Posts

Showing posts from October, 2010

Joomla! 1.5.20 <= Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW

The Joomla! web application was vulnerable to a Cross Site Scripting (XSS)
vulnerability.


2. PRODUCT DESCRIPTION

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

Some URLs in Joomla! do not properly escape URL-encoded user input before
reflecting it into the page, which leads to a cross-site scripting
vulnerability.
For more information about this class of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').
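The following is an added illustration of the CWE-79 class described above, written for this page; it is not Joomla's code and says nothing about which Joomla URL was affected. The sample URL, the "search" parameter and the render_* functions are assumptions for the example. It shows why "encoded" input matters: escaping the still-encoded value and decoding afterwards is as unsafe as not escaping at all, because the decode step reintroduces the angle brackets.

```python
# Added illustration of CWE-79 (reflected XSS), not Joomla's code. The URL,
# the "search" parameter and the render_* functions are assumed for the demo.
from html import escape
from urllib.parse import unquote

# Constructed request: the payload arrives percent-encoded, as a browser sends it.
SAMPLE_URL = "http://example.test/index.php?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def raw_query_value(url: str, name: str) -> str:
    """Return the still-encoded value of a query parameter ("" if absent)."""
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""


def render_vulnerable(raw_value: str) -> str:
    """Decode and reflect the parameter with no output encoding at all."""
    return f"<p>Results for: {unquote(raw_value)}</p>"


def render_escaped_too_early(raw_value: str) -> str:
    """Escape the *encoded* string, then decode it. escape() sees only
    '%3C' and '%3E' (nothing to change) and the later decode reintroduces
    the angle brackets, so this is still vulnerable."""
    return f"<p>Results for: {unquote(escape(raw_value))}</p>"


def render_hardened(raw_value: str) -> str:
    """Decode first, then HTML-escape the final value at the point of output.
    quote=True also encodes quotes, so the same call is safe inside a quoted
    attribute value."""
    return f"<p>Results for: {escape(unquote(raw_value), quote=True)}</p>"


def reflects_script(html: str) -> bool:
    """Crude check used by the demo: does the raw tag survive into the page?"""
    return "<script>" in html.lower()


def demo() -> dict:
    raw = raw_query_value(SAMPLE_URL, "search")
    return {
        "vulnerable": reflects_script(render_vulnerable(raw)),
        "escaped_too_early": reflects_script(render_escaped_too_early(raw)),
        "hardened": reflects_script(render_hardened(raw)),
    }


if __name__ == "__main__":
    for name, unsafe in demo().items():
        print(f"{name:18s} reflects <script>: {unsafe}")
```

The fix that matters is the ordering in render_hardened: decode everything the transport layer encoded, then encode once for the context the value lands in (HTML body or quoted attribute here; a JavaScript string or a URL would need a different encoder).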


4. VERSIONS AFFECTED

Joomla! 1.5.…

[Tool Update Announcement] inspathx - Path Disclosure Finder

UPDATE

Check it out at

svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only


For those who don't know inspathx

https://code.google.com/p/inspathx/

_____________________________

WHAT

A tool that uses a local copy of an application's source tree to request
each file directly from the target URL and searches the responses for
path disclosure error messages. Path disclosure has always been a common
problem in PHP web applications, and one we would rather not keep seeing.
We hope this tool helps put an end to such flaws. See our article about
path disclosure.

http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt



WHY

Web application developers sometimes fail to add safety checks (for
authentication, direct access to include-only files, file inclusion,
etc.), so those files are prone to reveal sensitive information, such as
the absolute path of the application on the server, when their URLs are
requested directly. Sometimes this is also a clue to a File Inclusion
vulnerability. For open-source applications, the source code can be
downloaded and its file list used to find such information.

This script will do this job.
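The core of that job, as an added example written for this page rather than inspathx's own code: walk a local source tree, request every file directly from the target, and match the response against the PHP error formats that leak an absolute path. The target URL, the sample source tree and the HTTP responses are constructed so it runs offline; http_fetch is the fetcher you would plug in for a real run.

```python
# Added illustration of the technique inspathx automates; not inspathx's code.
# The target URL, the sample source tree and FAKE_RESPONSES are constructed.
import os
import re
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# PHP error output (html_errors on and off) that leaks an absolute server path.
PATH_DISCLOSURE_PATTERNS = [
    re.compile(r"<b>(?:Fatal error|Warning|Notice|Parse error)</b>:.*?"
               r" in <b>(?P<path>/[^<]+)</b> on line <b>\d+</b>", re.S),
    re.compile(r"(?:Fatal error|Warning|Notice|Parse error):.*?"
               r" in (?P<path>/\S+) on line \d+"),
]


def enumerate_source_paths(source_root, extensions=(".php",)):
    """Walk a local copy of the application and return its files as URL paths."""
    paths = []
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            if name.endswith(extensions):
                rel = os.path.relpath(os.path.join(dirpath, name), source_root)
                paths.append("/" + rel.replace(os.sep, "/"))
    return sorted(paths)


def find_disclosed_path(body):
    """Return the first absolute path leaked in a response body, else None."""
    for pattern in PATH_DISCLOSURE_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group("path")
    return None


def scan(base_url, rel_paths, fetch):
    """Request every source file directly and collect (url, leaked path) hits."""
    findings = []
    for rel in rel_paths:
        url = base_url.rstrip("/") + rel
        _status, body = fetch(url)
        leaked = find_disclosed_path(body)
        if leaked:
            findings.append((url, leaked))
    return findings


def http_fetch(url, timeout=10):
    """Live fetcher for a real run (not used by the offline demo below).
    PHP may send its error page with status 200 or 500, so keep both bodies."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed responses standing in for a deployed copy of the sample app.
FAKE_RESPONSES = {
    "/index.php": (200, "<html><body>Welcome</body></html>"),
    "/includes/config.php": (200, ""),  # include-only file that fails silently
    "/includes/db.php": (200,
        "<br />\n<b>Fatal error</b>:  Call to undefined function get_config()"
        " in <b>/var/www/html/includes/db.php</b> on line <b>12</b><br />\n"),
    "/admin/helper.php": (200,
        "<br />\n<b>Warning</b>:  include(../lib/common.php): failed to open"
        " stream: No such file or directory in <b>/var/www/html/admin/helper.php</b>"
        " on line <b>3</b><br />\n"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(urlsplit(url).path, (404, "Not Found"))


def demo(base_url="http://target.example/"):
    """Build the sample source tree on disk, then scan it against the fake target."""
    sample_files = ["index.php", "includes/config.php", "includes/db.php",
                    "admin/helper.php", "lib/common.php"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_files:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<?php // sample\n")
        return scan(base_url, enumerate_source_paths(root), fake_fetch)


if __name__ == "__main__":
    for url, leaked in demo():
        print(f"{url} -> {leaked}")
```

Two things a real run has to get right that the demo keeps visible: the error page often comes back with HTTP 200, so filtering on status code alone misses hits, and a file that returns an empty body (includes/config.php above) is not necessarily safe, only silent under the server's current display_errors setting.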

  1. First you have to download…

Enhanced DLLHijackAuditKit

/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */

http://core.yehg.net/lab/pr0js/files.php/%5Byehg.net%5D_DLLHijackAuditKitx.zip

Modified by
Aung Khant, YGN Ethical Hacker Group, Yangon, Myanmar
http://yehg.net

- Added sleep timer support
- Added regex support to scan only the desired application and its associated file extensions


Why did we modify it?

By default, DLLHijackAuditKit scans all file extensions associated with all installed applications, with a default timer of 3 seconds.
DLLHijackAuditor from SecurityXploded is great for targeting only one application.
However, according to our testing, it sometimes misses flaws.

So we tried to save time by adding timer support and regex support to our favourite, HDM's
DLLHijackAuditKit.

How is it useful?


Sleep timer - for applications like Adobe CS, which take a few seconds to reach a fully usable state.
              You need to look at both analyze.js and audit.js for the two variables below.
              You should adjust them depending on the application…

DLL Hijacking Advisories Archive


[web] Site Update Log since 2010-09

http://yehg.net/lab/#home
2010-09
------------

- Updated modrewrite-securityrule

- Divided new tools section - joint

- Added new tool - inspath [Internal Path Disclosure Finder]
    - http://yehg.net/lab/pr0js/files.php/inspath.zip

- Added new article - Path Disclosure Vulnerability
    - http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

- Added inj3ct0r in Hacker Web Search


2010-08
------------
- Added advisories:
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bc%5D_cross_site_scripting
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bcaccount%5D_persistent_cross_site_scripting
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_blastchatc%5D_cross_site_scripting
    http://yehg.net/lab/pr0js/view.php/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting(XSS)
    http://yehg.net/lab/pr0js/view.php/[adbard.net]_xss
    http://yehg.net/lab/pr0js/view.php/[linkbucks.com]_xss,redirect
    http://yehg.net/lab/pr0js/advisories/2wire/%5B2wire%5D_session_hijacking_vulnerability

- Up…

[core] Site Update Log since 2010-09

http://core.yehg.net/lab


2010-09
-------
Added advisories:
DLL Hijacking archive

Added texts:
- Things to avoid as a (beginning) security researcher
- When testing for dll hijacking vulnerability
- Protection Against FOCA

2010-08
-------
- Added DropItsRight in tools section
- Started the Core Security Division