TP-LINK WDR4300 – Stored XSS & DoS

22 settembre 2014 - Fonte: http://www.mondounix.com
Advisory Information
===============
 
Vendors Contacted: TP-LINK
Vendor Patched: Yes, Firmware 140916
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others.
Versions Affected: 130617 , possibly earlier 
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728
 
 
Vulnerabilities Description
===================
 
# Stored XSS -
 
It is possible inject javascript code via DHCP hostname field, 
If the administrator will visit the dhcp clients page (web panel)
the script will execute.
 
# DoS (web server) -
Denial of service condition to the device web server, remotely or locally send the
device a "GET" request with an extra "Header" with a long value...

Leggi il seguito »

WordPress WooCommerce Reflected XSS

19 settembre 2014 - Fonte: http://www.mondounix.com
Details
================
Software: WooCommerce - excelling eCommerce
Version: 2.1.12
Homepage: http://wordpress.org/plugins/woocommerce/
Advisory report: 
https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
 
Description
================
Reflected XSS in WooCommerce – excelling eCommerce allows attackers ability to do almost anything an admin user can do
 
Vulnerability
================
An attacker able to convince a logged-in admin user to visit a link of their choosing (for instance via spearphishing) 
can execute arbitrary JavaScript within...

Leggi il seguito »

WatchGuard XTM 11.8.3 Reflected XSS (CVE-2014-6413)

19 settembre 2014 - Fonte: http://www.mondounix.com
I. VULNERABILITY
 
Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8.3
 
II. BACKGROUND
-------------------------
WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks
and the businesses they power.
 
III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in XTM WatchGuard.
The code injection is done through the parameter "poll_name" in the
page “/firewall/policy?pol_name=(HERE XSS)”
 
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “poll_name” correctly.
https://10.200.210.100:8080/network/dynamic_dns_config?intf=aaaa<scrip
t>alert(document.cookie)</script>
 
V....

Leggi il seguito »

MODX Revolution Reflected Cross-Site Scripting (XSS)

19 settembre 2014 - Fonte: http://www.mondounix.com
Advisory ID: HTB23229
Product: MODX Revolution
Vendor: MODX
Vulnerable Version(s): 2.3.1-pl and probably prior
Tested Version: 2.3.1-pl
Advisory Publication:  August 20, 2014  [without technical details]
Vendor Notification: August 20, 2014 
Vendor Patch: September 11, 2014 
Public Disclosure: September 17, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5451
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech...

Leggi il seguito »

WordPress Photo Album Plus 5.4.4 Cross Site Scripting

15 settembre 2014 - Fonte: http://www.mondounix.com
WP Photo Album Plus Security Vulnerabilities
 
Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
 
Set up:
Wordpress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: FireFox 31, Internet Explorer 8-11
 
Issue number 1: A Cross-Site Scripting (reflective) vulnerability.
Details:
The plugin echoes the value of  the http header “User-Agent” back to the client browser. Allowing un-sanitized java script to be inserted. 
 
Severity: Low
 
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent:...

Leggi il seguito »

LogAnalyzer 3.6.5 Cross Site Scripting

7 settembre 2014 - Fonte: http://www.mondounix.com
Author: Dolev Farhi @dolevff
Application: LogAnalyzer
Date: 8.2.2014
Tested on: Red Hat Enterprise Linux 6.4
Relevant CVEs: CVE-2014-6070
 
 
1. About the application
------------------------
LogAnalyzer is a web interface to syslog and other network event data. 
It provides easy browsing, analysis of realtime network events and 
reporting services.
 
 
2. Vulnerabilities Descriptions:
-----------------------------
It was found that an XSS injection is possible on a syslog server 
running LogAnalyzer version 3.6.5.
by changing the hostname of any entity logging to syslog server with 
LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary
syslog message, a client-side script...

Leggi il seguito »

Mpay24 prestashop payment module multiple vulnerabilities

7 settembre 2014 - Fonte: http://www.mondounix.com
 Mpay24 PrestaShop Payment Module Multiple Vulnerabilities
 
   - ·         Affected Vendor: Mpay24
   - ·         Affected Software: Mpay24 Payment Module
   - ·         Affected Version: 1.5 and earlier
   - ·         Issue Type: SQL injection and information disclosure
   - ·         Notification Date: 10 February 2014
   - ·         Release Date: 03 September 2014
   - ·         Discovered by: Eldar Marcussen
   - ·         Issue status: Patch available
 
Summary
 
BAE Systems Applied Intelligence researcher, Eldar Marcussen has identified
two high impact vulnerabilities in the Mpay24 payment module for the
Prestashop e-commerce solution.
 
“Mpay24 is the online-payment platform for e- and m-commerce...

Leggi il seguito »

Facebook Messenger / App MIME Sniffing Cross Site Scripting

7 settembre 2014 - Fonte: http://www.mondounix.com
I. VULNERABILITY
-------------------------
Reflected XSS Attacks vulnerabilities used MIME Sniffing in Facebook
Messenger and Facebook App for iOS.
 
II. BACKGROUND
-------------------------
Facebook is a social networks
 
III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability by MIME Sniffing.
The code injection is done through chat use send file.
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the contente of file send, only
valitation of extention.
Content of file face.jjjj:
<script src="https://www.dropbox.com/s/hp796og5p9va7zt/face.js?dl=1">
</script>
Content of file face.js:
alert("Alert XSS Chat send File Facebook...

Leggi il seguito »

Olat Stored Cross Site Scripting

7 settembre 2014 - Fonte: http://www.mondounix.com
# Affected software: //demo.olat.org/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: Stored XSS
# Author: Ankit Bharathan ,Provensec labs
# Description: Goto personal folder open any folder and create a new
document xss.tct
and then edit it fill field with "><img src=d
onerror=confirm(/provensec/);>
 
Then open folder and in new tab
example:
 
http://demo.olat.org/olat/auth/1%3A2%3A1001302707%3A6%3A0%3Aserv%3Ax/public/dddd.tct.html

(5)

...

Leggi il seguito »