KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

 

Exploit Title: KnowledgeTree login.php &errorMessage parameter Reflected XSS Web Security Vulnerability

Product: Knowledge Tree Document Management System

Vendor: Knowledge Inc

Vulnerable Versions: OSS 3.0.3b

Tested Version: OSS 3.0.3b

Advisory Publication: August 22, 2015

Latest Update: August 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

knowledge_tree_page

 

 

knowledge tree_xss

 

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

KnowledgeTree

 

Product & Vulnerable Versions:

Knowledge Tree Document Management System

OSS 3.0.3b

 

Vendor URL & Download:

Product can be obtained from here,
http://download.cnet.com/KnowledgeTree-Document-Management-System/3000-10743_4-10632972.html
http://www.knowledgetree.com/

 

Product Introduction Overview:

“KnowledgeTree is open source document management software designed for business people to use and install. Seamlessly connect people, ideas, and processes to satisfy all your collaboration, compliance, and business process requirements. KnowledgeTree works with Microsoft® Office®, Microsoft® Windows® and Linux®.”

 

 

 

 

(2) Vulnerability Details:

KnowledgeTree web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. KnowledgeTree has patched some of them. “Bugtraq is an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, and almost all new vulnerabilities are discussed there.”. It has listed similar exploits, such as Bugtraq (Security Focus) 32920.

 

(2.1) The code flaw occurs at “&errorMessage” parameter in “login.php” page.

One similar bug is CVE-2008-5858. Its X-Force ID is 47529.

 

 

 

 

 

 

Rakuten Website Search Page XSS (cross site scripting) Web Security Vulnerability

rakuten_de_search_xss1

Rakuten Website Search Page XSS (cross site scripting) Web Security Vulnerability

“Rakuten, Inc. (楽天株式会社 Rakuten Kabushiki-gaisha?) is a Japanese electronic commerce and Internet company based in Tokyo, Japan. Its B2B2C e-commerce platform Rakuten Ichiba is the largest e-commerce site in Japan and among the world’s largest by sales. Hiroshi Mikitani founded the company in February 1997 as MDM, Inc., and is still its chief executive. Rakuten Shopping Mall (楽天市場 Rakuten Ichiba?) started operations in May 1997. In June 1999, the company changed its name to Rakuten, Inc. The Japanese word rakuten means optimism. In 2012, the company’s revenues totaled US$4.6 billion with operating profits of about US$244 million. In June 2013, Rakuten, Inc. reported it had a total of 10,351 employees worldwide. In 2005, Rakuten started expanding outside Japan, mainly through acquisitions and joint ventures. Its acquisitions include Buy.com (now Rakuten.com Shopping in the US), Priceminister (France), Ikeda (now Rakuten Brasil), Tradoria (now Rakuten Deutschland), Play.com (UK), Wuaki.tv (Spain), and Kobo Inc. (Canada). The company has investments in Pinterest, Ozon.ru, AHA Life, and Daily Grommet.” (Wikipedia)

 

The Alexa rank of rakuten.co.jp is 64 on May 29 2015. It is the second toppest Japanese local sevice website.




(1) Vulnerability description:

Rakuten has a computer cyber security bug problem. It is vulnerable to XSS attacks. Here is the description of XSS: “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.” (OWSAP)

 

The program code flaw occurs at “q” parameter in at “suchen/asd/?” pages, i.e.
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=reddit_nice_music_news

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (37.02) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 7. The bugs found by using CSXDS.

 

POC Code:
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment‘ /”><img src=x onerror=prompt(/justqdjing/)>

Vulnerability Disclosure:
Those vulnerabilities are patched now.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing








===








楽天ウェブ検索ページXSS(クロスサイトスクリプティング)のWebセキュリティ脆弱性

 

ドメイン:
http://www.rakuten.de/

“楽天株式会社(らくてん、英: Rakuten, Inc.)は、ネットショッピングなどのインターネットサービスを運営している[日本の企業である。1997年に現会長兼社長の三木谷浩史が創業した。 インターネットショッピングモール「楽天市場」や総合旅行サイト「楽天トラベル」、ポータルサイト「インフォシーク」の運営その他ECサイトの運営を行う。東京証券取引所第一部上場企業(証券コード:4755)。グループ会員は9,977万人。” (ja.wikipedia.org)






