Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Web Application Vulnerability. Show all posts
Web Application Vulnerability
Vulnerability Web Application Vulnerability

Valve fixes a bug which allowed hackers to access its users account

Valve’s Steam, an American video game development and digital distribution company headquartered in Bellevue, Washington, United States which has millions of accounts all over the world, has fixed a loophole which could allow an attacker easily take over an arbitrary account by using account's username.

According to a report published in Master Herald, a flaw in the Steam’s password recovery feature was the reason behind the exploitation. As per a demonstration in a video posted on YouTube, the feature sends a recovery code to the registered e-mail address linked with the account. The code needs to be entered on a form through the Steam website.

However, the attacker could skip that code entry step, leaving the recovery code area blank, and have full access to the password change dialog. Although, the company has fixed the loophole, the vulnerability had done a lot of damages many users’ account.

“Now, the users, who actively trade on the Steam Market, are worried as they think their accounts have been compromised.

However, it is said that the Valve hasn’t commented on the situation yet.

The company has urged its users to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should definitely not ignore it, and proceed to verify that their account is still accessible.

It is important to note that the information contained in the e-mail itself is not necessary to carry out the attack.


“Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers are able to simply keep resetting it over and over again, and there was no good way to stop them,” the report added.
Read more »
Web Application Vulnerability
Joomla vulnerability Vulnerability Web Application Vulnerability

Bug in Joomla! Extension VirtueMart allows hacker to gain Super Admin access

Security researchers at Sucuri found a critical security vulnerability in  VirtueMart, a popular e-commerce extension for the Joomla which has been downloaded more than 3.5 million times.

The vulnerability allows a malicious user to easily gain super admin privilege. With the Super Admin access, the hacker has full control of the website.

Sucuri removed the technical details about the bug after receiving a request from the developer of VirtueMart.

"VirtueMart uses Joomla’s JUser class “bind” and “save” methods to handle user accounts information. That’s not a problem in it of itself, but this class is very tricky and easy to make mistakes with." Researcher wrote in Sucuri's blog post.

VirtueMart has claimed the bug is in Joomla. Researchers at Sucuri also believe the problem is on the Joomla class itself. However, few Joomla experts disagree with the VirtueMart and Sucuri.

"The vulnerability is in VirtueMart's amateurish use of JUser, not the JUser class itself. JUser is a low level API in Joomla! which expects filtered input." Nicholas Dionysopoulos, a contributer to Joomla Project, posted in a Facebook post.

"The modus operandi of programmatic user account creation in Joomla! is to first filter the input using JInput (typically through JFactory::getApplication()->input, not a new object instance), construct an array with only the keys you need and the pass this to JUser. "


The bug was discovered last week and have been fixed in the latest version of VirtueMart(v2.6.10).
Read more »
Web Application Vulnerability
Breaking News Hacking News Web Application Vulnerability

Researcher finds vulnerability in eBay and claims he uploaded a shell

 
Jordan Jones(@CEHSecurity), a Security researcher, claims to have discovered a critical security vulnerability in the eBay website for employees that allowed him to upload a backdoor shell.

Jordan said in his tweet that he notified about the vulnerability to eBay.  A screenshot published in his twitter account shows that he is able to upload a 'shell.php' file in the following location:

"https://dsl.ebay.com/wp-includes/Text/Diff/Engine/shell.php"
At the time of writing, the file is still there.   The last modified date of the file is December 2012. It is quite possible to modify the TimeStamp. So, we are not sure from when the file is there.

Trying to access the shell ends up in blank page.  It means either the researcher have modified the shell to run only when a particular input is passed or it is not a shell.

Jordan have also discovered a cross site scripting vulnerability in the eBay Research Labs page(labs.ebay.com).
Read more »
Web Application Vulnerability
hacker news SSRF Vulnerability Web Application Vulnerability

Critical SSRF vulnerability in Paypal's subsidiary allows to access Internal Network

Shubham Shah, a web application pentester from Australia, has discovered a critical Server Side Request Forgery(SSRF) vulnerability in the Bill Me Later website, a subsidiary of Paypal. The vulnerability exists in the subdomain(merchants.billmelater.com).

"The vulnerability itself was found within a test bed for BillMeLater’s SOAP API, which allowed for queries to be made to any given host URL." researcher explained in his blog post.

An attacker is able to send request to any internal network through the API and get the response.  Some internal admin pages allowed him to query internal databases without asking any login credentials.

Researcher says that a successful exploitation may result in compromising the customers data.

The bug was reported to Paypal on October 2013 and he got reward from them on Jan. 2014.

Paypal has partially fixed the bug by restricting the SOAP API to access the internal servers.  However, researcher says that it still act as proxy to view other hosts.

If you would like to know more details about SSRF vulnerability and how it can be exploited for port scanning or internal network finding, you can refer the Riyaz Waliker blog post and this document.
Read more »
Web Application Vulnerability
Express Language Injection Indian Security Researchers Vulnerability Web Application Vulnerability

Express Language(EL) Injection vulnerability in Paypal's subsidiary

An Indian Security researcher Piyush Malik has discovered an Expression Language(EL) Injection security flaw in Zong, a subsidiary of Paypal.

According to OWASP, EL Injection is a vulnerability that allows hacker to control data passed to the EL Interpreter.  In some cases, it allows attackers to execute arbitrary code on the server.

Researcher Malik said in his blog that Zong was running an outdated version of Clearspace(Now known as Jive software) on a subdomain.

"Clearspace is a Knowledge management tool and is Integrated with Spring Framework. EL Pattern was used in Spring JSP Tags which made Clearspace Vulnerable to this Bug." Malik explained in his blog.

He found two forms in the site which are vulnerable to this bug. He was able to perform some arithmetic operations using the vulnerable field.

One of the vulnerable urls:
https://clearspace.zong.com/login!input.jspa?unauth=${custom command here}

An attacker can inject a Express Language command on the 'unauth' field which will be executed in the server.  In his demo, researcher inject an arithmetic command(https://clearspace.zong.com/login!input.jspa?unauth=${100*3}) and able to executed it.

Paypal has offered some bounty amount for his finding.  Researcher didn't disclose the bounty amount.

About EL Injection vulnerability is first documented by security researchers from Minded Security in 2011.  You can find the document here: https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Read more »
Web Application Vulnerability
DDOS Attacks Tomcat Vulnerability Vulnerability Web Application Vulnerability

CVE-2014-0050: Apache Tomcat vulnerable to Denial of service attack

If you are a developer, you should always be careful when writing loops especially an endless loops [ for(;;) or while(true) ] which are coded to be stopped by an 'if' statement.

Security researchers from TrustWave have explained how an endless 'for' loop resulted in a denial of service vulnerability that could allow attackers to launch DOS attacks against websites hosted on Apache Tomcat servers.

The vulnerability(CVE-2014-0050) is located in Apache Commons FileUpload file.  The 'for' loop in the file is coded in such a way that it will be stopped by raising an exception or by returning a value. 

An attacker can send a malformed 'Content-type' header for a multipart request which could result in an infinite loop.

Multipart is often used in HTTP request for uploading files.  Values in the multipart requests are separated by a magic line called "boundary".  Boundary is a random string which will be defined in the 'content-type' header.

By sending a boundary value longer than 4091 characters and 'body' longer than 4096 characters, the 'for' loop won't be stopped by both 'if' statement.

TrustWave researchers managed to send four times a request containing more than 4091 characters in the boundary field that forces vulnerable tomcat server into an infinite loop.  As a result, the tomcat server will end up in consuming all available CPU resources until it is stopped.
Read more »
Web Application Vulnerability
Hacking News Joomla vulnerability Vulnerability Web Application Vulnerability

Thousands of Joomla websites using JomSocial vulnerable to Remote Code Execution

Thousands of Joomla websites using JomSocial are vulnerable to Remote Code Execution vulnerability.  JomSocial is a social networking extension for Joomla CMS.

The extension is currently listed on the Joomla's Vulnerable Extension list.  The vulnerability is being exploited in the wild, several users have reported that someone had hacked into their website.

According to JomSocial, hackers breached JomSocial website by exploiting this vulnerability.  The security experts at JomSocial have spotted the attack and released a patch for this vulnerability.  While analyzing the vulnerability which is being exploited, they also discovered another critical vulnerability.

The vulnerability was discovered by a security researcher Matias Fontanini.  He notified JomSocial about the vulnerability.  At first, the team said that they have fixed the issue in the 3.1.0.1. However, researcher found 3.1.0.1 is also vulnerable.

Vulnerability Details:
The vulnerability is located in the 'photos' controller, 'ajaxUploadAvatar' task. The parameters parsed by the 'Azrul' plugin are not properly sanitized before being used in a call to the 'call_user_func_array' PHP function.

"This allows an attacker to execute arbitrary static class functions, using any amount of user-provided parameters."  An attacker can exploit this vulnerability by calling CStringHelper::escape function and execute arbitrary PHP code.

HTTP Request exploiting the vulnerability

More technical details about the vulnerability and exploit code is available here.

As you can see that exploit code is already publicly available, all JomScoial Admins are advised to upgrade to latest version of the extension (v3.1.0.4) as soon as possible.
Read more »
Web Application Vulnerability
Breaking News Remote Code Execution Vulnerability Web Application Vulnerability

Critical Remote Code Execution vulnerability patched in MediaWiki, affecting WikiPedia

A Critical Remote Code Execution vulnerability has recently been patched the Mediawiki in its wiki Software.  Thousands of Wiki sites including WikiPedia have been impacted by this security bug.

Security researchers from Checkpoint identified this vulnerability(CVE-2014-1610) affecting all versions starting with version 1.8.  The websites are vulnerable only, if a specific non-default setting is enabled.

According to the security advisory, an attacker could have exploited this vulnerability to make file and system changes and gained complete control over the server.

Checkpoint said that an attacker could have injected malware code into every page WikiPedia.org which could have put millions of users' system at potential risk of malware infection.

Fortunately, Checkpoint immediately informed the WikiMedia foundation about the presence this security bug.  On 28th Jan., the foundation released patch for this bug.

The security advisory says that this is the third critical remote code execution vulnerability discovered in MediaWiki since 2006.
Read more »
Subscribe to: Posts (Atom)