CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities

201402Return-oriented-programming-ROP-computer-security-exploit-technique

 

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities


 

Exploit Title: CVE-2015-2214 NetCat CMS Full Path Disclosure Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1

Tested Version: 5.01   3.12

Advisory Publication: February 27, 2015

Latest Update: May 05, 2015

Vulnerability Type: Information Leak / Disclosure [CWE-200]

CVE Reference: CVE-2015-2214

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information

Credit and Writer: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 
 
 

Consultation Details:


 

(1) Vendor & Product Description:

Vendor:

NetCat


 

Product & Version:

NetCat

5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


 

Vendor URL & Download:

NetCat can be accessed from here,

http://netcat.ru/


 

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”


“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”


“We give a discount on any edition NetCat

We try to help our partners to enter into a close-knit team. To reduce your expenses on the development of a new system, we provide special conditions for the acquisition of commercial licenses NetCat, for a partner is assigned a permanent discount of 40%, which according to the results of further sales could be increased to 60%.”


“Teach your developers work with the secrets NetCat

In addition to the detailed documentation and video tutorials to new partners we offer a unique free service – direct contact with the developer from the team NetCat, which will help in the development of product development tools.”


“We give customers

Once you develop the three sites NetCat information about you appear in our ranking developers. This means that you not only begin to receive direct requests from clients but also become a member of tenders conducted by customers. In addition, if the partner is really good work, employees NetCat begin recommending it to clients requesting assistance in the choice of contractor.”


“We will help in the promotion of

The company is a regular participant NetCat large number of forums, seminars and conferences. We are happy to organize together with partners involved, help with advertising materials and share information for the report.”


“Confirmed its status in the eyes of customers

We have a very flexible system of certification of partners: we do not give certificates for the sale of licenses and for the developed sites. So, for example, to obtain a certificate “Development of corporate websites’ to add to your personal account three implementation of the appropriate type.”

 
 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by information leakage attacks – Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Netcat has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to important vulnerabilities.

 

(2.1) The first programming code flaw occurs at “&redirect_url” parameter in “netshop/post.php?” page.

 
 
 
 
 

References:

http://tetraph.com/security/full-path-disclosure-vulnerability/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/netcat-cms-full-path-disclosure.html

http://seclists.org/fulldisclosure/2015/Mar/8

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01740.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1645

http://lists.openwall.net/full-disclosure/2015/03/02/6

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142527117510514&w=2

http://marc.info/?l=full-disclosure&m=142527117510514&w=4

https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://www.tetraph.com/blog/information-leakage-vulnerability/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

http://essayjeans.blog.163.com/blog/static/2371730742015411113047382/

http://www.weibo.com/1644370627/ChjMoA9hD?type=comment#_rnd1431315096193

http://homehut.lofter.com/post/1d226c81_6eae13a

 

CVE-2014-7294 NYU Opensso Integration Open Redirect Security Vulnerability

 

sso_3

 

CVE-2014-7294 NYU OpenSSO Integration 2.1 Dest Privilege Escalation Web Security Vulnerability

 

Exploit Title: NYU OpenSSO Integration Logon Page url Parameter Open Redirect

Product: OpenSSO Integration

Vendor: NYU

Vulnerable Versions: 2.1 and probability prior

Tested Version: 2.1

Advisory Publication: December 14, 2014

Latest Update: January 05, 2015

Vulnerability Type: Open Redirect [CWE-601]

CVE Reference: CVE-2014-7294

mpact CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification

Discover and Writer: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 
Suggestion Details:

 

(1) Vendor & Product Description:



Vendor:

NYU



Product & Vulnerable Versions:

OpenSSO Integration

2.1



Vendor URL & Download:

OpenSSO Integration can be obtrained from here,

 

Product Description:

“NYU has integrated PDS with Sun’s OpenSSO Identity Management application. The PDS/OpenSSO integration uses PDS as the NYU Libraries’ single sign-on system and leverages NYU’s OpenSSO system to provide seamless interaction between library applications and university services. The integration merges patron information from OpenSSO (e.g. name, email, e-resources access) with patron information from Aleph (e.g. borrower status and type) to ensure access to the multitude of library services.”

 
“The NYU Libraries operate in a consortial environment in which not all users are in OpenSSO and not all OpenSSO users are in Aleph. PDS is hosted in an active/passive capacity on our Primo front-end servers. Due to the nature of PDS and Aleph, patrons are required to have an Aleph account in order to login to the library’s SSO environment. The exception to this rule is EZProxy.”

“Author: Scot Dalton

Additional author(s):

Institution: New York University

Year: 2009

License: BSD style

Short description: Use, modification and distribution of the code are permitted provided the copyright notice, list of conditions and disclaimer appear in all related material.

Link to terms: [Detailed license terms]”

 

 

 

(2) Vulnerability Details:

NYU Opensso Integration web application has a computer security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Other similar products 0day vulnerabilities have been found by some other bug hunter researchers before. NYU has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to website vulnerabilities.

(2.1) The vulnerability occurs at “PDS” service’s logon page, with “&url” parameter.

 

 

 

 

References:
http://tetraph.com/security/cves/cve-2014-7294-ex-libris-patron-directory
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7294
http://seclists.org/fulldisclosure/2014/Dec/127
http://tetraph.blogspot.com/2015/02/cve-2014-7294-nyu-opensso-integration.html
http://diebiyi.com/articles/security/open-redirect/cve-2014-7294
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01506.html
http://lists.openwall.net/full-disclosure/2014/12/29/5
https://itswift.wordpress.com/2015/02/12/cve-2014-7294-nyu-opensso
https://vulnerabilitypost.wordpress.com/2015/02/10/cve-2014-7294
http://mathstopic.blogspot.com/2015/05/cve-2014-7294-nyu-opensso-integration.html
http://whitehatview.tumblr.com/post/110720300046/cve-2014-7294-nyu-opensso-integration
http://itsecurity.lofter.com/post/1cfbf9e7_5c6681c
http://www.inzeed.com/kaleidoscope/computer-security/cve-2014-7294
http://computerobsess.blogspot.com/2015/02/cve-2014-7294-nyu-opensso-integration.html

Yahoo and Yahoo Japan May be Vulnerable to Spams

175801847

Yahoo and Yahoo Japan May be Vulnerable to Spams
 
Student security researcher Wang Jing from School of Physical and Mathematical Sciences at Nanyang Technological University, Singapore, has found new security vulnerabilities related to Yahoo. After reporting several Open Redirect vulnerabilities to Yahoo. Yahoo’s responses were “It is working as designed”. It seems that Yahoo do not take the vulnerabilities seriously at all.
 
Based on Wang’s report on Full Disclosure “Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “this intended behavior”. However, these vulnerabilities were patched later.“
 
The vulnerability of Yahoo occurs at “ard.yahoo.com” page. While the vulnerability of Yahoo Japan happens at sensitive page “http://order.store.yahoo.co.jp”.
Proof of concept on YouTube were also released to illustrate exploits.
 
(1)Yahoo Open Redirect
https://www.youtube.com/watch?v=k4eFLsTyZkg
(2)Yahoo Japan Unvalidated Redirects and Forwards (URF)
https://www.youtube.com/watch?v=2SM78WKAVr8
 
In fact, Yahoo’s users were attacked based on redirection this year. Base onCNET on January 4, 2014, “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware.”
 
Wang wrote that the attack could work without a user being logged in. And his tests were using Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in Windows 8.
 
Redirect can ensure a good user experience. However, if it is not properly provided. Attackers can use this to trick users. This is common in Phishing attacks and Spams.
 
On 21 December, 2014. Yahoo.com’s Alexa ranking is 4. While Yahoo.co.jp’s Alexa ranking is 17. Both of them are very popular around the world. From Wikipedia, “Yahoo during July 2013 surpassed Google on the number of United States visitors to its Web sites for the first time since May 2011, set at 196 million United States visitors, having increased by 21 percent in a year.”
 
Open redirect is listed in OWASP top 10. The general consensus of it is “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust.”

 

 

 

CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

 

Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities
Product: WebPress
Vendor: goYWP
Vulnerable Versions: 13.00.06
Tested Version: 13.00.06
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8751
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

 

Advisory Details:
(1) Product
“WebPress is the foundation on which we build web sites. It’s our unique Content Management System (CMS), flexible enough for us to build your dream site, and easy enough for you to maintain it yourself.”

 

(2) Vulnerability Details:
goYWP WebPress has a security problem. It is vulnerable to XSS attacks.
(2.1) The first security vulnerability occurs at “/search.php” page with “&search_param” parameter in HTTP GET.
(2.2) The second security vulnerability occurs at “/forms.php” (form submission ) page with “&name”, “&address” “&comment” parameters in HTTP POST.

 

References:

76.3% WEATHER CHANNEL WEBSITE LINKS VULNERABLE TO REFLECTED CROSS-SITE SCRIPTING (XSS)

 

380

 

Popular Weather Channel web site (Weather.com) has been found to be vulnerable to a reflected Cross-Site Scripting flaw, according to security researcher Wang Jing’s research. The vulnerability lies in that Weather.com does not filter malicious script codes when constructing HTML tags with its URLs. This way, an attacker just adds a malicious script at the end of the URL and executes it.

“If The Weather Channel’s users were exploited, their Identity may be stolen,” Jing said via email. “At the same time, attackers may use the vulnerability to spy users’ habits, access sensitive information, alter browser functionality, perform denial of service attacks, etc.”

Wang Jing is a Ph.D student from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He found that at list 76.3% of Weather Channel website links were vulnerable to XSS attacks. Attackers just need to add scripts at end of Weather Channel’s URLs. Then the scripts will be executed.

 

 

Related News:

http://www.scmagazine.com/the-weather-channels-website-found-vulnerable-to-xss-attacks/article/386010/

http://www.hotforsecurity.com/blog/weather-channel-web-site-vulnerable-to-reflected-cross-site-scripting-xss-10906.html

http://www.computerworld.com/article/2852502/weathercom-fixes-web-app-flaws.html

http://seclists.org/fulldisclosure/2014/Nov/89

http://packetstormsecurity.com/files/129288/weatherchannel-xss.txt

http://webcabinet.tumblr.com/post/116076287997/whitehatview-the-weather-channel-fixes-web-app

http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-weather-com-almost-all-links-vulnerable-to-xss-attacks/

http://www.securitylab.ru/news/462524.php

http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8

http://www.tetraph.com/blog/it-news/weather-channel-xss/

https://www.facebook.com/websecuritiesnews/posts/699866823466824

https://itswift.wordpress.com/2014/12/01/76-3-weather-channel-xss-attacks/

https://www.secnews.gr/weather-channel-xss

 

 

 

CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege Escalation Security Vulnerability

CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege Escalation Security Vulnerability

Exploit Title: WordPress Ad-Manager Plugin Dest Redirect Privilege Escalation Vulnerability

Product: WordPress Ad-Manager Plugin

Vendor: CodeCanyon

Vulnerable Versions: 1.1.2

Tested Version: 1.1.2

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]

CVE Reference: CVE-2014-8754

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

Advisory Details

(1) Product:

“WordPress Ad-Manager offers users a simple solution to implement advertising into their posts, their blog or any other WordPress page. Users can use pictures and images or HTML snippets like Google AdSense to incorporate advertising in an easy way.”

(2) Vulnerability Details:

The Dest Redirect Privilege Escalation vulnerability occurs at “track-click.php” page with “&out” parameter.

References: