標籤 hacker-prevention 下的所有文章

CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Security Vulnerabilities

18638880

CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Web Security Vulnerabilities


Exploit Title: OptimalSite CMS /display_dialog.php image Parameter XSS Web Security Vulnerability

Vendor: OptimalSite

Product: OptimalSite Content Management System (CMS)

Vulnerable Versions: V.1 V2.4

Tested Version: V.1 V2.4

Advisory Publication: January 24, 2015

Latest Update: January 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9562

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Credit: Jing Wang [School of Physical and Mathematical Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)





Suggestion Details:

(1) Vendor & Product Description

Vendor:

OptimalSite


Product & Version:

OptimalSite Content Management System (CMS)

V.1

V2.4


Vendor URL & Download:

The product can be obtained from here,

http://www.optimalsite.com/en/


Product Description Overview:

“Content management system OptimalSite is an online software package that enables the management of information published on a website. OptimalSite consists of the system core and integrated modules, which allow expanding website possibilities and functionality. You may select a set of modules that suits your needs best.


Website page structure

Website page structure is presented in a tree structure similar to Windows Explorer, so that several page levels can be created for each item on the menu. The website’s structure itself can be easily edited: you can create new website pages, delete unnecessary ones, and temporarily disable individual pages.


Website languages

OptimalSite may be used to create a website in different languages, the number of which is not limited. Different information may be presented in each separate language and the structure of pages in each language may also differ.


WYSIWYG (What You See Is What You Get) text editor

Using this universal text editor makes posting and replacing information on the website effortless. Even a minimum knowledge of MS Word and MS Excel will make it easy to use the tools of WYSIWYG text editor and implement your ideas.


Search function in the system

By using search function system’s administrator is able to find any information that is published in administrative environment. It is possible to execute a search in the whole system and in separate its’ modules as well.


Recycle bin function

System administrator is able to delete useless data. All deleted data is stored in recycle bin, so administrator can restore information anytime. “




(2) Vulnerability Details:

OptimalSite web application has a computer security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other the similar product 0-day vulnerabilities have been found by some other bug hunter researchers before. OptinalSite has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services." Openwall has published suggestions, advisories, solutions details related to XSS vulnerabilities.


(2.1) The code programming flaw occurs at “&image" parameter in “display_dialog.php" page.






http://lists.openwall.net/full-disclosure/2015/02/02/3

http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1546

https://zuiyuxiang.wordpress.com/2015/05/10/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-security-vulnerabilities/

http://frenchairing.blogspot.com/2015/05/cve-2014-9562-optimalsite-content.html

http://tetraph.blog.163.com/blog/static/234603051201541082835108/

https://www.facebook.com/permalink.php?story_fbid=1623045457913931&id=1567915086760302

https://twitter.com/buttercarrot/status/597377286996791299

http://www.weibo.com/5099722551/ChdSxaqGR?ref=home&rid=4_0_1_2669612892358968742&type=comment

https://plus.google.com/113115469311022848114/posts/9mdeMorsS2C

http://ittechnology.lofter.com/post/1cfbf60d_6e93c47

http://itinfotech.tumblr.com/post/118602673596/securitypost-cve-2014-9562-optimalsite-content

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities

201402Return-oriented-programming-ROP-computer-security-exploit-technique

 

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities


 

Exploit Title: CVE-2015-2214 NetCat CMS Full Path Disclosure Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1

Tested Version: 5.01   3.12

Advisory Publication: February 27, 2015

Latest Update: May 05, 2015

Vulnerability Type: Information Leak / Disclosure [CWE-200]

CVE Reference: CVE-2015-2214

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information

Credit and Writer: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 
 
 

Consultation Details:


 

(1) Vendor & Product Description:

Vendor:

NetCat


 

Product & Version:

NetCat

5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


 

Vendor URL & Download:

NetCat can be accessed from here,

http://netcat.ru/


 

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."


“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."


“We give a discount on any edition NetCat

We try to help our partners to enter into a close-knit team. To reduce your expenses on the development of a new system, we provide special conditions for the acquisition of commercial licenses NetCat, for a partner is assigned a permanent discount of 40%, which according to the results of further sales could be increased to 60%."


“Teach your developers work with the secrets NetCat

In addition to the detailed documentation and video tutorials to new partners we offer a unique free service – direct contact with the developer from the team NetCat, which will help in the development of product development tools."


“We give customers

Once you develop the three sites NetCat information about you appear in our ranking developers. This means that you not only begin to receive direct requests from clients but also become a member of tenders conducted by customers. In addition, if the partner is really good work, employees NetCat begin recommending it to clients requesting assistance in the choice of contractor."


