Archive for June, 2007

MOSEB-10 Bonus: Vulnerabilities at www.ask.com

22:55 10.06.2007

New bonus vulnerabilities at Ask. The Cross-Site Scripting hole was sent to me by Silentz today (in the contact script). Nice one, man. And after I checked it I also found 3 additional holes in that script and 4 holes in another script. So there are a lot of new XSS at Ask ;-) (thanks to Silentz).

The holes at Ask (www.ask.com) are in the contact forms Ask Customer Service and Consumer Feedback. These are XSS vulnerabilities like in MOSEB-10: Vulnerabilities at www.ask.com (8 new holes in total).

Ask Customer Service (www.ask.com/contact).

XSS:

The vulnerabilities are in the optional-name, require-email, optional-url and optional-message parameters:
http://www.ask.com/contact?optional-name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also, the page with the HTML injection hole has PR5, so black SEO guys will be happy.

Consumer Feedback (www.ask.com/contactlegal).

XSS:

The vulnerabilities are also in the optional-name, require-email, optional-url and optional-message parameters.

Moral: writing to a search engine vendor via a contact form can be risky.

MOSEB-10: Vulnerabilities at www.ask.com

20:49 10.06.2007

The next participant of the project is the Ask search engine. It is one of the popular search engines.

The vulnerabilities are in Ask web search. I found these Cross-Site Scripting holes on 10.05.2007.

XSS:

The vulnerabilities are in the qid and jss parameters:
http://www.ask.com/web?q=test&qid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also, the page with the HTML injection hole has PR5, so black SEO guys will be happy.

Moral: searching the web can be dangerous.

P.S.

I have prepared other holes at Ask.com. So wait for today’s bonus post ;-) .

Exploit digest

16:20 10.06.2007

This digest contains exploits for web applications:

  • Woltlab Burning Board <= 1.0.2, 2.3.6 search.php SQL Injection Exploit (details)
  • MGB 0.5.4.5 (email.php id variable) Remote SQL Injection Exploit (details)
  • Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit (details)
  • Uberghey 0.3.1 (frontpage.php) Remote File Include Vulnerability (details)
  • PHPMyphorum 1.5a (mep/frame.php) Remote File Include Vulnerability (details)
  • Oreon <= 1.2.3 RC4 (lang/index.php file) Remote Inclusion Vulnerability (details)
  • phpBP <= RC3 (2.204) (sql/cmd) Remote Code Execution Exploit (details)
  • JV2 Folder Gallery Remote Admin uName and Pass. Exploit (details)
  • SAP ‘enserver.exe’ file downloader (details)
  • DigiAffiliate <= V1.4 Remote Blind SQL Injection Exploit (details)

Month of Search Engines Bugs: day nine

23:38 09.06.2007

The Month of Search Engines Bugs continues, and today I published new vulnerabilities.

On the ninth day of the Month of Search Engines Bugs I published 24 Cross-Site Scripting vulnerabilities. This time the information is about holes in the Rambler search engine.

  • MOSEB-09: Vulnerabilities at Rambler (details)
  • MOSEB-09 Bonus: Vulnerabilities at ftpsearch.rambler.ru (details)

12 XSS vulnerabilities in Rambler’s archive search (4 XSS each in linux.rambler.ru, freebsd.rambler.ru and msdn.rambler.ru) and 12 XSS in Rambler’s FTP search.

We await the next day of the Month of Search Engines Bugs.

MOSEB-09 Bonus: Vulnerabilities at ftpsearch.rambler.ru

22:57 09.06.2007

New bonus vulnerabilities at Rambler. I found these Cross-Site Scripting holes on 01.06.2007. I found them when I was looking for other holes for the project, after Rambler untimely fixed some that I had prepared. Rambler needs to behave itself properly (when participating in the project).

The holes at Rambler-FTP (ftpsearch.rambler.ru) are in search results and advanced settings. These are XSS vulnerabilities like in MOSEB-09: Vulnerabilities at Rambler (12 new holes in total).

Search results (search.html).

XSS:

The vulnerabilities are in the words, ftype, form, what and sort1 parameters:
http://ftpsearch.rambler.ru/db/ftpsearch/search.html?words=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Advanced settings (advanced.html).

XSS:

The vulnerabilities are in the words, pflx, pfli, dflx, dfli, sl and sh parameters:
http://ftpsearch.rambler.ru/db/ftpsearch/advanced.html?words=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: searching on FTP can be dangerous.

MOSEB-09: Vulnerabilities at Rambler

20:51 09.06.2007

The next participant of the project is Rambler. It is one of the most popular Russian search engines.

The vulnerabilities are in Rambler’s Linux Kernel Mail Archives search (linux.rambler.ru), FreeBSD Mail Archives search (freebsd.rambler.ru) and MSDN Library Search (msdn.rambler.ru). I already wrote about these vulnerabilities at linux.rambler.ru (and the holes at the freebsd and msdn searches are the same). I found these Cross-Site Scripting holes on 03.01.2007 (at linux.rambler.ru) and 10.05.2007 (at freebsd.rambler.ru and msdn.rambler.ru).

There is only one issue (as with Microsoft at MOSEB-05): Rambler fixed all these vulnerabilities before this official disclosure. When I checked these holes on the 1st of June, while I was sending notifications to search engine vendors, I found that they had fixed these holes (which were planned for MOSEB). The holes at linux.rambler.ru were planned for the main bug and the holes at freebsd.rambler.ru and msdn.rambler.ru were planned for the bonus bug. It was a bad move on their part to fix these vulns untimely (because when you are in the project, holes need to be fixed in time). But I found a lot of other holes at Rambler, so it will certainly be in my project (with working XSS).

http://linux.rambler.ru

XSS:

The vulnerabilities are in the qs, st_date, end_date and set parameters:
http://linux.rambler.ru/cgi-bin/advanced.cgi?qs=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://freebsd.rambler.ru

XSS:

The vulnerabilities are also in the qs, st_date, end_date and set parameters.

http://msdn.rambler.ru

XSS:

The vulnerabilities are also in the qs, st_date, end_date and set parameters.

Moral: searching for Linux, FreeBSD and MSDN can be dangerous.

P.S.

I have prepared a lot of other holes at Rambler (and they are still working). So wait for today’s bonus post ;-) . Rambler can’t hide from me.

Vulnerability digest

17:47 09.06.2007

This digest contains vulnerabilities in web applications:

  • a-blog Cross-Site Scripting Vulnerability (details)
  • opentaps “SEARCH_STRING” Cross-Site Scripting Vulnerability (details)
  • b2 - 0.5 * [index] Remote File Include Vulnerability (details)
  • Okul Merkezi Portal v1.0 Remote File IncLude Vuln. (details)
  • Calendar MX BASIC <= 1.0.2 (ID) Remote SQL Injection Vulnerability (details)
  • Enthrallweb eCars 1.0 (types.asp) Remote SQL Injection Vulnerability (details)
  • SQL injection vulnerability in Haberx 1.02 through 1.1 (details)
  • Vulnerability in Zope (details)
  • Multiple PHP remote file inclusion vulnerabilities in UNAK-CMS (details)
  • SQL injection vulnerability in Techno Dreams Articles&Papers Package (details)

Month of Search Engines Bugs: day eight

23:54 08.06.2007

The Month of Search Engines Bugs continues, and today I published a new vulnerability.

On the eighth day of the Month of Search Engines Bugs I published one Cross-Site Scripting vulnerability. This time the information is about a hole in the Search Europe search engine.

  • MOSEB-08: Vulnerability at searcheurope.com (details)

An XSS vulnerability in Search Europe’s search results.

We await the next day of the Month of Search Engines Bugs.

MOSEB-08: Vulnerability at searcheurope.com

22:32 08.06.2007

The next participant of the project is the Search Europe search engine. This is a regional engine with European-related information (it’s not big, but it is regional). I found this site when I was looking for European engines for the project, because there are too many engines from the USA in the participants’ list (and I was trying to make the project world-wide).

So here it is, one more European search engine (even if it is located in the USA :-) , as I got to know later), in addition to the Ukrainian and Russian engines. Don’t worry guys, there will be other European engines during this month (but the larger part of all participants are USA engines).

There is a vulnerability at the main site of Search Europe (www.searcheurope.com) in search results. I found this Cross-Site Scripting hole on 25.05.2007.

XSS:

The vulnerability is in the query parameter:
http://www.searcheurope.com/cgi-bin/links/search.cgi?query=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: even simple searching can be risky.
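Added example, not code from the original posts or from any of the engines named on this page: every XSS in the MOSEB posts above (Ask, Rambler, Search Europe) has the same root cause, a search term reflected into HTML without escaping. The Python below rebuilds the three reflection contexts the quoted URLs target (a quoted attribute closed by `">`, a text node, and the `<title>` element closed by `</title>`), shows the unescaped template beside the `html.escape` fix, and runs a detection pass over constructed access-log lines; the render functions and log lines are hypothetical.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed payloads mirroring the three reflection contexts quoted in the
# MOSEB posts above: a quoted attribute ("> closes it), a text node (><script>)
# and the <title> element (</title> must be closed before a <script> can run).
ATTRIBUTE_PAYLOAD = '"><script>alert(document.cookie)</script>'
TEXT_PAYLOAD = '><script>alert(document.cookie)</script>'
TITLE_PAYLOAD = '</title><script>alert(document.cookie)</script>'

def query_param(url, name):
    """Return one percent-decoded query parameter from a URL like those above."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_unsafe(q):
    """Vulnerable pattern (hypothetical): the search term is pasted verbatim."""
    return (f"<title>Search: {q}</title>"
            f'<input name="q" value="{q}">'
            f"<p>Results for {q}</p>")

def render_safe(q):
    """Hardened pattern: html.escape(quote=True) encodes <, >, &, double and
    single quotes, so the term can no longer close an attribute, a text node
    or the <title> element."""
    e = html.escape(q, quote=True)
    return (f"<title>Search: {e}</title>"
            f'<input name="q" value="{e}">'
            f"<p>Results for {e}</p>")

# Hypothetical access-log lines (constructed, not real traffic) for a detection
# pass: decode each query string and flag tag-like input in search parameters.
SAMPLE_LOG = [
    "GET /web?q=test&qid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1",
    "GET /web?q=moseb+ask HTTP/1.1",
    "GET /cgi-bin/links/search.cgi?query=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
]
TAG_PATTERN = re.compile(r"<\s*/?\s*(script|title|img|svg|iframe)\b", re.I)

def flag_requests(log_lines):
    """Return the request lines whose decoded query string contains an HTML tag."""
    flagged = []
    for line in log_lines:
        path = line.split(" ")[1]
        if TAG_PATTERN.search(unquote(urlsplit(path).query)):
            flagged.append(line)
    return flagged
```

The regex check is deliberately coarse (it will also flag a user who legitimately searches for "<script>"); it is a triage filter for log review, not a substitute for escaping output.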

Microsoft gave hackers instructions for bypassing the protection of the IIS web server

19:44 08.06.2007

Microsoft published on its support site instructions for creating a program that allows bypassing the protection of the Internet Information Services (IIS) web server.

An attacker can use a bug in the Webhits.dll library, which is part of IIS, to access restricted documents while bypassing authentication. The bug affects only IIS versions 5.x. At the moment the source code of the program that uses the bug has already been removed from Microsoft’s site. However, there is still no IIS update that fixes this bug.

To protect against hackers Microsoft recommends upgrading IIS to version 6.0. This software is shipped only bundled with the Windows Server 2003 server operating system.

Based on material from http://www.securitylab.ru.