CVE-2014-9561 Softbb.net SoftBB XSS (Cross-Site Scripting) Security Vulnerability


Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter XSS

Product: SoftBB (mods)

Vendor: Softbb.net

Vulnerable Versions: v0.1.3

Tested Version: v0.1.3

Advisory Publication: Jan 10, 2015

Latest Update: Jan 10, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9561

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Advisory Details:

Vendor URL:

(2) Vulnerability Details:

Softbb.net SoftBB can be exploited by XSS attacks.

(2.1) The vulnerability occurs at the “/redir_last_post_list.php” page, with the “&post” parameter.

References:

CVE-2014-9560 Softbb.net SoftBB SQL Injection Security Vulnerabilities


Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter SQL Injection

Product: SoftBB (mods)

Vendor: Softbb.net

Vulnerable Versions: v0.1.3

Tested Version: v0.1.3

Advisory Publication: Jan 10, 2015

Latest Update: Jan 10, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)

CVE Reference: CVE-2014-9560

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Advisory Details:

Vendor URL:

(2) Vulnerability Details:

Softbb.net SoftBB can be exploited by SQL Injection attacks.

(2.1) The vulnerability occurs at the “/redir_last_post_list.php” page, with the “&post” parameter.

References:

CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Web Security Vulnerabilities



Exploit Title:  OptimalSite CMS /display_dialog.php image Parameter XSS Web Security Vulnerability

Vendor: OptimalSite

Product: OptimalSite Content Management System (CMS)

Vulnerable Versions: V.1 V2.4

Tested Version: V.1 V2.4

Advisory Publication: January 24, 2015

Latest Update: January 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9562

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Credit: Jing Wang [School of Physical and Mathematical Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)





Suggestion Details:

(1) Vendor & Product Description

Vendor:

OptimalSite


Product & Version:

OptimalSite Content Management System (CMS)

V.1

V2.4


Vendor URL & Download:

The product can be obtained from here,

http://www.optimalsite.com/en/


Product Description Overview:

“Content management system OptimalSite is an online software package that enables the management of information published on a website. OptimalSite consists of the system core and integrated modules, which allow expanding website possibilities and functionality. You may select a set of modules that suits your needs best.


Website page structure

Website page structure is presented in a tree structure similar to Windows Explorer, so that several page levels can be created for each item on the menu.  The website’s structure itself can be easily edited: you can create new website pages, delete unnecessary ones, and temporarily disable individual pages.


Website languages

OptimalSite may be used to create a website in different languages, the number of which is not limited. Different information may be presented in each separate language and the structure of pages in each language may also differ.


WYSIWYG (What You See Is What You Get) text editor

Using this universal text editor makes posting and replacing information on the website effortless.   Even a minimum knowledge of MS Word and MS Excel will make it easy to use the tools of WYSIWYG text editor and implement your ideas.


Search function in the system

By using search function system’s administrator is able to find any information that is published in administrative environment. It is possible to execute a search in the whole system and in its separate modules as well.


Recycle bin function

System administrator is able to delete useless data. All deleted data is stored in recycle bin, so administrator can restore information anytime.”




(2) Vulnerability Details:

The OptimalSite web application has a security bug: it can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar 0-day vulnerabilities in the product have been found by other bug hunters before. OptimalSite has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, and solution details related to XSS vulnerabilities.


(2.1) The programming flaw occurs in the “&image” parameter of the “display_dialog.php” page.







CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege Escalation Security Vulnerability





Exploit Title: WordPress Ad-Manager Plugin Dest Redirect Privilege Escalation Vulnerability
Product: WordPress Ad-Manager Plugin
Vendor: CodeCanyon
Vulnerable Versions: 1.1.2
Tested Version: 1.1.2
Advisory Publication: Nov 25, 2014
Latest Update: Nov 25, 2014
Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]
CVE Reference: CVE-2014-8754
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

Advisory Details

(1) Product:
“WordPress Ad-Manager offers users a simple solution to implement advertising into their posts, their blog or any other WordPress page. Users can use pictures and images or HTML snippets like Google AdSense to incorporate advertising in an easy way.”

(2) Vulnerability Details:
The Dest Redirect Privilege Escalation vulnerability occurs at the “track-click.php” page, with the “&out” parameter.


CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities


Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities
Product: WebPress
Vendor: goYWP
Vulnerable Versions: 13.00.06
Tested Version: 13.00.06
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8751
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

 

Advisory Details:
(1) Product
“WebPress is the foundation on which we build web sites. It’s our unique Content Management System (CMS), flexible enough for us to build your dream site, and easy enough for you to maintain it yourself.”

 

(2) Vulnerability Details:
goYWP WebPress has a security problem. It is vulnerable to XSS attacks.
(2.1) The first security vulnerability occurs at the “/search.php” page, with the “&search_param” parameter in HTTP GET.
(2.2) The second security vulnerability occurs at the “/forms.php” (form submission) page, with the “&name”, “&address” and “&comment” parameters in HTTP POST.

References:

CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability


Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Vulnerability

Product: LibCal

Vendor: Springshare

Vulnerable Versions: 2.0

Tested Version: 2.0

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7291

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Solution Status: Fixed by Vendor

Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

Advisory Details

(1) Product:

“Springshare LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide.”

 

 

(2) Vulnerability Details:

Springshare LibCal has a security problem. It is vulnerable to XSS attacks.

The XSS vulnerabilities occur at the “/api_events.php?” page, with the “&m” and “&cid” parameters.

(3) Solutions:

2014-10-01: Report vulnerability to Vendor

2014-10-15: Vendor replied with thanks and vendor changed the source code

References:

CVE-2014-7292 Newtelligence dasBlog Dest Redirect Privilege Escalation Security Vulnerability

Exploit Title: Newtelligence dasBlog Dest Redirect Privilege Escalation Vulnerability
Product: dasBlog
Vendor: Newtelligence
Vulnerable Versions: 2.3 (2.3.9074.18820), 2.2 (2.2.8279.16125), 2.1 (2.1.8102.813)
Tested Version: 2.3 (2.3.9074.18820)
Advisory Publication: OCT 15, 2014
Latest Update: OCT 15, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor URL:
https://searchcode.com/codesearch/view/8710666/
https://www.microsoft.com/web/gallery/dasblog.aspx



(2) Vulnerability Description:
“Newtelligence dasBlog ct.ashx is vulnerable to Open Redirect attacks.
dasBlog supports a feature called Click-Through which basically tracks all links clicked inside your blog posts. It’s a nice feature that allows the blogger to stay informed what kind of content readers like. If Click-Through is turned on, all URLs inside blog entries will be replaced with <URL to your blog>/ct.ashx?id=<Blog entry ID>&url=<URL-encoded original URL> which of course breaks WebSnapr previews.”

Web.config code:
<add verb="*" path="ct.ashx" type="newtelligence.DasBlog.Web.Services.ClickThroughHandler, newtelligence.DasBlog.Web.Services"/>

(3) Vulnerability Detail:
Newtelligence dasBlog has a security problem. It is vulnerable to Open Redirect attacks.

(3.1) The vulnerability occurs at the “ct.ashx?” page, with the “&url” parameter.

Solutions:
2014-10-15 Public disclosure with self-written patch.
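
One way to close the open redirect in the Click-Through link format described above, as an added example that is neither the advisory's self-written patch nor dasBlog code: sign each rewritten link with an HMAC over the entry id and URL when the entry is rendered, and have the handler refuse any "url" value it did not issue. It is written in Python rather than dasBlog's C#; SECRET_KEY, the "sig" parameter and both function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: a server-side secret that never leaves the blog host.
SECRET_KEY = b"constructed-demo-key-rotate-in-production"


def _sign(entry_id: str, url: str) -> str:
    # Length-prefix the id so (id, url) pairs cannot be re-split ambiguously.
    msg = f"{len(entry_id)}:{entry_id}{url}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def rewrite_link(blog_base: str, entry_id: str, url: str) -> str:
    """Build the click-through link emitted when an entry is rendered."""
    return (f"{blog_base}/ct.ashx?id={quote(entry_id, safe='')}"
            f"&url={quote(url, safe='')}&sig={_sign(entry_id, url)}")


def resolve_click(query_string: str):
    """Return the redirect target, or None when the request must be refused."""
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        (entry_id,), (url,), (sig,) = params["id"], params["url"], params["sig"]
        parts = urlsplit(url)
    except (KeyError, ValueError):
        return None  # missing, repeated, or unparsable parameter
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # only absolute http(s) targets are ever redirected to
    expected = _sign(entry_id, url).encode("ascii")
    if not hmac.compare_digest(sig.encode("utf-8"), expected):
        return None  # url was not issued by the blog for this entry
    return url
```

A request in the original unsigned form (id and url only) returns None, so the handler answers with an error page instead of a redirect.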

References: