My New Blog at www.ivanobinetti.com

This is my old blog.
You will find the new one at  http://www.ivanobinetti.com
 

IBM X-Force - RazorCMS CSRF

IBM X-Force has published a new Advisory regarding my Razorcms vulnerability:
IBM X-Force RazorCMS Advisory

To read my Original Advisory:
Ivano Binetti's RazorCMS Original Advisory 

FlexCMS Multiple CSRF Vulnerabilities

I've just discovered new multiple CSRF vulnerabilities in FlexCMS 3.2.1 (latest version).
To read more about them you can download my Original Advisory or view other related publications:

Offensive Security Exploit-DB
Inj3ct0r
Packet Storm
Secunia

Secunia SA39961 - Razorcms Multiple Vulnerabilities

Secunia published new Advisory regarding my discovered vulnerability which affects Razor cms 1.2.1 and lower.

To read more about Secunia's Advisory:
Secunia SA39961 Advisory

Sitecom WLM-2501 Change Wireless Passphrase

Yesterday I've discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.

To know more about these vulnerabilities please read my Original Advisory.

Other sources have published my Advisory:
Packet Storm
Offensive Security Exploit-DB
Inj3ct0r

OSVDB 79635 - Contao cms (fka TYPOlight) CSRF

New my contribution to OSVDB project:
http://osvdb.org/show/osvdb/79635

To read my Original Advisory:
Contao cms Original Advisory

IBM X-Force - Drupal 7.12 CSRF

IBM X-Force has published a security Advisory related to Drupal 7.12 CSRF vulnerability which I've discovered in the past days.
IBM X-Force's Drupal 7.12 Advisory

To read more about my Original Advisory:
My Original Drupal 7.12 Advisory

RazorCMS <= 1.2.1 STABLE CSRF (Delete Web Pages)

New Advisory related to a new CSRF vulnerability in RazorCMS 1.2.1 and lower.
To download my original Advisory:
RazorCMS CSRF Security Advisory

Other publications:
Offensive Security Exploit-db
Packet Storm Security

More about Drupal 7.12 CSRF Exploit

This morning I've received a tweet from Heine - who "provide free Drupal support on the Drupal.org forum" -  who invite me to read his article (Heine's article) about my security advisory related to latest stable version (7.12) of Dupal cms.

In his article Heine said that I've "rightly identified" a CSRF vulnerability which allows to force logout administrator, but he does not refer to the main problem which I've identified in my advisory:  form_token (anti-CSRF) security flaw, as you can read in my security advisory:
http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html

"form_token" (anti-CSRF) security flaw
As reported in my Advisory:

"In "form_token" parameter there is another security flaw inside the logic with which this parameter is generated, because is used the  same parameter for for similar operations  in the same session (for example for article's creation Drupal assigns the same "form_token", for admin/user
 creation Drupal assigns the same "form_token" and so on). This flaw can be used by un attacker which  knows the values of "form_buid_id" and "form_token" parameters (for example an internal attacker performing a "Man in The Middle Attack" or an external attacker that controls an internal client by an client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities to create an "ad-hoc" crafted web page that allows to performs any Drupal changes (add administrator, delete administrator, add web pages, delete  web pages, and so on) when a Drupal administrator or User browses that crafted web page. "

This means that the anti-CSRF "form_token" parameter is not unique for any operations but is the same (in the same session obviously) for similar operation. An attacker - also with low knowledge of Man in the Middle attack - can sniff  anti-CSRF parameter and - without make a rewrite rule in order to modify the traffic in real time (this might require some more skills) - could use sniffed  "form_token" parameter to change Drupal settings.
This is the main flaw which I've described and which Heine did not mention in his article.

"form_buid_id" parameter 
As you can read in my advisory I've never said that "form_build_id" is an anti-CSRF parameter but I've noticed as is possible to use any Drupal compatible form_build_id instead of the right one - specifically created  for that operation - in order to use my exploit and add an Drupal admin.
You said that form_build_id is used "to fetch state from a database table during certain operations." Do you think that is normal that I can modify a parameter as I want and Drupal does not care about it?


Http Referer
I confirm you that if you would make void my exploit Drupal have to:

• use "http referer" check , which is not in contradiction with form_token check, but  it can only increase Drupal's security level. 
•  fix "form_token" flaw.

