YGN Ethical Hacker Group Blog

1. OVERVIEW F5 FirePass SSL VPN is vulnerable to Open URL Redirection. 2. BACKGROUND F5 FirePass SSL VPN provides secure remote access to enterprise applications and data for users over any device or network while protecting your corporate. (See http://www.f5.com/pdf/products/firepass-overview.pdf ) 3. VULNERABILITY DESCRIPTION F5 FirePass SSL VPN contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the "refreshURL" parameter upon submission to the "my.activation.cns.php3" script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. 4. VERSIONS AFFECTED 4xxx Series 5. PROOF-OF-CONCEPT/EXPLOIT https://[VPN_HOST]/my.activation.cns.php3?langchar=&ui_translation=&refreshURL= http://yehg.net/ 6. SOLUTION We have n...

1. OVERVIEW SilverStripe 2.4.7 and lower versions are vulnerable to Persistent Cross Site Scripting. 2. BACKGROUND SilverStripe CMS is easy for both developers and content authors to work with. The SilverStripe Framework keeps the code tucked away neatly so that it can be accessed easily by programmers but does not get in the way of content authors. 3. VULNERABILITY DESCRIPTION The "Title" parameter was not properly sanitized upon submission to "/index.php/admin/security/EditForm/field/Roles/AddForm" and "/index.php/admin/RootForm" urls, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Tested on 2.4.7 5. PROOF-OF-CONCEPT/EXPLOIT //////////////////////////////////////// POST /index.php/admin/security/EditForm/field/Roles/AddForm?SecurityID=[ID] HTTP/1.1 Host: loc...

1. OVERVIEW SilverStripe 2.4.7 and lower versions are vulnerable to Open URL Redirection. 2. BACKGROUND SilverStripe CMS is easy for both developers and content authors to work with. The SilverStripe Framework keeps the code tucked away neatly so that it can be accessed easily by programmers but does not get in the way of content authors. 3. VULNERABILITY DESCRIPTION SilverStripe CMS contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the "BackURL" parameter upon submission to the "/index.php/Security/login" script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. 4. VERSIONS AFFECTED Tested on 2.4.7 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/index.php/Security/login?BackURL=//yehg.net 6. SOLUTION Upgrade to t...