Twitter Bug #1: Cross-Site Scripting (XSS) Found in twitter.com

DescriptionSow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in twitter.com, which can be exploited by an attacker to conduct XSS attacks.Proof of concepthttps://twitter.com/intent/follow?original_referer=javascript:alert(document.cookie);&region=follow_link&screen_name=twitterapi&source=followbutton&variant=2.0ConclusionThis vulnerability has been confirmed...

Read More

Apple Bug #1: Cross-Site Scripting (XSS) Found in consultants.apple.com

DescriptionSow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in consultants.apple.com, which can be exploited by an attacker to conduct XSS attacks.Proof of concepthttp://consultants.apple.com/au/locator_results.php?sl=AU&citystate=VIC&page=2<script>alert(document.cookie)</script>ConclusionThis vulnerability has been confirmed and patched by Apple Security...

Read More

Oracle iPlanet Web Server 7.0.9 Multiple Cross-Site Scripting (XSS) Vulnerabilities

DescriptionOracle iPlanet Web Server is a web server designed for medium and large business applications. Oracle iPlanet Web Server builds on the earlier Sun ONE Web Server, iPlanet Web Server, and Netscape Enterprise Server products.Sow Ching Shiong, an independent vulnerability researcher has discovered multiple Cross-Site Scripting vulnerabilities in Oracle iPlanet Web Server. These issues were discovered in a default installation of Oracle iPlanet Web Server 7.0.9. Other earlier versions may also be affected.Proof of conceptReflected...

Read More

Apache Camel 2.7.0 Multiple Cross-Site Scripting (XSS) Vulnerabilities

DescriptionApache Camel is a versatile open-source integration framework based on known Enterprise Integration Patterns. Camel empowers you to define routing and mediation rules in a variety of domain-specific languages, including a Java-based Fluent API, Spring or Blueprint XML Configuration files, and a Scala DSL.Sow Ching Shiong, an independent vulnerability researcher has discovered multiple Cross-Site Scripting vulnerabilities in Apache...

Read More

HP System Management Homepage 6.2.2.7 Cross-Site Request Forgery (CSRF) Vulnerability

DescriptionHP System Management Homepage is a web-based interface that consolidates and simplifies the management of individual ProLiant and Integrity servers running Microsoft Windows or Linux operating systems, or HP 9000 and HP Integrity servers running HP-UX 11i.Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Request Forgery vulnerability in HP System Management Homepage. This issue was discovered in a default installation of HP System Management Homepage 6.2.2.7. Other earlier versions may also...

Read More

Joomla! CMS 2.5.1 Blind SQL Injection Vulnerability

DescriptionJoomla! is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently.Stratsec vulnerability researcher, Sow Ching Shiong has discovered Blind SQL Injection vulnerability in Joomla! CMS. This issue was discovered in a default installation of Joomla! CMS 2.5.1. Other earlier versions may also be affected.Proof of concept URLs which will...

Read More

Symantec IM Manager 8.4.17 SQL Injection and Cross-Site Scripting (XSS) Vulnerabilities

DescriptionSymantec IM Manager offers instant messaging management and security with support for public IM networks and enterprise IM platforms including AOL, Jabber, IBM Lotus Instant Messaging, ICQ, MSN Messenger, Microsoft Live Communications Server, Reuters, Yahoo! and GoogleTalk.Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in Symantec IM Manager. These issues were discovered in a default...

Read More

Pligg CMS 1.1.4 Cross-Site Scripting (XSS) Vulnerability

DescriptionPligg is an open source CMS (Content Management System) that you can download and use for free. Pligg CMS provides social publishing software that encourages visitors to register on your website so that they can submit content and connect with other users.Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Scripting vulnerability in Pligg CMS. This issue was discovered in a default installation of Pligg CMS 1.1.4. Other earlier versions may also be affected.Proof of concepthttp://[target]/pligg/search.php?adv=1&advancesearch=&nbsp;Search&nbsp;&date=1</title><script>alert(/XSS/)</script>&scategory=1&scomments=1&search=&sgroup=3&slink=3&stags=1&status=all&suser=1SolutionUpdate...

Read More

Symantec Endpoint Protection Manager 11.0.6 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

DescriptionSymantec End point Protection Manager Console lets user centrally manages the Symantec End point Protection clients. From the console user can install clients, set and enforce a securit ypolicy, and monitor and report on the clients. The console can be run from the computer hosting Symantec Endpoint Protection Manager or remotely through a Web-based interface.Sow Ching Shiong, an independent vulnerability researcher has discovered multiple...

Read More

Oracle Secure Backup 10.3.0.3.0 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

DescriptionOracle Secure Backup is a general-purpose network data protection tool that simplifies and automates the backup and restore of files on a file system. The software can also serve as a media management layer for Recovery Manager through the SBT interface.Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in Oracle Secure Backup. These issues were discovered in a default installation...

