Showing posts with label singapore. Show all posts
Showing posts with label singapore. Show all posts

Saturday, 20 June 2015

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks



Domain Description:
http://www.weather.com/


"The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather.  Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather."

"As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives." (Wikipedia)
Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.


Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel's URLs. Then the scripts will be executed.


10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.


The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes. 
The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.














POC Codes, e.g.
http://www.weather.com/slideshows/main/"--/>"><img src=x onerror=prompt('justqdjing')>
http://www.weather.com/home-garden/home/white-house-lawns-20140316%22--/"--/>"><img src=x onerror=prompt('justqdjing')>t%28%27justqdjing%27%29%3E
http://www.weather.com/news/main/"><img src=x onerror=prompt('justqdjing')>





POC Video:




The Weather Channel has patched this Vulnerability in late November, 2014 (last Week).  "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.






Discovered by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)








More Details:


Posted by at No comments:
Labels: , , , , , , , , , , , , , , , ,

Wednesday, 17 June 2015

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability











GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

Domain: getpocket.com
"Pocket was founded in 2007 by Nate Weiner to help people save interesting articles, videos and more from the web for later enjoyment. Once saved to Pocket, the list of content is visible on any device — phone, tablet or computer. It can be viewed while waiting in line, on the couch, during commutes or travel — even offline. The world's leading save-for-later service currently has more than 17 million registered users and is integrated into more than 1500 apps including Flipboard, Twitter and Zite. It is available for major devices and platforms including iPad, iPhone, Android, Mac, Kindle Fire, Kobo, Google Chrome, Safari, Firefox, Opera and Windows." (From: https://getpocket.com/about)


Vulnerability Description:
Pocket has a computer cyber security bug problem. Hacker can exploit it by CSRF attacks.

 "Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application." (OWSAP)


Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.



Vulnerability Details:
The code programming flaw exists at "https://getpocket.com/edit/edit" page, i.e.https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

Vulnerable URL:
https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=


Use a website created by me for the following tests. The website is "http://itinfotech.tumblr.com/". Suppose that this website is malicious. If it contains the following link, attackers can post any message as they like.
<a href="https://getpocket.com/edit?url=http%3A%2F%2Fmake.wordpress.org%2Fcore%2F2014%2F01%2F15%2Fgit-mirrors-for-wordpress&title=csrf test">getpocket csrf test</a> [1]


When a logged victim clicks the link ([1]), a new item will be successfully saved to his/her "Pocket" without his/her notice. An attack happens.




Posted by at No comments:
Labels: , , , , , , , , , , , , , ,

Sunday, 14 June 2015

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities




CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities
Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1   v8.0
Tested Version: v7.1   v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]
CVE Reference: *
CXSecurity Reference: WLB-2015040034 
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Writer and Reporter: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)





Suggestion Details:


(1) Vendor & Product Description:


Vendor:
6kbbs

Product & Vulnerable Versions:
6kbbs
v7.1
v8.0

Vendor URL & download:
6kbbs can be gain from here,
http://www.6kbbs.com/download.html
http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/

Product Introduction Overview:
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user's preferred utility functions."

 "1, using XHTML + CSS architecture, so that the structure of the page, saving transmission static page code, but also easy to modify the interface, more in line with WEB standards; 2, the Forum adopted Cookies, Session, Application and other technical data cache on the forum, reducing access to the database to improve the performance of the Forum. Can carry more users simultaneously access; 3, the data points table function, reduce the burden on the amount of data when accessing the database; 4, support for multi-skin style switching function; 5, the use of RSS technology to support subscriptions forum posts, recent posts, user's posts; 6, the display frame mode + tablet mode, the user can choose according to their own preferences to; 7. forum page optimization keyword search, so the forum more easily indexed by search engines; 8, extension, for our friends to provide a forum for a broad expansion of space services; 9, webmasters can add different top and bottom of the ad, depending on the layout; 10, post using HTML + UBB way the two editors, mutual conversion, compatible with each other; ..."


(2) Vulnerability Details:
6kbbs web application has a computer cyber security bug problem. It can be exploited by CSRF (Cross-Site Request Forgery) attacks. This may allow an attacker to trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a separate CSRF attack or possibly other means, and executed in the context of their session with the application, without further prompting or verification.

 Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to csrf vulnerabilities.
(2.1) The first code programming flaw occurs at "/portalchannel_ajax.php?" page with "&id" and &code" parameters in HTTP $POST.

 (2.2) The second code programming flaw occurs at "/admin.php?" page with "&fileids" parameter in HTTP $POST.




Related Articles:
http://cxsecurity.com/issue/WLB-2015040034
http://lists.openwall.net/full-disclosure/2015/04/05/7
http://www.intelligentexploit.com/view-details.html?id=21071
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
https://www.mail-archive.com/fulldisclosure@seclists.org/msg01902.html
http://seclists.org/fulldisclosure/2015/Apr/13
http://www.tetraph.com/security/csrf-vulnerability/6kbbs-v8-0-csrf
http://essayjeans.blog.163.com/blog/static/237173074201551435316925/
https://itinfotechnology.wordpress.com/2015/04/14/6kbbs-crsf/
http://frenchairing.blogspot.fr/2015/06/6kbbs-crsf.html
http://tetraph.blog.163.com/blog/static/234603051201551444917365/
http://diebiyi.com/articles/security/6kbbs-v8-0-csrf
http://securityrelated.blogspot.com/2015/04/6kbbs-v80-multiple-csrf-cross-site.html
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-multiple-csrf
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-csrf










Posted by at No comments:
Labels: , , , , , , , , , , , , , , , ,

Tuesday, 12 May 2015

CVE-2015-2563 - Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities


















CVE-2015-2563 - Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities


Exploit Title: CVE-2015-2563 Vastal I-tech phpVID /groups.php Multiple Parameters SQL Injection Web Security Vulnerabilities
Product: phpVID
Vendor: Vastal I-tech
Vulnerable Versions: 1.2.3   0.9.9
Tested Version: 1.2.3   0.9.9
Advisory Publication: March 13, 2015
Latest Update: April 25, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: CVE-2015-2563 
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)






Direction Details:


(1) Vendor & Product Description:


Vendor:
Vastal I-tech



Product & Vulnerable Versions:
phpVID
1.2.3
0.9.9



Vendor URL & Download:
phpVID can be approached from here,
http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA



Product Introduction Overview: 
"phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy."

"The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a "single dedicated server". phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com."

"Server Requirements:
Preferred Server: Linux any Version
PHP 4.1.0 or above
MySQL 3.1.10 or above
GD Library 2.0.1 or above
Mod Rewrite and .htaccess enabled on server.
FFMPEG (If you wish to convert the videos to Adobe Flash)"





(2) Vulnerability Details:
phpVID web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other bug hunter researchers have found some SQL Injection vulnerabilities related to it before, too. phpVID has patched some of them.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpVID has patched some of them. "Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services." Openwall has published suggestions, advisories, solutions details related to important vulnerabilities.


(2.1) The first code programming flaw occurs at "&order_by" "&cat" parameters in "groups.php?" page.








Related Links:
http://packetstormsecurity.com/files/130754/Vastal-I-tech-phpVID-1.2.3-SQL-Injection.html
https://progressive-comp.com/?l=full-disclosure&m=142601071700617&w=2
http://seclists.org/fulldisclosure/2015/Mar/58
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1699
http://lists.openwall.net/full-disclosure/2015/03/10/8
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142601071700617&w=2
http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2563/
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551597501701&w=2
https://cxsecurity.com/issue/WLB-2015020091
https://www.facebook.com/permalink.php?story_fbid=935563809832135&id=874373602617823
http://t.qq.com/p/t/482410003538035
http://biboying.lofter.com/post/1cc9f4f5_6ee2aa5
http://mathpost.tumblr.com/post/118768553885/xingti-cve-2015-2563-vastal-i-tech-phpvid
http://essayjeans.lofter.com/post/1cc7459a_6ee4fcb
http://xingti.tumblr.com/post/118768481545/cve-2015-2563-vastal-i-tech-phpvid-1-2-3-sql
https://plus.google.com/113698571167401884560/posts/gftS84rfD3A
https://itswift.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/
https://www.facebook.com/essayjeans/posts/827458144012006
https://tetraph.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/
http://mathstopic.blogspot.com/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html
http://yurusi.blogspot.sg/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html
https://twitter.com/tetraphibious/status/598057025247907840
http://tetraph.blog.163.com/blog/static/23460305120154125453111/








Posted by at No comments:
Labels: , , , , , , , , , , , , , , , , , , ,

CVE-2015-2349 - SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities
















CVE-2015-2349 - SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities


Exploit Title: CVE-2015-2349 - SuperWebMailer /defaultnewsletter.php" HTMLForm Parameter XSS Web Security Vulnerabilities
Product: SuperWebMailer
Vendor: SuperWebMailer
Vulnerable Versions: 5.*.0.*   4.*.0.*
Tested Version: 5.*.0.*   4.*.0.*
Advisory Publication: March 11, 2015
Latest Update: May 03, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-2349
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)







Information Details:


(1) Vendor & Product Description:


Vendor:
SuperWebMailer



Product & Vulnerable Versions:
SuperWebMailer
5.60.0.01190
5.50.0.01160
5.40.0.01145
5.30.0.01123
5.20.0.01113
5.10.0.00982
5.05.0.00970
5.02.0.00965
5.00.0.00962
4.50.0.00930
4.40.0.00917
4.31.0.00914
4.30.0.00907
4.20.0.00892
4.10.0.00875


Vendor URL & Download:
SuperWebMailer can be gained from here,



Product Introduction Overview:
"Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing."

"To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm."

"It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant"





(2) Vulnerability Details:
SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. 


Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.

(2.1) The programming code flaw occurs at "&HTMLForm" parameter in "defaultnewsletter.php?" page.








Related Results:
http://seclists.org/fulldisclosure/2015/Mar/55
http://www.securityfocus.com/bid/73063
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2
https://cxsecurity.com/issue/WLB-2015030043
http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf
http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer
http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss
http://essaybeans.lofter.com/post/1cc77d20_6edf28c
https://www.facebook.com/essaybeans/posts/561250300683107
https://twitter.com/essayjeans/status/598021595974602752
https://www.facebook.com/pcwebsecurities/posts/687478118064775
http://tetraph.blog.163.com/blog/static/234603051201541231655569/
https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp
http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html
https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/
http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/
https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/
http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html







Posted by at No comments:
Labels: , , , , , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)