The hacker Reckz0r, who recently breached the CNN website, has identified a POST-based SQL injection vulnerability in the Twitter support page.
The 'Referrer' parameter of the api_general form at support.twitter.com is vulnerable to SQLi.
Although the vulnerability would allow an attacker to extract confidential data from Twitter, the hacker says he did not engage in any malicious activity because he does not want his account suspended.
The screenshot provided by the hacker:

" vulnerability lies in http://support.twitter.com/forms/submitted?regarding=api_general - You see, there might be dozens of vulnerabilities lying in support.twitter.com. We can inject hidden boxes in this kind of atmosphere. " hacker said.
A critical vulnerability (CVE-2013-3336) has been identified in Adobe ColdFusion, a commercial rapid web application development platform. The flaw allows attackers to remotely retrieve files stored on the server.
ColdFusion 10, 9.0.2, 9.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX are affected.
Adobe in their security advisory warns that the vulnerability is already being exploited in the wild.
The company is in the process of finalizing a fix for this bug and expects it to be available on May 14, 2013.
In the meantime, the company offered a mitigation for this issue. Users can protect themselves by restricting public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories.
Brazilian Navy and Pakistan Army websites have been found to be affected by SQL injection vulnerabilities. The hacker tweeted links to the proofs of concept (http://sprunge.us/ZUHM, sprunge.us/ZdKY, sprunge.us/CJGO).
The vulnerabilities exist in the Navy Board of Historic & Documentation (biblioteca.dphdm.mar.mil.br), the Department of Distance Education (ead.densm.mar.mil.br) and the Pakistan Army (www.pakistanarmy.gov.pk).
The POCs expose target database details including the database name, database version and table names.
The same hacker hacked into the Royal Thai Navy website yesterday and leaked login information from its database.
It seems that 2013 is the "Data Leakage Year": a great deal of customer information and confidential data from government institutions, well-known vendors and companies has been published on the internet.
Ebrahim Hegazy (@Zigoo0), an Egyptian information security advisor who found a high-severity vulnerability in the Avira license daemon a few days ago, is in the news again, this time for finding and reporting a blind SQL injection vulnerability in one of Yahoo!'s e-marketing applications. SQL injection vulnerabilities are ranked as critical because, if exploited, they lead to a database breach and leakage of confidential information.
A time-based blind SQL injection vulnerability was detected in the official Yahoo! TW YSM Marketing application service. It allows remote attackers to inject their own SQL commands, breach the application's database and get access to user data.
The vulnerability is located in the index.php file of the soeasy module when it processes a manipulated scId parameter. By tampering with scId an attacker can inject SQL commands and compromise the application's DBMS.
It can be exploited by remote attackers without a privileged application user account and without user interaction. Successful exploitation results in compromise of the application and its database.
Ebrahim is a white-hat hacker, so he reported the vulnerability to the Yahoo! security team along with recommendations on how to patch it.
According to Ebrahim, the time line of the vulnerability was:
================
2013-02-24: Researcher Notification & Coordination
2013-02-25: Vendor Notification
2013-03-01: Vendor Response/Feedback
2013-04-01: Vendor Fix/Patch by check
================
More details about the vulnerability could be found here:
http://www.resecure.me/public/Yahoo-TW-YSM-BSQLI.txt
As most readers know, Yahoo! does not have a bug bounty program or a hall of fame, so as a reward to researchers who find vulnerabilities in its applications it sends them T-shirts with the Yahoo! logo and other tokens. The researcher told us that he received a package from Yahoo! containing two T-shirts and a big cup as a reward.
Just a few weeks ago Nir Goldshlager disclosed an OAuth vulnerability in Facebook. Security researcher Amine Cherrai has found a similar vulnerability in Facebook that allowed attackers to obtain the access_token, with full permissions, of any account.
"As you may know, last month Facebook closed many bugs, leading to security reinforcement of the 'redirect_uri' parameter to prevent hijacking attacks. One of these reinforcements was rejecting all 'redirect_uri' values that contain '#' or '#!'," the researcher wrote in his blog.
"While I was looking in the Facebook Javascript SDK I found something strange: I found that it uses http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c& as a redirect_uri and it's not rejected... So I said let's use it too!!!"
Amine successfully built a PoC that redirects to another Facebook page with the access token, but he ran into problems when redirecting to an external website.
Nir Goldshlager helped Amine by suggesting that he redirect to a Facebook application which then redirects to an external website, instead of redirecting directly to the external site. After following Nir Goldshlager's instructions, he successfully generated a final redirect_uri.
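The class of bug described above comes down to how the authorization server compares the redirect_uri it receives with the one the application registered. The check below is an added example written for this article, not Facebook's code; the registered URI, the function name and the sample inputs are assumptions. It refuses any value carrying a fragment (the '#' restriction the researcher mentions), insists on an exact match against the registered list rather than a prefix match, and shows that the SDK URL quoted above would fail on both counts.

```python
from urllib.parse import urlsplit

# Assumption: the client registered exactly these redirect URIs with the provider.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def validate_redirect_uri(candidate: str) -> tuple:
    """Return (accepted, reason) for a redirect_uri presented in an OAuth request.

    Checks run from cheapest to strictest; the first failure wins.
    """
    # A fragment can carry the token to a page the client never registered, so
    # '#' is refused anywhere in the string rather than trusting urlsplit alone.
    if "#" in candidate:
        return False, "fragment ('#') not allowed in redirect_uri"

    parts = urlsplit(candidate)
    if parts.scheme != "https":
        return False, "redirect_uri must use https"
    if parts.username or parts.password:
        return False, "userinfo component not allowed"

    # Exact string comparison: no prefix matching, no path or query tolerance.
    # Prefix matching is what lets an open redirector on a registered host, or a
    # path like /callback/../admin, be used to catch the token.
    if candidate not in REGISTERED_REDIRECT_URIS:
        return False, "redirect_uri is not an exact match for a registered URI"
    return True, "ok"


def main() -> None:
    # Constructed inputs: one legitimate value, then variations an attacker might try.
    samples = [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback#access_token=leak",
        "https://app.example.com/oauth/callback/../admin",
        "https://app.example.com.evil.net/oauth/callback",
        "http://app.example.com/oauth/callback",
        # The SDK URL quoted in the article: a fragment check alone rejects it.
        "http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24",
    ]
    for uri in samples:
        accepted, reason = validate_redirect_uri(uri)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {uri}  ({reason})")


if __name__ == "__main__":
    main()
```

The exact-match rule is the important one: a whitelist that tolerates extra path or query components turns every open redirector on the whitelisted host into a token-stealing endpoint, which is the shape of the problem the two researchers exploited.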
POC video
Facebook has learnt from its previous lessons and now fixes vulnerabilities as soon as they are reported; this vulnerability has already been fixed.
"As you may know, last month Facebook has closed many bugs leading to security reinforcement of 'redirect_uri' parameter and prevent hijacking attacks. One of these reinforcement were rejecting all 'redirect_uri' that has '#' or '#!'." Researcher wrote in his blog.
"While I was looking in the Facebook Javascript SDK I found something strange, I found that it uses http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&” as aredirect_uri and it’s not rejected… So I said let’s use it too!!!"
Amine successfully generated a poc that redirects to another facebook page with the access token. But he faced some problem while redirecting to external website.
Nir Goldshlager helped Amine by suggesting to redirect to an application in facebook then the application redirects to an external website instead of redirecting directly to an external website. After following the instructions from Nir Goldshlager, he successfully manged to generate a final redirect_uri.
POC video
Facebook has learnt from its previous lessons and is now fixing vulnerabilities as soon as somebody reports them,this Vulnerability has already been fixed.
Information security researchers Parveen Yadav and Mayank Bhatodra have identified a critical security flaw in an Adobe website that exposes sensitive internal data of Adobe Systems Inc.
Adobe uses an application called P4Web, which provides convenient access to Perforce-versioned files through popular web browsers. Files can be viewed as icons or thumbnails, and all standard operations can be performed in the browser.
Unfortunately, Adobe failed to restrict who can reach the Perforce P4Web client, so the internal data is exposed to anyone who knows the URL.
For security reasons we are not publishing the vulnerable link here. The URL allowed us to read internal data including employees' email IDs and full names. It also exposes internal system directory and computer names, and source code.
"An application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly," the researchers said.
The researchers notified Adobe a few months ago but received no response. We have also notified Adobe about the vulnerability, with no response from their side so far.
German security researchers have discovered that freezing an Android phone allows attackers to access encrypted data stored on the phone.
The encryption in question was introduced by Google in the Android version "Ice Cream Sandwich".
The researchers bypassed it by freezing the smartphone for an hour.
"Quickly connecting and disconnecting the battery of a frozen phone forced the handset into a vulnerable mode. " According to BBC report.
"This loophole let them start it up with some custom-built software rather than its onboard Android operating system."
The attack allowed the researchers to access the encrypted contact lists, browsing histories and photos.
For more information:
https://www1.informatik.uni-erlangen.de/frost
Following the partial lock screen bypass in the Galaxy Note II, a new security flaw has been discovered that allows anyone with physical access to completely bypass the lock screen on the Samsung Galaxy S3.
The bug was discovered by Sean McMillan and posted as a full disclosure on the Seclists mailing list.
The instructions provided by McMillan for bypassing the lock screen on the Galaxy S3:
1) On the code entry screen press Emergency Call
2) Then press Emergency Contacts
3) Press the Home button once
4) Just after pressing the Home button, press the power button quickly
5) If successful, pressing the power button again will bring you to the S3's home screen
McMillan said that it can "take quite a few attempts to get this working, sometimes this method works straight away, other times it can take more than 20 attempts."
Information security researcher Sukhwinder Singh has identified a critical security flaw in one of the top support ticket systems, the one provided by Zendesk.
The title field is vulnerable to persistent cross-site scripting. The researcher managed to create a ticket with the title: "><script>alert(/Sukhwinder Singh/)</script>.
Although the application encodes the title when rendering it in the page body, it stores the raw title in the database.
The title is encoded every time it is displayed in the page. Unfortunately, the developers failed to encode the special characters before placing the title in the data-text attribute of the Twitter button code, so the leading "> closes the attribute and the rest of the title is rendered as markup.
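The failure described above is a context problem: treatment that is adequate for HTML body text is not adequate for an attribute value. The following is an added example written for this article, not Zendesk's code; the rendering functions, the naive sanitizer and the sample payload are assumptions. It puts a tag-stripping sanitizer, which looks safe in the body but is broken out of inside data-text, beside the context-aware encoding that fixes it, and uses the standard library's HTML parser to judge what a browser would see.

```python
import html
import re
from html.parser import HTMLParser

# A naive sanitizer of the kind often applied to user input: it drops complete
# tags and any stray angle brackets, and nothing else (assumption for this example).
_TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    return _TAG_RE.sub("", value).replace("<", "").replace(">", "")


def twitter_button_vulnerable(title: str) -> str:
    """Render the ticket title and share button the way the article describes:
    tag stripping is applied, then the same string goes into data-text."""
    shown = strip_tags(title)
    return (
        f"<h1>{shown}</h1>\n"
        f'<a href="https://twitter.com/share" class="twitter-share-button" '
        f'data-text="{shown}">Tweet</a>'
    )


def twitter_button_safe(title: str) -> str:
    """Same markup with context-aware output encoding: html.escape(quote=True)
    turns & < > " and ' into entities, so a quote cannot end the attribute."""
    return (
        f"<h1>{html.escape(title, quote=True)}</h1>\n"
        f'<a href="https://twitter.com/share" class="twitter-share-button" '
        f'data-text="{html.escape(title, quote=True)}">Tweet</a>'
    )


class _AnchorAttrs(HTMLParser):
    """Collect the attributes a browser would see on the <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs


EXPECTED_ATTRS = {"href", "class", "data-text"}


def has_injected_attribute(markup: str) -> bool:
    """True when the title managed to add an attribute (for example an event handler)."""
    return bool(set(anchor_attributes(markup)) - EXPECTED_ATTRS)


def main() -> None:
    # Constructed payload: it contains no angle brackets, so a tag stripper passes it
    # untouched, yet the leading quote closes data-text and the rest becomes a new attribute.
    payload = '" onmouseover="alert(1)'
    for name, render in (("vulnerable", twitter_button_vulnerable), ("safe", twitter_button_safe)):
        markup = render(payload)
        print(f"--- {name}\n{markup}\ninjected attribute: {has_injected_attribute(markup)}\n")


if __name__ == "__main__":
    main()
```

The payload in main() is deliberately tag-free to make the point that stripping tags is a body-context defence only; the article's own "><script> title would be caught by the stripper, but an attribute break-out does not need a tag at all. Encoding at the output point, for the context the value lands in, is what actually closes the hole.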
POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-
The Google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.
The researcher says he has contacted Zendesk but has had no response from their side. I have also sent a notification to Zendesk.
Narendra Bhati, an information security researcher from Sheoganj, Rajasthan, has identified a critical UI redressing (clickjacking) vulnerability in the Rediffmail website, a web-based e-mail service provided by Rediff.com.
Rediff is the number one Indian web portal, offering news, information, entertainment and shopping. Rediff.com was the first website domain name registered in India, in 1996.
The website allows other sites to load the Rediffmail page in an iframe:
POC :
<iframe src="http://f5mail.rediff.com/ajaxprism/container#Inbox" width="1000" height="1000"></iframe>
The vulnerability allows an attacker to trick the victim into changing their own personal information, or into sending an SMS to anyone.
Narendra created a small PoC page that lures users with an "Online Prize Contest": when the user copies and pastes a gift code and clicks the submit button, their account information is updated.
You can check his poc here:
http://pastebin.com/qrhZpdeX
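What makes the PoC above possible is simply that the inbox page arrives with no anti-framing header. The following is an added example written for this article, not Rediff's or the researcher's code; the attacker URL and the header sets are constructed. It decides whether a browser honouring X-Frame-Options and CSP frame-ancestors would render a page inside a frame on another origin, so a tester can judge a response without loading it in a browser, and it returns the headers a mail application should send. Wildcard host patterns in CSP sources are treated as non-matching, a simplification noted in the code.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()
    return None


def frameable_by(headers: dict, page_url: str, framer_url: str) -> bool:
    """Would a browser render page_url inside a frame hosted at framer_url?

    Mirrors the precedence browsers apply: a CSP frame-ancestors directive
    overrides X-Frame-Options; with neither header the page can be framed by
    anyone. Host wildcards such as *.example.com are not matched here
    (simplification for this example)."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)

    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False
        if "*" in sources:
            return True
        if "'self'" in sources and framer_origin == page_origin:
            return True
        return any(origin_of(s) == framer_origin for s in sources if "://" in s)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    if xfo.startswith("ALLOW-FROM"):
        allowed = xfo.split(None, 1)[1] if " " in xfo else ""
        return origin_of(allowed) == framer_origin
    return True  # no anti-framing header at all: the situation in the article


def anti_framing_headers() -> dict:
    """Headers an application such as a webmail inbox should send."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def main() -> None:
    # Constructed scenario: the inbox URL from the PoC framed by a hypothetical prize page.
    inbox = "http://f5mail.rediff.com/ajaxprism/container#Inbox"
    prize_page = "http://attacker.invalid/prize.html"
    print("no headers:      ", frameable_by({}, inbox, prize_page))
    print("hardened headers:", frameable_by(anti_framing_headers(), inbox, prize_page))


if __name__ == "__main__":
    main()
```

Sending both headers is deliberate: X-Frame-Options covers browsers from the period of this report, and frame-ancestors is what current browsers consult first.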
The researcher discovered the vulnerability in January and notified Rediffmail. As usual, Rediffmail did not reply regarding the security issue, so after a month Narendra decided to report it to EHN.
A hacker named kuksool from the hacker group "n0careteam" has discovered a cross-site scripting vulnerability in the Alexa website, a California-based subsidiary of Amazon.com that provides information about websites, including internet traffic statistics and rankings.
The vulnerability exists in the Alexa Toolbar search page (search.toolbars.alexa.com), a custom search powered by Google.
If you have the toolbar installed in your browser and inject this script into the search box, it is executed:
"><script>alert(" E Hacking News")</script>
[Screenshot: XSS in Alexa Toolbar Search]
POC:
http://search.toolbars.alexa.com/?q="><script>alert("+E+Hacking+News")</script>
Recently the same hacker group discovered XSS vulnerabilities in high-profile websites including Russian and Malaysian government sites, Music.com and New York Magazine.
Security researcher Vedachala from ICD has identified a cross-site scripting flaw in the website of one of the best-known newspapers, the Times of India.
The Times of India is one of the leading newspapers, bringing the latest and top breaking news on politics and current affairs in India and around the world, cricket, sports, business, Bollywood and more.
POC [Unfixed] :
http://epaper.timesofindia.com/Daily/skins/TOI/welcome.asp?QS="><iframe src="http://www.breakthesecurity.com" width=2000 height=900>
The researcher also found an XSS vulnerability in the NDTV Good Times website. NDTV Good Times is the flagship channel of NDTV Lifestyle, part of the NDTV Group.
POC [Unfixed] :
http://goodtimes.ndtv.com/video/video.aspx?id=52733"><iframe src="http://www.breakthesecurity.com" width=2000 height=900>
Recently the researcher also found XSS vulnerabilities in popular sites such as Airtel, ooowebhost and IBN CNN.
Narendra Bhati (R00t Sh3ll The Untracable), a 21-year-old information security researcher from Sheoganj, Rajasthan, who was recently acknowledged by Acquia.com and has also found many persistent XSS flaws and one SQL injection in a bank website, has discovered non-persistent XSS flaws in the official websites of Shiksha.com, Times of India and the News Bullet subdomain of the Start News channel.
Narendra says: "Kailash Bhayya, Ravi Sir & Sabari Sir, this is for you :-)"
Shiksha.com is part of the Naukri.com group, India's No. 1 job portal. Other portals owned by its parent company Info Edge are 99acres.com, JeevanSathi.com, Brijj.com and AskNaukri.com.
TIMES NOW (timesnow.tv) is a leading 24-hour English news channel that gives urban viewers the complete picture of the news that is relevant, presented in a vivid and insightful manner.
In all of these websites the search fields were found to be vulnerable to XSS injection.
POC code for Times of India TV (TIMES NOW):
http://www.timesnow.tv/videosearchresult.cms?query="/><iframe+src="http://www.breakthesecurity.com"+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0
POC FOR Shiksha.com :
http://www.shiksha.com/search/index?keyword="/><iframe+src="http://www.breakthesecurity.com"+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=-1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duration=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_search&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggestor_suggestion_shown=5
Narendra also found that Shiksha.com is vulnerable to CSRF, which allows an attacker to change the victim's mobile number from a malicious web page.
Narendra also says he tried repeatedly to contact all of these websites by email, Facebook page and so on, but got no reply for a month. He then decided to disclose the vulnerabilities and reported them to EHN.
An information security researcher has discovered multiple cross-site scripting vulnerabilities affecting the website of one of the top news channels, CNN.
The vulnerabilities were reported a few days ago by Quister Tow. They reside in three different CNN subdomains: searchapp.cnn.com, audience.cnn.com and dynamic.si.cnn.com.
POC:
1.http://dynamic.si.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp?searchName=<script>alert(/QuisterTow/)</script>
2.http://searchapp.cnn.com/weboffers/weboffers.jsp?itype=cnn&cid=cnn&text=&domains=;</script><script>alert(/QuisterTow/);</script>&csiID=csi3
3.http://audience.cnn.com/services/si/flow/scoreAlertManagement?_flowExecutionKey=<script>alert(/QuisterTow/)</script>
While I was verifying the XSS vulnerabilities, I found another critical flaw in the website that exposes source code.
POC for JSP source code disclosure:
http://sportsillustrated.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp
I immediately reported the flaw to CNN, but there has been no response from their side, so I am publishing the details here.
Security researcher kuksool from n0careteam has identified cross-site scripting flaws in two well-known websites, Photobucket and SecurityXploded.
POC for Photobucket [unfixed]:
* Load http://photobucket.com/plugin/search
* Enter the following code and hit enter:
" onload=alert('xss!')>click me!"
POC for SecurityXploded [FIXED]:
* Load http://securityxploded.com
* Enter the following code and hit enter:
" onload=alert('xss!')>click me!"
The researcher says he has reported the issue to the Photobucket team. Let us hope they fix the vulnerability soon.
After I sent a notification to SecurityXploded, they fixed the vulnerability immediately.
Narendra Bhati, a 21-year-old information security researcher from Sheoganj, Rajasthan, who recently found non-persistent XSS in Brother Soft, Aircel and MTS Mobile and SQL injection in a bank website, has discovered a non-persistent XSS flaw in the official website of Shane Warne.
Narendra wants to say: "Maa, Papa and Bhayya, one day I will make you proud of me."
Narendra found that the search query field of www.shanewarne.com is vulnerable to XSS.
Shane’s world class talents have been recognized through a number of distinguished awards, including being named one of only five Wisden’s Cricketers of the 20th Century, in Australia’s Cricket Team of the 20th Century, BBC Sports Personality of the Year in 2005, and Victoria’s Greatest Ever Sportsman in 2002. In 2011 Shane was honored with the unveiling of a bronze statue of him at the Melbourne Cricket Ground, and in early 2012 was inducted into the Australian Cricket Hall of Fame.
When an attacker visits www.shanewarne.com and enters XSS code in the field, the script is executed.
POC code :
http://www.shanewarne.com/search/content?q=<script>alert("E+Hacking+News")</script>
The site also allows an iframe to be injected:
http://www.shanewarne.com/search/content?q="/><iframe+src="http://www.ehackingnews.com"+width=1000+height=1000></iframe>
Narendra also succeeded in redirecting the Shane Warne website to another site: a couple of seconds after the page loads it redirects to the injected URL (the PoC uses a two-second meta refresh). This makes it easy for an attacker to send unsuspecting users to a phishing page and steal their credentials.
POC code:
http://www.shanewarne.com/search/content?q=<meta+http-equiv="refresh"+content="2;url=http://www.google.com/">
Ravi Kariya, a security analyst at Cyber Octet Pvt. Ltd (facebook.com/cyberoctet), has discovered critical vulnerabilities in the official website (divyadutta.co.in) of the Indian actress Divya Dutta.
There are two SQL injection vulnerabilities in the website. One resides in the Press Clips page (divyadutta.co.in/pressclipdetail.asp?id=7); a malicious hacker could exploit it to extract the database.
The other is more critical: it allows an attacker to bypass authentication on the login page and log in to the website as admin (divyadutta.co.in/admin/). This is done by injecting a crafted password that modifies the SQL query so that the login check always succeeds.
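Both injection points above, and the scId parameter in the Yahoo! case earlier on this page, share one root cause: user input is concatenated into SQL text. The following is an added example written for this article, not the site's code; the in-memory SQLite schema, the table contents and the function names are constructed. It shows the concatenating login and id lookup beside their parameterised versions, and runs the classic tautology and UNION inputs through both so the difference is visible.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's database (assumption).
    Passwords are stored in clear here only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'correct-horse-battery');
        CREATE TABLE pressclips (id INTEGER, title TEXT);
        INSERT INTO pressclips VALUES (7, 'Interview, 2012');
        INSERT INTO pressclips VALUES (8, 'Award night');
        """
    )
    return conn


# --- login form: the authentication-bypass case -------------------------------

def login_vulnerable(conn, username: str, password: str) -> bool:
    # The password is pasted into the SQL text, so it can rewrite the WHERE clause.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username: str, password: str) -> bool:
    # Bound parameters: the driver passes the values separately from the SQL text,
    # so quotes and keywords in the password are just characters to compare.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# --- ?id= style lookup: the data-extraction case --------------------------------

def clip_vulnerable(conn, raw_id: str):
    # Numeric parameters are not safer: no quotes are needed to break out.
    return conn.execute("SELECT id, title FROM pressclips WHERE id = " + raw_id).fetchall()


def clip_safe(conn, raw_id: str):
    try:
        clip_id = int(raw_id)          # type validation first ...
    except ValueError:
        return []
    return conn.execute(               # ... and a bound parameter regardless
        "SELECT id, title FROM pressclips WHERE id = ?", (clip_id,)
    ).fetchall()


def main() -> None:
    conn = make_db()
    bypass = "' OR '1'='1"             # tautology; AND binds tighter, so OR wins
    print("vulnerable login with bogus password:", login_vulnerable(conn, "nobody", bypass))
    print("parameterised login, same input:    ", login_safe(conn, "nobody", bypass))

    union = "7 UNION SELECT 1, password FROM users"   # pull another table's column
    print("vulnerable id lookup:", clip_vulnerable(conn, union))
    print("hardened id lookup:  ", clip_safe(conn, union))


if __name__ == "__main__":
    main()
```

The two safe functions differ only in the placeholder; the point of clip_safe's int() conversion is that validation narrows what reaches the query, but the parameter binding is what removes the injection, and it costs nothing to do both.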
There is also a cross-site scripting vulnerability in the Contact Us page (divyadutta.co.in/contact.asp). Injecting the following code into the fields and clicking the submit button executes it:
"><script>alert('My Love For Divya Dutta')</script>
Ravi tried to contact Divya Dutta via email and Twitter but got no response. It seems she does not realise the severity of these flaws; a black-hat hacker could deface the site with them.
I think she will respond after some black hats attack the site; what do you think, guys?
*Update*
After E Hacking News published this story, the admin took the Divya Dutta site down. The site now displays the following error message:
"Directory Listing Denied.This Virtual Directory does not allow contents to be listed."
Security researcher Michael Messner has identified multiple vulnerabilities in D-Link DIR-600 and DIR-300 routers that allow attackers to execute arbitrary shell commands.
According to the researcher's blog post, the vulnerability is caused by missing access restrictions and missing input validation on the cmd parameter.
The OS command injection allows an attacker to start telnetd and thereby take control of the device.
CSRF vulnerability: the password change form does not ask for the current password, so an attacker can change the password without knowing it by sending the victim a malicious page that submits the change request on their behalf.
The researcher also found that no password hashing is implemented: the root password is saved in plain text in the var/passwd file.
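The three findings just listed (a password change that never asks for the current password, no CSRF protection, and plaintext storage) are all fixed in the same request handler. The following is an added example written for this article, not D-Link firmware code; the device state, session and form structures, and the PBKDF2 parameters are assumptions. It shows the permissive handler beside one that demands a per-session CSRF token, verifies the current password and stores only a salted hash.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumption; tune to the device's CPU budget


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def new_device(root_password: str) -> dict:
    """Constructed device state: what the firmware keeps for accounts and sessions."""
    return {"passwd": {"root": hash_password(root_password)}, "sessions": {}}


def new_session(device: dict) -> str:
    """Log root in and mint a CSRF token bound to that session."""
    sid = os.urandom(8).hex()
    device["sessions"][sid] = {"user": "root", "csrf": os.urandom(16).hex()}
    return sid


def change_password_vulnerable(device: dict, form: dict) -> bool:
    # Mirrors the findings: a logged-in cookie is all it takes (the browser sends
    # it automatically from a cross-site form), the current password is never
    # asked for, and the new value is written in the clear.
    device["passwd"]["root"] = form["new_password"]
    return True


def change_password_safe(device: dict, sid: str, form: dict) -> tuple:
    session = device["sessions"].get(sid)
    if session is None:
        return False, "not logged in"
    # A cross-site page cannot read the token, so a forged form cannot supply it.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return False, "bad CSRF token"
    # Re-authenticate for this sensitive action: knowing the session is not enough.
    if not verify_password(form.get("current_password", ""),
                           device["passwd"][session["user"]]):
        return False, "current password incorrect"
    if len(form.get("new_password", "")) < 8:
        return False, "new password too short"
    device["passwd"][session["user"]] = hash_password(form["new_password"])
    return True, "password changed"


def main() -> None:
    device = new_device("admin")
    sid = new_session(device)
    forged = {"new_password": "pwned123"}          # all a cross-site form can send
    print("forged request, safe handler:", change_password_safe(device, sid, forged))
    genuine = {"csrf_token": device["sessions"][sid]["csrf"],
               "current_password": "admin", "new_password": "newpass123"}
    print("genuine request, safe handler:", change_password_safe(device, sid, genuine))
    print("stored value:", device["passwd"]["root"][:40], "...")


if __name__ == "__main__":
    main()
```

Requiring the current password is what protects a user whose browser is already logged in, which is exactly the situation a CSRF page relies on; the token check and the hashing address the other two findings and belong in the same handler.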
According to an H-online report, an attacker can exploit the vulnerability to redirect a router's entire internet traffic to a third-party server.
Messner notified D-Link of the vulnerabilities, but they responded that the issue is browser-related and that they will not provide a fix.
Security researcher Shikhil Sharma has identified a non-persistent cross-site scripting vulnerability in one of the leading online job search portals, Monster.
Monster is the largest job search engine in the world, with over a million job postings at any time, over a million résumés in its database (2008) and over 63 million job seekers per month. The company employs approximately 5,000 people in 36 countries.
The job search field of the Monster India website (jobsearch.monsterindia.com) was found to be vulnerable to XSS injection.
POC:
http://jobsearch.monsterindia.com/searchresult.html?fts='/><script>alert('E+Hacking+News')</script>&x=0&y=0&mne=&mxe=
The same vulnerability affects the Hong Kong (jobsearch.monster.com.hk) and Gulf (jobsearch.monstergulf.com) branches of the Monster job portal.
An information security researcher with the online handle 'TheR00tC0de' has identified two cross-site scripting vulnerabilities in the well-known file hosting website Mediafire (www.mediafire.com).
In an email sent to EHN, the researcher provided the two vulnerable links, which execute code injected by an attacker.
The researcher says he has notified the Mediafire team and is waiting for their response. He asked me not to publish the vulnerable links.
At EHN, I have confirmed the vulnerabilities. Let us hope the Mediafire security team fixes them soon.
Recently, E Hacking News reader Mahadev Subedi identified an XSS vulnerability in Mediafire's file uploading service.