For reporting a issue with HTTP methods my name got published in the About section under Security.
http://www.apachefriends.org/about.html
Month: February 2014
Acknowledged by Altervista
I usually don’t write about XSS issues in websites but since this was a hard hunt I thought of writing a bit. The web application was okay with user input but I did not give up. After some time I figured out that the “target” parameter in the login form was not properly sanitized and no CSRF tokens were used in the login process. Therefore I was able to build a successful POST XSS exploit. (more…)
Share this:
Acknowledged by Telekom
For reporting a vulnerable version of running software my name got published in the acknowledgements section.
http://www.telekom.com/security/acknowledgements
Share this:
Acknowledged by Dropmyemail
For reporting a vulnerability in the server my name got published in the acknowledgements section.
https://www.dropmyemail.com/security
Share this:
Acknowledged by Librato
I found 19 XSS vulnerabilities in this website. After a responsible disclosure I got my name in their Acknowledgements section.
https://metrics.librato.com/vulnerability
Share this:
Bandizip Multiple Vulnerabilities
All these issues are patched in Bandizip 3.10 after a responsible disclosure done to the vendor.
Overview of Bandizip
Bandizip is a Lightweight, Fast and 100% free All-In-One Zip Archiver. It has a very fast Zip algorithm for compression & extraction with Fast Drag and Drop, High Speed Archiving, and Multi-core compression. It handles the most popular compression formats, including Zip, 7z, Rar, and so on.
Arbitrary DLL Injection Code Execution
Bandizip 3.09 and below version are affected with a DLL hijacking issue in which the application loads dwmapi.dll in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g. opening a file located on a remote WebDAV or SMB share. 
You can clearly see dwmapi.dll is being searched by the application in the current directory as a result of loading it in an insecure manner.
Proof of Concept (more…)
Share this:
MyBB 1.6.12 POST XSS 0day
This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.
alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload
MyBB throws out a SQL error:
[code language=”sql”]
SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE ‘moved|%’
AND ( LOWER(t.subject) LIKE ‘%<foo> <h1> <script> alert (bar) () ; //%’ LOWER(t.subject)
LIKE ‘%> < prompt \x41 \%42 constructor onload%’)
[/code]
Share this:
My Joomla XSS 0days
Last October 2013 I found some XSS vulnerabilities in Joomla! 3.1.2. Anyhow the affected versions were Joomla! version 2.5.14 and earlier 2.5.x versions and version 3.1.5 and earlier 3.0.x
versions. Actually all these XSS vulnerabilities existed on fields where we can insert links starting with http://. I first did a simple fuzz to test the output.
<foo> </bar> '" > <> ; () //
What I noticed was that it does filter out tags but still we can take advantage of these non-filtered characters. Of course we can use event handlers in JavaScript to trigger XSS.
‘; ()//"
Persistent XSS in com_contact
To reproduce this issue follow these steps.
- Click components -> Contacts-> Contacts. This is the URL: http://localhost/Joomla_3.1.5/administrator/index.php?option=com_contact (more…)
Share this:
Rewarded by Segment.io
For the vulnerable server I reported in Segment.io I received a awesome t-shirt and nice letter.
This letter was hand written and is very beautiful 🙂
