My New Blog at www.ivanobinetti.com
Posted on domenica 18 marzo 2012
by Ivano Binetti
0 commenti Filed Under:
IBM X-Force - RazorCMS CSRF
Posted on
by Ivano Binetti
IBM X-Force has published a new Advisory regarding my Razorcms vulnerability:
IBM X-Force RazorCMS Advisory
To read my Original Advisory:
Ivano Binetti's RazorCMS Original Advisory
IBM X-Force RazorCMS Advisory
To read my Original Advisory:
Ivano Binetti's RazorCMS Original Advisory
0 commenti Filed Under: IBM X-Force
FlexCMS Multiple CSRF Vulnerabilities
Posted on venerdì 16 marzo 2012
by Ivano Binetti
I've just discovered new multiple CSRF vulnerabilities in FlexCMS 3.2.1 (latest version).
To read more about them you can download my Original Advisory or view other related publications:
Offensive Security Exploit-DB
Inj3ct0r
Packet Storm
Secunia
To read more about them you can download my Original Advisory or view other related publications:
Offensive Security Exploit-DB
Inj3ct0r
Packet Storm
Secunia
0 commenti Filed Under: 0day Vulnerabilities, Web Vulnerabilities
Secunia SA39961 - Razorcms Multiple Vulnerabilities
Posted on
by Ivano Binetti
Secunia published new Advisory regarding my discovered vulnerability which affects Razor cms 1.2.1 and lower.
To read more about Secunia's Advisory:
Secunia SA39961 Advisory
To read more about Secunia's Advisory:
Secunia SA39961 Advisory
0 commenti Filed Under: Secunia
Sitecom WLM-2501 Change Wireless Passphrase
Posted on martedì 13 marzo 2012
by Ivano Binetti
Yesterday I've discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.
To know more about these vulnerabilities please read my Original Advisory.
Other sources have published my Advisory:
Packet Storm
Offensive Security Exploit-DB
Inj3ct0r
To know more about these vulnerabilities please read my Original Advisory.
Other sources have published my Advisory:
Packet Storm
Offensive Security Exploit-DB
Inj3ct0r
0 commenti Filed Under: 0day Vulnerabilities, hardware
OSVDB 79635 - Contao cms (fka TYPOlight) CSRF
Posted on
by Ivano Binetti
New my contribution to OSVDB project:
http://osvdb.org/show/osvdb/79635
To read my Original Advisory:
Contao cms Original Advisory
http://osvdb.org/show/osvdb/79635
To read my Original Advisory:
Contao cms Original Advisory
0 commenti Filed Under: OSVDB
IBM X-Force - Drupal 7.12 CSRF
Posted on domenica 11 marzo 2012
by Ivano Binetti
IBM X-Force has published a security Advisory related to Drupal 7.12 CSRF vulnerability which I've discovered in the past days.
IBM X-Force's Drupal 7.12 Advisory
To read more about my Original Advisory:
My Original Drupal 7.12 Advisory
IBM X-Force's Drupal 7.12 Advisory
To read more about my Original Advisory:
My Original Drupal 7.12 Advisory
0 commenti Filed Under: IBM X-Force
RazorCMS <= 1.2.1 STABLE CSRF (Delete Web Pages)
Posted on venerdì 9 marzo 2012
by Ivano Binetti
New Advisory related to a new CSRF vulnerability in RazorCMS 1.2.1 and lower.
To download my original Advisory:
RazorCMS CSRF Security Advisory
Other publications:
Offensive Security Exploit-db
Packet Storm Security
To download my original Advisory:
RazorCMS CSRF Security Advisory
Other publications:
Offensive Security Exploit-db
Packet Storm Security
0 commenti Filed Under: 0day Vulnerabilities, Web Vulnerabilities
More about Drupal 7.12 CSRF Exploit
Posted on
by Ivano Binetti
This morning I've received a tweet from Heine - who "provide free Drupal support on the Drupal.org forum" - who invite me to read his article (Heine's article) about my security advisory related to latest stable version (7.12) of Dupal cms.