Read More

Trend Micro Control Manager 5.5 Directory Traversal Vulnerability

DescriptionTrend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administrative complexity and work with Trend Micro solutions to maximize security.Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Scripting vulnerability in Trend Micro Control Manager. This issue was discovered in a default installation of Trend Micro Control Manager 5.5...

Read More

Trend Micro Control Manager 5.5 Cross-Site Scripting (XSS) Vulnerability

DescriptionTrend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administrative complexity and work with Trend Micro solutions to maximize security.Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Scripting vulnerability in Trend Micro Control Manager. This issue was discovered in a default installation of Trend Micro Control Manager 5.5 Build 1250 (Hot Fix: 1350). Other earlier versions may also be affected.Proof of concepthttps://[target]/commoncgi/servlet/CCGIServlet?ApHost=SLF_PRODUCT_TVCS"><script>alert(/XSS/)</script>&CGIAlias=SLF_PRODUCT_TVCS&Page=SolutionTrend...

Read More

Adobe ColdFusion 9.0.1.274733 Cross-Site Request Forgery (CSRF) Vulnerability

DescriptionAdobe ColdFusion application server enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise.Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Request Forgery vulnerability in Adobe ColdFusion. This issue was discovered in a default installation of Adobe ColdFusion 9.0.1.274733. Other earlier versions may also be affected.Proof of concept<html><body><form action="http://[target]:8500/CFIDE/administrator/security/useredit.cfm" id="csrf" method="post"><input...

Read More

Sybase EAServer 6.3.1 Directory Traversal Vulnerability

DescriptionSybase EAServer is the leading solution for distributed and Web-enabled PowerBuilder applications. EA Server can be used to run multiple websites, portals or Web applications. It allows access from Web browsers and provides a development platform for enterprise Web services.Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in Sybase EAServer. This issue was discovered in a default...

Read More

F-Secure Policy Manager Web Reporting 9.00.30231 Path Disclosure and Cross-Site Scripting (XSS) Vulnerability

DescriptionF-Secure Policy Manager Web Reporting allow administrators to identify computers that are unprotected or vulnerable to virus outbreaks before they actually occur.Sow Ching Shiong, an independent vulnerability researcher has identified a Path Disclosure and Cross-Site Scripting vulnerability in F-Secure Policy Manager Web Reporting. This issue was discovered in a default installation of F-Secure Policy Manager Web Reporting 9.00.30231....

Read More

HP Power Manager 4.3.2 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

DescriptionHP Power Manager (HPPM) is a web-based application that enables administrators to manage an HP UPS from a browser-based management console. Administrators can monitor, manage, and control a single UPS locally and remotely.Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in HP Power Manager. These issues were discovered in a default installation of HP Power Manager 4.3.2. Other earlier versions may also be affected.Proof of conceptCross-Site Request Forgery (CSRF)==========================<html><body><form...

Read More

PrestaShop 1.3.3 Cross-Site Scripting (XSS) Vulnerability

DescriptionPrestaShop is an e-commerce solution which is free and open source. It supports payment gateways such as Google Checkout, Authorize.net, Skrill, PayPal and Payments Pro via API. Further payment modules are offered commercially.Sow Ching Shiong, an independent vulnerability researcher has identified a Cross-Site Scripting vulnerability in PrestaShop. This issue was discovered in a default installation of PrestaShop 1.3.3. Other earlier...

Read More

CompleteFTP Server 4.0.2 Directory Traversal Vulnerability

DescriptionCompleteFTP Server is a high-performance Windows FTP server supporting FTP, FTPS, SFTP and SCP. It features both Windows and non-Windows users and a fully configurable virtual file-system.Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in CompleteFTP Server. This issue was discovered in a default installation of CompleteFTP Server 4.0.2. Other earlier versions may also be affected.Proof...

Read More

SnugServer FTP Server 4.3.0.126 Directory Traversal Vulnerability

DescriptionSnugServer is an Email Server, Web Server, FTP Server, NewsServer and ListServer. It's your all-in-one solution to managing your Internet Presence. Send/receive emails through your own server, host your own website(s) and so much more.Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in SnugServer FTP Server. This issue was discovered in a default installation of SnugServer FTP...

Read More

FileCOPA FTP Server 5.02 Directory Traversal Vulnerability

DescriptionFileCOPA is a commercial FTP server for Windows that is available as shareware.Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in FileCOPA FTP Server. This issue was discovered in a default installation of FileCOPA FTP Server 5.02. Other earlier versions may also be affected.Proof of conceptSolutionUpdate to version 5.03 or later.ReferenceSecunia: http://secunia.com/advisories/39843/Disclosure...

Read More