20 September, 2011

Toko Lite CMS Multiple XSS POST Injection / CRLF Injection / HTTP Response Splitting

Toko CMS suffers from an XSS vulnerability when parsing user input to the ‘currPath’ and ‘path’ parameters via the POST method in ‘editnavbar.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session. Input passed to the ‘charSet’ parameter in ‘edit.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.
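As an added illustration (not code from the advisory or from Toko Lite CMS), the Python below models the header-injection case described above: a hypothetical response builder that copies a user-supplied charSet value straight into the Content-Type header, beside a hardened version that validates the value before use. The naive client-side parser, the regex bound and the sample inputs are all constructed for the demonstration.

```python
import re

# Added example, not Toko Lite CMS code: a hypothetical HTTP response builder
# that reflects a user-controlled 'charSet' value into Content-Type.

# A charset name only ever needs letters, digits, '.', '_' and '-'. Anything
# else (CR and LF above all) must never be placed on a header line.
# Assumption: an allowlist of the charsets the application really supports
# would be stricter still; the regex is the minimum sane bound.
CHARSET_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,39}")
DEFAULT_CHARSET = "utf-8"


def is_safe_charset(value: str) -> bool:
    """True only for a plain charset token; CR, LF, spaces and ':' all fail."""
    return CHARSET_RE.fullmatch(value) is not None


def build_response_vulnerable(charset: str, body: str) -> bytes:
    """Reflects the parameter verbatim. A CR LF pair inside 'charset' ends the
    header line early, so whatever follows is read as further headers or,
    with a blank line and a second status line, as a second response."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: text/html; charset={charset}\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return (head + "\r\n" + body).encode("latin-1")


def build_response_hardened(charset: str, body: str) -> bytes:
    """Validates before use and falls back to a default on failure; no attempt
    is made to 'clean' a bad value, which is where escaping bugs creep in."""
    if not is_safe_charset(charset):
        charset = DEFAULT_CHARSET
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: text/html; charset={charset}\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return (head + "\r\n" + body).encode("latin-1")


def parse_responses(raw: bytes) -> list:
    """Naive client view of the byte stream: every 'HTTP/1.1 ' status line
    starts a new response; header lines run until the first blank line.
    (Constructed for the demo; a real client also honours Content-Length.)"""
    responses = []
    for chunk in raw.split(b"HTTP/1.1 "):
        if not chunk:
            continue
        head, _, body = chunk.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        responses.append({
            "status": lines[0].decode("latin-1"),
            "headers": headers,
            "body": body.decode("latin-1"),
        })
    return responses


# Constructed inputs: a normal charset, a value that smuggles in one extra
# header, and one that terminates the headers and starts a second response.
BENIGN = "ISO-8859-1"
HEADER_INJECTION = "utf-8\r\nX-Injected: 1"
RESPONSE_SPLIT = (
    "utf-8\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
)
BODY = "<p>ok</p>"

if __name__ == "__main__":
    for label, value in [("benign", BENIGN), ("header injection", HEADER_INJECTION),
                         ("response split", RESPONSE_SPLIT)]:
        vuln = parse_responses(build_response_vulnerable(value, BODY))
        safe = parse_responses(build_response_hardened(value, BODY))
        print(f"{label:17s} vulnerable: {len(vuln)} response(s), headers {sorted(vuln[0]['headers'])}")
        print(f"{'':17s} hardened:   {len(safe)} response(s), headers {sorted(safe[0]['headers'])}")
```

The hardened builder rejects rather than strips: stripping CR and LF individually tends to leave other separators (or encoded forms handled by a later layer) unaddressed, while a fixed token pattern with a default fallback has no such corner cases.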

Advisory ID: ZSL-2011-5047
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php
PoC: http://www.zeroscience.mk/codes/tokocms_xss.txt

Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
PoC: http://www.zeroscience.mk/codes/tokocms_crlf.txt


Ref: http://zeroscience.mk/blog/09/2011/toko-lite-cms-multiple-xss-post-injection-crlf-injection-http-response-splitting/

25 July, 2011

Online Grades 3.2.5 Multiple XSS Vulnerabilities

Online Grades suffers from multiple cross-site scripting vulnerabilities. The issue is triggered when input passed via multiple parameters to the 'admin/admin.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

---

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5029.php

04 June, 2011

ZSL v3.0

Yeah, started to work on Zero Science Lab "corp" site... stay tuned!

31 May, 2011

Kentico CMS <=5.5R2.23 Cross-Site Scripting POST Injection Vulnerability

Kentico CMS suffers from an XSS vulnerability when parsing user input to the 'userContextMenu_parameter' parameter via the POST method in '/examples/webparts/membership/users-viewer.aspx'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.


http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5015.php

21 April, 2011

Assassin's Creed: Brotherhood

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is sent to the pid item of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH handler. The input is subject to a character translation. An attacker can gain access to the system on the affected node and execute arbitrary code.

Read on: http://zeroscience.mk/blog/04/2011/gesytec-elonfmt-activex-1-1-14-elonfmt-ocx-pid-item-buffer-overflow-seh/

06 April, 2011

Anfibia Reactor 2.1.1 (login.do) Remote XSS POST Injection Vulnerability

Vendor: Anfibia Software
Product web page: http://www.anfibia-soft.com
Affected version: 2.1.1.12

Summary: Fast web-based server monitoring. Keep an eye on servers,
connections, databases, cpu, hard drives and more!

Desc: The Anfibia Reactor JS service suffers from an XSS vulnerability
when parsing user input to the 'email' parameter via POST method in
'reactor/login.do' script at the manager login interface. Attackers
can exploit this weakness to execute arbitrary HTML and script code
in a user's browser session.

Tested on: Microsoft Windows XP Professional SP3 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk


[14.03.2011] Vulnerability discovered.
[16.03.2011] Contact with the vendor.
[16.03.2011] Vendor replies asking more details.
[16.03.2011] Sent vulnerability details to vendor.
[16.03.2011] Vendor confirms XSS issue.
[06.04.2011] Vendor releases version 3 to address this issue.
[06.04.2011] Coordinated public advisory released.

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5008.php

http://www.zeroscience.mk/codes/anfibiareactor_xss.txt

15 March, 2011

Pointter PHP Content Management System 1.2 Multiple Vulnerabilities

Vendor: PangramSoft GmbH
Product web page: http://www.pointter.com
Affected version: 1.2

Summary: Pointter PHP Content Management System is an advanced, fast
and user friendly CMS script that can be used to build simple websites
or professional websites with product categorization, product blogs,
member login and search modules. The webmaster can create unlimited
static page boxes, static pages, main categories, sub categories and
product pages.

Desc: Pointter CMS suffers from multiple vulnerabilities (post-auth)
including: Stored XSS, bSQLi, LFI, Cookie Manipulation, DoS.

Tested on: Microsoft Windows XP Pro SP3 (en)

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic


Advisory ID: ZSL-2011-5002
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5002.php


10.03.2011


---
XSS:
The stored XSS is present almost everywhere in the admin panel: posting the
string '"><script>alert(1)</script>' when editing a category is enough, and
the payload fires on every return to the main page.

LFI:
script: pointtercms/admin/functions/createcategory.php
post param: category
poc: category=../../../../../../../../../test.txt&code=0e=0

script: pointtercms/admin/functions/createpage.php
post param: pageurl

script: pointtercms/admin/functions/createproduct.php
post param: producturl


bSQLi:
script: pointtercms/admin/functions/editsettings.php
post param: onoff, count, boxname, tonoff, tname, monoff, mname, nonoff, nname,
memonoff, memname, searchonoff, searchname, pos, tpos, mpos, npos, mempos, mail.
poc: onoff=1'+and+sleep(10)%23&pos=0
- Response size: 0 bytes, Duration: 10016 ms
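The timing figure in the note above (a 0-byte response that took ten seconds) is exactly the signal a defender can key on. The Python below is an added example, not part of the advisory or of Pointter CMS: it reads constructed access-log lines in an assumed format (method, path, status, bytes, duration in ms, POST body), URL-decodes the body, and flags requests that either carry a time-delay signature or take far longer than the median for the same script.

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Added example, not Pointter CMS code. Assumed log format (constructed for the
# demo; adapt LINE_RE to your server's real format):
#   METHOD PATH STATUS BYTES DURATION_MS "POST-BODY"
LINE_RE = re.compile(
    r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<ms>\d+) "(?P<body>[^"]*)"$'
)

# Delay primitives used by time-based blind SQL injection probes across
# common database engines. Matched against the URL-decoded body.
TIME_PROBE_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)

# Constructed sample lines: ordinary saves of the settings form, one probe
# shaped like the advisory's PoC, and an unrelated page save.
LOG_LINES = [
    'POST /pointtercms/admin/functions/editsettings.php 200 512 38 "onoff=1&pos=0"',
    'POST /pointtercms/admin/functions/editsettings.php 200 512 41 "onoff=0&pos=1"',
    'POST /pointtercms/admin/functions/createpage.php 200 330 35 "pageurl=about"',
    'POST /pointtercms/admin/functions/editsettings.php 200 0 10016 '
    '"onoff=1%27+and+sleep(10)%23&pos=0"',
    'POST /pointtercms/admin/functions/editsettings.php 200 512 44 "onoff=1&pos=2"',
]


def parse_line(line: str) -> dict:
    """One log line to a dict with numeric fields and the decoded body."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparsable log line: {line!r}")
    e = m.groupdict()
    e["ms"] = int(e["ms"])
    e["bytes"] = int(e["bytes"])
    e["decoded_body"] = unquote_plus(e["body"])
    return e


def flag_requests(lines, slow_factor: float = 20.0) -> list:
    """Returns the entries worth a look, each with the reasons it was flagged.

    Two independent signals are combined: a content signature (a delay
    function in the decoded body) and a behavioural one (duration far above
    the median for the same path, which also catches obfuscated payloads)."""
    entries = [parse_line(l) for l in lines]
    by_path = {}
    for e in entries:
        by_path.setdefault(e["path"], []).append(e["ms"])
    baseline = {path: median(ms) for path, ms in by_path.items()}

    findings = []
    for e in entries:
        reasons = []
        if TIME_PROBE_RE.search(e["decoded_body"]):
            reasons.append("delay function in request body")
        if e["ms"] > slow_factor * baseline[e["path"]]:
            reasons.append(
                f"duration {e['ms']} ms vs. median {baseline[e['path']]:.0f} ms"
            )
        if reasons:
            findings.append({"path": e["path"], "ms": e["ms"],
                             "body": e["decoded_body"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_requests(LOG_LINES):
        print(f"{f['path']} ({f['ms']} ms): {'; '.join(f['reasons'])}")
        print(f"  body: {f['body']}")
```

The per-path median is deliberately computed from all requests, probes included, so a single slow outlier cannot drag the baseline up; with only one request on a path the timing rule is silent and the signature rule still applies.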


http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5002.php

31 January, 2011

Upcoming security books proposals

Thwart malicious network intrusion by using cutting-edge techniques for finding and fixing security flaws. Fully updated and expanded with nine new chapters, Gray Hat Hacking: The Ethical Hacker’s Handbook, Third Edition details the most recent vulnerabilities and remedies along with legal disclosure methods. Learn from the experts how hackers target systems, defeat production schemes, write malicious code, and exploit flaws in Windows and Linux systems. Malware analysis, penetration testing, SCADA, VoIP, and Web security are also covered in this comprehensive resource.

* Develop and launch exploits using BackTrack and Metasploit
* Employ physical, social engineering, and insider attack techniques
* Build Perl, Python, and Ruby scripts that initiate stack buffer overflows
* Understand and prevent malicious content in Adobe, Office, and multimedia files
* Detect and block client-side, Web server, VoIP, and SCADA attacks
* Reverse engineer, fuzz, and decompile Windows and Linux software
* Develop SQL injection, cross-site scripting, and forgery exploits
* Trap malware and rootkits using honeypots and SandBoxes

http://zeroscience.mk/blog/01/2011/upcoming-security-books-proposals/

22 January, 2011

CultBooking Internet Booking Engine Multiple Vulnerabilities

Open source hotel booking system (Internet Booking Engine (IBE)). Via a central API called CultSwitch it is possible to make bookings and set the actual availabilities in the hotel's PMS. It is easy to install and easy to integrate, with full support.

1. CultBooking suffers from a local file inclusion/disclosure (LFI/FD) vulnerability when input passed through the ‘lang’ parameter to the cultbooking.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL-encoded NULL bytes. Conditional on ‘magic_quotes_gpc=off’.

2. CultBooking Hotel Booking System suffers from an XSS/PD vulnerability when parsing user input to the ‘bookingcode’, ‘email’ and ‘lang’ parameters via the POST and GET methods in the cultbooking.php script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.
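Item 1 above and the Pointter LFI entries earlier on this page (the 'category', 'pageurl' and 'producturl' parameters) describe the same failure: a request parameter is concatenated into a file path and included. The Python below is an added example, not CultBooking's or Pointter's code: a hypothetical translation-file loader in a vulnerable and a hardened form, with the NUL-byte truncation emulated so the 'lang' case from item 1 can be reproduced in a temporary directory. The directory layout, file contents and parameter values are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Added example, not CultBooking or Pointter CMS code: a hypothetical loader
# that maps a 'lang' request parameter to a translation file.

# Only the shapes we actually ship: 'en', 'de', 'pt_BR' and so on.
LANG_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def resolve_lang_vulnerable(lang_dir: Path, lang: str) -> Path:
    """Concatenates the raw parameter into the path, as an unguarded
    include("lang/$lang.php") would. The split on NUL emulates what the
    old PHP include() did with magic_quotes_gpc=off: the C-level path
    stopped at the first %00, so the '.php' suffix was silently dropped."""
    raw = f"{lang_dir}/{lang}.php"
    return Path(raw.split("\x00", 1)[0])


def resolve_lang_hardened(lang_dir: Path, lang: str) -> Optional[Path]:
    """Validate the shape first, then confirm the resolved file still lies
    inside the translations directory (a second line of defence in case the
    pattern is ever loosened), then confirm it is an existing regular file."""
    if LANG_RE.fullmatch(lang) is None:
        return None
    root = lang_dir.resolve()
    candidate = (root / f"{lang}.php").resolve()
    if root not in candidate.parents:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Builds a throw-away layout, plays the benign and the traversal inputs
    against both resolvers and returns what each one ended up with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lang_dir = root / "lang"
        lang_dir.mkdir()
        (lang_dir / "en.php").write_text("<?php $t['hello'] = 'Hello'; ?>")
        # Constructed: a file outside the translations directory that must
        # never be reachable through the 'lang' parameter.
        (root / "config.txt").write_text("db_password=constructed")

        # The decoded form of '../config.txt%00' as it arrives in $_GET['lang'].
        traversal = "../config.txt\x00"

        return {
            "vuln_en_exists": resolve_lang_vulnerable(lang_dir, "en").is_file(),
            "vuln_traversal_reads": resolve_lang_vulnerable(lang_dir, traversal).read_text(),
            "safe_en": resolve_lang_hardened(lang_dir, "en") is not None,
            "safe_traversal": resolve_lang_hardened(lang_dir, traversal),
            "safe_unknown_lang": resolve_lang_hardened(lang_dir, "xx"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value!r}")
```

The regex does the real work; the containment check on the resolved path is there so that a later relaxation of the pattern (or a symlink inside the translations directory) still cannot reach outside it.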

ZSL-2011-4987: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4987.php
ZSL-2011-4988: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4988.php


ref: http://zeroscience.mk/blog/01/2011/cultbooking-internet-booking-engine-multiple-vulnerabilities/