Posts

Showing posts from March, 2011

Vulnerabilities in *McAfee.com

Vulnerabilities in *McAfee.com 1. VULNERABILITY DESCRIPTION -> Cross Site Scripting http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('http://attacker.in ') -> Information Disclosure > Internal Hostname: http://www.mcafee.com/js/omniture/omniture_profile.js ($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js ) -> Information Disclosure > Source Code Disclosure: view-source: http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp view-source: http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp view-source: http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp view-source: http://download.mcafee.com/clinic/Includes/common.asp view-source: http://download.mcafee.com/updates/upgrade_patches.asp view-source: http://download.mcafee.com/updates/common/dat_common.asp view-source: http://download.mcafee.com/updates/updates.asp view-source:

Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability

1. OVERVIEW The Plesk versions from 7.0 to 8.2 are vulnerable to Open URL Redirection when "Enable [email protected]" access format, a new feature introduced in Plesk 7.0, is enabled in user preferences. 2. BACKGROUND Parallels Plesk Panel is a turnkey Web hosting system that includes fully automated billing and provisioning, an integrated SiteBuilder, and access to over a hundred Web-based applications that you can use to create unique service plans that meet a variety of customer needs. 3. VULNERABILITY DESCRIPTION The Plesk 7.0 - 8.2 versions contain a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not properly parse Query String parameter to set it apart from [email protected] format upon submission to the default web root url (/) of the affected domain (i.e www.domain.com/) . To further explain, when the URL with the format, http://domain.com/?@localhost, is requested, the Plesk mistakenly pars

PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass Vulnerability

1. OVERVIEW The PHP-Nuke version 8.x and lower versions are vulnerable to Cross Site Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer Check) is found to be broken. 2. BACKGROUND PHP-Nuke is a Web Portal System or content management system. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with users system. Each user can submit comments to discuss the articles. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referrers page to know who link us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. 3. VULNERABILITY DESCRIPTION The PHP-Nu

PHP-Nuke 8.x <= Cross Site Scripting Vulnerability

1. OVERVIEW The PHP-Nuke version 8.x and lower are vulnerable to Cross Site Scrtipting. 2. BACKGROUND PHP-Nuke is a Web Portal System or content management system. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with users system. Each user can submit comments to discuss the articles. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referrers page to know who link us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. 3. VULNERABILITY DESCRIPTION The "sender_name" and the "sender_email" parameter are not properly sanitized upo

PHP-Nuke 8.x <= "chng_uid" Blind SQL Injection Vulnerability

1. OVERVIEW The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL Injection. 2. BACKGROUND PHP-Nuke is a Web Portal System or content management system. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with users system. Each user can submit comments to discuss the articles. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referrers page to know who link us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. 3. VULNERABILITY DESCRIPTION The "chng_uid" parameter is not properly sanitized upon submission to the /admin.php which le

Video: Bypassing phpNuke 8.x Referer Check Anti-CSRF Defense

[ View Online | Download ] Description: This demo proves that simply validating hostname in HTTP Referer, a widely deployed quick anti-csrf defense, can easily be bypassed.

Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability

Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability 1. OVERVIEW Joomla! 1.6.0 is vulnerable to Full Path Disclosure. 2. BACKGROUND Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. 3. VULNERABILITY DESCRIPTION Direct access to a library file was not protected, which causes revealing the full internal path of a server whose PHP setting is set to show errors. 4. VERSION AFFECTED Joomla! 1.6.0 5. PROOF-OF-CONCEPT/EXPLOIT http://attacker.in/joomla160/libraries/phpmailer/language/

XOOPS 2.5.0 <= Cross Site Scripting Vulnerability

1. OVERVIEW The XOOPS 2.5.0 and lower versions were vulnerable to Cross Site Scripting. 2. BACKGROUND XOOPS is an acronym of eXtensible Object Oriented Portal System. It's the #1 Content Management System (CMS) project on www.sourceforge.net and a recipient of several awards, and constantly places as finalist in various CMS and Open Source competitions. It incorporates many modules such as forums, photo galleries, calendars, article management etc. 3. VULNERABILITY DESCRIPTION Several parameters such as module/module[], memberslist_id[], newname[], oldname[] were not properly sanitized upon submission to the /modules/system/admin.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED XOOPS 2.5.0 and lower 5. PROOF-OF-CONCEPT/EXPLOIT Parameter: module http://attacker.in/xoops/modules/system/admin.php?fct=modu

Joomla! 1.6.0 | SQL Injection Vulnerability

==============================  Joomla! 1.6.0 | SQL Injection Vulnerability ============================== 1. OVERVIEW Joomla! 1.6.0 was vulnerable to SQL Injection. 2. BACKGROUND Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. 3. VULNERABILITY DESCRIPTION Parameters (filter_order, filer_order_Dir) were not properly sanitized in Joomla! that lead to SQL Injection vulnerability.  This could an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure

Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability

=========================================  Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability ========================================= 1. OVERVIEW Joomla! 1.6.0 was vulnerable to Cross Site Scripting. 2. BACKGROUND Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. 3. VULNERABILITY DESCRIPTION The Query String parameter was not properly sanitized upon submission to the /index.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted

[new tool announcement] host-extract

Host-Extract | Host/IP Pattern Extractor =============================== category: /pentest/enumeration/www useful area: blackbox testing This little ruby script tries to extract all IP/Host patterns in page response of a given URL and JavaScript/CSS files of that URL. With it, you can quickly identify internal IPs/Hostnames, development IPs/ports, cdn, load balancers, additional attack entries related to your target that are revealed in inline js, css, html comment areas and js/css files. This is unlike web crawler which looks for new links only in anchor tags (<a) or the like. In some cases, host-extract may give you false positives when there are some words like - main-site_ver_10.2.1.3.swf. With -v option, you can ask the tool to output html view-source snippets for each IP/Domain extracted. This will shorten your manual analysis time. Please go to http://host-extract.googlecode.com/ for more info. Download/Update ============== svn co http://host-extract.googlecode.com/svn/tru

bbPress 1.0.2 <= Cross Site Scripting Vulnerability

1. OVERVIEW bbPress 1.0.2 and lower versions were vulnerable to Cross Site Scripting. 2. APPLICATION DESCRIPTION bbPress is plain and simple forum software, plain and simple with a twist from the creators of WordPress. It is focused on web standards, ease of use, ease of integration, and speed. 3. VULNERABILITY DESCRIPTION The "re" parameter was not properly sanitized upon submission to the /bb-login.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. If a user has already logged in to the application, an XSS attack will execute promptly. If not, it will execute after the user's successful logging in. 4. VERSIONS AFFECTED bbPress 1.0.2 and lower 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/bb-login.php?re=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiWFNTXG4iK2RvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4%3D 6. SOLUTION Upgrade to 1.0