“We will help in the promotion of

The company is a regular participant NetCat large number of forums, seminars and conferences. We are happy to organize together with partners involved, help with advertising materials and share information for the report."


“Confirmed its status in the eyes of customers

We have a very flexible system of certification of partners: we do not give certificates for the sale of licenses and for the developed sites. So, for example, to obtain a certificate “Development of corporate websites’ to add to your personal account three implementation of the appropriate type."

 
 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by information leakage attacks – Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Netcat has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to important vulnerabilities.

 

(2.1) The first programming code flaw occurs at “&redirect_url" parameter in “netshop/post.php?" page.

 
 
 
 
 

References:

http://tetraph.com/security/full-path-disclosure-vulnerability/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/netcat-cms-full-path-disclosure.html

http://seclists.org/fulldisclosure/2015/Mar/8

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01740.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1645

http://lists.openwall.net/full-disclosure/2015/03/02/6

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142527117510514&w=2

http://marc.info/?l=full-disclosure&m=142527117510514&w=4

https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://www.tetraph.com/blog/information-leakage-vulnerability/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

http://essayjeans.blog.163.com/blog/static/2371730742015411113047382/

http://www.weibo.com/1644370627/ChjMoA9hD?type=comment#_rnd1431315096193

http://homehut.lofter.com/post/1d226c81_6eae13a

 

Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security Vulnerabilities

Hacker Research Topics

iStock_000007384492-keyboard_5

Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security Vulnerabilities

Exploit Title: Proverbs Web Calendar /calendar.php Multiple Parameters XSS (Cross-site Scripting) Security Vulnerabilities

Vendor: Proverbs

Product: Proverbs Web Calendar

Vulnerable Versions: 1.0.0 1.1 1.2.2 2.1 2.1.2

Tested Version: 1.2.2 2.1

Advisory Publication: April 03, 2015

Latest Update: April 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Suggestion Details:


(1) Vendor & Product Description:


Vendor:

Proverbs

Product & Vulnerable Versions:

Proverbs Web Calendar

1.0.0

1.1

1.2.2

2.1

2.1.2

Vendor URL:

http://www.proverbs.biz/

Download:

Proverbs Web Calendar can be obtained from here,

http://www.proverbsllc.com/demos/calendar/calendar.php

http://www.hotscripts.com/listing/proverbs-web-calendar/

http://www.c-point.com/free_php_scripts/calendar.php

http://www.html.it/articoli/proverbs-php-web-calendar-v-100-1/

Product Introduction Overview:

“This is a web event calendar developed using PHP and powered by MySQL. The calendar is viewed in month format initially with a…

View original post 詳見內文:約166字

6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities

Hacker Research Topics

Security-Researchers-Discover-Java-Binary-Planting-Vulnerability

6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities

Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

6kbbs

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

Vendor URL & download:

6kbbs can be obtained from here,

http://www.6kbbs.com/download.html

http://code.google.com/p/6kbbs/downloads/list

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability…

View original post 詳見內文:約315字

76.3% WEATHER CHANNEL WEBSITE LINKS VULNERABLE TO REFLECTED CROSS-SITE SCRIPTING (XSS)

 

380

 

Popular Weather Channel web site (Weather.com) has been found to be vulnerable to a reflected Cross-Site Scripting flaw, according to security researcher Wang Jing’s research. The vulnerability lies in that Weather.com does not filter malicious script codes when constructing HTML tags with its URLs. This way, an attacker just adds a malicious script at the end of the URL and executes it.

“If The Weather Channel’s users were exploited, their Identity may be stolen,” Jing said via email. “At the same time, attackers may use the vulnerability to spy users’ habits, access sensitive information, alter browser functionality, perform denial of service attacks, etc.”

Wang Jing is a Ph.D student from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He found that at list 76.3% of Weather Channel website links were vulnerable to XSS attacks. Attackers just need to add scripts at end of Weather Channel’s URLs. Then the scripts will be executed.

