Showing posts with label SPAS3C-WV.

Wednesday, 23 February 2011

:::SPAS3C-WV-006:::Multiple Vulnerabilities in Mozilla Sites



This is old stuff that I should have posted earlier: issues discovered in Mozilla websites several weeks ago.

  • bugzilla.mozilla.org: CSRF (saved searches).
  • creative.mozilla.org: CSRF (user profile).
  • developer.mozilla.org: Plain text password disclosure.
I will provide some details about them.

1. CSRF (saved searches) in bugzilla.mozilla.org

PoC: http://pastebin.com/63H2YtMd

Sec-Severity: Low/Medium


Description: The saved-searches feature of the Bugzilla user panel is not protected against CSRF, so an attacker could add arbitrary saved searches to a victim's account.

This vulnerability affects Bugzilla (the Mozilla Foundation's bug tracking system) versions <= 3.2.9, 3.4.9, 3.6.3 and 4.0rc1.
Reference: http://www.bugzilla.org/security/3.2.9/

Screenshot:

Fig.1: Launching the CSRF exploit


Fig.2: Exploit executed successfully

2. CSRF (user profile) in creative.mozilla.org

PoC: http://pastebin.com/0r1MyvVv

Sec-Severity: Critical

CVE: N/A

Description: The user profile could be modified through a CSRF attack.

Screenshot:

Fig.3: CSRF (user profile) in creative.mozilla.org
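Both CSRF issues above (the Bugzilla saved searches and the creative.mozilla.org profile) have the same root cause: a state-changing request is accepted on the strength of the session cookie alone, which the browser attaches to a cross-site form post automatically. The following is an added example, not Bugzilla or Mozilla code, of the synchronizer-token defence that closes this: a toy request/session model (constructed here, with SITE_ORIGIN assumed) showing a vulnerable handler next to a hardened one that requires a per-session, per-action token and, when present, a matching Origin header.

```python
"""Synchronizer-token CSRF defence, as an added illustration of the two
CSRF issues above (Bugzilla saved searches, creative.mozilla.org profile).
Stand-alone toy model, not Bugzilla or Mozilla code; the request and
session objects are constructed here and SITE_ORIGIN is assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://bugzilla.example"   # assumed origin of the application


@dataclass
class Session:
    user: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Only the parts of an HTTP request this example needs."""
    session: Optional[Session]      # resolved from the session cookie
    form: dict                      # POST body (or query string) parameters
    origin: Optional[str] = None    # Origin header, if the browser sent one


def csrf_token(session: Session, action: str) -> str:
    """Token bound to the session and to the form it protects (per action)."""
    return hmac.new(session.csrf_secret.encode(), action.encode(),
                    hashlib.sha256).hexdigest()


def vulnerable_save_search(req: Request, store: dict) -> bool:
    """Accepts any authenticated request: an auto-submitting form on an
    attacker's page, carrying the victim's cookie, adds a saved search."""
    if req.session is None:
        return False
    store.setdefault(req.session.user, []).append(req.form["query"])
    return True


def hardened_save_search(req: Request, store: dict) -> bool:
    if req.session is None:
        return False
    # 1. If the browser sent an Origin header it must be our own origin.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    # 2. The form must carry the per-session, per-action token.
    expected = csrf_token(req.session, "save_search")
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False
    store.setdefault(req.session.user, []).append(req.form["query"])
    return True


def demo() -> dict:
    """Replays a forged cross-site POST and a legitimate one against both."""
    victim = Session(user="victim")
    forged = Request(session=victim,                 # cookie rides along
                     form={"query": "attacker=1"},   # attacker-chosen search
                     origin="https://evil.example")
    legit = Request(session=victim,
                    form={"query": "assignee=me",
                          "csrf_token": csrf_token(victim, "save_search")},
                    origin=SITE_ORIGIN)
    v_store, h_store = {}, {}
    return {
        "vuln_accepts_forged": vulnerable_save_search(forged, v_store),
        "hard_rejects_forged": not hardened_save_search(forged, h_store),
        "hard_accepts_legit": hardened_save_search(legit, h_store),
        "hard_store": h_store,
    }


if __name__ == "__main__":
    print(demo())
```

The token is derived per action, so a token leaked from one form (say, the profile editor) does not authorise another (saving a search), and the Origin check is only a second layer: a forged request without an Origin header is still rejected because it cannot carry the token.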

3. Plain text password disclosure in developer.mozilla.org

PoC: register at developer.mozilla.org and then check your mail: the site sends your password back in plain text.

Sec-Severity: High

CVE: N/A

Description: MDC (the Mozilla Developer Center) e-mailed the account password in plain text.

Screenshot:


Fig.4: Plain text password disclosure

And yep, my MDC password contains an "e".
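A site that can put your password in an e-mail still has the cleartext at that point, which is the real problem. The following is an added example, not Mozilla code, of the registration flow MDC should have used: the password is hashed with a per-user salt and never leaves the server, and what gets e-mailed is a single-use, expiring activation link. The mailer is a list that collects messages, and the activation URL host and PBKDF2 work factor are assumptions.

```python
"""Registration flow that never stores or e-mails the cleartext password.
Added illustration of what the MDC issue above should look like; not
Mozilla code. The "mailer" is a list that collects messages, and the
activation URL host and the PBKDF2 work factor are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple

PBKDF2_ITERATIONS = 200_000          # assumed work factor; tune to hardware
TOKEN_LIFETIME = 3600                # seconds an activation link stays valid


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class UserStore:
    def __init__(self, outbox: List[dict],
                 now: Callable[[], float] = time.time):
        self.users: Dict[str, dict] = {}
        self.tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expiry)
        self.outbox = outbox
        self.now = now

    def register(self, email: str, password: str) -> str:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest, "verified": False}
        # Only a hash of the one-time token is kept, so a database leak does
        # not hand out usable activation links either.
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (email, self.now() + TOKEN_LIFETIME)
        self.outbox.append({"to": email,
                            "body": "Activate your account: "
                                    f"https://site.example/activate?t={token}"})
        return token

    def activate(self, token: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)             # single use
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        self.users[email]["verified"] = True
        return True

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        return bool(rec and rec["verified"]
                    and verify_password(password, rec["salt"], rec["digest"]))
```

Password resets work the same way: send a fresh one-time token, never the password, and if the original is lost it cannot be recovered from the hash, which is the point.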

The Mozilla security team fixed these issues quickly.
That's all. Be safe ;)

Friday, 6 August 2010

:::SPAS3C-WV-005:::Vulnerability in Joomla! Core (Back-end) <= 1.5.19



About two months ago, I found several vulnerabilities in Joomla! <= 1.5.19, and these are my advisories. This one was published in the Joomla! Security Center: here

  • Project: Joomla!
  • Severity: Medium
  • Versions: 1.5.19 and all previous 1.5 releases
  • Exploit type: XSS Injection
  • Reported Date: 2010-June-8

The back-end was vulnerable to XSS/HTML code injection: the GET variable "menutype", used by the core component "com_menus", was reflected into the page without encoding, so a double quote in it closes the attribute it lands in (see the PoC below). Since the page lives under /administrator/, the victim has to be logged in to the back-end when the link is opened.

Proof-of-Concept:

http://[HOST]/[JOOMLA-PATH]/administrator/index.php?option=com_menus&task=view&menutype=mainmenu%22%20onmouseover=%22alert%28%27Discovered%20by%20Jose%20A.%20Vazquez%27%29;

Some screenshots:


Fig.1: XSS triggered in Joomla! Back-end



Fig.2: Code injected.

Be safe ;)

Monday, 5 July 2010

:::SPAS3C-WV-004:::Session Hijacking in Steam WebSite




About two months ago, my little girl gave me a great birthday present: Call of Duty: Modern Warfare 2 (I <3 C0D).
Many minutes of play later, I decided to check the security of the Steam website, and I got very interesting results.

The website was vulnerable to XSS/HTML injection, which could be exploited to steal users' cookies. I made a PoC showing how to trigger the vulnerability from any browser (where XSS was possible) or through the "steam" URI scheme (steam://openurl/), since Steam uses its own internal browser.

The "Steam browser" had (and still has) some limitations:
  • It doesn't allow changing the URL -> the solution was the URI scheme.
  • It has a URL length restriction -> the solution was to load a malicious JS file hosted elsewhere.
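Cookie theft through XSS only works when the session cookie is readable from script. The check below is an added example, not Steam's code: it parses Set-Cookie headers and reports session cookies missing HttpOnly (which keeps them out of document.cookie) or Secure (which keeps them off plain HTTP). The headers are constructed samples, not captured from Steam, and the list of session cookie names is an assumption.

```python
"""Audit of Set-Cookie headers for the two flags that limit what a cookie-
stealing XSS payload can reach. Added check, not Steam's code; the headers
are constructed samples and the session cookie names are an assumption."""
from http.cookies import SimpleCookie
from typing import List

SESSION_COOKIE_NAMES = {"sessionid", "steamlogin", "phpsessid"}   # assumed

SAMPLE_HEADERS = [                                                 # constructed
    "sessionid=9f2a1c; Path=/; HttpOnly; Secure",
    "steamLogin=7656119800000000; Path=/",      # readable by injected script
    "timezoneOffset=3600; Path=/",              # not a session cookie
]


def audit_set_cookie(header: str) -> dict:
    """Returns the cookie name, whether it looks like a session cookie, and
    which protective flags are missing."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()        # one cookie per Set-Cookie header
    missing = [flag for flag, key in (("HttpOnly", "httponly"),
                                      ("Secure", "secure"))
               if not morsel[key]]      # Morsel stores True when the flag is set
    return {"name": name,
            "session": name.lower() in SESSION_COOKIE_NAMES,
            "missing": missing}


def stealable(headers: List[str]) -> List[str]:
    """Session cookies an XSS payload could read through document.cookie."""
    return [r["name"] for r in map(audit_set_cookie, headers)
            if r["session"] and "HttpOnly" in r["missing"]]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h))
    print("stealable:", stealable(SAMPLE_HEADERS))
```

HttpOnly does not stop the injected script from making authenticated requests on the victim's behalf from inside the page, so it limits the blast radius (no offline session reuse) rather than fixing the XSS.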

Fig.1: Triggering one simple PoC.


Fig. 2: Session Hijacking PoC.

I also recorded a video showing how the issue could be exploited.
Watch in youtube: here

I made my game more secure, but the Steam website security team didn't give me a present like a nice new game.

Be safe ;)

Wednesday, 23 June 2010

:::SPAS3C-WV-003:::Google IO XSS/HTML Injection Vulnerability



This post is about a bug discovered in the Google I/O site (XSS/HTML injection).

Risk: Medium

"Google I/O brings together thousands of developers for two days of deep technical content, focused on building the next generation of web, mobile, and enterprise applications with Google and open web technologies such as Android, Google Chrome, Google APIs, Google Web Toolkit, App Engine, and more."

Source: here

The GET variable "error" was vulnerable to XSS/HTML code injection, although some tags and JavaScript events were filtered to make exploitation harder.
I also noticed, viewing the page source, that the error variable triggered a SQL error, so I tried a SQL injection, but it didn't work.

Proof of concept:

Indirect, needs user interaction (JavaScript event onmouseout) -> https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ca%20href=%22http://www.malware.es%22%20onmouseout=%22alert%281%29%22%3EHOLA%20GOOGLE%3C/a%3E


Fig.1: XSS (Indirect) and HTML Injection.

Direct, no user interaction needed (JavaScript event onerror) -> https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ch1%3E%3Cimg%20src=%22pepe.jpg%22%20onerror=%22alert%281%29%22%3EHI%20GOOGLE%20SECURITY%20TEAM%20I%27M%20%20ONLY%20TESTING%3C/a%3E%3C/h1%3E


Fig.2: XSS (Direct) and HTML Injection.
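The Joomla! "menutype" payload in the previous post and the two Google I/O "error" payloads here work the same way: the value lands inside a double-quoted HTML attribute, a bare `"` closes it, and whatever follows is parsed as new attributes or new tags. Filtering a list of tags and event names, as the I/O site did, does not change that. The following is an added example, not code from either site: a constructed `<input value="...">` template and a constructed blacklist (which tags and events the real site filtered is not known from the post) rendered with the posts' own payloads, plus a small HTML-tokenizer audit that reports what actually escaped the attribute, and the contextual encoding that stops all three.

```python
"""Why the Joomla! "menutype" and Google I/O "error" payloads above work,
and what stops them. Added example, not code from either site: the
<input value="..."> template and the blacklist filter are constructed
stand-ins for what the two posts describe."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The posts' own payloads, URL-decoded. Each lands inside a double-quoted
# attribute and starts by closing it with a bare double quote.
JOOMLA = unquote("mainmenu%22%20onmouseover=%22alert%28%27Discovered%20by%20"
                 "Jose%20A.%20Vazquez%27%29;")
GOOGLEIO_INDIRECT = unquote("36%22%3E%3Ca%20href=%22http://www.malware.es%22"
                            "%20onmouseout=%22alert%281%29%22%3EHOLA%20GOOGLE%3C/a%3E")
GOOGLEIO_DIRECT = unquote("36%22%3E%3Ch1%3E%3Cimg%20src=%22pepe.jpg%22%20onerror="
                          "%22alert%281%29%22%3EHI%20GOOGLE%20SECURITY%20TEAM%20I%27M"
                          "%20%20ONLY%20TESTING%3C/a%3E%3C/h1%3E")

# Constructed blacklist: strips <script> tags and two event names, nothing
# else. This is the approach that does not work.
BLACKLIST = re.compile(r"<\s*/?\s*script[^>]*>|on(?:load|click)\s*=", re.I)


def naive_filter(value: str) -> str:
    return BLACKLIST.sub("", value)


def render_vulnerable(value: str) -> str:
    return f'<input type="text" name="param" value="{naive_filter(value)}">'


def render_hardened(value: str) -> str:
    # quote=True also turns " and ' into entities; that is what keeps the
    # value inside the attribute whatever else it contains.
    return f'<input type="text" name="param" value="{html.escape(value, quote=True)}">'


class _Audit(HTMLParser):
    """Records the tags and attribute names a tokenizer actually sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def injected(markup: str) -> dict:
    """Anything beyond the one <input> and its static attributes means the
    value escaped its attribute: new tags, or on* event handlers."""
    audit = _Audit()
    audit.feed(markup)
    return {"extra_tags": [t for t in audit.tags if t != "input"],
            "handlers": [a for a in audit.attrs if a.startswith("on")]}


if __name__ == "__main__":
    for payload in (JOOMLA, GOOGLEIO_INDIRECT, GOOGLEIO_DIRECT):
        print("blacklist:", injected(render_vulnerable(payload)))
        print("encoded:  ", injected(render_hardened(payload)))
```

The encoding has to match the context the value is written into (here an HTML attribute); a value echoed into a JavaScript string or a URL needs a different escape, which is why the filter-the-input approach keeps failing.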

Be safe ;)

Wednesday, 9 June 2010

:::SPAS3C-WV-002:::Google App (Ventures) BSQLi Vulnerability



One month ago, I found several vulnerabilities in Google's sites.

All of these issues have been fixed, and I want to say that the Google Security Team did a good job and fixed them quickly.

All issues were discovered between 4 May and 9 May (2010, of course).

This issue is the most important in my opinion: Blind SQL Injection in googleventures.com

Risk: High

Google Ventures is Google’s venture capital arm.

We do primarily three things:
  1. Seek out the most innovative and interesting entrepreneurs and companies we can find
  2. Perform in-depth due diligence and invest in those we are most excited about
  3. Do everything we can to help those companies succeed
We invest for financial return, across all sectors and in all stages of a company’s growth. We are particularly interested in areas where access to our team, facilities, technology or other resources can help a company become more successful, but we do not limit our investments to those of strategic interest to Google – we look for companies and people that have the best opportunity to create significant, disruptive and innovative ventures.

Source: here

The site was built with PHP+MySQL (at least in part), and the GET variable "jobid" was vulnerable to SQL injection.

Proofs of concept (finding the MySQL version):

Returns 1=1 (true), so the MySQL major version is 5:

Link PoC -> http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=5,1,0)=1--


Fig. 1: BSQLi. True result.

Returns 1=0 (false), so the MySQL major version isn't 4:

Link PoC -> http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=4,1,0)=1--


Fig. 2: BSQLi. False result.

I also tried a UNION SELECT based injection, but it didn't work.


Fig. 3: Trying SQL Injection "Union Select". MySQL error.

I didn't want to go further, as I considered this enough.

Be safe ;)

Saturday, 8 May 2010

:::SPAS3C-WV-001::: Multiple Vulnerabilities in ILIAS 4.0.3


== BRIEFING ==

ILIAS is an LMS (Learning Management System) created by a German
university. It's used by universities, schools and high schools around the world.
This document is the advisory sent to the ILIAS security team, so it is written in the present tense.
Personally, I've worked with this team before and vulnerabilities were patched quickly, but this release took almost two months. Anyway, I think that was a one-off.

The examples were tested against my old university. I had already graduated XD.

I know my English is :( but it was good enough to help.

Credits given: 4.0.5 Release Notes


TITLE: MULTIPLE VULNERABILITIES IN ILIAS 4.0.3 (2010-01-26)
AUTHOR: JOSÉ A. VÁZQUEZ GONZÁLEZ
IMPACT: COOKIE STEALING AND MORE (MULTIPLE)
DISCOVERED DATE: 2010-02-19

== DISCLAIMER ==

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


== FIRST: SIMPLE BUG (NOT INJECTABLE) ==

Risk: Low


Using the "tag" GET variable we can close an HTML comment, but XSS or HTML injection is not possible here, so this is just a simple bug.


-> Issue in [BUG]



Fig. 1: Simple bug.

This is the HTML source code returned:

... --> &#" id="block_pdcontent_0_blimg" /> -->

We used the end-of-comment tag (-->).

Anyway, HTML tags are restricted, so this isn't exploitable as HTML or XSS injection.


== SECOND: XSS OR HTML INJECTION (PERSISTENT) ==

Risk: Medium


Changing Personal Information, set Street, City and Country to:

XSS by J. A. Vazquez " onmouseover="alert('J.A. Vazquez');//

Save the changes.


When you move the mouse over the input tag whose value is "XSS by J. A. Vazquez", the XSS is triggered.


Fig. 2: XSS triggered.

Note: this XSS is persistent, in an event handler, but it only affects my own account. Therefore it's medium risk.


== THIRD: XSS OR HTML INJECTION (PERSISTENT) ==

Risk: High



Change the department parameter to:

");alert('XSS by J.A. Vazquez');//

Saving the changes, we bypass the CDATA protection (the payload closes the JavaScript string and the call it sits in)...

Now go to Public Profile and set "Department" as visible.

Then go to Location and set "show in personal profile".

Now, if a user visits our profile, he can be owned by the XSS attack.



Fig. 3: Direct and Persistent XSS

Note: this XSS could probably be reproduced with other variables (any of the location ones, e.g. city, street or view; not tested). It is persistent and doesn't need a JavaScript event to trigger: it fires on page load.
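This third issue is a different injection context from the attribute-based ones: the department value is written into a JavaScript string literal inside an inline script, and the CDATA wrapper is meaningless to the JavaScript engine. The following is an added illustration, not ILIAS code: a constructed setDepartment() template rendered with the advisory's payload, a small statement counter (a scanner sufficient for this template, not a JavaScript parser) that shows the payload turning one statement into two, and JSON-based encoding of the string literal, which keeps it at one.

```python
"""The department payload above ends a JavaScript string literal and the
call it sits in, then comments out the rest of the line. Added
illustration, not ILIAS code: the setDepartment() template and the
statement counter are constructed stand-ins."""
import json

PAYLOAD = "\");alert('XSS by J.A. Vazquez');//"          # from the advisory


def script_vulnerable(department: str) -> str:
    """Inline script body: value dropped straight into a string literal."""
    return ("//<![CDATA[\n"
            f'setDepartment("{department}");\n'
            "//]]>")


def js_string_literal(value: str) -> str:
    """JSON encoding gives a valid JS string literal with quotes, backslashes
    and U+2028/U+2029 escaped; '</' is escaped as well so the value can
    never close the enclosing <script> element early."""
    return json.dumps(value).replace("</", "<\\/")


def script_hardened(department: str) -> str:
    return ("//<![CDATA[\n"
            f"setDepartment({js_string_literal(department)});\n"
            "//]]>")


def count_statements(js: str) -> int:
    """Counts ';'-terminated statements outside string literals and //
    comments. Enough for this template, not a JavaScript parser."""
    count, pending, quote, i = 0, 0, None, 0
    while i < len(js):
        ch = js[i]
        if quote:                               # inside a string literal
            if ch == "\\":
                i += 2                          # skip the escaped character
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in "\"'":
            quote = ch
            pending += 1
        elif js.startswith("//", i):            # line comment to end of line
            nl = js.find("\n", i)
            i = len(js) if nl == -1 else nl
            continue
        elif ch == ";":
            count += 1 if pending else 0
            pending = 0
        elif not ch.isspace():
            pending += 1
        i += 1
    return count + (1 if pending else 0)


if __name__ == "__main__":
    print(script_vulnerable(PAYLOAD), count_statements(script_vulnerable(PAYLOAD)))
    print(script_hardened(PAYLOAD), count_statements(script_hardened(PAYLOAD)))
```

The same value, when it is also printed into HTML elsewhere on the profile page, needs HTML entity encoding there: one stored value, one encoding per output context.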


== FOURTH: XSS OR HTML INJECTION (PERSISTENT) ==

Risk: Medium

Go to the bookmarks section and create a folder, then add a new bookmark in that folder with:

Title: Nice XSS by J.A. Vazquez
Description: Nice XSS by J.A. Vazquez
URL: aa" onmouseover="alert('Creado por J.A. Vazquez!');


Fig. 4.1: XSS in bookmark. Location 1.


Fig. 4.2: XSS in bookmark. Location 2.

Note: this XSS only affects the user's own account. It's triggered from a JavaScript event and can be reproduced in two different locations.


== FIFTH: ARBITRARY SESSION_ID INSERTION ==

Risk: Medium

The TinyMCE plugin has some vulnerabilities.


Use your PHPSESSID as [SESSION_ID].


An MDB2 (MySQL) error is displayed.


Fig. 5.1: SQL error.


But if we put any value in session_id, that value is stored. I tried a SQL injection attack, but it's not reachable.


Fig. 5.2: Session_id corrupted in DB.

== SIXTH: DIRECTORY TRAVERSAL VULNERABILITY ==

Risk: High

The TinyMCE plugin is vulnerable to directory traversal.

Go to -> http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=6&session_id=%&client_id=test_403/../../../&obj_type=frm


Fig. 6: Denial Of Service using DT.

Note: tested only on localhost because the server could be DoSed (denial of service); it depends on the script execution time.
By the way, Local File Inclusion (LFI) or Remote File Inclusion (RFI) is not possible (in this case, the "client_id" variable is used to load image titles, etc.).
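The fifth and sixth issues are both unvalidated parameters of the same script: session_id is stored whatever it contains, and client_id is joined into a filesystem path, so "test_403/../../../" walks out of the client directory. The following is an added illustration, not ILIAS code, of handling both before they reach the database or the filesystem: an alphabet check on session_id (the pattern is PHP's default session-id character set and length range, assumed here) and an allowlist plus realpath confinement on client_id. BASE_DIR is assumed.

```python
"""Hardened handling of the two imagemanager.php parameters above. Added
illustration, not ILIAS code; BASE_DIR and the session-id pattern are
assumptions."""
import os
import re

BASE_DIR = "/srv/ilias/data"                            # assumed
SESSION_ID = re.compile(r"[0-9A-Za-z,-]{22,256}")       # assumed PHP sid alphabet
CLIENT_ID = re.compile(r"[A-Za-z0-9_]+")                # allowlist, no separators


def valid_session_id(value: str) -> bool:
    """Rejects '%', quotes, spaces and anything else before the value is
    stored or used in a query."""
    return SESSION_ID.fullmatch(value) is not None


def resolve_client_dir(client_id: str, base: str = BASE_DIR) -> str:
    """Two layers: an allowlist on the value itself, then a realpath check
    that the result is still under base (catches symlink tricks and any
    future relaxation of the allowlist)."""
    if CLIENT_ID.fullmatch(client_id) is None:
        raise ValueError(f"client_id rejected: {client_id!r}")
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, client_id))
    if os.path.commonpath([real_base, target]) != real_base:
        raise ValueError("client_id escapes the base directory")
    return target


def handle_request(params: dict) -> dict:
    """What the script should do with the advisory's PoC query string."""
    if not valid_session_id(params.get("session_id", "")):
        return {"status": 400, "error": "bad session_id"}
    try:
        path = resolve_client_dir(params.get("client_id", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "client_dir": path}


if __name__ == "__main__":
    poc = {"obj_id": "6", "session_id": "%",
           "client_id": "test_403/../../../", "obj_type": "frm"}
    print(handle_request(poc))
    print(handle_request({"session_id": "b" * 32, "client_id": "test_403"}))
```

Rejecting the traversal up front also removes the DoS angle noted above: the script never starts walking a directory tree it was not meant to read.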

== CREDITS ==

The author of this advisory is independent security researcher José A. Vázquez González. Copyright © 2010 José Antonio Vázquez González.


That's all. Be safe ;)