HTTPS protection
Drupal default installation does not provide default http to https redirection.

p.s. I think that Drupal is a great cms and may be I'll use it in my blog.

Bugtraq ID 52335 - Webfolio <= 1.1.4 Multiple XSS

Security Focus has assigned me Bugtraq ID 52335 for multiple XSS vulnerability in Webfolio <= 1.1.4 Multiple XSS:
http://www.securityfocus.com/bid/52335/

For more details my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html

IBM X-Force - Webfolio <= 1.1.4 Multiple XSS

IBM X-Force published an Advisory related to Webfolio <= 1.1.4 Multiple XSS that I've discovered in the past days.
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73738

For more details about my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html

Webfolio <= 1.1.4 Multiple XSS

WebfolioCMS 1.1.4 (and lower) is prone to multiple XSS vulnerabilities in "webfolio/admin/users/edit/<used_id>" pages  - where <used_id> = 1....n - due to an improper input sanitization.

To download my Original Advisory:
Webfolio <= 1.1.4 Multiple XSS

Other publications:
http://packetstormsecurity.org/files/110524/Webfolio-CMS-1.1.4-Cross-Site-Scripting.html
http://1337day.com/exploits/17634

CVE-2012-1498 - Webfolio CMS

Today "MITRE CVE Numbering Authority" has assigned  me CVE-2012-1498 for a vulnerability related to Webfolio CMS.
For more details, please read my Original Advisory.
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities

I've just found new multiple vulnerabilities into latest stable release (v. 7.12) of Drupal.
To download my Advisory:

Download My Drupal 7.12 Security Advisory 

Other web sites that have published my Advisory:
CVE-2007-6752
http://xforce.iss.net/xforce/xfdb/73674
http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt
http://1337day.com/exploits/17611
http://www.exploit-db.com/exploits/18564/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6752
https://bugzilla.redhat.com/show_bug.cgi?id=807859
http://en.securitylab.ru/nvd/422373.php

IBM X-Force - DFLabs PTK <= 1.0.5 Multiple Vulnerabilities

Today IBM X-Force published my Advisory regarding multiple vulnerabilities which I've found in DFLabs PTK  <= 1.0.5  which allow an attacker to steal administrator/investigator credentials.
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73404

For read my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/dflabs-ptk-105-multiple-vulnerabilities.html

OSVDB 79658 - Webfolio CMS Vulnerability

Today was approved my new contribution to OSVDB database:
To read more about it:
http://osvdb.org/show/osvdb/79658

To view my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

Bugtraq ID 52218 - Webfolio CMS CSRF

Security Focus has assigned me Bugtraq ID 52218 for discovering Webfolio CMS CSRF vulnerability.

For more details about this Bugtraq ID:
http://www.securityfocus.com/bid/52218

For learn more about my Original Advisory:<br>
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

MITRE CVE Numbering Authority

I am proud to announce that "MITRE CVE Numbering Authority" has assigned me eleven (11) CVE numbers for vulnerabilities that I've discovered in last days. In details:

DFLabs PTK <= 1.0.5:

• CVE-2012-1415 for Multiple Vulnerabilities (Steal Authentication Credentials)

Fork CMS <= 3.2.5:

• CVE-2012-1306 for "Delete Admins or Users" and "Delete Web Pages" issues.
• CVE-2012-1307 for "poor logic to manage sessions" form_token issue.
• CVE-2012-1304 for XSS into private/en/blog/settings and private/en/users/index issues.
• CVE-2012-1305 for XSS into private/en/pages/settings issue.

D-Link DSL-2640B (ADSL Router):

• CVE-2012-1308 for CSRF Vulnerability
• CVE-2012-1309 for Authentication Bypass

 ContaoCMS (fka TYPOlight) <= 2.11:

• CVE-2012-1297 for CSRF (Delete Admin- Delete Article)

SyndeoCMS <= 3.0:

• CVE-2012-1203 for CSRF Vulnerability 

SocialCMS <= 1.0.2:

• CVE-2012-1416 for CSRF Vulnerabilities

PlumeCMS <= 1.2.4:

• CVE-2012-1414 for CSRF Vulnerability 

Kaspersky Lab - Webfolio CMS Vulnerability

Kaspersky Lab published my new Advisory regarding a new vulnerability which affects all versions of Webfolio CMS.
For read Kaspersky Lab's Advisory:
http://www.securelist.com/en/advisories/48190

For read my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

Secunia - Contao cms (fka TYPOlight) CSRF Vulnerability

Secunia has published my new security Adsvisory regarding a new vulnerability found in latest release (and lower) of Contao CMS(fka TYPOlight). This vulnerability allows an attacker to delete administrator/users, articles, news, newsletter andmodify many other parameters.

