Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label XSS Vulnerability. Show all posts

Expert Posts About Blogger's CSP Flaw

A cybersecurity expert found a strategy to escape Content Security Policy (CSP) functions via WordPress. The hack, found by Paulos Yibelo, depends on exploiting origin method execution. The strategy incorporates JSON padding to execute a function. 

It allows the exploit of a WordPress account, however, along with cross-site scripting (XSS) exploit, that the expert doesn't have as of now. Yibelo hasn't tried to use the trick on live websites yet, limiting the exploits for test research websites owned by the experts. 

“I haven’t really attempted to because it requires a logged-in WordPress user or admin to visit my website, so I install the plugin and have an HTML injection – which is illegal to do," said Yibelo. He also mentioned that they didn't try to abuse the bug in the open on bug bounty forums. 

The exports informed WordPress about the issue three months ago, however, the latter didn't reply. It was then that Yibelo published the findings publically on a tech blogpost. 

Attacks may happen in two situations: First, websites that don't use WordPress primarily but have a WordPress endpoint on the same domain or subdomain. Second, a WordPress-hosted website that uses a CSP header. 

Yibelo's blog says if an attacker finds an HTML injection vulnerability within the main domain (ex: website1.com – not WordPress,) using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML Injection to a full-blown XSS that can be escalated to perform [remote code execution] RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP. 

Yibelo hopes that wordpress fixes this issue soon for CSP to stay relevant on WordPress endpoint hosting sites. CSP is a technology established by sites and in use by browsers that may restrict resources and block XSS attacks. 

Port Swigger reports "CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources (such as scripts and images) that a page can load and restricting whether a page can be framed by other pages."

Bugs in the Zimbra Server Could Lead to Unrestricted Email Access

 

Multiple security flaws have been uncovered in the Zimbra email collaboration software, which could be abused to compromise email accounts by sending a malicious message or even take control of the mail server if it is housed on a cloud infrastructure. Researchers from code quality and security solutions company SonarSource found and reported the flaws in Zimbra 8.8.15 in May 2021, dubbed CVE-2021-35208 and CVE-2021-35209. Since then, Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16 have been released with mitigations. 

"A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization," said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. "As a result, an attacker would gain unrestricted access to all sent and received emails of all employees." 

Zimbra is a cloud-based email, calendar, and collaboration suite for businesses that comes in both an open-source and commercially supported version with extra capabilities like a proprietary connector API for synchronising mail, calendar, and contacts with Microsoft Outlook, among other things. It's utilised by more than 200,000 companies in 160 countries. 

The first flaw, discovered by Simon Scannell, could be exploited simply by opening a malicious email with a JavaScript payload. A cross-site scripting (XSS) bug (CVE-2021-35208) would be triggered in a victim's browser if they opened such a rigged email. According to SonarSource, when the payload is performed, it gives an attacker access to the victim's emails as well as their webmail session. They also claimed that it would serve as a starting point for additional assaults: “With this, other features of Zimbra could be accessed and further attacks could be launched.”

The second bug is an allow-list bypass that leads to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209) that may be exploited by an authenticated account belonging to a member of a targeted organisation with any permitted role. If the two bugs are combined, a remote attacker will be able to obtain valuable information from cloud infrastructure instances, such as Google Cloud API Tokens or AWS IAM credentials. 

"Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet," the company noted in its advisory. "If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly."

PayPal Suffered Cross-Site Scripting -XSS Vulnerability

 

The PayPal currency converter functionality was damaged by severe cross-site scripting (XSS) vulnerability. An attacker might be able to run destructive scripts if the vulnerability is abused. This could lead to the malicious user injecting malicious JavaScript, HTML, or some other form of browser file. The bug was noticed on PayPal's web domain with the currency converter functionality of PayPal wallets. 

On February 19, 2020, the vulnerability was first identified as a concern of "reflected XSS and CSP bypass" by a security researcher who goes by the name "Cr33pb0y" – he's been granted $2,900 in bug bounty programming by HackerOne. 

PayPal said that a flaw occurred in the currency conversion endpoint which was triggered by an inability to adequately sanitize user feedback, in a restricted disclosure that was released on February 10 – almost a year after the researcher identified the problem privately. 

