计算机网络技术

Web News, Technology, Science, etc

网络技术是从1990年代中期发展起来的新技术,它把互联网上分散的资源融为有机整体,实现资源的全面共享和有机协作,使人们能够透明地使用资源的整体能力并按需获取信息。

白帽子安全:

IT 计算机&信息网络 技术:

URFDS: Systematic discovery of Unvalidated Redirects and Forwards in web applications

Author:
Jing Wang, Hongjun Wu
School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore

Abstract:
URL redirection is necessary in web applications. Well-designed redirection makes better user experience. However, if usedimproperly, it could give rise to attacks such as phishing. These improperly used redirections are called Unvalidated Redirects and Forwards (URF). This paper prescribes a mechanism to systemically discover URF vulnerabilities in web applications. The prototype implementation, that we call Unvalidated Redirects and Forwards Detection System (URFDS), uses a black-box scanning technique to modify URLs and analyse the generated output to identify URF. In order to show the feasible of our approach, we tested 142,522,691 unique links and found a great number of vulnerabilities in top websites and popular applications that were overlooked by previous works.

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7346891


日常生活點滴的記錄:

IT 计算机信息网络安全技术:

白帽子计算机安全:

PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug


Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security Vulnerability

Product: PhotoPost PHP

Vendor: PhotoPost

Vulnerable Versions: 4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3

Tested Version: 4.8c  vB3

Advisory Publication: July 25, 2015

Latest Update: July 28, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)




Caution Details:


(1) Vendor & Product Description:


Vendor:

PhotoPost


Product & Vulnerable Versions:

PhotoPost PHP

4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3


Vendor URL & Download:

Product can be obtained from here,

http://www.photopost.com/featuresphp.html


Product Introduction Overview:

"Your search to find the best photo gallery has led you to the most feature rich, best performing, and most widely used gallery available today. PhotoPost is the best way to offer your users the ability to upload, show off, share, discuss, and rate photos and videos on your site. We originally created PhotoPost in 2001 for TechIMO.com, our parent company's own tech discussion website with 2 Million forum posts and 200,000 users, and within weeks we were inundated with requests, so we decided to develop it into a product. Over the past 8 years, PhotoPost has undergone more than 100 "dot" updates by a team of expert developers to add features, tweak performance, and maximize stability. Always in high demand, PhotoPost has been purchased by a staggering 14,500 websites. PhotoPost is most popular amongst vBulletin forum owners. That's because we designed PhotoPost from the beginning to integrate efficiently with a website's existing vBulletin forum, offering users one integrated login and registration instead of two, stylesheet integration, and other enhancements. But what PhotoPost does well for vBulletin owners, it does equally well for those that wish to integrate a gallery with many other forum types, or to simply add a photo gallery to their website with no forum at all. "




(2) Vulnerability Details:

PhotoPost PHP web application has a computer security problem. Hackers can exploit it by XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. PhotoPost PHP has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations.


(2.1) The code flaw occurs at "|utmcct" parameter in "__utmz" Cookie.


For example, if a victim clicks the link below.

http://localhost/gallery/showphoto.php/photo/846/sort/'"><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)>


The content of "__utmz" cookie will be the following:

__utma194200300.1295483682.1438243020.1438243020.1438245659.2

__utmc194200300

__utmz194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com|utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral

__qcaP0-814178849-1438243024810

__utmb194200300

bbsessionhash1683dd3bd3edffbd8383db382f025eba

bblastvisit1438246612


So the malicious code can work in the user's browser for long time.


(2.2) Forum Integrations

"PhotoPost can optionally integrate as an add-on to an existing forum on your site, and we do this extremely well. PhotoPost is a perfect fit with a forum, because sharing and discussing photos within PhotoPost comes naturally for a forum community.


With our forum integration, your users will use their existing forum account to login to PhotoPost, without needing to register again and maintain a separate account. Additionally, we offer stylesheet integrations with several forums to easily setup your PhotoPost gallery to match your forum's look and feel, and with vBulletin 3.x we offer several additional enhancements."


Forum SoftwareUser LoginStylesheetsEnhanced*

vBulletin 5.x

vBulletin 4.x

vBulletin 3.x

Xenforo 1.x

UBBThreads 6.X

UBBThreads 7.X

InvisionBoard 1.0

InvisionBoard 2.0

InvisionBoard 3.0

FusionBB

MyBB 1.0

SMF 1.05 and up

SMF 2.0 and up

WowBB

e107

PHPBB 2.0

PHPBB 3.0

Wordpress 3.x

vBulletin 2.x

DCForums +

IkonBoard

Nuke

PostNuke

Mambo

XMB Forums


(Src: http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php)





References:
http://tetraph.com/security/xss-vulnerability/photopost-php/

http://computerobsess.blogspot.com/2015/07/photopost-php-48c-cookie
http://marc.info/?l=full-disclosure&m=143841053704734&w=4

http://lists.openwall.net/full-disclosure/2015/08/01/1
 
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2300
 
https://hackertopic.wordpress.com/2015/07/30/photopost-xss/
http://seclists.org/fulldisclosure/2015/Aug/0
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://en.hackdig.com/08/26974.htm
http://ithut.tumblr.com/post/125743980368/securitypost-photopost-php-48c-cookie-based
http://whitehatpost.blog.163.com/blog/static/24223205420157341741249/

   

tetraph的喜欢:

日常生活點滴的記錄:

测试想法:

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs


Though Yahoo lists open redirect vulnerability on its bug bounty program. However, it seems Yahoo do not take this vulnerability seriously at all.


Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo's responses were "It is working as designed". However, these vulnerabilities were patched later.


Several other security researcher complained about getting similar treatment, too.
http://seclists.org/fulldisclosure/2014/Jan/51
http://seclists.org/fulldisclosure/2014/Feb/119


All Open Redirect Vulnerabilities are intended behavior? If so, why patch them later?


From report of CNET, Yahoo's users were attacked by redirection vulnerabilities. "Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. "




Moreover, since Yahoo is well-known worldwide. these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Alibaba, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security bug problems have not been patched. Other similar web and computer flaws will be published in the near future.




The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.


Disclosed by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing



Both Yahoo and Yahoo Japan online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.


BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.



Detail:
http://seclists.org/fulldisclosure/2014/Dec/88




Related Articles:
http://lists.openwall.net/full-disclosure/2014/12/19/10
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1355
http://diebiyi.com/articles/security/open-redirect/yahoo-yahoo-com-yahoo-co-jp
http://essaybeans.blogspot.com/2015/06/yahoo-yahoocom-yahoocojp-open-redirect.html
https://webtechwire.wordpress.com/2014/12/23/yahoo-yahoo-com-yahoo-co-jp
https://twitter.com/essayjeans/status/606789286428438528
http://inzeed.tumblr.com/post/118511483471/securitypost-yahoo-and-yahoo-japan-may-be
http://essayjeans.lofter.com/post/1cc7459a_7314ba3
https://plus.google.com/u/0/+essayjeans/posts/GxcKENw4ira
http://www.weibo.com/3973471553/ClaSVxObt?from=page_1005053973471553
http://computerobsess.blogspot.com/2015/06/yahoo-yahoocom-yahoocojp-open-redirect.html
https://www.facebook.com/permalink.php?story_fbid=841616792540365
http://xingti.tumblr.com/post/120770694665/lifegrey-yahoo-url-redirection-bug
http://xingzhehong.lofter.com/post/1cfd0db2_6e68fe3
https://redysnowfox.wordpress.com/2014/12/25/yahoo-open-redirect/
http://whitehatpost.blog.163.com/blog/static/24223205420155581240158
https://www.facebook.com/websecuritiesnews/posts/803277513125754
http://www.inzeed.com/kaleidoscope/spamming/yahoo-url-redirection/


测试想法:

日常生活點滴的記錄:

琐事,日常之事:

IT 计算机信息网络安全技术:

Internet Users Threatened by New Serious Security Flaw, Covert Redirect


A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed "Covert Redirect" by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.