To read Secunia's Advisory:
http://secunia.com/advisories/48180/

To learn more about my Original Advisory:

http://ivanobinetti.blogspot.com/2012/02/contaocms-fka-typolight-211-csrf-delete.html

Secunia - Webfolio cms CSRF Vulnerability

Today Secunia published a my security Adsvisory regarding a new vulnerability found in Webfolio CMS which allows to add a new administrator account, modify published web pages and change many other parameters of latest release (and below) of Webfolio CMS.

To read Secunia's Advisory:
http://secunia.com/advisories/48190

For know more about my original Advisory:
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

WebfolioCMS <= 1.1.4 CSRF (Add Admin/Modify Pages)

Today I've discovered a new CSRF vulnerability which affects WebfolioCMS 1.1.4 (and lower) and which allows to modify any parameter. In my Advisory I've demonstrated how to add a new administrator account and how to modify a published web page.

Download my Original Advisory

Some other pubblication related to this vulnerability:
http://packetstormsecurity.org/files/110294/WebfolioCMS-1.1.4-Cross-Site-Request-Forgery.html
http://www.exploit-db.com/exploits/18536/

OSVDB 79410

OSVDB (famous Vulnerability DB sponsored by Nessus) has published my Advisory related to SyndeoCMS <= 3.0.

For more details about OSVDB 79410 Advsory:
http://osvdb.org/show/osvdb/79410

My original Advisory:
http://ivanobinetti.blogspot.com/2012/02/syndeocms-30-csrf-vulnerability.html

IBM X-Force published my SyndeoCMS Advisory

Yesterday IBM X-Force published my Advisory regarding a new CSRF vulneability that I've found in SyndeoCMS <= 3.0 http://ivanobinetti.blogspot.com/2012/02/syndeocms-30-csrf-vulnerability.html
This vulnerability allows an attacker to change administrator password and gain access to the system.

IBM classified this vulnerability as "Highly Exploitable".

For more details about IBM X-Force publication:
http://xforce.iss.net/xforce/xfdb/73319

ContaoCMS (fka TYPOlight) 2.11 CSRF (Delete Admin- Delete Article)

ContaoCMS (fka TYPOlight) 2.11 version (and lower) in affected by a CSRF vulnerability which allows to delete administrator/users, delete article, news, newsletter and so on.
I've created an Advisory describing this vulnerability and the methods to exploit it:
ContaoCMS Ivano Binetti's Advisory

There are other web sites which have reported my security Advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1297
http://osvdb.org/show/osvdb/79635
http://packetstormsecurity.org/files/110214/ContaoCMS-2.11.0-Cross-Site-Request-Forgery.html
http://www.exploit-db.com/exploits/18527/
http://secunia.com/advisories/48180/
http://www.securelist.com/en/advisories/48180
http://xforce.iss.net/xforce/xfdb/73479
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1297
https://bugs.launchpad.net/bugs/cve/2012-1297
http://cxsecurity.com/cveshow/CVE-2012-1297/

IBM X-Force published my PlumeCMS Advisory

Few days ago I discovered a new CSRF vulnerability (http://ivanobinetti.blogspot.com/2012/02/plumecms-124-csrf-0day-vulnerability.html which affects all versions - included latest (1.2.4) - of Pluse CMS.
Today IBM X-Force published my Advisory and classified the "Exploitability:" of this vulnerability as "High".
Fore more details:
http://xforce.iss.net/xforce/xfdb/73317

IBM X-Force published my D-Link DSL-2640B Advisories

Today IBM X-Force published two of my advisories related to vulnerabilities discoverd into D-Link DSL-2640B ADSL Router / Access Point.
If you would like to read more about them:
http://xforce.iss.net/xforce/xfdb/73316
http://xforce.iss.net/xforce/xfdb/73379

IBM X-Force published my Cisco Linksys WAG54GS Advisory

Today IBM X-Force has published my Advisory related to a security flaw which I've discovered in Cisco Linksys WAG54GS router which allow an attacker to change administrator password.

