Friday, June 28, 2013

HTB23156: Xaraya multiple cross-site scripting (XSS) vulnerabilities

Xaraya version 2.4.0-b1 suffers from cross-site scripting [CWE-79] vulnerabilities.

High-Tech Bridge Security Research Lab discovered four XSS vulnerabilities in Xaraya, which can be exploited to perform cross-site scripting attacks against administrators of the vulnerable application.

These issues exist due to insufficient sanitisation of user-supplied data passed to the "/index.php" script via the "id", "interface", "name" and "tabmodule" HTTP GET parameters. Exploitation examples are available on the HTB23156 security advisory page.

Solution for XSS in Xaraya
Because the Xaraya Development Group did not reply to multiple notifications, an unofficial patch was developed by High-Tech Bridge Security Research Lab.
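The defect class above, reflected GET parameters reaching HTML without sanitisation, shown in an added example that is neither Xaraya's code nor the High-Tech Bridge patch; the route rendered, the identifier pattern for "interface" and "tabmodule", and the treatment of "name" as free text are assumptions:

```php
<?php
// Added example, not Xaraya's code or the High-Tech Bridge patch: the GET
// parameters named in the advisory, reflected into HTML. The vulnerable
// function echoes them raw; the hardened one validates shape and encodes on output.

// Vulnerable pattern: raw GET values land in an attribute and in element text.
function renderTabVulnerable(array $get): string
{
    return '<a href="index.php?tabmodule=' . $get['tabmodule'] . '&id=' . $get['id'] . '">'
        . $get['name'] . '</a>';
}

// Validate what has a known shape: "id" is an integer, "interface" and "tabmodule"
// are module identifiers (the identifier pattern is an assumption); "name" is free text.
function cleanParams(array $get): array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    $clean = ['id' => $id === false ? 0 : $id, 'name' => (string) ($get['name'] ?? '')];
    foreach (['interface', 'tabmodule'] as $key) {
        $value = (string) ($get[$key] ?? '');
        $clean[$key] = preg_match('/^[A-Za-z0-9_]{1,64}$/', $value) ? $value : '';
    }
    return $clean;
}

// Encode for the HTML context at the point of output; ENT_QUOTES also covers attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTabSafe(array $get): string
{
    $p = cleanParams($get);
    $url = 'index.php?' . http_build_query(['tabmodule' => $p['tabmodule'], 'id' => $p['id']]);
    return '<a href="' . h($url) . '">' . h($p['name']) . '</a>';
}

// Constructed request simulating a reflected-XSS probe; run from the CLI.
$probe = ['id' => '7', 'interface' => 'admin', 'tabmodule' => 'roles"><b>x',
          'name' => '<script>alert(1)</script>'];
echo renderTabVulnerable($probe), PHP_EOL;  // both payloads land in the page unchanged
echo renderTabSafe($probe), PHP_EOL;        // tabmodule rejected by the whitelist; name encoded
```

Validation narrows what a parameter may carry, but the encoding step is what protects the HTML context, so it must run on every value reaching the page, including the free-text "name".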

Wednesday, June 26, 2013

HTB23157: SQL Injection in Dolphin 7.1.2

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Dolphin 7.1.2, which can be exploited to manipulate SQL queries passed to the vulnerable application and obtain sensitive data from the database.

Dolphin is the world's most advanced software platform for building vibrant community websites.

The vulnerability exists due to insufficient validation of the "pathes[]" HTTP POST parameter passed to the "administration/categories.php" PHP script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database. This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. The basic CSRF exploit code, based on the DNS exfiltration technique, is available on the security advisory page and may be used if the database of the vulnerable application is hosted on a Windows system.

How to fix SQL Injection in Dolphin?
Upgrade to Dolphin 7.1.3 (see the release announcement "Stability, Security, Spam-Prevention and More - Dolphin 7.1.3 Released!").
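The two weaknesses the advisory combines, an array POST parameter concatenated into SQL and an admin endpoint reachable without a CSRF token, in an added example that is not Dolphin's code; the table, column and query are constructed for illustration:

```php
<?php
// Added example, not Dolphin's code: the "pathes[]" POST array from the advisory
// used in a DELETE query. Table and column names are constructed for illustration.
// Vulnerable pattern: array elements concatenated straight into the SQL text.
function buildDeleteVulnerable(array $post): string
{
    return "DELETE FROM sys_categories WHERE Path IN ('" . implode("','", $post['pathes'] ?? []) . "')";
}
// Hardened: one placeholder per element; values travel separately from the SQL text.
function buildDeleteSafe(array $post): ?array
{
    $paths = $post['pathes'] ?? null;
    if (!is_array($paths) || $paths === []) {
        return null;
    }
    foreach ($paths as $p) {
        if (!is_string($p)) {      // reject nested arrays and other unexpected shapes
            return null;
        }
    }
    $placeholders = implode(',', array_fill(0, count($paths), '?'));
    return ["DELETE FROM sys_categories WHERE Path IN ($placeholders)", array_values($paths)];
}
// The advisory notes the endpoint is also reachable via CSRF: require a per-session
// token on the admin form and compare it in constant time before running anything.
function handleRequest(PDO $db, array $session, array $post): int
{
    if (!isset($session['csrf'], $post['csrf']) || !is_string($post['csrf'])
        || !hash_equals($session['csrf'], $post['csrf'])) {
        return 0;
    }
    $query = buildDeleteSafe($post);
    if ($query === null) {
        return 0;
    }
    $stmt = $db->prepare($query[0]);
    $stmt->execute($query[1]);
    return $stmt->rowCount();
}

// Constructed demonstration against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE sys_categories (Path TEXT)");
$db->exec("INSERT INTO sys_categories VALUES ('a/b'), ('c/d'), ('x')");
$session = ['csrf' => bin2hex(random_bytes(16))];
$post = ['csrf' => $session['csrf'], 'pathes' => ['a/b', "c/d') OR ('1'='1"]];
echo buildDeleteVulnerable($post), PHP_EOL;   // the second element alters the WHERE clause
echo handleRequest($db, $session, $post), " row(s) deleted", PHP_EOL;   // 1: bound value is only a string
echo handleRequest($db, $session, ['pathes' => ['x']]), " row(s) deleted", PHP_EOL;   // 0: no CSRF token
```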

Thursday, June 6, 2013

High-Tech Bridge Named a Top Trusted Website in OTA's 2013 Online Trust Honor Roll

High-Tech Bridge SA announced it has been named to the Online Trust Alliance (OTA) 2013 Online Trust Honor Roll for demonstrating exceptional data protection, privacy and security in an effort to better protect its customers and brand. For High-Tech Bridge this is a second consecutive nomination for this prestigious global award, which the company already received in 2012.

OTA, a nonprofit organization that works collaboratively with industry leaders to enhance online trust, completed comprehensive audits analyzing more than 750 domains and privacy policies, approximately 10,000 web pages and more than 500 million emails for this report. The composite analysis included over a dozen attributes focusing on:

  1. Site & server security,
  2. Domain, brand, email and consumer protection,
  3. Privacy policy and practices.

In addition to the in-depth analysis of their web sites, Domain Name Systems (DNS), outbound emails, and public records were analyzed for recent data breach incidents and FTC settlements. Key sectors audited include the Internet Retailer 500, FDIC 100, Top 50 Social Sites as well as OTA members.

"Consumers are trading billions of pieces of personal data in exchange for desired services and are relying on the integrity of businesses collecting and storing that information to protect them," said Craig Spiezle, president and executive director of Online Trust Alliance. "As a 2013 Honor Roll Recipient, High-Tech Bridge has demonstrated excellence in leadership and commitment to protecting consumers and building trust through data protection, security, and privacy."

"At High-Tech Bridge we are honored to receive the OTA Online Trust Honor Roll award. Being a member of the OTA Advisory Council, our company shares the values and objectives promoted by the Online Trust Alliance, such as global trust and security in cyberspace," said Ilia Kolochenko, CEO of High-Tech Bridge. "We are committed to supporting OTA projects and initiatives, and this year we are especially proud that our new product ImmuniWeb® was used by OTA during Honor Roll scoring."

Being named to the 2013 Honor Roll is a significant achievement considering the large number of companies that received failing marks for inadequate domain and consumer protection (14%), insecure websites (7%), and inadequate privacy policies or data collection practices (36%).

www.htbridge.com

About The Online Trust Alliance
The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust, while promoting innovation and the vitality of the internet. Our goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship.

About High-Tech Bridge
High-Tech Bridge SA is a leading provider of information security services, such as penetration testing, network security auditing, consulting and computer crime forensics. In 2012 Frost & Sullivan recognized High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry. High-Tech Bridge devotes significant resources to information security research. High-Tech Bridge Security Research Lab has helped various software vendors improve the security of their products, including Microsoft, IBM, Novell, McAfee, Sony, HP, Samsung, OpenOffice, Corel, OpenX, Joomla, WordPress, UMI.CMS, and hundreds of others.

Contact Information:
High-Tech Bridge SA
Mr. Patrick Tran
+41 22 560 68 43
www.htbridge.com

Wednesday, June 5, 2013

Frost & Sullivan: High-Tech Bridge Moves Ethical Hacking to the Cloud with ImmuniWeb® SaaS

Movers & Shakers Interview with Ilia Kolochenko, CEO of High-Tech Bridge, a Leading Provider of Ethical Hacking Services in Europe

Mr. Kolochenko, the CEO of High-Tech Bridge and the creative mind behind ImmuniWeb®, talked to Frost & Sullivan about the recent launch of ImmuniWeb® Beta, an innovative cloud-based ethical hacking SaaS solution for web applications.

The fundamentals of ImmuniWeb are ease and rapidity of use, and a powerful combination of human and machine. "ImmuniWeb is a hybrid of manual penetration testing, performed by a security auditor, and automated security assessment under the thorough control of the auditor. An ImmuniWeb security assessment can be purchased and configured in less than 15 minutes on the ImmuniWeb Portal," Mr. Kolochenko says.

"ImmuniWeb presents a solution to three common issues of ethical hacking and the security auditing industry: lack of in-house technical knowledge among customers, administrative and regulatory complexities that take a lot of time, and relatively high market prices," he explains. "ImmuniWeb has a very attractive quality-price ratio and simplicity of use, making web application security assessment affordable to SMBs and even to private persons."

ImmuniWeb tackles one of the main end-user challenges when engaging ethical hacking services. "Although the ethical hacking market is quite well developed today, and there are many qualified players in the market, quite often customers still have to decide between buying either a good quality service at a quite excessive price or a cheap service, the quality of which is not even worth its dumping price," Mr. Kolochenko explains. "We felt an obligation to find a solution that would be fair in terms of pricing, and technically efficient."

To read the entire interview and learn more about ImmuniWeb, please see the Movers & Shakers Interview with Ilia Kolochenko - CEO of High-Tech Bridge on frost.com.

Frost & Sullivan is proud to showcase Movers & Shakers interviews, highlighting dynamic companies and leaders in the corporate world. These organizations and individuals are recognized for achieving milestones such as launching a breakthrough technology, executing a key strategic acquisition, or implementing a revolutionary vision for the future of their industries.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today's market participants.

Our "Growth Partnership" supports clients by addressing these opportunities and incorporating two key elements driving visionary innovation: The Integrated Value Proposition and The Partnership Infrastructure.

  • The Integrated Value Proposition provides support to our clients throughout all phases of their journey to visionary innovation including: research, analysis, strategy, vision, innovation and implementation.
  • The Partnership Infrastructure is entirely unique as it constructs the foundation upon which visionary innovation becomes possible. This includes our 360-degree research, comprehensive industry coverage, career best practices as well as our global footprint of more than 40 offices.

For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?

Contact:
Joanna Lewandowska
Frost & Sullivan
Corporate Communications – Europe
Phone: +48 22 481 62 20
Email: joanna.lewandowska (at) frost.com
http://www.frost.com

SOURCE: Frost & Sullivan