Posts

Showing posts from October, 2012

F5 FirePass SSL VPN 4xxx Series | Arbitrary URL Redirection

1. OVERVIEW F5 FirePass SSL VPN is vulnerable to Open URL Redirection. 2. BACKGROUND F5 FirePass SSL VPN provides secure remote access to enterprise applications and data for users over any device or network while protecting your corporate. (See http://www.f5.com/pdf/products/firepass-overview.pdf ) 3. VULNERABILITY DESCRIPTION F5 FirePass SSL VPN contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the "refreshURL" parameter upon submission to the "my.activation.cns.php3" script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. 4. VERSIONS AFFECTED 4xxx Series 5. PROOF-OF-CONCEPT/EXPLOIT https://[VPN_HOST]/my.activation.cns.php3?langchar=&ui_translation=&refreshURL= http://yehg.net/ 6. SOLUTION We have n

SilverStripe CMS 2.4.7 <= Persistent Cross Site Scripting Vulnerability

1. OVERVIEW SilverStripe 2.4.7 and lower versions are vulnerable to Persistent Cross Site Scripting. 2. BACKGROUND SilverStripe CMS is easy for both developers and content authors to work with. The SilverStripe Framework keeps the code tucked away neatly so that it can be accessed easily by programmers but does not get in the way of content authors. 3. VULNERABILITY DESCRIPTION The "Title" parameter was not properly sanitized upon submission to "/index.php/admin/security/EditForm/field/Roles/AddForm" and "/index.php/admin/RootForm" urls, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Tested on 2.4.7 5. PROOF-OF-CONCEPT/EXPLOIT //////////////////////////////////////// POST /index.php/admin/security/EditForm/field/Roles/AddForm?SecurityID=[ID] HTTP/1.1 Host: loc

SilverStripe CMS 2.4.7 <= Arbitrary URL Redirection

1. OVERVIEW SilverStripe 2.4.7 and lower versions are vulnerable to Open URL Redirection. 2. BACKGROUND SilverStripe CMS is easy for both developers and content authors to work with. The SilverStripe Framework keeps the code tucked away neatly so that it can be accessed easily by programmers but does not get in the way of content authors. 3. VULNERABILITY DESCRIPTION SilverStripe CMS contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the "BackURL" parameter upon submission to the "/index.php/Security/login" script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. 4. VERSIONS AFFECTED Tested on 2.4.7 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/index.php/Security/login?BackURL=//yehg.net 6. SOLUTION Upgrade to t