Posts

Showing posts from July, 2011

Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross Site Scripting. 2. BACKGROUND Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known Organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php) 3. VULNERABILITY DESCRIPTION Several parameters (page_owner, content,internalname, QUERY_STRING) are not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Elgg 1.7.9 <= 5. PROOF-OF-CONCEPT/EXPLOIT

[whatweb] updated ./plugin-development/get-pattern

https://github.com/yehgdotnet/whatweb-plugins/blob/master/plugin-development/get-pattern Added server,cookie,www-authenticate header in /plugin-development/get-pattern $ ./get-pattern http://demo.phpmyadmin.net/master/ == Page Pattern Generator 0.1 for WhatWeb ==         by Aung Khant, http://yehg.net URL: http://demo.phpmyadmin.net/master/ {:name=>'Page MD5', :md5=>'619ef6970f8609c42b944ea776734663'}, {:name=>'HTML Tag Pattern', :tagpattern=>'!doctype,html,head,meta,link,link,title,/title,link,link,link,meta,script,/script,script,/script,script,/script,script,/script,script,/script,script,/script,script,/script,script,/script,/head,body,script,/script,div,h1,/h1,a,/a,/div,div,a,img,/a,h1,bdo,/bdo,/h1,form,input,input,input,input,input,input,fieldset,input,legend,/legend,select,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option,/option,option

[whatweb] new plugins - MapServer & HopfTimeServer

https://github.com/yehgdotnet/whatweb-plugins/blob/master/new-plugins/MapServer.rb   $ ./whatweb --follow-redirect=same-domain -a 4 -v -p MapServer http://demo.mapserver.org/ demo.mapserver.org/cgi-bin/mapserv/?map=* [200] http://demo.mapserver.org [200] MapServer[Invalid Map Parameter Detection,Version - 5.6.5 ]   https://github.com/yehgdotnet/whatweb-plugins/blob/master/new-plugins/HopfTimeServer.rb   $ ./whatweb --follow-redirect=same-domain -a 4 -v -p HopfTimeServer http://www.timesync.eu/ www.timesync.eu/ [200] www.timesync.eu/cgi-bin/main.cgi?ntp&0 [200] www.timesync.eu/cgi-bin/main.cgi?ntp&0 [200] http://www.timesync.eu/ [200] HopfTimeServer[Generic Version - 727x,Version - 727100]                                                           ______________________________________________ Plugins/Development in progress for  the WhatWeb https://github.com/urbanadventurer/WhatWeb

Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities (CVE-2011-2710)

1. OVERVIEW Joomla! 1.7.0-RC and versions of 1.6.x are vulnerable to multiple Cross Site Scripting issues. 2. BACKGROUND Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. 3. VULNERABILITY DESCRIPTION Several parameters (searchword, Request URI) in Joomla! Core components are not properly sanitized upon submission to the /index.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitr

Updated ssl-enum-ciphers.nse with sslenum=weak option

The original script, ssl-enum-ciphers, was modified so that it can return only the list of known weak algorithms when specified with sslenum=weak option. With that option, only the known following weak ciphers will be tested. $ nmap --script ssl-enum-ciphers --script-args sslenum=weak -p 443 <host> @output | ssl-enum-ciphers: | SSLv3 | Weak Ciphers (6) | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | TLS_DHE_RSA_WITH_DES_CBC_SHA | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | TLS_RSA_WITH_DES_CBC_SHA | Compressors (1) | uncompressed link: http://yehg.net/lab/pr0js/tools/plugins/nmap/ssl-enum-ciphers.nse

MyST BlogSite | Multiple Vulnerabilities

========================================= MyST BlogSite | Multiple Vulnerabilities ========================================= 1. VULNERABILITY DESCRIPTION --> Issue Title: Arbitrary URL Redirect Component: MyST BlogSite ClickDirector Ref: OWASP - Top 10 - 2010 - A10 Ref-Link: https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards Proof-Of-Concept: http://blogsite.com/public/click/~sites/attacker.in/malware_exists_in_this_page/ http://blog.cenzic.com/public/click/~sites/attacker.in/malware_exists_in_this_page/ [FIXED] --> Issue Title: Information Leakage Ref: WASC-13 Ref-Link: http://projects.webappsec.org/w/page/13246936/Information-Leakage This could be used to brute force (http://blogsite.com/login) Proof-Of-Concept: http://blogsite.com/public/mostl/1 http://blogsite.com/public/mostl/2 http://blogsite.com/public/my-account/1 http://blogsite.com/public/my-account/2 http://blogsite.com/public/object/1 http://blo

[Metasploit] Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service

# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS # Version: 5.0 - 7.0 # Tested on: unpatched version of windows xp, 2k3, & Vista Enterprise http://dev.metasploit.com/redmine/attachments/1427/iis567_ftpd_stackexhaust.rb This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the "FTP Publishing" service must be configured as "manual" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload. --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanm

Vulnerabilities in developer.apple.com

1. VULNERABILITY DESCRIPTION Arbitrary URL Redirect ====================== POC (Browsers: All) https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in/malware_exists_in_this_page Issue References: OWASP Top 10 A10 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project CWE 601 - http://cwe.mitre.org/data/definitions/601.html Cross Site Scripting(XSS) Via Arbitrary URL Redirect ==================================================== POC (Browsers: Safari, Opera): https://developer.apple.com/membercenter/urlRedirect.action?fullURL=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQ3Jvc3MgU2l0ZSBTY3JpcHRpbmcgRGVtbyBieVxuXG55ZWhnLm5ldFxuIik8L3NjcmlwdD4%3D Issue References: OWASP Top 10 A2 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project CWE 79 - http://cwe.mitre.org/data/definitions/79.html HTTP Response Splitting(HRS) Via Arbitrary URL Redirect =====================================================

[metasploit] TYPSoft FTP Server 1.1 RETR Denial of Service

http://dev.metasploit.com/redmine/attachments/1317/typsoft11_retr.rb Module Category: modules/auxiliary/dos/windows/ftp This module triggers Denial of Service in the TYPSSoft FTP Server 1.1 and earlier by issuing multiple "RETR" command requests. Software Link: http://www.softpedia.com/get/Internet/Servers/FTP-Servers/TYPSoft-FTP-Server.shtml