For more informations:
http://xforce.iss.net/xforce/xfdb/73345

Kaspersky Lab published my ForkCMS 3.2.6 Advisory

Today Kaspersky Lab (http://www.securelist.com/) published my ForkCMS 3.2.6 vulnerability.
For more details:
http://www.securelist.com/en/advisories/48067

IBM X-Force published ForkCMS 3.2.6 "0day" vulnerability

IBM X-Force (http://xforce.iss.net/) published my new "0day" vulnerability regarding Multiple Vulnerabilities discovered in ForkCMS 3.2.6 and lower:
http://xforce.iss.net/xforce/xfdb/73394

OSVDB 79444 : Fork CMS Multiple Function CSRF

OSVDB (http://osvdb.org) - vulnerability DB sponsored by Nessus (http://www.tenable.com) - published my ForkCMS 3.2.6 (and lower) vulnerability.
Here you can read more details:
http://osvdb.org/show/osvdb/79444

Secunia - Fork CMS Vulnerability

Secunia has published an advisory related to a "0day" vulnerabilty (http://ivanobinetti.blogspot.com/2012/02/forkcms-325-csrf-and-xss-0day.html which I've discovered in the past days and regarding a CSRF (Cross Site Request Forgery) which affects ForkCMS 3.2.5 and lower.
Secunia tested this vulnerability also in 3.2.6 version, latest release which ForkCMS team published few days ago.
As I already said in my advisory I think that ForkCMS in a very nice CMS which, with some security improvements, can become a great cms. May be that I will use it in the future.

Following you can read more details about Secunia Advisory:
https://secunia.com/advisories/48067

Also PacketStorm has published this Advisory:
http://packetstormsecurity.org/files/110069/sa48067.txt

D-Link DSL-2640B "0day" Vulnerabilities

SecurityFocus (http://www.securityfocus.com/) has assigned me three BID (Bugtraq ID) related to "0day" Dlink and Cisco Linksys vulnerabilities regarding design flaws and exploitable using CSRF:

Following you can read more details about them:
http://www.securityfocus.com/bid/52096
http://www.securityfocus.com/bid/52129
http://www.securityfocus.com/bid/52105

DFLabs PTK <= 1.0.5 Multiple Vulnerabilities (Steal Authentication Credentials)

Today also PacketStorm published the new "0day" vulnerability that affects DFLabs PTK 1.0.5 and lower versions.

http://packetstormsecurity.org/files/110102/DFLabs-PTK-1.0.5-Cross-Site-Request-Forgery.html

DFLabs PTK <= 1.0.5 Multiple Vulnerabilities (Steal Authentication Credentials)

Today I've discovered multiple vulnerabilities into DFLabs PTK 1.0.5 (latest release) and lower.
Offensive Security Exploit DB has already published this "0day" vulnerability:
http://www.exploit-db.com/exploits/18513/

D-Link DSL-2640B Authentication Bypass

New "0day" vulnerability found.
For more details:

http://www.exploit-db.com/exploits/18511/
http://packetstormsecurity.org/files/110117/D-Link-DSL-2640B-Authentication-Bypass.html
http://www.securityfocus.com/bid/52129

ForkCMS 3.2.5 CSRF and XSS "0day" Vulnerabilities

Today I've discovered multiple vulnerability into Fork CMS 3.2.5. I think there are also  this vulnerabilities  in version 3.2.6.
To download my Original Advisory:
https://sites.google.com/site/ivanobinetti/ForkCMS%203.2.5%20CSRF%20and%20XSS%20vulnetabilities.txt?attredirects=0&d=1

Other pubblication related to these vulnerabilities:
http://packetstormsecurity.org/files/110048/ForkCMS-3.2.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18505/
http://secunia.com/advisories/48067
http://osvdb.org/show/osvdb/79444 
http://xforce.iss.net/xforce/xfdb/73394
http://www.securelist.com/en/advisories/48067
www.1337day.com/exploits/17557

Cisco Linksys WAG54GS (ADSL Router) change admin password

Today I found a new "0day" vulnerability into Cisco Linksys WAG54GS Wifi Adsl Router and published related exploit in order to change default administrator ("admin") password. For more details:

http://www.exploit-db.com/exploits/18503/
http://packetstormsecurity.org/files/110040/Cisco-Linksys-WAG54GS-Cross-Site-Request-Forgery.html
http://www.securityfocus.com/bid/52105

You can simply modify this exploit in order to change other router's parameters.
Enjoy it!