In his article Heine said that I've "rightly identified" a CSRF vulnerability which allows to force logout administrator, but he does not refer to the main problem which I've identified in my advisory: form_token (anti-CSRF) security flaw, as you can read in my security advisory:
http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html
"form_token" (anti-CSRF) security flaw
As reported in my Advisory:
"In "form_token" parameter there is another security flaw inside the logic with which this parameter is generated, because is used the same parameter for for similar operations in the same session (for example for article's creation Drupal assigns the same "form_token", for admin/user
creation Drupal assigns the same "form_token" and so on). This flaw can be used by un attacker which knows the values of "form_buid_id" and "form_token" parameters (for example an internal attacker performing a "Man in The Middle Attack" or an external attacker that controls an internal client by an client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities to create an "ad-hoc" crafted web page that allows to performs any Drupal changes (add administrator, delete administrator, add web pages, delete web pages, and so on) when a Drupal administrator or User browses that crafted web page. "
This means that the anti-CSRF "form_token" parameter is not unique for any operations but is the same (in the same session obviously) for similar operation. An attacker - also with low knowledge of Man in the Middle attack - can sniff anti-CSRF parameter and - without make a rewrite rule in order to modify the traffic in real time (this might require some more skills) - could use sniffed "form_token" parameter to change Drupal settings.
This is the main flaw which I've described and which Heine did not mention in his article.
"form_buid_id" parameter
As you can read in my advisory I've never said that "form_build_id" is an anti-CSRF parameter but I've noticed as is possible to use any Drupal compatible form_build_id instead of the right one - specifically created for that operation - in order to use my exploit and add an Drupal admin.
You said that form_build_id is used "to fetch state from a database table during certain operations." Do you think that is normal that I can modify a parameter as I want and Drupal does not care about it?
Http Referer
I confirm you that if you would make void my exploit Drupal have to:
HTTPS protection
Drupal default installation does not provide default http to https redirection.
p.s. I think that Drupal is a great cms and may be I'll use it in my blog.
In his article Heine said that I've "rightly identified" a CSRF vulnerability which allows to force logout administrator, but he does not refer to the main problem which I've identified in my advisory: form_token (anti-CSRF) security flaw, as you can read in my security advisory:
http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html
"form_token" (anti-CSRF) security flaw
As reported in my Advisory:
"In "form_token" parameter there is another security flaw inside the logic with which this parameter is generated, because is used the same parameter for for similar operations in the same session (for example for article's creation Drupal assigns the same "form_token", for admin/user
creation Drupal assigns the same "form_token" and so on). This flaw can be used by un attacker which knows the values of "form_buid_id" and "form_token" parameters (for example an internal attacker performing a "Man in The Middle Attack" or an external attacker that controls an internal client by an client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities to create an "ad-hoc" crafted web page that allows to performs any Drupal changes (add administrator, delete administrator, add web pages, delete web pages, and so on) when a Drupal administrator or User browses that crafted web page. "
This means that the anti-CSRF "form_token" parameter is not unique for any operations but is the same (in the same session obviously) for similar operation. An attacker - also with low knowledge of Man in the Middle attack - can sniff anti-CSRF parameter and - without make a rewrite rule in order to modify the traffic in real time (this might require some more skills) - could use sniffed "form_token" parameter to change Drupal settings.
This is the main flaw which I've described and which Heine did not mention in his article.
"form_buid_id" parameter
As you can read in my advisory I've never said that "form_build_id" is an anti-CSRF parameter but I've noticed as is possible to use any Drupal compatible form_build_id instead of the right one - specifically created for that operation - in order to use my exploit and add an Drupal admin.
You said that form_build_id is used "to fetch state from a database table during certain operations." Do you think that is normal that I can modify a parameter as I want and Drupal does not care about it?
Http Referer
I confirm you that if you would make void my exploit Drupal have to:
- use "http referer" check , which is not in contradiction with form_token check, but it can only increase Drupal's security level.
- fix "form_token" flaw.
HTTPS protection
Drupal default installation does not provide default http to https redirection.
p.s. I think that Drupal is a great cms and may be I'll use it in my blog.
0 commenti Filed Under: 0day Vulnerabilities, Web Vulnerabilities
Bugtraq ID 52335 - Webfolio <= 1.1.4 Multiple XSS
Posted on
by Ivano Binetti
Security Focus has assigned me Bugtraq ID 52335 for multiple XSS vulnerability in Webfolio <= 1.1.4 Multiple XSS:
http://www.securityfocus.com/bid/52335/
For more details my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html
http://www.securityfocus.com/bid/52335/
For more details my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html
0 commenti Filed Under: Bugtraq ID - Security Focus
IBM X-Force - Webfolio <= 1.1.4 Multiple XSS
Posted on
by Ivano Binetti
IBM X-Force published an Advisory related to Webfolio <= 1.1.4 Multiple XSS that I've discovered in the past days.
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73738
For more details about my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73738
For more details about my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html
0 commenti Filed Under: IBM X-Force
Webfolio <= 1.1.4 Multiple XSS
Posted on mercoledì 7 marzo 2012
by Ivano Binetti
WebfolioCMS 1.1.4 (and lower) is prone to multiple XSS vulnerabilities in "webfolio/admin/users/edit/<used_id>" pages - where <used_id> = 1....n - due to an improper input sanitization.
To download my Original Advisory:
Webfolio <= 1.1.4 Multiple XSS
Other publications:
http://packetstormsecurity.org/files/110524/Webfolio-CMS-1.1.4-Cross-Site-Scripting.html
http://1337day.com/exploits/17634
To download my Original Advisory:
Webfolio <= 1.1.4 Multiple XSS
Other publications:
http://packetstormsecurity.org/files/110524/Webfolio-CMS-1.1.4-Cross-Site-Scripting.html
http://1337day.com/exploits/17634
0 commenti Filed Under: 0day Vulnerabilities, Web Vulnerabilities
CVE-2012-1498 - Webfolio CMS
Posted on lunedì 5 marzo 2012
by Ivano Binetti
Today "MITRE CVE Numbering Authority" has assigned me CVE-2012-1498 for a vulnerability related to Webfolio CMS.
For more details, please read my Original Advisory.
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html
For more details, please read my Original Advisory.
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html
0 commenti Filed Under: CVE MITRE
Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities
Posted on venerdì 2 marzo 2012
by Ivano Binetti
I've just found new multiple vulnerabilities into latest stable release (v. 7.12) of Drupal.
To download my Advisory:
Download My Drupal 7.12 Security Advisory
Other web sites that have published my Advisory:
CVE-2007-6752
http://xforce.iss.net/xforce/xfdb/73674
http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt
http://1337day.com/exploits/17611
http://www.exploit-db.com/exploits/18564/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6752
https://bugzilla.redhat.com/show_bug.cgi?id=807859
http://en.securitylab.ru/nvd/422373.php
To download my Advisory:
Download My Drupal 7.12 Security Advisory
Other web sites that have published my Advisory:
CVE-2007-6752
http://xforce.iss.net/xforce/xfdb/73674
http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt
http://1337day.com/exploits/17611
http://www.exploit-db.com/exploits/18564/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6752
https://bugzilla.redhat.com/show_bug.cgi?id=807859
http://en.securitylab.ru/nvd/422373.php
0 commenti Filed Under: 0day Vulnerabilities, Web Vulnerabilities
IBM X-Force - DFLabs PTK <= 1.0.5 Multiple Vulnerabilities
Posted on giovedì 1 marzo 2012
by Ivano Binetti
Today IBM X-Force published my Advisory regarding multiple vulnerabilities which I've found in DFLabs PTK <= 1.0.5 which allow an attacker to steal administrator/investigator credentials.
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73404
For read my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/dflabs-ptk-105-multiple-vulnerabilities.html
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73404
For read my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/dflabs-ptk-105-multiple-vulnerabilities.html
0 commenti Filed Under: IBM X-Force
OSVDB 79658 - Webfolio CMS Vulnerability
Posted on
by Ivano Binetti
Today was approved my new contribution to OSVDB database:
To read more about it:
http://osvdb.org/show/osvdb/79658
To view my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html
0 commenti Filed Under: OSVDB
Bugtraq ID 52218 - Webfolio CMS CSRF
Posted on
by Ivano Binetti
Security Focus has assigned me Bugtraq ID 52218 for discovering Webfolio CMS CSRF vulnerability.
For more details about this Bugtraq ID:
http://www.securityfocus.com/bid/52218
For learn more about my Original Advisory:<br>
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html
For more details about this Bugtraq ID:
http://www.securityfocus.com/bid/52218
For learn more about my Original Advisory:<br>
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html
0 commenti Filed Under: Bugtraq ID - Security Focus
Iscriviti a:
Post (Atom)