YGN Ethical Hacker Group Blog

1. OVERVIEW The Joomla! web application was vulnerable to Cross Site Scripting vulnerability. 2. PRODUCT DESCRIPTION Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. 3. VULNERABILITY DESCRIPTION Some URLs in Joomla! do not properly escape encoded user inputs that lead to cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). 4. VERSIONS A...

UPDATE Check it out at svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only For those who don't know inspathx https://code.google.com/p/inspathx/ _____________________________ WHAT¶ A tool that uses local source tree to make requests to the url and search for path inclusion error messages. It's ever a common problem in PHP web applications that we're hating to see for ever. We hope this tool triggers no path disclosure flaws any more. See our article about path disclosure. http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt WHY¶ Web application developers sometimes fail to add safe checks against authentications, file inclusion ..etc are prone to reveal possible sensitive information when those applications' URLs are directly requested. Sometimes, it's a clue to File Inclusion vulnerability. For open-source applications, source code can be downloaded and checked to find such information. This script will do this job.   1. First...

/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */ http://core.yehg.net/lab/pr0js/files.php/%5Byehg.net%5D_DLLHijackAuditKitx.zip Modified by Aung Khant, YGN Ethical Hacker Group, Yangon, Myanmar http://yehg.net - Added sleep timer suport - Added regex support to scan only desired application and its associated file extensions Why did we modify? By default, DLLHijackAuditKit scans all associated file extensions with all installed applications in default timer of 3 seconds. DLLHijackAuditor from SecurityXploded is great for targetting only one application. However, according to our testing, it sometimes misses flaws. So, we tried to save time by adding timer support and regex support to our favorite HDM's DLLHijackAuditKit. How is useful? Sleep timer - for some applications like Adobe CS, which takes a few seconds to reach fully usable state               You do need to look at both analyze.js and audit.js for the two variables below.  ...

http://core.yehg.net/lab/#advisories.dll-hijacking DLL Hijacking is easy to find; yet it's evil dangerous. Bad guys claiming to be your friend can send you a zip file that contains your favorite singer's mp3 file together with a hidden mailcious dll file. For information about testing for DLL Hijacking and DLL Hijacking FAQ, see when_testing_for_dll_hijacking.txt . [alsee]_6.20.0.1_insecure_dll_hijacking [alshow]_1.91_insecure_dll_hijacking [alzip]_8.0.6.3_insecure_dll_hijacking [brava_pdf_reader]_3.3.0.18_insecure_dll_hijacking [celframe_office]_2008_insecure_dll_hijacking [e-press-one_office]_insecure_dll_hijacking [flash_player]_10.1.x_insecure_dll_hijacking_(dwmapi.dll) [gdocfusion]_2.5.1_insecure_dll_hijacking [ibm_lotus_symphony]_3-beta-4_insecure_dll_hijacking [keepass]_2.12_insecure_dll_hijacking_(dwmapi.dll) ...

http://yehg.net/lab/#home 2010-09 ------------ - Updated modrewrite-securityrule - Divided new tools section - joint - Added new tool - inspath [Internal Path Disclosure Finder]     - http://yehg.net/lab/pr0js/files.php/inspath.zip   - Added new article - Path Disclosure Vulnerability     - http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt     - Added inj3ct0r in Hacker Web Search   2010-08 ------------ - Added advisories:     http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bc%5D_cross_site_scripting     http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bcaccount%5D_persistent_cross_site_scripting     http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_blastchatc%5D_cross_site_scripting     http://yehg.net/lab/pr0js/view.php/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting(XSS)     http://yehg.net/lab/pr0js/view.php/[adbard.net]_xss  ...

http://core.yehg.net/lab 2010-09 ------- Added advisories: DLL Hijacking archive Added texts: - Things to avoid as a (beginning) security researcher - When testing for dll hijacking vulnerability - Protection Against FOCA   2010-08 ------- - Added DropItsRight in tools section - Started the Core Security Division