(1)脆弱性の説明:

rakuten.deは、コンピュータのサイバーセキュリティバグの問題があります。これは、XSS攻撃に対して脆弱です。ここでXSSの説明です:「クロスサイトスクリプティング(XSS)攻撃は、悪意のあるスクリプトがそうでなければ良性と信頼できるWebサイトに注入された注入の種類、ある攻撃者が悪意のあるコードを送信するために、Webアプリケーションを使用する際にXSS攻撃が発生しました。 、一般的にブラウザ側スクリプトの形で、別のエンドユーザーに。これらの攻撃が成功することを可能に傷はかなり普及しているWebアプリケーションはそれを検証するか、エンコードせずに生成する出力内のユーザからの入力を使用して任意の場所に発生します。」 (OWSAP)

 

プログラムコードの欠陥は、に “Q”パラメータで発生する「suchen / ASD /? “ページ、すなわち、
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=reddit_nice_music_news



この脆弱性は、ユーザのログインなしで攻撃される可能性があります。テストはWindows 7でのUbuntu(14.04)とIE​​(8.0。7601)にはFirefox(37.02)で行いました。




 

POCコード:
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment ‘/ “> <IMG SRC = x onerror = alert(/ tetraph /)>




脆弱性の公開:
これらの脆弱性は、現在パッチが適用されます。

 

 

 

発見し、レポーター:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (@justqdjing
http://www.tetraph.com/wangjing



CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

images18

 

CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

 

Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: InstantForum.NET

Vendor: InstantASP

Vulnerable Versions: v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0

Tested Version: v4.1.3 v4.1.1 v4.1.2

Advisory Publication: February 18, 2015

Latest Update: April 05, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9468

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 
 
 
 

Preposition Details:

(1) Vendor & Product Description:

Vendor:

InstantASP


 

Product & Version:

InstantForum.NET

v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0

 

Vendor URL & Download:

InstantForum.NET can be purchased from here,

http://docs.instantasp.co.uk/InstantForum/default.html?page=v413tov414guide.html

 

Product Introduction Overview:

“InstantForum.NET is a feature rich, ultra high performance ASP.NET & SQL Server discussion forum solution designed to meet the needs of the most demanding online communities or internal collaboration environments. Now in the forth generation, InstantForum.NET has been completely rewritten from the ground-up over several months to introduce some truly unique features & performance enhancements.”


“The new administrator control panel now offers the most comprehensive control panel available for any ASP.NET based forum today. Advanced security features such as role based permissions and our unique Permission Sets feature provides unparalleled configurable control over the content and features that are available to your users within the forum. Moderators can easily be assigned to specific forums with dedicated moderator privileges for each forum. Bulk moderation options ensure even the busiest forums can be managed effectively by your moderators.”


“The forums template driven skinning architecture offers complete customization support. Each skin can be customized to support a completely unique layout or visual appearance. A single central style sheet controls every aspect of a skins appearance. The use of unique HTML wrappers and ASP.NET 1.1 master pages ensures page designers can easily integrate an existing design around the forum. Skins, wrappers & master page templates can be applied globally to all forums or to any specific forum.”

 
 

(2) Vulnerability Details:

InstantForum.NET web application has a cyber security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. InstantForum has patched some of them. BugScan is the first community-based scanner, experienced five code refactoring. It has redefined the concept of the scanner provides sources for the latest info-sec news, tools, and advisories. It also publishs suggestions, advisories, cyber intelligence, attack defense and solutions details related to important vulnerabilities.

 

(2.1) The first programming code flaw occurs at “&SessionID” parameter in “Join.aspx?” page.


(2.2) The second programming code flaw occurs at “&SessionID” parameter in “Logon.aspx?” page.

 
 
 
 

References:

https://tetraph.wordpress.com/2015/05/13/cve-2014-9468/

http://whitehatview.tumblr.com/post/118853357881/tetraph-cve-2014-9468-instantasp

CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

cyber-security-breach-hacked

 

CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities
 

Exploit Title: vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: vBulletin Forum

Vendor: vBulletin

Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

Tested Version: 5.1.3 4.2.2

Advisory Publication: February 12, 2015

Latest Update: February 26, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9469

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Writer and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

Preposition Details:

(1) Vendor & Product Description:

Vendor:

vBulletin

 

Product & Version:

vBulletin Forum

5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

 
Vendor URL & Download:

vBulletin can be acquired from here,

 

Product Introduction Overview:

“vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.”

Since the initial release of the vBulletin forum product in 2000, there have been many changes and improvements. Below is a list of the major revisions and some of the changes they introduced. The current production version is 3.8.7, 4.2.2, and 5.1.3.

Simplified site set up and customization

The new Site Builder makes it easier than ever to build and manage a site. Customizable page templates, drag-and-drop configuration and in-line site editing simplify page layout. A variety of design themes can be easily selected.
Dynamic tools for content discovery

Customizable content modules provide enhanced content discovery, engaging users into deeper site visits. The vBulletin search has been re-architected to significantly improve the quality of its results, further facilitating content discovery.
Sleek new UI features activity stream and increased social engagement

Improved social functionality includes groups, new user profiles, comments functionality, an integrated messaging hub, social content curation, real-time updates and more.
Expanded photo and video capabilities

The new interface invites users to quickly post photos and video, expanding content on vBulletin sites. This media is then leveraged by being better integrated with the rest of a site’s content. User profiles provide an engaging aggregation of all media posted by them.
Category-leading mobile optimization

The integrated mobile-optimized version ensures smartphone visitors will stay longer and return.
Robust architecture

Improved architecture provides better performance and easier customization

Built-in SEO helps maximize search traffic

Easy-to-use upgrader tool available for vBulletin 3 and 4 sites, plus importer for sites on other forum software”

 

 

(2) Vulnerability Details:

vBulletin web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. vBulletion has patched some of them. Gmane (pronounced “mane”) is an e-mail to news gateway. It allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list’s inclusion on the service. It has published suggestions, advisories, solutions related to important vulnerabilities.

(2.1) The programming code flaw occurs at “forum/help” page. Add “hash symbol” first. Then add script at the end of it.

 

 

 
 
 

References:

https://www.facebook.com/permalink.php?story_fbid=880689078636904&id=825031907535955&__mref=message_bubble

http://shellmantis.tumblr.com/post/118777939056/lifegrey-cve-2014-9469-vbulletin-xss#notes

http://testingcode.lofter.com/post/1cd26eb9_6eec951

https://www.facebook.com/permalink.php?story_fbid=661392814005834&id=594347777377005&__mref=message_bubble

http://tetraph.blogspot.com/2015/05/cve-2014-9469-vbulletin-xss-cross-site.html

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2014-9469-vbulletin-xss/

https://www.facebook.com/computersecurities/posts/375780759275383?
http://tetraph.lofter.com/post/1cc758e0_6eeac27

https://plus.google.com/102963385033389079817/posts/1ACxSMZYmCS

http://computerobsess.blogspot.com/2015/05/cve-2014-9469-vbulletin-xss-cross-site.html

https://twitter.com/justqdjing/status/598116948245807105

 

 

 

 

CVE-2008-2335 – Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities

vastal_2

 

CVE-2008-2335 – Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities
Exploit Title: Vastal I-tech phpVID Multiple XSS Security Vulnerabilities
Product: phpVID
Vendor: Vastal I-tech
Vulnerable Versions: 1.2.3   0.9.9
Tested Version: 1.2.3   0.9.9
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2008-2335
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

 

Suggestion Details:

(1) Vendor & Product Description:


Vendor:

Vastal I-tech

 

Product & Vulnerable Versions:

phpVID

1.2.3

0.9.9

 

Vendor URL & Download:

phpVID can be bought from here,

http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA

 

Product Introduction:

“phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy. “

“The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a “single dedicated server”. phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: http://www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com.”

“Server Requirements:

Preferred Server: Linux any Version

PHP 4.1.0 or above

MySQL 3.1.10 or above

GD Library 2.0.1 or above

Mod Rewrite and .htaccess enabled on server.

FFMPEG (If you wish to convert the videos to Adobe Flash)”

 

 

 

(2) Vulnerability Details:

phpVID web application has a security bug problem. It can be exploited by XSS (Cross-site Scripting) attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Some bug hunter researchers also have found other XSS vulnerabilities related to it before. phpVID has patched some of them.

(2.1) The first code programming flaw occurs at “members.php?” page with “&browse” parameter.

(2.2) The second code programming flaw occurs at “login.php?” page with “&next” parameter.

(2.3) The third code programming flaw occurs at “search_results.php?” page with “&query” parameter.

(2.4) The fourth code programming flaw occurs at “groups.php?” page with “&type” parameter.

 

 

 

 

References:
http://www.tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss
http://securityrelated.blogspot.com/2015/03/vastal-i-tech-phpvid-123-multiple-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/vastal-i-tech-phpvid-1-2-3
http://diebiyi.com/articles/security/vastal-i-tech-phpvid-1-2-3-multiple
https://cxsecurity.com/issue/WLB-2015030026
http://computerobsess.blogspot.com/2015/09/vastal-xss.html
https://hackertopic.wordpress.com/2015/08/13/vastal-xss/
http://lists.openwall.net/full-disclosure/2015/03/10/9
http://tetraph.blog.163.com/blog/static/234603051201584111058296/
http://marc.info/?l=full-disclosure&m=142601091100720&w=4
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1700

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

vastal_1

 

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

Exploit Title: CVE-2015-2563 Vastal I-tech phpVID /groups.php Multiple Parameters SQL Injection Web Security Vulnerabilities

Product: phpVID

Vendor: Vastal I-tech

Vulnerable Versions: 1.2.3 0.9.9

Tested Version: 1.2.3 0.9.9

Advisory Publication: March 13, 2015

Latest Update: April 25, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2563

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

 

Direction Details:



(1) Vendor & Product Description:



Vendor:

Vastal I-tech

 

Product & Vulnerable Versions:

phpVID

1.2.3

0.9.9

 

Vendor URL & Download:

phpVID can be approached from here,

http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA


Product Introduction Overview:

“phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy.”


“The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a “single dedicated server”. phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: http://www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com.”


“Server Requirements:

Preferred Server: Linux any Version

PHP 4.1.0 or above

MySQL 3.1.10 or above

GD Library 2.0.1 or above

Mod Rewrite and .htaccess enabled on server.

FFMPEG (If you wish to convert the videos to Adobe Flash)”

 

 

 

(2) Vulnerability Details:

phpVID web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other bug hunter researchers have found some SQL Injection vulnerabilities related to it before, too. phpVID has patched some of them.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpVID has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, solutions details related to important vulnerabilities.



(2.1) The first code programming flaw occurs at “&order_by” “&cat” parameters in “groups.php?” page.


 

 

 

 

Related Links:

http://packetstormsecurity.com/files/130754/Vastal-I-tech-phpVID-1.2.3-SQL-Injection.html

https://progressive-comp.com/?l=full-disclosure&m=142601071700617&w=2

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1699

http://lists.openwall.net/full-disclosure/2015/03/10/8

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142601071700617&w=2

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2563/

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551597501701&w=2

https://cxsecurity.com/issue/WLB-2015020091

https://www.facebook.com/permalink.php?story_fbid=935563809832135&id=874373602617823

http://biboying.lofter.com/post/1cc9f4f5_6ee2aa5

http://mathpost.tumblr.com/post/118768553885/xingti-cve-2015-2563-vastal-i-tech-phpvid


WordPress Daily Edition Theme v1.6.2 Information Leakage Security Vulnerabilities

wordpress_daily_edition_4

WordPress Daily Edition Theme v1.6.2 Information Leakage Security Vulnerabilities

Exploit Title: WordPress Daily Edition Theme /thumb.php src Parameters Information Leakage Security Vulnerabilities

Product: WordPress Daily Edition Theme

Vendor: WooThemes

Vulnerable Versions: v1.6.* v1.5.* v1.4.* v1.3.* v1.2.* v1.1.* v.1.0.*

Tested Version: v1.6.2

Advisory Publication: March 10, 2015

Latest Update: March 10, 2015

Vulnerability Type: Information Exposure [CWE-200]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]


Advisory Details:

(1) Vendor & Product Description:

Vendor:

WooThemes

Product & Vulnerable Versions:

WordPress Daily Edition Theme

version 1.6.7

version 1.6.6

version 1.6.5

version 1.6.4

version 1.6.3

version 1.6.2

version 1.6.1

version 1.6

version 1.5

version 1.4.11

version 1.4.10

version 1.4.9

version 1.4.8

version 1.4.7

version 1.4.6

version 1.4.5

version 1.4.4

version 1.4.3

version 1.4.2

version 1.4.1

version 1.4.0

version 1.3.2

version 1.3.1

version 1.3

version 1.2.1

version 1.2

version 1.1.2

version 1.1.1

version 1.1

version 1.0.12

version 1.0.11

version 1.0.10

version 1.0.9

version 1.0.8

version 1.0.7

version 1.0.6

version 1.0.5

version 1.0.4

version 1.0.3

version 1.0.2

version 1.0.1

version 1.0

Vendor URL & buy:

WordPress Daily Edition Theme can be got from here,

http://www.woothemes.com/products/daily-edition/

http://dzv365zjfbd8v.cloudfront.net/changelogs/dailyedition/changelog.txt

Product Introduction:

“Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication”

“The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management.”

“Unique Features

These are some of the more unique features that you will find within the theme:

A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.

A “talking points” home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives.

A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display.

A javascript home page video player with thumbnail hover effect.

16 delicious colour schemes to choose from!”

(2) Vulnerability Details:

WordPress Daily Edition Theme has a web application security bug problem. It can be exploited by information leakage attacks. This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

(2.1) The code flaw occurs at “thumb.php?” page with “src” parameters.

References:

http://tetraph.com/security/information-leakage-vulnerability/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162_10.html

http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/

https://webtechwire.wordpress.com/2015/03/10/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/

http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2

https://cxsecurity.com/issue/WLB-2015020093

WordPress Daily Edition Theme v1.6.2 XSS (Cross-site Scripting) Security Vulnerabilities

wordpress_daily_editon2

WordPress Daily Edition Theme v1.6.2 XSS (Cross-site Scripting) Security Vulnerabilities

Exploit Title: WordPress Daily Edition Theme /fiche-disque.php id Parameters XSS Security Vulnerabilities

Product: WordPress Daily Edition Theme

Vendor: WooThemes

Vulnerable Versions: v1.6.* v1.5.* v1.4.* v1.3.* v1.2.* v1.1.* v.1.0.*

Tested Version: v1.6.2

Advisory Publication: March 10, 2015

Latest Update: March 10, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Advisory Details:


(1) Vendor & Product Description:


Vendor:

WooThemes

Product & Vulnerable Versions:

WordPress Daily Edition Theme

version 1.6.7

version 1.6.6

version 1.6.5

version 1.6.4

version 1.6.3

version 1.6.2

version 1.6.1

version 1.6

version 1.5

version 1.4.11

version 1.4.10

version 1.4.9

version 1.4.8

version 1.4.7

version 1.4.6

version 1.4.5

version 1.4.4

version 1.4.3

version 1.4.2

version 1.4.1

version 1.4.0

version 1.3.2

version 1.3.1

version 1.3

version 1.2.1

version 1.2

version 1.1.2

version 1.1.1

version 1.1

version 1.0.12

version 1.0.11

version 1.0.10

version 1.0.9

version 1.0.8

version 1.0.7

version 1.0.6

version 1.0.5

version 1.0.4

version 1.0.3

version 1.0.2

version 1.0.1

version 1.0

Vendor URL & buy:

WordPress Daily Edition Theme can be got from here,

http://www.woothemes.com/products/daily-edition/

http://dzv365zjfbd8v.cloudfront.net/changelogs/dailyedition/changelog.txt

Product Introduction:

“Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication”

“The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management.”

“Unique Features

These are some of the more unique features that you will find within the theme:

A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.

A “talking points” home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives.

A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display.

A javascript home page video player with thumbnail hover effect.

16 delicious colour schemes to choose from!”

(2) Vulnerability Details:

WordPress Daily Edition Theme web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

(2.1) The code programming flaw occurs at “fiche-disque.php?” page with “id” parameters.

References:

http://tetraph.com/security/xss-vulnerability/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-xss.html

http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/

https://webtechwire.wordpress.com/2015/03/10/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142426561507008&w=2

https://cxsecurity.com/issue/WLB-2015030029

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

superwebmailer_1

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities



Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.*   4.*.0.*

Tested Version: 5.*.0.*   4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Information Details:



(1) Vendor & Product Description:



Vendor:

SuperWebMailer




Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875



Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/




Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”


“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”


“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”






(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. 



Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.


(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.








Related Results:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html





CVE-2015-1475 – My Little Forum Multiple XSS Web Security Vulnerabilities

computer-security-art

CVE-2015-1475  – My Little Forum Multiple XSS Web Security Vulnerabilities

Exploit Title: My Little Forum Multiple XSS Web Security Vulnerabilities

Vendor: My Little Forum

Product: My Little Forum

Vulnerable Versions: 2.3.3  2.2  1.7

Tested Version: 2.3.3  2.2  1.7

Advisory Publication: February 04, 2015

Latest Update: February 11, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-1475

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Credit: Jing Wang [School of Mathematical Sciences (001), University of Science and Technology of China (USTC)] (@justqdjing)


 
 
 

Recommendation Details:

(1) Vendor & Product Description
 

Vendor:

My Little Forum
 

Product & Version:

My Little Forum

2.3.3

2.2

1.7

 
Vendor URL & Download:

http://mylittleforum.net/

 
Product Description:

“my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.

Features

Usenet like threaded tree structure of the messages

Different views of the threads possible (classical, table, folded)

Categories and tags

BB codes and smilies

Image upload

Avatars

RSS Feeds

Template engine (Smarty)

Different methods of spam protection (can be combined: graphical/mathematical CAPTCHA, wordfilter, IP filter, Akismet, Bad-Behavior)

Localization: language files, time zone and UTF-8 support (see current version for already available languages)”


 
 

(2) Vulnerability Details:

My Little Forum  web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. My Little Forum has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to XSS vulnerabilities.

(2.1) The first programming code flaw occurs at “forum.php?” page with “&page”, “&category” parameters.

(2.2) The second programming code flaw occurs at “board_entry.php?” page with “&page”, “&order” parameters.

(2.3) The third programming code flaw occurs at  “forum_entry.php” page with “&order”, “&page” parameters.


 
 
 

References:

http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html

http://seclists.org/fulldisclosure/2015/Feb/15

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01652.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1553

http://packetstormsecurity.com/files/authors/11270

http://marc.info/?a=139222176300014&r=1&w=4

http://lists.openwall.net/full-disclosure/2015/02/03/2

http://essaybeans.blogspot.com/2015/05/cve-2015-1475-my-little-forum-multiple.html

http://www.osvdb.org/creditees/12822-wang-jing

https://infoswift.wordpress.com/2015/05/12/cve-2015-1475-my-little-forum-multiple-xss-web-security-vulnerabilities/

https://twitter.com/tetraphibious/status/597971919892185088

http://japanbroad.blogspot.jp/2015/05/cve-2015-1475-my-little-forum-multiple.html

https://www.facebook.com/tetraph/posts/1649600031926623

http://user.qzone.qq.com/2519094351/blog/1431403836

https://www.facebook.com/permalink.php?story_fbid=460795864075109&id=405943696226993

https://plus.google.com/+wangfeiblackcookie/posts/Sj63XDPhH1j

http://essayjeans.blog.163.com/blog/static/2371730742015412037547/#

http://whitehatpost.lofter.com/post/1cc773c8_6ed5839

http://whitehatview.tumblr.com/post/118754859716/cve-2015-1475-my-little-forum-multiple-xss-web