ush.it - a beautiful place

ARC v2011-12-01 Multiple vulnerabilities

November 22, 2012 at 11:34 am - Filed under aa, bb - 1408 words, reading time ~4 minutes

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, a library that provides RDF and SPARQL functionality to PHP applications and uses MySQL as its backend. The vulnerabilities found include SQL injection and XSS.

Pixelpost (Calendar addon 1.1.6) 1.7.3 Multiple vulnerabilities

April 7, 2011 at 5:46 pm - Filed under aa, bb - 1033 words, reading time ~3 minutes

Simone "negator" Onofri found multiple issues in a nice image gallery script that he was going to use for personal purposes; perhaps it is better to wait a couple of releases before using it in production. Since the vendor was not responsive, this is a forced release. The vulnerabilities found include blind SQL injection and XSS.

Vtiger CRM 5.2.0 Multiple Vulnerabilities

November 16, 2010 at 10:46 pm - Filed under aa, bb - 1279 words, reading time ~4 minutes

Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi found multiple vulnerabilities in Vtiger CRM 5.2.0, software we have already audited in the past. High-impact (for a web application) findings include a Remote Command Execution issue (made possible by a bypass of the file upload extension blacklist) and a Local File Inclusion that can be exploited by unauthenticated users. Two separate Cross Site Scripting issues have been found, the first on the login.

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

January 11, 2010 at 2:16 am - Filed under aa, bb - 2587 words, reading time ~8 minutes

If you have read our previous article Jetty 6.x and 7.x Multiple Vulnerabilities you are already familiar with an attack vector called log escape sequence injection. It allows remote attackers to trigger terminal emulator vulnerabilities when a file containing escape sequences (for example a log file) is displayed in an unsafe manner. While the real issue belongs to the terminals, programs that do not sanitize their output make this vector relevant in the real world.

Jetty 6.x and 7.x Multiple Vulnerabilities

October 25, 2009 at 5:00 am - Filed under aa, bb - 2607 words, reading time ~8 minutes

Jetty is a pure Java application server used by big players like Google (Google AppEngine, Google Web Toolkit) and by many projects and products like Eclipse, Alfresco Developers, Bea WebLogic Business Connect and WebLogic Event Server, Cisco Subscriber Edge Services Manager, Sybase EAServer, Apache Geronimo, HP OpenView Interconnect Tools and HP Openview Self-Healing, JFox, Zimbra Desktop and others (a more complete list is at http://docs.codehaus.org/display/JETTY/Jetty+Powered). Finding a bug in such a widespread component is definitely interesting, as the exploitation scenarios are many. We were procrastinating a little too much on this advisory, but a CORE advisory burned some of our research, and this month we found the time to contact the vendor and follow our disclosure procedure. As always, enjoy the reading!

Vtiger CRM 5.0.4 Multiple Vulnerabilities

August 18, 2009 at 3:55 pm - Filed under aa, bb - 1780 words, reading time ~5 minutes

In our publication PHP filesystem attack vectors - Take Two we highlighted some issues that can occur in PHP applications that make use of filesystem operations. This advisory for Vtiger CRM, version 5.0.4, is an example of how such generic issues can impact the security of a real-world application.

PHP filesystem attack vectors - Take Two

July 26, 2009 at 2:31 am - Filed under aa, bb - 2669 words, reading time ~8 minutes

Did you enjoy our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper, and it highlights new ways to evade filters using some path normalization issues. Have a nice reading!

SugarCRM 5.2.0e Remote Code Execution

June 13, 2009 at 6:44 pm - Filed under aa, bb - 1524 words, reading time ~5 minutes

FormMail 1.92 Multiple Vulnerabilities

May 12, 2009 at 4:19 am - Filed under aa, bb - 1928 words, reading time ~6 minutes

Do you remember FormMail? I hope so. It's Perl code belonging to the past, the glorious 1995 Internet era. FormMail is a CGI script used to create contact forms, but not a common one: it's historical, with millions of downloads and a dedicated Wikipedia page (http://en.wikipedia.org/wiki/FormMail). By the way, it's still used in both small and big deployments. FormMail development stopped in 1996, with the exception of security updates, and the last security issue is from April 19, 2002. Now one could expect a piece of software to be bug-free after 13 years of feature freeze and "stable" status. Well... this is why we are here :) Don't expect code execution, just enjoy the reading.

Zabbix 1.6.2 Frontend Multiple Vulnerabilities

March 3, 2009 at 9:10 pm - Filed under aa, bb - 1792 words, reading time ~5 minutes

Multiple vulnerabilities exist in the Zabbix frontend software, ranging from Remote Code Execution (RCE) to Cross Site Request Forgery (CSRF) and Local File Inclusion (LFI).

PHP filesystem attack vectors

February 8, 2009 at 3:13 am - Filed under aa, bb - 6792 words, reading time ~22 minutes

On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I had found some time before, a new attack vector for the filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc.) of the PHP language. It was a path normalization issue and I asked them to keep it "secret" [4]; this was a good idea because my analysis was mostly incomplete and erroneous, but the idea was good and the bug was real and disposable.

25C3 (CCC Congress 2008) Tricks: makes you smile

January 6, 2009 at 10:58 pm - Filed under aa, bb - 969 words, reading time ~3 minutes

Finally back from CCC Conference 2008; thanks, Berlin, you always provide heaps of fun!
