CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

6kbbs_4

 

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

 

Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]

CVE Reference: *

CXSecurity Reference: WLB-2015040034

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

Suggestion Details:



(1) Vendor & Product Description:



Vendor:

6kbbs

 

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

 

Vendor URL & download:

6kbbs can be gain from here,

http://www.6kbbs.com/download.html

http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/

 

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user’s preferred utility functions.”

“1, using XHTML + CSS architecture, so that the structure of the page, saving transmission static page code, but also easy to modify the interface, more in line with WEB standards; 2, the Forum adopted Cookies, Session, Application and other technical data cache on the forum, reducing access to the database to improve the performance of the Forum. Can carry more users simultaneously access; 3, the data points table function, reduce the burden on the amount of data when accessing the database; 4, support for multi-skin style switching function; 5, the use of RSS technology to support subscriptions forum posts, recent posts, user’s posts; 6, the display frame mode + tablet mode, the user can choose according to their own preferences to; 7. forum page optimization keyword search, so the forum more easily indexed by search engines; 8, extension, for our friends to provide a forum for a broad expansion of space services; 9, webmasters can add different top and bottom of the ad, depending on the layout; 10, post using HTML + UBB way the two editors, mutual conversion, compatible with each other; …”

 

 

 

(2) Vulnerability Details:

6kbbs web application has a computer cyber security bug problem. It can be exploited by CSRF (Cross-Site Request Forgery) attacks. This may allow an attacker to trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a separate CSRF attack or possibly other means, and executed in the context of their session with the application, without further prompting or verification.

Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to csrf vulnerabilities.

 

(2.1) The first code programming flaw occurs at “/portalchannel_ajax.php?” page with “&id” and &code” parameters in HTTP $POST.

(2.2) The second code programming flaw occurs at “/admin.php?” page with “&fileids” parameter in HTTP $POST.

 

 

 

 

Related Articles:
http://cxsecurity.com/issue/WLB-2015040034
http://lists.openwall.net/full-disclosure/2015/04/05/7
http://www.intelligentexploit.com/view-details.html?id=21071
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
https://www.mail-archive.com/fulldisclosure@seclists.org/msg01902.html
http://seclists.org/fulldisclosure/2015/Apr/13
http://www.tetraph.com/security/csrf-vulnerability/6kbbs-v8-0-csrf
http://essayjeans.blog.163.com/blog/static/237173074201551435316925/
https://itinfotechnology.wordpress.com/2015/04/14/6kbbs-crsf/

http://frenchairing.blogspot.fr/2015/06/6kbbs-crsf.html
http://tetraph.blog.163.com/blog/static/234603051201551444917365/
http://diebiyi.com/articles/security/6kbbs-v8-0-csrf
http://securityrelated.blogspot.com/2015/04/6kbbs-v80-multiple-csrf-cross-site.html
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-multiple-csrf
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-csrf

 

 

 

Advertisements

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

201402Return-oriented-programming-ROP-computer-security-exploit-technique

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

Exploit Title: CVE-2015-2563 Vastal I-tech phpVID /groups.php Multiple Parameters SQL Injection Web Security Vulnerabilities

Product: phpVID

Vendor: Vastal I-tech

Vulnerable Versions: 1.2.3 0.9.9

Tested Version: 1.2.3 0.9.9

Advisory Publication: March 13, 2015

Latest Update: April 25, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2563

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Direction Details:



(1) Vendor & Product Description:



Vendor:

Vastal I-tech

Product & Vulnerable Versions:

phpVID

1.2.3

0.9.9

Vendor URL & Download:

phpVID can be approached from here,

http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA


Product Introduction Overview:

“phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy.”


“The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a “single dedicated server”. phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: http://www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com.”


“Server Requirements:

Preferred Server: Linux any Version

PHP 4.1.0 or above

MySQL 3.1.10 or above

GD Library 2.0.1 or above

Mod Rewrite and .htaccess enabled on server.

FFMPEG (If you wish to convert the videos to Adobe Flash)”

(2) Vulnerability Details:

phpVID web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other bug hunter researchers have found some SQL Injection vulnerabilities related to it before, too. phpVID has patched some of them.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpVID has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, solutions details related to important vulnerabilities.



(2.1) The first code programming flaw occurs at “&order_by” “&cat” parameters in “groups.php?” page.


Related Links:

http://packetstormsecurity.com/files/130754/Vastal-I-tech-phpVID-1.2.3-SQL-Injection.html

https://progressive-comp.com/?l=full-disclosure&m=142601071700617&w=2

http://seclists.org/fulldisclosure/2015/Mar/58

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1699

http://lists.openwall.net/full-disclosure/2015/03/10/8

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142601071700617&w=2

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2563/

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551597501701&w=2

https://cxsecurity.com/issue/WLB-2015020091

https://www.facebook.com/permalink.php?story_fbid=935563809832135&id=874373602617823

http://t.qq.com/p/t/482410003538035

http://biboying.lofter.com/post/1cc9f4f5_6ee2aa5

http://mathpost.tumblr.com/post/118768553885/xingti-cve-2015-2563-vastal-i-tech-phpvid

http://essayjeans.lofter.com/post/1cc7459a_6ee4fcb

http://xingti.tumblr.com/post/118768481545/cve-2015-2563-vastal-i-tech-phpvid-1-2-3-sql

https://plus.google.com/113698571167401884560/posts/gftS84rfD3A

https://itswift.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/

https://www.facebook.com/essayjeans/posts/827458144012006

https://tetraph.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/

http://mathstopic.blogspot.com/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html

http://yurusi.blogspot.sg/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html

https://twitter.com/tetraphibious/status/598057025247907840

http://tetraph.blog.163.com/blog/static/23460305120154125453111/


XSS攻撃に対して脆弱先立ち2013年にニューヨーク·タイムズ紙の記事へのすべてのリンク

XSS攻撃に対して脆弱先立ち2013年にニューヨーク·タイムズ紙の記事へのすべてのリンク

 

