mAdserve SQL Injection

16 April 2014 - Source: http://www.mondounix.com
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be 
exploited to execute arbitrary SQL commands in the application's database and compromise the vulnerable website.
 
 
1) SQL Injection in mAdserve: CVE-2014-2654
 
1.1 The vulnerability exists due to insufficient sanitization of user input passed via the "id" HTTP GET parameter to 
the "/www/cp/edit_ad_unit.php" script. A remote authenticated attacker can inject and execute arbitrary SQL commands in 
the application's database and gain complete control over the application.
 
The exploitation example below displays the version of the MySQL server:
 
http://[host]/www/cp/edit_ad_unit.php?id=1%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,version%28%29,13,14,15,16,17%20--%202
 
 
1.2...


Orbit Open Ad Server SQL Injection

10 April 2014 - Source: http://www.mondounix.com
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server, which can be exploited to 
perform SQL injection attacks, alter SQL requests to the database of the vulnerable application and potentially gain control 
over the vulnerable website.
 
1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540
 
Input passed via the "site_directory_sort_field" HTTP POST parameter to the "/guest/site_directory" URL is not properly 
sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.
 
The PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application...


Sendy 1.1.9.1 – SQL Injection Vulnerability

10 April 2014 - Source: http://www.mondounix.com
Sendy contains a flaw that may allow an SQL injection attack to be carried out. The issue is due to the /send-to script not 
properly sanitizing user-supplied input to the "c" parameter. This may allow a remote attacker to inject or manipulate 
SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
 
Proofs:
 
# sqlmap -u 'http://server1/send-to?i=1&c=10' --cookie="version=1.1.9.1; PHPSESSID=[phpsessid value]; 
logged_in=[logged_in value]" -p c -D sendy --tables
 
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is...


MacOSX 10.9.2/XNU HFS Multiple Vulnerabilities

7 April 2014 - Source: http://www.mondounix.com
MacOSX/XNU HFS Multiple Vulnerabilities
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
 
===================
 
On November 8th, I reported a vulnerability in hard links for HFS+
(CVE-2013-6799)
 
http://cxsecurity.com/issue/WLB-2013110059
 
The HFS+ file system does not apply strict privilege rules during the
creation of hard links. The ability to create hard links to directories is
wrongly implemented, and this issue affects OS versions greater than or
equal to 10.5. Officially, Apple allows you to create hard links only for
your Time Machine. <see wiki> Vulnerability CVE-2013-6799 (incomplete fix
for CVE-2010-0105) allows creating a hard link to a directory, and the number of
hard links...


Shared folders – tidying up with ABE

4 April 2014 - Source: http://www.danielelonghi.com
Do you want your users, when accessing a shared folder, to see only the files and folders they have permissions for? You may be interested in the ‘Access-based enumeration (ABE)’ feature. Available natively since Windows Server 2008 (and on Windows Server 2003 from Service Pack 1), ABE allows a user who accesses a folder […]...


Drupal 7.26 Custom Search 7.x-1.13 Cross Site Scripting

3 April 2014 - Source: http://www.mondounix.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Vulnerability Report
 
 
Author: Justin C. Klein Keane <justin@madirish.net>
Reported: 19 Feb, 2014
 
 
Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Custom Search module "alters the default
search box in many ways. If you need to have options available like in
advanced search, but directly in the search box, this module is for
you."  The Drupal Custom Search module
(https://drupal.org/project/custom_search) contains a persistent cross
site scripting (XSS) vulnerability due to the fact that it fails to
sanitize filter labels...


WordPress Js-Multi-Hotel 2.2.1 XSS / DoS / Disclosure / Abuse

3 April 2014 - Source: http://www.mondounix.com
Hello list!
 
There are multiple vulnerabilities in Js-Multi-Hotel plugin for WordPress. 
Earlier I wrote about two other vulnerabilities.
 
These are Abuse of Functionality, Denial of Service, Cross-Site Scripting 
and Full Path Disclosure vulnerabilities in the Js-Multi-Hotel plugin for 
WordPress. There are many more vulnerabilities in this plugin (including 
dangerous holes), so after these two advisories I'll write new advisories.
 
-------------------------
Affected products:
-------------------------
 
Js-Multi-Hotel 2.2.1 and previous versions are vulnerable.
 
-------------------------
Affected vendors:
-------------------------
 
Joomlaskin
http://www.joomlaskin.it
 
-------------------------
Affected...


WordPress XCloner 3.1.0 Cross Site Request Forgery

3 April 2014 - Source: http://www.mondounix.com
Advisory ID: HTB23206
Product: XCloner Wordpress plugin
Vendor: XCloner
Vulnerable Version(s): 3.1.0 and probably prior
Tested Version: 3.1.0
Advisory Publication:  March 12, 2014  [without technical details]
Vendor Notification: March 12, 2014 
Vendor Patch: March 13, 2014 
Public Disclosure: April 2, 2014 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-2340
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech...


WordPress Business Intelligence 1.0.6 Shell Upload

31 March 2014 - Source: http://www.mondounix.com
##############################################################################################
# Exploit Title   : wordpress plugin "wp-business-intelligence" Remote code execution exploit
# Exploit Author  : Manish Kishan Tanwar
# vendor Home     : www.wpbusinessintelligence.com
# Version Affected: 1.0.6
# Discovered At   : IndiShell LAB (indishell.in aka indian cyber army)
# Love to         : zero cool,Team indishell,Hardeep Singh
##############################################################################################
 
 
////////////////////////////////////
POC Remote code Execution
////////////////////////////////////
This plugin is vulnerable to a remote code execution exploit because of ofc_upload_image.php...


WordPress HTML Sitemap 1.2 Cross Site Request Forgery

31 March 2014 - Source: http://www.mondounix.com
Details
================
Software: WP HTML Sitemap
Version: 1.2
Homepage: http://wordpress.org/plugins/wp-html-sitemap/
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
 
Description
================
CSRF vulnerability in WP HTML Sitemap 1.2
 
Vulnerability
================
A CSRF vulnerability exists which allows an attacker to delete the 
sitemap if a logged-in admin user visits a link of the attacker’s choosing.
Line 202 of inc/AdminPage.php says “// check whether form was just 
submitted” but the following if/elseif statements only check whether a 
particular button was pressed without checking nonce values. The form in 
question is printed in wp_html_sitemap_AdminPage::createSitemapForm() 
around line 146...
