24 November, 2013

20 September, 2011

Toko Lite CMS Multiple XSS POST Injection / CRLF Injection / HTTP Response Splitting

Toko CMS suffers from an XSS vulnerability when parsing user input to the 'currPath' and 'path' parameters via the POST method in 'editnavbar.php'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Input passed to the 'charSet' parameter in 'edit.php' is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

Advisory ID: ZSL-2011-5047
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php
PoC: http://www.zeroscience.mk/codes/tokocms_xss.txt

Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
PoC: http://www.zeroscience.mk/codes/tokocms_crlf.txt


Ref: http://zeroscience.mk/blog/09/2011/toko-lite-cms-multiple-xss-post-injection-crlf-injection-http-response-splitting/

25 July, 2011

Online Grades 3.2.5 Multiple XSS Vulnerabilities

Online Grades suffers from multiple cross-site scripting vulnerabilities. The issue is triggered when input passed via multiple parameters to the 'admin/admin.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

---

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5029.php

04 June, 2011

ZSL v3.0

Yeah, started to work on Zero Science Lab "corp" site... stay tuned!

31 May, 2011

Kentico CMS <=5.5R2.23 Cross-Site Scripting POST Injection Vulnerability

Kentico CMS suffers from an XSS vulnerability when parsing user input to the 'userContextMenu_parameter' parameter via the POST method in '/examples/webparts/membership/users-viewer.aspx'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.


http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5015.php
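The three entries above (Toko Lite CMS, Online Grades and Kentico CMS) all come down to the same defect: a request parameter is written back into the response without being validated for the context it lands in. The Toko Lite entry adds the header variant, where a CR/LF pair in the 'charSet' value lets the attacker start a new header line. The Python below is an added illustration written for this page, not code from any of the affected products or from Zero Science Lab; it uses constructed sample values and shows the unsafe concatenation beside a fail-closed check for the header case, a log-side detection helper, and context-aware escaping for the reflected-XSS case.

```python
import html
import re

# Constructed sample inputs (not taken from the advisories): a benign charset value
# and one carrying the CR/LF sequence that response splitting depends on.
BENIGN_CHARSET = "utf-8"
SPLIT_CHARSET = "utf-8\r\nSet-Cookie: injected=1"

# Header values may never contain CR or LF; a charset token is further restricted
# to a small alphabet, so anything else is rejected rather than cleaned up.
CRLF_RE = re.compile(r"[\r\n]")
CHARSET_TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{1,40}$")


def content_type_header_unsafe(charset: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated straight into a header."""
    return f"Content-Type: text/html; charset={charset}"


def content_type_header_safe(charset: str) -> str:
    """Hardened pattern: validate the token before it reaches the header, fail closed."""
    if not CHARSET_TOKEN_RE.fullmatch(charset):
        raise ValueError("refusing charset value that is not a plain token")
    return f"Content-Type: text/html; charset={charset}"


def header_lines(raw_header: str) -> list[str]:
    """Split a header string the way a client would, on CRLF.

    A single, well-formed header yields exactly one line; more than one line means
    the parameter has been allowed to inject additional headers.
    """
    return [ln for ln in raw_header.split("\r\n") if ln]


def contains_crlf(value: str) -> bool:
    """Detection helper for access logs or WAF rules: flag a parameter carrying CR or LF."""
    return CRLF_RE.search(value) is not None


def render_reflected(value: str) -> str:
    """Reflect a parameter into an HTML attribute with escaping for that context (the XSS fix)."""
    return f'<input name="path" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    # Unsafe version: the injected value becomes a second header line.
    print(header_lines(content_type_header_unsafe(SPLIT_CHARSET)))
    # Safe version: the same value is refused before any header is built.
    try:
        content_type_header_safe(SPLIT_CHARSET)
    except ValueError as exc:
        print("rejected:", exc)
    # Escaped reflection: the markup characters are neutralised in the attribute.
    print(render_reflected('"><b>x</b>'))
```

The design choice worth noting is that the hardened header function rejects rather than strips: stripping CR/LF leaves the door open to encoding variants and to values that are still not valid charset tokens, whereas a whitelist on the token is short and easy to audit. The `contains_crlf` helper is deliberately looser than the whitelist so it can be run over logged parameter values to spot splitting attempts against any header, not just `Content-Type`.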

21 April, 2011

Assassin's Creed: Brotherhood

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is sent to the pid item of the GetItem1 function in the elonfmt.ocx module, we get a few memory registers overwritten, including the SEH. We're dealing with a character translation. An attacker can gain access to the system on the affected node and execute arbitrary code.

Read on: http://zeroscience.mk/blog/04/2011/gesytec-elonfmt-activex-1-1-14-elonfmt-ocx-pid-item-buffer-overflow-seh/