 

2013の前に公開されたニューヨーク·タイムズ(NYT)の資料へのURLは、Webブラウザのコンテキストで実行されるコードを提供できるXSS(クロスサイトスクリプティング)攻撃に対して脆弱であることが見出されている。

 

NYTimesのの設計に基づいて、ほぼ2013年前にすべてのURLが(記事のすべてのページを)影響を受けます。実際には、「印刷」ボタン、「単一ページ」ボタンを含むすべての記事ページには、「ページ*」ボタン、「次ページ」ボタンが影響を受けます。

 

324748_1280x720

 

NYTimesのは、そのサーバに送信されたURLを復号化し、2013年以来、このメカニズムを変更しました。これは今メカニズムはるかに安全になります。

 

し かし、2013年前にすべてのURLは古いメカニズムを使用しています。これは2013年前にほとんどすべての記事ページはまだXSS攻撃に対して脆弱で あることを意味します。私はNYTimesの前にURLをフィルタリングしない理由はコストだと思います。それは前にすべての投稿記事のデータベースを変 更する(マネー&人的資本)あまりかかります。

 

この脆弱性は、物理の学校と数理科学(SPMS)、南洋理工大学、シンガポールから数学の博士課程の学生によって(Wang Jing) 発見されました。

 

王によって与えられたPOCとブログの説明、
https://www.youtube.com/watch?v=RekCK5tjXWQ
http://tetraph.com/security/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/

 

 

一方、王は「ニューヨーク·タイムズ紙は、これはより良い保護メカニズムです。今新しいメカニズムを採用しています。」と述べた

 

記事が古い場合でも、ページがまだ関連しています
最近の記事への攻撃は間違いなく大きな影響を持っていただろうが、2012年、あるいはそれ以上の年齢の記事は廃止されてから遠く離れている。彼らはまだ攻撃の文脈において関連があるでしょう。

 

サイバー犯罪者は、高い成功率、すべての複数と標的型攻撃を潜在的な被害者へのリンクを送信し、記録するさまざまな方法を考案することができる。

 

XSSとは何ですか?
ク ロスサイトスクリプティング(XSS)は、典型的には、Webアプリケーションで見つかったコンピュータセキュリティの脆弱性の一種です。 XSSは、他のユーザが閲覧するWebページにクライアント側のスクリプトを注入するために、攻撃を可能にします。クロスサイトスクリプティングの脆弱性 は、同一生成元ポリシーとしてアクセス制御をバイパスするために攻撃者によって使用されてもよい。ウェブサイト上で行わクロスサイトスクリプティングは、 2007年のようにSymantecが文書化されたすべてのセキュリティ脆弱性の約84%を占めた(ウィキペディア)

 

 

 

 

 

 

Serious Covert Redirect Vulnerability Found in OAuth 2.0 and OpenID

Following in the steps of the OpenSSL vulnerability Heartbleed, A serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID has been found. Almost all major providers of OAuth 2.0 and OpenID are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.

 

Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability “Covert Redirect” flaw can masquerade as a log-in popup based on an affected site’s domain. Covert Redirect is based on a well-known exploit parameter.

 

For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that’s similar to trick users, the Covert Redirect flaw uses the real site address for authentication.

 

If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

 

Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker’s choice, which could potentially further compromise the victim.

 

Wang says he has already contacted Facebook and has reported the flaw, but was told that the company “understood the risks associated with OAuth 2.0,” and that “short of forcing every single application on the platform to use a whitelist,” fixing this bug was “something that can’t be accomplished in the short term.”

 

Facebook isn’t the only site affected. Wang says he has reported this to Google, LinkedIn, and Microsoft, which gave him various responses on how they would handle the matter.

 

covert_redirect_logo_tetraph


Google (which uses OpenID) told him that the problem was being tracked, while LinkedIn said that the company has published a blog on the matter. Microsoft, on the other hand, said an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.

“Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,” said Wang.

 

“However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable,” he added.

 

LinkedIn engineer Shikha Sehgal wrote a blog post about the creation of a whitelist for the site more than a month before Wang published his findings.

 

“In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application’s redirect URLs with us by April 11, 2014,” she said.

 

Sehgal did not explicitly say that the measure was in response to a flaw in OAuth 2, but the social network did confirm to CNET that the vulnerability that Wang detailed is the same one that inspired the blog post.

 

PayPal also has addressed the flaw.

“When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability,” James Barrese, PayPal’s CTO, said in a blog post on Friday. PayPal declined to add details about those measures.

(Article Mainly from Cnet.com)

 

 

 

Related Articles: