Thursday 27 December 2012

[EN] 5 RCE in GetSimple 3.1.2 - Updated

Latest GetSimple CMS (3.1.2) is vulnerable to authentication bypass, and remote code exec.

RCE in latest GetSimple CMS



One of five exploits is here.
To all of you, who mailed me with feedback - thanks!

If you need 4 sploit more (to testing) - just let me know;)

o/

Monday 24 December 2012

[EN] OSSEC Cool Dashboard - New release!

This time update version is with number 0.5, what you can check here. :)

As always Jess was extremly fast with new patch. Work with such a good coder is a pleasure.

Now, check OCD!

Friday 21 December 2012

[EN] All about filtering...

To know how I feel when I'm testing 'another' web-code, watch this. ;D

Merry Xmas ;)
o/

Thursday 20 December 2012

[EN] Joomla 3.0.2 leaked again

Joomla 3.0.2 is vulnerable to sql leak.

If user supplied malformed data to cookie (by adding a value to md5 string), then
sql leak is possible and Joomla's table names prefix can be read.

Add 'malformed' value here - Burp

... and now you can see an error from <prefix>_session table:

SQL Leak - now you know what is the prefix

:)

If you watch this request/response you will see that those screens was created from 'administrators' link. To stop comments like 'not usefull because possible from admin' - try to reproduce this from normal (registered) or pre-auth user. ;)

Another place where user can input malformed data, looks like this:

SQL Leak


cheers

[EN] Constant Contact for WordPress 2.3.12 XSSed

Constant Contact for WordPress 2.3.12 is vulnerable to XSS attack.

cc_username and cc_password parameters are vulnerable to persistent XSS.

[EN] Dooodl (1.1.4) XSSed

"History Viewer Look & Feel" in latest Dooodl is vulnerable to persistent XSS.

All forms available at wp-admin/admin.php?page=dooodl_gallery_layout&settings-updated=true
are vulnerable to XSS attack.

Add filtering for user input for parameters described as:
Body backgroundcolor, Dooodl item backgroundcolor, Link backgroundcolor, Link textcolor,
Title textcolor, General textcolor, Title backgroundcolor, Intro backgroundcolor, Intro textcolor

[EN] Constant Contact for WordPress 2.3.12 XSSed

In latest Constant Contact for WordPress (2.3.12) we have two vulnerable parameters.

cc_username and cc_password parameters are vulnerable to persistent XSS.

[EN] Admin Menu Editor XSSed

Latest version of "Admin Menu Editor" (1.1.13) plugin is vulnerable to persistent XSS attack.

Try to add some filtering in "Menu title" form ;)

[EN] Google Analyticator 6.4.1 XSSed

Google Analyticator 6.4.1 is vulnerable to cross-site scripting.


'Download extensions to track' is vulnerable to XSS.

Also ga_adsense, ga_extra, ga_extra_after and ga_outbound_prefix parameters are also vulnerable to XSS.


[EN] Faster Image Insert 2.4.0 XSSed

Faster Image Insert (2.4.0) is vulnerable to XSS attack.

'Set custom string' form is vulnerable to XSS.
'Custom post types' is also vulnerable.

[EN] Events Manager 5.3.2.1 XSSed

Events Manager 5.3.2.1 is vulnerable to cross-site scripting.

'pno', '_wpnonce', 'cols', 'limit' parameters are vulnerable to XSS.

'Bypass' for include xss code for limit parameter can be done by adding:
limit="></option></select><img src=x onerror=alert(1)><option>
(because you must close <option> and <select> tags and then add xss).

[EN] Google Analytics for WordPress 4.2.8 XSSed

Google Analytics for WordPress (4.2.8) is vulnerable to cross-site scripting.

In wp-admin/options-general.php?page=google-analytics-for-wordpress page
go to "Internal Links to Track as Outbound" and as a 'Internal links to track as outbound'
form, type your XSS code.

'Label to use' form is also vulnerable. Both are persistent.

Tuesday 18 December 2012

[EN] Installing WP-plugins without FTP server

Few times when I was testing some plugins for Wordpress I was wondering how can I install plugin without FTP server. Wordpress after default installation needs configured ftp when you want to install new plugin, but here is one quick-hack I found at net:

Edit your wp-config.php file and add there line:
define('FS_METHOD', 'direct');

Now save your file, and enjoy installing plugins without ftp server. :)

Cheers
o/

[EN] WP-StatsDashboard XSSed

http://wordpress.org/extend/plugins/wp-stats-dashboard/

Very nice WordPress plugin. But it's vulnerable to XSS :)

When you're in 'Basic settings' type your 'Blog ID' name in HTML :]

This post will be updated, because in this plugin we will have more bugs.


Cheers o/



[EN] FIAGallery 2.16 Persistent XSS

Sure it's another 'admin' XSS, anyway - bug is bug ;)

XSSed parameter 
Check it out at http://wordpress.org/extend/plugins/flash-album-gallery/.

Add htmlentities() to display this variable.

[EN] ReFlex Gallery 1.3 - Persistent XSS

ReFlex Gallery 1.3 - Multiple persistent XSS:
http://wordpress.org/extend/plugins/reflex-gallery/

'Enter Gallery Name' and 'Enter Gallery Description' are vulnerable to XSS.

Try to filter inputs from users in add-gallery.php:
<code>
43:    <p><input type="text" name="galleryCode" value="[ReflexGallery id='<?php echo $this->reflexdb->getNewGalleryId(); ?>']" size="40" /></p></div>
70:                <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
75:                <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
</code>

To patch it, just add htmentities(). Like this:

<code>

kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$ grep htmlentities -n add-gallery.php
70:  <td><input type="text" size="30" name="galleryName" value="<?php echo htmlentities($galleryName); ?>" /></td>
75:  <td><input type="text" size="50" name="galleryDescription" value="<?php echo htmlentities($galleryDescription); ?>" /></td>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$

</code>


:)

[EN] WP Easy Gallery 2.6 XSS'ed - updated

Multiple XSS vulnerabilities found in latest WP Easy Gallery:

XSS is possible because parameter "galleryName" is not filtered.
User can add JS/HTML as a 'Gallery Name', so exploitation is possible.

As you can see below, 'galleryDescription' is also vulnerable.

If you want to check which one parameter is vulnerable here too, type at console:

<code>
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$ grep -n echo add-gallery.php | grep php | grep -e "\\$"

(...)
75: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
80: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
85: <td><input id="upload_image" type="text" size="36" name="upload_image" value="<?php echo $imagepath; ?>" />
91: <td><input type="text" size="10" name="gallerythumbwidth" value="<?php echo $thumbwidth; ?>" /></td>
96: <td><input type="text" size="10" name="gallerythumbheight" value="<?php echo $thumbheight; ?>" /></td>

(...)
 kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$
</code>
------------------------------------

Update:
Also parameter "select_gallery" is vulnerable to this attack.

Update : 27.12.2012:

galleryName, galleryDescription, upload_image, gallerythumbwidth, gallerythumbheight
parameters are not filtered after users input.

Payload to reproduce this vulnerability:
']"/><body onload=alert(/boom/)>



[EN] Concrete5 CMS 6.0.2 - multiple vulnerabilities

Hi,

Concrete5 Team is creating a patch for my last few findings.

Once the patch is released, a more detailed info will be published.

Cheers,
o/

[EN] ATutor 2.1 vulnerabilities

Hi,

few findings at Atutor CMS .

I must say that Developers Team is really fast :)

Good job, thanks!

(Post will be updated as soon as dev-team will release the patch.)

* Update 20.12.2012 *
Today dev team send me information about patch. 
Post will be updated as soon as possible.  

o/

[EN] phpWebSite XSS

In cooperation with Matt, I would like to present you new patch for phpWebSite 1.7.3 :)

Matt, thanks for a fast reply and writting patch. It was pleasure to work with you!

Details here, so update please ;)

Monday 17 December 2012

[EN] LinkedIn.com XSSed

Yes yes, LinkedIn is vulnerable to persistent XSS :)

I found a vulnerability for users logged in. This time it is stored (persistent) XSS.
But it will be 'private' until LinkedIn Staff will secure it.

Cheers
o/