Both standards are employed across the Internet to let users log into websites using their credentials from other sites, such as by logging into a Web forum using a Facebook or Twitter username and password instead of creating a new account just for that forum.


Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw's finder, Mathematics Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.


Wang believes it's unlikely that this flaw will be patched any time soon. He says neither the authentication companies (those with which users have an account, such as Google, Microsoft, Facebook, Twitter or LinkedIn, among others) nor the client companies (sites or apps whose users log in via an account from an authentication company) are taking responsibility for fixing the issue.


"The vulnerability is usually due to the existing weakness in the third-party websites," Wang writes on his own blog. "However, they have little incentive to fix the problem."


The biggest danger of Covert Redirect is that it could be used to conduct phishing attacks, in which cybercriminals seize login credentials, by using email messages containing links to malicious websites disguised as something their targets might want to visit.


Normal phishing attempts can be easy to spot, because the malicious page's URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirect is that an attacker could use the real website instead by corrupting the site with a malicious login popup dialogue box.


For example, say you regularly visit a given forum (the client company), to which you log in using your credentials from Facebook (the authentication company). Facebook uses OAuth 2.0 to authenticate logins, so an attacker could put a corrupted Facebook login popup box on this forum.


If you sign in using that popup box, your Facebook data will be released to the attacker, not to the forum. This means the attacker could possibly gain access to your Facebook account, which he or she  could use to spread more socially engineered attacks to your Facebook friends.


Covert Redirect could also be used in redirection attacks, which is when a link takes you to a different page than the one expected.


Wang told CNET authentication companies should create whitelists — pre-approved lists that block any not on it — of the client companies that are allowed to use OAuth and OpenID to redirect to them. But he said he had contacted a number of these authentication companies, who all shifted blame elsewhere.


Wang told CNET Facebook had told him it "understood the risks associated with OAuth 2.0" but that fixing the flaw would be "something that can't be accomplished in the short term." Google and LinkedIn allegedly told Wang they were looking into the issue, while Microsoft said the issue did not exist on its own sites.


Covert Redirect appears to exist in the implementations of the OpenID and OAuth standards used on client websites and apps. But because these two standards are open-source and were developed by a group of volunteers, there's no company or dedicated team that could devote itself to fixing the issue.



Where does that leave things? 

"Given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service," Chris Wysopal, chief technology officer of Boston-area security firm Veracode and a member of the legendary 1990s hackerspace the L0pht, told CNET.


"It's not easy to fix, and any effective remedies would negatively impact the user experience," Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security, told CNET. "Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws."


Users should be extra-wary of login popups on Web pages. If you wish to log into a given website, it might be better to use an account specific to that website instead of logging in with Facebook, Twitter, or another authentication company, which would require the use of OAuth and/or OpenID to do.


If you think someone has gained access to one of your online accounts, notify the service and change that account's password immediately.





Related Articles:

http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

http://whitehatview.tumblr.com/post/120695795041

http://russiapost.blogspot.ru/2015/05/openid-oauth-20.html

http://www.diebiyi.com/articles/security/covert-redirect/covert_redirect/

http://itsecurity.lofter.com/post/1cfbf9e7_72e2dbe

http://ithut.tumblr.com/post/119493304233/securitypost-une-faille-dans-lintegration

http://japanbroad.blogspot.jp/2015/05/oauthopenid-facebook.html

http://webtech.lofter.com/post/1cd3e0d3_6f0f291

https://webtechwire.wordpress.com/2014/05/11/covert-redirect-attack-worldwide/

http://whitehatview.tumblr.com/post/119489968576/securitypost-sicherheitslucke-in-oauth-2-0-und

http://www.inzeed.com/kaleidoscope/computer-security/facebook-google-attack/


家庭小木屋:

