家庭小木屋

家是什么?众说纷纭。社会学家说,家是社会的最小细胞;婚姻学家说,家是风雨相依的两人世界;文学家说,家是宝盖下面养着的一群猪……究竟什么是家呢?记得在一个朋友的结婚典礼上司仪饱含深情的那句话:家不是讲理的地方,家不是放钱的地方,家不是两个人凑合过日子的地方……

IT 计算机信息网络安全技术:

VuFind 1.0 Reflected XSS (Cross-site Scripting) Application 0-Day Web Security Bug



Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web Security Vulnerability

Product: VuFind

Vendor: VuFind

Vulnerable Versions: 1.0

Tested Version: 1.0

Advisory Publication: September 20, 2015

Latest Update: September 25, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)









Caution Details:



(1) Vendor & Product Description:



Vendor:

VuFind




Product & Vulnerable Versions:

VuFind

1.0




Vendor URL & Download:

Product can be obtained from here,
http://sourceforge.net/p/vufind/news/





Product Introduction Overview:

"VuFind is a library resource portal designed and developed for libraries by libraries. The goal of VuFind is to enable your users to search and browse through all of your library's resources by replacing the traditional OPAC to include: Catalog Records, Locally Cached Journals, Digital Library Items, Institutional Repository, Institutional Bibliography, Other Library Collections and Resources. VuFind is completely modular so you can implement just the basic system, or all of the components. And since it's open source, you can modify the modules to best fit your need or you can add new modules to extend your resource offerings. VuFind runs on Solr Energy. Apache Solr, an open source search engine, offers amazing performance and scalability to allow for VuFind to respond to search queries in milliseconds time. It has the ability to be distributed if you need to spread the load of the catalog over many servers or in a server farm environment. VuFind is offered for free through the GPL open source license. This means that you can use the software for free. You can modify the software and share your successes with the community! Take a look at our VuFind Installations Wiki page to see how a variety of organizations have taken advantage of VuFind's flexibility. If you are already using VuFind, feel free to edit the page and share your accomplishments. "







(2) Vulnerability Details:

VuFind web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


Several other similar products 0-day vulnerabilities have been found by some other bug researchers before. VuFind has patched some of them. "scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training".



(2.1) The code flaw occurs at "lookfor?" parameter in "/vufind/Resource/Results?" page.


Some other researcher has reported a similar vulnerability here and VuFind has patched it.
https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html








(3) Solution:

Update to new version.









  References:
  http://tetraph.com/security/xss-vulnerability/vufind-xss/
  http://russiapost.blogspot.ru/2015/09/vufind-xss-issue.html
  https://infoswift.wordpress.com/2015/09/25/vufind-issue/
  http://www.openwall.com/lists/oss-security/2015/09/25/2
  http://whitehatview.tumblr.com/post/129834589981/vufind-xss-bugs 
  http://itsecurity.lofter.com/post/1cfbf9e7_854cb25 
  https://progressive-comp.com/?l=oss-security&m=144316469829656&w=1
  http://essayjeans.blog.163.com/blog/static/23717307420158253407863/
  http://seclists.org/oss-sec/2015/q3/639
  http://frenchairing.blogspot.fr/2015/09/vufind-bug.html
  https://itswift.wordpress.com/2015/09/22/vufind-0day/
  http://permalink.gmane.org/gmane.comp.security.oss.general/17836



谷雨 醉心 冬小麦:

IT 计算机&信息网络 技术:

Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug



Exploit Title: Winmail Server badlogin.php &lid parameter Reflected XSS Web Security Vulnerability
Product: Winmail Server
Vendor: Winmail Server
Vulnerable Versions: 4.2   4.1
Tested Version: 4.2   4.1
Advisory Publication: August 24, 2015
Latest Update: August 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Caution Details:


(1) Vendor & Product Description:


Vendor:

Winmail Server



Product & Vulnerable Versions:
Winmail Server
4.2   4.1



Vendor URL & Download:

Product can be obtained from here,
http://www.magicwinmail.net/download.asp




Product Introduction Overview:

"Winmail Server is an enterprise class mail server software system offering a robust feature set, including extensive security measures. Winmail Server supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam protection, anti-virus protection, SSL security, Network Storage, remote access, Web-based administration, and a wide array of standard email options such as filtering, signatures, real-time monitoring, archiving, and public email folders. Winmail Server can be configured as a mail server or gateway for ISDN, ADSL, FTTB and cable modem networks, beyond standard LAN and Internet mail server configurations."








