Tuesday, 30 December 2014

DoubleClick do Google pode ser vulnerável a ataques

According to researcher Wang Jing, a mathematics student at Nanyang Technological University, Singapore, writing on the Tetraph blog, DoubleClick, Google's system for buying and selling advertisements, could be susceptible to spam and phishing attacks. The finding puts Google and DoubleClick's users on alert.

Understanding the DoubleClick vulnerability

In his research, Wang Jing found Open Redirect vulnerabilities that let attackers send users to a malicious site without any validation of the destination: a user would click an advertisement and, instead of being taken to the advertiser's site, be redirected to a site serving malware.

Jing also stated that DoubleClick's wide reach makes attacks on these vulnerabilities more likely, particularly for spam and phishing.

CVE-2014-8489 Ping Identity Corporation “PingFederate 6.10.1 SP Endpoints” Dest Redirect Privilege Escalation Security Vulnerability

Exploit Title: “Ping Identity Corporation” “PingFederate 6.10.1 SP Endpoints” Dest Redirect Privilege Escalation Security Vulnerability
Product: PingFederate 6.10.1 SP Endpoints
Vendor: Ping Identity Corporation
Vulnerable Versions: 6.10.1
Tested Version: 6.10.1
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]
CVE Reference: CVE-2014-8489
CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 10.0
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

References:
http://article.gmane.org/gmane.comp.security.fulldisclosure/1302/match=

CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Web Application Cyber Security Zero Day Bug



Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities
Product: WebPress
Vendor: goYWP
Vulnerable Versions: 13.00.06
Tested Version: 13.00.06
Advisory Publication: December 09, 2014
Latest Update: January 01, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8751
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Advisory Details:


(1) Vendor & Product Description:



Vendor:

goYWP



Product & Vulnerable Versions:

WebPress
13.00.06



Vendor URL & Download:

Product can be obtained from here,
http://www.goywp.com/view/cms
http://www.goywp.com/demo.php




Google Dork:
Powered by goYWP.com



Product Introduction:
“WebPress is the foundation on which we build web sites. It’s our unique Content Management System (CMS), flexible enough for us to build your dream site, and easy enough for you to maintain it yourself.”

(2) Vulnerability Details:
The WebPress web application is vulnerable to reflected cross-site scripting (XSS). A remote attacker can craft a request that executes arbitrary script code in a user's browser session, within the trust relationship between that browser and the server.

Other researchers have previously reported 0-day vulnerabilities in similar products, and WebPress has patched some of them.


(2.1) The first flaw is in the “/search.php” page, via the “search_param” parameter sent in an HTTP GET request.

(2.2) The second flaw is in the “/forms.php” page (form submission), via the “name”, “address” and “comment” parameters sent in an HTTP POST request.

References:
https://computertechhut.wordpress.com/2014/12/29/cve-2014-8751

Monday, 29 December 2014

CVE-2014-8754 WordPress "Ad-Manager Plugin" Unvalidated Redirects and Forwards Web Security Vulnerability




Exploit Title: WordPress Ad-Manager Plugin Unvalidated Redirects and Forwards Vulnerability
Product: WordPress Ad-Manager Plugin
Vendor: CodeCanyon
Vulnerable Versions: 1.1.2
Tested Version: 1.1.2
Advisory Publication: November 25, 2014
Latest Update: December 15, 2014
Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]
CVE Reference: CVE-2014-8754
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification
Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Advisory Details:


(1) Vendor & Product Description:



Vendor:

CodeCanyon



Product & Vulnerable Versions:

WordPress Ad-Manager Plugin
1.1.2



Vendor URL & Download:

Product can be obtained from here,
http://codecanyon.net/item/wordpress-admanager/544421





Product Introduction Overview:

"Wordpress Ad-Manager offers you a simple solution to implement advertising into your posts, your blog or any other Wordpress page. You can use pictures and images or HTML snippets like Google AdSense to incorporate advertising in an easy way. You are able to select ads via Ad Zones, to re-size them or to limit the height or the width. Wordpress Ad-Manager also offers statistics for the site admin. However, Wordpress Ad-Manager’s best feature is its simplicity. It’s easy to set up and also comes with a widget. What more could one want?"



(2) Vulnerability Details:

The Ad-Manager plugin is vulnerable to unvalidated redirects and forwards (open redirect). An attacker can craft a URL that, if clicked, redirects the victim from the legitimate site to an arbitrary site of the attacker's choosing. Such URLs are effective because they initially appear to point at a trusted site, and they can lead an unsuspecting user to a page hosting attacks against client-side software such as a web browser or a document renderer.

Other researchers have previously reported 0-day vulnerabilities in similar products, and the Ad-Manager plugin has patched some of them.



(2.1) The open redirect (labelled "Dest Redirect Privilege Escalation" in the advisory) is in the "track-click.php" page, via the "out" parameter.

References:

http://tetraph.com/security/cves/cve-2014-8754
http://computerobsess.blogspot.com/2014/12/cve-2014-8754-wordpress-ad-manager.html
http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014110533
http://seclists.org/fulldisclosure/2014/Nov/93
http://www.osvdb.org/creditees/12822-wang-jing
https://progressive-comp.com/?l=full-disclosure&m=141705602927943&w=1
https://packetstormsecurity.com/files/129290/WordPress-Ad-Manager
http://cxsecurity.com/issue/WLB-2014120003
http://www.cnvd.org.cn/flaw/show/CNVD-2014-08598
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01370.html
http://russiapost.blogspot.com/2014/12/wordpress-ad-manager-open-redirect.html
http://marc.info/?l=full-disclosure&m=141705602927943&w=4



CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Web Application Zero Day Bug

Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Security Weakness
Product: LibCal
Vendor: Springshare
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: Nov 25, 2014
Latest Update: Nov 25, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7291
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Solution Status: Fixed by Vendor
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Advisory Details:


(1) Vendor & Product Description:


Vendor:
Springshare


Product & Vulnerable Versions:
LibCal
2.0


Vendor URL & download:
http://springshare.com/libcal/

Product Introduction Overview: “LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide, LibCal makes it a breeze to manage online calendar of events, offer room bookings online, manage the opening hours for various locations."

    "Manage Calendar & Event Registrations
    Create custom Registration Forms
    Manage Consultation Appointments
    Create an Online Room Booking System
    Display Library & Departmental Hours
    Share Calendar/Event Info via Widgets"





(2) Vulnerability Details: The Springshare LibCal web application is vulnerable to reflected cross-site scripting (XSS). A remote attacker can craft a request that executes arbitrary script code in a user's browser session, within the trust relationship between that browser and the server.

Other researchers have previously reported vulnerabilities in Springshare LibCal, and Springshare has patched some of them.




(2.1) The flaw is in the “/api_events.php” page, via the “m” and “cid” parameters.
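The WebPress findings (2.1 and 2.2 of CVE-2014-8751) and this LibCal one are the same bug: a request parameter is written back into the page without output encoding. The Python below is an added example, not code from WebPress or LibCal; the search-page template, the reuse of the "search_param" name and the two payloads are constructed for this illustration. It renders the page the vulnerable way and the encoded way, then parses the result the way a browser would to show which version turns the payload into a script element or an event-handler attribute.

```python
"""Reflected XSS on a search page: the echo pattern the WebPress and LibCal
advisories describe, beside output encoding. Added example, not code from
either product; the template, parameter handling and sample payloads are
constructed for this illustration."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


def _term(query: str) -> str:
    return parse_qs(query, keep_blank_values=True).get("search_param", [""])[0]


def render_search_vulnerable(query: str) -> str:
    """search.php-style page that writes the raw parameter into two HTML
    contexts: a double-quoted attribute value and a text node."""
    term = _term(query)
    return (f'<form><input name="search_param" value="{term}"></form>'
            f"<h2>Results for {term}</h2>")


def render_search_fixed(query: str) -> str:
    """Same page with output encoding. html.escape(quote=True) turns < > &
    " and ' into entities, which is the correct encoding for both the
    double-quoted attribute and the text node used here."""
    safe = html.escape(_term(query), quote=True)
    return (f'<form><input name="search_param" value="{safe}"></form>'
            f"<h2>Results for {safe}</h2>")


class _TagAudit(HTMLParser):
    """Records the tags and on* event-handler attributes a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_script(page: str) -> bool:
    """True if the rendered page contains a script element or an event
    handler attribute, i.e. the payload became active content."""
    audit = _TagAudit()
    audit.feed(page)
    return "script" in audit.tags or bool(audit.handlers)


# Constructed payloads: the first breaks out of the attribute and opens a
# new element, the second stays inside the tag and adds an event handler.
PAYLOAD_TAG = urlencode({"search_param": '"><script>alert(1)</script>'})
PAYLOAD_ATTR = urlencode({"search_param": '" onmouseover="alert(1)'})

if __name__ == "__main__":
    for q in (PAYLOAD_TAG, PAYLOAD_ATTR):
        print("vulnerable:", injected_script(render_search_vulnerable(q)),
              "fixed:", injected_script(render_search_fixed(q)))
```

The attribute-breakout payload matters for the fix: escaping only `<` and `>` would stop the first payload and still let the second one through, which is why the encoding has to cover quotes as well.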

(3) Solutions:
2014-10-01: Reported the vulnerability to the vendor.
2014-10-15: The vendor replied with thanks and changed the source code.


CVE-2014-7292 Newtelligence dasBlog Dest Redirect Privilege Escalation Web Application Zero Day Bug

Exploit Title: Newtelligence dasBlog Dest Redirect Privilege Escalation Vulnerability
Product: dasBlog
Vendor:  Newtelligence
Vulnerable Versions: 2.3 (2.3.9074.18820), 2.2 (2.2.8279.16125), 2.1 (2.1.8102.813)
Tested Version: 2.3 (2.3.9074.18820)
Advisory Publication: Oct 15, 2014
Latest Update: Oct 15, 2014
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
CVE Reference: CVE-2014-7292
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification
Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)


Advisory Details:

(1) Vendor & Product Description:

(1) Vendor & Product Description:

Vendor:
Newtelligence

Product & Vulnerable Versions:
dasBlog
2.3 (2.3.9074.18820), 2.2 (2.2.8279.16125), 2.1 (2.1.8102.813)

Vendor URL & download:
dasBlog can be obtained from here,
http://dasblog.codeplex.com/documentation

What is dasBlog?
"dasBlog Community Edition is an ASP.NET weblogging application. It runs on ASP.NET 1.1 and is developed in C#. dasBlog, an evolution of the BlogX weblog engine, adds lots of additional features like Trackback, Pingback, Mail notifications, full Blogger/M."

"This dasBlog 2.3.1 release comes almost 3 years since the release of dasBlog 2.3, we know this is an internet lifetime, and in many cases our user base may have moved on to other applications, (and/or are just checking back in to see what we have to offer, or you stuck with us and you may be outgrowing your current dasBlog installation! That said, if this is your first experience with dasBlog or you’re looking for improvements in your current dasBlog, you will find that dasBlog 2.3.1 is an incremental improvement, now supporting .NET 4 and resolving some minor support operations issues, and is even more robust and stable than it ever has been. What you will not find is a host of new features or much expansion of the existing features."

(2) Vulnerability Details:
The Newtelligence dasBlog ct.ashx handler is vulnerable to open redirect (unvalidated redirects and forwards, also called URL redirection). An attacker can craft a URL that, if clicked, redirects the victim from the legitimate blog to an arbitrary site of the attacker's choosing. Such URLs are effective because they initially appear to point at a trusted site, and they can lead an unsuspecting user to a page hosting attacks against client-side software such as a web browser or a document renderer.

dasBlog supports a feature called Click-Through which basically tracks all links clicked inside your blog posts. It's a nice feature that allows the blogger to stay informed what kind of content readers like. If Click-Through is turned on, all URLs inside blog entries will be replaced with <URL to your blog>/ct.ashx?id=<Blog entry ID>&url=<URL-encoded original URL> which of course breaks WebSnapr previews.
Web.config code:
<add verb="*" path="ct.ashx" type="newtelligence.DasBlog.Web.Services.ClickThroughHandler, newtelligence.DasBlog.Web.Services"/>

 
(2.1) The vulnerability is in the "ct.ashx" handler, via the "url" parameter.
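The same pattern underlies the DoubleClick report at the top of the page, CVE-2014-8489 (PingFederate SP endpoints), CVE-2014-8754 (Ad-Manager "track-click.php" with "out") and this dasBlog "ct.ashx" handler with "url": a click-tracking or redirect endpoint forwards the browser to whatever the query string names. The Python below is an added example, not code from dasBlog, Ad-Manager, PingFederate or DoubleClick; the host names, the signing key and all function names are assumptions made for this illustration. It shows the unchecked redirect, an allowlist check that handles the common bypasses, and, for the case where destinations are legitimately arbitrary (an ad network cannot allowlist every advertiser), an HMAC-signed tracking link that the handler only follows when the server itself issued it.

```python
"""Click-through redirect handlers: the unchecked pattern from the advisories
beside two hardened variants. Added example, not code from dasBlog,
Ad-Manager, PingFederate or DoubleClick; BLOG_HOST, SIGNING_KEY and the
function names are assumptions made for this illustration."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

BLOG_HOST = "blog.example"                       # assumed: the site's own host
ALLOWED_HOSTS = {BLOG_HOST}                      # assumed redirect allowlist
SIGNING_KEY = b"server-side secret, rotate it"   # assumed: never sent to clients


def _param(query: str, name: str) -> str:
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def vulnerable_redirect(query: str) -> str:
    """ct.ashx / track-click.php style: the 'url' value becomes the Location
    header with no check at all, so ?url=https://evil.example/ is followed."""
    return _param(query, "url")


def is_safe_target(target: str) -> bool:
    """Allowlist check: accept a same-site path or an http(s) URL whose host
    is in ALLOWED_HOSTS. Backslashes are folded to '/' first because browsers
    treat '/\\evil' as '//evil'; protocol-relative '//evil', userinfo tricks
    ('https://blog.example@evil') and non-http schemes are all rejected."""
    if not target:
        return False
    candidate = target.replace("\\", "/")
    if candidate.startswith("/") and not candidate.startswith("//"):
        return True
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS


def allowlisted_redirect(query: str) -> Optional[str]:
    """Fix 1: only forward to targets that pass is_safe_target()."""
    target = _param(query, "url")
    return target if is_safe_target(target) else None


def _mac(entry_id: str, destination: str) -> str:
    msg = f"{entry_id}\n{destination}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_tracked_link(entry_id: str, destination: str) -> str:
    """Fix 2, link generation: when the post is rendered, sign (id, url) so
    the handler can tell links it emitted from links an attacker composed.
    This is the option when destinations are legitimately arbitrary."""
    return "/ct?" + urlencode({"id": entry_id, "url": destination,
                               "sig": _mac(entry_id, destination)})


def signed_redirect(query: str) -> Optional[str]:
    """Fix 2, handler: recompute the MAC and refuse anything that does not
    verify. None means 'answer 400', never 'redirect somewhere else'."""
    entry_id, destination = _param(query, "id"), _param(query, "url")
    if not hmac.compare_digest(_mac(entry_id, destination), _param(query, "sig")):
        return None
    return destination


if __name__ == "__main__":
    attack = "id=42&url=https://evil.example/login"
    print("vulnerable ->", vulnerable_redirect(attack))
    print("allowlisted ->", allowlisted_redirect(attack))
    link = make_tracked_link("42", "https://advertiser.example/landing")
    genuine = link.split("?", 1)[1]
    print("signed, genuine ->", signed_redirect(genuine))
    print("signed, tampered ->", signed_redirect(genuine.replace("advertiser", "evil")))
```

The allowlist variant is the right fix for a blog or an SSO endpoint that only ever returns users to its own pages; the signed-link variant is the one that fits ad click tracking, where the destination is the advertiser's site and cannot be enumerated in advance. In both cases a failed check must produce an error page, not a fallback redirect to a "default" URL taken from the same request.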

(3) Solutions:
2014-10-15 Public disclosure with self-written patch.

References:
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01235.html
https://packetstormsecurity.com/files/128749/Newtelligence-dasBlog-2.3-Open-Redirect.html