PlumeCMS <= 1.2.4 CSRF "0day" Vulnerability

New "0day" vulnerability discovered regarding PluseCMS.

For more details:

http://www.exploit-db.com/author/?a=3557
http://packetstormsecurity.org/files/author/9536/

D-Link DSL-2640B (ADSL Router) CSRF "0day" Vulnerability

I've discovered a new "0day" vulnerability:

http://www.securityfocus.com/bid/52096/info
http://www.exploit-db.com/author/?a=3557
http://packetstormsecurity.org/files/author/9536/

This vulnerability allows to change administrator password of D-Link DSL-2640B ADSL Router.

SyndeoCMS <= 3.0 CSRF "0day" Vulnerability

Today I've found a new "0day" vulnerability into Syndeocms 3.0 - and lower version - and I've created an exploit in order to automatically add an administrator account when the real administrator browses an "ad hoc" created web page containing a simple html/javascript code.

For more details:

http://www.exploit-db.com/author/?a=3557
http://packetstormsecurity.org/files/author/9536/

Some web sites which published my "0day" vulnerability:

http://1337day.com/exploits/17544
http://exploitsdownload.com/exploit/php/syndeocms-30-csrf-vulnerabili
http://www.allinfosec.com/2012/02/19/webapps-0day-syndeocms-3-0-csrf-vulnerability/
http://www.silobreaker.com/webapps--syndeocms-lt-30-csrf-vulnerability-5_2265494154572201984
http://eternal-todo.com/aggregator/categories/1
http://www.morningstarsecurity.com/news
http://unsecure-os.org/index.php/exploits
http://securit.se/it-sakerhetsnyheter/
http://cxsecurity.com/
http://www.bugsearch.net/

SocialCMS CSRF "0day" Vulnerability

Yestarday I found a "0day" vulnerability into latest version (1.0.2) of "Socialcms" cms (socialcms.com) and created an exploit in order to add an  Administrator account. The vulnerability and related exploit  have been published into Offensive Security Exploit Database. You can find more details here:

http://www.exploit-db.com/author/?a=3557

Other web site have published this "oday" vulnerability:

http://www.allinfosec.com/2012/02/16/webapps-0day-socialcms-csrf-vulnerability
http://www.1337day.com/exploits/17527
http://www.realhacker.net/tag/webapps
http://94hi.com/exploit/html/3244.html

Discovering Cross Site Scripting (XSS) vulnerabilities

Today I wrote a simple perl script to automatically discover XSS vulnerabilities into a web application.
This script can be improved in order to make it more suitable to be used in a web penetration test.

Following the code:

#!/usr/bin/perl 

use strict;
use LWP::Simple;
my ($url, $webpage, @webpage, @name, $result);

if(@ARGV < 1) {
 usage();
}

#Get web page specified by cmd
$webpage = get("http://" . $ARGV[0]);

#Split variable into an arry
@webpage = split(/\n/, $webpage);

#Parsing Web Page to obtain names of "input type=text" 
foreach (@webpage) {
  if($_ =~ /input\stype="text"\sname="(\w{1,30})"/) {
    push(@name, $1);    
  }
}

#Print found search box
if(@name) {
 print "I've found the following search box:\n";  
 foreach (@name) {
   print "$_\n";
 }
 print "and I've discovered that:\n";


#Automatically exploit search box to verify XSS vulnerabilities
 foreach (@name) {
   $result = get("http://" . $ARGV[0] . "?" . $_ . "=<script>alert('test_XSS')</script>");
   if($result =~ /<script>alert\('test_XSS'\)<\/script>/) {
     print "$_ is vulnerable to XSS\n";
   }   
   else { print "$_ isn't vulnerable to XSS\n";}
 }
}

else { 
 print"I have not found search boxes in " . $ARGV[0] . "\n";
}

sub usage() {
 print"Usage: ".$0." <url>\n";
 print "Example: " . $0 . " ivanobinetti.com\n";
 exit;
}