Posts

Showing posts from August, 2010

Joomla! Component com_bcaccount Persistent Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The Joomla! Component com_bcaccount was vulnerable to a Persistent Cross Site Scripting (XSS) vulnerability.

2. PRODUCT DESCRIPTION
The Joomla! Component com_bcaccount is the chat user account management component of the widely-used BlastChat chat client component (com_blastchatc), designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION
The Joomla! Component com_bcaccount does not properly escape user profile information when it is saved. Attackers can craft CSRF payloads that store a persistent XSS payload in users' profiles, which can be turned into a self-replicating XSS worm. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED

Joomla! Component com_bc Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The Joomla! Component com_bc was vulnerable to a Cross Site Scripting (XSS) vulnerability.

2. PRODUCT DESCRIPTION
The Joomla! Component com_bc is the widely-used BlastChat chat server component, designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION
The Joomla! Component com_bc does not properly escape the following parameters: ctask, bcItemid, lang, nlang, rid, rsid, sec_code, template, and usergid. This leads to a Cross Site Scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED
Versions Not Available (reason: Closed-source/Commercial Product)

5. PROOF-OF-CONCEPT/EXPLOIT
Vulnerable URL-1: index2.php?o

BlastChat Chat Client Component version 3.3 <= Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The BlastChat chat client Component for Joomla 1.x, Joomla 1.5.x, Mambo 4.5, Mambo 4.6 and Drupal 6 was vulnerable to a Cross Site Scripting (XSS) vulnerability.

2. PRODUCT DESCRIPTION
The BlastChat Chat Client Component is a widely-used BlastChat chat client component designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. The client chat component is available for multiple CMSes, including Joomla 1.x, Joomla 1.5.x, Mambo 4.5, Mambo 4.6, and Drupal 6. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION
The BlastChat chat client Component does not properly escape the "Itemid" parameter, which leads to a Cross Site Scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-s

[site update] 08-11-2010 to 08-26-201

08-26-2010
------------
Added advisories:
http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bc%5D_cross_site_scripting
http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_bcaccount%5D_persistent_cross_site_scripting
http://yehg.net/lab/pr0js/advisories/joomla/%5Bcom_blastchatc%5D_cross_site_scripting

08-24-2010
------------
Updated Hacker Web Search Aggregator (aka. Ultimate Recon)
http://yehg.net/q
Updated PHP Charset Encoder
http://yehg.net/e

08-20-2010
--------------
Added advisory:
http://yehg.net/lab/pr0js/view.php/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting(XSS)

08-18-2010
--------------
Added two advisories:
1. Ad Bard Network(adbard.net) - network-wide Cross Site Scripting Vulnerability
   http://yehg.net/lab/pr0js/view.php/[adbard.net]_xss
2. Linkbucks.com XSS & URL Redirection Vulnerabilities
   http://yehg.net/lab/pr0js/view.php/[linkbucks.com]_xss,redirect

08-14-2010
--------------
Added new article - Most Neglected Fact About CSRF
http://yehg.net/lab/pr0js/

Ad Bard Network(adbard.net) - network-wide Cross Site Scripting Vulnerability

1. OVERVIEW
A famous advertising network for the free/open-source software community, adbard.net, is currently vulnerable to an ad-network-wide Cross Site Scripting vulnerability. All of the sites in its advertising network (http://adbard.net/adbard/websites) are consequently vulnerable as well. Although the flaw itself does not reside in those member sites, how far it can be leveraged against them depends only on the skills and planning of attackers.

2. SITE SERVICE DESCRIPTION
The Ad Bard Network is the only advertising network designed specifically for reaching the developers, architects, users and influencers in the free software community, allowing advertisers to directly communicate with the key customers in this exciting new area.

3. VULNERABILITY DESCRIPTION
The serve.php at adbard.net is vulnerable to Cross Site Scripting because the "u" parameter is not properly sanitized. serve.php is loaded by Adbard.net's ad script (currently 'http://cdn1.adbard.net/js/ab1.js'), so every site embedding that script is exposed.

