Uploader.swf flash file in vBulletin forum vulnerable to XSS

Attention, vBulletin forum users: a Flash file shipped with the vBulletin forum software is vulnerable to cross-site scripting (XSS).

The file "Uploader.swf" is located in either 'clientscript/yui/uploader/assets' or '/core/clientscript/yui/uploader/assets' of the forum installation.

"It has come to our attention that there is a security issue in the uploader.swf file included as part of the Yahoo User Interface (YUI) library included in vBulletin 4. As the version of YUI included in vBulletin is end-of-lifed, Yahoo will not be fixing this issue," the vBulletin security advisory reads.

vBulletin recommends that users delete the Uploader.swf file from their forums and replace it with the empty replacement file provided on the vBulletin forum. This forces vBulletin to use the JavaScript-based uploader instead.

Proof of concept:
http://forum_Domain/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert(/XSS/);}//
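As an added illustration of the advisory's mitigation (not vBulletin's own code), the following Python helper checks both documented locations under a forum root, confirms that the file is a real SWF by its signature bytes, keeps a backup, and truncates it to the empty file the advisory calls for. The forum root path is an assumption supplied by the caller.

```python
import os
import shutil

# The two locations the advisory names for the vulnerable file,
# relative to the forum root (assumed to be passed in by the caller).
UPLOADER_PATHS = (
    "clientscript/yui/uploader/assets/uploader.swf",
    "core/clientscript/yui/uploader/assets/uploader.swf",
)

# Every SWF starts with a three-byte signature: FWS (uncompressed),
# CWS (zlib-compressed) or ZWS (LZMA-compressed).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def find_uploaders(forum_root):
    """Return the uploader.swf paths that exist under forum_root."""
    found = []
    for rel in UPLOADER_PATHS:
        path = os.path.join(forum_root, rel)
        if os.path.isfile(path):
            found.append(path)
    return found


def is_live_swf(path):
    """True if the file is non-empty and carries a SWF signature."""
    with open(path, "rb") as fh:
        head = fh.read(3)
    return head in SWF_MAGIC


def neutralize_uploader(path, backup=True):
    """Replace a live uploader.swf with an empty file, as the advisory
    recommends, so vBulletin falls back to the JavaScript uploader.
    Returns True if the file was replaced, False if it was already inert."""
    if not is_live_swf(path):
        return False
    if backup:
        shutil.copy2(path, path + ".bak")  # keep a copy for rollback
    with open(path, "wb"):
        pass                                # truncate to zero bytes
    return True


def neutralize_forum(forum_root, backup=True):
    """Neutralize every uploader.swf found under forum_root and return
    the list of paths that were actually replaced."""
    return [p for p in find_uploaders(forum_root)
            if neutralize_uploader(p, backup)]
```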

Critical security vulnerabilities patched in Adobe Flash Player and ColdFusion

Adobe has issued a security hotfix for two critical vulnerabilities in the ColdFusion web application server, and a security update for Adobe Flash Player.

The cross-site scripting (XSS) vulnerability (CVE-2013-5326) could be exploited by a remote, authenticated user on ColdFusion 10 and earlier versions when the CFIDE directory is exposed.

The other ColdFusion vulnerability, "unauthorized remote access" (CVE-2013-5328), is rated a critical security flaw.

Adobe Flash Player 11.9.900.117 and earlier versions are affected by a critical bug that "could cause a crash and potentially allow an attacker to take control of the affected system".

Users are advised to follow the instructions provided in these bulletins:
1. http://www.adobe.com/support/security/bulletins/apsb13-27.html
2. http://www.adobe.com/support/security/bulletins/apsb13-26.html

OpenEMR affected by Multiple Vulnerabilities

OpenEMR, the most popular open source electronic medical records application, is reported by Trustwave SpiderLabs to have multiple vulnerabilities.

SpiderLabs reported that, starting from guest access and chaining it with several application issues, the researcher was able to compromise the server running OpenEMR and even use it as a foothold for attacking the internal network.

The researcher found a SQL injection vulnerability in the "Reports > Visits > SuperBill > Dates" page.

By "browsing to this page and dumping in junk in either the start or end date parameters", he saw the SQL error message "ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC".

The report also claims that most of the database contents were dumped, including sensitive patient data as well as numerous usernames and passwords. "I let my GPU box chew on the password hashes for a bit, and kept poking at the application," the blog says.

OpenEMR is also reported to have an HTML injection/XSS flaw on the 'Office Notes' page. Through it, the researcher was able to lure users visiting the page into attempting authentication against his system, which was hosting a fake SMB server with static challenges:

Image Credits: SpiderLabs

"This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH," SpiderLabs reports.

OpenEMR has been informed of the issues and has patched the vulnerabilities in the latest 4.1.1 patch.
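The error message above shows the start and end dates being spliced straight into the SQL text. As an added example (not OpenEMR's code), the following Python builds the same concatenated query over an in-memory SQLite table shaped like the `forms` table in the message, shows how junk in a date parameter breaks it, and contrasts it with a hardened version that validates the date format and binds the values as parameters. The table contents are constructed sample data.

```python
import re
import sqlite3

# Constructed sample rows standing in for OpenEMR's `forms` table.
SAMPLE_FORMS = [
    ("New Patient Encounter", "2013-07-01"),
    ("New Patient Encounter", "2013-07-10"),
    ("New Patient Encounter", "2013-08-02"),
    ("Vitals", "2013-07-05"),
]

# Strict shape check for the only input format the report page should accept.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def open_sample_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forms (form_name TEXT, date TEXT)")
    conn.executemany("INSERT INTO forms VALUES (?, ?)", SAMPLE_FORMS)
    return conn


def build_vulnerable_query(start, end):
    """The concatenation pattern implied by the error message on the page:
    user input is pasted directly into the SQL string."""
    return ("select * from forms where form_name = 'New Patient Encounter' "
            "and date between '%s' and '%s' order by date DESC" % (start, end))


def vulnerable_visits(conn, start, end):
    """Runs the concatenated query; junk such as a' turns into a SQL error,
    which is exactly the signal the researcher saw."""
    return conn.execute(build_vulnerable_query(start, end)).fetchall()


def safe_visits(conn, start, end):
    """Hardened form: reject anything that is not YYYY-MM-DD, then bind the
    values as parameters so they can never be interpreted as SQL."""
    for value in (start, end):
        if not DATE_RE.match(value):
            raise ValueError("date must be YYYY-MM-DD, got %r" % value)
    return conn.execute(
        "SELECT form_name, date FROM forms WHERE form_name = ? "
        "AND date BETWEEN ? AND ? ORDER BY date DESC",
        ("New Patient Encounter", start, end),
    ).fetchall()
```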

Author: Shalini Bhushan


Defencely Website vulnerable to Non Persistent XSS

Security researcher Vedachala has discovered a POST-based cross-site scripting vulnerability in the website of Defencely, a company that provides web application penetration testing services.

The main page of Defencely lets users enter their website address to get a security report. The form takes the input and passes the website address as the "website_url" parameter to "Defencely.com/report_submit.php".

"If a web application is getting user's input, it is always better to double check and make sure the parameter is sanitized." 

Veda identified that the "website_url" parameter is not sanitized and is vulnerable to POST-request-based XSS. He successfully got the injected script executed.

In a Facebook group related to security, the researcher provided the proof of concept (you can also find the details at pastebin.com/9JeJ1HK6). We have successfully verified the vulnerability. At the time of writing, the website is still vulnerable.

*Update:
Another security researcher, QuisterTow, has discovered one more XSS vulnerability in the Defencely website.

The researcher provided the following POC on pastebin (http://pastebin.com/yZzyezqG):
www.defencely.com/getstarted.php?id=Ij48aW1nIHNyYz14IG9uZXJyb3I9cHJvbXB0KCd4c3NlZCcpIC8+&price=OTk=&plan=c3RhcnRlcg==

At the time of writing, we are still able to reproduce the vulnerability.

Rahul Tyagi finds XSS in Sony and Counter-Strike websites

Rahul Tyagi, Senior Security Analyst at TechDefence, has identified cross-site scripting vulnerabilities in high-profile websites including Sony and Counter-Strike.

Earlier today, we got a notification from the researcher saying he had found an XSS vulnerability in the official Counter-Strike blog. I have confirmed the vulnerability.

He also identified a non-persistent XSS in the Sony website. After reporting the vulnerability, he received an appreciation mail from Sony along with an invitation to Sony's security conference.


Rahul also claims to have identified vulnerabilities in a few other well-known websites, including HowStuffWorks, Forbes, BBC, Indiatimes and Indian Express.

XSS in Photobucket fixed

Recently, a 15-year-old tech blogger and security researcher named Indrajeet Bhuyan found and helped fix an XSS vulnerability in Photobucket.

He had previously found vulnerabilities in Samsung, Disqus, NDTV, Jabong, IIT Bombay and many others.

Editor's Note: It is good to see that such young hackers are acting responsibly and reporting vulnerabilities instead of simply defacing the site or using the vulnerabilities for malicious motives. I hope that Mr. Indrajeet Bhuyan continues this.

Hackers infect Pentagon admin by exploiting XSS vulnerability

Recently, EHN received a news report from the Tunisian Cyber Army and the Al Qaida Electronic Army in which the hackers claimed to have infected a Pentagon administrator as part of their ongoing operation called "#opBlackSummer".

The attack reportedly happened after the hackers identified a reflected cross-site scripting (XSS) vulnerability in one of the Pentagon's subdomains (g1arng.army.pentagon.mil).

POC:
g1arng.army.pentagon.mil/Programs/Pages/Default.aspx?Category="><script>alert("xss by tca and AQECA on pentagon")</script>

The hackers claim to have exploited this vulnerability to deliver a malicious payload to the Pentagon administrator, and say they succeeded in infecting them.

The hackers said they compromised some important files and stole cookies from Pentagon mail, and that the breach was carried out in collaboration with Chinese hackers.

At the time of writing, the vulnerability is not fixed. If the TCA claim is true, this will be the best example demonstrating the severity of a simple reflected XSS. Yesterday I sent a notification to the Pentagon team about the vulnerability, but there has been no response from them.

In another mail, the team said they have hacked state.gov through a SQL injection vulnerability.

Persistent XSS vulnerability in Zendesk Support Ticket System

Information security researcher Sukhwinder Singh has identified a critical security flaw in one of the top support ticket systems, provided by Zendesk.

The title field is vulnerable to persistent cross-site scripting. The researcher managed to create a ticket with this title: "><script>alert(/Sukhwinder Singh/)</script>

Although the developer of this app sanitizes the title before it is displayed to the user, the title is stored in the database without sanitizing.

The title is sanitized every time it is displayed in the page. Unfortunately, the special characters are not removed before the title is placed in the data-text attribute of the Twitter button code.


POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-

The Google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.

The researcher claimed to have contacted Zendesk, but there has been no response from their side. I've also sent a notification to Zendesk.
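The bug described above is a context mismatch: sanitizing that protects text content does not protect an attribute value. As an added example (not Zendesk's code), the following Python renders a constructed ticket title into a Tweet button snippet the buggy way and the context-encoded way, then parses the result with Python's own HTML tokenizer to show that the buggy version yields a script element while the encoded version keeps the whole title as harmless attribute text. The markup shape of the button is an assumption.

```python
import html
from html.parser import HTMLParser

# Constructed ticket title mirroring the shape of the one in the report.
TITLE = '"><script>alert(/Sukhwinder Singh/)</script>'


def render_naive(title):
    """The bug the report describes: the title is escaped where it is
    shown as page text, but copied raw into the data-text attribute of
    the Tweet button, so the leading quote closes the attribute early."""
    return ('<h1>%s</h1>\n'
            '<a class="twitter-share-button" data-text="%s">Tweet</a>'
            % (html.escape(title), title))


def render_encoded(title):
    """Hardened form: encode for every output context. html.escape with
    quote=True rewrites & < > " ' as entities, so the value cannot close
    the attribute no matter what the ticket title contains."""
    safe = html.escape(title, quote=True)
    return ('<h1>%s</h1>\n'
            '<a class="twitter-share-button" data-text="%s">Tweet</a>'
            % (safe, safe))


class _TagCollector(HTMLParser):
    """Records start tags and the decoded data-text attribute value, the
    way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.data_text = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name == "data-text":
                self.data_text = value


def parse(markup):
    """Return (list of start tags seen, decoded data-text value)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.data_text
```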

Cross Site Scripting Vulnerability In Times of India and NDTV


A security researcher, Vedachala from ICD, has identified a cross-site scripting security flaw in the website of the well-known newspaper Times of India.

Times of India is one of the leading newspapers, bringing the latest and top breaking news on politics and current affairs in India and around the world, cricket, sports, business, Bollywood news, etc.

POC [Unfixed] :
http://epaper.timesofindia.com/Daily/skins/TOI/welcome.asp?QS="><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

The researcher also found an XSS vulnerability in the NDTV Good Times website. NDTV Good Times is the flagship channel of NDTV Lifestyle, part of the NDTV Group.

POC [Unfixed] :
http://goodtimes.ndtv.com/video/video.aspx?id=52733"><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

Recently, the researcher also found XSS vulnerabilities in popular sites such as Airtel, 000webhost and IBN CNN.

Non-persistent XSS vulnerability in IBNLive

A 17-year-old security researcher, V3d@ch4La from Indian Cub3r Dev!Ls, has discovered a non-persistent XSS security flaw in the official website of IBN (ibnlive.in.com).

Cable News Network-Indian Broadcasting Network (CNN-IBN) is an English-language Indian television news channel. The network is a partnership between Global Broadcast News (GBN) and Turner International (Turner) in India (a subsidiary of Time Warner).

POC:
http://ibnlive.in.com/searcher/search.php?searchq=\"><script>alert(/ E Hacking News/)</script>

Multiple XSS and JSP Source code disclosure vulnerability in CNN

An information security researcher has discovered multiple cross-site scripting vulnerabilities affecting the website of one of the top news channels, CNN.

The vulnerabilities were reported a few days ago by Quister Tow. They reside in three different CNN subdomains: searchapp.cnn.com, audience.cnn.com and dynamic.si.cnn.com.

POC:

1.http://dynamic.si.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp?searchName=<script>alert(/QuisterTow/)</script>

2.http://searchapp.cnn.com/weboffers/weboffers.jsp?itype=cnn&cid=cnn&text=&domains=;</script><script>alert(/QuisterTow/);</script>&csiID=csi3

3.http://audience.cnn.com/services/si/flow/scoreAlertManagement?_flowExecutionKey=<script>alert(/QuisterTow/)</script>

While I was verifying the XSS vulnerabilities, I found another critical security flaw in the website that exposes the source code.

POC for JSP Source Code disclosure
http://sportsillustrated.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp

I immediately reported the security flaw to CNN. But there has been no response from their side, so I am publishing the details here.

XSS vulnerability in PhotoBucket and SecurityXploded

A security researcher, kuksool from n0careteam, has identified cross-site scripting security flaws in two well-known websites, Photobucket and SecurityXploded.

POC for Photobucket [unfixed]:
* Load http://photobucket.com/plugin/search
* Enter the following code and hit enter:
  " onload=alert&#40;'xss!'&#41;>click me!"

POC for SecurityXploded [FIXED]:
* Load http://securityxploded.com
* Enter the following code and hit enter:
  " onload=alert&#40;'xss!'&#41;>click me!"

The researcher claims to have reported the issue to the Photobucket team. Let us hope they will fix the vulnerability soon.

After I sent a notification to SecurityXploded, they fixed the vulnerability immediately.

Click based XSS vulnerability in Yahoo



Today, information security researcher QuisterTow came up with an interesting vulnerability finding in one of the top search engine websites, Yahoo.

A cross-site scripting vulnerability resides in the hk.promotions.yahoo.com domain. It is a click-based XSS: when I click the Flash content, it runs the XSS code.

Poc code:
http://hk.promotions.yahoo.com/wedding2010/home_banner.swf?clickTAG=javascript:alert(/ E Hacking News /);

The above finding is a really interesting one. Just load the URL and click on the Flash content, and the injected code is executed.

At the time of writing, the vulnerability is still present.

Bollywood Actress Divya Dutta website vulnerable to critical vulnerabilities


Ravi Kariya, a security analyst from Cyber Octet Pvt. Ltd (facebook.com/cyberoctet), has discovered critical vulnerabilities in the official website (divyadutta.co.in) of the well-known Indian actress Divya Dutta.

There are two SQL injection vulnerabilities in the website. One of them resides in the Press Clips page of the site (divyadutta.co.in/pressclipdetail.asp?id=7). A malicious hacker could exploit this vulnerability to extract the database.

The other one is more critical: it allows hackers to bypass the login authentication. A malicious hacker could log into the website as admin (divyadutta.co.in/admin/) by injecting a crafted password that modifies the SQL query so that it lets the hacker log in.

There is also a cross-site scripting vulnerability in the contact us page (divyadutta.co.in/contact.asp). Injecting the following code into the fields and clicking the submit button executes the injected code:

"><script>alert('My Love For Divya Dutta')</script>

Ravi tried to contact Divya Dutta via email and Twitter, but she failed to respond to his query. It seems that she doesn't realize the severity of this security flaw. A black hat hacker could deface the site with these vulnerabilities.

I think she will respond after some black hats attack the site. What do you think, guys?

*Update*
After E Hacking News published news about the vulnerability, the admin pulled down the Divya Dutta site. Now the site displays the following error message:

"Directory Listing Denied. This Virtual Directory does not allow contents to be listed."


Non Persistent Cross Site scripting vulnerability in Monster India, Gulf and Hong Kong


Security researcher Shikhil Sharma has identified a non-persistent cross-site scripting vulnerability in one of the leading online job search portals, Monster.

Monster is the largest job search engine in the world. Monster has over a million job postings at any time and over 1 million resumes in its database (2008), and serves over 63 million job seekers per month. The company employs approximately 5,000 employees in 36 countries.

The job search field in the Monster India website (jobsearch.monsterindia.com) was found to be vulnerable to XSS injection.


POC:
http://jobsearch.monsterindia.com/searchresult.html?fts='/><script>alert('E+Hacking+News')</script>&x=0&y=0&mne=&mxe=

The same vulnerability affects the Hong Kong (jobsearch.monster.com.hk) and Gulf (jobsearch.monstergulf.com) branches of the Monster job portal.

TheR00tC0de found Two XSS vulnerabilities on Mediafire website

An information security researcher with the online handle 'TheR00tC0de' has identified two cross-site scripting vulnerabilities in the well-known file hosting website Mediafire (www.mediafire.com).

In an email sent to EHN, the researcher provided the two vulnerable links that execute the injected code.

The researcher says he has sent a notification about the vulnerabilities to the Mediafire team and is waiting for their response. The researcher asked me not to publish the vulnerable links.

At EHN, I have confirmed those vulnerabilities. Let us hope the Mediafire security team will fix them soon.

Recently, E Hacking News reader Mahadev Subedi identified an XSS vulnerability in the file uploading service of Mediafire.

BrotherSoft website vulnerable to XSS Security flaw

A 21-year-old information security expert, Narendra Bhati from Sheoganj, Rajasthan, has discovered a non-persistent XSS security flaw in the official website of BrotherSoft.

Narendra found that the search query field on the brothersoft.com website is vulnerable to XSS.

BrotherSoft serves customers worldwide as one of the top 5 leading software download websites. Over 250,000 freeware and shareware programs are available for free download across 7 channels including Windows, Mac, Mobile, etc. There are more than 10,00,000 downloads every day on their site.

POC code :
http://search.brothersoft.com/index.php?stype=windows&keyword="><script>alert("XSS")</script>

The site also allows users to inject iframe code:
http://search.brothersoft.com/index.php?stype=windows&keyword="/><iframe+src="http://www.indiaresults.com/"+width=1000+height=1000></iframe>

He also noticed that the Privacy Policy page of BrotherSoft is vulnerable to XSS. Narendra says he reported the vulnerability to BrotherSoft 4 days ago, but they have failed to respond.

000webhost vulnerable to Non-Persistent Cross site scripting


One of the top free web hosting providers, 000webhost, is found to have a website vulnerable to cross-site scripting. The vulnerability was discovered by cyber security researcher Vedachala.

The domain name, subdomain name and email address fields in the "Order Free Web Hosting" page of the site (000webhost.com) are vulnerable to XSS injection.


The site's web application developer failed to validate those inputs for special characters, which results in this security flaw.

POC code for this security bug:

    http://www.000webhost.com/order.php?domain=\"><script>alert(/e hacking news/)</script>&subdomain=\"><script>alert(/e hacking news/)</scrip&name=\"><script>alert(/E Hacking News/)</script>&email=\"><script>alert(/e hacking news/)</script>&pass1=\"><script>alert(/E Hacking New&pass2=\"><script>alert(/E Hacking New&aggree=yes&error_multiple=1&error_domain=1&error_subdomain=1&error_name=&error_email=1&error_pass=4&error_tos=&error_number=&error_js=&error_disposable=&error_bad_gmail=

The researcher also recently found a reflected xss vulnerability in the Airtel website. 

WhatsApp website vulnerable to XSS Security flaw

Information security expert Narendra Chavda from Ahmedabad, Gujarat, has discovered a non-persistent XSS security flaw in the official website of WhatsApp.

Narendra found that the search query field on the FAQ page of whatsapp.com is vulnerable to XSS.


When an attacker visits "www.whatsapp.com/faq/" and enters the XSS code in the field, the entered script is executed.

POC code :
www.whatsapp.com/faq/search/?q=<script>alert("E Hacking News")</script>

The site also allows users to inject iframe code:
http://www.whatsapp.com/faq/search/?q=<iframe src="http://www.ehackingnews.com/"height="1000px"width="1000px">

Reflected XSS Vulnerability In Aegis Global Website

Information security expert Narendra Bhati from Sheoganj, India has discovered a reflected cross-site scripting vulnerability in the official website of Aegis Global (www.aegisglobal.com).

The Aegis group operates in the manufacturing and services sectors, covering steel, energy, power, communications, shipping ports and logistics, and construction; it also runs many BPO call centres in India for clients such as TATA DOCOMO.

The vulnerability exists in the search field of the website. Injecting XSS code into the search box executes the injected code.

For instance, injecting the following code into the search box displays an alert box:

    "><script>alert("E Hacking News")</script>

Narendra also found that the field allows a user to run iframe code, so a hacker could possibly inject a phishing page to scam unsuspecting visitors.

    "/><iframe src="http://www.google.com" width=1000 height=1000></iframe>