CVE-2015-2214 - NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities


Exploit Title: CVE-2015-2214 NetCat CMS Full Path Disclosure Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 5.01 3.12

Advisory Publication: February 27, 2015

Latest Update: May 05, 2015

Vulnerability Type: Information Leak / Disclosure [CWE-200]

CVE Reference: CVE-2015-2214

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information

Discover and Writer: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)




Suggestion Details:


(1) Vendor & Product Description:

Vendor:

NetCat


Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1


Vendor URL & Download:

NetCat can be accessed from here,

http://netcat.ru/


Product Introduction Overview:

NetCat.ru is russian local company. "NetCat designed to create an absolute majority of the types of sites: from simple "business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."


"Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."


"We give a discount on any edition NetCat

We try to help our partners to enter into a close-knit team. To reduce your expenses on the development of a new system, we provide special conditions for the acquisition of commercial licenses NetCat, for a partner is assigned a permanent discount of 40%, which according to the results of further sales could be increased to 60%."


"Teach your developers work with the secrets NetCat

In addition to the detailed documentation and video tutorials to new partners we offer a unique free service - direct contact with the developer from the team NetCat, which will help in the development of product development tools."


"We give customers

Once you develop the three sites NetCat information about you appear in our ranking developers. This means that you not only begin to receive direct requests from clients but also become a member of tenders conducted by customers. In addition, if the partner is really good work, employees NetCat begin recommending it to clients requesting assistance in the choice of contractor."


"We will help in the promotion of

The company is a regular participant NetCat large number of forums, seminars and conferences. We are happy to organize together with partners involved, help with advertising materials and share information for the report."


"Confirmed its status in the eyes of customers

We have a very flexible system of certification of partners: we do not give certificates for the sale of licenses and for the developed sites. So, for example, to obtain a certificate "Development of corporate websites' to add to your personal account three implementation of the appropriate type."




(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by information leakage attacks - Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Netcat has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to important vulnerabilities.



(2.1) The first programming code flaw occurs at "&redirect_url" parameter in "netshop/post.php?" page.







References:

http://tetraph.com/security/full-path-disclosure-vulnerability/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/netcat-cms-full-path-disclosure.html

http://seclists.org/fulldisclosure/2015/Mar/8

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01740.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1645

http://lists.openwall.net/full-disclosure/2015/03/02/6

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142527117510514&w=2

http://marc.info/?l=full-disclosure&m=142527117510514&w=4

https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://www.tetraph.com/blog/information-leakage-vulnerability/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

http://essayjeans.blog.163.com/blog/static/2371730742015411113047382/

http://www.weibo.com/1644370627/ChjMoA9hD?type=comment#_rnd1431315096193

http://homehut.lofter.com/post/1d226c81_6eae13a

http://qianqiuxue.tumblr.com/post/118667786020/cve-2015-2214-netcat-cms-full-path-disclosure

http://frenchairing.blogspot.fr/2015/05/cve-2015-2214-netcat-cms-full-path.html

https://dailymem.wordpress.com/2015/05/10/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

https://www.facebook.com/mathtopics/posts/459369960879593

https://plus.google.com/u/0/110001022997295385049/posts/XNQAXkF1me7

https://twitter.com/yangziyou/status/597607457670569985


日常生活點滴的記錄:

tetraph的喜欢:

行者路上有風有雨有彩虹:

CVE-2015-2066 - DLGuard SQL Injection Web Security Vulnerabilities

 

Exploit Title: CVE-2015-2066 DLGuard /index.php c parameter SQL Injection Web Security Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v4.5

Tested Version: v4.5

Advisory Publication: February 18, 2015

Latest Update: May 01, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]

CVE Reference: CVE-2015-2066

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 





Recommendation Details:

 

(1) Vendor & Product Description:

 

Vendor:

DLGuard

 

Product & Version:

DLGuard

v4.5

 

Vendor URL & Download:

DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php

 

Product Introduction Overview:

“DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don't have the time for."

