Friday, December 27, 2013

HTB23186: MijoSearch Joomla Extension - XSS and Full Path Disclosure

High-Tech Bridge Security Research Lab discovered two vulnerabilities in MijoSearch Joomla Extension version 2.0.1, which can be exploited to gain access to potentially sensitive data and perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application.

The Cross-Site Scripting vulnerability in MijoSearch exists due to insufficient sanitisation of user-supplied data appended to the "/component/mijosearch/search" URL. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

The Information Exposure Through Externally-Generated Error Message vulnerability in MijoSearch exists due to improper implementation of error handling in the "/component/mijosearch/search" URL. A remote attacker can send a specially crafted HTTP GET request to the vulnerable web application and learn the full installation path of the application.

Read full details at High-Tech Bridge Advisory HTB23186: Multiple Vulnerabilities in MijoSearch.

Thursday, December 12, 2013

HTB23183: Bitrix Site Manager - User Identity Spoofing - CWE-345

High-Tech Bridge Security Research Lab discovered a vulnerability in Bitrix Site Manager version 12.5.13, which can be exploited to spoof a user's identity and read, modify or delete pre-ordered items in a customer's basket.

The User Identity Spoofing vulnerability (CWE-345) in Bitrix Site Manager version 12.5.13 exists due to insufficient verification of the authenticity of supplied data when displaying pre-ordered items in a customer's basket in the e-Store Module of Bitrix Site Manager. A remote unauthenticated user can change the "BITRIX_SM_SALE_UID" cookie, view another user's basket and perform certain actions, e.g. add or delete items in the basket. The e-Store Module must be installed on the system, and knowledge of a valid "BITRIX_SM_SALE_UID" cookie is required. This value can be easily guessed using simple brute-force techniques, since the application increases its value by 1 with every new customer.

Below are exploitation instructions for this vulnerability. You will need to open two different browsers with plugins that allow cookie management.

  1. Open your first browser
  2. Visit the following URL http://[host]/buy/cms.php and add items to the basket.
  3. You will be redirected to the following URL: http://[host]/personal/cart.php
  4. Record your "BITRIX_SM_SALE_UID" cookie value.
  5. Open your second browser and navigate to the following URL: http://[host]/personal/cart.php
  6. Change the value of your "BITRIX_SM_SALE_UID" cookie to the one you recorded before and delete all other cookies.
  7. Refresh the page http://[host]/personal/cart.php. You will see pre-ordered items of another user.

Solution: Update "sale" module to version 14.0.1

More Information: www.bitrixsoft.com/products/cms/versions.php?module=sale
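The two weaknesses behind this advisory, a basket selected by the cookie alone and a counter as the cookie value, side by side with a session-bound random id and a log check for the guessing pattern. This is an added example in hypothetical Python, not code from Bitrix or the advisory; the store classes, the log format and the sample addresses are constructed for the demonstration.

```python
"""Counter-based basket ids vs. session-bound random ids, plus a log check.
Added example (hypothetical code, not from Bitrix or the advisory)."""
import hmac
import secrets
from collections import defaultdict


class SequentialBasketStore:
    """The weak design: each new customer gets the previous id plus 1, and
    any existing id is served to whoever presents it."""

    def __init__(self):
        self._next = 1
        self._baskets = {}

    def create(self, session_id):
        uid = str(self._next)
        self._next += 1
        self._baskets[uid] = []
        return uid

    def get(self, uid_cookie, session_id):
        # session_id is ignored: the cookie value alone selects the basket.
        return self._baskets.get(uid_cookie)


class BoundBasketStore:
    """Hardened design: a 128-bit random id that is also tied to the session
    that created it, so a copied or guessed cookie alone is not enough."""

    def __init__(self):
        self._baskets = {}  # uid -> (owner_session_id, items)

    def create(self, session_id):
        uid = secrets.token_urlsafe(16)
        self._baskets[uid] = (session_id, [])
        return uid

    def get(self, uid_cookie, session_id):
        entry = self._baskets.get(uid_cookie)
        if entry is None:
            return None
        owner, items = entry
        # Constant-time comparison so the ownership check leaks no timing.
        if not hmac.compare_digest(owner, session_id):
            return None
        return items


def flag_basket_enumeration(log_lines, threshold=5):
    """Return client IPs that presented at least `threshold` distinct
    BITRIX_SM_SALE_UID values to /personal/cart.php.

    The log format is a constructed one: "<ip> <path> <Cookie header>".
    """
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        ip, path, cookie_header = line.split(" ", 2)
        if path != "/personal/cart.php":
            continue
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "BITRIX_SM_SALE_UID":
                ids_by_ip[ip].add(value)
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= threshold)


# Constructed sample log: one regular visitor and one client cycling through ids.
SAMPLE_LOG = [
    "203.0.113.5 /personal/cart.php BITRIX_SM_SALE_UID=1042; PHPSESSID=a1",
    "203.0.113.5 /personal/cart.php BITRIX_SM_SALE_UID=1042; PHPSESSID=a1",
] + [
    f"198.51.100.9 /personal/cart.php BITRIX_SM_SALE_UID={uid}"
    for uid in range(1040, 1047)
]
```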

HTB23185: SQL Injection in InstantCMS

High-Tech Bridge Security Research Lab discovered a blind SQL injection vulnerability in InstantCMS version 1.10.3, which can be exploited to perform SQL Injection attacks, alter SQL requests and compromise the vulnerable application.

The SQL Injection vulnerability in InstantCMS exists due to insufficient filtration of the "orderby" HTTP POST parameter passed to the "/catalog/[id]" URL. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. The simple exploit code in the advisory uses a blind SQL injection technique.

Solution: Apply the patch for InstantCMS 1.10.3.
InstantCMS 1.10.3 downloaded after November 21, 2013 is already patched (without a version/release change) and is not affected by this vulnerability.

Friday, December 6, 2013

HTB23184: Cross-Site Scripting (XSS) in Jamroom

Jamroom, a social media platform, version 5.0.2 is vulnerable to cross-site scripting (XSS) attacks. Details were disclosed by High-Tech Bridge Security Research Lab.

The XSS vulnerability exists due to insufficient sanitisation of user-supplied data in the "search_string" HTTP POST parameter passed to URLs like "/search/results/all/1/4". A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

The exploitation example below uses the JavaScript "alert()" function to display the word "immuniweb":
<form action="http://[host]/search/results/all/1/4" method="post" name="main">
<input type="hidden" name="search_string" value='" onmouseover="javascript:alert("immuniweb");'>
<input type="submit" id="btn">
</form>

Solution: Update Jamroom Search module to version 1.1.1.

Friday, November 29, 2013

HTB23179: Claroline 1.11.8 multiple cross-site scripting (XSS)

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Claroline version 1.11.8, which can be exploited to perform Cross-Site Scripting (XSS) attacks against visitors and administrators of the vulnerable web application.

Cross-Site Scripting (XSS) in Claroline: CVE-2013-6267
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "box" HTTP GET parameter passed to the "/claroline/messaging/messagebox.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "ImmuniWeb":
http://[host]/claroline/messaging/messagebox.php?box=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient filtration of user-supplied data in the "cidToEdit" HTTP GET parameter passed to the "/claroline/admin/adminregisteruser.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
http://[host]/claroline/admin/adminregisteruser.php?cidToEdit=94102_001%22%3E%3Cscript%3Ealert%28%27imuniweb%27%29;%3C/script%3E

1.3 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "cidToEdit" HTTP GET parameter passed to the "/claroline/admin/admin_user_course_settings.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
http://[host]/claroline/admin/admin_user_course_settings.php?ccfrom=culist&cidToEdit=94102%22%3E%3Cscript%3Ealert%28%27imuniweb%27%29;%3C/script%3E&uidToEdit=1

1.4 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "module_id" HTTP GET parameter passed to the "/claroline/admin/module/module.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
http://[host]/claroline/admin/module/module.php?module_id=4%22%3E%3Cscript%3Ealert%28%27imuniweb%27%29;%3C/script%3E

1.5 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "offset" HTTP GET parameter passed to the "/claroline/admin/right/profile_list.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
http://[host]/claroline/admin/right/profile_list.php?cmd=exLock&offset=0%22%3E%3Cscript%3Ealert%28%27imuniweb%27%29;%3C/script%3E

Solution: Update to Claroline 1.11.9

References:

  1. High-Tech Bridge Advisory HTB23179 - Multiple Cross-Site Scripting (XSS) in Claroline.
  2. Claroline - Claroline is an Open Source software to easily deploy a platform for learning and collaboration online.

HTB23181: SQL Injection in Dokeos

High-Tech Bridge Security Research Lab discovered a vulnerability in Dokeos version 2.2RC, which can be exploited to perform SQL Injection attacks.

SQL Injection in Dokeos 2.2RC: CVE-2013-6341
The vulnerability exists due to insufficient validation of the "language" HTTP GET parameter passed to the "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database and gain complete control over the vulnerable web application.

The following exploitation example displays the version of the MySQL server:

http://[host]/index.php?language=0%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8%20--%202

Solution: An unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23181-patch.zip

References:

  1. High-Tech Bridge Advisory HTB23181 - SQL Injection in Dokeos.
  2. Dokeos - the flexible, enterprise-ready e-learning software.

Thursday, November 28, 2013

HTB23182: Chamilo LMS SQL injection SQLi

Chamilo LMS version 1.9.6 is vulnerable to SQL injection attacks, as discovered by High-Tech Bridge Security Research Lab.

Chamilo LMS - Chamilo aims at bringing you the best e-learning and collaboration platform in the open source world.

The SQL Injection vulnerability in Chamilo LMS exists due to insufficient validation of the "password0" HTTP POST parameter passed to the "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. The exploitation example in advisory HTB23182 (SQL Injection in Chamilo LMS) displays the version of the MySQL server. Successful exploitation of this vulnerability requires that the application was configured during installation not to encrypt users' passwords (the "Encryption method" option set to "none").

Solution: Edit the source code and apply changes according to vendor's instructions.

Monday, November 18, 2013

HTB23180: Tweet Blender 4.0.1 Wordpress Plugin cross-site scripting XSS

Tweet Blender Wordpress Plugin version 4.0.1 is vulnerable to cross-site scripting (XSS) attacks, as discovered (HTB23180) by High-Tech Bridge Security Research Lab.

Tweet Blender Wordpress Plugin provides several Twitter widgets: show your own tweets, show tweets relevant to post's tags, show tweets for Twitter lists, show tweets for hasht.

The Cross-Site Scripting (XSS) vulnerability in Tweet Blender exists due to insufficient sanitisation of user-supplied data in the "tb_tab_index" HTTP POST parameter passed to the "/wp-admin/options-general.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "ImmuniWeb":

<form action="http://[host]/wp-admin/options-general.php?page=tweet-blender/admin-page.php" method="post" name="main">
<input type="hidden" name="tb_tab_index" value='</script><script>alert("ImmuniWeb");</script>'>
<input type="submit" id="btn">
</form>

This vulnerability is patched in Tweet Blender version 4.0.2.

Thursday, November 14, 2013

HTB23178: Zikula Application Framework cross-site scripting (XSS)

Zikula Application Framework version 1.3.5 build 20, and probably prior versions, is vulnerable to cross-site scripting (XSS) attacks. Details of the vulnerability were disclosed this week by High-Tech Bridge Security Research Lab.

The cross-site scripting (XSS) vulnerability in Zikula Application Framework exists due to insufficient sanitisation of user-supplied data in the "returnpage" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Solution: Update to Zikula 1.3.6 build 19

Additional details are available on the researcher's page and on zikula.org.

Friday, November 8, 2013

HTB23177: SQL Injection in appRain

High-Tech Bridge Security Research Lab discovered a vulnerability in appRain, which can be exploited to perform SQL Injection attacks.

The blind SQL Injection vulnerability in appRain is caused by insufficient validation of user-supplied data appended to the "/blog-by-cat/" URL. A remote attacker can execute arbitrary SQL commands to read, modify or delete information in the application's database.

The following exploitation example displays all posts from category 1 if the MySQL server version is 5.x; otherwise no posts are displayed:
http://[host]/blog-by-cat/1%20and%20substring(version(),1,1)=5/

Solution: The vendor did not reply to notifications; an unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23177-patch.zip

Source: High-Tech Bridge Advisory HTB23177 - SQL Injection in appRain.
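The appRain and Dokeos advisories above both describe an integer-looking value (the "/blog-by-cat/" URL segment, the "language" GET parameter) spliced into SQL text, which is why the appRain probe "1 and substring(version(),1,1)=5" changes the result set. The following is an added example, not code from either project: a hypothetical blog table in SQLite (so sqlite_version() stands in for MySQL's version()), the vulnerable concatenation beside a lookup that validates and binds the value, and the regression check a maintainer would keep after patching.

```python
"""Category lookup: string concatenation vs. validated, bound parameter.
Added example (hypothetical code, not from appRain or Dokeos)."""
import re
import sqlite3


def make_db():
    """Constructed sample data: three posts across two categories."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, cat INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, 1, "first post"), (2, 1, "second post"), (3, 2, "other category")],
    )
    return conn


def posts_by_cat_unsafe(conn, cat):
    """Vulnerable pattern: the URL segment becomes part of the SQL text, so a
    trailing condition is evaluated by the database."""
    sql = f"SELECT title FROM posts WHERE cat = {cat} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# A category id is a short run of ASCII digits and nothing else.
CAT_ID = re.compile(r"[0-9]{1,9}")


def posts_by_cat(conn, cat):
    """Hardened: reject anything that is not a plain decimal integer, then bind
    the value as a parameter so the database never parses it as SQL."""
    if not isinstance(cat, str) or CAT_ID.fullmatch(cat) is None:
        raise ValueError("category id must be a decimal integer")
    sql = "SELECT title FROM posts WHERE cat = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(cat),))]


def is_rejected(conn, cat):
    """True when the hardened lookup refuses the value outright."""
    try:
        posts_by_cat(conn, cat)
    except ValueError:
        return True
    return False


# The advisory's boolean probe, adapted to SQLite (whose version starts with "3").
TRUE_PROBE = "1 and substr(sqlite_version(),1,1)='3'"
FALSE_PROBE = "1 and substr(sqlite_version(),1,1)='9'"
```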

Wednesday, November 6, 2013

Yahoo launches $15,000 bug bounty program

Yahoo launches $15,000 bug bounty after $12.50 company voucher debacle
Web portal Yahoo launched a bug bounty programme on Friday following the scandal that unravelled last month, which saw a security firm rewarded with a $12.50 Yahoo Company Store voucher for uncovering a security flaw.

In what is good news for security researchers, Yahoo said that the bounty programme will now pay up to $15,000 to ethical hackers who find vulnerabilities in its web services, a much bigger reward than its previous policy of offering a company t-shirt. Read more at The Inquirer

Yahoo offers $15,000 to bug hunters
Yahoo is seeking to entice bug hunters with rewards up to $15,000 depending on the severity of the bug found. The web giant was criticized by security researchers for paying a measly $12.50 in Yahoo discount vouchers to security researchers at High-Tech Bridge for two cross site scripting (XSS) bugs they had reported. Yahoo's security head, Ramses Martinez, claimed later that he was behind the voucher reward program, and that he basically had been paying for them out of his own pocket. Read more at AfterDawn Oy

Following controversy, Yahoo officially launches bug bounty program
As promised, Yahoo formally kicked off its bug bounty program late last week, aiming to correct what many in the security industry viewed as a misstep after it handed out a paltry $12.50 credit to a researcher for discovering a cross-site scripting error.

The company caught flak in September when it was reported that the $12.50 – a scant prize as it is – came as a discount code that could be used toward Yahoo-branded merchandise like t-shirts, cups and pens from its store. Read more at Threatpost

Monday, November 4, 2013

HTB23176: Cross-Site Scripting (XSS) in GuppY

High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in GuppY, which can be exploited to perform Cross-Site Scripting attacks against users of the vulnerable application.

The first Cross-Site Scripting (XSS) vulnerability in GuppY exists due to insufficient sanitisation of user-supplied data in the "an" HTTP GET parameter passed to the "/agenda.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to display the user's cookies:
http://[host]/agenda.php?agv=2&an=%22%20onmouseover%3dalert%28%27document.cookie%27%29%20%22

The second XSS vulnerability exists due to insufficient sanitisation of user-supplied data in the "cat" HTTP GET parameter passed to the "/mobile/thread.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to display the user's cookies:
http://[host]/mobile/thread.php?cat=1%22%20onmouseover%3dalert%28%27document.cookie%27%29%20%22

Solution: Update to GuppY 4.6.28

Source: High-Tech Bridge security advisory HTB23176.
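The XSS examples on this page break out of two different HTML contexts: the Jamroom and GuppY payloads close a quoted attribute and add an event handler, while the Tweet Blender payload closes an inline script block. The following added example (hypothetical Python, not code from Jamroom, Claroline, Tweet Blender or GuppY) renders a value into each context the vulnerable way and the hardened way, using the standard-library encoder appropriate for that context, and inspects the result the way a browser's parser would.

```python
"""Context-aware output encoding for attribute and script-block contexts.
Added example (hypothetical code, not from any of the advisories' projects)."""
import html
import json
import re
from html.parser import HTMLParser

# --- attribute context (Jamroom "search_string", GuppY "an" / "cat") ---


def render_search_field_unsafe(search_string):
    """Vulnerable pattern: raw input inside a double-quoted attribute."""
    return f'<input name="search_string" value="{search_string}">'


def render_search_field(search_string):
    """Hardened: html.escape(quote=True) encodes & < > " ' so the value can
    neither terminate the attribute nor introduce a new one."""
    return f'<input name="search_string" value="{html.escape(search_string, quote=True)}">'


# --- script-block context (Tweet Blender "tb_tab_index" echoed inside <script>) ---


def js_string_literal(value):
    """JSON-encode, then \\u-escape < > & so the literal can never contain
    "</script>": the HTML tokenizer ends a script element on "</script"
    regardless of JavaScript quoting. json.loads() still yields the original."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_tab_index_unsafe(tab_index):
    """Vulnerable pattern: raw input interpolated into an inline script."""
    return f'<script>var tbTabIndex = "{tab_index}";</script>'


def render_tab_index(tab_index):
    """Hardened: the value is emitted as a safe JavaScript string literal."""
    return f"<script>var tbTabIndex = {js_string_literal(tab_index)};</script>"


def round_trips(value):
    """True if the escaped literal decodes back to the original value."""
    return json.loads(js_string_literal(value)) == value


# --- helpers that look at the output the way a browser parser would ---


class _InputAttrs(HTMLParser):
    """Collects the attributes the HTML parser assigns to the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup):
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def script_end_tags(markup):
    """How many times "</script" occurs: more than one means the block was broken out of."""
    return len(re.findall(r"</script", markup, flags=re.IGNORECASE))


# Constructed payloads shaped like the advisories' examples.
ATTR_PAYLOAD = '" onmouseover="alert(1)'
SCRIPT_PAYLOAD = '</script><script>alert(1)</script>'
```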

Friday, October 18, 2013

HTB23175: Remote Code Execution in Microweber

High-Tech Bridge Security Research Lab discovered a vulnerability in Microweber, which can be exploited to delete arbitrary files and, as a consequence, compromise the vulnerable system.

Improper Access Control in Microweber (CVE-2013-5984): the vulnerability exists due to improper access restriction on the "/userfiles/modules/admin/backup/delete.php" script and insufficient validation of user-supplied input passed via the "file" HTTP GET parameter.

A remote unauthenticated attacker can delete arbitrary files on the target system with the privileges of the web server, using directory traversal sequences and a NULL byte.

The exploitation example below deletes the application's configuration file "config.php":
http://[host]/userfiles/modules/admin/backup/delete.php?file=../../../../../config.php

After the "config.php" file is deleted, the application offers to re-install itself from scratch when "/index.php" is accessed. Further exploitation of this vulnerability allows the attacker to reinstall the application and obtain full administrative access to it.

After a successful re-installation the attacker can use the application's "Admin Console" module to execute arbitrary PHP code on the target system.

The simple exploit below displays the output of the "phpinfo()" PHP function after a successful re-installation of the application:
POST /module/ HTTP/1.1
module=admin%2Fconsole%2Fterm&data-type=admin%2Fconsole%2Fterm&id=mw_exec_term_command&class=+module++&exec_command=cGhwaW5mbw==&exec_command_params=MQ%3D%3D

Solution: Update to Microweber version 0.830

Source: High-Tech Bridge security advisory HTB23175.

Friday, October 11, 2013

HTB23174: Cross-Site Scripting (XSS) in Feng Office

Feng Office version 2.3.2-rc is vulnerable to cross-site scripting attacks against users of the vulnerable application.

The vulnerability exists due to insufficient sanitisation of user-supplied data in the "ref_[any]" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

An exploitation example and additional details are available on the advisory page.

Friday, October 4, 2013

HTB23171: Gnew 2013.1 multiple vulnerabilities

Gnew version 2013.1, and probably prior versions, suffers from PHP file inclusion and SQL injection vulnerabilities, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against the vulnerable application.

The PHP File Inclusion vulnerability in Gnew exists due to insufficient validation of user-supplied input passed via the "gnew_language" cookie to the "users/login.php" script before it is used in the "include()" function. A remote attacker can include and execute arbitrary local files on a vulnerable system via a directory traversal sequence and a URL-encoded NULL byte.

The SQL Injection vulnerabilities in Gnew exist due to insufficient filtration of the following HTTP POST parameters:

  1. "friend_email" passed to "news/send.php"
  2. "user_email" passed to "users/register.php"
  3. "answer_id" and "question_id" passed to "/polls/vote.php"
  4. "story_id" passed to "/comments/add.php" and "/comments/edit.php"
  5. "thread_id" passed to "/posts/add.php" and "/posts/edit.php"

As a solution it is suggested to apply an unofficial patch developed by High-Tech Bridge Security Research Lab, which is available here: https://www.htbridge.com/advisory/HTB23171-patch.zip

The full advisory and additional details are available here.
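The Microweber "file" parameter above and the Gnew "gnew_language" cookie share the same root cause: a user-controlled value becomes a filesystem path without being confined to its intended directory, and a NULL byte truncates whatever suffix the code appends. The following is an added example (hypothetical Python, not code from Microweber or Gnew) of the checks a hardened handler needs: reject NUL bytes, resolve ".." and symlinks with realpath, and require the result to stay under the base directory; for the language case an allow-list is shown, so the cookie never becomes a path at all. It assumes the handler receives the raw, still URL-encoded value.

```python
"""Confining a user-supplied file name to its directory.
Added example (hypothetical code, not from Microweber or Gnew)."""
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(ValueError):
    pass


def resolve_inside(base_dir, user_value):
    """Return the absolute path for user_value under base_dir, or raise UnsafePath."""
    # Decode once so an encoded "%00" is seen as the NUL byte it becomes.
    value = unquote(user_value)
    if "\x00" in value:
        raise UnsafePath("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    # commonpath avoids the "/var/www-evil" prefix trap of a plain startswith().
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{value!r} escapes {base}")
    return candidate


def delete_backup(backup_dir, file_param):
    """Delete one file from the backup directory; returns the path removed."""
    target = resolve_inside(backup_dir, file_param)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target


# Allow-list for the language cookie: the value is a key, never a path.
LANGUAGES = {"en", "fr", "de"}


def pick_language(cookie_value, default="en"):
    return cookie_value if cookie_value in LANGUAGES else default


def demo():
    """Constructed layout: <root>/config.php and <root>/userfiles/backup/old.zip.
    Returns which inputs were accepted or refused and whether config.php survived."""
    root = tempfile.mkdtemp()
    backup = os.path.join(root, "userfiles", "backup")
    os.makedirs(backup)
    for rel in ("config.php", os.path.join("userfiles", "backup", "old.zip")):
        open(os.path.join(root, rel), "w").close()

    results = {}
    removed = delete_backup(backup, "old.zip")
    results["legit"] = removed == os.path.join(os.path.realpath(backup), "old.zip")
    attempts = {
        "traversal": "../../config.php",        # shape of the Microweber example
        "nul": "../../config.php%00.zip",       # traversal plus encoded NUL
    }
    for name, param in attempts.items():
        try:
            delete_backup(backup, param)
            results[name] = False
        except UnsafePath:
            results[name] = True
    results["config_survives"] = os.path.exists(os.path.join(root, "config.php"))
    return results
```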

Thursday, October 3, 2013

HTB23173: GLPI remote code execution

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in GLPI version 0.84.1, which can be exploited to bypass security restrictions and execute arbitrary PHP code with the privileges of the web server.

The improper access control vulnerability in GLPI exists due to insufficient access restrictions on the installation script "install/install.php", which is present by default after the application is installed. A remote attacker can change the application's configuration, such as the database host, forcing the application to connect to an external database, and thereby spoof information on the website, obtain access to sensitive information or simply cause a denial of service.

The arbitrary PHP code injection vulnerability in GLPI exists due to insufficient validation of user-supplied input passed to the "db_host", "db_user", "db_pass" and "databasename" HTTP POST parameters via the "install/install.php" script (present by default after installation) before the data is written into the "config_db.php" file. A remote attacker can inject and execute arbitrary PHP code on the vulnerable system.

Solution: update to GLPI 0.84.2. All details, with PoC examples, are available on the security researcher's page.

Friday, September 27, 2013

HTB23172: X2CRM's multiple security vulnerabilities

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in X2CRM version 3.4.1, which can be exploited to include arbitrary local files and execute arbitrary PHP code, as well as to perform cross-site scripting (XSS) attacks against users of the vulnerable application.

The PHP File Inclusion vulnerability in X2CRM exists due to insufficient filtration of the "file" HTTP GET parameter passed to the "index.php/admin/translationManager" URL before it is used in the PHP "include()" function. A remote authenticated administrator can include and execute arbitrary local PHP files on the target system using directory traversal sequences. Successful exploitation of this vulnerability requires administrative privileges; however, it can also be exploited via a CSRF vector, to which the application is prone.

The cross-site scripting (XSS) vulnerability exists due to insufficient sanitisation of user-supplied data in the "model" HTTP GET parameter passed to the "index.php/admin/editor" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

Solution: Update to X2CRM 3.5

More information: www.htbridge.com/advisory/HTB23172.

Thursday, September 19, 2013

HTB23168: vtiger CRM's SQL Injection

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in vtiger CRM version 5.4.0, which can be exploited to execute arbitrary SQL commands in the application's database.

vtiger CRM is an on demand customer relationship management software that provides sales, marketing, and support teams with powerful tools to efficiently and effectively collaborate in providing the ideal customer experience.

This SQL injection vulnerability exists due to insufficient validation of the "onlyforuser" HTTP GET parameter passed to the "index.php" script. A remote authenticated user can execute arbitrary SQL commands in the application's database. Successful exploitation of this vulnerability requires the attacker to be registered and logged in, and registration is disabled by default. The severity of this issue is therefore medium, with a CVSSv2 Base Score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P). Read the full advisory and solution details on htbridge.com.

Monday, September 16, 2013

Nasdaq website security vulnerabilities

A penetration testing company uncovered security vulnerabilities on the NASDAQ website that remained open for two weeks after the stock exchange was notified.
NASDAQ Website Security Vulnerabilities Remained Open for Weeks After Alert (securityweek.com)

Exchange delayed fixing potentially critical website vulnerabilities despite multiple alerts, security firm says
Nasdaq waited two weeks to fix flaws (computerworld.com)

Ilia Kolochenko, head of Swiss information security company High-Tech Bridge, says he’s repeatedly warned Nasdaq.com that hackers could steal users’ browser history or confidential data, but claims the exchange has done nothing to fix the problem. 'It is quite frightening when you think about it,' he says.
Cybersecurity pro on Nasdaq website: 'I needed 10 minutes to hack' (nydailynews.com)

Thursday, September 12, 2013

ImmuniWeb® Self-Fuzzer Firefox Extension

High-Tech Bridge announced a new Firefox add-on: ImmuniWeb® Self-Fuzzer.

ImmuniWeb® Self-Fuzzer is a simple and free extension that fuzzes the user's HTTP requests in real time to detect SQLi and XSS vulnerabilities on a website, demonstrating how easily these two most common web weaknesses can be found by anyone.

Description in PDF format: ImmuniWeb® Self-Fuzzer Firefox Extension

A demo video is also available.

Wednesday, September 11, 2013

HTB23170: WikkaWiki 1.3.4 XSS vulnerability

WikkaWiki version 1.3.4 is vulnerable to a cross-site scripting attack, described in the HTB23170 security advisory. The vulnerability exists due to insufficient sanitisation of user-supplied data in the "wakka" HTTP GET parameter passed to the "/sql/" URL. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. An exploit example is available on the security research page.

Solution: upgrade to WikkaWiki version 1.3.4-p1, which is available here.

Saturday, September 7, 2013

HTB23169: Collabtive - improper access control vulnerability

High-Tech Bridge SA Security Research Lab has discovered a vulnerability in Collabtive version 1.0, which can be exploited to gain complete control over the application. The vulnerability exists due to improper access restrictions on the third installation step after the application has been installed. A remote attacker can send a specially crafted HTTP POST request to the "install.php" script and create a new user with administrative privileges. The installation script is not deleted after application installation and is publicly available by default. Update to Collabtive 1.1 to fix this vulnerability.

Thursday, September 5, 2013

XSS in BackWPup WordPress plugin HTB23161

BackWPup version 3.0.12 (WordPress plugin) is vulnerable to cross-site scripting (XSS) attacks against the website administrator. The vulnerability exists due to insufficient filtration of user-supplied data in the "tab" HTTP GET parameter passed to the "wp-admin/admin.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

Full details and an exploitation example for the BackWPup XSS vulnerability are available here. Solution: upgrade your installation to BackWPup 3.0.13.

Sunday, September 1, 2013

XSS in Twilight CMS & path traversal in DeWeS Web Server

Details and PoCs for the XSS in Twilight CMS 5.17 and the path traversal in DeWeS Web Server 0.4.2 are available here and here.

HTB23165: BigTree CMS vulnerabilities - SQLi, XSS, XSRF

Multiple vulnerabilities were found in BigTree CMS 4.0 RC2 by the HTB Security Research Lab.

SQL Injection in BigTree CMS: CVE-2013-4879 - exists due to insufficient sanitisation of user-supplied data passed to the "site/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.

Cross-Site Request Forgery (CSRF) in BigTree CMS: CVE-2013-4881 - exists due to insufficient validation of the HTTP request origin. A remote attacker can create a malicious web page with a CSRF exploit, trick a logged-in administrator into opening that page and create a new user with administrative privileges.

Cross-Site Scripting (XSS) in BigTree CMS: CVE-2013-4880 - exists due to insufficient filtration of user-supplied data in the "module" HTTP GET parameter passed to the "site/index.php/admin/developer/modules/views/add/" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

To fix these vulnerabilities, follow the instructions on the researcher's page.

Monday, August 19, 2013

Cotonti SQL injection

An SQL injection vulnerability was discovered in Cotonti 0.9.13 (HTB23164). The vulnerability exists due to insufficient filtration of the "c" HTTP GET parameter passed to the "index.php" script when the HTTP GET "e" parameter is set to "rss". As a solution you can upgrade to Cotonti 0.9.14.

Jahia xCM XSS vulnerabilities

Multiple XSS vulnerabilities were discovered in Jahia xCM version 6.6.1.0 r43343 by High-Tech Bridge Security Research Lab, which can be exploited to perform cross-site scripting attacks against the administrator of the vulnerable application.

The vulnerabilities exist due to insufficient sanitisation of user-supplied data in the following parameters:

  1. "site" HTTP GET parameter passed to the "/engines/manager.jsp" script
  2. "searchString" HTTP POST parameter passed to the "/administration/" URI when "do=users" and "sub=search"
  3. "username", "manage-user-property#j:firstName", "manage-user-property#j:lastName", "manage-user-property#j:email" and "manage-user-property#j:organization" HTTP POST parameters passed to the "/administration/" URI when "do=users" and "sub=processCreate"

The risk level of these issues is Low, CVSSv2 Base Score 2.6.

It is recommended to apply hotfix 7, which is available to all customers.

Saturday, August 17, 2013

Duplicator WordPress Plugin cross-site scripting XSS vulnerability

Duplicator WordPress Plugin version 0.4.4 is vulnerable to a cross-site scripting (XSS) attack because of insufficient filtration of user-supplied data in the "package" HTTP GET parameter passed to the "wp-content/plugins/duplicator/files/installer.cleanup.php" script. The attack can be used against a logged-in administrator to steal login cookies. Upgrade to Duplicator version 0.4.5 to be safe from this vulnerability in this plugin for WP.

Additional details provided here: www.htbridge.com/advisory/HTB23162.

Magnolia CMS cross-site scripting XSS vulnerability

Magnolia CMS versions 4.5.7 - 5.0.1 are vulnerable to a cross-site scripting (XSS) vulnerability due to insufficient sanitisation of user-supplied data in the "username", "fullname" and "email" HTTP POST parameters passed to the "magnoliaPublic/demo-project/members-area/registration.html" URL. Proof-of-Concept code and a how-to-fix guide are available on the researcher's page: https://www.htbridge.com/advisory/HTB23163.

Tuesday, July 23, 2013

Security for brokers and insurers: Welcome to the World Wild Web

A basic, visual security awareness introduction for brokers and insurers was presented by Frederic Bourla at the 4th brokers forum held in Chavannes-de-Bogis, covering some of the threats that could have a deadly impact on brokers' businesses.

Monday, July 22, 2013

Exclusive First Look: ImmuniWeb by High-Tech Bridge - EH-Net Online Mag

Ever since the Internet took off from its humble beginnings as a simple connection between the two networks of UCLA and Stanford for educational purposes, it has increasingly been used by the global population as a means of communication, commerce, charity and much more. The myriad ways of utilizing the Internet backbone all require software engineering of web-enabled applications (webapps). A new product from High-Tech Bridge SA called ImmuniWeb® performs webapp security assessments. If you’re like me, you’re probably thinking that this is just another webapp vulnerability scanner but hang on! It provides an innovative hybrid approach along with some really creative additional modules for assessing security beyond just the webapp. Why would we need such a hybrid approach? Read more at ethicalhacker.net.

Thursday, July 18, 2013

Global Security Mag Online: In 2013 web application vendors patch security vulnerabilities within 3 weeks on average

In Q1 and Q2 of 2013 Cross-Site Scripting (XSS) was the most common vulnerability in web applications, SQL Injection took second place, and Cross-Site Request Forgery third. During this period 65% of discovered vulnerabilities had medium risk and 20% had high risk. 95% of vendors released security patches before public disclosure of the vulnerabilities. On average, vendors released security patches within 3 weeks after they were notified about the discovered vulnerabilities. Read more at globalsecuritymag.com.

Computer Business Review: Cross-Site Scripting most vulnerable among web apps

Cross-Site Scripting (XSS) was the most common vulnerability in web applications found during the first half of 2013, followed by SQL Injection and Cross-Site Request Forgery, a new report has found. Read full article: cbronline.com.

Help Net Security: Vendors patch security vulnerabilities within 3 weeks

High-Tech Bridge Security Research Lab released its statistics on web application security for the first half of 2013. The statistics are based on HTB Security Advisories, which are released on a weekly basis and cover 73 vulnerabilities in open-source web applications whose names are quoted at least 50'000 times in Google. Read more at net-security.org.

Infosecurity: Complex Coding Makes Web Apps a Bit Safer

Malware and internet-based attacks continue to escalate in both volume and complexity, but when it comes to web application security, critical-level risk appears to be in the minority thanks to the convoluted code that most apps run on. Read more at infosecurity-us.com.

Wednesday, July 17, 2013

HTB23160: OpenCms XSS vulnerabilities

OpenCMS

About one month ago High-Tech Bridge Security Research Lab discovered two cross-site scripting (XSS) vulnerabilities in OpenCMS version 8.5.1; they have now been disclosed as "Multiple Cross-Site Scripting (XSS) in OpenCms: CVE-2013-4600".

Descriptions of vulnerabilities:

  • Exists due to insufficient sanitisation of user-supplied data in "title" HTTP GET parameter passed to "opencms/opencms/system/workplace/views/admin/admin-main.jsp" script.

  • Exists due to insufficient sanitisation of user-supplied data in "requestedResource" HTTP POST parameter passed to "opencms/opencms/system/login/index.html" URL.

These issues are now fixed; the solution is to upgrade to OpenCms 8.5.2.

Monday, July 8, 2013

Softpedia: XSS and LFI Vulnerabilities Fixed in OpenX Advertising Platform

Experts from the High-Tech Bridge Security Research Lab have identified multiple vulnerabilities in OpenX, the popular advertising platform. The flaws can be exploited to execute arbitrary PHP code, launch cross-site scripting (XSS) attacks and compromise affected systems.

The first vulnerability is a Local File Inclusion (LFI) issue that can be exploited by an attacker that has administrative privileges, or by tricking a logged-in OpenX administrator to open a malicious web page that triggers Cross-Site Request Forgery (CSRF) exploit code.

Experts have also discovered a couple of XSS vulnerabilities that can be leveraged by a remote attacker to get administrators to execute arbitrary code by tricking them into opening a specially crafted link.

The vulnerabilities, which affect OpenX 2.8.10 and probably older versions, were reported to the vendor on May 8. They were addressed last week.

Additional technical details and patches are available here.

Source: Softpedia, Eduard Kovacs

Friday, July 5, 2013

SecurityWeek: OpenX Addresses New Security Flaws with Latest Update

Article by Steve Ragan:
OpenX, the open source ad serving platform, patched two flaws last week, after they were discovered by Geneva, Switzerland’s High-Tech Bridge. The platform has had several issues before, and is a favorite target of criminals operating using malvertising as an attack vector.

According to the High-Tech Bridge advisory, OpenX patched two flaws in the final days of June. The first was a file inclusion vulnerability, which if the attacker has administrative privileges, can be used to access stored files such as the web server's /etc/passwd file.

"Successful exploitation of these vulnerabilities requires administrative privileges, however they can also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick logged-in OpenX administrator to open a specially crafted web page with CSRF exploit code," the advisory explains.

Read Full Article at: SecurityWeek.com

Related posts:
HTB23155: OpenX PHP file inclusion & cross-site scripting
Serious vulnerabilities in OpenX ad platform expose millions to risk

Thursday, July 4, 2013

Help Net Security: Serious vulnerabilities in OpenX ad platform expose millions to risk

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenX, which can be exploited to execute arbitrary PHP code, perform Cross-Site Scripting (XSS) attacks and compromise the vulnerable system.

Read More at Help Net Security.

Wednesday, July 3, 2013

HTB23155: OpenX PHP file inclusion & cross-site scripting

OpenX

Multiple vulnerabilities (PHP file inclusion and cross-site scripting) in OpenX version 2.8.10 have been discovered by High-Tech Bridge Security Research Lab about 2 months ago and disclosed this week.

  • Local File Inclusion in OpenX:
    Input passed via the "group" HTTP GET parameter to the "/www/admin/plugin-preferences.php" and "/www/admin/plugin-settings.php" scripts is not properly verified before being used in the PHP include() function and can be exploited to include arbitrary local files via directory traversal sequences and URL-encoded NULL byte techniques.

  • Cross-Site Scripting (XSS) in OpenX:
    The vulnerabilities exist due to insufficient filtration of user-supplied data in the "package" HTTP GET parameter passed to the "/www/admin/plugin-index.php" script and the "group" HTTP GET parameter passed to the "/www/admin/plugin-settings.php" script.

To fix these issues, replace the files from the SVN repository as described in High-Tech Bridge security advisory HTB23155: Multiple Vulnerabilities in OpenX; a diff file is also available. Proof-of-Concept (PoC) examples are also available on the researcher's page.

HTB23158: Kasseler CMS multiple vulnerabilities

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Kasseler CMS version 2 r1223, which can be exploited to perform SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks and compromise the vulnerable application.

SQL Injection:
Exists due to insufficient validation of "groups" HTTP POST parameter passed to "admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.

Stored Cross-Site Scripting (XSS):
Exists due to insufficient filtration of "cat" HTTP POST parameter passed to "admin.php" script. A remote attacker with privileges to create categories can permanently inject arbitrary HTML and script code into application database that will be executed in browser of every website visitor.

Cross-Site Request Forgery (CSRF):
Exists due to the absence of CSRF protection mechanisms in the entire application. A remote attacker can trick a logged-in administrator into visiting a specially crafted web page with CSRF exploit code. This enables the attacker to execute arbitrary SQL queries in the application's database and gain complete control over the application.

Upgrade to Kasseler CMS 2 r1232 to stay secure from these issues.

ImmuniWeb® Web Security Assessment SaaS is certified CVE and CWE Compatible

CWE Common Weakness Enumeration
CVE Common Vulnerabilities and Exposures

High-Tech Bridge SA, is pleased to announce that its innovative web application security assessment SaaS solution ImmuniWeb® has successfully obtained CVE and CWE Compatibility certifications from MITRE.

ImmuniWeb® is officially "CVE-Compatible" and "CWE-Compatible".

ImmuniWeb® is a unique hybrid of a security vulnerability scanner and manual penetration testing run in parallel, distributed as a SaaS (Software-as-a-Service) solution. It is an inexpensive and efficient tool for assessing the security of your website. The ImmuniWeb® Portal is a web platform from which the customer can manage the security assessment process from beginning to end and receive the assessment report in a secure manner. It enables even SMBs and private persons who are not familiar with information security to order a security assessment of their website very quickly.

ImmuniWeb Security Assessment

MITRE CVE and CWE News:
1 Product from High Tech Bridge Now Registered as Officially "CVE-Compatible"
1 Product from High Tech Bridge Now Registered as Officially "CWE-Compatible"

Friday, June 28, 2013

HTB23156: Xaraya multiple cross-site scripting (XSS) vulnerabilities

Xaraya version 2.4.0-b1 suffers from cross-site scripting [CWE-79] vulnerabilities.

High-Tech Bridge Security Research Lab discovered four XSS vulnerabilities in Xaraya, which can be exploited to perform cross-site scripting attacks against administrators of vulnerable application.

These issues exist due to insufficient sanitisation of user-supplied data passed via the "id", "interface", "name" and "tabmodule" HTTP GET parameters to the "/index.php" script. Exploitation examples are available on the HTB23156 security advisory page.

Solution for XSS in Xaraya
Because the Xaraya Development Group did not reply to repeated notifications, an unofficial patch was developed by High-Tech Bridge Security Research Lab.

Wednesday, June 26, 2013

HTB23157: SQL Injection in Dolphin 7.1.2

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Dolphin 7.1.2, which can be exploited to manipulate SQL requests passed to the vulnerable application and obtain sensitive data from the database.

Dolphin is the world's most advanced software platform for building vibrant community websites.

The vulnerability exists due to insufficient validation of the "pathes[]" HTTP POST parameter passed to the "administration/categories.php" PHP script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database. The vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. Basic CSRF exploit code based on a DNS exfiltration technique is available on the security advisory page; it applies when the database of the vulnerable application is hosted on a Windows system.

How to fix SQL Injection in Dolphin?
Upgrade to Dolphin 7.1.3 (see "Stability, Security, Spam-Prevention and More - Dolphin 7.1.3 Released!").

Thursday, June 6, 2013

High-Tech Bridge Named a Top Trusted Website in OTA's 2013 Online Trust Honor Roll

High-Tech Bridge SA announced it has been named to the Online Trust Alliance (OTA) 2013 Online Trust Honor Roll for demonstrating exceptional data protection, privacy and security in an effort to better protect its customers and brand. For High-Tech Bridge this is the second consecutive nomination for this prestigious global award, which the company already received in 2012.

OTA, a nonprofit organization that works collaboratively with industry leaders to enhance online trust, completed comprehensive audits analyzing more than 750 domains and privacy policies, approximately 10,000 web pages and more than 500 million emails for this report. The composite analysis included over a dozen attributes focusing on:

  1. Site & server security,
  2. Domain, brand, email and consumer protection,
  3. Privacy policy and practices.

In addition to the in-depth analysis of their web sites, Domain Name Systems (DNS), outbound emails, and public records were analyzed for recent data breach incidents and FTC settlements. Key sectors audited include the Internet Retailer 500, FDIC 100, Top 50 Social Sites as well as OTA members.

"Consumers are trading billions of pieces of personal data in exchange for desired services and are relying on the integrity of businesses collecting and storing that information to protect them," said Craig Spiezle, president and executive director of Online Trust Alliance. "As a 2013 Honor Roll Recipient, High-Tech Bridge has demonstrated excellence in leadership and commitment to protecting consumers and building trust through data protection, security, and privacy."

"At High-Tech Bridge we are honored to receive the OTA Online Trust Honor Roll award. Being a member of OTA Advisory Council our company shares the values and objectives promoted by Online Trust Alliance, such as global trust and security in the cyber space," said Ilia Kolochenko, CEO of High-Tech Bridge. "We are committed to support OTA projects and initiatives, and this year we are especially proud that our new product ImmuniWeb® was used by OTA during Honor Roll scoring."

Being named to the 2013 Honor Roll is a significant achievement considering the large number of companies that received failing marks for inadequate domain and consumer protection (14%), insecure websites (7%), and inadequate privacy policies or data collection practices (36%).

www.htbridge.com

About The Online Trust Alliance
The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust, while promoting innovation and the vitality of the internet. Our goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship.

About High-Tech Bridge
High-Tech Bridge SA is a leading provider of information security services, such as penetration testing, network security auditing, consulting and computer crime forensics. In 2012 Frost & Sullivan has recognized High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry. High-Tech Bridge devotes significant resources to information security research. High-Tech Bridge Security Research Lab helped various software vendors improving security of their products, including such vendors as Microsoft, IBM, Novell, McAfee, Sony, HP, Samsung, OpenOffice, Corel, OpenX, Joomla, WordPress, UMI.CMS, and hundreds of others.

Contact Information:
High-Tech Bridge SA
Mr. Patrick Tran
+41 22 560 68 43
www.htbridge.com

Wednesday, June 5, 2013

Frost & Sullivan: High-Tech Bridge Moves Ethical Hacking to the Cloud with ImmuniWeb® SaaS

Movers & Shakers Interview with Ilia Kolochenko, CEO of High-Tech Bridge, a Leading Provider of Ethical Hacking Services in Europe

Mr. Kolochenko, the CEO of High-Tech Bridge and creative mind of ImmuniWeb® talked to Frost & Sullivan about the recent launch of ImmuniWeb® Beta, an innovative cloud-based ethical hacking SaaS solution for web applications.

The fundamentals of ImmuniWeb are ease and rapidity of use, and a powerful combination of human and machine. "ImmuniWeb is a hybrid of manual penetration testing, performed by a security auditor, and automated security assessment under thorough control of the auditor. ImmuniWeb security assessment can be purchased and configured in less than 15 minutes on the ImmuniWeb Portal," Mr. Kolochenko says.

"ImmuniWeb presents a solution to three common issues of ethical hacking and the security auditing industry: lack of in-house technical knowledge among customers, administrative and regulatory complexities that take a lot of time, and relatively high market prices," he explains. "ImmuniWeb has a very attractive quality-price ratio and simplicity of use, making web application security assessment affordable to SMBs and even to private persons."

ImmuniWeb tackles one of the main end-user challenges when engaging ethical hacking services. "Although the ethical hacking market is quite well developed today, and there are many qualified players in the market, quite often customers still have to decide between buying either a good quality service at quite an excessive price or a cheap service whose quality is not even worth its dumping price," Mr. Kolochenko explains. "We felt an obligation to find a solution that would be fair in terms of pricing, and technically efficient."

To read the entire interview and learn more on ImmuniWeb please see Movers & Shakers Interview with Ilia Kolochenko - CEO of High-Tech Bridge on frost.com.

Frost & Sullivan is proud to showcase Movers & Shakers interviews, highlighting dynamic companies and leaders in the corporate world. These organizations and individuals are recognized for achieving milestones such as launching a breakthrough technology, executing a key strategic acquisition, or implementing a revolutionary vision for the future of their industries.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today's market participants.

Our "Growth Partnership" supports clients by addressing these opportunities and incorporating two key elements driving visionary innovation: The Integrated Value Proposition and The Partnership Infrastructure.

  • The Integrated Value Proposition provides support to our clients throughout all phases of their journey to visionary innovation including: research, analysis, strategy, vision, innovation and implementation.
  • The Partnership Infrastructure is entirely unique as it constructs the foundation upon which visionary innovation becomes possible. This includes our 360 degree research, comprehensive industry coverage, career best practices as well as our global footprint of more than 40 offices.

For more than 50 years, we have been developing growth strategies for the global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?

Contact Us: Start the discussion

Join Us: Join our community

Subscribe: Newsletter on "the next big thing"

Register: Gain access to visionary innovation

Contact:
Joanna Lewandowska
Frost & Sullivan
Corporate Communications – Europe
Phone: +48 22 481 62 20
Email: joanna.lewandowska (at) frost.com
http://www.frost.com

SOURCE: Frost & Sullivan

Friday, May 17, 2013

High-Tech Bridge: Speaker at Fribourg IT Security Day 2013

High-Tech Bridge's Vice-President Stephane Koch will give a talk at Fribourg IT Security Day (FISD) about human risks, social engineering and other dangers that users face in the era of social networks.

Fribourg IT Security Day 2013 will take place:

On the 28th of May 2013
08:30 - 16:00
École d'Ingénieurs et d'Architectes
Auditoire Edouard Gremaud
Bd de Pérolles 80
Fribourg, Switzerland

The official event program and registration are available here. High-Tech Bridge looks forward to meeting you at FISD 2013!

Thursday, May 16, 2013

High-Tech Bridge: Gold Sponsor at ITSecuDay Geneva 2013

High-Tech Bridge participates for the second time in ITSecuDay Geneva, as a Gold Sponsor of the event. The event will gather leading security experts from Geneva to discuss the latest trends in information security.

ITSecuDay Geneva 2013 will take place:

On the 24th of May 2013
08:45 - 17:00
Hotel Bristol Geneva
10 Rue du Mont-Blanc
Geneva, Switzerland

The event program is available here. To participate in the event, please follow the Registration link.

Wednesday, May 15, 2013

Web Security: High-Tech Bridge launches ImmuniWeb® Beta

High-Tech Bridge SA, a leading Swiss information security company recognized as one of the market leaders and best service providers in the ethical hacking industry by Frost & Sullivan in 2012, is pleased to introduce ImmuniWeb® Beta.

ImmuniWeb®

ImmuniWeb® is a next-generation web application security assessment solution with a Software-as-a-Service delivery model. It is a unique hybrid of a cutting-edge web security scanner and an accurate manual web application penetration test.

Ilia Kolochenko, CEO of High-Tech Bridge, says: "Today many SMBs are unfairly prevented from securing their websites due to budget, internal technical skills or administrative restrictions. We are glad to launch our innovative SaaS ImmuniWeb® that enables SMBs to secure their websites in simple, efficient and cost-affordable manner. Starting today the service will run in Beta mode during some time in order to get feedback from our customers and probably add some additional features and options they will consider useful."

Marsel Nizamutdinov, Chief Security Research Officer, adds: "I am very glad that after several years of our hard work we can finally announce the launch of ImmuniWeb®. This will enable anyone to benefit from our skills, experience and research in the domain of web application security. Moreover, other similar products that make information security simple, efficient and fair are currently being developed. Our Corporate Management invests a lot into Research and Development and will continue to do so in the future to assure permanent growth and innovation."

Frederic Bourla, Chief Security Specialist, comments: "According to the recent ISTR 2013 study from Symantec, SMEs are now clearly a prime target for hackers. In 2012 businesses with fewer than 250 employees were targeted by nearly one third of worldwide cyber-attacks, which is approximately twice as much as the previous year. And from our own experience those figures are probably slightly lower than the reality in Switzerland, so we are now pleased to offer SMEs the opportunity to address this trend."

ImmuniWeb® Beta is currently available to the holders of Invite Codes distributed by High-Tech Bridge. It is also possible to leave a request for Invite Code on ImmuniWeb® Portal.

Source: High-Tech Bridge

HTB23154: Exponent CMS multiple vulnerabilities

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of the vulnerable application and execute arbitrary PHP code on the vulnerable system.

SQL Injection in Exponent CMS: CVE-2013-3294

The vulnerability exists due to insufficient filtration of "src" and "username" HTTP GET parameters passed to "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

PHP File Inclusion in Exponent CMS: CVE-2013-3295

The vulnerability is caused by improper filtration of user-supplied input passed via the "page" HTTP GET parameter to "/install/popup.php" script, which is publicly accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system.

A Proof-of-Concept (PoC) is also provided in the advisory.

Solution:
Fixed by vendor; upgrade to Exponent CMS v2.2.0 Release Candidate 1.

References:
[1] High-Tech Bridge Advisory HTB23154: Multiple Vulnerabilities in Exponent CMS.
[2] Exponent CMS - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation.
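The two file-inclusion findings on this page, the "group" parameter in OpenX's plugin scripts (HTB23155) and the "page" parameter in Exponent CMS's "/install/popup.php", share one root cause: a request parameter reaches include() guarded only by a filter that directory traversal sequences and a URL-encoded NULL byte can get past. The Python below is an added example written for this post; it is not code from either project or from the advisories, and the base directory, plugin names and query-string fragments in it are constructed. It shows the defensive pattern (map the parameter onto a fixed set of names the application knows, then canonicalise the result and confirm it stayed inside the base directory) together with a log-review check that flags both tricks, including double-encoded forms, which goes a step beyond what the advisories describe.

```python
import os
import urllib.parse

# Constructed base directory standing in for a CMS plugin folder
# (hypothetical path, not taken from either advisory).
BASE_DIR = os.path.abspath("/var/www/app/plugins")

# Strongest fix: only names the application itself defines (constructed list).
KNOWN_PLUGINS = {"adserver", "statistics", "welcome"}


def resolve_include(base_dir, user_value, known=KNOWN_PLUGINS):
    """Map a request parameter to an include path, or return None to reject it.

    Rejects the two tricks named in the advisories: "../" traversal and an
    embedded NUL byte (%00), which older PHP versions used to truncate the
    file name inside include(), so an appended ".php" suffix was dropped.
    """
    decoded = urllib.parse.unquote(user_value)
    if "\x00" in decoded:          # a NUL byte never belongs in a file name
        return None
    if decoded not in known:       # allowlist, not a blocklist of bad characters
        return None
    candidate = os.path.abspath(os.path.join(base_dir, decoded + ".php"))
    # Belt and braces: the canonical path must still lie inside base_dir.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


TRAVERSAL_MARKERS = ("../", "..\\", "\x00")


def looks_like_lfi_probe(raw_value):
    """Detection side: does a raw query-string value carry traversal or NUL tricks?

    Decodes twice so double-encoded forms such as %252e%252e%252f are caught too.
    """
    once = urllib.parse.unquote(raw_value)
    twice = urllib.parse.unquote(once)
    return any(marker in v for v in (once, twice) for marker in TRAVERSAL_MARKERS)


# Constructed query strings for a log review; not real traffic.
SAMPLE_QUERIES = [
    "group=adserver",
    "group=../../etc/passwd%00",
    "page=..%2F..%2Fconfig.php%00.php",
    "page=%252e%252e%252fetc%252fpasswd",
    "page=welcome",
]


def flag_lfi_probes(queries):
    """Return the query strings a log review should raise for follow-up."""
    return [q for q in queries if looks_like_lfi_probe(q.split("=", 1)[1])]
```

The allowlist does the real work; the canonical-path check is there so that a later change to how names are built (a subdirectory, a user-chosen theme) cannot quietly reopen the hole.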

HTB23153: Jojo CMS multiple vulnerabilities

High-Tech Bridge Security Research Lab discovered multiple security issues in Jojo CMS, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.

SQL Injection in Jojo CMS: CVE-2013-3081

The vulnerability is caused by insufficient filtration of user-supplied input passed to the "X-Forwarded-For" HTTP header in "/articles/test/" URI. A remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary SQL commands in application's database.

Successful exploitation of the SQLi requires that "jojo comments" plugin is enabled (disabled by default).

Cross-Site Scripting (XSS) in Jojo CMS: CVE-2013-3082

The vulnerability exists due to insufficient filtration of user-supplied data passed to "search" HTTP POST parameter in "/forgot-password/" URI. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

A Proof-of-Concept (PoC) is also provided in the advisory.

Solution:
Fixed by vendor; upgrade Jojo CMS to version 1.2.2.

References:
[1] High-Tech Bridge Advisory HTB23153: Multiple vulnerabilities in Jojo CMS
[2] Jojo CMS - Jojo is a PHP-based free CMS for web developers wanting to build good websites.

Wednesday, May 8, 2013

HTB23151: UMI.CMS cross-site request forgery (CSRF)

High-Tech Bridge Security Research Lab discovered a CSRF vulnerability in UMI.CMS, which can be exploited to perform Cross-Site Request Forgery (CSRF) attacks and create a new administrator in the vulnerable application.

Cross-site Request Forgery (CSRF) in UMI.CMS: CVE-2013-2754

The application allows an authorized administrator to perform certain sensitive actions via HTTP requests without properly verifying the source of those requests. This can be exploited to perform any action with administrator privileges, such as adding a new administrator to the system.

A remote attacker can create a specially crafted web page, trick a logged-in administrator into opening it, and thereby create a new user with administrative privileges.

A basic CSRF exploit that creates a new administrator with "csrfuser" as the login and "password" as the password is provided in the advisory.

Solution:
Fixed by vendor; upgrade to UMI.CMS 2.9 build 21905.
Changelog: http://www.umi-cms.ru/support/changelog/ (task number 17390)

References:
[1] High-Tech Bridge Advisory HTB23151: Cross-Site Request Forgery (CSRF) in UMI.CMS.
[2] UMI.CMS - UMI.CMS is a fast and scalable content management system.
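Both CSRF findings on this page, Kasseler CMS (HTB23158, where the advisory notes the absence of any CSRF protection) and UMI.CMS above, come down to the same missing check: a state-changing request is accepted because the browser attached the session cookie, not because the application verified where the request originated. The Python below is an added illustration written for this post, not code from either CMS; the session store, site origin and user names are constructed. It shows a synchronizer token bound to the session and compared in constant time, backed by an Origin/Referer check, and how a forged cross-site request fails it while the genuine form submission passes.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store (session id -> session data); a real
# application keeps this server-side in its normal session backend.
SESSIONS = {}


def start_session(user, is_admin):
    """Open a session and attach a fresh, unguessable CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "admin": is_admin, "csrf": secrets.token_hex(32)}
    return sid


def csrf_token_for(sid):
    """The value the application embeds as a hidden field in every state-changing form."""
    return SESSIONS[sid]["csrf"]


def same_origin(header_value, site_origin):
    """Compare scheme and host exactly; a prefix test would accept look-alike hosts."""
    got, want = urlparse(header_value), urlparse(site_origin)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def request_is_genuine(sid, form, headers, site_origin):
    """Synchronizer-token check, backed by an Origin/Referer sanity check.

    A page on another site can make the victim's browser send the session cookie,
    but it cannot read the token out of the victim's own form, so a forged request
    arrives without a valid token (and usually with a foreign Origin header).
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(session["csrf"].encode(), submitted.encode()):
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and not same_origin(origin, site_origin):
        return False
    return True


def add_user(sid, form, headers, site_origin="https://cms.example.test"):
    """Privileged action guarded the way the two advisories say the CMSs were not."""
    if not request_is_genuine(sid, form, headers, site_origin):
        return "rejected: request origin could not be verified"
    if not SESSIONS[sid]["admin"]:
        return "rejected: insufficient privileges"
    return f"created user {form['login']}"


def demo():
    """A genuine admin submission next to a cross-site forgery of the same action."""
    site = "https://cms.example.test"
    sid = start_session("admin", is_admin=True)
    genuine = add_user(sid, {"login": "newuser", "csrf_token": csrf_token_for(sid)},
                       {"Origin": site}, site)
    forged = add_user(sid, {"login": "newuser"},
                      {"Origin": "https://attacker.example"}, site)
    return genuine, forged
```

The token check is the primary control; the Origin/Referer comparison only adds defence in depth, since a missing header is tolerated for clients that strip it.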

HTB23141: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS

GetSimple CMS

GetSimple CMS version 3.1.2 suffers from multiple vulnerabilities that can be exploited to perform Cross-Site Scripting (XSS) attacks.

Cross-site scripting (XSS) in GetSimple CMS (CVE-2013-1420): the issues exist due to insufficient sanitisation of user-supplied data passed via the "id" HTTP GET parameter to "/admin/backup-edit.php", the "path" HTTP GET parameter to "/admin/upload.php", the "title" and "menu" HTTP GET parameters to "/admin/edit.php", and the "path" and "returnid" HTTP GET parameters to "/admin/filebrowser.php". A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

GetSimple CMS has an XSS filter; however, it can be bypassed, as demonstrated in the PoC examples of High-Tech Bridge advisory HTB23141.

Tuesday, May 7, 2013

HTB23152: b2evolution SQL Injection

b2evolution

b2evolution v4.1.6 suffers from SQL Injection [CWE-89] weakness due to insufficient validation of HTTP GET parameter "show_statuses" in "blogs/admin.php" script.

This vulnerability was exploitable via a CSRF vector and was fixed by the vendor in b2evolution 4.1.7.

Source: High-Tech Bridge Advisory HTB23152.

Wednesday, May 1, 2013

HTB23150: KrisonAV CMS multiple vulnerabilities

KrisonAV CMS

KrisonAV CMS version 3.0.1 suffers from cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities.

  1. Cross-site scripting (XSS): exists due to insufficient filtration of user-supplied data passed to "content" HTTP GET parameter via "services/get_article.php" script. A remote attacker can trick a user to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of the vulnerable website.
  2. Cross-site request forgery (CSRF): exists due to insufficient verification of the HTTP request origin in the "users_maint.html" script.

Solution: both security weaknesses are now fixed; upgrade to KrisonAV CMS version 3.0.2.

Source: High-Tech Bridge Advisory HTB23150 - Multiple Vulnerabilities in KrisonAV CMS

Monday, April 15, 2013

OpenX vulnerabilities in SemperVideo's News

Security advisory HTB23116 on OpenX was mentioned on SemperVideo's YouTube channel (News 07.04.2013, OpenX segment from 2:33):

Saturday, April 13, 2013

HTB23149: Hero Framework 3.791 multiple XSS

Hero Framework

Hero Framework version 3.791 contains two XSS vulnerabilities, which can be exploited to perform cross-site scripting attacks against the vulnerable application.

The vulnerabilities exist due to insufficient sanitisation of user-supplied data in the "username" HTTP GET parameter passed to the "/users/login" URL and the "error" HTTP GET parameter passed to the "/users/forgot_password" URL. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

Solution: upgrade to Hero Framework version 3.80.

Source: High-Tech Bridge Advisory HTB23149 - Multiple XSS in Hero Framework.

Thursday, April 11, 2013

Novell GroupWise untrusted pointer dereference exploitation

In November 2012 High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Novell GroupWise 2012. Details of the security advisory were disclosed in April 2013 (available on htbridge.blogspot.com here). The following paper demonstrates exploitation of the vulnerability to execute arbitrary code on the vulnerable system: Novell GroupWise Untrusted Pointer Dereference Exploitation.

A demonstration video is available for this security publication:

Direct link to files:
Publication PDF: Novell GroupWise Untrusted Pointer Dereference
Exploit files: Novell-GroupWise-exploit.rar pass: htbridge

Friday, April 5, 2013

HTB23131: Novell GroupWise Multiple Remote Code Execution Vulnerabilities

High-Tech Bridge Security Research Lab discovered multiple untrusted pointer dereference vulnerabilities in Novell GroupWise, which could be exploited to compromise a remote system.

Short description of the untrusted pointer dereferences (CWE-822) in Novell GroupWise 2012 (CVE-2013-0804): the vulnerabilities exist due to untrusted pointer dereference errors in the following ActiveX methods:

  • InvokeContact() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll").

    A remote attacker can pass an arbitrary value to the pInvokeParams argument of the InvokeContact() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction.

  • GenerateSummaryPage() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll").

    A remote attacker can pass an arbitrary value to the pInvokeParams argument of the GenerateSummaryPage() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction.

  • SecManageRecipientCertificates() method within the ActiveX control (gwmim1.ocx, GUID {BFEC5A01-1EB1-11D1-BC96-00805FC1C85A}, located by default in "C:\Program Files\Novell\GroupWise\gwmim1.ocx").

    A remote attacker can pass an arbitrary value to the lProp argument of the SecManageRecipientCertificates() method and trigger the ACCESS_VIOLATION exception on a MOV EDX,DWORD PTR DS:[ECX] instruction.

For all of these security issues the researchers presented Proof-of-Concept (PoC) code that crashes Internet Explorer 7/8/9.

Apply GroupWise 8.0.3 Hot Patch 2 (or later) or GroupWise 2012 SP1 Hot Patch 1 to remediate these vulnerabilities. Read more in the Novell Knowledgebase article about this security issue: GroupWise Client for Windows Remote Untrusted Pointer Dereference Vulnerability.

Thursday, April 4, 2013

HTB23148: Symphony 2.3.1 SQL injection vulnerability

Symphony SQL injection vulnerability found in Symphony version 2.3.1

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Symphony, which can be exploited to alter SQL queries sent to the database of the vulnerable application.

The vulnerability exists due to insufficient filtration of the "sort" HTTP GET parameter passed via the "/symphony/system/authors/" URL to the "index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

See more details at High-Tech Bridge Advisory HTB23148 - SQL Injection in Symphony.

HTB23146: FUDforum PHP Code Injection

FUDforum logo from Wikipedia

PHP code injection found in FUDforum 3.0.4. High-Tech Bridge Security Research Lab discovered a vulnerability in FUDforum, which can be exploited to execute arbitrary PHP code on the target system.

As described in Wikipedia, FUDforum is free and open source Internet forum software that is now maintained by the user community. The name "FUDforum" is an abbreviation of Fast Uncompromising Discussion forum. It is comparable to other forum software. FUDforum is customizable and has a large feature set relative to other forum packages.

The vulnerability exists due to insufficient validation of the HTTP POST parameters "regex_str", "regex_str_opt" and "regex_with" in the "adm/admreplace.php" script before they are used in the "preg_replace()" function. A remote administrator can send a specially crafted HTTP POST request to inject and execute arbitrary PHP code on the target system with the privileges of the web server.

More details about this vulnerability, the PoC code and the solution can be found in the original advisory HTB23146: PHP Code Injection in FUDforum.
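The root cause described above, as an added example that is not FUDforum's code: a user-controlled pattern reaching preg_replace() unchecked, beside a hardened wrapper that refuses unsafe modifiers. The function names are hypothetical.

```php
<?php
// Added illustration, not FUDforum's code. The vulnerable shape is
// preg_replace($_POST['regex_str'], $_POST['regex_with'], $text): if the
// pattern carries the "e" modifier, PHP 5 evaluates the replacement string
// as PHP code, which turns a text-replace feature into code execution.

// Hardened shape: parse the "/body/modifiers" form, refuse every modifier that
// is not on a short allow-list (so "e" can never get through), and check that
// the pattern compiles before it is used.
function validate_user_regex(string $pattern): void
{
    // Same-character delimiters only; bracket-style delimiters are rejected.
    if (!preg_match('/^(.)(.*)\1([A-Za-z]*)$/sD', $pattern, $m)) {
        throw new InvalidArgumentException('pattern must look like /body/modifiers');
    }
    $delim = $m[1];
    $mods  = $m[3];
    if (ctype_alnum($delim) || $delim === '\\') {
        throw new InvalidArgumentException('invalid delimiter');
    }
    if (preg_match('/[^imsuxU]/', $mods)) {
        throw new InvalidArgumentException('modifier not allowed: ' . $mods);
    }
    if (@preg_match($pattern, '') === false) {
        throw new InvalidArgumentException('pattern does not compile');
    }
}

function admin_replace_safe(string $pattern, string $with, string $text): string
{
    validate_user_regex($pattern);
    // Without "e" the replacement is plain text ($1-style backreferences only),
    // so preg_replace() cannot evaluate it.
    $out = preg_replace($pattern, $with, $text);
    if ($out === null) {
        throw new RuntimeException('replace failed, preg error ' . preg_last_error());
    }
    return $out;
}

// Constructed sample: a normal word-filter rule works, a rule with "e" is refused.
echo admin_replace_safe('/\bfoo\b/i', 'bar', 'Foo fighters'), PHP_EOL;
try {
    admin_replace_safe('/x/e', 'y', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

On PHP 7 and later the "e" modifier no longer exists, but the allow-list still matters because it also blocks modifiers a future engine might add and keeps malformed patterns from reaching production code paths.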

Tuesday, April 2, 2013

HTB23128: McAfee Virtual Technician ActiveX Control Insecure Method

McAfee Virtual Technician version 6.5.0.2101 suffers from an Exposed Unsafe ActiveX Method vulnerability [CWE-618]. It can be exploited by a remote attacker to overwrite arbitrary files with garbage data on a vulnerable system.

The vulnerability exists because the ActiveX control in the "McHealthCheck.dll" DLL exposes the insecure "Save()" method. This can be exploited to corrupt or create arbitrary files in the context of the current user. Proof-of-Concept (PoC) code is available on the security advisory page.

Solution: upgrade to McAfee Virtual Technician (MVT) 7.1

Related links:
McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability
High-Tech Bridge Advisory HTB23128 - McAfee Virtual Technician ActiveX control Insecure Method.

Wednesday, March 27, 2013

HTB23147: AWS XMS path traversal vulnerability

AWS XMS

A path traversal vulnerability in AWS XMS version 2.5 has been discovered by High-Tech Bridge Security Research Lab; it can be exploited to read the contents of arbitrary files.

The vulnerability exists due to insufficient filtration of the "what" HTTP GET parameter passed to the "importer.php" script before it is used in the PHP "file()" function. A remote attacker can read the contents of arbitrary files on the target system.

The Proof of Concept (PoC) code for this vulnerability in AWS XMS 2.5 uses the wget utility to download the source code of the "default.php" file, which contains the application configuration data and administrator credentials. See more at the HTB23147 advisory.

Upgrade your AWS XMS installation to version 2.6 to stay safe, or remove "/importer.php" script from your system.
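The file() read driven by a request parameter, as an added example that is not the AWS XMS code: the unrestricted shape the advisory describes, beside a version that keeps the read inside one directory. The function names and the base-directory layout are assumptions.

```php
<?php
// Added illustration, not the AWS XMS code. Vulnerable shape, as the advisory
// describes it: the "what" value is used as a path with no restriction, so
// "../" sequences or an absolute path select files outside the intended folder
// (including PHP sources such as default.php).
function importer_unsafe(string $what): array
{
    return file($what) ?: [];
}

// Hardened shape: strip directory components, allow-list the name, resolve the
// result with realpath() and require it to stay under the base directory.
function importer_safe(string $what, string $baseDir): array
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    $name = basename($what);
    if (!preg_match('/^[A-Za-z0-9_-]+\.txt$/D', $name)) {
        throw new InvalidArgumentException('unexpected file name: ' . $name);
    }
    // realpath() also resolves symlinks, so a link pointing outside $base is caught.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false ||
        strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('file outside allowed directory');
    }
    $lines = file($target, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        throw new RuntimeException('cannot read ' . $name);
    }
    return $lines;
}

// Constructed sample: a scratch directory with one importable file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xms_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'news.txt', "line one\nline two\n");
print_r(importer_safe('news.txt', $dir));
try {
    importer_safe('../default.php', $dir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```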

Friday, March 15, 2013

HTB23114: Corel WordPerfect X6 untrusted pointer dereference vulnerability

WordPerfect Office X6
WordPerfect Office X6 – Standard Edition, Corel.com

High-Tech Bridge Security Research Lab discovered an untrusted pointer dereference vulnerability in Corel WordPerfect. Opening a malicious WPD (WordPerfect Document) file causes an immediate application crash, resulting in the loss of all unsaved user data in the application.

The crash originates in the WPWIN16.DLL module, in the STARTAPP function, when the application attempts to call the STRNICMP procedure in the MSVCR80 module.

In order to exploit the vulnerability remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDAV share and trick the victim into downloading and opening the file.

A WPD file is provided by the researcher as a Proof of Concept (PoC) example.

Thursday, March 14, 2013

HTB23112: Corel Quattro Pro X6 NULL pointer dereference vulnerabilities

WordPerfect Office X6
WordPerfect Office X6 – Standard Edition, Corel.com

High-Tech Bridge Security Research Lab discovered two NULL pointer dereference vulnerabilities in Corel Quattro Pro. Opening a malicious QPW (Quattro Pro Spreadsheet) document causes an immediate application crash, resulting in the loss of all unsaved user data in the application.

The first crash occurs in the QPW160.dll module at the QProGetNotebookWindowHandle function when the application tries to move a value to a corrupted pointer.

The second crash occurs in the QPW160.dll module at the Ordinal132 function when the application tries to copy a buffer from ESI to EDI.

In order to exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDAV share and trick the victim into downloading and opening the file.

Two files are provided by the researcher as Proof of Concept (PoC) examples.

Thursday, March 7, 2013

HTB23145: CosCms OS Command Injection [CWE-78]

CosCms

CosCms version 1.721 has a high-risk (score 8.5, AV:N/AC:M/Au:S/C:C/I:C/A:C) OS Command Injection (CWE-78) vulnerability according to HTB23145.

The vulnerability exists due to insufficient validation of user-supplied input in the "$_FILES['file']['name']" variable passed to the "/gallery/upload/index" URL before it is used in the PHP "exec()" function. A remote attacker can send a specially crafted HTTP POST request containing a malicious filename and execute arbitrary commands on the target system with the privileges of the web server.

Solution available: upgrade to CosCms 1.822.
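The exec() pattern described above, as an added example that is not CosCms's code: a shell command assembled from the client-supplied upload name, beside a version that never lets user bytes reach the shell. The "convert" command, the directory and the function names are assumptions; the functions only build the command line so the difference can be inspected without running anything.

```php
<?php
// Added illustration, not CosCms's code.
// Vulnerable shape: $_FILES['file']['name'] is chosen by the client, and any
// shell metacharacters in it become part of the command line that exec() runs.
function thumbnail_command_unsafe(string $tmpPath, string $clientName): string
{
    $dest = '/var/www/gallery/' . $clientName;
    return "convert $tmpPath -resize 200x200 $dest";
}

// Hardened shape: never reuse the client name. Keep only an allow-listed
// extension, generate the file name on the server, and wrap each argument in
// escapeshellarg() so nothing from the request is parsed by the shell.
function thumbnail_command_safe(string $tmpPath, string $clientName, string $dir): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('unsupported image type: ' . $ext);
    }
    // Server-generated name: the client's bytes never appear in the command.
    $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '.' . $ext;
    return 'convert ' . escapeshellarg($tmpPath)
         . ' -resize 200x200 ' . escapeshellarg($dest);
}

// Constructed sample: even a harmless name with a space already splits the
// unsafe command into extra arguments; the safe command is fully quoted and
// does not contain the client's name at all. The caller would pass the safe
// string to exec($cmd, $out, $rc) and check $rc.
$tmp  = '/tmp/phpA1b2C3';
$name = 'holiday photo.jpg';
echo thumbnail_command_unsafe($tmp, $name), PHP_EOL;
echo thumbnail_command_safe($tmp, $name, '/var/www/gallery'), PHP_EOL;
try {
    thumbnail_command_safe($tmp, 'notes.php', '/var/www/gallery');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```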

Wednesday, March 6, 2013

HTB23139: Events Manager WordPress plugin multiple XSS vulnerabilities

Events Management plugin for WordPress

Multiple XSS vulnerabilities in Events Manager WordPress plugin version 5.3.3 were discovered by High-Tech Bridge Security Research Lab; they can be exploited to perform Cross-Site Scripting attacks.

These vulnerabilities exist due to insufficient filtration of user-supplied data in the following parameters:

  • "scope" GET parameter passed to "index.php";
  • "_wpnonce" GET parameter passed to "wp-admin/edit.php";
  • "user_name", "dbem_phone" and "user_email" GET parameters passed to "index.php";
  • "booking_comment" POST parameter passed to "index.php".

A remote attacker can trick a user or administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

Solution available: Upgrade to Events Manager 5.3.4. Additional details available on advisory HTB23139 - Multiple XSS vulnerabilities in Events Manager WordPress plugin.

Events Manager is a popular WordPress plugin with fully featured event registration management, including recurring events, location management, a calendar, Google Maps integration and booking management. It is recommended to upgrade old versions to the latest release.