PayPal acknowledged the flaw- in response to the HackerOne forum, that contributed to the currency translation URL managing user feedback inappropriately. A vulnerability intruder may use the JavaScript injection to access a document object in a browser or apply other malicious code to the URL. If hackers load a malicious payload into the browser of a victim, they can steal data or use the computer to take control of the system. As a consequence, malicious payloads can trigger a victim's browser page without its knowledge or consent in the Document Object Model (DOM). 

Typically, XSS attacks represent a browser's script from a specific website and can enable a target to click a malicious connection. Payloads can be used as a theft point in larger attacks or for the stealing of cookies, session tokens, or account information. PayPal has now carried out further validation tests to monitor users’ feedback in the currency exchange function and wipe out errors following the disclosure of the bug bounty hunter. 

XSS bugs are a frequent hacker attack vector. Several recent leaks of data have been related to bugs like what some analysts claim is an XSS flaw. 

While telling that the vulnerability has been fixed, PayPal said, “by implementing additional controls to validate and sanitize user input before being returned in the response.”

Uploader.swf flash file in vBulletin forum vulnerable to XSS

Attention! vBulletin forums users, there is a flash file in the vBulletin forum software which is vulnerable to Cross site scripting(XSS).

The file "Uploader.swf" is located either in located in 'clientscript/yui/uploader/assets' or '/core/clientscript/yui/uploader/assets'.

"It has come to our attention that there is a security issue in the uploader.swf file included as part of the Yahoo User Interface (YUI) library included in vBulletin 4. As the version of YUI included in vBulletin is end-of-lifed, Yahoo will not be fixing this issue." vBulletin Security advisory reads.

vBulletin recommends users to delete the Uploader.swf file from your forums and replace it with another empty file provided in their forum.  This will force the vBulletin to use javascript based uploader instead.

Proof of concept:
http://forum_Domain/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert(/XSS/);}//

Critical security vulnerabilities patched in Adobe Flash Player and ColdFusion

Adobe has issued security hotfix for two critical vulnerabilities in ColdFusion web application server.  They have also issued security update for the Adobe Flash player.

The cross site scripting(XSS) vulnerability (CVE-2013-5326) could be exploited by a remote, authenticated user on ColdFusion 10 and earlier versions when the CFIDE directory is exposed. 

The other vulnerability in ColdFusion is "unauthorized remote access(CVE-2013-5328)"- marked as critical security flaw.

Adobe Flash Player 11.9.900.117 and earlier versions are vulnerable to a critical bug that "could cause a crash and potentially allow an attacker to take control of the affected system".

Users are recommended to follow the instruction provided in these pages: 1.http://www.adobe.com/support/security/bulletins/apsb13-27.html , 2.http://www.adobe.com/support/security/bulletins/apsb13-26.html 

OpenEMR affected by Multiple Vulnerabilities

The most popular open source electronic medical records (OpenEMR) is said to have multiple vulnerabilities by the Trustwave SpiderLabs.

It reported that with a guest access, mixed with some application issues the user was able to compromise with the server running OpenEMR and it even served as a dock for attacking the internal networks.

The Researcher found a SQL Injection vulnerability in "Reports > Visits > SuperBill > Dates" location. 

"By browsing to this page and dumping in junk in either the start or end date parameters", he saw the SQL error message saying "ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC"

It also claimed to dump most of the database contents and important datas of patients as well as numerous usernames and passwords." I let my GPU box chew on the password hashes for a bit, and kept poking at the application." (the blog says)

OpenEMR is also reported to have HTML injection/XSS on an 'Office Notes' page. The user was even able to beguile the user visiting the page to attempt authentication with his system, which was hosting a fake SMB server with static challenges:

Image Credits: SpiderLabs

"This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH."(SpiderLabs reports)

The OpenEMR has been informed of it and they have patched the vulnerabilities in the latest 4.1.1 patch.

Author: Shalini Bhushan


Defencely Website vulnerable to Non Persistent XSS

Security Researcher Vedachala has discovered a post based Cross site Scripting vulnerability in the Defencely website - A company that provides web application penetration testing service.

The main page of the Defencely allows user to enter their website to get a security report.  The form gets the input and pass the website address as "website_url" parameter to "Defencely.com/report_submit.php".

"If a web application is getting user's input, it is always better to double check and make sure the parameter is sanitized." 

Post based xss in Defencely

Veda has identified that "website_url" parameter is not sanitized and vulnerable to post request based XSS.  He successfully managed to get the injected-script executed.

In one of the facebook group related to Security , the researcher provided the proof-of-concept(You can also find the details at pastebin.com/9JeJ1HK6).  We have successfully verified the vulnerability.  At the time of writing, the website is still vulnerable.

*Update:
 Another Security Researcher named QuisterTow has discovered one more xss Vulnerability in the Defencely website.

The researcher provided the following POC in the pastebin(http://pastebin.com/yZzyezqG):
www.defencely.com/getstarted.php?id=Ij48aW1nIHNyYz14IG9uZXJyb3I9cHJvbXB0KCd4c3NlZCcpIC8+&price=OTk=&plan=c3RhcnRlcg==

At the time of writing, we are still able to reproduce the vulnerability.

Rahul Tyagi found xss in Sony , Counter-strike websites

Rahul Tyagi , Senior Security Analyst from TechDefence, has identified cross site scripting vulnerabilities in high profile websites including sony, counter-strike.

Earlier Today, we got a notification from the researcher saying he found xss vulnerability in the official blog of counter-strike.  I have confirmed the vulnerability.


He also identified a non-persistent xss in Sony website.  After reporting the vulnerability, he also got appreciation and invitation mail from SONY for the SONY's security conference.


Rahul also claimed to have identified vulnerability in few other famous websites including howstuffworks, forbes, bbc, indiatimes, Indianexpress. 

XSS in Photobucket fixed

Recently a 15 year old tech blogger and security researcher named Indrajeet bhuyan found and helped fix a XSS vulnerability in Photobucket.







He had previously found vulnerabilities in Samsung, Disqus, NDTV, Jabong, IIT Bombay and many others. 

Editor's Note: It is good to see that such young hackers are acting responsibly and reporting vulnerabilities instead of simply defacing the site or using the vulnerabilities for malicious motives.I hope that Mr.Indrajeet bhuyan continues this.

Hackers infect Pentagon admin by exploiting XSS vulnerability

Recently, EHN received a news report from Tunisian Cyber Army and Al Qaida Electronic Army in which the hackers claimed to have infected the Pentagon administrator, as part of their on going operation called "#opBlackSummer".

The attack was happened after hackers identified a reflected cross site scripting(XSS) vulnerability in one of the sub domain of Pentagon (g1arng.army.pentagon.mil).

POC:
g1arng.army.pentagon.mil/Programs/Pages/Default.aspx?Category="><script>alert("xss by tca and AQECA on pentagon")</script>

xss vulnerability

The hacker managed to exploit this vulnerability for sending malicious payload to the admin of Pentagon. Hackers claims that they got success in infecting them.

Hackers said they compromised  some important file and steal cookies from the pentagon mail. The security breach was done with collaboration with Chinese hackers.

At the time of writing, the vulnerability is not fixed. If the TCA claim is true, then this one will be the best example that demonstrate the severity of simple reflected xss. Yesterday, i have sent notification to Pentagon team about the vulnerability but there is no response from them.

In another mail, the team said the have hacked the state.gov with SQL injection vulnerability. 

Persistent XSS vulnerability in Zendesk Support Ticket System

An Information Security Researcher, Sukhwinder Singh, has identified a critical security flaw in one of the top Support ticket system provided by Zendesk.

The title field is vulnerable to Persistent Cross site scripting.   The researcher managed to create a ticket with this title : "><script>alert(/Sukhwinder Singh/)</script>.  

Even though the Developer of this app managed to sanitize the title before being displayed in the user end, he stored the title in the database without sanitizing.

The title is being sanitized every time it is being displayed in the page.  Unfortunately, they failed to remove the special characters before displaying the title in data-text attribute of Twitter_button code.


POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-

The google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.

The researcher claimed to have contacted the Zendesk but there is response from their side.  I've also sent notification to Zendesk. 

Cross Site Scripting Vulnerability In Times of India and NDTV


A Security Researcher Vedachala from ICD, has identified Cross site scripting security flaw in one of the famous news paper web site Times of India.

Times of India is one of leading news paper which brings brings the Latest & Top Breaking News on Politics and Current Affairs in India & around the World, Cricket, Sports, Business, Bollywood News etc.

POC [Unfixed] :
http://epaper.timesofindia.com/Daily/skins/TOI/welcome.asp?QS="><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

The researcher also found XSS Vulnerability in NDTV goodtimes website ..NDTV Good Times is the flagship channel of NDTV Lifestyle, part of the NDTV Group.

POC [Unfixed] :
 http://goodtimes.ndtv.com/video/video.aspx?id=52733"><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

Recently the researcher also found a xss vulnerability in popular sites like Airtel, ooowebhost,IBN CNN  etc.

Non-persistent XSS vulnerability in IBNLive

An 17 Years Old Security researcher Researcher V3d@ch4La From Indian Cub3r Dev!Ls, has discovered a non-persistent XSS security flaw in the official website of IBN(ibnlive.in.com) .

Cable News Network-Indian Broadcasting Network (CNN-IBN) is an English-language Indian television news channel. The network is a partnership between Global Broadcast News (GBN) and Turner International (Turner) in India (a subsidiary of Time Warner).
POC:
http://ibnlive.in.com/searcher/search.php?searchq=\"><script>alert(/ E Hacking News/)</script>





Multiple XSS and JSP Source code disclosure vulnerability in CNN

An Information Security researcher has discovered multiple Cross Site scripting vulnerability that affects one of the Top News channel website, CNN.

Few days back, The vulnerability was reported by  Quister Tow. The vulnerabilities resides in three different sub domain of CNN: searchapp.cnn.com, audience.cnn.com,dynamic.si.cnn.com.

POC:

1.http://dynamic.si.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp?searchName=<script>alert(/QuisterTow/)</script>

2.http://searchapp.cnn.com/weboffers/weboffers.jsp?itype=cnn&cid=cnn&text=&domains=;</script><script>alert(/QuisterTow/);</script>&csiID=csi3

3.http://audience.cnn.com/services/si/flow/scoreAlertManagement?_flowExecutionKey=<script>alert(/QuisterTow/)</script>




While i was verifying the XSS vulnerabilities, i found another critical security flaw in the website that expose the source code.

POC for JSP Source Code disclosure
http://sportsillustrated.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp

I have immediately reported CNN about the security flaw. But there is no response from their side and so i am publishing the details here.

XSS vulnerability in PhotoBucket and SecurityXploded

A Security Researcher kuksool from n0careteam, has identified Cross site scripting security flaw in two famous websites, Photobucket and SecurityXploded.

POC for photobucket [unfixed]:
*Load http://photobucket.com/plugin/search
* Enter the following code and hit enter:
 " onload=alert&#40;'xss!'&#41;>click me!"



POC for SecurityXploded [FIXED]:
*Load http://securityxploded.com
* Enter the following code and hit enter:
 " onload=alert&#40;'xss!'&#41;>click me!"

The researcher claimed to have reported to PhotoBucket team. Let us hope they will fix the vulnerability soon.

After i sent notification to SecurityXploded, they fixed the vulnerability immediately.

Click based XSS vulnerability in Yahoo



Today, Information Security Researcher QuisterTow come with interesting vulnerability finding in one of Top Search Engine website, Yahoo.

There is a cross site scripting vulnerability resides in the hk.promotions.yahoo.com domain.  The vulnerability is click based xss .  When i click the flash, it will display the xss code.

Poc code:
http://hk.promotions.yahoo.com/wedding2010/home_banner.swf?clickTAG=javascript:alert(/ E Hacking News /);

The above finding is really interesting one.  Just load the url and click in the flash content and it results in the code being executed.

At the time of writing, the vulnerability is still there .





Bollywood Actress Divya Dutta website vulnerable to critical vulnerabilities


Ravi Kariya, a Security Analyst from Cyber Octet Pvt. Ltd (facebook.com/cyberoctet) has discovered critical vulnerabilities in the official website (divyadutta.co.in) of famous Indian Actress Divya Dutta.

There are two SQL Injection vulnerability in the website.  One of the vulnerabilities resides in the  Press Clips page of the site(divyadutta.co.in/pressclipdetail.asp?id=7).  A malicious hacker can exploit this vulnerability and extract the database .

The other one is more critical one , it allows hackers to bypass authentication of the Login .  A malicious hacker can login into the website as admin(divyadutta.co.in/admin/) . This can be done by injecting the crafted password that will modify the sql query such that it allows hacker to login.

There is also Cross site scripting vulnerability in the contact us page(divyadutta.co.in/contact.asp ) .  Injecting the follow code in the fields and clicking the submit button executes the injected code:

"><script>alert('My Love For Divya Dutta')</script>




Ravi tried to contact the Divya dutta via email and Twitter but she fails to respond for his query.  It seems like that She doesn't realize the severity level of this security flaw. A BlackHat hacker is able to deface the site with these vulnerabilities.

I think she will respond after some blackhats attack the site, what do you think guys?

*Update*
After E hacking news published news about the vulnerability, the admin pulled down the divya dutta site. Now the site displays the following error message:

"Directory Listing Denied.This Virtual Directory does not allow contents to be listed."


Non Persistent Cross Site scripting vulnerability in Monster India, Gulf and Hong Kong


A security Researcher Shikhil Sharma has identified a Non persistent Cross Site scripting vulnerability in one of the Leading online jobs search portal, Monster.

Monster is the largest job search engine in the world. Monster has over a million job postings at any time and over 1 million resumes, in the database (2008) and over 63 million job seekers per month. The company employs approximately 5,000 employees in 36 countries.

The Job search field in the Monster India website(jobsearch.monsterindia.com) is found to be vulnerable to the XSS injection.


POC:
http://jobsearch.monsterindia.com/searchresult.html?fts='/><script>alert('E+Hacking+News')</script>&x=0&y=0&mne=&mxe=
The same vulnerability affects the Hong Kong(jobsearch.monster.com.hk) and Gulf(jobsearch.monstergulf.com) branch of the Monster job portal.

TheR00tC0de found Two XSS vulnerabilities on Mediafire website

An Information Security Researcher with online handle 'TheR00tC0de' has identified two cross site scripting vulnerabilities in one of the famous file hosting service website , Mediafire (www.mediafire.com).

In an email Sent to EHN, the researcher provided the two vulnerable link that executes the code injected by hacker. 


Xss vulnerability in Mediafire

The researcher claimed that he sent notification about the vulnerability to Mediafire Team and waiting for their response.  The researcher asked me not to publish the vulnerable link. 

At EHN, I have confirmed those vulnerabilities.  Let us hope the Mediafire security team will soon fix the vulnerability.

Recently, one of the E Hacking News reader Mahadev Subedi identified a XSS vulnerability in the File Uploading service of Mediafire .

BrotherSoft website vulnerable to XSS Security flaw

An 21 Years Old Information Security Expert, Narendra Bhati From Sheogan Rajasthan , has discovered a non-persistent XSS security flaw in the official website of BrotherSoft.

Narendra found that the Search Query field in the Webpage of the brothersoft.com is vulnerable to  XSS attack.

BrotherSoft Providing worldwide customers as among the top 5 leading software download websites. Over 250,000 freeware and shareware are for free download which covers 7 channels including Windows, Mac, Mobile, etc. There are more than 10,00,000 downloads every day on their site.

POC code :
http://search.brothersoft.com/index.php?stype=windows&keyword="><script>alert("XSS")</script>

The site also allows users to inject the iframe code:
http://search.brothersoft.com/index.php?stype=windows&keyword="/><iframe+src="http://www.indiaresults.com/"+width=1000+height=1000></iframe>

He Also notice that Privacy Poliocy Page Of BrotherSoft is also vulnerable to XSS Narendra claimed that he reported about vulnerability 4 Days Ago to BrotherSoft but they failed to respond.