Showing posts with label XSS Vulnerability.

Expert Posts About Blogger's CSP Flaw

A cybersecurity expert has found a way to bypass Content Security Policy (CSP) protections via WordPress. The technique, found by Paulos Yibelo, relies on same-origin method execution (SOME) and uses a JSONP (JSON with padding) endpoint to execute a function.

The technique can be used to take over a WordPress account, but only in combination with an HTML injection or cross-site scripting (XSS) flaw, which the expert does not currently have. Yibelo has not tried the trick on live websites, limiting his testing to research sites he owns.

“I haven’t really attempted to because it requires a logged-in WordPress user or admin to visit my website, so I install the plugin and have an HTML injection – which is illegal to do," said Yibelo. He also said he has not tried to use the bug against live targets in bug bounty programs.

The expert informed WordPress about the issue three months ago, but received no reply. Yibelo then published the findings publicly in a blog post.

Attacks are possible in two situations: first, websites that do not primarily use WordPress but have a WordPress endpoint on the same domain or a subdomain; second, a WordPress-hosted website that uses a CSP header.

Yibelo's blog says that if an attacker finds an HTML injection vulnerability on the main domain (for example website1.com, which is not WordPress), they can use a WordPress endpoint to upgrade an otherwise useless HTML injection into a full-blown XSS, which can then be escalated to remote code execution (RCE). In other words, having WordPress anywhere on the site defeats the purpose of a strict CSP.

Yibelo hopes that WordPress fixes this issue soon so that CSP remains meaningful on sites that host a WordPress endpoint. CSP is a mechanism set by websites and enforced by browsers that restricts which resources a page may load and can block XSS attacks.

PortSwigger describes it as follows: "CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources (such as scripts and images) that a page can load and restricting whether a page can be framed by other pages."

Bugs in the Zimbra Server Could Lead to Unrestricted Email Access


Multiple security flaws have been uncovered in the Zimbra email collaboration software that could be abused to compromise email accounts by sending a malicious message, or even to take control of the mail server if it is hosted on cloud infrastructure. Researchers from code quality and security company SonarSource found and reported the flaws in Zimbra 8.8.15 in May 2021; they are tracked as CVE-2021-35208 and CVE-2021-35209. Zimbra has since released versions 8.8.15 Patch 23 and 9.0.0 Patch 16 with mitigations.

"A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization," said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. "As a result, an attacker would gain unrestricted access to all sent and received emails of all employees." 

Zimbra is a cloud-based email, calendar, and collaboration suite for businesses that comes in both an open-source and commercially supported version with extra capabilities like a proprietary connector API for synchronising mail, calendar, and contacts with Microsoft Outlook, among other things. It's utilised by more than 200,000 companies in 160 countries. 

The first flaw could be exploited simply by opening a malicious email carrying a JavaScript payload. A cross-site scripting (XSS) bug (CVE-2021-35208) would be triggered in the victim's browser when such a rigged email is opened. According to SonarSource, once the payload executes it gives the attacker access to the victim's emails as well as their webmail session, and serves as a starting point for further attacks: “With this, other features of Zimbra could be accessed and further attacks could be launched.”

The second bug is an allow-list bypass that leads to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209), exploitable by any authenticated account belonging to a member of the targeted organisation, regardless of role. Chaining the two bugs lets a remote attacker extract valuable information from cloud infrastructure instances, such as Google Cloud API tokens or AWS IAM credentials.

"Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet," the company noted in its advisory. "If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly."
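The advisory's condition, an allowed proxy domain that resolves to an internal address, can be checked before a domain is added to an allow-list. The following is an added example written for this post, not Zimbra's own code: it takes a resolver function so it runs offline against a constructed lookup table, and treats loopback, private and link-local answers (including the 169.254.169.254 cloud metadata address) as unsafe to proxy.

```python
import ipaddress
import socket
from typing import Callable, Dict

# Constructed resolver results standing in for real DNS so the check runs offline.
# The loopback entry mirrors the advisory's example of an allowed domain that
# resolves to 127.0.0.1; the link-local one mirrors a cloud metadata address.
FAKE_DNS: Dict[str, str] = {
    "partner.example.com": "93.184.216.34",    # constructed public address
    "localtest.example.com": "127.0.0.1",
    "metadata.example.com": "169.254.169.254",
    "intranet.example.com": "10.20.30.40",
}


def fake_resolve(hostname: str) -> str:
    """Offline stand-in for socket.gethostbyname using the constructed table."""
    try:
        return FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {hostname}")


def resolves_to_internal(hostname: str,
                         resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the host resolves to a non-public address: loopback, RFC 1918,
    link-local (which covers 169.254.169.254) or any other reserved range."""
    try:
        addr = ipaddress.ip_address(resolve(hostname))
    except (socket.gaierror, ValueError):
        # Unresolvable or malformed answers are treated as unsafe to proxy.
        return True
    return not addr.is_global


def audit_allowed_domains(domains, resolve=socket.gethostbyname):
    """Map each candidate allow-list entry to 'ok' or a rejection reason."""
    return {d: ("rejected: resolves to internal address"
                if resolves_to_internal(d, resolve) else "ok")
            for d in domains}


if __name__ == "__main__":
    for domain, verdict in audit_allowed_domains(FAKE_DNS, fake_resolve).items():
        print(f"{domain:25} {verdict}")
```

A one-off resolution only reflects the record at audit time; a proxy that must honour an allow-list should also re-check the resolved address at request time so a later DNS change cannot point an allowed name at an internal host.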

PayPal Suffered Cross-Site Scripting (XSS) Vulnerability


The PayPal currency converter functionality was affected by a severe cross-site scripting (XSS) vulnerability. If abused, the flaw would let an attacker run malicious scripts, injecting JavaScript, HTML or other client-side code into the page. The bug was found on PayPal's web domain in the currency converter feature of PayPal wallets.

On February 19, 2020, the vulnerability was first reported as "reflected XSS and CSP bypass" by a security researcher who goes by the name "Cr33pb0y"; he was awarded a $2,900 bounty through HackerOne.

In a limited disclosure released on February 10, almost a year after the researcher privately reported the problem, PayPal said the flaw was in the currency conversion endpoint and was caused by a failure to adequately sanitize user input.

In its response on the HackerOne report, PayPal acknowledged that the currency conversion URL handled user input improperly. An attacker could use the injected JavaScript to access the browser's Document Object Model (DOM) or append other malicious code to the URL. If an attacker gets a malicious payload to load in a victim's browser, they can steal data or use the browser as a foothold to take control of the system; the payload runs in the victim's page without their knowledge or consent.

Typically, XSS attacks execute attacker-controlled script in the context of a trusted website and rely on luring the target into clicking a malicious link. Such payloads can serve as an entry point for larger attacks or for stealing cookies, session tokens or account information. Following the bug bounty hunter's disclosure, PayPal has added further validation of user input in the currency exchange function to eliminate the flaw.

XSS bugs are a frequent attack vector. Several recent data leaks have been linked to bugs that some analysts attribute to XSS flaws.

Confirming that the vulnerability has been fixed, PayPal said it was resolved “by implementing additional controls to validate and sanitize user input before being returned in the response.”

Uploader.swf flash file in vBulletin forum vulnerable to XSS

Attention, vBulletin forum users: a Flash file shipped with the vBulletin forum software is vulnerable to cross-site scripting (XSS).

The file "Uploader.swf" is located either in 'clientscript/yui/uploader/assets' or in '/core/clientscript/yui/uploader/assets'.

"It has come to our attention that there is a security issue in the uploader.swf file included as part of the Yahoo User Interface (YUI) library included in vBulletin 4. As the version of YUI included in vBulletin is end-of-lifed, Yahoo will not be fixing this issue," the vBulletin security advisory reads.

vBulletin recommends that users delete the Uploader.swf file from their forums and replace it with the empty file provided on the vBulletin forum. This forces vBulletin to fall back to the JavaScript-based uploader instead.

Proof of concept:
http://forum_Domain/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert(/XSS/);}//

Critical security vulnerabilities patched in Adobe Flash Player and ColdFusion

Adobe has issued a security hotfix for two critical vulnerabilities in the ColdFusion web application server. It has also issued a security update for Adobe Flash Player.

The cross-site scripting (XSS) vulnerability (CVE-2013-5326) could be exploited by a remote, authenticated user on ColdFusion 10 and earlier versions when the CFIDE directory is exposed.

The other ColdFusion vulnerability is an "unauthorized remote access" flaw (CVE-2013-5328), also rated critical.

Adobe Flash Player 11.9.900.117 and earlier versions are vulnerable to a critical bug that "could cause a crash and potentially allow an attacker to take control of the affected system".

Users are advised to follow the instructions in these bulletins: 1. http://www.adobe.com/support/security/bulletins/apsb13-27.html , 2. http://www.adobe.com/support/security/bulletins/apsb13-26.html

OpenEMR affected by Multiple Vulnerabilities

OpenEMR, the most popular open source electronic medical records system, has been reported by Trustwave SpiderLabs to contain multiple vulnerabilities.

SpiderLabs reported that, starting from guest access and combining it with several application flaws, the researcher was able to compromise the server running OpenEMR and use it as a pivot for attacking the internal network.

The researcher found a SQL injection vulnerability in the "Reports > Visits > SuperBill > Dates" page.

"By browsing to this page and dumping in junk in either the start or end date parameters", he saw the SQL error message: "ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC"

He also reported dumping most of the database contents, including sensitive patient data as well as numerous usernames and passwords. "I let my GPU box chew on the password hashes for a bit, and kept poking at the application," the blog says.

OpenEMR is also reported to have an HTML injection/XSS flaw on the 'Office Notes' page. The researcher was able to trick users visiting that page into attempting authentication against his system, which hosted a fake SMB server with static challenges:

Image Credits: SpiderLabs

"This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH," SpiderLabs reports.

OpenEMR has been informed of the issues and has patched the vulnerabilities in the 4.1.1 patch release.
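The error message quoted above shows the two defects a reviewer would look for in that report page: the date parameters are spliced into the SQL text, and nothing checks that they are dates. The following is an added example written for this post, not OpenEMR's code: it rebuilds the quoted query against a constructed in-memory SQLite table, shows the concatenated form failing on the same `a'` junk input, and the hardened form that validates the parameters and binds them instead.

```python
import re
import sqlite3
from datetime import date

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date(value: str) -> str:
    """Accept only a real YYYY-MM-DD calendar date; reject anything else."""
    if not ISO_DATE.match(value):
        raise ValueError(f"rejected date parameter: {value!r}")
    date.fromisoformat(value)  # raises ValueError for e.g. 2013-13-45
    return value


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the forms table named in the error."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forms (id INTEGER PRIMARY KEY, form_name TEXT, date TEXT)")
    conn.executemany("INSERT INTO forms (form_name, date) VALUES (?, ?)", [
        ("New Patient Encounter", "2013-07-01"),
        ("New Patient Encounter", "2013-07-10"),
        ("Vitals", "2013-07-05"),
    ])
    return conn


def encounters_concat(conn, start, end):
    """The shape of the quoted query: user input spliced straight into the SQL."""
    sql = ("select * from forms where form_name = 'New Patient Encounter' "
           f"and date between '{start}' and '{end}' order by date DESC")
    return conn.execute(sql).fetchall()


def encounters_safe(conn, start, end):
    """Hardened form: strict validation, then bound parameters instead of text."""
    start, end = validate_date(start), validate_date(end)
    sql = ("select * from forms where form_name = 'New Patient Encounter' "
           "and date between ? and ? order by date DESC")
    return conn.execute(sql, (start, end)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(encounters_safe(db, "2013-07-01", "2013-07-12"))
    try:
        encounters_concat(db, "a'", "2013-07-12")   # the junk input from the report
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
```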

Author: Shalini Bhushan


Defencely Website vulnerable to Non Persistent XSS

Security researcher Vedachala has discovered a POST-based cross-site scripting vulnerability in the website of Defencely, a company that provides web application penetration testing services.

The main page of the Defencely site lets users enter their website address to receive a security report. The form passes the address as the "website_url" parameter to "Defencely.com/report_submit.php".

"If a web application is getting user's input, it is always better to double check and make sure the parameter is sanitized." 

POST-based XSS in Defencely

Veda found that the "website_url" parameter is not sanitized and is vulnerable to POST-based XSS. He successfully got his injected script to execute.

The researcher shared the proof of concept in a security-related Facebook group (the details are also available at pastebin.com/9JeJ1HK6). We have verified the vulnerability. At the time of writing, the website is still vulnerable.

*Update:
Another security researcher, QuisterTow, has discovered one more XSS vulnerability in the Defencely website.

The researcher provided the following PoC on Pastebin (http://pastebin.com/yZzyezqG):
www.defencely.com/getstarted.php?id=Ij48aW1nIHNyYz14IG9uZXJyb3I9cHJvbXB0KCd4c3NlZCcpIC8+&price=OTk=&plan=c3RhcnRlcg==

At the time of writing, we are still able to reproduce the vulnerability.

Rahul Tyagi found XSS in Sony and Counter-Strike websites

Rahul Tyagi, Senior Security Analyst at TechDefence, has identified cross-site scripting vulnerabilities in high-profile websites including those of Sony and Counter-Strike.

Earlier today, we received a notification from the researcher saying he had found an XSS vulnerability in the official Counter-Strike blog. I have confirmed the vulnerability.


He also identified a non-persistent XSS flaw in a Sony website. After reporting the vulnerability, he received a thank-you note and an invitation from Sony to its security conference.


Rahul also claims to have identified vulnerabilities in a few other well-known websites, including HowStuffWorks, Forbes, BBC, Indiatimes and Indian Express.