top news website in India and elsewhere.

computer-phone

The XSS vulnerability in the Times of India website was discovered by Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.  He has found that the vulnerability occurs atIndiatimes’s URL links. Indiatimes only party filters the filenames in its website.  Jing says due to this almost all URLs under Indiatimes’s “Photogallery” and “Top-lists” topics are affected by this vulnerability.

http://mathdaily.lofter.com/post/1cc75b20_4180765

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities

04 Saturday Apr 2015

Posted by essaybeans in CVE, FPD, Information Leakage

≈ Leave a comment

Tags

0day-exploit, attack-defense, bug-vulnerability, Computer Science, Computer Security, computer-engineering, crime-prevent, cve-information, cyber-intelligence, cyber-security, FPD, Full Path Disclosure, hacker-prevention, IEEE, Information Leakage, Internet-information, IT News, math student, NetCat, PHP Code, wangjing, web-application-test, whitehat-technology

hacker-security

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities


Exploit Title: CVE-2015-2214 NetCat CMS Full Path Disclosure Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 5.01 3.12

Advisory Publication: February 27, 2015

Latest Update: May 05, 2015

Vulnerability Type: Information Leak / Disclosure [CWE-200]

CVE Reference: CVE-2015-2214

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information

Credit and Writer: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Consultation Details:


(1) Vendor & Product Description:

Vendor:

NetCat


Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1


Vendor URL & Download:

NetCat can be accessed from here,

http://netcat.ru/


Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”


“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”


“We give a discount on any edition NetCat

We try to help our partners to enter into a close-knit team. To reduce your expenses on the development of a new system, we provide special conditions for the acquisition of commercial licenses NetCat, for a partner is assigned a permanent discount of 40%, which according to the results of further sales could be increased to 60%.”


“Teach your developers work with the secrets NetCat

In addition to the detailed documentation and video tutorials to new partners we offer a unique free service – direct contact with the developer from the team NetCat, which will help in the development of product development tools.”


“We give customers

Once you develop the three sites NetCat information about you appear in our ranking developers. This means that you not only begin to receive direct requests from clients but also become a member of tenders conducted by customers. In addition, if the partner is really good work, employees NetCat begin recommending it to clients requesting assistance in the choice of contractor.”


“We will help in the promotion of

The company is a regular participant NetCat large number of forums, seminars and conferences. We are happy to organize together with partners involved, help with advertising materials and share information for the report.”


“Confirmed its status in the eyes of customers

We have a very flexible system of certification of partners: we do not give certificates for the sale of licenses and for the developed sites. So, for example, to obtain a certificate “Development of corporate websites’ to add to your personal account three implementation of the appropriate type.”

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by information leakage attacks – Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Netcat has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to important vulnerabilities.


(2.1) The first programming code flaw occurs at “&redirect_url” parameter in “netshop/post.php?” page.

References:

http://tetraph.com/security/full-path-disclosure-vulnerability/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/netcat-cms-full-path-disclosure.html

http://seclists.org/fulldisclosure/2015/Mar/8

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01740.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1645

http://lists.openwall.net/full-disclosure/2015/03/02/6

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142527117510514&w=2

http://marc.info/?l=full-disclosure&m=142527117510514&w=4

https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://www.tetraph.com/blog/information-leakage-vulnerability/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

http://essayjeans.blog.163.com/blog/static/2371730742015411113047382/

http://www.weibo.com/1644370627/ChjMoA9hD?type=comment#_rnd1431315096193

http://homehut.lofter.com/post/1d226c81_6eae13a

http://qianqiuxue.tumblr.com/post/118667786020/cve-2015-2214-netcat-cms-full-path-disclosure

http://frenchairing.blogspot.sg/2015/05/cve-2015-2214-netcat-cms-full-path.html

https://dailymem.wordpress.com/2015/05/10/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

https://www.facebook.com/mathtopics/posts/459369960879593

https://plus.google.com/u/0/110001022997295385049/posts/XNQAXkF1me7

https://twitter.com/yangziyou/status/597607457670569985

CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Security Vulnerability

04 Saturday Apr 2015

Posted by essaybeans in IT Security

≈ Leave a comment

Tags

0-day, Application Exploit, browser, Computer Science, Computer Security, cyber-security, Database Tech, Hacker Research, Information Security, Internet Testing, IT Security, IT Technology, PHP Code, Scripting Programming, vulnerability, Web Development, Web Flaw, Web Security, Website Bug, white-hat

computer-tree-250x165
CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Security Vulnerability
Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon
Vendor: Atlas Systems
Vulnerable Versions: 3.6 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9
Exploitability Subscore: 8.6

Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore]

http://xingzhehong.lofter.com/post/1cfd0db2_55b5153

CVE-2014-7293 NYU OpenSSO Integration XSS (Cross-Site Scripting) Security Vulnerability

24 Tuesday Mar 2015

Posted by essaybeans in IT Security

≈ Leave a comment

Tags

0-day, Application Exploit, browser, Computer Science, Computer Security, cyber-security, Database Tech, Hacker Research, Information Security, Internet Testing, IT Security, IT Technology, PHP Code, Scripting Programming, vulnerability, Web Development, Web Flaw, Web Security, Website Bug, white-hat

coding

Exploit Title: NYU OpenSSO Integration Logon Page url Parameter XSS

Product: OpenSSO Integration

Vendor: NYU

Vulnerable Versions: 2.1 and probability prior

Tested Version: 2.1

Advisory Publication: DEC 29, 2014

Latest Update: DEC 29, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7293

Risk Level: Medium

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/xss-vulnerability/cve-2014-7293-nyu-opensso-integration-xss-cross-site-scripting-security-vulnerability/

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

12 Thursday Mar 2015

Posted by essaybeans in 0day, CVE, SQL Injection

≈ Leave a comment

Tags

0-day Exploit, Bug-Hunter, Computer Science, Computer Security, Crime-Defense, CVE-Publish, cyber-intelligence, cyber-security, Hack-Prevent, IEEE, Internet-Attack-Testing, IT News, JingWang, math student, PHP-Code-Flaw, SQL Injection, Vulnerability Information, web-application-test, whitehat-technology

Computer-VUlnerability-650x465

 

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

Exploit Title: CVE-2015-2066 DLGuard /index.php c parameter SQL Injection Web Security Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v4.5

Tested Version: v4.5

Advisory Publication: February 18, 2015

Latest Update: May 01, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2066

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Wang Jing  [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)






Caution Details:

(1) Vendor & Product Description:

Vendor:

DLGuard

Product & Version:

DLGuard

v4.5

Vendor URL & Download:

DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php

Product Introduction Overview:

“DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don’t have the time for.”

“DLGuard supports the three types, or methods, of sale on the internet:

<1>Single item sales (including bonus products!)

<2>Multiple item sales

<3>Membership websites”

“DLGuard is fully integrated with: PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, Click2Sell, Mal’s E-Commerce, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro, and even tracks your free product downloads. The DLGuard built-in Shopping Cart offers Paypal, Authorize.net, and 2Checkout payment options. The Membership areas allow Paypal, Clickbank, 2Checkout, and LinkPoint recurring billing as well as linking to any PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, E-Bullion, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro single sale and free products so that people who buy your products can access your members area. DLGuard is the perfect solution to secure your single sale item, such as a niche marketing website, software sales, ebook sales, and more! DLGuard not only protects your download page, but it makes setting up new products, or making changes to existing products so much quicker and easier than before.”


(2) Vulnerability Details:

DLGuard web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. DLguard has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to important vulnerabilities.

(2.1) The bug programming flaw vulnerability occurs at “&c” parameter in “index.php?” page.

 
 
 

References:

http://seclists.org/fulldisclosure/2015/Feb/69

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01703.html

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1607

http://lists.openwall.net/full-disclosure/2015/02/18/6

http://marc.info/?a=139222176300014&r=1&w=4

http://www.tetraph.com/blog/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://www.inzeed.com/kaleidoscope/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

https://plus.google.com/u/0/107140622279666498863/posts/44pDNaZao8v

https://inzeed.wordpress.com/2015/05/10/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://shellmantis.tumblr.com/post/118658089031/inzeed-cve-2015-2066-dlguard-sql-injection#notes

http://tetraphlike.lofter.com/post/1cf5a072_6ea70f7

http://russiapost.blogspot.ru/2015/05/cve-2015-2066-dlguard-sql-injection-web.html21

https://www.facebook.com/computersecurities/posts/375386899314769

http://blog.163.com/greensun_2006/blog/static/11122112201541193421290/

https://twitter.com/tetraphibious/status/597577800023838720

http://www.weibo.com/3973471553/Chj5OFIPk?from=page_1005053973471553_profile&wvr=6&mod=weibotime&type=comment#_rnd1431308778074

CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability

04 Wednesday Mar 2015

Posted by essaybeans in IT Security

≈ Leave a comment

Tags

0-day, Application Exploit, browser, Computer Science, Computer Security, cyber-security, Database Tech, Hacker Research, Information Security, Internet Testing, IT Security, IT Technology, PHP Code, Scripting Programming, vulnerability, Web Development, Web Flaw, Web Security, Website Bug, white-hat

CVE-2014-7291  Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability


175801847
Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Vulnerabilit
Product: LibCal
Vendor: Springshare
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: Nov 25, 2014
Latest Update: Nov 25, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7291
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Solution Status: Fixed by Vendor
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

http://itprompt.blogspot.com/2014/12/cve-2014-7291-springshare-libcal-xss.html

← Older posts
February 2019
M T W T F S S
« Nov    
 123
45678910
11121314151617
18192021222324
25262728  

Archives

  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • October 2013
  • August 2013
  • August 2012

Recent Posts

  • PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug
  • KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug
  • MOZILLA ONLINE WEBSITE TWO SUB-DOMAINS XSS (CROSS-SITE SCRIPTING) BUGS ( ALL URLS UNDER THE TWO DOMAINS)
  • CVE-2015-2209 – DLGuard Full Path Disclosure (Information Leakage) Web Security Vulnerabilitie
  • Godaddy Online Website Covert Redirect Web Security Bugs Based on Google.com
  • Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug
  • CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities
  • CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities
  • CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities
  • CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities
  • CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities
  • OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities
  • BUGTRAQ 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities
  • FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities
  • FC2 fc2.com Online Website URLs XSS (cross site scripting) Vulnerabilities (All URLs Under Domain blog.fc2.com/tag)
  • Rakuten Website Search Page XSS (cross site scripting) Web Security Vulnerability
  • Rakuten Online Website Open Redirect (URL Redirection) Cyber Security Vulnerabilities
  • CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities
  • CVE-2015-2243 Webshop hun v1.062S Directory Traversal Web Security Vulnerabilities
  • Comsenz SupeSite CMS Stored XSS (Cross-site Scripting) Security Vulnerabilities
  • Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities
  • OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities
  • NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities
  • Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities
  • CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability
  • CVE-2014-9557 SMARTCMS MULTIPLE XSS (CROSS-SITE SCRIPTING) SECURITY VULNERABILITY
  • The Weather Channel fixes web app flaws
  • 紐約時報所有2013年前舊文章XSS漏洞
  • Times of India website vulnerable to Cross Site Scripting (XSS) attacks
  • CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities
  • ヤフーYahoo.co.jpオープンリダイレクトセキュリティ脆弱性
  • DoubleClick do Google pode ser vulnerável a ataques
  • CNN出现XSS及Open Redirect安全漏洞
  • CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Security Vulnerability
  • 隱蔽重定向安全漏洞
  • CVE-2014-7293 NYU OpenSSO Integration XSS (Cross-Site Scripting) Security Vulnerability
  • CVE-2015-2242 – Webshop hun v1.062S SQL Injection Web Security Vulnerabilities
  • CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities
  • CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability
  • CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Web Security Vulnerabilities
  • About Group 超过 99.88% 的链接容易遭受 XSS 和 XFS 攻击
  • CVE-2014-8752 JCE-Tech “Video Niche Script” XSS (Cross-Site Scripting) Security Vulnerability
  • About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Web Security Vulnerabilities
  • CVE-2015-1475 – My Little Forum Multiple XSS Web Security Vulnerabilities
  • Maxwell’s Formulation – Differential Forms on Euclidean Space
  • Yahoo and Yahoo Japan May be Vulnerable to Spams
  • Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities
  • CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability
  • Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs
  • CVE-2014-9561 Softbb.net SoftBB XSS (Cross-Site Scripting) Security Vulnerability
Advertisements

Create a free website or blog at WordPress.com.

Cancel
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy