My New Blog at www.ivanobinetti.com

Posted on domenica 18 marzo 2012 by Ivano Binetti

This is my old blog.
You will find the new one at  http://www.ivanobinetti.com
 

IBM X-Force - RazorCMS CSRF

Posted on by Ivano Binetti

IBM X-Force has published a new Advisory regarding my Razorcms vulnerability:
IBM X-Force RazorCMS Advisory

To read my Original Advisory:
Ivano Binetti's RazorCMS Original Advisory 


FlexCMS Multiple CSRF Vulnerabilities

Posted on venerdì 16 marzo 2012 by Ivano Binetti

I've just discovered new multiple CSRF vulnerabilities in FlexCMS 3.2.1 (latest version).
To read more about them you can download my Original Advisory or view other related publications:

Offensive Security Exploit-DB
Inj3ct0r
Packet Storm
Secunia

Secunia SA39961 - Razorcms Multiple Vulnerabilities

Posted on by Ivano Binetti

Secunia published new Advisory regarding my discovered vulnerability which affects Razor cms 1.2.1 and lower.

To read more about Secunia's Advisory:
Secunia SA39961 Advisory

Sitecom WLM-2501 Change Wireless Passphrase

Posted on martedì 13 marzo 2012 by Ivano Binetti

Yesterday I've discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.

To know more about these vulnerabilities please read my Original Advisory.

Other sources have published my Advisory:
Packet Storm
Offensive Security Exploit-DB
Inj3ct0r

OSVDB 79635 - Contao cms (fka TYPOlight) CSRF

Posted on by Ivano Binetti

New my contribution to OSVDB project:
http://osvdb.org/show/osvdb/79635

To read my Original Advisory:
Contao cms Original Advisory




IBM X-Force - Drupal 7.12 CSRF

Posted on domenica 11 marzo 2012 by Ivano Binetti

IBM X-Force has published a security Advisory related to Drupal 7.12 CSRF vulnerability which I've discovered in the past days.
IBM X-Force's Drupal 7.12 Advisory

To read more about my Original Advisory:
My Original Drupal 7.12 Advisory

RazorCMS <= 1.2.1 STABLE CSRF (Delete Web Pages)

Posted on venerdì 9 marzo 2012 by Ivano Binetti

New Advisory related to a new CSRF vulnerability in RazorCMS 1.2.1 and lower.
To download my original Advisory:
RazorCMS CSRF Security Advisory

Other publications:
Offensive Security Exploit-db
Packet Storm Security

More about Drupal 7.12 CSRF Exploit

Posted on by Ivano Binetti

This morning I've received a tweet from Heine - who "provide free Drupal support on the Drupal.org forum" -  who invite me to read his article (Heine's article) about my security advisory related to latest stable version (7.12) of Dupal cms.

In his article Heine said that I've "rightly identified" a CSRF vulnerability which allows to force logout administrator, but he does not refer to the main problem which I've identified in my advisory:  form_token (anti-CSRF) security flaw, as you can read in my security advisory:
http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html

"form_token" (anti-CSRF) security flaw
As reported in my Advisory:

"In "form_token" parameter there is another security flaw inside the logic with which this parameter is generated, because is used the  same parameter for for similar operations  in the same session (for example for article's creation Drupal assigns the same "form_token", for admin/user
 creation Drupal assigns the same "form_token" and so on). This flaw can be used by un attacker which  knows the values of "form_buid_id" and "form_token" parameters (for example an internal attacker performing a "Man in The Middle Attack" or an external attacker that controls an internal client by an client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities to create an "ad-hoc" crafted web page that allows to performs any Drupal changes (add administrator, delete administrator, add web pages, delete  web pages, and so on) when a Drupal administrator or User browses that crafted web page.
"

This means that the anti-CSRF "form_token" parameter is not unique for any operations but is the same (in the same session obviously) for similar operation. An attacker - also with low knowledge of Man in the Middle attack - can sniff  anti-CSRF parameter and - without make a rewrite rule in order to modify the traffic in real time (this might require some more skills) - could use sniffed  "form_token" parameter to change Drupal settings.
This is the main flaw which I've described and which Heine did not mention in his article.

"form_buid_id" parameter 
As you can read in my advisory I've never said that "form_build_id" is an anti-CSRF parameter but I've noticed as is possible to use any Drupal compatible form_build_id instead of the right one - specifically created  for that operation - in order to use my exploit and add an Drupal admin.
You said that form_build_id is used "to fetch state from a database table during certain operations." Do you think that is normal that I can modify a parameter as I want and Drupal does not care about it?


Http Referer
I confirm you that if you would make void my exploit Drupal have to:
  • use "http referer" check , which is not in contradiction with form_token check, but  it can only increase Drupal's security level. 
  •  fix "form_token" flaw.

HTTPS protection
Drupal default installation does not provide default http to https redirection.

p.s. I think that Drupal is a great cms and may be I'll use it in my blog.


Bugtraq ID 52335 - Webfolio <= 1.1.4 Multiple XSS

Posted on by Ivano Binetti

Security Focus has assigned me Bugtraq ID 52335 for multiple XSS vulnerability in Webfolio <= 1.1.4 Multiple XSS:
http://www.securityfocus.com/bid/52335/

For more details my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html

IBM X-Force - Webfolio <= 1.1.4 Multiple XSS

Posted on by Ivano Binetti

IBM X-Force published an Advisory related to Webfolio <= 1.1.4 Multiple XSS that I've discovered in the past days.
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73738

For more details about my Original Advisory:
http://ivanobinetti.blogspot.com/2012/03/webfolio-114-multiple-xss.html

Webfolio <= 1.1.4 Multiple XSS

Posted on mercoledì 7 marzo 2012 by Ivano Binetti

WebfolioCMS 1.1.4 (and lower) is prone to multiple XSS vulnerabilities in "webfolio/admin/users/edit/<used_id>" pages  - where <used_id> = 1....n - due to an improper input sanitization.

To download my Original Advisory:
Webfolio <= 1.1.4 Multiple XSS

Other publications:
http://packetstormsecurity.org/files/110524/Webfolio-CMS-1.1.4-Cross-Site-Scripting.html
http://1337day.com/exploits/17634

CVE-2012-1498 - Webfolio CMS

Posted on lunedì 5 marzo 2012 by Ivano Binetti

Today "MITRE CVE Numbering Authority" has assigned  me CVE-2012-1498 for a vulnerability related to Webfolio CMS.
For more details, please read my Original Advisory.
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities

Posted on venerdì 2 marzo 2012 by Ivano Binetti

IBM X-Force - DFLabs PTK <= 1.0.5 Multiple Vulnerabilities

Posted on giovedì 1 marzo 2012 by Ivano Binetti

Today IBM X-Force published my Advisory regarding multiple vulnerabilities which I've found in DFLabs PTK  <= 1.0.5  which allow an attacker to steal administrator/investigator credentials.
For read IBM X-Force Advisory:
http://xforce.iss.net/xforce/xfdb/73404

For read my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/dflabs-ptk-105-multiple-vulnerabilities.html

OSVDB 79658 - Webfolio CMS Vulnerability

Posted on by Ivano Binetti

Today was approved my new contribution to OSVDB database:
To read more about it:
http://osvdb.org/show/osvdb/79658

To view my Original Advisory:
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

Bugtraq ID 52218 - Webfolio CMS CSRF

Posted on by Ivano Binetti

Security Focus has assigned me Bugtraq ID 52218 for discovering Webfolio CMS CSRF vulnerability.

For more details about this Bugtraq ID:
http://www.securityfocus.com/bid/52218

For learn more about my Original Advisory:<br>
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html