 

 

Related News:

http://www.scmagazine.com/the-weather-channels-website-found-vulnerable-to-xss-attacks/article/386010/

http://www.hotforsecurity.com/blog/weather-channel-web-site-vulnerable-to-reflected-cross-site-scripting-xss-10906.html

http://www.computerworld.com/article/2852502/weathercom-fixes-web-app-flaws.html

http://seclists.org/fulldisclosure/2014/Nov/89

http://packetstormsecurity.com/files/129288/weatherchannel-xss.txt

http://webcabinet.tumblr.com/post/116076287997/whitehatview-the-weather-channel-fixes-web-app

http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-weather-com-almost-all-links-vulnerable-to-xss-attacks/

http://www.securitylab.ru/news/462524.php

http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8

http://www.tetraph.com/blog/it-news/weather-channel-xss/

https://www.facebook.com/websecuritiesnews/posts/699866823466824

https://itswift.wordpress.com/2014/12/01/76-3-weather-channel-xss-attacks/

https://www.secnews.gr/weather-channel-xss

 

 

 

OAuth and OpenID Users Threatened by New Security Flaw, Covert Redirect

heartbleed_bug_hackers

 

A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed “Covert Redirect" by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

 

Both standards are employed across the Internet to let users log into websites using their credentials from other sites, such as by logging into a Web forum using a Facebook or Twitter username and password instead of creating a new account just for that forum.

 

Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw’s finder, Mathematics Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

 

Wang believes it’s unlikely that this flaw will be patched any time soon. He says neither the authentication companies (those with which users have an account, such as Google, Microsoft, Facebook, Twitter or LinkedIn, among others) nor the client companies (sites or apps whose users log in via an account from an authentication company) are taking responsibility for fixing the issue.

 

“The vulnerability is usually due to the existing weakness in the third-party websites," Wang writes on his own blog. “However, they have little incentive to fix the problem."

 

The biggest danger of Covert Redirect is that it could be used to conduct phishing attacks, in which cybercriminals seize login credentials, by using email messages containing links to malicious websites disguised as something their targets might want to visit.

 

Normal phishing attempts can be easy to spot, because the malicious page’s URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirect is that an attacker could use the real website instead by corrupting the site with a malicious login popup dialogue box.

 

For example, say you regularly visit a given forum (the client company), to which you log in using your credentials from Facebook (the authentication company). Facebook uses OAuth 2.0 to authenticate logins, so an attacker could put a corrupted Facebook login popup box on this forum.

 

If you sign in using that popup box, your Facebook data will be released to the attacker, not to the forum. This means the attacker could possibly gain access to your Facebook account, which he or she could use to spread more socially engineered attacks to your Facebook friends.

 

Covert Redirect could also be used in redirection attacks, which is when a link takes you to a different page than the one expected.

 

Wang told CNET authentication companies should create whitelists — pre-approved lists that block any not on it — of the client companies that are allowed to use OAuth and OpenID to redirect to them. But he said he had contacted a number of these authentication companies, who all shifted blame elsewhere.

 

Wang told CNET Facebook had told him it “understood the risks associated with OAuth 2.0″ but that fixing the flaw would be “something that can’t be accomplished in the short term." Google and LinkedIn allegedly told Wang they were looking into the issue, while Microsoft said the issue did not exist on its own sites.

 

Covert Redirect appears to exist in the implementations of the OpenID and OAuth standards used on client websites and apps. But because these two standards are open-source and were developed by a group of volunteers, there’s no company or dedicated team that could devote itself to fixing the issue.

 

 

Where does that leave things?

“Given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service," Chris Wysopal, chief technology officer of Boston-area security firm Veracode and a member of the legendary 1990s hackerspace the L0pht, told CNET.

 

“It’s not easy to fix, and any effective remedies would negatively impact the user experience," Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security, told CNET. “Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws."

 

Users should be extra-wary of login popups on Web pages. If you wish to log into a given website, it might be better to use an account specific to that website instead of logging in with Facebook, Twitter, or another authentication company, which would require the use of OAuth and/or OpenID to do.

 

If you think someone has gained access to one of your online accounts, notify the service and change that account’s password immediately.

 

 

 

 

 

Related Articles:

http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

http://whitehatview.tumblr.com/post/120695795041

http://russiapost.blogspot.ru/2015/05/openid-oauth-20.html

http://www.diebiyi.com/articles/security/covert-redirect/covert_redirect/

https://itswift.wordpress.com/2014/05/06/microsoft-google-facebook-attacked/

http://tetraph.blog.163.com/blog/static/2346030512015420103814617/

http://itsecurity.lofter.com/post/1cfbf9e7_72e2dbe

http://ithut.tumblr.com/post/119493304233/securitypost-une-faille-dans-lintegration

http://japanbroad.blogspot.jp/2015/05/oauthopenid-facebook.html

http://webtech.lofter.com/post/1cd3e0d3_6f0f291

https://webtechwire.wordpress.com/2014/05/11/covert-redirect-attack-worldwide/

http://whitehatview.tumblr.com/post/119489968576/securitypost-sicherheitslucke-in-oauth-2-0-und

http://www.inzeed.com/kaleidoscope/computer-security/facebook-google-attack/