 

"DLGuard supports the three types, or methods, of sale on the internet:

<1>Single item sales (including bonus products!)

<2>Multiple item sales

<3>Membership websites"

 

"DLGuard is fully integrated with: PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, Click2Sell, Mal's E-Commerce, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro, and even tracks your free product downloads. The DLGuard built-in Shopping Cart offers Paypal, Authorize.net, and 2Checkout payment options. The Membership areas allow Paypal, Clickbank, 2Checkout, and LinkPoint recurring billing as well as linking to any PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, E-Bullion, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro single sale and free products so that people who buy your products can access your members area. DLGuard is the perfect solution to secure your single sale item, such as a niche marketing website, software sales, ebook sales, and more! DLGuard not only protects your download page, but it makes setting up new products, or making changes to existing products so much quicker and easier than before."

 


(2) Vulnerability Details:

DLGuard web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

 

Several similar products vulnerabilities have been found by some other bug hunter researchers before. DLguard has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to important vulnerabilities.

 

(2.1) The bug programming flaw vulnerability occurs at "&c" parameter in “index.php?” page.

 





 

References:

http://seclists.org/fulldisclosure/2015/Feb/69

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01703.html

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1607

http://lists.openwall.net/full-disclosure/2015/02/18/6

http://marc.info/?a=139222176300014&r=1&w=4

http://www.tetraph.com/blog/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://www.inzeed.com/kaleidoscope/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

https://plus.google.com/u/0/107140622279666498863/posts/44pDNaZao8v

https://biyiniao.wordpress.com/2015/05/11/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://shellmantis.tumblr.com/post/118658089031/inzeed-cve-2015-2066-dlguard-sql-injection#notes

http://xingzhehong.lofter.com/post/1cfd0db2_6ea8323

http://russiapost.blogspot.ru/2015/05/cve-2015-2066-dlguard-sql-injection-web.html

https://www.facebook.com/computersecurities/posts/375386899314769

http://blog.163.com/greensun_2006/blog/static/11122112201541193421290/

https://twitter.com/tetraphibious/status/597577800023838720

http://www.weibo.com/3973471553/Chj5OFIPk?from=page_1005053973471553_profile&wvr=6&mod=weibotime&type=comment#_rnd1431308778074


     

湛天雲海碧波影:

IT 计算机信息网络安全技术:

IT 计算机&信息网络 技术:

CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Web Security Vulnerabilities


Exploit Title:  OptimalSite CMS /display_dialog.php image Parameter XSS Web Security Vulnerability

Vendor: OptimalSite

Product: OptimalSite Content Management System (CMS) 

Vulnerable Versions: V.1 V2.4

Tested Version: V.1 V2.4

Advisory Publication: January 24, 2015

Latest Update: January 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9562

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Credit: Jing Wang [School of Physical and Mathematical Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)


Suggestion Details:


(1) Vendor & Product Description


Vendor: 

OptimalSite


Product & Version: 

OptimalSite Content Management System (CMS) 

V.1 

V2.4


Vendor URL & Download:

The product can be obtained from here,

http://www.optimalsite.com/en/


Product Description Overview: 

"Content management system OptimalSite is an online software package that enables the management of information published on a website. OptimalSite consists of the system core and integrated modules, which allow expanding website possibilities and functionality. You may select a set of modules that suits your needs best. 


Website page structure

Website page structure is presented in a tree structure similar to Windows Explorer, so that several page levels can be created for each item on the menu.  The website's structure itself can be easily edited: you can create new website pages, delete unnecessary ones, and temporarily disable individual pages.


Website languages

OptimalSite may be used to create a website in different languages, the number of which is not limited. Different information may be presented in each separate language and the structure of pages in each language may also differ. 


WYSIWYG (What You See Is What You Get) text editor

Using this universal text editor makes posting and replacing information on the website effortless.   Even a minimum knowledge of MS Word and MS Excel will make it easy to use the tools of WYSIWYG text editor and implement your ideas. 


Search function in the system

By using search function system’s administrator is able to find any information that is published in administrative environment. It is possible to execute a search in the whole system and in separate its’ modules as well.


Recycle bin function

System administrator is able to delete useless data.  All deleted data is stored in recycle bin, so administrator can restore information anytime. "


(2) Vulnerability Details:

OptimalSite web application has a computer security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


Several other the similar product 0-day vulnerabilities have been found by some other bug hunter researchers before. OptinalSite has patched some of them. "Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services." Openwall has published suggestions, advisories, solutions details related to XSS vulnerabilities.



(2.1) The code programming flaw occurs at "&image" parameter in "display_dialog.php" page.





References:

http://www.tetraph.com/blog/xss-vulnerability/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-web-security-vulnerabilities/

http://www.inzeed.com/kaleidoscope/xss-vulnerability/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-web-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/xss-vulnerability/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-web-security-vulnerabilities/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9562

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9562

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01646.html

http://lists.openwall.net/full-disclosure/2015/02/02/3

http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1546

https://redysnowfox.wordpress.com/2015/05/10/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-web-security-vulnerabilities/

http://japanbroad.blogspot.sg/2015/05/cve-2014-9562-optimalsite-content.html

http://tetraph.blog.163.com/blog/static/234603051201541082835108/

https://www.facebook.com/permalink.php?story_fbid=1025716320801705&id=922151957824809

https://twitter.com/yangziyou/status/597377123976785920

http://www.weibo.com/5337321538/ChdW1skbf?ref=home&rid=0_0_1_2666499023890563989&type=comment#_rnd1431261523301

https://plus.google.com/110001022997295385049/posts/7rNn4ynjzRP

http://itsecurity.lofter.com/post/1cfbf9e7_6e96648

http://securitypost.tumblr.com/post/118602594462/cve-2014-9562-optimalsite-content-management

     


IT 计算机信息网络安全技术:

Yahoo and Yahoo Japan May be Vulnerable to Spams


Student security researcher Wang Jing from School of Physical and Mathematical Sciences at Nanyang Technological University, Singapore, has found new security vulnerabilities related to Yahoo.


After reporting several Open Redirect vulnerabilities to Yahoo. Yahoo’s responses were “It is working as designed”. It seems that Yahoo do not take the vulnerabilities seriously at all.


Based on Wang’s report on Full Disclosure “Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “this intended behavior”. However, these vulnerabilities were patched later.“


The vulnerability of Yahoo occurs at “ard.yahoo.com” page. While the vulnerability of Yahoo Japan happens at sensitive page “http://order.store.yahoo.co.jp”.
Proof of concept on YouTube were also released to illustrate exploits. 

(1)Yahoo Open Redirect
https://www.youtube.com/watch?v=k4eFLsTyZkg
(2)Yahoo Japan Unvalidated Redirects and Forwards (URF)
https://www.youtube.com/watch?v=2SM78WKAVr8

In fact, Yahoo’s users were attacked based on redirection this year. Base on CNET on January 4, 2014, “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. ” 


Wang wrote that the attack could work without a user being logged in. And his tests were using Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in Windows 8.
Redirect can ensure a good user experience. However, if it is not properly provided. Attackers can use this to trick users. This is common in Phishing attacks and Spams.


On 21 December, 2014. Yahoo.com’s Alexa ranking is 4. While Yahoo.co.jp’s Alexa ranking is 17. Both of them are very popular around the world. From Wikipedia, “Yahoo during July 2013 surpassed Google on the number of United States visitors to its Web sites for the first time since May 2011, set at 196 million United States visitors, having increased by 21 percent in a year.” 

 
Open redirect is listed in OWASP top 10. The general consensus of it is “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust.”