(2) Vulnerability Details:

Winmail Server web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Winmail Server has patched some of them. "scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training". Scip has recorded similar XSS bugs, such as scipID 26980.



(2.1) 
The code flaw occurs at "&lid" parameter in "badlogin.php" page. In fact, CVE-2005-3692 mentions that "&retid" parameter in "badlogin.php" page is vulnerable to XSS attacks. But it does not mention "&lid" parameter". The scipID of the bug is 26980. Bugtraq (SecurityFocus) ID is 15493. OSVDB ID is 20926.








References: 
http://seclists.org/oss-sec/2015/q3/459 
http://www.tetraph.com/security/xss-vulnerability/winmail-server-4-2-reflected-xss/ 
http://computerobsess.blogspot.com/2015/08/winmail-xss.html
http://marc.info/?l=oss-security&m=144094251309925&w=4
http://permalink.gmane.org/gmane.comp.security.oss.general/17656
https://webtechwire.wordpress.com/2015/08/31/winmail-xss/
http://tetraph.blog.163.com/blog/static/234603051201573115638385/
http://webtechhut.blogspot.com/2015/08/winmail-xss-0day.html
http://ittechnology.lofter.com/post/1cfbf60d_806df2e
http://www.inzeed.com/kaleidoscope/xss-vulnerability/fc2-blog-xss/
http://webcabinet.tumblr.com/post/128010125747/winmail-xss-bug 
http://www.openwall.com/lists/oss-security/2015/08/30/3
https://progressive-comp.com/?l=oss-security&m=144094251309925&w=1



谷雨 醉心 冬小麦:

文豆 & 文库:

Green Life 的喜欢:

IT 计算机&信息网络 技术:

ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Web Security Vulnerabilities


Domain:
http://espn.go.com/


“ESPN (originally an acronym for Entertainment and Sports Programming Network) is a U.S.-based global cable and satellite television channel that is owned by ESPN Inc., a joint venture between The Walt Disney Company (which operates the network, through its 80% controlling ownership interest) and Hearst Corporation (which holds the remaining 20% interest). The channel focuses on sports-related programming including live and recorded event telecasts, sports news and talk shows, and other original programming.


ESPN broadcasts primarily from studio facilities located in Bristol, Connecticut. The network also operates offices in Miami, New York City, Seattle, Charlotte, and Los Angeles. John Skipper currently serves as president of ESPN, a position he has held since January 1, 2012. While ESPN is one of the most successful sports networks, it has been subject to criticism, which includes accusations of biased coverage, conflict of interest, and controversies with individual broadcasters and analysts. ESPN headquarters in Bristol, Connecticut. As of February 2015, ESPN is available to approximately 94,396,000 paid television households (81.1% of households with at least one television set) in the United States. In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries, operating regional channels in Australia, Brazil, Latin America and the United Kingdom, and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada.”(Wikipedia)


Vulnerability description:
Espn.go.com has a cyber security bug problem. It is vulnerable to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.


Those vulnerabilities are very dangerous. Since they happen at ESPN’s “login” & “register” pages that are credible. Attackers can abuse those links to mislead ESPN’s users. The success rate of attacks may be high.


During the tests, besides the links given above, large number of ESPN’s links are vulnerable to those attacks.


The programming code flaw occurs at “espn.go.com”’s “login?” & “register” pages with “redirect” parameter, i.e.

http://streak.espn.go.com/en/login?redirect=

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com

http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=

https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/



Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 8.



Disclosed by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.  (@justqdjing)
http://www.tetraph.com/wangjing/





“The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to XSS and Open Redirect vulnerabilities and cyber intelligence recommendations.




(1) XSS Web Security Vulnerability
XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

  • Identity theft

  • Accessing sensitive or restricted information

  • Gaining free access to otherwise paid for content

  • Spying on user’s web browsing habits

  • Altering browser functionality

  • Public defamation of an individual or corporation

  • Web application defacement

  • Denial of Service attacks




Detail:
http://seclists.org/fulldisclosure/2014/Dec/36




More Details:
http://lists.openwall.net/full-disclosure/2014/12/09/6
http://marc.info/?l=full-disclosure&m=141815942329008&w=4
https://packetstormsecurity.com/files/129450/espngocom-xssredirect.txt
http://inzeed.tumblr.com/post/118510896051/webcabinet-espn-are-suffering
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts/EdBhzmtNLts
https://www.facebook.com/pcwebsecurities/posts/701707826641804
https://hackertopic.wordpress.com/2014/12/17/espn-espn-go-com-
http://lifegreen.lofter.com/post/1cfbf37e_731a270
http://tetraph.blog.163.com/blog/static/234603051201555111422339/
http://frenchairing.blogspot.fr/2015/06/espn-espngocom-login-register-page-xss.html
http://webtech.lofter.com/post/1cd3e0d3_6e6902d
https://twitter.com/essayjeans/status/606833415166394368
https://www.facebook.com/tetraph/posts/1659649470921679
http://www.weibo.com/1644370627/Clc3JaGP7?from=page_1005051644370627
http://russiapost.blogspot.ru/2015/06/espn-espngocom-login-register-page-xss.html
http://ithut.tumblr.com/post/120779685303/inzeed-espn-xss-open-redirect
https://progressive-comp.com/?l=full-disclosure&m=141815942329008&w=1
http://www.inzeed.com/kaleidoscope/xss-vulnerability/espn-xss-open-redirect/


谷雨 醉心 冬小麦:

IT 计算机信息网络安全技术:

行者路上有風有雨有彩虹:

IT 计算机&信息网络 技术:

Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs



Domain:
http://www.facebook.com



"Facebook is an online social networking service headquartered in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website's membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old is allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from a colloquialism for the directory given to it by American universities students." (Wikipedia)


"Facebook had over 1.44 billion monthly active users as of March 2015.Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering in February 2012 and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. As of February 2015 Facebook reached a market capitalization of $212 Billion." (Wikipedia)


Discover:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/





(1) General Vulnerabilities Description:

(1.1) Two Facebook vulnerabilities are introduced in this article.

Facebook has a computer cyber security bug problem. It can be exploited by Open Redirect attacks.  This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do "Covert Redirect" to other websites such as Amazon, eBay, Go-daddy, Yahoo, 163, Mail.ru etc.


(1.1.1) One Facebook Open Redirect vulnerability was reported to Facebook. Facebook adopted a new mechanism to patch it. Though the reported URL redirection vulnerabilities are patched. However, all old generated URLs are still vulnerable to the attacks. Section (2) gives detail of it.

The reason may be related to Facebook's third-party interaction system or database management system or both. Another reason may be related to Facebook's design for different kind of browsers.


(1.1.2) Another new Open Redirect vulnerability related to Facebook is introduced, too. For reference, please read section (3).



Detail:
http://seclists.org/fulldisclosure/2015/Jan/22





Related Articles:
https://packetstormsecurity.com/files/129914/facebook-redirect.txt
https://rstforums.com/forum/archive/index.php/t-95459.html
https://progressive-comp.com/?l=full-disclosure&m=142104333521454&w=1
http://whitehatpost.blog.163.com/blog/static/24223205420155501020837/
http://webtechhut.blogspot.com/2015/06/facebook-old-generated-urls-still.html
http://qianqiuxue.tumblr.com/post/120750458855/itinfotech-facebook-web-security
http://www.weibo.com/5099722551/Cl8mZk3Q3?from=page_1005055099722551
https://infoswift.wordpress.com/2015/01/15/facebook-old-generated-urls
https://twitter.com/buttercarrot/status/606696103329693696
https://www.facebook.com/permalink.php?story_fbid=891088980930247
http://itinfotech.tumblr.com/post/120750347586/facebook-web-security-0day-bug
http://frenchairing.blogspot.fr/2015/06/facebook-old-generated-urls-still.html
http://essaybeans.lofter.com/post/1cc77d20_7300027
http://japanbroad.blogspot.jp/2015/06/facebook-old-generated-urls-still.html
http://ittechnology.lofter.com/post/1cfbf60d_72fd108
https://inzeed.wordpress.com/2015/01/18/facebook-old-generated-urls-still
https://www.facebook.com/permalink.php?story_fbid=745417422235670
http://www.inzeed.com/kaleidoscope/computer-security/facebook-open-redirect/