Posts

Showing posts from 2010

MyBB 1.6 <= Cross Site Scripting Vulnerability

http://yehg.net/lab/pr0js/advisories/%5Bmybb1.6%5D_cross_site_scripting

1. OVERVIEW
MyBB was vulnerable to a Cross Site Scripting vulnerability.

2. APPLICATION DESCRIPTION
MyBB is a free bulletin board system software package developed by the MyBB Group. It is said to be derived from the XMB and DevBB bulletin board applications.

3. VULNERABILITY DESCRIPTION
Two XSS vulnerabilities were found. One is a user-driven XSS on the "url" parameter: the payload fires in the user's browser upon successful log-in. The other is a reflected XSS on the "posthash" parameter, where a valid tid (topic id) is required for a successful attack. The anti-CSRF check against the "my_post_key" parameter was not done in thread/post preview mode, which opened the way for the XSS to succeed.

4. VERSIONS AFFECTED
MyBB 1.6 and lower

5. PROOF-OF-CONCEPT/EXPLOIT
User-driven XSS
http://attacker.in/mybb/member.php?action=login&url=javascript:alert%28/XSS/%29
Reflected XSS
http://attacker.in/mybb/newreply.php?

MyBB 1.6 <= SQL Injection Vulnerability

1. OVERVIEW
A potential SQL Injection vulnerability was detected in MyBB.

2. APPLICATION DESCRIPTION
MyBB is a free bulletin board system software package developed by the MyBB Group. It is said to be derived from the XMB and DevBB bulletin board applications.

3. VULNERABILITY DESCRIPTION
The "keywords" parameter was not properly sanitized in /private.php and /search.php, which leads to a SQL Injection vulnerability. Full exploitation is probably mitigated by the clean_keywords and clean_keywords_ft functions in inc/functions_search.php.

4. VERSIONS AFFECTED
MyBB 1.6 and lower

5. PROOF-OF-CONCEPT/EXPLOIT
=> /search.php
POST /mybb/search.php
action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1

=> /private.php
POST /mybb/private.php
my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff

6. SOLUTION
Upgrade to 1.6.1

7. VENDOR

Metasploit plugin - vhost_scanner improved & updated

Metasploit vhost_scannery.rb

This is an improved version of vhost_scanner in auxiliary/scanner/http/vhost_scanner.rb. We improved it by adding load-from-file support, a more commonly used word list, title/header display, and TLD support. Currently this has not been added to the Metasploit SVN. You can test it by putting it into auxiliary/scanner/http/

Eclipse Source Code Disclosure

Funny Eclipse Source Code Disclosure

This is not to describe source code disclosure as a vulnerability for the open-source Eclipse. Java web servers have been notoriously known for source code disclosure flaws. This is a demo of this kind in the recent Eclipse Help Server "Helios" version. The flaw seems to be due to the Eclipse adaptor linked with the OSGi framework. Who else might be vulnerable?

Encoded XSS Attack Demonstration on Joomla! 1.5.20


Site Update since 2010-10-08

2010-11
------------
- Added Metasploit plugin - vhost_scannery.rb

2010-10
------------
- Updated HackerWebSearch
- Added XSS attack demo on Joomla! 1.5.20
- Added XSS advisory on Joomla! 1.5.20

2010-09
------------
- Updated modrewrite-securityrule
- Divided new tools section - joint
- Added new tool - inspath [Internal Path Disclosure Finder]
    - http://yehg.net/lab/pr0js/files.php/inspath.zip
- Added new article - Path Disclosure Vulnerability
    - http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt
- Added inj3ct0r in Hacker Web Search

2010-08
------------
- Added advisories:
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bc%5D_cross_site_scripting
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bcaccount%5D_persistent_cross_site_scripting
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_blastchatc%5D_cross_site_scripting
    http://yehg.net/lab/pr0js/view.php/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting(XSS)
    http://yehg.net/lab

Joomla! 1.5.20 <= Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The Joomla! web application was vulnerable to a Cross Site Scripting vulnerability.

2. PRODUCT DESCRIPTION
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.

3. VULNERABILITY DESCRIPTION
Some URLs in Joomla! do not properly escape encoded user inputs, which leads to a cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS A

[Tool Update Announcement] inspathx - Path Disclosure Finder

UPDATE
Check it out at:
svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only

For those who don't know inspathx: https://code.google.com/p/inspathx/
_____________________________

WHAT
A tool that uses a local source tree to make requests to the url and search for path inclusion error messages. This has always been a common problem in PHP web applications, one we hate to keep seeing. We hope this tool means path disclosure flaws get triggered no more. See our article about path disclosure:
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

WHY
Web application developers sometimes fail to add safety checks for authentication, file inclusion, etc., so those applications are prone to reveal sensitive information when their URLs are requested directly. Sometimes it's a clue to a File Inclusion vulnerability. For open-source applications, the source code can be downloaded and checked to find such information. This script will do this job.

1. First

Enhanced DLLHijackAuditKit

/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */
http://core.yehg.net/lab/pr0js/files.php/%5Byehg.net%5D_DLLHijackAuditKitx.zip

Modified by Aung Khant, YGN Ethical Hacker Group, Yangon, Myanmar
http://yehg.net

- Added sleep timer support
- Added regex support to scan only the desired application and its associated file extensions

Why did we modify?
By default, DLLHijackAuditKit scans all associated file extensions of all installed applications with a default timer of 3 seconds. DLLHijackAuditor from SecurityXploded is great for targeting only one application. However, according to our testing, it sometimes misses flaws. So, we tried to save time by adding timer support and regex support to our favorite, HDM's DLLHijackAuditKit.

How is it useful?
Sleep timer - for some applications like Adobe CS, which take a few seconds to reach a fully usable state
You do need to look at both analyze.js and audit.js for the two variables below.
You should adjust them depending on the

DLL Hijacking Advisories Archive

http://core.yehg.net/lab/#advisories.dll-hijacking

DLL Hijacking is easy to find, yet it is dangerous. Bad guys claiming to be your friend can send you a zip file that contains your favorite singer's mp3 file together with a hidden malicious dll file. For information about testing for DLL Hijacking and a DLL Hijacking FAQ, see when_testing_for_dll_hijacking.txt.

[alsee]_6.20.0.1_insecure_dll_hijacking
[alshow]_1.91_insecure_dll_hijacking
[alzip]_8.0.6.3_insecure_dll_hijacking
[brava_pdf_reader]_3.3.0.18_insecure_dll_hijacking
[celframe_office]_2008_insecure_dll_hijacking
[e-press-one_office]_insecure_dll_hijacking
[flash_player]_10.1.x_insecure_dll_hijacking_(dwmapi.dll)
[gdocfusion]_2.5.1_insecure_dll_hijacking
[ibm_lotus_symphony]_3-beta-4_insecure_dll_hijacking
[keepass]_2.12_insecure_dll_hijacking_(dwmapi.dll)

[web] Site Update Log since 2010-09

http://yehg.net/lab/#home

2010-09
------------
- Updated modrewrite-securityrule
- Divided new tools section - joint
- Added new tool - inspath [Internal Path Disclosure Finder]
    - http://yehg.net/lab/pr0js/files.php/inspath.zip
- Added new article - Path Disclosure Vulnerability
    - http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt
- Added inj3ct0r in Hacker Web Search

2010-08
------------
- Added advisories:
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bc%5D_cross_site_scripting
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bcaccount%5D_persistent_cross_site_scripting
    http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_blastchatc%5D_cross_site_scripting
    http://yehg.net/lab/pr0js/view.php/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting(XSS)
    http://yehg.net/lab/pr0js/view.php/[adbard.net]_xss
    http://yehg.net/lab/pr0js/view.php/[linkbucks.com]_xss,redirect
    http://yehg.net/lab/pr0js/advisories/2wire/%5B2wire%5D_session_hij

[core] Site Update Log since 2010-09

http://core.yehg.net/lab

2010-09
-------
Added advisories:
- DLL Hijacking archive
Added texts:
- Things to avoid as a (beginning) security researcher
- When testing for dll hijacking vulnerability
- Protection Against FOCA

2010-08
-------
- Added DropItsRight in tools section
- Started the Core Security Division

Joomla! Component com_bcaccount Persistent Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The Joomla! Component com_bcaccount was vulnerable to a Persistent Cross Site Scripting (XSS) vulnerability.