4. PROOF-OF-C

2Wire Broadband Router Session Hijacking Vulnerability

1. OVERVIEW
The 2Wire Broadband Router is vulnerable to a Session Hijacking flaw through which attackers can compromise the router administrator's session.

2. PRODUCT DESCRIPTION
2Wire routers, products of 2Wire, are widely-used broadband routers in SOHO environments. They are distributed through most well-known ISPs (see http://2wire.com/?p=383 ) with ready-to-use pre-configured settings. Their wireless SSIDs are recognizable by the "2WIRE" prefix.

3. VULNERABILITY DESCRIPTION
The web-based management interface of the 2Wire Broadband router does not generate truly unique, random session IDs for a logged-in administrator user. This allows attackers to brute-force guess a valid session ID and compromise the administrator session. For more information about this kind of weakness, refer to CWE-330: Use of Insufficiently Random Values and CWE-331: Insufficient Entropy.

4. VERSIONS AFFECTED
Tested against:
Model: 2700HGV-2 Gateway
Hardware Version: 2700-100657-005
Software Version: 5.29.117.3
Other version

HP System Management Homepage(SMH) | URL Redirection Abuse

Discovered by Aung Khant (aungkhant<@>yehg.net)
YGN Ethical Hacker Group, Myanmar
http://yehg.net/

Product: HP System Management Homepage
Description: Consolidated system management information helps IT Administrators predict, diagnose, and rapidly respond to potential and actual system failures for a single server.
Vendor: HP Inc ( http://www.hp.com )
Vulnerability Affected: URL Redirection Abuse
Versions tested: 2.x.x.x
Versions affected: 2.x.x.x
Other versions (3.x) might be affected as well.
Date published: 04-25-2010
Severity: Medium

Vulnerability Detail:
An attacker can lure a victim into being redirected to a malicious site of the attacker's choice via the trusted, vulnerable SMH URL. From there, serious attacks such as browser exploits can be performed to compromise the victim's OS.

POC URL:
http://x.x.x.x:2301/[email protected]

Solution:
- Remove red3201.html under the hpsmh\data\htdocs\ directory, OR
- Sanitize the RedirectUrl variable, OR
- Wait for the vendor's fix in the next 4-6 mont

phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The phpMyAdmin web application was vulnerable to a Cross Site Scripting vulnerability.

2. PRODUCT DESCRIPTION
phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc.), while you still have the ability to directly execute any SQL statement.

3. VULNERABILITY DESCRIPTION
Some URLs in phpMyAdmin do not properly escape user input, which leads to a cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED
phpMyAdmin 3.3.5 and lower
phpMyAdmin 2.11.10 and lower

5. PROOF-OF-CONCEPT/EXPLOIT
http://yehg.net/lab/pr0js/advisories/

linkbucks.com XSS & URL Redirection Vulnerabilities

1. OVERVIEW
A famous link-based advertising network, linkbucks.com, is currently vulnerable to Cross Site Scripting and URL Redirection vulnerabilities.

2. SITE SERVICE DESCRIPTION
Linkbucks is the first Internet advertising network to recognize that the interplay between websites and web users is the foundation of a successful viral campaign. Linkbucks brings web users, websites, and marketers together in a way that is beneficial to everyone.

3. VULNERABILITY DESCRIPTION
The Default.aspx page at linkbucks.com is vulnerable to Cross Site Scripting because the Message and ReturnURL parameters are not properly sanitized after a user logs out.

4. PROOF-OF-CONCEPT/EXPLOIT
+ Cross Site Scripting (OWASP 2010 Top 10 - A2)
http://www.linkbucks.com/Default.aspx?task=completed&MetaRefresh=2&Message="><script>alert(/XSS/)</script>&ReturnURL=/Default.aspx&NoText=true
http://yehg.net/lab/pr0js/advisories/sites/linkbucks.com/xss