YGN Ethical Hacker Group Blog

1. OVERVIEW

The PHPShop 0.8.1 and lower versions are currently vulnerable to Cross Site Scripting.


2. BACKGROUND

PHPShop is a PHP-powered shopping cart application. It is released under the GNU General Public License.
The primary purpose of PHPShop is to provide a simple shopping cart solution that is easy to customize to suit any purpose. PHPShop has less features that many other shopping cart applications, but is generally easier to customize.


3. VULNERABILITY DESCRIPTION

The "re" parameter was not properly sanitized upon submission to the /bb-login.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

PHP 0.8.1 <=


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/phpshop0_8_1/?page=store/XSS&%26%26%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%3d1


6. SOLUTION

The vendor has discontinued this product.
It is recommende…

1. OVERVIEW

The Vanilla Forums 2.0.17.1 till 2.0.17.5  were vulnerable to Cross Site Scripting.


2. BACKGROUND

Vanilla Forums are open-source, standards-compliant, customizable discussion forums.
It is specially made to help small communities grow larger through SEO mojo, totally customizable social tools,
and great user experience. Vanilla is also built with integration at the forefront, so it can
seamlessly integrate with your existing website, blog, or custom-built application.


3. VULNERABILITY DESCRIPTION

The 'p' parameter  was not properly sanitized upon submission to the /index.php url, which allows attacker to conduct Cross Site Scripting attack.
This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

2.0.17.1 ~ 2.0.17.5


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/vanilla/index.php?p=/entry/"><script>alert(/XSS/)</script>


6. SOLUTION

Upgrade to Vanilla Forums 2.0.17.6…

barracuda-load-balancer.rb
added new plugins [yehgdotnet]binarysec-firewall.rb
added new plugins [yehgdotnet]citrix-netscaler.rb
added new plugins [yehgdotnet]cloudflare.rb
added new plugins [yehgdotnet]evercookie.rb
added new plugins [yehgdotnet]f5-bigip-loadbalancer.rb
added new plugins [yehgdotnet]fortinet-firewall.rb
added new plugins [yehgdotnet]juniper-load-balancer.rb
added new plugins [yehgdotnet]juniper-netscreen-secure-access.rb
added new plugins [yehgdotnet]microsoft-outlook-web-access.rb
added new plugins [yehgdotnet]profense-firewall.rb
added new plugins [yehgdotnet]vtigercrm.rb
added new plugins [yehgdotnet]watchguard-firewall.rbfixed watchguard-firewall.rb [yehgdotnet]

Tell-Me-Web

The tell-me-web takes gnmap output (-oG) generated together with -sV option.
It extracts all hosts with http & https ports open. Then it feeds them into whatweb.

Log Path

Scan results can be found in logs/ folder.

How to configure

Edit $whatweb variable and insert it your whatweb path in whatweb.config file.
Svn ignore whatweb.config (svn propedit svn:ignore ./whatweb.config)

How to download/update

svn co http://tellmeweb.googlecode.com/svn/trunk/ tellmeweb

For those who don't know inspathx, please visit:
http://inspathx.googlecode.com/

Check the update via
svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx

CHANGELOG
===========
covered remaining checks (empty array, null cookie) in
Full_Path_Disclosure
(http://www.owasp.org/index.php/Full_Path_Disclosure) of OWASP
Application Security Desk Reference (ASDR) Project

added support for generating path definition file and you can now use
-d with path-definition file to check in addition to cms directory
path
added support for reading gzip/deflate compressed response from server
added regexp support (use your own regexp rules to search in returned
responses in addition to built-in regexp error messages)
added null session cookie  support
       --null-cookie [will auto null session for all languages ]
added custom headers  support
       --headers "cookie: sid[]=1\r\nX-pingback:: "
added data (GET/POST)  support
       --data (var=1&var=2)
added method (get by default)  support
      …

1. OVERVIEW

The Zikula 1.2.4 and lower versions were vulnerable to Cross Site Request Forgery (CSRF).


2. BACKGROUND

Zikula is a Web Application Toolkit, which allows you to run impressive websites and build powerful online applications. Zikula has received praise for many things, but we belive the highlights are ease of use, quick and easy development, security and performance and lastly flexibility.


3. VULNERABILITY DESCRIPTION

Zikula CMS 1.2.4 and lower versions contain a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for majority of administrator functions such as adding new user, assigning user to administrative privilege. By using a crafted URL, an attacker may trick the victim into visiting to his web page to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the v…