2. PRODUCT DESCRIPTION
The Joomla! Component com_bcaccount is the chat user account management component of the widely-used Blastchat chat client component (com_blastchatc), designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION
The Joomla! Component com_bcaccount does not properly escape user profile information when it is saved. Attackers can craft CSRF payloads to save persistent XSS in users' profiles, which could be turned into a mass self-cloning XSS worm. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED

Joomla! Component com_bc Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The Joomla! Component com_bc was vulnerable to a Cross Site Scripting (XSS) vulnerability.

2. PRODUCT DESCRIPTION
The Joomla! Component com_bc is a widely-used Blastchat chat server component designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION
The Joomla! Component com_bc does not properly escape the parameters ctask, bcItemid, lang, nlang, rid, rsid, sec_code, template, and usergid. This leads to a Cross Site Scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED
Versions Not Available (reason: Closed-source/Commercial Product)

5. PROOF-OF-CONCEPT/EXPLOIT
Vulnerable URL-1: index2.php?o

BlastChat Chat Client Component version 3.3 <= Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
BlastChat's chat client Component for Joomla 1.x, Joomla 1.5.x, Mambo 4.5, Mambo 4.6 and Drupal 6 was vulnerable to a Cross Site Scripting (XSS) vulnerability.

2. PRODUCT DESCRIPTION
The BlastChat Chat Client Component is a widely-used Blastchat chat client component designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. The client chat component is available in multiple CMSes including Joomla 1.x, Joomla 1.5.x, Mambo 4.5, Mambo 4.6, and Drupal 6. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION
BlastChat's chat client Component does not properly escape the "Itemid" parameter, which leads to a Cross Site Scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-s

[site update] 08-11-2010 to 08-26-201

08-26-2010
------------
Added advisories:
http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bc%5D_cross_site_scripting
http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bcaccount%5D_persistent_cross_site_scripting
http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_blastchatc%5D_cross_site_scripting

08-24-2010
------------
Updated Hacker Web Search Aggregator (aka. Ultimate Recon) http://yehg.net/q
Updated PHP Charset Encoder http://yehg.net/e

08-20-2010
--------------
Added advisory:
http://yehg.net/lab/pr0js/view.php/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting(XSS)

08-18-2010
--------------
Added two advisories:
 1. Ad Bard Network(adbard.net) - network-wide Cross Site Scripting Vulnerability
    http://yehg.net/lab/pr0js/view.php/[adbard.net]_xss
 2. Linkbucks.com XSS & URL Redirection Vulnerabilities
    http://yehg.net/lab/pr0js/view.php/[linkbucks.com]_xss,redirect

08-14-2010
--------------
Added new article - Most Neglected Fact About CSRF
http://yehg.net/lab/pr0js/

Ad Bard Network(adbard.net) - network-wide Cross Site Scripting Vulnerability

1. OVERVIEW
A famous advertising network for the free/open-source software community, adbard.net, is currently vulnerable to an ad-network-wide Cross Site Scripting vulnerability. All the sites in its advertising network (http://adbard.net/adbard/websites) are consequently vulnerable. Though the vulnerability is not tied to the ad network member sites themselves, how it can be leveraged depends only on the skills and planning of attackers.

2. SITE SERVICE DESCRIPTION
The Ad Bard Network is the only advertising network designed specifically for reaching the developers, architects, users and influencers in the free software community, allowing advertisers to directly communicate with the key customers in this exciting new area.

3. VULNERABILITY DESCRIPTION
The serve.php at adbard.net is vulnerable to a Cross Site Scripting vulnerability as the "u" parameter is not properly sanitized. The serve.php is linked from Adbard.net's ad script (currently, it is 'http://cdn1.adbard.net/js/ab1.js').

4. PROOF-OF-C

2Wire Broadband Router Session Hijacking Vulnerability

1. OVERVIEW
The 2Wire Broadband Router is vulnerable to a Session Hijacking flaw through which attackers can compromise the router administrator session.

2. PRODUCT DESCRIPTION
2Wire routers, a product of 2Wire, are widely-used Broadband routers in SOHO environments. They are distributed through most famous ISPs (see - http://2wire.com/?p=383 ) with ready-to-use pre-configured settings. Their Wireless SSIDs are well-known by the "2WIRE" prefix.

3. VULNERABILITY DESCRIPTION
The web-based management interface of the 2Wire Broadband router does not generate truly unique random session IDs for a logged-in administrator user. This allows attackers to brute-force guess a valid session ID to compromise the administrator session. For more information about this kind of weakness, refer to CWE-330: Use of Insufficiently Random Values and CWE-331: Insufficient Entropy.

4. VERSIONS AFFECTED
Tested against:
Model: 2700HGV-2 Gateway
Hardware Version: 2700-100657-005
Software Version: 5.29.117.3
Other version

HP System Management Homepage(SMH) | URL Redirection Abuse

Discovered by Aung Khant (aungkhant<@>yehg.net)
YGN Ethical Hacker Group, Myanmar
http://yehg.net/

Product: HP System Management Homepage
Description: Consolidated system management information helps IT Administrators predict, diagnose, and rapidly respond to potential and actual system failures for a single server.
Vendor: HP Inc ( http://www.hp.com )
Vulnerability Affected: URL Redirection Abuse
Versions tested: 2.x.x.x
Versions affected: 2.x.x.x. Other versions (3.x) might be affected as well.
Date published: 04-25-2010
Severity: Medium

Vulnerability Detail:
An attacker can lure a victim into being redirected to a malicious site of the attacker's choice via the trusted but vulnerable SMH url. From there, serious attacks such as browser exploits can be performed to compromise the victim's OS.

POC URL:
http://x.x.x.x:2301/[email protected]

Solution:
- Remove red3201.html under the hpsmh\data\htdocs\ directory OR
- Sanitize the RedirectUrl variable OR
- Wait for Vendor's fix in next 4-6 mont

phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The phpMyAdmin web application was vulnerable to a Cross Site Scripting vulnerability.

2. PRODUCT DESCRIPTION
phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement.

3. VULNERABILITY DESCRIPTION
Some URLs in phpMyAdmin do not properly escape user inputs, which leads to a cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED
phpMyAdmin 3.3.5 and lower
phpMyAdmin 2.11.10 and lower

5. PROOF-OF-CONCEPT/EXPLOIT
http://yehg.net/lab/pr0js/advisories/

linkbucks.com XSS & URL Redirection Vulnerabilities

1. OVERVIEW
A famous link-based advertising network, linkbucks.com, is currently vulnerable to Cross Site Scripting and URL Redirection vulnerabilities.

2. SITE SERVICE DESCRIPTION
Linkbucks is the first Internet advertising network to recognize that the interplay between websites and web users is the foundation of a successful viral campaign. Linkbucks brings web users, websites, and marketers together in a way that is beneficial to everyone.

3. VULNERABILITY DESCRIPTION
The Default.aspx page at linkbucks.com is vulnerable to a Cross Site Scripting vulnerability as the Message and ReturnURL parameters are not properly sanitized after a user logs out.

4. PROOF-OF-CONCEPT/EXPLOIT
+ Cross Site Scripting (OWASP 2010 Top 10 - A2)
http://www.linkbucks.com/Default.aspx?task=completed&MetaRefresh=2&Message="><script>alert(/XSS/)</script>&ReturnURL=/Default.aspx&NoText=true
http://yehg.net/lab/pr0js/advisories/sites/linkbucks.com/xss