Friday, September 28, 2012

4 out of 5 websites are vulnerable

Four out of five sites are vulnerable, says Herald Online in an article about web application security.

Frost & Sullivan's recent white paper (WP) discusses the growing threat to web applications and puts it into its proper business context. Describing the murky world of web application hacking, the paper also gives an overview of the likely victims and outlines the solutions available to organisations that want to protect themselves. The paper benefits from the insight and experience of leading security companies and organisations, such as MITRE, High-Tech Bridge and the Online Trust Alliance (OTA), which provided excellent support to Frost & Sullivan during the WP review.

Read more here: http://www.heraldonline.com/2012/09/05/4236143/web-application-security-is-an.html


Thursday, September 13, 2012

HTB23111: TCExam 11.3.008 multiple vulnerabilities

TCExam version 11.3.008 suffers from SQL injection and cross-site scripting (XSS) vulnerabilities. Details of the issues have been published by High-Tech Bridge Security Research Lab and are publicly available on their advisory page: TCExam multiple vulnerabilities.

  1. SQL injection: input passed via the "user_groups[]" POST parameter to "admin/code/tce_edit_test.php" and via the "subject_id" POST parameter to "/admin/code/tce_show_all_questions.php" is not properly sanitised before being used in an SQL query.
  2. Cross-site scripting (XSS): input passed via the "cid" and "uids" GET parameters to the "admin/code/tce_select_users_popup.php" script is not properly sanitised before being returned to the user.
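As an added example (not TCExam's own code), the array-valued POST parameter pattern from item 1 shown in Python with sqlite3: the vulnerable form joins the submitted "user_groups[]" values straight into an IN list, while the hardened form validates each id and binds one placeholder per element. The table, its rows and the sample inputs are constructed for the demonstration.

```python
import re
import sqlite3
from typing import Iterable, List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a groups table
    (hypothetical; not TCExam's real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_groups (group_id INTEGER, group_name TEXT)")
    con.executemany("INSERT INTO user_groups VALUES (?, ?)",
                    [(1, "students"), (2, "teachers"), (3, "admins")])
    return con


def groups_vulnerable(con: sqlite3.Connection, user_groups: Iterable[str]) -> List[str]:
    """Defect pattern from the advisory: the user_groups[] array is joined
    straight into the IN (...) list, so submitted text becomes part of the SQL
    and can change the WHERE clause instead of merely supplying ids."""
    sql = "SELECT group_name FROM user_groups WHERE group_id IN (%s) ORDER BY group_id" % ",".join(user_groups)
    return [row[0] for row in con.execute(sql)]


def validate_group_ids(user_groups: Iterable[str]) -> Optional[List[int]]:
    """Allow-list check: every element must be a plain decimal integer id.
    Returns None if any element fails, so the caller can reject the request."""
    ids = []
    for value in user_groups:
        value = str(value).strip()
        if not re.fullmatch(r"[0-9]+", value):
            return None
        ids.append(int(value))
    return ids


def groups_parameterised(con: sqlite3.Connection, user_groups: Iterable[str]) -> List[str]:
    """Hardened form: validated ids and one bound placeholder per element,
    so the query shape is fixed regardless of what was submitted."""
    ids = validate_group_ids(user_groups)
    if ids is None:
        raise ValueError("user_groups[] must contain only integer ids")
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT group_name FROM user_groups WHERE group_id IN ({placeholders}) ORDER BY group_id"
    return [row[0] for row in con.execute(sql, ids)]


if __name__ == "__main__":
    db = make_db()
    print(groups_parameterised(db, ["1", "2"]))        # ['students', 'teachers']
    print(groups_vulnerable(db, ["1", "2) OR (1=1"]))  # all three rows: the input rewrote the query
    print(validate_group_ids(["1", "2) OR (1=1"]))     # None: the hardened path rejects it
```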

Vulnerability ID: HTB23111
Vendor Notification / Patch / Public Disclosure Dates: August 22 / August 22 / September 12, 2012
Vulnerabilities Type: SQL Injection, XSS
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to TCExam 11.3.009

TCExam is a web-based computer-based assessment (CBA) system (e-exam, computer-based testing, CBT) for universities, schools and companies that enables educators and trainers to author, schedule, deliver and report on surveys, quizzes, tests and exams.

Friday, September 7, 2012

How to use PyDbg as a powerful multitasking debugger

Brian Mariani and Frederic Bourla from High-Tech Bridge have published an interesting whitepaper, "How to use PyDbg as a powerful multitasking debugger". The aim of the publication is to give the reader an introduction to this Python-based debugger and to deliver practical, real-world examples of how this powerful security tool is used.

Excerpt from the article (page 2):

The debugger’s goal

  • When a program crashes for some reason it is often hard to realize what happened without using the appropriate tool.
  • A debugging tool is a program which aims to analyze other programs.
  • The main interest when using a debugger is to analyze the code behavior or to find a bug in another program.
  • A debugger allows a programmer or a researcher to quickly identify the cause of a problem in the code.

The publication can also be viewed on SlideShare.

Thursday, September 6, 2012

HTB23095: Kayako Fusion 4.40.1148 cross-site scripting (XSS) vulnerability

Kayako Fusion version 4.40.1148, and probably prior versions, suffers from a cross-site scripting (XSS) vulnerability (CVE-2012-3233).

This XSS vulnerability can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of an affected website: input appended to the URL after "/__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php" is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23095
Vendor Notification / Public Disclosure Dates: June 6 / September 5, 2012
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk level: Medium [CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)]
Solution Status: Fixed by Vendor, upgrade to Kayako Fusion 4.50.1581

Kayako Fusion is the world's leading multi-channel helpdesk solution that enables organizations to deliver a better customer experience and work more effectively as a team, whatever their size.

See details and PoC-example for this advisory: Cross-Site Scripting (XSS) in Kayako Fusion.

HTB23110: Flogr 2.5.6 cross-site scripting (XSS) vulnerabilities

Flogr version 2.5.6, and probably prior versions, suffers from a cross-site scripting (XSS) vulnerability (CVE-2012-4336).

Input appended to the URL after "index.php", or passed via an arbitrary GET parameter to "index.php", is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of an affected website.

Vulnerability ID: HTB23110
Vendor Notification / Public Disclosure Dates: August 15 / September 5, 2012
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk level: Medium [CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)]
More information is available on the advisory page.

HTB23088: TestLink cross-site request forgery (CSRF)

TestLink version 1.9.3, and probably prior versions, suffers from a cross-site request forgery (CSRF) vulnerability (CVE-2012-2275).

The source of requests is not properly validated, which can be exploited to perform certain actions via HTTP requests as an authorized user. The original security advisory includes a PoC for the "lib/usermanagement/userInfo.php" script that changes the administrator's email address.
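An added example (a hypothetical handler, not TestLink's code) of the check that is missing in the scenario above: an email-change handler that honours any request carrying the field, beside one that requires a per-session token and a same-origin Origin/Referer before changing anything. The session and request objects and the site origin are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

SITE_ORIGIN = "https://testlink.example"  # constructed value for the deployed site


@dataclass
class Session:
    user: str
    email: str
    # Per-session secret that a page on another site cannot read or guess.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


def update_email_vulnerable(session: Session, req: Request) -> bool:
    """Pattern behind the advisory: any request sent with the victim's cookies
    changes the address, so a forged cross-site form submission succeeds."""
    if "email" in req.form:
        session.email = req.form["email"]
        return True
    return False


def same_origin(req: Request) -> bool:
    """Reject when the browser reports that the request came from another site.
    A missing header is tolerated here; the token check still applies."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin in ("", SITE_ORIGIN) or origin.startswith(SITE_ORIGIN + "/")


def csrf_ok(session: Session, req: Request) -> bool:
    """A state-changing action must be a same-origin POST carrying the token."""
    if req.method != "POST" or not same_origin(req):
        return False
    return hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token)


def update_email(session: Session, req: Request) -> bool:
    """Hardened handler: no token, foreign origin or malformed address means no change."""
    new_email = req.form.get("email", "")
    if not csrf_ok(session, req) or "@" not in new_email:
        return False
    session.email = new_email
    return True
```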

Vulnerability ID: HTB23088
Vendor Notification: April 18, 2012
Public Disclosure: September 5, 2012
Vulnerability Type: XSRF/CSRF
Risk level: Medium [CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)]
Solution Status: Fixed by Vendor, upgrade to TestLink 1.9.4

See details and PoC-examples for this advisory: Cross-Site Request Forgery (CSRF) in TestLink.