Thursday, December 29, 2005

Rediff Mail XSS Vulnerability


I don't know why people look at XSS vulnerabilities as less critical. This may be an eye opener for them. This PoC shows how easy it is to grab a cookie and play with it.
Here is a PoC:-
http://login.rediff.com/cgi-bin/subs/passwd_remind.cgi?FormName=takeusername&login=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
Thanks
SumSid

MSN India SQL injection


A SQL injection vulnerability has been reported in the MSN India web site.
The vendor (Microsoft) was quick in responding to us. The site was immediately taken offline.
The full story will be released on the NII web site very shortly, along with the Windows display driver DoS vulnerability.

Wednesday, December 21, 2005

YAHOO Bugs released


Finally, the minor Yahoo bugs which I discovered have been released. You would have got them in your email, as I made sure to post them to every individual on my mailing list :) so I won't post them here.
BTW:- if you haven't received it in your email, see it here.

Being lazy


I find it too boring to update each and every advisory here.
So here is a link which will keep me and you updated about my advisories:

http://secunia.com/search/?search=$um$id
Thanks
SumSid($um$id)

Tuesday, December 20, 2005

Shmoocon


Today I got an invitation to speak at Shmoocon, to be held in Washington. The event is scheduled from January 13th to January 16th, 2006.
But it seems that I won't be able to get a visa on such short notice.
Huhhh!!!!
Still to speak at an international conference.
Two invites and both gone to waste..

Shmoocon homepage
pakcon homepage

SumSid

Sunday, December 18, 2005

URL Redirection in ORKUT

About Orkut:-
orkut.com is an online community website designed for friends. The main goal of our service is to make your social life... orkut's social network can help you both maintain existing relationships and establish new ones by reaching out to people you've never met before. Who you interact with is entirely up to you

Original URL:-

https://www.orkut.com/GLogin.aspx?done=http%3A%2F%2Fwww.orkut.com%2F

Malformed URL:-
https://www.orkut.com/GLogin.aspx?done=http://any_url.com

After successful validation of the login, URL redirection occurs. To make matters worse, as the validation has already occurred, the victim's browser has been authenticated and will remain authenticated unless the victim logs out of Orkut. Although remotely exploitable, it can only be exploited by carrying out a phishing attack at any_url.com with a fake login screen, etc.

Credits:-$um$id

Tuesday, December 13, 2005

Advisory


EveryAuction v1.53 XSS vulnerability
Read it here on SecurityFocus

PhpSupportTicket Advisory

Links to Me



My articles/advisories are available at the following links:-
0. CVE-2005-4264
1. CVE-2005-4162
2. CVE-2005-4088
3. Snort docs
4. Secguru:- http://www.secguru.com/node?from=16
5. FrSIRT
6. SecurityTracker:- http://www.securitytracker.com/alerts/2005/Dec/1015332.html

Thursday, December 08, 2005

One More

My Perl-Cal advisory is published at SecurityFocus. Here is the link.
The same is also available at Secunia. See it here.

Wednesday, December 07, 2005

Advisory


Software: Shop PBS

Type: Cross Site Scripting

Severity: Medium

Vulnerability Type: Input Validation Error

Overview:- There exists a cross-site scripting vulnerability, as the input to the "keyword" parameter is not properly sanitised in index.jsp.

Description:- The cross-site scripting bug can be triggered with a URL such as the one in the proof of concept below.

This issue could permit a remote attacker to create a malicious URL link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected Web site.

Proof of Concept:-

http://www.shoppbs.org/searchHandler/index.jsp?keywords="<"script">"alert%28document.cookie%29"<"/script">"&x=31&y=11"

Solution:
There is no vendor-supplied patch for this issue at this time.

Credit:-
KeyShore


...Kishore works with me and he came across this one.. :)
Cheers
SumSid

Advisory


TITLE:
Yahoo servers URL redirection

SECUNIA ADVISORY ID:
coming soon.

VERIFY ADVISORY:
coming soon.

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
Yahoo.com web site


DESCRIPTION:
$um$id has reported vulnerabilities in Yahoo.com web site(s) which can be exploited by malicious people to inject a malicious URL into the scripts running on the servers, which causes redirection to that malicious URL.
As the redirection will be done by the Yahoo servers, the victim will associate the same amount of trust with the malicious URL as he/she does with the Yahoo servers. This can then be followed by a phishing attack.

Proof Of Concept:-
Original link:- http://in.rd.yahoo.com//prop/?http://in.photos.yahoo.com/
Malformed link:- http://in.rd.yahoo.com//prop/?http://www.any_malacious_link.com

Minutes after reporting this vulnerability to Yahoo with a different URL, that link was updated. However, the proof of concept above contains the new URL, which still allows URL redirection.

SOLUTION:
Check the target URL before redirecting the browser to it.

PROVIDED AND/OR DISCOVERED BY:
$um$id
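The check that the Orkut post above and this advisory's solution both call for, written as an added Python example (not code from Orkut, Yahoo or the author): a redirect target is accepted only if it is a local absolute path or an http(s) URL whose host is on an allow-list, and the usual bypass shapes (scheme-relative //host, backslashes, user@host, look-alike subdomains, non-http schemes) are rejected. The allow-list hosts and the parsing of the GLogin.aspx done= parameter are assumptions for the example; for the Yahoo rd link, where the target is the whole query string, the same is_safe_redirect check applies to that string.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts the login page may send the browser to after authentication.
# "www.orkut.com" mirrors the done= parameter in the post above; the rest
# of the list is an assumption made for this example.
ALLOWED_HOSTS = {"www.orkut.com", "orkut.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a local absolute path or an http(s) URL whose host is
    on the allow-list; anything else is treated as an open redirect."""
    if not target or any(ch in target for ch in "\r\n\t\x00"):
        return False                      # control characters: reject outright
    # Browsers accept "\" where "/" is expected, so normalise before parsing;
    # otherwise "/\host" would look like a harmless relative path here.
    target = target.replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:                    # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Local path. "//host/path" has a netloc and never reaches this
        # branch: it is scheme-relative, i.e. another site.
        return target.startswith("/")
    if parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, ftp: ...
    if parts.username is not None or parts.password is not None:
        return False                      # "https://www.orkut.com@other/" trick
    # hostname is lower-cased by urlsplit; an exact match defeats
    # "www.orkut.com.other.example" look-alikes.
    return (parts.hostname or "") in allowed_hosts


def redirect_target_from_login_url(login_url: str, default: str = "/") -> str:
    """Extract done= as GLogin.aspx would see it (assumed parameter handling)
    and return it only if it passes the check; otherwise use a local default."""
    done = parse_qs(urlsplit(login_url).query).get("done", [""])[0]
    return done if is_safe_redirect(done) else default
```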

Tuesday, December 06, 2005

Advisory at Secunia

The following advisories of mine are now available at Secunia.

1. PhpForumPro SQL Injection
Secunia ID:- 17915
Link:- http://secunia.com/advisories/17915


2. PhpAddressBook v1.2 SQL Injection
Secunia ID:- 17885
Link:- http://secunia.com/advisories/17885


Thanks
SumSid

Advisory


TITLE:
X-cart Path disclosure vulnerability

SECUNIA ADVISORY ID:


VERIFY ADVISORY:

CRITICAL:
Not critical

IMPACT:
Path disclosure vulnerability

WHERE:
From remote

SOFTWARE:
x-cart

DESCRIPTION:
$um$id has reported a vulnerability in x-cart which can be exploited by malicious people to disclose certain system information. Input passed to "error_message.php" isn't properly sanitised before being returned to the user. The vulnerability has been reported in x-cart Gold and x-cart Pro. Other versions may also be affected.

Proof of concept:-
http://localhost/x-cart/admin/error_message.php?http://www.attacker.com

SOLUTION:
No patch is available as of now.

PROVIDED AND/OR DISCOVERED BY:
$um$id

Monday, December 05, 2005

Comments from people


Hi Sumit

I really enjoyed your article on Security Focus on "Evading NIDS, Revisited." I am not an IDS or networking expert, but you explained everything so well, with such good illustrations, that this was a very readable paper, even for the non-expert. Wish all security articles were as good as this one.

Thanks for a very enjoyable and informative article.

Regards

Mary Ann Davidson
Mary is the chief security researcher at Oracle.

Friday, December 02, 2005

INFOCUS


Check out my articles on SecurityFocus
Comments/Suggestions invited.
Thanks
Sumit

Advisory


Product:- PHP SUPPORT TICKETS version 2.1 and earlier

Vulnerability:- SQL Injection

CRITICAL:
Critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
"Manage customer queries with this one stop solution for online customer relations. PHP Support Tickets is written in PHP5 and utilises a MySQL database; both are required on your web. The administration section is secured through a username and password. The default entry is administrator / password. You may change this once you have logged in.
You may have unlimited Moderators / Admins assigned to take care of incoming tickets. These are all entered through an intuitive user admin page. Admins are allowed to view all tickets and perform all admin tasks; moderators can see the tickets assigned to their department only. Manageable departments allow you to edit / delete / add new departments at will.".

DESCRIPTION:
The vulnerability can be exploited by malicious people to conduct SQL injection attacks. The input passed to the "username" and "password" fields and to the "id" parameter of "index.php" is not properly filtered, which allows an attacker to run arbitrary SQL queries. There may be other parameters as well where the input is not filtered.

Proof of concept:-
*** The proof of concept cannot be released until the vendor is ready with the patch ***

SOLUTION:
Awaiting response from the vendor

Original Advisory: Here at http://axcesdenied.blogspot.com

Credit: $um$id
Aka
Access Denied

Thursday, December 01, 2005

ADVISORY


Product:- php-addressbook v1.2 by WidgetMonkey

Vulnerability:- SQL Injection

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
"This is an address book program for people who have their own web space. At present it does not have a multiple user function. I wrote it because I wanted a place where I could store all my addresses so I can access them from multiple locations, and it's a handy backup if you lose your address book, and there weren't any freeware programs that suited my needs".

DESCRIPTION:
The vulnerability can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in "view.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. There are other parameters where the input is also not properly filtered, which will result in SQL injection.


SOLUTION:
Awaiting response from the vendor

Original Advisory: Here at http://axcesdenied.blogspot.com

Credit: $um$id
Aka
Access Denied

ADVISORY


Product:- PhpForumPro from W2B

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
PhpForumPro from W2B.
phpForumPro is a fast and powerful, password protected private discussion forum application built with the industry standard PHP4 scripting language and powered by the MySQL database engine.



DESCRIPTION:
The vulnerability can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "parent" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. There are other parameters where the input is also not properly filtered, which will result in SQL injection.


SOLUTION:
Awaiting response from the vendor

Original Advisory: Here at http://axcesdenied.blogspot.com

Credit: $um$id
Aka
Access Denied
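The defect the three SQL injection advisories above describe (a numeric request parameter such as the "id" of view.php or the "parent" of index.php pasted into a SQL query), shown as an added Python/sqlite3 example that is not code from any of these products or from the author: the vulnerable handler beside its hardened form. The table, its rows and the handler names are constructed for the example.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, owner TEXT, note TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?)", [
        (1, "alice", "public note"),
        (2, "bob", "private note"),
        (3, "carol", "private note"),
    ])
    return conn


def view_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern behind the advisories: the raw parameter becomes part of
    the SQL text, so it can rewrite the WHERE clause instead of being a value."""
    sql = "SELECT id, owner, note FROM entries WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def view_fixed(conn: sqlite3.Connection, raw_id: str):
    """Hardened handler. Returns None (a web app would answer 400) when the
    parameter is not the integer the application expects; otherwise the
    value is bound as a query parameter and cannot change the statement."""
    if not raw_id.isdigit():
        return None
    sql = "SELECT id, owner, note FROM entries WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    # Same request parameter, two handlers: the first returns every row,
    # the second refuses the input before the database ever sees it.
    print(view_vulnerable(db, "1 OR 1=1"))
    print(view_fixed(db, "1 OR 1=1"))
    print(view_fixed(db, "2"))
```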