Posts

Showing posts from February, 2011

PHPShop 0.8.1 <= | Cross Site Scripting Vulnerability

1. OVERVIEW The PHPShop 0.8.1 and lower versions are currently vulnerable to Cross Site Scripting. 2. BACKGROUND PHPShop is a PHP-powered shopping cart application. It is released under the GNU General Public License. The primary purpose of PHPShop is to provide a simple shopping cart solution that is easy to customize to suit any purpose. PHPShop has less features that many other shopping cart applications, but is generally easier to customize. 3. VULNERABILITY DESCRIPTION The "re" parameter was not properly sanitized upon submission to the /bb-login.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED PHP 0.8.1 <= 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/phpshop0_8_1/?page=store/XSS&%26%26%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%3d1 6. SOLUTION The vendor has discontinued this product. It is

Vanilla Forums 2.0.17.1 ~ 2.0.17.5 <= Cross Site Scripting Vulnerability

1. OVERVIEW The Vanilla Forums 2.0.17.1 till 2.0.17.5  were vulnerable to Cross Site Scripting. 2. BACKGROUND Vanilla Forums are open-source, standards-compliant, customizable discussion forums. It is specially made to help small communities grow larger through SEO mojo, totally customizable social tools, and great user experience. Vanilla is also built with integration at the forefront, so it can seamlessly integrate with your existing website, blog, or custom-built application. 3. VULNERABILITY DESCRIPTION The 'p' parameter  was not properly sanitized upon submission to the /index.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED 2.0.17.1 ~ 2.0.17.5 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/vanilla/index.php?p=/entry/"><script>alert(/XSS/)</script> 6. SOLUTION Upgrade to Vanilla Forums

[whatweb] New and updated Plugins Covering Network Devices

Image
barracuda-load-balancer.rb added new plugins [ yehgdotnet ] binarysec-firewall.rb added new plugins [ yehgdotnet ] citrix-netscaler.rb added new plugins [ yehgdotnet ] cloudflare.rb added new plugins [ yehgdotnet ] evercookie.rb added new plugins [ yehgdotnet ] f5-bigip-loadbalancer.rb added new plugins [ yehgdotnet ] fortinet-firewall.rb added new plugins [ yehgdotnet ] juniper-load-balancer.rb

[Tool] Tell-Me-Web | Automating WhatWeb from NMap Output

Tell-Me-Web The tell-me-web takes gnmap output (-oG) generated together with -sV option. It extracts all hosts with http & https ports open. Then it feeds them into whatweb. Log Path Scan results can be found in logs/ folder. How to configure Edit $whatweb variable and insert it your whatweb path in whatweb.config file. Svn ignore whatweb.config (svn propedit svn:ignore ./whatweb.config) How to download/update svn co http://tellmeweb.googlecode.com/svn/trunk/ tellmeweb

[Tool Update Announcement] inspathx - Path Disclosure Finder

For those who don't know inspathx, please visit: http://inspathx.googlecode.com/ Check the update via svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx CHANGELOG =========== covered remaining checks (empty array, null cookie) in Full_Path_Disclosure ( http://www.owasp.org/index.php/Full_Path_Disclosure ) of OWASP Application Security Desk Reference (ASDR) Project added support for generating path definition file and you can now use -d with path-definition file to check in addition to cms directory path added support for reading gzip/deflate compressed response from server added regexp support (use your own regexp rules to search in returned responses in addition to built-in regexp error messages) added null session cookie  support        --null-cookie [will auto null session for all languages ] added custom headers  support        --headers "cookie: sid[]=1\r\nX-pingback:: " added data (GET/POST)  support        --data (var=1&var=2) added method (get by

Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability (CVE-2011-0535)

1. OVERVIEW The Zikula 1.2.4 and lower versions were vulnerable to Cross Site Request Forgery (CSRF). 2. BACKGROUND Zikula is a Web Application Toolkit, which allows you to run impressive websites and build powerful online applications. Zikula has received praise for many things, but we belive the highlights are ease of use, quick and easy development, security and performance and lastly flexibility. 3. VULNERABILITY DESCRIPTION Zikula CMS 1.2.4 and lower versions contain a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for majority of administrator functions such as adding new user, assigning user to administrative privilege. By using a crafted URL, an attacker may trick the victim into visiting to his web page to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick t